Data is now the most valuable commodity in the world. Still, few businesses outside the tech sphere have fully come to terms with the value of the data they hold - and the legal industry is no different.

Knowledge Managers undertake a number of data-intensive activities - managing large numbers of documents, precedents and firms’ proprietary data, intranets and other sources of digital information crucial to smooth business function. Different data types have different obligations attached to them, and this means it is important for Knowledge Managers to understand the value of their data and how best to protect it.

What’s the value of data?

How can we understand data’s worth in a monetary sense? One of the models gaining favour is the ‘prudent value’ approach, which ties the economic value of data to key business initiatives.

Using this model, each data source used by a business has a dollar value that is tied to its ability to inform business decisions. For example, a particular precedent developed by a firm may be used across a number of different client matters. Each time that piece of knowledge is used it contributes to the overall financial return for that work.

Considered in those terms, it’s easy to see just how valuable the full trove of knowledge at a legal business can be. It goes without saying that cybersecurity is no longer just an IT issue, it’s a business-wide responsibility - and Knowledge Managers must be fully aware of recommended actions and obligations when it comes to data safety.

Data protection

So, what’s the best way to protect it? We can consider recommended actions under three broad umbrellas: Prevention, Preparation and Compliance.

Prevention

Prevention is about minimising the risks that your business will fall victim to a data breach. It focuses closely on processes and awareness. Some specific preventative measures businesses should take include:

• Regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
• Effective IT security policies, systems, controls, processes and practices;
• Staff training and awareness of data security obligations;
• A positive and strong compliance culture; and
• Ongoing governance oversight.

Preparation

Preparation is crucial. Currently the accepted wisdom is that despite the best preventative strategies, data breaches are still highly likely to occur - so it’s best to be ready when they do.

Preparative measures focus on incident response planning and testing. Measures include:

• Building a thorough data breach response plan. This should include all tasks associated with containing and neutralising the breach, notifying relevant authorities, and communicating to clients, customers and other stakeholders.
• Assigning clear responsibilities for each action in the response plan and ensuring they are understood by the relevant parties.
• Running full-scale incident response drills to test the plan. This means testing a real-time response to a data breach scenario involving all relevant parties to identify any gaps or issues in the plan
• Constantly updating the plan to ensure it is accurate and can be enacted at a moment’s notice should there be a breach.

Compliance

Though there are a number of compliance considerations based on data type, the vast majority of legal businesses will be considered APP entities under the Privacy Act and thus subject to the Notifiable Data Breach (NDB) scheme. This is a key piece of legislation and a whole-of-business understanding of its scope and requirements is crucial.

The consequences of non-compliance with the NDB can be severe, ranging from injunctions to prevent certain activities to civil penalties of up to $2.1 million.

There are three steps to complying with obligations under the NDB:

• Identifying when notification is required - an ‘eligible’ breach is “one that is likely to result in serious harm to any of the individuals to whom the information relates.”
• Notifying the Privacy Commissioner - this includes a description of the breach, the sort of information involved, and recommendations about the steps that individuals should take in response to the eligible data breach.
• Notifying affected individuals - take action as soon as practicable to notify all individuals of what has happened, how they may be affected, and what they should do in response.

In many ways, Knowledge Managers are data managers. The data they create, store and curate is crucial to the smooth function, success and competitive advantage of their business. With the responsibility for cybersecurity a shared concern, it’s imperative that Knowledge Managers have a detailed understanding of what the obligations are when it comes to cybersecurity and how to prevent an attack.

For more information on data security, mandatory data breach notification, cybersecurity and strategy, check out Practical Guidance Cybersecurity, Data Protection and Privacy.

From simple search to analysis and insight, the powerful intelligence of Lexis Advance sits at the heart of many of LexisNexis' legal solutions. Access exactly what you need with a single subscription.