Thomson Reuters: Down the Hall with Practical Law

Privacy and Data Security: Understanding the Legal Landscape

 

In this episode of Thomson Reuters Down the Hall with Practical Law, Privacy & Data Security Senior Legal Editor Mel Gates covers cybersecurity and privacy issues. Mel recalls the career journey that led her to Practical Law and covers why it can be challenging for organizations to understand and comply with the myriad regulations surrounding data security. She explains how the most successful companies handle compliance, breaking down which industries are especially at risk for data breaches and why they are attractive targets for hackers. She also discusses how lawyers can help companies understand the fiscal and legal repercussions associated with a data breach and aid them in managing that risk. Mel closes the interview with a conversation about current trends in regulatory obligations and data breach litigation and provides resources that you can use to stay up to date with changes in data security regulations.


10/06/2016

[Music]

Intro: Welcome to Thomson Reuters: Down the Hall with Practical Law. The show that provides practical insights and expert know-how on trending legal issues. No legalese, just expertise, with your host, Renee Karibi-Whyte.

[Music]

Renee Karibi-Whyte: Hello, and welcome to Thomson Reuters: Down the Hall with Practical Law. The show that provides practical legal know-how that makes lawyers’ lives easier. I am your host Renee Karibi-Whyte and today our guest is Mel Gates, Senior Legal Editor specializing in privacy and data security.

Welcome Mel.

Mel Gates: Hi Renee! Thanks for inviting me.

Renee Karibi-Whyte: I am really glad to have you here because privacy is such a big issue. Before we get started though, I want to learn a little bit more about your background. How did you come to Practical Law? What did you do before? What’s your background in privacy and data security?

Mel Gates: Well, sometimes I think of it as a bit of a winding road but I’ll try to do the short version. I spent about 20 years in information technology and telecom, and I wrote code back in the days when hacking was a good word that we were all proud of, so that probably says something about my age. But, I did a lot of different work; it was a very exciting time in information technology because we were starting to bring computers out of the mainframe world and closer to users and more distribution of data. So a lot of fun things, lot of user interaction.

Somewhere along the road I discovered that I had a bit of a knack for explaining a lot of the technical details to the humans in the room. And so, I took on more and more leadership positions, I got very involved in cybersecurity and risk management. I served as the Chief Information Security Officer for a large telecom company for about seven years, and then I started getting more involved in policy and risk management kinds of questions and often found that I was the only techie in the room full of lawyers. And while they were really smart people, a lot of them I realized just didn’t have the technical framework or mental model to really think about how to handle privacy and data security issues.

And at about the same time I was looking for something different to do. I wanted to step off that operational treadmill, and so, of course, the only answer was go to law school, right?

So I did that and I was in private practice for roughly maybe a little less than five years and then I joined Practical Law last fall. It’s been a great transition, it’s just an exciting group to be with. There is such a depth of expertise and so many different experiences that come together at Practical Law. It’s a lot of fun.

Renee Karibi-Whyte: And so, what does your team do at Practical Law?

Mel Gates: We do content development in the privacy and data security space. And so, I like to think of it as researching, teaching, helping; we are helping lawyers to absorb and integrate privacy and data security issues, help them understand what they need to do to address specific problems, whether they are working in-house or in a law firm, and so we do a variety of different kinds of resources. Of course, most of our work is done in written form but we do occasionally get out and do some presentations and other kinds of things too.

Renee Karibi-Whyte: Okay. Well, we are going to get started with today’s topic, which is on, of course, Privacy and Data Security. As a citizen and consumer we see these issues come up all the time; in fact, according to the Identity Theft Resource Center there have been over 450 breaches this year alone, and that was as of mid-June of this year. So in the legal context, we always hear about privacy and data security together, but the terms aren’t actually interchangeable. Can you talk a little bit about the distinction between privacy and data security?

