From e-discovery sanctions to privacy regulation fines, C-suite executives face unprecedented challenges in data management. Exterro’s Bobby Balachandran offers insights on how to address pressing data questions (and mitigate risk) while taking advantage of the undeniable value of data.
Every year, I talk with dozens of executives and C-suite officers at conferences for e-discovery, privacy and digital forensics professionals. I also connect with them at legal technology shows, awards ceremonies and executive retreats. Sometimes they’re formal meetings, but other times, they’re quick chats over coffee. We talk about the opportunities they see and are taking, and we discuss the challenges they’re facing today and anticipate tomorrow.
More than ever before, we talk about data.
Every enterprise understands the value of data and the opportunities it presents. Data fuels innovation and efficiency. It unlocks new markets and helps maximize the value of existing ones. It powers better, faster decision-making, the bedrock of business success. But data also holds great risks — and those risks are keeping business leaders up at night as a litany of questions rolls around in their heads.
Does your C-suite know what your employees are discussing on dozens of different Slack channels about HR issues, software development or data analysis? How long are chat messages being kept? What about emails, recordings of Zoom or Teams meetings, text messages, voice memos or Google Chat? And most of all: What happens when some or all of these data sources might contain information relevant to a lawsuit?
This concern is not just about what data exists; you also need to track where it resides, who has access to it and how it is handled. Nor is it only employees who need to be tracked. Vendors or contractors may also have access to the data — and they could be working from anywhere across the globe. Depending on the industry you work in — say financial services, retail or healthcare — this could have serious compliance implications.
If you don’t know the answers to these questions, you might be in for an unwelcome surprise. In one of the biggest business lawsuits of this century — the DOJ’s antitrust lawsuit against Google — Google earned e-discovery sanctions for deleting internal chat communications and the presiding judge tore into the company’s chief legal officer, stating, “You of all people should have known that there was no excuse for not preserving chats.”
It doesn’t matter if you’re facing an HR suit around discrimination or hiring, an intellectual property case or a contract dispute. Litigators need to know what’s in the data — whether it’s a smoking gun or a long chain of evidence supporting a legal claim — to set the best strategy for resolving the case.
Data privacy & compliance challenges
What about increasing privacy regulations? The failure to obtain and document adequate consent, to protect confidential data, to produce, correct or delete personal data on request and the misuse of data are all potentially grounds for class-action lawsuits or regulatory enforcement by European data protection authorities (DPAs), state attorneys general and even private citizens. In 2020, privacy regulations covered about 10% of the world’s population; Gartner has predicted that by the end of this year, 75% will be covered.
Can your organization confidently respond to a consumer request for all the data you hold on them, including specific consent to its use? What about an employee request? Does your answer change if it’s a disgruntled ex-employee using a weaponized data subject access request form letter?
Leaders must be able to answer yes to these and other compliance questions, because the costs of failure are massive. Some of the largest and best-known companies in the world have earned eight-, nine- and even 10-figure fines from European DPAs. The Irish DPA alone has issued over €2.7 billion in fines under GDPR. Privacy enforcement in the U.S. is on the uptick as well, including at the state level with new laws and at the federal level with enforcement actions focused on privacy laws like HIPAA, COPPA, GLBA and the Privacy Act of 1974.
Fines aren’t the only cost of a breach; breaches are expensive for a variety of reasons. Considering financial losses, reputational damage, the cost of remediation and more, IBM’s 2023 Cost of a Data Breach Report calculates the average cost of a breach at $4.5 million. The average cost rises for organizations with complex data structures or without the ability to detect breaches and respond to them rapidly.
Mitigating data risks
On its own, each of these data risks is substantial, but they are also interrelated and interconnected. Because they compound each other, the combined risk level can rise to existential, bet-the-company levels.
I can’t help but think of Capital One’s “What’s in your wallet?” ad campaign. So I ask my C-suite colleagues, connections and competitors, “What’s in your data?” Do you really know what data you hold, where it is, what basis you have for collecting it, how long you plan to keep it, how you use it and how you share it?
All of these risks are worsened when an organization doesn’t have that knowledge — and they’re mitigated when it does. When you know what data you hold, you not only can extract maximum business value from it, you can also lessen the risks associated with it by protecting what’s most sensitive, deleting what’s unnecessary or disallowed and responding quickly to threats against it.
All too often there’s no single source of truth that provides a holistic understanding of all this data. Creating one is challenging but not impossible. Here are some steps organizations can take to get there:
- Regular data audits: Conduct thorough data audits frequently and consistently to understand what data is available to you.
- Data minimization: Collect and retain only the data that is necessary for the intended purpose. Minimize the amount of personal data you collect to reduce the risk of data breaches and regulatory noncompliance.
- Data retention, deletion and remediation: Define clear data retention and deletion policies to ensure that data is not kept longer than necessary, and to ensure it is redacted or corrected when necessary. Regularly review and securely dispose of data that is no longer needed.
- Data workflows: Create workflows that showcase your data map and ensure alignment and insight into the data across departments. Make sure you can identify everyone who “touches” the data once it becomes available.
- Technology: Adapt technology to automate processes, potentially including AI tools that can learn to recognize existing and new types of sensitive and personal data. You can also use technology-driven insights to pinpoint anomalies and potential security threats.
- Data security measures: Implement strong data security measures such as encryption, access controls and regular security audits to protect data from unauthorized access, disclosure or alteration.
No organization can afford to ignore the value inherent in the data it holds, nor can it ignore the risks. The future belongs to those who recognize trends as they start to take shape and act decisively to capitalize on them. The persistence of civil litigation, the rapid spread of privacy regulations and the increasing risk posed by cybersecurity threats all require the executive leadership of today’s enterprises to view their data both as their biggest asset and as an existential threat. Corporate leaders up to and including CEOs must have a firm grasp on the data they hold and the ability to act on it at any given moment.