Digital Risk, Crisis Management, Cyber Security: three fields that would have meant little to nothing for most businesses as recently as 10 years ago. But in today's digital workplace, they are all but unavoidable.
For the last 18 months, I have become interested in these emerging fields. So, I decided to reach out to Robert Brownstone (@ediscoveryguru) from Fenwick and West, LLP. I know Robert from when I sought his advice on the Internet and the Law.
Brownstone started his career on Wall Street as a white-collar crime litigator in fraud cases. He then became a law school professor and program director while working as a part-time lawyer. For the last thirteen years, Brownstone has been working out of Fenwick’s Silicon Valley office where he has his hand on the pulse of legal and technical issues, some of which impact the most innovative companies in America.
Bill Fenwick, the firm’s founder, originally hired Brownstone as his “experiment” and gave him the title Knowledge Manager. He wanted to take a law teacher and litigator, and as Brownstone describes it, “pump my head with as much computer knowledge as possible in hopes that I would continue to spark some new developments and opportunities for the firm.”
Fenwick asked Brownstone to focus on electronic discovery, IT, Data Security and Legal issues with the intention of sharing these learnings in two ways: “in house” with Fenwick attorneys and “out-house” (really called “outsiders”) with Fenwick clients.
Brownstone characterizes his role at Fenwick as a “make your own major type of job,” where he often finds himself immersed in issues such as intellectual property, the protection of trade secrets, data security strategies and employer-employee disputes over data. To make all this new information useful, he says, “the secret sauce is understanding (our) clients’ business and how their internal information systems work.”
Digital Law: Riding the River
In representing many high-tech and life science companies, Brownstone has found that his main challenge is in the area of Digital Law, which is in flux right now with the Courts wrestling with some major issues, such as:
- How to protect data secrets and information and what to do when their use is in dispute
- How to handle electronic information over a lifetime -- from creation to usage to destruction
- How to handle electronic information issues when a company gets sued or when there’s an electronic discovery (e-discovery) request.
Clog That Drain: Prevent Data Leakage and Cut Your Losses
According to Brownstone, there are essentially three ways information can leak from a company:
- An employee or some other insider is intentionally trying to harm the company and puts information in front of the public (sometimes via the Internet). The most highly publicized examples would be from the Wikileaks site. Basically, someone is trying to harm an organization through disclosure or an accusation.
- An intentional disclosure becomes unintentionally harmful. An employee, executive or other insider posts something (e.g. a photo or a tweet) but he or she does not know the FTC prohibits specific kinds of disclosures under certain circumstances. [Having managed online communities and social networks since my AOL days in the mid-1990s, I would say this happens at least once or twice a year for many companies.]
- An unintentional disclosure. Confidential Information gets out via a smart phone, laptop, device or paper when the item is stolen, hacked or lost. There is no malice or intent on the part of the employee or client, but the information still gets leaked.
Even if the law does not require it, companies can reduce their risk and exposure when it comes to data leakage. Two ways to reduce a company’s risk exposure are:
- Role-Based Access Control, or what IT folks call RBAC, which essentially means that not everything within the virtual or physical world is open to everyone in the company. For example, different permissions are granted to folks who need to access databases, etc. Brownstone calls this approach “narrowing the risk of leakage.”
- Encryption, particularly for company-issued devices (laptops, phones, etc.) to the extent the data can be encrypted. Two purposes are served. One: companies can prevent someone who steals or finds a lost laptop “from sucking out, bit by bit, the data on that drive and booting it up in another machine.” This measure is important.
First, companies want to protect their employees and their data. Second, companies will not have to take a hit financially or in the court of public opinion by having to announce a data breach. (Note: some states handle this differently, and for customer-relations reasons many companies choose to voluntarily disclose breaches to their users.)
The Mobile Horse Has Already Left the Barn
The ubiquitous usage of mobile devices makes controlling a company’s data even more complicated and gives Information Technology (IT) leaders multiple headaches. Brownstone advises companies to consider issuing a second phone and to officially notify, educate and remind employees that “Anything which involves your company device” is the company's property.