With the evolution and proliferation of collaboration and information sharing tools, improved mobile connectivity, the adoption of agile working practices and device affordability, users are becoming increasingly self-sufficient and in control of their own IT provisioning, states the law firm Field Fisher Waterhouse in its whitepaper Confidential Collaboration: How to manage regulatory compliance & data privacy while keeping your data safe. The legal experts highlight that many organizations are still too slow to realize the threats posed by ungoverned collaboration and information sharing and provide some advice.
Paradigm shift from organizationally- to user-defined information governance poses legal risks
Field Fisher Waterhouse warns that a company’s loss of control over commercially sensitive or highly regulated information means losing control of business activity and data, which in turn can involve significant legal risks, such as breach of data protection and privacy law, breach of the duty of confidence, breach of litigation rules governing the preservation and disclosure of documents and evidence, or breach of corporate governance rules.
In order to reduce or avoid unacceptable legal risks, the law firm recommends taking the following advice into account:
- Adopt a considered position on collaborative working and information sharing. CIOs and CISOs will understand that safe and secure collaborative working and information sharing requires planning and a methodical approach to the assessment of risk. Ignoring the issues is the speediest route to legal problems.
- Be aware of the phenomenon of unofficial “self-procurement” of technology in the work place. As the “Bring Your Own Device” (BYOD) phenomenon reveals, workers do self-procure IT applications and solutions to facilitate collaborative working and information sharing, often using their personal devices, equipment and online accounts.
- When choosing a technology solution for collaborative working and information sharing, focus also on enabling “good governance”, in addition to the technical ease of sharing. A good platform should enable the organization to track, log and control how information is shared. Bear in mind that email was not designed to offer good governance, and carefully evaluate the quality of the governance offered by new, consumer-type online file sharing applications.
- Work with a technology vendor with a proven track record in facilitating and supporting safe and secure collaborative working and information sharing. A high quality vendor will be able to demonstrate deep experience and sector understanding built up over many years of engagement with enterprise customers, and will have substantial customer support operations in place to help deal with queries and problems.
Field Fisher Waterhouse highlights in addition that uncontrolled collaborative working and information sharing generally poses a variety of non-legal risks as well, and offers the following advice:
- Identify incidents of collaborative working and information sharing in the workplace, the purposes for which the collaboration and sharing takes place, and the tools that are used.
- Carry out a risk assessment to measure the nature and likelihood of harm that could be caused to data and to third parties through the collaboration and sharing, including potential legal consequences. Isolate high risk use cases and processes.
- Take decisions on improvements and changes.
- Record your key positions in a written “system” of operational rules, then embed them into the organization through training and raising awareness.
- If you plan to use a third party service provider to support your system, carry out appropriate due diligence and put in place an appropriate written contract.
The law firm gives further recommendations regarding your technology strategy, pointing out:
- The use that is made of the technology must be fully auditable, so as to enable the organization to know who accessed data, when they accessed it and what they did with it.
- Look for technology that requires a minimal amount of behavioral change within the workplace; it should be simple and easy to use and fit for purpose – remember that part of the reason why people “self-procure” is because what is provided for them isn’t what they want or need!
- The technology should enable the user to easily apply readily understandable levels of security to files based on how sensitive they are, and should include fine-grained, customizable access rights and privileges.
- The technology should facilitate the sharing of files in their native file format, which removes the risk of integrity loss in format conversion.
- The technology should allow for the creation of individual “work streams”, to help implement information barriers and support access rights and privileges.
- Look for innovative uses of DRM and encryption, especially in the area of “tethering”, so that access rights and privileges can be time limited and removed, even after information has been shared.
- The technology should maintain encryption of data at rest, with high levels of transport encryption, ideally with individual encryption keys for individual files.
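The requirements in the list above (auditable access, sensitivity levels applied per file, time-limited and revocable grants, encryption at rest with an individual key per file) can be sketched in code. The following Python example is added here and is not from the whitepaper or from any vendor. It uses only the standard library, so the cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for a real AEAD such as AES-GCM; the sensitivity levels, user names, file ids and file contents are constructed for the demonstration.

```python
"""Per-file keys, time-limited grants and an audit trail for shared files.

Added example (not the whitepaper's or any vendor's code). Standard library
only: the cipher is an HMAC-SHA256 encrypt-then-MAC stand-in for a real AEAD
such as AES-GCM, and the sensitivity-level policy is constructed.
"""
import hashlib
import hmac
import os
import time

# Constructed policy (assumption): the longest grant each sensitivity level allows.
MAX_TTL = {"internal": 30 * 86400, "confidential": 24 * 3600, "restricted": 3600}


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one file key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC blocks (stand-in for a block cipher).
    blocks = length // 32 + 1
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SharingService:
    """Holds one key per file, wrapped under a service key, plus grants and an audit log."""

    def __init__(self, clock=time.time):
        self._kek = os.urandom(32)   # key-encryption key held only by the service
        self._files = {}             # file_id -> record with wrapped key and ciphertext
        self._grants = {}            # file_id -> {user: expiry timestamp}
        self.audit = []              # who did what, to which file, when, with what outcome
        self._clock = clock          # injectable so expiry can be tested deterministically

    def _log(self, actor: str, action: str, file_id: str, outcome: str) -> None:
        self.audit.append({"ts": self._clock(), "actor": actor, "action": action,
                           "file": file_id, "outcome": outcome})

    def store(self, owner: str, file_id: str, data: bytes, level: str) -> None:
        file_key = os.urandom(32)    # individual key for this file
        self._files[file_id] = {"owner": owner, "level": level,
                                "wrapped_key": seal(self._kek, file_key),
                                "blob": seal(file_key, data)}
        self._grants[file_id] = {}
        self._log(owner, "store", file_id, f"level={level}")

    def grant(self, owner: str, file_id: str, user: str, ttl_seconds: int) -> float:
        rec = self._files[file_id]
        if rec["owner"] != owner:
            self._log(owner, "grant", file_id, "denied")
            raise PermissionError("only the owner can grant access")
        ttl = min(ttl_seconds, MAX_TTL[rec["level"]])   # level caps the grant lifetime
        expires = self._clock() + ttl
        self._grants[file_id][user] = expires
        self._log(owner, "grant", file_id, f"{user} until {expires:.0f}")
        return expires

    def revoke(self, owner: str, file_id: str, user: str) -> None:
        if self._files[file_id]["owner"] != owner:
            raise PermissionError("only the owner can revoke access")
        self._grants[file_id].pop(user, None)
        self._log(owner, "revoke", file_id, user)

    def shred(self, owner: str, file_id: str) -> None:
        # Crypto-shredding: dropping the wrapped key makes the stored ciphertext unreadable.
        if self._files[file_id]["owner"] != owner:
            raise PermissionError("only the owner can shred a file")
        self._files[file_id]["wrapped_key"] = None
        self._log(owner, "shred", file_id, "key destroyed")

    def read(self, user: str, file_id: str) -> bytes:
        rec = self._files.get(file_id)
        if rec is None or rec["wrapped_key"] is None:
            self._log(user, "read", file_id, "denied")
            raise PermissionError("file unavailable")
        allowed = rec["owner"] == user or self._grants[file_id].get(user, 0) > self._clock()
        if not allowed:
            self._log(user, "read", file_id, "denied")
            raise PermissionError("no valid grant")
        data = unseal(unseal(self._kek, rec["wrapped_key"]), rec["blob"])
        self._log(user, "read", file_id, "ok")
        return data


if __name__ == "__main__":
    svc = SharingService()
    svc.store("alice", "contract.docx", b"constructed sample content", "confidential")
    svc.grant("alice", "contract.docx", "bob", ttl_seconds=7 * 86400)
    svc.read("bob", "contract.docx")
    for entry in svc.audit:
        print(entry)
```

The injectable clock is what makes the "time limited and removed, even after information has been shared" requirement testable: a grant is checked against the clock on every read, revocation removes it immediately, and shredding the per-file key withdraws access from everyone, owner included, while the audit list records each attempt and its outcome.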
Regarding technology vendors, Field Fisher Waterhouse recommends looking for vendors:
- With pedigree, track record and industry experience, with key industry accreditations and references.
- Which provide support to external parties, not just paying customers, as this will remove some of the operational load of successful and safe collaborative working and information sharing between your organization, its extended supply chain and other third parties.
- That are willing to give their customers access to their premises for security auditing purposes. This kind of access will help you satisfy your due diligence obligations as they apply to your service providers.
And last but not least it’s important to remember that the functionality must be about more than just sharing, since it is “safe, secure, controlled and auditable sharing” that the law seeks!
Source: Field Fisher Waterhouse