As a contract lifecycle management provider, LinkSquares holds a lot of sensitive customer information.
In light of that reality and the growing number of state-level data privacy laws, LinkSquares Chief Legal Officer Tim Parilla said his company takes data privacy very seriously.
“The way that we think about our customers' information is that contracts are right up there with Social Security numbers as far as needing to protect them,” he said.
Parilla recently shared with Legal Dive several overarching best practices for in-house legal teams responsible for helping their companies operationalize data privacy initiatives.
Evaluating your data
An important initial step companies should take is assessing the type of data they possess and collect.
This inventory helps a legal team determine the company’s level of risk if a data breach were to occur, as well as the laws and regulations they need to comply with regarding data storage and breach notification.
For example, a company that gathers email addresses and usernames has a much different risk profile than one that collects banking information and social security numbers, Parilla said.
A key determination that legal teams need to make is whether their company is in possession of personally identifiable information or what in some jurisdictions is referred to as personal information. This could include credit card, driver’s license and home address information.
Breaches or suspected breaches of personally identifiable information typically require notifications to those customers who may have been affected, with some states also requiring the provision of services such as credit monitoring to impacted consumers.
Identifying allies and forming teams
Parilla said an important second step for a legal team is identifying other departments and employees who will be key allies in carrying out data privacy initiatives.
These collaborators will normally include personnel from the IT department, product engineers and sometimes compliance professionals.
“If you have your legal team, your IT team, and you have your engineers, you have a pretty good start for the people who need to really be bought in and be stakeholders in your security and your privacy program,” Parilla said.
He said these teams should meet on a regular basis to discuss key data privacy action steps, such as any security certifications that would be worth seeking from outside organizations.
The action steps should include conducting a gap analysis to help cross-functional teams determine where they are today in terms of data security and what they need to do to enhance their efforts.
“Probably the best way to actually start to implement a plan is to appoint leadership and then do that gap analysis,” Parilla said.
Practice makes perfect
It’s also essential that the leaders of data privacy programs ensure their efforts are ongoing, rather than set-and-forget initiatives, according to Parilla.
One way to keep privacy and security top of mind is to do regular tabletop exercises in which key personnel go over their roles in the case of a data breach.
Fire drill-type scenarios, in which little to no notice is given of a potential breach, can also help companies review how quickly they mobilized and communicated.
Parilla said if legal teams and their colleagues are well prepared to “contain, remediate, focus on relationships and understand [their] legal obligations,” they are well-positioned to deal with data breaches.
“It's not only how you respond to contain the damage, it's how you respond to maintain the relationships with your customers who are affected,” he said.