Today’s general counsel must understand emerging technology and be conversant with the company’s chief information officer (CIO) as well as all internal IT business partners. The CIO-GC relationship is becoming increasingly symbiotic, particularly within the context of a crisis, such as a data breach or network intrusion, not unlike the events in 2013 that plagued Target, the Federal Reserve, Living Social, Snapchat, Evernote, The Washington Post and Drupal, to name a few.
Crises and doomsday scenarios are not the only reasons for establishing these relationships, however. As companies develop tech-centric policies and procedures, GCs become the best resource for predicting the legal implications, not only of those policies but also the technology itself.
Why it is important to establish relationships with the IT department
In order to effectively develop the IT relationship, in-house lawyers must understand and embrace their company’s technological platform and processes. The reality is that GCs and law department leaders are quickly coming to the realization that all roads lead to the CIO.
The rise or fall of departmental efficiencies, data analytics, cost controls, and trending analysis are inextricably linked to the IT team’s provision of technology resources, education, software development, vendor due diligence, software implementation and a host of other services to their legal departments. The consequences of a poor software purchase or implementation lead to a lack of coordination, failure to execute, mutual recrimination and blame, all of which require a significant investment of time and capital to resolve.
Vendors and inter-departmental cooperation
The selection and implementation of the right vendor for technology tools to be utilized in the law department requires a disciplined RFP process, a dedicated team to conduct due diligence, expert legal and technological knowledge to negotiate the agreement and the IT resources required to ensure the promised implementation and product performance. Critical to vendor due diligence is determining the vendor's cost, reputation for service, efficiency, technology and security, among other factors.
(For a good discussion of managing risk in third-party vendor engagements, see this.)
Additionally, a strong internal contract negotiation team is required to investigate, draft RFPs, make selections, conduct additional due diligence, and negotiate a software-centric agreement. Relying on the vendor for the implementation can yield disastrous results. This process necessarily contemplates significant legal and IT resources that are dedicated to project management.
For most legal department leaders, a lack of resources and time make it impractical or impossible to dedicate the requisite number of in-house lawyers to such a high-stakes endeavor. In many organizations, there simply isn’t time to lead these large projects or devote overworked in-house legal staff that may be inexperienced in these emerging practice areas. However, a strong relationship between IT and legal can ensure efficiency and thoroughness in vendor selection and alleviate a process that is otherwise maligned by departmental isolation.
One potential solution is for legal departments to designate members of the team as temporary liaisons to the IT department for the duration of such projects. Or, the legal department could request that the IT department place a representative in the legal department for the lifecycle of the deal.
“Embedding” department representatives serves two important goals. First, it increases communication quality and frequency between departments and educates the lawyers on the challenges faced by the IT staff as it implements critical corporate strategies. As a result, the legal department achieves greater success in understanding the dependencies that exist in a given technology initiative.
Intangible by-products of this symbiotic relationship are inter-departmental goodwill and appreciation. Additionally, both the GC and CIO are better equipped to anticipate needs and competing interests for these resources.
Strong interdepartmental relationships yield valuable returns when addressing governance, privacy and information security. A lack of communication between departments often results in overlooked or misunderstood risks in data management and security or a disjointed response to crisis events.
Good relationships with IT translate into data risk management
The context for good relationships with the IT department may be straightforward for legal departments in technology companies, health care companies or financial institutions, but how can nurturing these relationships on a day-to-day basis mitigate potential data management and security risks for everyone else? There are five key components for cultivating positive working relationships with the IT department that yield comprehensive risk management.
1. Establishing communication channels. GCs need to create continuous, substantive lines of communication with the CIO and IT departments. Ideally, GCs should make it a priority to attend a team meeting in the IT department at least once a month. Unfortunately, many in-house counsel accept communication gaps between legal and IT as the norm; GCs must instead take the lead on establishing a consistent flow of communication. Often, in-house counsel are frustrated by technical IT “speak,” while the IT staff has difficulty understanding that lawyers must work through complex corporate legal issues. Effective communication strategies are established by first creating a mutual understanding of how each department functions and the challenges each faces.
2. Understanding IT governance’s impact and risk. When in-house lawyers understand how IT manages risk, creates its budget and determines its own departmental values, the relevance to the legal department also becomes clear. For example, the implementation of new software that is fundamentally flawed from a security perspective, a failure to invest in technology, or losing talented employees with IT expertise can have profoundly negative impacts on the company as a whole. The legal team cannot identify and manage significant risks without understanding the resources, challenges and demands placed on the IT department. While a GC may not be able to provide an immediate solution, he or she will need to manage – and prepare for – the long-term impact. GCs should identify potential issues well in advance and engender goodwill by partnering with and advocating for other departments within the company, creating an expected partnership for risk mitigation across the organization.
3. Understanding where data resides. In-house lawyers must understand where the organization’s data is stored. Creating a comprehensive data map requires interdepartmental cooperation, and it is as much a project management and research exercise as a purely technical one. While hiring a consultant to get the teams talking or working together is a positive step, the departments can also invest on the front end by building positive relationships themselves.
4. Adopting privacy and security controls. Once the GC understands where data resides, the legal department can work with the IT group to select the appropriate controls framework and to establish appropriate privacy and security controls. This process involves a top-down review of all data repositories and a full understanding of existing controls, as well as what new controls, if any, are required to comply with existing or future privacy or security laws. For legal, this process will require a thorough understanding of the legal and regulatory requirements, the privacy and security controls framework, the operation of such controls in the current environment, and the parties responsible for implementing the controls. The IT team is a crucial part of this process, since the privacy and security controls are authored and applied by IT personnel. Additionally, it will be incumbent upon the IT team to adequately explain the limits and application of the controls framework to the existing IT systems.
5. Leveraging the IT relationship to establish an information governance program. The end game is creating an enterprise-wide data governance program and the most compelling advocates for the creation of this program are the legal department and the IT department. The intentional cultivation of this relationship can ultimately lead to a unified, cogent and thoughtful explanation of the necessity for a comprehensive data governance program. In a best-case scenario, both the GC and CIO can come to the table with concrete examples of how to mitigate data risk, having carefully considered all of the various ways in which good data governance can positively impact the organization and reduce exposure. Establishing the appropriate buy-in, crafting a budget to initiate a program and successfully implementing the program will be exponentially easier with a partner. One voice in the boardroom can be lost, but two voices can win the argument.
We will explore the creation of a data governance program in the next column.