Mel Gates: Sure, and I think like a lot of evolving fields, terminology tends to be a really difficult part of the privacy and data security space these days, because we are still sort of finding our way. Oftentimes privacy and data security issues are used interchangeably, but think of them as different perspectives on some very similar issues.

The underlying issue is how we handle data and how we protect data. But when we talk about privacy, we are usually talking about much broader issues of policy, the commitments that we make to individuals, how we collect information, what information we collect, how we use it, how we share it, all of those kinds of much again, broader issues, and in some cases in other parts of the world you will also hear the word “data protection” used to address that, and again, it’s all about how do we make sure people are informed and have appropriate control over data about them.

(00:05:07)

Now, of course, you can’t have privacy without security, right? Because how can I make a commitment to you about what I’m going to do with your data if I don’t know that I have it well secured and frankly looked after properly.

And so, a lot of times you can think of data security as a component of privacy, but at the same time data security is a much broader field to all of its own, and that’s where you hear also other terms like information security and cybersecurity, and in many ways data security, info security and cybersecurity are quite interchangeable with some slightly different perspectives considering who you’re talking to or the context you are in.

Renee Karibi-Whyte: So from what you’re saying it sounds like there are really two sides to this, protecting the data, the info security, data security, and then the compliance and commitment about what you are doing with the information, which is the privacy side. From your perspective, which is actually the bigger challenge?

Mel Gates: I think you’re spot on that these are really two aspects or two sides of the issue. I think they are both challenging for a couple of different reasons. One is, as you mentioned, we have a big compliance issue. In the US we don’t have a single framework or a single set of regulations around privacy and data protection, we have lots of them at the Federal level, at the State level, for particular sectors, for organizations that act as business providers or business partners to particular sectors.

And so, it’s a bit of a hodgepodge or a patchwork of laws, and so complying with all of those can be very challenging. And the compliance problem takes on those broader privacy issues; how do we use data, what do we collect, what kinds of commitments do we make to consumers, but the compliance issue also involves the data security aspect. Some of those laws and regulations dictate particular things you need to do to properly secure data to create a reasonable level of data security. But compliance from a security perspective is also not enough. And so risk, as you mentioned is, I think the very challenging part of cybersecurity, and that is how do we day-in and day-out stay ahead of the bad guys and manage our risk and reasonably protect data on an ongoing kind of basis.

And so you can tell what I’m saying that when we’re on the security side of the equation, it’s not just about checking compliance check-boxes, it’s about building an information security program that can keep up with the times and keep up with the changes.

Renee Karibi-Whyte: So how do the most successful companies actually do that compliance? What kind of resources do they dedicate to it? I mean obviously there are information security, technology people, IT people, how many lawyers do they use? How many privacy professionals do they use depending on the size of the company?

Mel Gates: Well, there are a lot of different ways to structure the organization. So I think there are two different ways to think about this; one is, organizationally what has worked in a lot of groups, and then in terms of the day-in/day-out work we need to do. And so, organizationally successful groups have often taken information security out of the IT group.

So oftentimes in the past we found the Chief Information Security Officer or the person who is tagged with managing information security — if they are buried down in the IT organization they are going to have just a natural conflict of priorities, because what does the IT group want to do? The IT group wants to make sure your computers and your software work all the time, and they want to give you more features, they want to give you more things you can do with your computers. What does the security person want to do? They want to keep things protected, they want to keep things stable, and so sometimes those priorities can clash.

What very successful organizations have done is recognized that difference in priority, taken that Chief Information Security Officer out of IT and moved them over into an independent group, maybe an ethics and compliance group, a risk management group, often reporting up through the general counsel so that they have a voice sitting at the executive table and at the risk management table.

Renee Karibi-Whyte: So it sounds like often it’s not even necessarily a lawyer who takes on that role?

Mel Gates: And so frequently the Chief Information Security Officer is someone with a technical background, in some cases it might be a lawyer, might be a technical person who has gotten a lot of training and insight on some other regulations.

