A Legal Perspective on Big Data

By Punam Tiwari

On my return home from my Cheltenham Head Office one evening, I happened upon an opinion article by David Aaronovitch of The Times, titled “Privacy activists don’t speak for most of us”, lying randomly on a seat in the train. The article dealt with Google’s next quest, an ethical one, which the company itself is challenging for being open to exploitation. It touches upon the concept of Big Data: the term used to describe collections of data sets so large that they become too difficult to process with conventional database management tools.

Businesses seem to be under scrutiny like never before. Recent months have seen millions of customer details stolen by cybercriminals. Companies need to be in control of their data now more than ever. Good information governance is critical to preventing, identifying and mitigating these risks, but many companies struggle to prepare themselves, leaving them open to attack.

Effective data management is three-fold: the prevention and identification of potential problems; the rapid reporting of problems when they occur; and the ability to produce the relevant information quickly when an event does occur.

Information governance schemes in many companies, however, struggle to meet these criteria. This is in part due to the sheer volume of data many companies now generate, and to the growing complexity of that data as businesses try to keep pace with the demands of a competitive global market. Information governance has become too important to sit with an IT department alone. Lawyers need to take a more active interest, and IT practitioners need to welcome them into the fold.

Responding to a request for information is a case in point. Non-UK data protection laws can make this far from simple, and an IT practitioner is foolhardy if he or she tries to work it out alone.

IT departments should be able to approach their legal functions for advice on the legal implications of data transfer, and they should accept that a data breach will affect their business at some point. IT managers should work with legal departments on the following:

  1. Communicate internally – ensure that the breach response plan is widely communicated and circulated among all teams, so that everyone knows their role before an incident rather than during one.
  2. Communicate externally – inform regulators and insurers within whatever notification period applies to you, keep the technical details of the breach within your own IT security team, and ensure that your Marketing/PR department is the sole mouthpiece for the company. The last thing you want is a leak through social media or a disgruntled employee.
  3. Do your homework – make sure that your organization has a robust strategic plan for such events and that all teams have been involved in preparing for them. Writing policies and procedures is important but not enough: every area of the business must understand those policies and procedures, through training that is adequate, appropriate to each team and written in its language.

Lawyers are also increasingly required to advise on the architecture of a company’s information governance strategy before a triggering event. This includes drafting policies on the use of company email accounts and the internet at work, on social media, and on the management of employee-owned devices on company networks. This should not be a purely reactive exercise; do not forget that many local regulators can levy fines without a financial loss having first been sustained. I have detailed some pertinent points that I myself consider when assessing our clients’ information governance from a legal perspective:

  • The use of cloud services, including which jurisdictions hold the company’s data.
  • Whistleblowing and regular reporting mechanisms, so that senior management are made aware of issues as and when they develop and staff are not afraid to raise them.
  • The legalities of data retention and destruction, which need to be planned carefully to ensure compliance with the law in every jurisdiction the company operates in, especially in light of the recent decision by the EU’s Court of Justice invalidating the Data Retention Directive. I would go so far as to advise corporates to ask their legal functions to advise them on how to implement those policies as well.
  • The time it takes to access and assemble data: the longer it takes, the greater the chance that the data will be lost or destroyed, whether deliberately or inadvertently. This can have adverse consequences for the company, especially in a litigious situation.
  • Finally, regular review of the company’s information governance strategies, because technology, data protection legislation and employment practices and procedures all change regularly.

Information governance is a top-level strategic issue that senior management should consider proactively. IT departments must involve lawyers rather than work alone, because they cannot be expected to grasp the multiplicity of legal, organizational and commercial issues that shape an information governance strategy. Knowledge may be power, but information is a serious liability if it is not managed effectively.

Punam Tiwari is IRM’s Legal Counsel. She is an eight-year qualified lawyer and focuses primarily on commercial practice areas. Having worked previously in private practice, Tiwari now specializes in technology and commercial law, and helps many of IRM’s clients manage their risks from a legal standpoint by presenting interactive seminars, running an ‘Information Security and the Law’ training course and reviewing key information security contracts.

Originally published on Infosecurity Magazine.