Editor’s Note: This post was originally published 1/16/19 at ACCDocket.com
Technology rules the world, and the legal world is no exception — from commodified personal data to artificial intelligence (AI) to security. So, what are the hottest legal tech trends we will see in 2019? To answer this question, we must review the growth of technology over the past few years.
I searched for an article written within the past 10 years, and found a 2011 piece from the American Bar Association entitled, “What’s Hot and What’s Not in the Legal Profession.” Privacy was not listed, much less cybersecurity. Yet, these have been driving forces in technology, particularly legal technology, for years now.
As technology has advanced, privacy and related fields (e.g., security, data protection, cybersecurity) have become the fastest growing areas of law. Here’s how they have evolved and what we might expect in 2019.
1. Security and fraud prevention
Protecting data, in any form, requires security measures. Additionally, there is an increased focus on cybersecurity. The number of breaches has been steadily increasing, including ransomware, malware, and corporate espionage.
Among the largest security risks in recent years was the alleged infiltration of US companies by Chinese hackers who installed microchips to server motherboards sold to many US companies. Whether the microchips actually did exist or not is not the main point; the crux was how the potentially impacted companies and the various government agencies responded. This incident also highlighted the heavy reliance US technological supply chains have on products from a handful of countries, including China.
With the Internet of Things (IoT) so prevalent, the supply-chain concern may have a huge impact on the security of devices, including infected personal devices connecting to work environments. This is aside from employees stealing data, such as the 50 terabytes found in the home of former US National Security Agency employee, Harold Martin.
This level of technological manipulation has made fraud easier to commit. Companies are taking steps to prevent and identify fraud, especially with artificial intelligence (AI) capabilities, yet fraud will continue to grow.
Many companies worry that the General Data Protection Regulation (GDPR) will impact their fraud prevention efforts due to its granting the individuals’ control over their personal data, such as access, rectification, and erasure. Preventing fraud is likely a valid reason to deny such rights, but companies must consider its programs, the information obtained and retained, and prepare defenses for its activities.
Many regulations now require protection for personal data, but often do not specify the security controls. The ones that do, such as the US Health Insurance Portability and Accountability Act of 1996 (along with its subsequent amendments, HIPAA), may be outdated (but there is a current Request for Information issued by the US Department of Health and Human Services addressing areas for HIPAA to be updated).
Instead, the standard generally requires reasonable security relative to the size of the company, its resources, the level and amount of sensitivity of the personal data, and the industry norms. This is a target in motion that will ebb and flow with the issuance of regulatory guidance, court decisions, publicized breaches, and technology growth.
Technological advances breed opportunities, for both good and bad actors.
2. Data governance
Often, people confuse data governance with data protection. Data governance is a much larger field, although a good data protection program includes good data governance and vice versa. Data governance is a programmatic concept that focuses on personal data from its inception to destruction — cradle to grave. Therefore, it comprises availability, usability, integrity, consistency, accountability (auditability), and security.
In many cases, companies developed data governance programs in specific data environments or for specific regulations, such as HIPAA, the US Sarbanes-Oxley Act, or various physician payment reporting requirements. Data governance is particularly challenging in an environment that has historically relied on paper documents, but a solid data governance program will help reduce document proliferation, both physically and electronically.
However, given the importance and vulnerability of corporate confidential data (the “crown jewels”) along with far-reaching personal data laws, like the GDPR and the California Consumer Privacy Act, companies should adopt a full-scale data governance program. We are seeing this happen specifically with the GDPR, where companies are creating data inventories and records of data processing activity.
Data inventory, though tedious, is a fundamental element of data governance. How can companies protect what they don’t know they have? Once there is a data inventory, companies should launch programs, such as data protection impact assessments, privacy impact assessments, vendor classifications and oversight, and retention and destruction policies and schedules.
Companies should invest in technology for these purposes, such as dynamic, user-friendly data inventory systems like the TrustArc Data Flow Manager, which links to DPIAs and vendor assessment tools. Other technology options include Truyo, which offers robust solutions for automating data subject access requests and Exego, which provides intelligent, automated analysis of unstructured data. A manual program in spreadsheets and paper only works for small companies with minimal data and vendors.
Certainly, a data governance program should come with someone to lead it. Whether the company needs a privacy officer, security officer, data governance officer, or information security officer, a data protection officer (DPO) is a determination the company needs to make.
Likely, it is a combination of roles that is required. The individuals chosen as DPOs must keep both privacy and security in mind. Multiple individuals may have the expertise, in whole or in part, to become or to assist the DPOs. Remember that the DPO is a role required under GDPR if a company meets certain thresholds.