(00:10:00)

They oftentimes have a colleague and that colleague is the Chief Privacy Officer. The Chief Privacy Officer, again, sometimes a lawyer, sometimes not; in my experience the Chief Privacy Officer is more often a person from the legal side of things and so you can have a great partnership and many successful organizations do this by having a Chief Privacy Officer who has a legal background and is thinking about policy and regulatory compliance and a Chief Information Security Officer who has a strong technical background who is thinking about how to protect data, and then, of course the most important thing is, those two folks need to be good friends.

Renee Karibi-Whyte: Like in so many different situations. Now you spoke a little bit about the overlapping of regulation on a State and local level and even international level, I imagine that there are some very specific regulations relating to the higher risk industries as well, can you talk a little bit about that and whether those regulations are actually aligned to the level of risk involved?

Mel Gates: Well sure, and you know, that’s the other side of what successful organizations do, right? They get the organization structure working well and then they also do a broad risk assessment and review of what are their compliance obligations. And you mentioned high risk industries, there are certainly privacy and data security laws and regulations that apply to groups that we — I think would all reasonably perceive as higher risk because of the data they hold.

For example, financial services, the classic thing, why is that data a target? Well, because that’s where the money is, right? Healthcare, we think about the information especially with the move to electronic health records that’s under way in the US today, very sensitive information, but at the same time very rich information that can help us all with improving healthcare for the community, so those are two industries that get a lot of attention.

Another sector that gets a fair amount of attention these days is student information and the education sector, and you may think, well, that schools and universities how big of a sector is that, but it’s also their service providers, cloud services, software, organizations that are helping them with online learning, and so, it’s a fairly big group.

So, yup, there are sector-specific regulations, but at the State and Federal level there are also obligations for anyone who holds personal information, and that’s personal information for your employees or personal information for your customers, so you can see what I’m getting to that’s just about everybody, it’s going to fall under the guise of some part of this patchwork of regulations.

Renee Karibi-Whyte: So Mel, in alignment with what you were saying, I just want to refer back to that study I mentioned earlier from the Identity Theft Resource Center. Interestingly of all of the over 450 breaches this year only 2.4% were from the banking, credit, financial industries, nearly 34% were in the medical healthcare arena, which is very surprising to me because I really — I’m surprised that people actually go after that information, 47% is the actual biggest category and that’s general business and then 11.7% is educational and 4.8% is government and military. So it doesn’t necessarily align with what one would think would be the biggest targets.

Mel Gates: Well, it may not align with targets from an intuitive perspective but it’s really notable for a couple of other trends and there are some places here where lawyers can really help, because I think oftentimes lawyers ask themselves – this big technical, privacy, cybersecurity world, how do I help? So what do those trends tell us? One of the things that that particular study and trend tells me is that there are sectors that are much more in tune with and sophisticated about their information security practices than others, because remember, risk is a combination of a threat, a bad guy that wants to come after me and a vulnerability, something that allows me to have an event.

Financial services has long been the big target. Again, why? Because the money lives there, because they’ve been a longtime target they have spent a great deal of time and energy as individual organizations, as industry groups, as regulators improving their cybersecurity practices and building up their sophistication so that they aren’t as vulnerable.

So what does that mean? The hacking community starts to go after other targets and other kinds of organizations, healthcare that you brought up, I think you are right, I think it’s very surprising to people what a target healthcare organizations are.

(00:15:01)

I worked with a lot of healthcare groups when I was in private practice and there are a couple of really interesting things going on there right now. One is, a big migration to electronic health records.

So you have organizations that have not been accustomed in the past to having their most valuable information stored electronically, now they do. When you implement those kinds of tools and data storage approaches, you have to build security in at the same time, clearly those trends show us that not everybody is thinking about security and building it in, and frankly while the HIPAA regulations have been increasingly enforced and over the last few years we’ve seen a lot more come out of the Federal side around healthcare information technology and what you need to do to secure data. In the past it just didn’t get as much attention.

