What Lessons Can Law Firms Learn From Cambridge Analytica/Facebook Data Breach?

Although it is only April, there is little doubt the Cambridge Analytica/Facebook data breach will be one of the year’s biggest scandals.  It is now clear targeted ad campaigning on social media was used to influence voters in the Trump election campaign, and there is increasing evidence the same tactics were used by the Vote Leave campaign[1].  Despite the headlines, it is likely many people were already aware of targeted advertising on social media and Russian troll farms churning out biased or misleading comments under online news articles[2].  What has shocked much of the world’s population out of its complacency now, however, is the widening comprehension that anyone who shops online, uses social media, or even just surfs the internet is complicit in the scandal.  Because for years, we have all willingly provided companies such as Google and Facebook with information about our private lives we would never permit our government to collect without a protest[3].

In one of the most widely read and commented articles in the Guardian at the end of March, Dylan Curran, a data consultant and web developer, who undertakes extensive research into spreading technical awareness and improving digital etiquette, stated:

This information has millions of nefarious uses. You say you’re not a terrorist. Then how come you were googling Isis?  Work at Google and you’re suspicious of your wife? Perfect, just look up her location and search history for the last 10 years. Manage to gain access to someone’s Google account?  Perfect, you have a chronological diary of everything that person has done for the last 10 years.

This is one of the craziest things about the modern age. We would never let the government or a corporation put cameras/microphones in our homes or location trackers on us. But we just went ahead and did it ourselves because – to hell with it! – I want to watch cute dog videos.”

Aside from medicine, the profession which holds some of the most sensitive information about the lives of people, governments, and corporations is the law.  Therefore, it is important for CIOs in legal practices to continuously assess risks to data security and manage them accordingly.

Due diligence and third-party suppliers

Large chunks of many solicitors’ hours involve undertaking due diligence for their clients; be it concerning property, or a business or commercial contract.  However, when it comes to engaging third-parties to deal with tech and e-Discovery matters, the due diligence process is paid scant attention.

It is imperative that prior to engaging a third-party to deal with client data, their data security policies and procedures, breach notification practices, and ongoing risk management and audit frameworks are compliant with domestic and international regulations.  After 25th May 2018, compliance with the General Data Protection Act (GDPR) is essential.

How far will GDPR go in preventing major data breaches?

The GDPR significantly shifts power back into the hands of data owners.  All organisations, including law firms must quickly be able to identify the data they hold on a person, why it has been collected, and how it will be used.  In addition, any data breaches must be reported within 72 hours if possible, and no longer will businesses be able to withhold the fact that a data breach has occurred without facing serious penalties.

The biggest gap identified with GDPR compliance is data shared with third-parties.  Many organisations, including law firms, have no idea who has access to the data they hold on particular individuals.  This is why data mapping is so important under the GDPR; for example, going forward, all data relating to a cross-border M&A will need to be contained and tracked to ensure it can be amended or deleted at the request of the data owner.  In addition, before any data can be shared with a third party, such as an overseas regulatory agency or potential buyer in an M&A project, all personal information has to be anonymised or pseudonymised.   Therefore, the idea that eDiscovery is only applicable to litigation is now outdated.

The strengthening of the GDPR

The Guardian’s article on Cambridge Analytica/Facebook data breach[4] and Channel Four’s corresponding sting on CEO Alexander Nix “could help not only strengthen the credibility and enforcement of the GDPR globally, but it could also quash any hope that the stricter proposed ePrivacy Regulation will become more lenient, according to industry observers”[5].  It is also likely to make the defence of ‘legitimate interest’ paper thin.

The bottom line is – law firms on both sides of the Atlantic need to ensure their GDPR compliance policies and procedures are ready for next month.  In addition, a framework for checking and monitoring the data accessed and used by third-party suppliers must be in place.

There is little doubt more significant data breaches will occur in the near future.  And as the public wakes up from its decade-long inertia regarding how businesses, including law firms, use their personal data, we can expect the demand for the severe penalties provided by the GDPR to be used to their full extent.

For those behind the creation of the GDPR, the Cambridge Analytica/Facebook scandal could not have happened at a better time to illustrate why the regulation is so desperately required in today’s digital world.

Lineal is a global leader in providing flexible eDiscovery and litigation support.  To find out more about eDiscovery and the GDPR, please call us on +44 (0)20 7940 4799 or email info@linealservices.com.

Do you have any comments to make on this article?  Please feel free to add them in the comments section below.

[1] https://www.theguardian.com/politics/2018/mar/24/brexit-whistleblower-cambridge-analytica-beleave-vote-leave-shahmir-sanni

[2] https://www.washingtonpost.com/news/worldviews/wp/2018/02/17/a-former-russian-troll-speaks-it-was-like-being-in-orwells-world/?utm_term=.fb1a036cf66a

[3] https://www.theguardian.com/commentisfree/2018/mar/28/all-the-data-facebook-google-has-on-you-privacy

[4] https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-faceook-nix-bannon-trump

[5] https://digiday.com/media/facebook-cambridge-analytica-fallout-extends-gdpr-eprivacy-enforcement/