Legal-IT disconnect threatens Data Breach compliance

News of data breach occurrences appear on an almost daily basis, frequently involving embarrassing leaks of credit card data, email addresses, names, phone numbers, physical addresses, and financial transactions. The consequences can result in significant fines, reputational damage, legal claims and expense and even imprisonment.

With Data Breach Legislation expected to be introduced to the Australian parliament before the end of 2016, legal teams will need to work in tandem with their IT departments to ensure they are ready to comply with the legislation once it takes effect, according to Michael Bishop, APAC Regional Legal Counsel for Commvault.

Bishop is also concerned that today’s lawyers don’t necessarily understand the complexities that modern IT departments face in classifying, accessing, protecting and storing data. Similarly, IT departments don’t necessarily know what obligations they must meet to be legally and regulatorily compliant.

As a corporate legal counsel with an IT vendor, Bishop has a dual role: transactional work for the company, and at the same time going out to the market to educate it on data management and good practice.

“I think fundamentally the problem is that lawyers, whether in-house or in firms, can tend to be very outward looking in their focus.  They’re generally not involved in the IT function, because their work can be very transactional,” said Bishop.

“Also I think a lot of organisations have a policy of dealing with issues as and when they arise, so they tend to have a very reactive approach. At Commvault we’re trying to advocate a holistic business approach to data management or information governance, where the entire business owns that strategy. 

“Although notwithstanding that it’s got to be a holistic approach to data management, I think legal in particular can help guide and drive those practices in combination with IT, purely just because they understand the regulatory and legislative framework,” he said.

The draft Australian Data Breach legislation released for comment indicated that there’s going to be plenty of room for lawyers interpreting the guidelines for what a data breach is and when a notification is required.  Making those calls will be nigh on impossible for in-house lawyers who don’t really have a lot of knowledge or understanding of good data practice.

“For example, do they know if all their data’s being held in the cloud, on-prem or off-prem?” asks Bishop.

“They might know that it’s being held on-shore in an Australian data centre, but do they know whether that data is being backed up? Are they having those conversations to really know the whole entire information life cycle of that data? 

“It’s amazing how many CIOs are working in isolation because they don’t have the support from the business, let alone legal. They don’t have the support that they need, they’re under this huge pressure where there’s increasing legislation and regulation, and their budgets are being cut at the same time.”

“I honestly found that most people come up to you and say ‘Well, all I’ve been doing is retaining all my data.  I don’t know about records management.  I just keep everything, because I’m so paranoid about being non-compliant’.  So those conversations aren’t happening.”

The potential risks are highlighted in a recent report from global law firm Allens, which looked at the situation in the US, where 47 of the 50 states have mandatory notification laws. It found that the average total cost of a data breach there is US$6.5 million.

“That must ring alarm bells for medium and large business in Australia as to the potential risks,” said Bishop.

“With data breach legislation a case of when not if, organisations must be undertaking privacy impact assessments, working on action plans, if they’re a large public company, looking at the directors’ duties, and the way they’re going to communicate and respond to breaches.

“A holistic whole of business approach to data management is required. It’s about being proactive rather than reactive.

“You must have some plan in place for when a breach is suffered.  There must be remedial plans in place to fix the security issues pretty quickly.  There must be a process for notifying customers and the Office of the Information Commissioner.

“The quicker that reporting happens, the more integrity and reputation you retain with your customers.  And that’s what the data seems to show, that although a data breach can initially cause you some reputational harm, you can win it back and improve that by reporting it properly and working with your customers to resolve it.”