Then your third group that you talked about, general business and retail, well again, you want to think like the attacker thinks. If they are not able to get to that financial services target because they are less vulnerable than they used to be; then, now they’re going to go after what are perceived as softer or easier targets and those organizations perhaps because they have not gotten as much regulatory attention in the past, have not put as much focus on information security, and here’s my point of how lawyers can help.

Lawyers that work with these kinds of organizations can help them understand the risk that they are subject to, and so, now we come full circle and say this isn’t just about compliance, it’s about managing our risks. Because ultimately organizations that suffer data breaches have problems in the marketplace, plenty of studies show that customers are less willing to do business with organizations that have data breaches, their stock prices go down, their business partners become skeptical of them so it’s tougher to negotiate, it’s more than just checking that legal compliance check-box, but lawyers can connect those two things in a unique way that technical people and businesspeople may not be seeing.

Renee Karibi-Whyte: So where do the biggest risks come from? Is it from employees, from hackers, from foreign governments, in terms of all of those different categories, who are the culprits in terms of making those breaches?

Mel Gates: Well, I think that list you gave Renee is, it’s the classic list, right? There are plenty of different kinds of threats and attackers out there. Sometimes they are internal threats. So sometimes our employees are disgruntled, sometimes they are criminal, sometimes you have employees that steal personal information to commit identity theft, sometimes our employees are just having a bad day and they make mistakes, and that’s a really critical part of information security too is the human side and training our employees. So that internal threat is a big one, and lawyers can be very helpful in identifying and working with their human resources groups, their technology groups to help improve that internal base.

But the external threats are a big deal too, obviously, and those are the ones that we tend to hear a lot about. Hackers with serious agendas whether those are criminals, nation-state actors, organizations looking to steal intellectual property, there are a variety of motivations, but I want to offer that we give too much attention to the threat side of this equation, because frankly the threats are out there, they’re going to be out there but the vulnerability side is something that we as lawyers and we as organizations who hold information can really do something about. So if we put a little bit more of our focus on the vulnerability side and proactively protecting ourselves, not as flashy as all that media attention that the latest breach and the latest hack gets, but very effective in terms of protecting organizations.

Renee Karibi-Whyte: So what does that look like? How do we put our focus on that side?

Mel Gates: Well, there are a couple of different ways to look at it, one is to first look at the regulations and laws that an organization is subject to and we talked about those, at the Federal level, we have sector specific laws and regulations, around banking and healthcare and student information and some others, but the Federal Trade Commission is also very active with any commercial organization that stores personal information, and especially if they make promises to the consumers from whom they collect that information about how they are going to protect it, and so we have that Federal set of laws.

(00:20:03)

Then at the State level, we have 47 out of 50 states, plus most US territories have data breach notification laws. So different laws that require an organization that suffers a breach to notify individuals, notify regulators in some cases who will then go investigate and may take action, and notify the media.

But here’s a really important trend that I think a lot of folks are less aware of at the State level, and that is the trend towards more proactive data security law and those are laws that say not only do you have to tell people when something bad happens but you have to do exactly what we’ve been talking about. You have to proactively take steps to implement reasonable data security measures to keep those bad things from happening in the first place, to close that vulnerability window.

So lawyers can help out by first surveying and understanding that patchwork of laws and regulations, helping their business leadership understand these compliance obligations, the very real risk they have. And then the next big step is risk assessment and risk assessment is all about knowing your organization, knowing your data, knowing your vulnerabilities and then most importantly doing something about them so that you can close that window of risk.

Renee Karibi-Whyte: So what if I’m working at a company and I am someone with a background similar to yours, and I really know what I’m doing, I have assessed the risk, but no company is an island, everyone has business partners, they have suppliers, they have customers that may access the data in other ways. How do you control for those types of scenarios?

Mel Gates: Well, I think you just hit on another important trend in privacy and data security that’s getting a lot of attention and it’s something that lawyers need to be aware of because they are the ones negotiating contracts in most cases. And that’s business partner, service provider and supply-chain governance.

