Inside Counsel magazine recently reported that data security is the top issue cited by more than half of in-house lawyers. This was reflected in a conversation yesterday at the IACCM Board Meeting, where both lawyers and non-lawyers highlighted its growing importance.
The Inside Counsel article focuses on the need to understand the nature of the data possessed within a business and then to take steps for its protection. It concentrates largely on worries over regulatory compliance and reporting, so various forms of personal data lie at the forefront of concerns. Since some level of hacking appears inevitable, the advice relates largely to the steps needed to limit potential fines and to eliminate the need for reporting. Much of this revolves around encryption, but also the need to analyze data flows to ensure weak spots are identified.
At the IACCM meeting, perhaps because more of the companies represented are b2b, the focus was somewhat different. For them, data security was also about critical business data – product development, strategic plans, customer records. The concern is more around the exposure that arises from links with trading partners – the extent to which shared systems or information access creates a gateway to wider data loss. The implications of this force companies to consider a wider array of solutions. This includes terms and conditions that commit trading partners to appropriate steps and contain penalties for failure. It often incorporates some right of audit or validation.
But ultimately, terms and conditions are a relatively weak form of protection because the most likely reasons for data security breach are either because a trading partner lacks size and sophistication, or because it lacks integrity. And these issues will typically be fixed only one of two ways – that is, do the work in-house or select top quality partners who cannot afford reputational damage.