How to manage data privacy risk more effectively
Ari Kaplan. Photo by Tori Soper.
Ari Kaplan recently spoke with Jerry McIver, the director of cyber services and the data privacy officer for Trustpoint.One, an integrated legal solutions provider serving the Am Law 400 and the Fortune 2000.
Ari Kaplan: Tell us about your background and your role at Trustpoint.One.
Jerry McIver: I serve as the director of cyber services in a unit that helps clients proactively and reactively protect their data through compliance with data privacy regulations and by applying best practices in information governance. In addition, as the data privacy officer, I support and maintain our data privacy program. Over the course of my career, I have helped clients respond to incidents in over 500 cases. I am an attorney licensed in Florida, and in addition to practicing, I have served as a HIPAA compliance officer for a regional health care network and as a systems analyst. I currently hold CIPP/US and CIPM certifications.
Ari Kaplan: How does your dual role as the director of cyber services and data privacy officer intersect for the company’s clients?
Jerry McIver: As the director of cyber services, I focus on helping clients achieve their data, privacy and information governance objectives while internally supporting the company’s data privacy needs. My concentration on proactive and consistent protection of our internal data helps me to offer guidance to our clients who need to update, audit and maintain their privacy programs. This holistic experience and understanding reflects the company’s comprehensive approach to data management, protection and privacy.
Ari Kaplan: How can organizations improve the way they manage their data privacy risk?
Jerry McIver: Understanding the location of your information is critical. Through a combination of technology and expertise, organizations should identify their data, classify it, inventory their records, and create a map of how files travel. In fact, data mapping of this type can help a company truly understand the extent of its data privacy risks by identifying its use of information in certain data sources, whether it is duplicative, the required security of those files, and the people who have access to them. Effective access control is often the key to making sure that those who are looking at the data have permission to do so, rather than granting all employees that privilege. I have seen cases where a ransomware attack that partially shuts down a business was the result of the organization granting full access to all employees to its data management software, so robust access controls are essential.
Ari Kaplan: What are some common mistakes that organizations make in managing their data?
Jerry McIver: Overcollection of data is the top mistake. In fact, I have advised organizations that had no data protection protocols in place. They were collecting and storing sensitive personal information without a privacy program or a data retention policy, which are omissions that pose significant risks. A company cannot simply ignore its duty to protect its data under an array of regulations. The second most common mistake is creating and storing duplicative data, which is increasingly common with collaboration apps and employees working remotely. Holding information in multiple locations without a legitimate purpose should be a huge red flag for any modern organization, so they should routinely and consistently educate their employees on proper data management. The third most common mistake is the lack of understanding of why a team is processing certain records, so every privacy policy should be tailored to the work the organization is currently doing and then associated with a robust retention schedule using data minimization principles.
Ari Kaplan: What records retention and data minimization best practices should organizations apply to minimize their risk?
Jerry McIver: Avoid using an overly broad records retention schedule, which is too common. A specific retention policy allows legal or the team tasked with maintaining a privacy program to audit it much more easily. Teams can also track and retrieve records more rapidly. Ultimately, data minimization is about ensuring that an organization is not overcollecting, storing or processing certain personal and sensitive information without a legitimate reason. To avoid any issues, once an organization processes and uses data for a specific purpose, it should delete it. Do not overcollect, and maintain the minimum amount of information possible.
Ari Kaplan: How do you see data privacy and information governance in legal organizations evolving?
Jerry McIver: The California Privacy Rights Act and similar regulations are prompting organizations to take a comprehensive and more restrictive approach to how they handle their data. Doing so gives them the best opportunity to address threats and mitigate their risks. Organizations should make sure that their data management software is installed properly and features access controls in lieu of simple file shares. Overall, data privacy and information governance go hand in hand, so when prioritizing proper data discovery, legal teams can optimize how they mine data to make their organizations more efficient and drive further growth in the long term.
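The checks McIver describes above (a data map that surfaces duplicative copies, sensitive files open to all employees, processing with no documented purpose, and records held past their retention period) can be turned into an automated review of a data inventory. The script below is an added example, not code from Trustpoint.One or the interview; the inventory records, the `all-employees` group name, and the retention periods are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from collections import Counter

@dataclass
class Record:
    dataset: str         # logical data set the copy belongs to
    location: str        # where the copy lives (DMS, file share, cloud drive)
    classification: str  # "public", "internal" or "sensitive"
    access_group: str    # group granted read access
    purpose: str         # documented processing purpose, "" if none recorded
    created: date
    retention_days: int  # retention period from the records schedule

# Constructed inventory: one matter-management copy plus a personal cloud copy
# of the same intake forms, a stale newsletter archive and an old payroll export.
INVENTORY = [
    Record("client-intake-forms", "dms://matters/intake", "sensitive",
           "legal-intake", "client onboarding", date(2024, 1, 15), 730),
    Record("client-intake-forms", "onedrive://jsmith/intake-copy", "sensitive",
           "all-employees", "", date(2024, 3, 2), 730),
    Record("marketing-newsletter", "sharepoint://marketing/newsletters", "public",
           "all-employees", "marketing", date(2023, 1, 1), 365),
    Record("payroll-export", "fileshare://hr/payroll-2021", "sensitive",
           "hr", "payroll processing", date(2021, 12, 31), 365),
]
AUDIT_DATE = date(2024, 6, 1)  # assumed review date

def audit_inventory(records, today):
    """Return (finding_type, dataset, location) tuples for each privacy risk."""
    findings = []
    by_dataset = {}
    for r in records:
        by_dataset.setdefault(r.dataset, set()).add(r.location)
    # Duplicative data: the same data set stored in more than one location.
    for ds, locations in by_dataset.items():
        if len(locations) > 1:
            findings.append(("duplicate", ds, ";".join(sorted(locations))))
    for r in records:
        # Sensitive data readable by everyone rather than by those who need it.
        if r.classification == "sensitive" and r.access_group == "all-employees":
            findings.append(("overbroad-access", r.dataset, r.location))
        # Processing with no recorded reason, so the retention basis is unknown.
        if not r.purpose:
            findings.append(("no-purpose", r.dataset, r.location))
        # Held longer than the schedule allows; minimization says delete it.
        if (today - r.created).days > r.retention_days:
            findings.append(("past-retention", r.dataset, r.location))
    return findings

def summarize(findings):
    """Count findings per type, e.g. for a report to the privacy officer."""
    return dict(Counter(f[0] for f in findings))
```

Run against a real inventory export, the `duplicate` and `overbroad-access` findings are the ones that point at the file-share and full-access patterns the interview calls out.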
Listen to the complete interview at Reinventing Professionals.
Ari Kaplan regularly interviews leaders in the legal industry and in the broader professional services community to share perspective, highlight transformative change and introduce new technology at his blog and on iTunes.
This column reflects the opinions of the author and not necessarily the views of the ABA Journal—or the American Bar Association.