One of the frustrations of being a lawyer is the imperative to recommend the least-risky course of action, even knowing that our clients’ success often requires taking risks. This imperative arises because the lawyer who advises the most thorough (and expensive) approach is beyond reproach when things go bad, whereas the lawyer who tries to give more practical guidance may not be. Being a naysayer becomes the safest bet.
This is especially true in the context of privacy and data security. The requirements imposed by various jurisdictions can be Byzantine. The consequences of shortchanging privacy and data security can be serious. As a result, lawyers rarely (if ever) advise their clients that less-than-perfect measures may be “good enough.” In-house counsel who turn to specialized privacy practitioners for guidance are far more likely to be told that they need to spend hundreds of thousands of dollars improving their privacy practices than that what they’re doing is probably good enough. I’ve given such advice myself. What may be lacking in such recommendations, though, is enough background and context to enable useful cost/benefit analysis. Clients may end up overwhelmed, panicked or confused.