Should all companies have information governance officers?
Ideally, everyone should have a basic understanding of the company’s IT infrastructure, not least because as more companies digitise, the risk of cyber threats increases. A cyberattack can come from anywhere and it is now very common for attacks to originate from company employees who inadvertently allow an attacker into the system. However, it is particularly critical for a company’s crisis response team to be familiar with the company’s IT infrastructure to be able to respond decisively when required. At the same time, designated information governance officers responsible for formulating data management policies and executing the same would be important given the increasing scrutiny on the manner in which a company stores and protects its data.
How can external counsel work with forensic experts to assist organisations on issues concerning electronically stored information?
The interface between legal rights and obligations and technology is often a blind spot for most lawyers and in-house counsel who usually tend to be less technologically inclined and focus on more traditional methods of protecting their client’s interests. Similarly, forensic experts are experts in electronic evidence preservation and analysis, but they usually do not have the ability to creatively consider legal or commercial solutions to problems.
It is crucial for the two disciplines to interface more and understand the synergies that exist between them. It often helps to have a tech-savvy lawyer or a legally trained forensic expert to bridge the gap. It is often quite surprising as to how effectively solutions to commercial problems or crafting legal arguments can be found when technology and law collide. From a practical perspective, this means that forensic evidence preservation, review and analysis may need to become part of mainstream legal practice with both lawyers and forensic experts playing their roles seamlessly to serve the client’s interests.
What challenges do you see facing in-house lawyers who need to work with their IT counterparts?
Often, in-house lawyers and their IT counterparts will speak different “languages” and have different concerns. For instance, in a situation where a company has suffered a malware attack, the IT department’s chief concern may be getting to the technological root cause of the issue, while the legal department’s main concern may be preserving privilege over any investigative report commissioned by IT and the accompanying regulatory risk.
Differences in the “languages” spoken also manifest in day-to-day operations. Taking the current Covid-19 situation as an example, where many employees may be forced to work from home, IT’s selection of a third-party service provider for teleconferencing may be driven by certain technological features, but a legal counsel will have to carefully scrutinise both the terms and conditions of use, as well as the protocols used by the system to transmit data, to ensure they are secure.
How can in-house lawyers address these challenges?
In-house counsel should take the time and effort to understand their company’s IT infrastructure. This does not mean they should be fluent in such matters, but they should have at least a conceptual understanding of how the company’s IT infrastructure works, its strengths and weaknesses, and be updated on IT developments and exploits.
At the same time, in-house counsel should hold regular training courses for their IT counterparts to educate them on issues such as regulatory risk and privilege. The goal would be for in-house lawyers and their IT counterparts to be able to bridge the gap in the “languages” to better protect their organisation and its interests.
Published by Asian-Mena Counsel magazine Vol. 17(5), 2020