LockPath’s Sam Abadir says that regular communication about people’s responsibilities is critically important. His remarks have been edited for length and style.
IT risk and information security are among the highest priorities for both in-house law departments and law firms. What steps can both take to ensure that they’re securing and protecting both personal and confidential data? And how can in-house law departments ensure their law firms are taking these necessary steps?
Abadir: The first step is to create policies around how to define and manage personal and confidential data. Once you have the ground rules in place of how your organization will manage sensitive data, the next step is to identify the data, where it lives, and how you are managing it today. Issuing risk assessments to your attorneys, assistants, IT departments, and others that manage day-to-day work helps you quickly understand the who, what, where, when and how sensitive data is used. From there, organizations can see how this adheres to the organization’s desire to manage that sensitive data in a responsible way (as defined in policies). It also gives your organization the framework on what to measure to see if you are in compliance.
Organizations that do this often come to the realization they have either too much personal or confidential data or give unnecessary access to this data at different points of the business process.
Compliance is constantly evolving. How can law firms and law departments partner to ensure both groups are maintaining the highest quality standards, and what can corporate law departments do to create policies that are easy for law firms to adhere to and update continuously?
Abadir: Compliance does change, along with the laws and regulations with which you have to comply. However, if you look at some of the best-practice compliance and risk management frameworks out there, such as those in the ISO 27000 family, they are generally broad enough that, as new laws arise and compliance requirements change and evolve, those that are managing to the best practice frameworks will find a low impact of change.
With any good framework, you should be able to map your organizational controls used to manage the framework to the laws and regulations you need to follow. As soon as a law comes up or changes, you can quickly identify what those changes are and what in your framework needs to change.
When designing policies, you should create them not only for your employees, but also for all stakeholders, including third parties. Using your internal controls as a bridge between your framework, laws, risks and policies allows you to measure your compliance and risk program and policy effectiveness. You can identify key performance indicators to show that you are being effective or not. You can collect operational metrics or issue assessments to see if you are on track to achieve effectiveness. If you do not keep track of these metrics, you are going to run into problems trying to meet your own compliance standards.
Communication is a huge deal. You cannot just have a policy and a framework and throw it out there as a piece of shelfware. Regular communication about what people’s responsibilities are, whether they are employees or third parties, is extremely important. That communication is two-way. Not only will the corporate legal departments you asked about be required to share with law firms what is required, but the firms must also follow agreed-upon procedures for reporting how they are actually achieving their policy-driven mandates on a timely basis.
Third-party risk management is another high-risk area, not just for data breach but for FCPA and other compliance issues. How can law firms best demonstrate their due diligence of their vendors to clients and how can clients ensure that their own vendors are also maintaining compliance?
Abadir: Be committed to developing and maintaining a robust and agile vendor risk management program. Using your organizational risk management framework we discussed earlier, you need to structure data-driven and risk-driven processes to help you understand all the different areas of risk your third parties expose you to, including the FCPA and data risks.
Once you have your policies and processes created – using the same processes as we talked about in the last question – you will have to share your supplier code of conduct with your third parties and those responsible for managing the third parties.
Third-party management has some special challenges, mostly because you may not have all the data and information accessible to you as you might for your internal processes and employees. This makes measuring compliance and effectiveness a challenge. Issuing assessments is generally very effective and expected, but your third parties will dislike answering them. One industry standard assessment we work with is about 1800 questions long, and another one has about 700 or 800 questions. These are very difficult for your vendor contacts to answer and it is not something they want to do on a monthly basis. Instead, have a mechanism that allows them to tell you what has changed and make it easy to show this at a summary level. Some new technologies exist that continuously monitor your third parties for things like cybersecurity or financial health. They are not a substitute for issued or on-site assessments but are very good for verifying your assessment answers and showing when changes are occurring with your vendors.
Ideally, you have a mechanism for dashboarding and trending all this data. The volume of assessment and continuous monitoring data increases rapidly to the point where they are too much to deal with. Having all this data automatically update your dashboards, scorecards, and reports can easily help you demonstrate compliance to customers and internal auditors. If you do not have this type of dashboarding tool, managing the results becomes harder than managing the vendors.
What steps should firms and law departments take if they discover a vendor has exposed them to a data breach, an FCPA evaluation or another risk?
Abadir: There is no single set of steps to take. Legal departments should leverage the risk assessment information we talked about earlier and plan out what to do when an incident occurs. Organizations should look at all their third parties and the data that they have and determine what it means if that data disappears or if a breach occurs. There can be multiple scenarios, so determine which is the most likely and which is the most impactful. If an FCPA violation occurs, you should already have a plan for what you need to do.
Once you have your plans, you need to practice your response. Gather the parties that need to be involved for each type of incident and perform regular tabletop exercises. Also, make sure that you contract with your third parties to participate in exercises and crises. When performing your tabletop exercises for the first time, you will likely identify gaps in your steps and plans.
You also need to define exactly what an incident is. For example, the banking industry’s Consumer Financial Protection Bureau (CFPB) requires banks to report complaints; however, if you look through some of the CFPB reporting, you will find people saying things like, “I ran out of checks, I can’t pay my bills.” That is an excuse, not a complaint. When you are putting together your likely scenarios, define what an actual incident or crisis is. If it is not an incident, it does not mean it is not important, it just means it might not be reportable.
When an incident does occur, make sure you understand your external reporting responsibilities and work to meet those deadlines with accurate information. Creating confusion with incorrect information helps nobody, including your reputation.
Many firms talk about using business intelligence to combat risks. What kinds of business intelligence protocol systems or partners should law department leaders be considering?
Abadir: There are business intelligence tools called governance, risk and compliance (GRC) and integrated risk management (IRM) platforms. These platforms help you identify your strategic goals and manage the risk that can prevent you from achieving those goals. They effectively and efficiently manage frameworks, policies, laws, vendor risks and the other things we talked about. These platforms manage the risk and incident processes, keep track of the volumes of data and provide real-time dashboards that help you understand if you are meeting your goals, if you are performing within your control thresholds, and where risk can cause issues. These platforms provide you with business intelligence tailored to your company and your role so you can ensure your management principles are followed and you are effective in managing your business.