It’s Not Over Yet: Addressing Persistent Legal and Regulatory Risks in Remote Work Environments
Earlier this year, we teamed up with Colin R. Jennings, a partner at Squire Patton Boggs, and other speakers on a panel for the Northeast Ohio Chapter of the ACC. Our talk covered the breadth of risks and mitigation strategies that have emerged for, and are continuing to create headaches for, legal teams during the COVID-19 pandemic.
Our talk emphasized new data challenges and risks, which are on virtually every in-house counsel’s mind these days. With surveys reporting that more than half of employees believe they can get away with riskier behavior when working from home, and roughly half citing “not being watched by IT,” “being distracted” and/or productivity as reasons for not following safe data practices (Tessian – The State of Data Loss Prevention 2020 Report), sensitive data and IP are more exposed than ever before. At the same time, business user adoption of cloud-based and collaboration applications has exploded among a largely remote workforce, and 83% of employees feel that their employer is not meeting their needs for state-of-the-art technology (ServiceNow June 2020 survey). Thus, many communications, file sharing and collaboration applications continue to be used without robust information governance controls or legal and IT oversight.
With these changes, a new set of legal and compliance risks has emerged. Legal teams must contend with how improper employee or third-party handling of company data may implicate their organization’s reporting obligations, data privacy policies, industry-specific laws, contracts, insurance terms, trade secret protection, cross-border activities and regulatory compliance. Given the strain and rapid change of the last year, many organizations continue to face these issues in reactive mode. FTI Consulting’s 2021 Resilience Barometer® survey found that more than one-third of companies are reactive about the increased regulatory scrutiny they’ve faced in the last year and 39% are reactive about the risk of fraud or a leak of sensitive information. And despite an anticipated uptick in disputes in the coming year, 44% are managing this risk reactively, while 11% are not managing the risk at all.
Saying that a proactive stance on risk is the better approach is simply stating the obvious. But what’s perhaps not as obvious is that legal teams can become more proactive without making massive investments or intense process overhauls. It’s important also to remember that most (if not all) breaches of sensitive information and regulatory violations will lead to an investigation, enforcement action and/or litigation. With this in mind, it’s easier to see how proactive risk mitigation can actually serve as an opportunity to add business value.
Straightforward steps teams can take in anticipation of a data-related legal or regulatory matter include:
- Preserve evidence and issue necessary legal holds
- Ensure remote investigation methodologies are documented and defensible
- Retain well-respected incident response partners
- Avoid the appearance of conflicts of interest with existing IT vendors
- Understand and meet all notification obligations
- Establish privilege over sensitive data
In addition to data challenges, the landscape of e-discovery and investigations has also changed permanently. Proactive or not, legal teams must be prepared to shift the way they think about traditional document review and place greater importance on enriching and visualizing data sets, rather than adhering to a stringent step-by-step methodology. Adapting to best practices for remote data collections and document review will also be important to ensure efficiencies and further reduce risks.
In a recent article published in Cybersecurity Law & Strategy with John Winkler from our team and Mr. Jennings from Squire Patton Boggs, we covered numerous remote best practices designed to ensure timely and secure investigations in light of these new challenges relating to the data footprint and dispersed workforces. These best practices included:
- Following proven remote collection methodologies vetted by digital forensics experts.
- Allocating extra time and resources for handling structured data.
- Setting a high bar for confidentiality and security of remote document review workspaces.
- Planning for realistic timelines.
- Tracking all parties that have access to case documents and methodologies used throughout the process.
Even before the pandemic forced a shift to remote work, the data footprint was growing and diversifying. This past year accelerated what was already in progress, forcing legal teams to adapt much faster than anticipated. Inevitably, more change is on the horizon, and teams will need to continue to evolve their information governance, e-discovery and investigations best practices to align with emerging risks and challenges. To read more about how to stay proactive in this climate of perpetual motion, check out our recent article in Cybersecurity Law & Strategy.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.