If you dig a little bit deeper into some of those breach trends, what you’ll find is oftentimes businesses are suffering data breaches either because one of their service providers, someone else who’s holding their data or can access their network, suffers a breach and that becomes a way into a company’s network and data, or because one of those business partners had, let’s call them, lax security practices and a hacker was able to steal credential information like a password to an important system. So that means we can’t just think about risk assessment for our own environment but we have to be looking at that entire service provider supply chain.

And so part of that is doing upfront due diligence before we engage with a service provider that’s going to hold information on our behalf or access our IT systems; we want to understand what are their security practices. Do they understand the regulations? Do they understand just good solid information security standards and have they implemented those? And are they willing to prove to us that they have?

Then at the contracting stage, we want to put provisions in our contracts that hold them to those kinds of standards. So reasonable standards of data security, industry standards in addition to applicable laws and regulations, the kinds of things that we talk about in our Practical Law resources, and then we also want our contracts to address how do we handle it if and when a bad thing happens?

And that’s really two important steps; one, incident response, making sure that service provider is on the hook to notify a customer if a data breach or an event has occurred, and then cost-sharing, making sure that that service provider is going to be responsible for picking up costs associated with the data breach, which can be very significant if we’re talking about notifying hundreds or thousands or tens of thousands or, in some of the retail breaches that we’ve seen in the last couple of years, literally millions of consumers who need to receive notification. We may be offering them credit monitoring, those costs stack up and so we want to make sure our service providers are contractually obligated to do those kinds of things.

Renee Karibi-Whyte: Are those contracts typically litigated? Like are there risks to doing it wrong even if you are contracting those risks away or think you’re contracting those risks away?

(00:24:55)

Mel Gates: Sure. I think you can look at these kinds of situations and have to recognize that when a data breach occurs, the fingers are going to start pointing in different kinds of ways.

And so oftentimes those contracts and that cost allocation in particular is very important to have those laid out clearly and to maintain a good business relationship upfront, and part of maintaining that relationship and minimizing the likelihood of a dispute is to also do ongoing service provider oversight. In other words, checking up on our service providers on a regular basis to make sure they have the right processes in place, they’ve been following the right standards and we all in these business relationships whether it’s the lawyers involved, the businesspeople or others understand and are prepared for how to handle an event; that means having an incident response plan in place and exercising it, and including those critical service providers in those exercises so that no one is surprised.

Renee Karibi-Whyte: So it sounds like people should have a plan in place beforehand no matter what even if a potential breach is the last thing from their mind.

Mel Gates: You bet, and this is one of the things again where lawyers can be very helpful because business folks are busy day-in and day-out doing exactly what they do in driving the business. As lawyers, we can help them to understand risks that they may be subject to, and plan for and prepare for those risks.

So developing an incident response plan is a critical element of any organization’s information security program, that means thinking through ahead of time what kinds of scenarios might occur, what kinds of data do we have and if we suffer a data breach for consumer information or employee information, what are we going to need to do, who will we need to contact, what sort of outside counsel or outside service providers might we want to have in place.

Mapping all of that out and then most importantly exercising it, it’s the classic fire drill kind of experience. Run a scenario, run an exercise and step through what you’re going to do if a real event occurs. That way you know how you’re going to handle things, you’re prepared and you’re able to respond because when data breaches happen and I’ve worked through a lot of them both as a CISO and as outside counsel, they happen very quickly, each one of them is unique and so they’re difficult to investigate, it’s a high anxiety scary time for a business. So it’s even more important that they are prepared upfront.

And in many cases the laws and regulations around privacy and data security require that we have a reasonable response plan in place. So it’s also part of doing the right thing from a compliance perspective.

Renee Karibi-Whyte: Now, you spoke a little bit about the culpabilities and liability that attaches to this, let’s say someone has performed their testing, they have an airtight incident response plan and then something does happen. What in fact are the risks of a breach and litigation risks after that aside from the risk to the company reputation, which you’ve mentioned earlier?

