publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1188906
I L T A W H I T E P A P E R | I N F O R M A T I O N G O V E R N E N C E 21 When data is governed properly, it can generate actionable information and institutional knowledge. For instance, if you can see that your customer is filing more diversified patents, it may be time to talk about their business goals and where you are able to help the customer achieve them beyond filing their patents. If automotive-related patents are ramping up, there may be an opportunity for you to help your client with relevant corporate acquisitions to enhance their portfolio. The total economic value of the data stored in your systems has yet to be realized. Understanding that data has become our most unknown asset, there's even an emerging disciple of Infonomics aimed to assert economic significance to information. Risk Management Benefits Privacy and security are at top of mind for every firm and corporate legal department. Recent data breaches, some directed at law firms, and the regulations being developed to limit the impact of these breaches have caused firms to close and others to grow new compliance practices. In part as a reaction to recent corporate data breaches compromising personal information for millions of people, the European Union and the state of California have stepped up their efforts to protect their citizens and residents. Most notably, the General Data Protection Regulation (GDPR) sent businesses worldwide into a fluster, threatening steep penalties for companies unable to comply with GDPR requests made by individuals. Under the regulation, EU residents have the right to demand that a company with whom they have interacted, even if only by visiting their website, 1. identify all instances of the person's information residing across all their systems, 2. edit that information upon request, and 3. permanently delete all instances of that information and cease collecting that information upon request. Signed into effect on June 28, 2018, the California Consumer Privacy Act (CCPA) 2018 resembles the GDPR in that it empowers California residents to demand a company with whom they have done business to, 1. identify what personal information is being collected, 2. provide the individual with access to that information, 3. identify whether their personal information is disclosed, and if so, towhom, 4. Identify whether their personal information is sold (if so, they have the right to opt out of the sale), and 5. they have the right to be provided equal service and price regardless of whether or not they exercise their privacy rights. Where it deviates from the GDPR is that it does not include the right of its residents to opt- out of data collection completely. Enforcement of the CCPA is expected to begin in 2020, once certain issues around the cost of services for those who opt-out of data collection are ironed out. Currently, penalties in the law can include up to $7,500 per incident. This translates to a $75 million fine for a data breach involving 10,000 customers. Meanwhile, your data doesn't have to be breached to be penalized. A recent instance of poor data governance resulting in stiff penalties is the case of Central Hospital of Barreiro Montijo in Portugal. Their fines totaled over $450,000 by Portugal's GDPR supervisory authority for allowing nearly 1,000 people to have doctor-level access to its patient management system with only 300 doctors on staff. Proper data governance is essential to complying with these emerging regulations and can be marketed to customers and prospects as a strategic advantage. Data Governance in Action A driving principle of good data governance is to provide data access to only those in your firm who need it, and only for the duration of time needed; also known as least privilege access. To do this, you need to know where your data resides. Discovering this takes interviewing employees from each practice group and business service group to discuss the data with which they interact. They need to explain why they need this data, and for how long they need this data. That way you can defend your collection of the data and assign a retention schedule to it so that you don't store it for longer than necessary. Your practitioners need to identify all the internal and external sources from which they receive data and to which they provide data. That way you can establish more comprehensive agreements with your vendors to ensure they are properly controlling the data as well. While classifying your data by what types of personal information is collected is another principle of good data governance, as the definition of what D A T A G O V E R N A N C E F O R L A W F I R M G R O W T H A N D C L I E N T S U C C E S S