In-house counsel must take lead role in enforcing data security measures and training
Employee training in data protection measures has declined in many businesses this year, despite an increased risk of data breaches resulting from remote work, according to a new report by Shred-it.
Shred-it’s 10th anniversary edition 2020 Data Protection Report also found that businesses – and legal departments in particular – still use vast quantities of paper, which signals a need for careful oversight of physical information and its protection.
In-house counsel have a vital role to play in implementing and enforcing data protection policies and training programs, and in ensuring that a robust plan is in place to securely destroy sensitive physical documents, according to Michael Borromeo, vice president of data protection at Stericycle, the provider of Shred-it information security solutions. With COVID-19 forcing many businesses to switch to a remote working environment this year, data protection is more critical than ever, so prioritizing employee training for the protection of data is essential, together with ensuring that employees have the resources and tools they need to safeguard information, Borromeo says.
While many people believe that data protection is the domain of IT and HR departments, it should really be regarded as a shared responsibility, according to Borromeo.
“With privacy frequently falling within the orbit of an organization’s legal department, in-house legal counsel often needs to take a leadership role in ensuring that the right security measures and training programs are in place, and that they are adhered to,” he says. “In-house counsel should lead by example. Are you putting confidential documents in the garbage or blue bin without having them professionally shredded first?…Be an advocate for protecting confidential information. Your organization will be better off because of it.”
Alarmingly, almost a quarter of C-suite executives and more than half of small business owners have no regular training on information security procedures and policies, the report indicates.
“What’s most troubling to see this year is the decline in employee training and policies against the backdrop of diminishing consumer trust and a higher frequency of data breaches,” says Borromeo. “Now, more than ever, organizations need to be taking greater steps to protect their data as a majority of consumers [86%] agree that physical and digital data security is a top priority when choosing who to do business with.” Moreover, only six per cent of C-suites and 14 per cent of small business owners operate in a paperless environment, the report found, indicating a need for stringent policies surrounding disposal of paper documents.
Compliance is another area of responsibility for legal departments, and astute in-house counsel will be closely monitoring expected changes to Canada’s Personal Information and Protection of Information Act.
External threats and physical property loss are the biggest information security threats to Canadian businesses, Shred-it’s report found. Only 41 per cent of organizations have a strictly enforced policy in place for storing and disposing of confidential information when employees work off-site. In fact, 45 per cent of small business owners have no such policy at all.
Consumer trust is another major concern as 83 per cent of consumers fear that private, personal information about them may be available on the internet, and 66 per cent are concerned that their private, personal information exists somewhere in paper format. Borromeo suggests that businesses can help to ease these consumer concerns by providing transparency on the collection of data, being proactive in taking data protection measures, and being honest in the case of a breach.
“On a day-to-day basis, provide transparency on what data is collected and retained, how it is stored and for how long, and how committed the organization is to protect is,” says Borromeo.
Shred-it commissioned Ipsos to conduct a quantitative online survey of 900 small business owners in Canada with fewer than 100 employees, and 157 C-suite executives in Canada with a minimum of 100 employees. The fieldwork was conducted between February 27 and March 9, 2020.