Chief Legal Officers face mounting compliance, privacy and cybersecurity obligations

After earning his master’s degree in computer science and working on the IT side of the business at a number of large financial services organizations, Bobby Balachandran observed one interesting thing: the legal department in these organizations had been left out of all the business process re-engineering projects that the rest of the business had undergone.

Spotting an enormous market opportunity to create a software platform that could effectively orchestrate all the various activities and processes overseen by the legal department, he took the risk of resigning and starting Exterro in 2008, at the height of the global financial crisis. His vision was simple: he wanted to apply the concepts of process optimization and data science to how companies manage digital information and respond to litigation.

The company started by focusing on building a process engine and applying it to e-discovery. Thirteen years, one institutional investor and two acquisitions later, it offers a unified platform that helps general counsel (GC) and chief legal officers (CLOs) manage challenges related to e-discovery, data privacy compliance obligations, Data Subject Access Rights, digital forensic investigation and so on.

While Balachandran, in his double role of president and CEO of Exterro, steered the company forward, the role of the GC/CLO changed, and the groups reporting directly (or with a strong dotted line) to the GC/CLO expanded to include Compliance, Privacy, Legal Operations and Cybersecurity.

In this interview, we’ve asked about his view of the legal governance, risk management and compliance (GRC) field, the challenges legal departments are struggling with, and the changes that have to be made to successfully meet them.

[Answers have been edited for clarity.]

How are companies’ legal departments changing to meet the needs of their organization and the needs arising from worldwide changes?

Organizations face much more regulatory compliance and privacy scrutiny than ever before, and everyone is under a constant threat of cyber breach or attack. Legal plays a critical role in ensuring that all compliance obligations are met, and overall risk to the organization is mitigated.

I firmly believe a new strategy is required to deal with these new converging market forces, one that is rooted in data management. What we’ve observed over the past couple of years is how you treat data is key to addressing so many of the concerns facing your organization. How an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value. All of these greater trends have combined to create new business challenges that no longer can be addressed by a single organizational department.

Let me give you an example:

Let’s say your company receives a California Consumer Privacy Act data access request.

First, you must securely validate the requestor’s identity. Then, you must route the request appropriately and act on it promptly. The person or group responsible for the data must locate it, collect it, review it, possibly redact information and then securely deliver this information to the requestor.

You can see how this request quickly crosses conventional divisions and responsibilities—it’s not just someone in your Privacy department’s responsibility – she will need to work with someone with expertise in e-discovery. And, if that user submits a request for data deletion, things get even more complex, because before deleting anything, you must first confirm that the information can legally be deleted (as it can be subject to retention requirements imposed by regulatory compliance obligations or a legal hold).

In this demanding environment, traditional approaches to enterprise data inventory and management are inadequate.

To help put this process into perspective, we like to ask six simple questions:

1. Do you know where your data is?
2. Do you know who owns your data?
3. Do you know what regulations govern your data?
4. Do you know what third parties have access to your data?
5. Can you forensically prove data integrity throughout all the processes that use your data?
6. Can you easily and quickly respond to requests for your data?

We believe the less confidently you can answer those questions, the greater the risk is to your overall organization.

What new strategies should Chief Legal Officers implement to manage their legal GRC obligations?

I believe one should start with the recognition that the old way of doing things isn’t sufficient now and certainly won’t be going forward. I’d start with implementing a robust, enterprise-class data inventory solution – one that is easily updated and not only answers the questions above, but also gives insight into the context under which that data was created and used, because that’s critically important when it comes to ensuring compliance with privacy regulations and data disposition/retention obligations.

I’d recommend taking a process-centric approach to everything – build consistency, transparency, and most of all, defensibility into everything related to legal governance, risk and compliance.

What challenges are legal departments struggling with? How has the advent of ransomware and the last few years of increasing data privacy legislation affected them?

In the recently released Association of Corporate Counsel (ACC) 2021 Chief Legal Officer Survey, cybersecurity, compliance and data privacy top the list as the most important issue area for businesses for the third straight year. But, for the first time, cybersecurity overtook compliance for the top spot. This just wasn’t the case 15 years ago – legal was mostly responsible for providing legal advice, managing litigation, and protecting the organization in the market. Now, there is so much more they have to address.

At the same time, the legal department is under immense pressure to cut costs without sacrificing quality service to the organization. That’s one reason why the ACC report also highlighted that legal operations continues to grow. It’s telling that 61% of legal departments now employ at least one legal ops professional – and that in 2015 this was just over 20%! It’s telling because it demonstrates the need and recognition for legal to become much more process-oriented than they ever were before, and because it shows how fast this has happened over the past few years, but perhaps more interestingly, how much further it has to go.

There are roughly two in five legal departments that are still trying to make do with outdated, ad hoc approaches, and this simply won’t suffice now in our current era of increased data privacy legislation.

Consider just a few potential risk areas related to legislation: if the company has a security incident or breach, there are now rules in every single state related to the reporting and notification obligations if personally sensitive data is impacted, with very short turnaround times. Legal has to quarterback these obligations but require the ability to quickly understand the scope of the incident, what data was affected, where the affected individuals reside and what the reporting obligations are or risk missing deadlines in those jurisdictions and exposing the company to fines and other negative outcomes.

Further, if the organization does not have a consistent, defensible data retention/disposition process, they can run afoul of specific obligations within privacy legislation.

Finally, while the right for consumers to request what information you have stored on them and what you do with it is well understood, when employees are added in the coming years, the problem becomes much, much more difficult. Think of all the systems, applications and places where employee data resides within an organization. The ability to comply with these privacy regulations is growing in difficulty and can’t be done without a strong data governance practice in place.

What changes do you expect to see in the legal GRC field in the next 3 to 5 years?

We are just in the early stages of the Legal GRC field. Similar to how quickly legal operations is growing, I expect to see most organizations formalize their approach to Legal GRC within 5 years.

Data Management will become a critical function within companies, and you’ll see huge advancements in how AI is used and adopted within Legal GRC technology and teams.