“Enterprises need to be prepared to deal with many more regulations and higher levels of enforcement, and they should assume that every regulatory investigation is the prelude to a lawsuit,” says Bobby Balachandran, CEO, Exterro, in an exclusive interview with ITSecurityWire.
ITSW Bureau: How can enterprise organizations prepare themselves for regulatory government investigations in 2021?
Bobby Balachandran: There are three critical components of a compliance program that will simplify an organization’s response to investigators.
- An up-to-date, robust data inventory, which accurately tells enterprises what data they have stored throughout the organization. It also provides enterprises an insight about who owns it, what regulations govern its use and retention, and what third parties have access to it, what they do with it, and how they protect it.
- Automated, orchestrated workflows, which ensure the tasks and activities of every business or compliance process are done consistently and in a defensible manner.
- Automated personnel assignments, ensuring the right people with the proper training are always on the tasks, even when organizations and their roles have shifted.
If enterprises have these three things in place, the chances that they will be investigated dramatically decrease. Even if they are investigated, they can demonstrate compliance based on the record of data, activities, and personnel.
ITSW Bureau: According to you, what challenges does the enterprise face around managing their data and mitigating litigation risks?
Bobby Balachandran: The biggest challenge is a lack of visibility into the data that many in the enterprise world have strewn about their organizations. Below are a few interesting things that have been observed when companies undertake a data inventory or data mapping exercise:
- The first is how much an organization learns about the data they thought they knew about. Think about how easy it is to spin up a new Slack Channel or Microsoft Team site – these data sources often go unreported to IT and Legal, making it difficult to find them when they are needed.
- The second is how much data exists that they didn’t know about at all. For example, data that is stored in the wrong place; data that should have been disposed of but wasn’t; or data that no one uses and has been forgotten about.
- The final challenge is that while many organizations have records retention/disposition policies, until recently, those policies were mostly ignored. However, current data privacy and data breach laws have increased the risks of keeping data past its use, and if the data exists, it can be breached and/or discovered in a legal matter, exposing the organization to increased cost and risk.
ITSW Bureau: How can the enterprise create an organizational standard for the collection and preservation of data?
Bobby Balachandran: First and foremost, enterprises need to operationalize their records retention policies and keep them up to date. Data should be deleted when its risk exceeds its value. Usually, this is when organizations are finished using it for its primary purpose.
Since all the main privacy and breach laws demand that information is deleted, personal information becomes risky very quickly as its purpose ends. Unless the data is under a contractual or regulatory retention obligation, is under a legal hold, or is part of an investigation, it should be deleted.
The key here is operationalizing this process. As I previously mentioned, I have seen too many companies who wrote policies at some point in time promptly ignore them. That is no longer a viable choice; the risks are too high.
ITSW Bureau: How can enterprises prepare themselves for a government investigation, as well as scrutiny from regulatory bodies, regarding privacy laws specifically?
Bobby Balachandran: Enterprises need to be prepared to deal with many more regulations and higher levels of enforcement, and they should assume that every regulatory investigation is the prelude to a lawsuit.
Today, more privacy legislation is being enacted in the United States and enforcement is growing in other parts of the world. In the 2021 ACC Chief Legal Officer’s Survey, sixty-one percent of CLOs said they expect industry-specific regulations to pose the biggest legal challenges for their organization, followed by data protection privacy rules (53.6 percent). These numbers include class-action lawsuits stemming from cybersecurity breaches, not just the threat of governmental investigation.
This will require enterprises to focus on compliance with a nuanced understanding of industry norms for compliance; to develop processes for compliance, which position them favorably in the event of litigation (by preserving the ability to assert privilege over important information, for example); and to reduce the amount of information available to be used against the enterprise in the event of litigation.
ITSW Bureau: What will 2021 look like from a regulatory standpoint?
Bobby Balachandran: There is a tremendous amount of new privacy regulation coming online over the next 24 months, including LGPD enforcement, India, new rules in Canada (in the second half of the year), Virginia, Oklahoma, and probably several other states with their own, new regulations and regulators. There will even be new regulators coming into play in jurisdictions with established regulations, like California.
This regulatory ‘perfect storm’ will create an environment where there is a lot of uncertainty and confusion around what compliance looks like and lots of discussion and negotiation with the regulators around what should be done. Enterprises should themselves be involved in those early discussions if they want to head off some nasty surprises in the future.
Bobby Balachandran is the CEO of Exterro. He founded Exterro with the simple vision that applying the concepts of process optimization and data science to how companies manage digital information and respond to litigation would drive more successful outcomes at a lower cost. He and his team remain committed to this vision today as they deliver a fully integrated Legal GRC platform that enables clients to address their privacy, regulatory, compliance and litigation risks more effectively and at lower cost.