The KPMG General Counsel Survey investigated the views of 320 General Counsel (GC) around the world, on the issues of risk, regulation and disputes. When asked what issue most concerned them, regulation was clearly top of mind. In contrast, risks around cloud and social media ranked the lowest with nearly a third of general counsel seeing little or no risk to their organisations from these pervasive technology trends.
Data protection did come higher on the list, but a clear takeaway from the study is that GC are less familiar with or concerned about the challenges that new technologies bring to the business: how cloud and social media, for example, contribute to risk and what are the technologies that govern and manage this. Asked which functions in their organisations they would need to work closely with to manage future risks, not one GC mentioned IT.
We find this astonishing and worrying, especially given the trend in data loss incidents, which increased strongly in 2011 and 2012 with a jump of over 40% in publicly disclosed cases. Our view is that GC have a key role to play in helping organisations manage risks and this responsibility should encompass technology risks too.
Six discussion points for General Counsel on data risk
Of course, they should not be expected to shoulder this burden alone. The following are some of the key areas of risk that should be on the radar of the GC, and actively under discussion with the CFO or Chief Risk Officer as well as the CIO.
1. What is your data?
Defining what corporate data is can be more challenging than ever before. It is no longer defined by location, as data frequently leaves company premises on legitimate grounds, for example to the supply chain or to third-party service providers like printing or marketing firms. Even when still under direct control, as cloud services become more pervasive, data is likely to be hosted off-site. It already often leaves the premises at the end of each day on employee laptops and tablets, which increasingly no longer belong to the company.
As it becomes harder to protect all data, it becomes essential to classify company data and to decide what level of protection is appropriate to each type, from relatively immaterial information to personal data, price sensitive information and trade secrets. This is a pre-condition for a successful take up of cloud services and is an area where GCs can add considerable value.
2. Where is your data?
Probably the most ubiquitous trend in enterprise IT today is the move to cloud systems, giving IT services a very different profile in pursuit of extreme efficiency. Cloud services and cloud infrastructure may be on-premise, delivered from within an organisation’s real-estate, or off-premise, hosted in other locations on behalf of the company. In both cases the data may sit in one or many places, and it may move.
Location matters therefore. GCs need to be clear on the legal implications of where data is stored, even if fleetingly, especially if this is in another territory and/or legal jurisdiction and so involves cross-border movement of, for example, personal data, and especially in a public cloud. Where data is stored may bring a company into another regulatory regime, for data privacy or financial regulation for example, or put it in breach of local laws.
It is also key to understand in whose hands your corporate data lies. The recent demise of outsourcer 2e2 caused some of its customers real problems as they struggled to retain access to business critical information, to recover it in an orderly fashion and to make sure it had been demonstrably removed from 2e2’s infrastructure. This was a contractual and legal risk as much as a technical challenge.
3. How and where is key data protected?
Protecting data stored on or accessed from tablets, smartphones and USB memory sticks, as well as via traditional computing devices, is a fast-shifting challenge. Protecting data here involves two things. First, ensuring it is secured against malicious attack and accidental loss. Second, delivering resilience and recovery in the event of an incident. In both cases there are contractual and regulatory implications.
The regulatory context depends on the industry you are in. The financial services industry, for example, faces additional requirements because of its economic importance and systemic risk. Other parts of the critical national infrastructure will have their own constraints. There was particular concern, for example, amongst NHS trusts which used 2e2 in case data loss or access restrictions might have had consequences for patient care.
The contractual position depends on your own agreements with customers – companies that lose data or are unable to provide access to data or services may be in breach of contract. As GCs will be acutely aware, however, the court of public opinion is often a more pressing forum than the law courts.
Assessing these risks and choosing the right mitigation path – redundancy, resilience, recovery – needs inputs from the business, backed up with legal insight to enable the CIO to justify investment in security and backup and recovery technologies.
4. How is data stored?
The rise of compact, high capacity data storage devices and the growth of cloud storage services creates the risk of "guerrilla IT" – where employees circumvent technical restrictions either to drive productivity or to deliberately and maliciously gain access to data. This routinely results in confidential data moving beyond the corporate firewall, violating corporate governance as well as, potentially, regulation and local law. Educating employees on the personal and corporate risks that may flow from this is a compliance role which should fall to the legal function, in consultation with IT for technical controls around prevention and detection.
5. What Big data do we have?
Big data, from one perspective, is the integration of multiple data sets to create new insights. These data sets may be innocuous separately – and properly created or obtained – but in combination they may allow "net-new" data to be developed which is unexpected and sensitive. For example, careful analysis of social media activity might provide information that an insurer might consider relevant in offering a customer or group of customers a life assurance product. The legal position of this sort of activity is not always clear and GC need to keep an eye on how this area of law develops, as big data will play an increasing role in how businesses strive for growth in future.
6. Are organisations equipped to meet e-disclosure requirements in all markets?
Cloud changes the context for e-disclosure, in other words the production of information to an opponent and a court in the course of a dispute. Discovery and disclosure laws vary across different countries, and the location of your data could have significant implications: for example, if your email traffic routes through the US, all electronic communications could potentially be discoverable in US actions – even if you have no other point of contact in the US.
Recommendations
As technology continues to evolve and disrupt traditional ways of doing business, GC will need to have and maintain closer links with IT, the CFO and Chief Risk Officer to ensure businesses have a holistic view of their exposure to different categories of risk. This could have implications on everything from IT to overall business strategy and policy, govern interaction with or access to specific markets, and have implications for customer and employee contracts.
Key to keeping at the forefront of this, GC need to include cross-departmental collaboration (particularly with IT), sourcing external advice where necessary and evaluating IT risk in terms of exposure to a variety of geographies, and legal and regulatory jurisdictions. In turn, these will inform the warranties and obligations you give to your customers, and the implications for your own supply chain.
With a better understanding of the technology issues at play, General Counsel will be in a good position to help their organisations manage the risks more effectively.