Mel Gates: Risk management is really what we’re talking about here because as you point out, Renee, breaches happen, right? Organizations with very sophisticated programs who engage in a lot of due diligence, who are doing the right things still have data breaches. Why does that happen?

Well, frankly, information security is hard. Day-in and day-out, it requires a great deal of ongoing vigilance and you have to be perfect, I mean, that’s something that is important to keep in mind from a technical perspective. There are lots of things we can do from a security controls perspective and we need to do those things to minimize our vulnerabilities, but we can’t be 100% all the time.

The hacker on the other hand, they’re all about being opportunistic. Right? I think there’s this sort of thinking out there today that the hackers are the smartest guys and gals in the room, and I disagree. They are not smarter than the rest of us, but they are very diligent and they are very opportunistic, and add in there that they are very patient. What does that mean?

That means that they’re going to find a gap. And so, even if we’ve gone through all the right steps on any given day, we may have a gap and that vulnerability may be exploited. So what does that mean to us in terms of liability? Well, litigation risk is very real. It is not uncommon in today’s world when a company suffers a data breach, after they make the announcement of that data breach oftentimes the breach litigation comes on the same day, it is literally filed on the same day.

(00:30:09)

So you’ve got to expect that that litigation is going to come. Now, how do you address that? Well, one thing that is an ongoing trend in data breach litigation is the ability of these class-action plaintiffs to demonstrate harm or not. So oftentimes these cases can be addressed by the company that has suffered a data breach at motion to dismiss stage because the plaintiffs are not able to demonstrate that they’ve suffered actual harm.

And this can be because for example, with payment card breaches, consumers are protected from payment card fraud. Companies that offer credit monitoring or take steps to help individuals protect themselves from the fallout of a data breach can help to minimize that harm. And so a number of these cases have been dismissed; however, there is also a set of cases particularly in the Seventh Circuit over just the last few months or so where the court has been willing to say, you know what, maybe some of that identity theft risk, maybe some of those issues are enough to demonstrate harm. And so my point is, we need to treat this litigation risk as very real and be prepared to deal with it.

One way organizations can deal with that is the same way they’ve addressed risk management in other areas of their business and that is by putting cyber insurance in place. So just like I have insurance programs to protect me as an organization from other kinds of unforeseen events, I can also put cyber insurance to help protect me from the costs associated with a data breach.

Renee Karibi-Whyte: Okay, so that’s a really great overview of the landscape right now. I know that there have been some recent changes internationally, particularly on safe harbor that caused some problems for US companies with overseas operations. Can you explain what that change means for those in other companies?

Mel Gates: You bet. We’ve been talking about that patchwork of regulations and how complicated privacy and data security can be to address from a compliance point of view and from a risk management point of view just in the US, but now when we start thinking about most companies or many companies these days that operate in a global space or they aspire to operate in a global space, we almost have to take a deep breath and realize, wow, it’s even more complex because the reality is the way we view privacy in particular in the US is very different than the way privacy and data protection are viewed in other parts of the world.

And the one that you mentioned is the one that’s probably getting the most attention these days, although it’s not the only global regime out there, and that is the EU approach to privacy and data protection. And in the EU, it’s important to remember that personal information and privacy personal information are treated as a fundamental right, it’s a part of the European Convention of Human Rights and there is a very strong, consistent legal and regulatory regime in place that addresses any form of collection and use of personal information.

Renee Karibi-Whyte: Why do you think it’s so different there?

Mel Gates: Well, we have to think about culturally the difference in experience for the US and Europe. This is something I think that’s very difficult for Americans and American businesspeople to recognize, but if we take a step back and we look historically, it makes a lot more sense. I was very fortunate a few months back to attend a presentation from a member of the EU delegation to the US. So these are the folks that represent the EU to the US.

And this individual was speaking to a group of about 75-80 American lawyers and he was broaching this subject and he said, you know, this is kind of a brash way to explain this, but I want you to understand why we think about privacy so differently so that we can work together. So here it is.

