Vigilance about cybersecurity issues — and the cybersecurity policies of outside law firms with which companies work — is critical for in-house counsel in order to prevent business, legal and public-relations consequences, in-house attorneys said during a recent panel on data policies.
Panelist Tracey Garland Vinson, senior counsel for Bayer, said she and her colleagues work to stay current on cybersecurity issues, as well as the cybersecurity policies of the outside law firms the company hires because “we don’t want to end up on the front page of The New York Times” with a data breach.
Vinson joined other in-house attorneys for companies including Walmart, Bayer, Swiss reinsurance company Swiss Re and Union Pacific Railroad to examine data-retention policies and ways to prevent data breaches associated with eDiscovery. They discussed eDiscovery-related issues they’ve encountered in their practices during the panel held in April as part of the annual National eDiscovery Leadership Institute, also known as NeLI.
Vendors, in-house counsel and outside firms converged at the University of Missouri – Kansas City for the one-day program. Jason Ward of Shook, Hardy & Bacon moderated the discussion.
Vinson said the company uses a questionnaire for the outside law firms it hires, which she said has been helpful. While some firms may take umbrage at being asked to complete the questionnaire, she said many others are happy to comply.
“To me, as in-house counsel, it’s very important because if it’s a patent case, it could be the company’s crown jewels,” she said.
Amy Sellars, associate counsel for Walmart, said the corporation also uses a security assessment with those with which it does business. She said often, vendors do a better job with data security than the law firms do.
She said some problems she sees in terms of data security involve attorneys sharing account log-in information, printing and traveling with sensitive documents and downloading data on a variety of lawyers’ devices.
She said these bad habits tend to cause big problems for companies.
“I think a lot of security breaches are [because of] ineptitude,” Sellars said. “Data has a lot more value these days than it ever has before. It’s a commodity. It’s something that has to be treated as an asset.”
In terms of data retention, Ward asked the panelists what, if anything, their companies do in order to track their data after it is shared with other business or legal partners.
Anastasia Wagner, general attorney for Union Pacific, said she wished her company did so.
“I do think we are beginning to take more of an effort to say, ‘What is it that you have?’” she said, noting new regulations and the potential for data breaches as the motivating factors.
Vinson said since she took on her current role, she has gained a better understanding of where her company’s data is located. She said the company now also has a centralized system for tracking that information.
“One thing you might consider is talking to your vendors and outside counsel, and seeing what they have,” she said.
Data can take many forms, said Vinson, who used an example of a warehouse full of boxes. She said it can be helpful to track down where a company’s data is located by following vendors’ invoices.
Vinson added that if a company doesn’t need the data anymore, the company should consider destroying it.
Sellars agreed. She said that while law firms may stop billing a company for its time, the company might not realize how much of its data is still hanging out on firm servers or in physical form.
“Making sure that you and your firm are clear on what needs to be retained for how long is a great idea,” she said.
Kemoy Foster, eDiscovery manager for Swiss Re, said her company once was told that data from a matter would be retained until 2099.
“Our vendors are actually much better at going through the data,” and destroying it afterwards, Vinson said.
The panel also discussed the importance of in-house counsel building relationships with people in their companies who work in information technology, especially when it comes to dealing with recovering data from legacy systems or transitioning to using new systems.
Vinson said it’s important for in-house attorneys to understand and educate themselves about their company’s technologies.
“If you let them know that you’re interested, sometimes people will tell you more than you want to hear,” she said.
She pointed to the Rules of Professional Conduct, which include technological competence.
“You not only owe it to your client and yourself, but you have an ethical duty to educate yourself about the technology that is available to your client, and that’s true whether you’re in-house counsel or outside counsel,” she said. “I think it’s easier to get that education if you’re in-house, quite frankly, but I don’t think it excuses you, if you’re a lawyer representing a smaller or medium-sized business, from asking questions.”
Also, it’s a good idea to build relationships with those who maintain a company’s technological systems because they can alert attorneys to changes in the future, she said.
“Be sure to tell them how important their work is, and how important preserving data in the system is,” Vinson said.