Data: blurring the lines between privacy and risk?
The CEO of legal tech company Amiqus Resolution blogs on the particular issues that data infrastructure poses for the legal profession
Data is a topic that is often in the media. Fairly recently there was heavy coverage following the data breach at a Central American law firm, resulting in worldwide analysis and comment around the use of shell companies, offshore entities and accusations of money laundering.
A few months prior, the discussion was focused on encryption and US law enforcement hacking into mobile phones to access potentially incriminating data. It is ironic that the differing policies and processes around data from one case to the other may have kept the specifics of financial accounts altogether as opaque as their beneficial owners had intended.
The UK Government classifies cyber attack as a tier 1 threat to the country, alongside terrorism, military crisis and natural disasters. Government research has found two thirds of UK businesses have been targeted by cyber attackers in the last year. A breach involving sensitive information being leaked or lost entirely is almost certain to attract litigation, reputational cost and regulatory investigation, with fines up to 4% of global revenue from the Information Commissioner’s Office – multi-million pound fines as opposed to several hundred thousand…
Failure to take appropriate measures to protect sensitive and valuable data may also lead to claims against directors personally for breach of fiduciary duties. Regardless of industry or use case, reasonable steps to protect against and mitigate the risks related to cyber attack should be implemented.
Managing data and privacy risks
Cyber insurance can be put in place, and response planning implemented, but creating a company policy and distributing it via an all-staff email isn’t going to do the job. Managing data and privacy risks should be handled in a similar way to any other business critical asset, whether infrastructure, staff wellbeing, supply chain or cash flow – all of which can be affected directly by external security attacks.
1. Create a simple risk management process
Understand the risks faced and decide what level of risk is acceptable. Assign board level or senior management to identify these risks and own them.
2. Be proactive not reactive to risk
Take a varied and creative approach in order to understand misuse cases and predict worst case scenarios for both internal and external attacks. Taking preventative steps with proportionate resources may avoid or reduce remedial action.
3. Take a continuous approach to risk management
Risk assessment can’t be viewed as a one-off or periodic activity. Threats evolve continually, and systems should be kept up to date and monitored, either internally or with the external assistance of ethical hackers or a security consultancy.
4. Understand your obligations
Understand the requirements set out in the Data Protection Act 1998 and have processes in place to detect, report and investigate a data breach. Make your organisation aware of the General Data Protection Regulation, which will be enforced from 2018. The Information Commissioner’s Office has a volume of accessible information available now. Inaction could be costly.
Data, as previously mentioned, is a valuable asset, often sought after by criminals or indeed by competitors via industrial espionage. Our data infrastructure is as important as our physical infrastructure. Physical infrastructure is often carefully planned to allow a business to grow effectively; data should be treated with a similarly considered approach.
A strong data infrastructure can increase collaboration and efficiency, grow supply chains and reduce transaction costs. It comes in various forms and can be grouped into three main areas across the data spectrum:
The data spectrum helps you understand the language of data. (Source: Open Data Institute: https://theodi.org/data-spectrum)
Closed data: secure, private and controlled by a small group of management, perhaps at board level. For example, strategic plans, financial documents and commercially sensitive case content.
Shared data: shared internally according to access rights. For example, employee records, supply chain contracts, billing levels and firm-wide conflicts of interest.
Open data: Companies House filings, published legislation accessed via legislation.gov.uk, tribunal judgment data and court listings.
Open data – open approach
Just as closed data should be appropriately secure, open data should be open. Almost all processes and systems generate data that can be of value: internal performance data relating to billing and client care, and of course data for ongoing compliance audit purposes. As businesses reach scale, staying innovative and agile can be a challenge. An open approach to standards, innovation and data can help keep pace with change, seize opportunities and retain a competitive edge.
This may sound like an interesting idea only relevant to a small section of technology companies. However, a recent report by the Open Data Institute analysed 270 open data companies across UK sectors and regions, with a combined annual turnover of £92 billion and 500,000 employees. Technology should be approached as an enabler, with data as the underpinning infrastructure which creates value for business. Sending an “all staff” email around your business daily to check for conflicts of interest may well be an early sign that your internal data management systems are due an audit.
As the value of data discovery and unstructured textual analysis becomes widely embraced, businesses of all sizes should take stock of their strategies to protect and maintain their data assets, and consider technology as a core part of day-to-day business. The growing area of open data and open innovation is where the strategies, opportunities and risks of today, tomorrow and the next three to five years of concern and sustainable growth lie.