In Europe it was only 50 or so years ago, so only a generation or two, when the personal information that someone held about you, who you worked for, what you did, where you went to school, what kinds of books you read, who you associated with, things that you bought, made the difference between whether you and members of your family got a bullet in the back of your head or not.

(00:35:00)

So in other words it’s very visceral. It’s important to them because they have seen what can happen when individuals are classified or categorized and they’ve had that experience in the very recent past. As Americans we don’t think of personal information that way. And so we have to recognize that the two legal approaches are coming out of a very different cultural experience.

Renee Karibi-Whyte: And that puts it in a whole different perspective, because I would imagine even you as a privacy professional don’t read every single HIPAA notice or a website privacy policy that you come across.

Mel Gates: Well, I am a privacy geek so I read a lot of them but I will admit that I don’t always read them because oftentimes what I’ve done is I’ve read enough of them to make decisions about what companies and what organizations I trust and I think that’s what a lot of folks do. But for lawyers, it’s important to recognize those global differences and especially all the change that’s happening in the EU.

So companies that are operating in a global community have to be very aware of these things, and again, this is a place where lawyers can be in tune with their business strategies and priorities and be very helpful to identify these issues upfront. When a company starts thinking about expanding their marketplace, that’s the time for the privacy and data security lawyer to get involved and say, well, let’s talk about what we need to do to make sure we’re handling data properly because the rules of the game are different than they are in the US.

Renee Karibi-Whyte: Well, Mel, I want to thank you so much for joining us today and really helping us get our bearings with respect to privacy and data security.

If someone wants to learn more about this area and get more specific information, keep up-to-date with the changing regulation, perhaps find some model language for agreements to address potential culpability, where should they go to get that information?

Mel Gates: Well, there are so many resources for privacy and data security these days. It’s important to go to a place where you can really rely on trusted answers, and those are the kinds of things that we do at Practical Law. We explain the law in our practice notes. We provide standard documents that are great starting places whether it’s creating an information security policy or putting that service provider contract in place and we help lawyers very quickly in a very practical, action-oriented kind of way understand these issues and take the steps that they need to take whether they are in-house counsel or they are law firm counsel that might be new to some of these kinds of issues.

Renee Karibi-Whyte: Okay, thank you Mel. And before we wrap, because we do specialize in providing know-how to help make lawyers’ lives easier, can you just share a piece of advice that you’ve received that made your life easier, personally or professionally?

Mel Gates: I think back to when I first started getting involved in privacy and data security and one of the things that made the biggest difference from my being successful as an information security professional and it was, listen to your business, listen to what they want to do and help them find a way to yes. So often as lawyers and compliance professionals, we get tagged with, you are the no-person, and that’s not helping the business. People want to do the right thing and if we listen to them and we help them find a way to yes, in my experience we can very often find that way to yes.

And on the rare occasion when we can’t find the way to yes, if we’ve listened and we’ve cultivated that relationship then the business side understands and they’ve probably found another way to meet their goals. So listen and find a way to yes, my favorite one.

Renee Karibi-Whyte: That is great advice for any lawyer who wants to reach that coveted status of true business partner.

So it looks like we’ve reached the end of our program. Thank you again, Mel Gates, Senior Legal Editor with Practical Law for giving us a great sense of bearings on privacy and data security.

Mel Gates: Thanks Renee. It was a pleasure.

Renee Karibi-Whyte: This has been another edition of Thomson Reuters: Down the Hall with Practical Law. I am Renee Karibi-Whyte. Until next time, thank you for listening!

[Music]

Outro: If you would like more information about today’s show, please visit legaltalknetwork.com, subscribe via iTunes and RSS, find both Thomson Reuters Practical Law and Legal Talk Network on Twitter, Facebook and LinkedIn, or download the free app from Legal Talk Network in Google Play and iTunes.

The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Thomson Reuters, Legal Talk Network or their respective officers, directors, employees, agents, representatives, shareholders or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.