Every day it seems as though I read about another company that has suffered a data security breach. From Sony having its PlayStation network hacked to Citibank’s Visa cards being compromised to the release of files purportedly stolen from AT&T, Corporate America’s information infrastructure is under attack. There may be an important role for the legal department in helping to defeat these threats.
Data security faces a fundamental challenge: How do organizations provide employees, customers and other legitimate stakeholders access to data while, at the same time, limiting access to the “bad guys” and other non-legitimate users? Problems arise when companies do not know what type of data they have or where it resides, and have not defined what security and access are appropriate. This is where the legal department’s records management and e-discovery processes can play an important role.
Record Retention Schedules – Many companies are updating their record retention schedules to not only include what types of records they have and how long they should save them, but also to include the level of security and privacy each type of document should be afforded. Updating a record retention schedule is an excellent opportunity to review document security. Data security classification is an important step toward locking down data, and many organizations already have a useful record retention framework within which to conduct this classification.
e-Discovery Processes – Data security suffers when companies do not know which documents they have and where they are stored, and data breaches often occur as a result of the wrong documents being stored in the wrong place. Legal has faced a similar problem, needing to identify which documents contain relevant information, and where they are, during litigation. The same in-house e-processes companies have developed for e-discovery may and should also be leveraged for data privacy. Many legal departments are already pretty good at this. Data often leaks to where it should not be, and legal departments often already have a framework in place to find and control it.
Data Deletion – I have often mentioned in this column the importance of effective and defensible data deletion as part of a record retention program. Many records and documents containing sensitive information have little business value beyond a short period of time, and should be deleted early and often. Effective data deletion is not just for records anymore.
Although not part of its traditional role, the legal department has an important role to play in data security.