Data Privacy Archives - BetterCloud

How BetterCloud Enhances File Management and IT Efficiency for Law Firms
https://www.bettercloud.com/monitor/bettercloud-for-law-firms/
Fri, 23 Jun 2023 16:47:45 +0000

In the fast-paced and sensitive world of law firms, efficient file management and IT operations are crucial. With highly transient workforces and a unique organizational structure, traditional file management systems and processes often fall short. However, by leveraging BetterCloud, the market-leading SaaS management platform, law firms can overcome these challenges and streamline their file repository management, user lifecycle management (ULM), and application discovery. In this blog post, we will explore the major use cases and benefits of implementing BetterCloud for law firms and how it enhances file management and IT efficiency.

File Repository Management

Law firms have been steadily modernizing their technology stacks over the past several years, and a major component of this modernization is moving toward cloud-based document management systems (DMS). Cloud-based DMS – like Dropbox, Google Drive, and O365 – offer significant advantages for remote workers and bring new levels of efficiency and productivity to legal professionals. Data from the American Bar Association shows that legal teams are adopting these general-purpose cloud DMS solutions much faster than the specialized legal-specific solutions they relied on in the past.

With the advent of these new technologies comes an increase in the velocity of sensitive content – both in creation and dissemination – that makes it difficult for centralized IT teams to adapt. This is an acute pain felt during offboarding when a legal professional leaves the firm or is reassigned from a matter and visibility into files is lacking. This forces the IT team to be responsible for finding, managing, and retaining critical documents in systems they have little oversight of.

BetterCloud addresses these challenges by giving IT comprehensive insight into who owns and shares documents across the top cloud DMS providers it integrates with. It offers robust reporting, enabling accurate and efficient management of these systems, and supports batch operations such as file transfers and unsharing, streamlining content management during offboarding.

User Lifecycle Management

Law firms are undergoing rapid digital transformation and adopting numerous cloud-based software solutions. This introduces complexity as users require immediate access to multiple SaaS applications and the existing processes may not be mature enough to meet these new business needs, causing inefficiencies and delays.

BetterCloud’s no-code solution empowers lean IT teams to develop automated workflows for onboarding and offboarding processes. By automating these processes, BetterCloud improves time to delivery for IT, enhances adherence to service level agreements (SLAs), and provides an improved – and secure – employee experience. 

BetterCloud’s platform ships with the most common alerts and templated zero-touch workflows that automatically resolve routine IT issues, like password resets and app requests. BetterCloud customers have cut these common IT tasks by up to 78% and delivered real results for their stakeholders.

Application Discovery

Law firms often work with clients who require the use of specific tools that may not be officially supported by the firm’s IT department. This results in users creating accounts and storing sensitive data in disparate systems beyond IT’s control. These environments often surface late in the engagement lifecycle, leading to additional overhead during offboarding processes.

BetterCloud’s application discovery capabilities empower IT teams to proactively identify shadow IT and remediate the usage of unsanctioned systems across the enterprise. Quickly identifying such instances allows the IT team to mitigate security risks and align applications with the firm’s approved solutions. This capability becomes particularly valuable during initiatives like application consolidation, where BetterCloud’s insights facilitate the transition to a more streamlined and controlled IT environment.

Efficient file management and IT operations are critical for law firms to ensure data security, regulatory compliance, and streamlined processes. BetterCloud offers law firms the tools necessary to enhance file repository management, user lifecycle management, and application discovery. By leveraging BetterCloud, law firms can improve accuracy, efficiency, and visibility across their systems, ultimately leading to better file management and data security. Request a demo today to learn more about how BetterCloud can help address the unique needs of your IT team.

It’s My Data and I’ll Delete It If I Want To: Individual Rights Under CCPA
https://www.bettercloud.com/monitor/individual-rights-ccpa/
Mon, 24 Aug 2020 19:15:52 +0000

With the implementation and enforcement of CCPA, and with additional legislation on the way, individual rights as they pertain to personal data are having a moment.

So what do these enhanced individual rights mean for a business that wants to stay on the right side of compliance?

What does it mean, internally, for tracking data through systems and keeping tabs on who has access to it? And externally, what rights do you need to honor, and how will it impact your customer relationships and your business practices?

Individual rights, for purposes of our discussion, are all about giving a person control over their personal information. Respecting individual rights is essential for building a strong brand culture of trust and sustaining relationships with your customers, vendors, and employees.

Failing to respect those rights creates negative experiences, and those don’t just impact the immediate issue (though they absolutely do that, too). Each one erodes the hard work of your marketing and sales teams, throws a wrench in your operational practices, and, taken together, damages your long-term business strategy.

When it comes to compliance considerations, this breaks down into six different areas.

#1: Right to notice

You have to tell your customers about your data collection practices. Full stop. This is one of the big-ticket items for individual rights. Moreover, you have to tell them:

  1. At or before the point of collection what categories of personal information you’re gathering and why you’re doing it
  2. What your privacy policy is
  3. How to get in touch with you about any of this

If you’re an online-only business with a direct connection with customers, an email address or contact form on your website will suffice. But for all other businesses, you need to provide a toll-free number plus one other method of contact (email, website form, or physical form).

#2: Right to request access to information

Under CCPA, your customers have the right to request access to their information. This means your data inventory needs to be up to date in order for you to be able to fulfill the request. You should be able to articulate:

  • What categories of personal information you’re collecting
  • What categories of source the personal information is collected from
  • Business and/or commercial purpose for the data
  • What categories of third parties you’re sharing personal information with
  • What pieces of personal information your business holds about them

This might seem pretty detailed—and it is! You need an easily accessible and complete population of information about every single one of your consumers.

Let’s take a moment to really drive home the point: It becomes really important to stay on top of your data inventories. What’s your workflow? Are you using the best tools for the job? Are you staying on top of the process? (Nothing in privacy is ever a one-and-done deal, after all!)

Here the IT team has an edge: it knows where the data actually lives, and that’s a big win. Fulfilling an individual rights request takes both the business owner, who approves it, and the IT team, who can actually find and assemble the data.

#3: Right to get data in an easily accessible format

When you have a consumer’s data, they have the right to know if it’s being transferred (i.e., sold or shared). But they also have the right to get this information in an accessible, easy-to-understand format.

Upholding this right isn’t just good because it’s what you’re supposed to do. Making data accessible and understandable for customers goes a long way to supporting a culture of trust and transparency with them.

#4: Right to deletion

Your consumers can ask you to delete the personal information you collected directly from them. Data collected from other sources is outside this right, and even directly collected data can be retained when it falls under one of the statutory exceptions.

Experts agree the law gets vague here when it comes to the listed exceptions. You don’t have to delete information if it’s:

  • Necessary for detecting security incidents
  • Required for exercising free speech
  • Needed to protect against or defend legal claims
  • Used internally in ways reasonably aligned with the consumer’s expectations

Again, here is where the business and IT teams must collaborate. Typically the business owner will approve the request and will rely on the IT team to ensure the data is appropriately deleted.

When there’s a mapped out process on how to handle these requests, the communication between the teams will run much more smoothly and can be completed in a timely way.

#5: Right to opt-out

Under CCPA, opt-out is the right to direct a business to stop selling your personal data. “Sale” is defined broadly: disclosing or transferring personal information to another business or third party for monetary or other valuable consideration.

The right to opt-out also provides for minors. Consumers under the age of 16 are treated as minors, and you can’t sell their personal information unless you have an explicit opt-in: from a parent or guardian for children under 13, or from the minor themselves if they are between 13 and 15.

Knowing where the data lives is critical for the business process owner. To honor an opt-out, the IT team will likely need to be involved, whether that means pulling the individual out of a downstream feed via an API, updating the data warehouse, setting a suppression flag in the system of record, or some other method that actually stops the data from being sold.

#6: Right to equal service and price

Equal services are perhaps the most important piece of this puzzle. You absolutely cannot deny a consumer equal service and prices if they chose to exercise their rights.

This contrasts with the fact that you can offer financial incentives for sharing data. However, incentives must correspond to said data’s value, and the individual must review and consent to the terms before opting in.

Supporting individual rights through your privacy practices

It’s not enough to just have a solid understanding of what your customers’ rights are, though. You need to know how to implement these rights through your business practices.

Your IT systems should be structured to allow the appropriate controls, and everyone should be trained on how to use them. Otherwise, you’re only half delivering.

Handling consumer requests

A big part of upholding individual rights is honoring requests to access and delete a consumer’s personal information. Is your team ready to handle requests?

What you need to know about handling requests

You have 10 business days to confirm receipt of a Request for Access and/or Deletion, and you must respond substantively within 45 calendar days of receiving the request. Responding quickly is essential to demonstrate to your customers that you take their privacy seriously.

Opt-out requests are on a shorter clock: they must be acted upon within 15 business days, and you must notify any third party to whom you sold the consumer’s data between receiving the opt-out request and executing it, and instruct them not to sell it further.

Be aware of when you have the right to refuse a request and when you are required to comply. Consumers are only allowed to make most information requests twice a year and only for the previous 12 months. (There is an exception for deletion and do not sell requests—those are unlimited).

Verifying requests

Each request made must be verified before actually executing the request. In order to properly verify a request, an organization must do the following:

  • Establish with a reasonable degree of certainty that the requestor is who they claim to be before executing the request. Matching two data points you already hold is sufficient for a request about categories of information; a request for specific pieces of personal information calls for three matching data points plus a signed declaration from the requestor.
  • Don’t ask for new information—use existing information in the consumer’s profile.
  • Avoid asking for sensitive information like their Social Security number.

Your staff are your best resource

All of this requires significant internal support. First and foremost, you need to have your operational pieces securely in place. What are the processes that employees need to follow? How are employees trained? What does ongoing reporting look like?

Is the relationship between the business team and the IT team well established with clear lines of communication?

And does your staff understand the value of individual rights to data within the context of your company? Are they able to help your customers exercise them?

Think of it this way: Your processes support your brand. If all the key business and IT functions are well equipped to handle not just the day-to-day issues that come up, but unexpected problems and challenges too, then they’ll be strongly positioned to provide customers with a good experience each and every time. And each good experience builds trust in your privacy practices.

If you need a leg up on providing your staff with training that will give them the tools they need to serve your customers and stay in compliance, Red Clover can help. Contact them today for a free consultation.

To learn more about successful compliance, check out our eBook, Conquering Compliance: A Guide for Security and Data Privacy in the Era of SaaS.

CCPA Regulations: What IT Professionals Need to Know
https://www.bettercloud.com/monitor/ccpa-regulations-what-it-professionals-need-to-know/
Fri, 24 Jan 2020 21:20:39 +0000

Since October you’ve been hearing about them—the proposed CCPA regulations coming out of California. You’ve read some articles and want to have your company set up and ready for success this year (the law became effective January 1). But some of the legal jargon is hard to wade through. And, not to mention, what actually applies to your IT job?

We’re here to help. The burning question is: Do you know what data you are collecting and retaining? As an IT professional, this is key for you and your company since the CCPA regulations are all about the privacy of data. It is designed so that people (in California):

  • understand what personal information is being collected about them.
  • know whether their personal information is sold or disclosed and to whom.
  • can say no to the sale of personal information.
  • are able to access their personal information.
  • have equal service and price, even if they exercise their privacy rights.

The regulations are designed to help companies with implementation and cover six main areas:

    1. Notices to Consumers: These include notices regarding your business’ privacy policy, financial incentives, and an individual’s right to opt out of the sale of their personal information. You must also notify the user at the time their personal information is being collected. As an IT professional, do you know if these notices have been created and are ready to appear on your website? And do you have the technology in place to support opt-out links and browser plug-ins?
    2. Privacy Policies: Your company must post a comprehensive online privacy policy on the website that is easily navigable, along with an additional notice for each point of data collection. Your privacy policy must explicitly state that an individual will not be treated differently if they exercise their individual rights. Your business also has to be transparent about the sources of information, categories of personal information collected, and what your business plans to do with the information collected. All of this is important to know as the IT professional since you are likely in charge of housing this data and knowing how information is collected. You should be sure your company’s leadership knows these details so you can ensure CCPA compliance.
    3. Handling Consumer Requests: Unless your business operates exclusively online and has a direct relationship with consumers, you must provide at least two ways for consumers to submit a request: a toll-free number, plus email, regular mail, or a web form. Only online-only businesses with a direct consumer relationship can forgo the toll-free number. As the IT team, have these channels been set up? And has the team been trained on the timeline for responding to requests?
    4. Information Sharing/Verification Requirements: Basically, this stipulates that your business cannot at any time release the following information: an individual’s Social Security number, driver’s license number, any government-issued ID, financial account number, any health insurance or medical identification information, account passwords, or security questions. Furthermore, you must verify that the person requesting the information you are allowed to release is the person they say they are. You can set up password-protected accounts that require re-authentication for data requests or use security credentials if they exist. As an IT professional, you should lead the charge on this effort. Be sure to consider which system will keep the data most secure.
    5. Handling the Personal Information of Minors: The CCPA requires opt-in consent before selling the personal information of anyone under 16, and the regulations spell out how to verify that an opt-in for a child under 13 actually comes from the parent or guardian; consumers aged 13 to 15 can opt in for themselves. If your company deals with this sort of data, read up on the specifics for this regulation and add any necessary components to your technology packages.
    6. Offering Financial Incentives: If your business provides a loyalty program or has a subscription service and a free service, it’s important for your business to understand these new (complicated) rules regarding financial incentives. While calculating the value of this customer data likely does not fall to you as the IT professional, ensuring that the systems in place can accurately track this information does.
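The request-handling and verification rules above (items 3 and 4, and the 10-business-day / 45-day / twice-a-year rules from the previous post) are easy to state and easy to get wrong in a ticketing workflow. The following is an added example, not BetterCloud code or a real DSAR tool: the profile fields, request shape and function names are hypothetical, and the business-day count ignores public holidays. It gates an access request on a request quota, on matching data points the business already holds (two for categories, three for specific pieces), and then strips the identifiers the regulations say must never be released.

```python
"""Access-request intake for the CCPA rules described above.

Added example, not BetterCloud code. The profile fields, request shape and
helper names are hypothetical; public holidays are ignored when counting
business days.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Identifiers a business may never include in a response, however well the
# requester is verified (the list the regulations give for "specific pieces").
NEVER_RELEASE = frozenset({
    "ssn", "drivers_license", "government_id", "financial_account",
    "health_insurance_id", "medical_id", "password", "security_questions",
})

# Data points already on file that a claim can be matched against. The
# requester is never asked to supply anything the business does not hold.
VERIFY_FIELDS = ("email", "phone", "postal_code", "last_order_id")


@dataclass
class AccessRequest:
    received: str                    # ISO date the request arrived
    claims: dict                     # values the requester gave to identify themselves
    wants_specific_pieces: bool = False
    prior_requests: list = field(default_factory=list)  # ISO dates of earlier access requests


def _norm(value) -> str:
    return str(value).strip().lower()


def matching_points(profile: dict, claims: dict) -> int:
    """Count claimed values that equal a non-empty value already on file."""
    return sum(
        1 for f in VERIFY_FIELDS
        if f in claims and profile.get(f) and _norm(claims[f]) == _norm(profile[f])
    )


def verification_threshold(wants_specific_pieces: bool) -> int:
    """Categories of information: 2 matching points. Specific pieces: 3 matching
    points (the regulations also want a signed declaration, not modelled here)."""
    return 3 if wants_specific_pieces else 2


def within_request_quota(req: AccessRequest) -> bool:
    """A business may decline more than two access requests in any 12-month period."""
    window_start = date.fromisoformat(req.received) - timedelta(days=365)
    recent = [d for d in req.prior_requests if date.fromisoformat(d) > window_start]
    return len(recent) < 2


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days past start (public holidays ignored)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current


def deadlines(received: str) -> dict:
    """Acknowledge within 10 business days; respond within 45 calendar days."""
    start = date.fromisoformat(received)
    return {
        "acknowledge_by": add_business_days(start, 10).isoformat(),
        "respond_by": (start + timedelta(days=45)).isoformat(),
    }


def build_response(profile: dict, req: AccessRequest) -> dict:
    """Refuse, ask for better verification, or release the permitted fields."""
    if not within_request_quota(req):
        return {"status": "refused", "reason": "more than two access requests in 12 months"}
    needed = verification_threshold(req.wants_specific_pieces)
    matched = matching_points(profile, req.claims)
    if matched < needed:
        return {"status": "unverified", "matched": matched, "needed": needed}
    # Strip the never-release identifiers here rather than trusting upstream filtering.
    data = {k: v for k, v in profile.items() if k not in NEVER_RELEASE}
    return {"status": "verified", "data": data, **deadlines(req.received)}


if __name__ == "__main__":
    # Constructed sample profile; the requester matches email (case-insensitively) and postal code.
    profile = {"name": "A. Consumer", "email": "a@example.com", "phone": "555-0100",
               "postal_code": "94105", "last_order_id": "ORD-1", "ssn": "000-00-0000"}
    req = AccessRequest(received="2020-08-24", claims={"email": "A@Example.com", "postal_code": "94105"})
    print(build_response(profile, req))
```

The point of doing the redaction inside `build_response` rather than in whatever exports the profile is that the never-release list then holds regardless of which system the data came from; a second filter at the export layer is fine, but the response builder should not depend on it.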

Now that you know the basics, let’s go even deeper. Five amendments were passed in October 2019 to further clarify the CCPA. These may answer some lingering questions you have regarding customer notices, privacy policies, verification requirements, and more. Here’s how they break down:

1. Employee data is excluded (for one year, until January 1, 2021) from a consumer’s right to access, delete, and opt out. Employers must still provide the notice at collection and remain liable under the private right of action if employee data is breached.
What does that mean for you? Employees cannot use CCPA to pull, delete, or opt out of the sale of their HR records, but you must still tell them what you collect and keep those records secure. If you do not already have a secure storage plan for digital data on your employees, you should find a solution soon.

2. Information that is “publicly available” and “deidentified or aggregate” is not considered “personal information.”
What does that mean for you? If the data you collect does not identify a particular person or can be found easily elsewhere, you do not need to make adjustments to your technology or systems for that particular information. It just reinforces that you need to know what sort of data your company is collecting and keeping so that you can be sure the proper systems are in place.

3. B2B exemption for one year (until January 1, 2021)
This refers to B2B communications or transactions where “personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency.”

What does this mean for you?
Not all B2B communications are excluded. Much of your marketing data can still be in scope, and even for exempt B2B data the right to opt out of sale and the rule against discriminating for exercising rights still apply. It’s critical to know your data and what can and can’t be exempt, plus it’s important to consider any customer contract requirements.

If some data is CCPA exempt and other information is not, you need to know what data goes where and who can access what. You also need to know what relationships your company has with other businesses so you can better understand if any shared employee data is CCPA exempt or not.

Additionally, any data that fits into the Fair Credit Reporting Act is exempt from the CCPA.

4. People cannot opt out of communications regarding vehicle repair relating to warranty or recall.
What does this mean for you? If you do not work in the automobile industry, this is not relevant to your job. If you do, vehicle ownership information shared between a dealer and the manufacturer for warranty or recall repairs is outside the opt-out of sale, so your opt-out handling needs to recognise that data flow and not suppress it.

5. If your company does business exclusively online and has a direct relationship with the customer, having only an email address for consumer requests is acceptable.
What does this mean for you? If your company qualifies as an online-only business with a direct relationship with the customer, you do not need to set up a phone number for consumer requests. As described previously, you do need to be sure an email address or web form is available and that everyone on the team knows where these emails go and there is a system in place for prompt replies.

CCPA requires you to control access to personal data, follow the right to deletion, maintain reasonable security practices, and more. Click here to learn more about how BetterCloud can help with these areas, or request a demo right here.

For more general information about CCPA regulations, click here to read our previous post regarding the key areas of the CCPA regulations, or check out our webinar recording featuring Jodi.

California's New Data Privacy Law: A Mini GDPR? What IT Needs to Know
https://www.bettercloud.com/monitor/californias-new-data-privacy-law-what-it-needs-to-know/
Thu, 02 Aug 2018 15:56:32 +0000

On June 28, 2018, California adopted what is considered the strictest general privacy and data security law (also known as AB 375) in the country. Called the California Consumer Privacy Act (CCPA), it will become effective on January 1, 2020. There will likely be changes to the final version prior to actual implementation.

What is CCPA, and why should I care?

The CCPA is the most comprehensive general data privacy bill of its kind to pass in the United States. There is significant focus in the bill about data that is sold, and it also highlights the increasing amounts of data that are collected and used in the digital economy. The bill covers all data, not just digital data.

Penalties

Businesses are subject to civil action by the California Attorney General’s (AG) Office and could face a penalty of up to $7,500 per intentional violation or $2,500 per unintentional violation. There is also a private right of action if a California resident’s personal information is subject to unauthorized access, theft, or disclosure because the business failed to maintain reasonable security. If the AG’s office declines to bring an action, residents can bring their own. In that situation, businesses could face statutory damages of $100 to $750 per resident per incident, whether or not actual damages are shown. If there were 10,000 records at $750 per incident, that is $7.5M! It adds up quickly.

Aside from the financial penalties, California residents are going to expect the companies they do business with to adhere to these laws. The bar for privacy and security will be raised higher, and it is important for companies to comply.

Who does CCPA apply to?

CCPA covers for-profit companies doing business in California that collect consumers’ personal information and meet one of the following criteria:

  1. exceed $25 million in gross revenue;
  2. buy or receive the personal information of 50,000 or more consumers, devices, or households;
  3. or derive 50% or more of their annual revenue from selling consumers’ personal information.

How it’s similar to (and different from) GDPR

CCPA in several sections resembles the General Data Protection Regulation (GDPR), which began enforcement on May 25, 2018. Some are calling CCPA a “mini-GDPR,” but it is different from the GDPR.

Let’s review a few of the differences. Data processing is defined comparably as “any operations performed on personal data, automated or otherwise.” Under GDPR, data can only be processed when there is a specific lawful basis. CCPA has no lawful-basis requirement, but companies will still need to understand their specific data processing uses. The sale of data is permitted by default for adults, who can opt out at any time; selling the personal information of consumers under 16 requires opt-in consent.

Both GDPR and CCPA cover individual rights and vary somewhat in the fine details. Under CCPA, the right to portability is wider. Each response to a consumer access request for collected data, if given electronically, must contain the data in a portable format, without the consumer having to specifically request this. CCPA is more broad when it comes to the right to object (such as the right to object to sale of personal information, or the right to opt in for sale of minors’ personal information).

Under CCPA, prior to any sale of information to a third party, opt-in consent is required for consumers under age 16. Consumers between 13 and 15 years old can opt in for themselves. Businesses must obtain a parent or guardian’s affirmative authorization for consumers under the age of 13. Under GDPR, parental consent is required for children under 16; member states can lower that age to 13.

What you need to know

Under CCPA, the definition of personal information is expanded and broadly defined. Personal information includes but is not limited to: geolocation data and inferences extracted from data, unique personal identifiers, browsing and search history, biometric data, professional or employment related information, psychometric data, audio data, visual data, and IP addresses.

To comply with CCPA, it will be critical for companies to know what data they collect and where they store it. This ensures that privacy notices can be updated, contracts are appropriately written, and individual rights can be granted.

CCPA requires businesses to notify consumers about the type of data they collect, both in privacy policies and in response to specific requests. Consumers can opt out of the data being sold. CCPA requires companies to keep a record of all data sales for 12 months and to provide a “clear and conspicuous” link on its website with a “Do Not Sell My Personal Information” call to action, so an individual may easily opt out. To be able to allow a customer to opt out of data sold, IT teams must be able to know exactly where the data is being held.
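The two record-keeping duties in this paragraph (knowing who you sold to in the last 12 months, and being able to honor a “Do Not Sell” request) meet the opt-out rule from the earlier post that any third party sold the data after the request arrives, but before it is executed, has to be told to stop. What follows is an added example, not BetterCloud code: a small per-consumer sale ledger with hypothetical consumer IDs, third-party names and method names. Downstream systems (CRM exports, ad-tech feeds, warehouse jobs) are assumed to report each sale to it and to check `sale_allowed` before selling.

```python
"""Opt-out-of-sale ledger for the sale records and third-party notices described above.

Added example, not BetterCloud code. Consumer IDs, third-party names and the
ledger layout are hypothetical; sales are reported to the ledger by whatever
systems actually move the data.
"""
from collections import defaultdict
from datetime import date, timedelta


class SaleLedger:
    """Per-consumer record of sales plus opt-out state.

    Two things are tracked: every sale (date, recipient), so the business can
    say who it sold to in the preceding 12 months, and each opt-out request
    from receipt to execution, because anyone sold the data in that gap must
    be notified and told not to sell it further.
    """

    DISCLOSURE_WINDOW = timedelta(days=365)

    def __init__(self):
        self._sales = defaultdict(list)   # consumer_id -> [(sold_on, third_party)]
        self._opt_out = {}                # consumer_id -> {"received": date, "executed": date | None}

    def record_sale(self, consumer_id: str, sold_on: str, third_party: str) -> None:
        """Log a sale a downstream system reports; the ledger never silently drops one."""
        self._sales[consumer_id].append((date.fromisoformat(sold_on), third_party))

    def sale_allowed(self, consumer_id: str) -> bool:
        """Gate for systems about to sell: False from the moment a request is received."""
        return consumer_id not in self._opt_out

    def receive_opt_out(self, consumer_id: str, received_on: str) -> None:
        """Record the request; the sale gate closes immediately, before any propagation."""
        self._opt_out[consumer_id] = {"received": date.fromisoformat(received_on), "executed": None}

    def execute_opt_out(self, consumer_id: str, executed_on: str) -> list:
        """Mark the request done; return recipients sold the data after receipt, who need notice."""
        if consumer_id not in self._opt_out:
            raise ValueError(f"no opt-out request on file for {consumer_id}")
        state = self._opt_out[consumer_id]
        state["executed"] = date.fromisoformat(executed_on)
        return sorted({tp for sold_on, tp in self._sales[consumer_id]
                       if state["received"] <= sold_on <= state["executed"]})

    def pending_opt_outs(self) -> list:
        """Requests received but not yet executed, for deadline tracking."""
        return sorted(cid for cid, st in self._opt_out.items() if st["executed"] is None)

    def third_parties_sold_to(self, consumer_id: str, as_of: str) -> list:
        """Recipients in the 12 months before as_of, for access-request and notice disclosures."""
        cutoff = date.fromisoformat(as_of) - self.DISCLOSURE_WINDOW
        return sorted({tp for sold_on, tp in self._sales[consumer_id] if sold_on > cutoff})


if __name__ == "__main__":
    ledger = SaleLedger()                                 # constructed sample activity
    ledger.record_sale("c1", "2020-06-01", "AdNet A")
    ledger.record_sale("c1", "2020-08-20", "Broker B")
    ledger.receive_opt_out("c1", "2020-08-24")
    ledger.record_sale("c1", "2020-08-26", "Broker C")    # a feed that had not yet seen the flag
    print(ledger.execute_opt_out("c1", "2020-09-01"))     # ['Broker C']
```

The ledger deliberately keeps recording sales after the opt-out is received instead of rejecting them: a feed that sells anyway is exactly the case the notification duty exists for, and refusing the record would hide the third party you are obliged to contact.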

Other processes and systems may be impacted. For example, if your business collects data on individuals and sells that data, then you’ll need to review how old these individuals are, as well as which parties the data is being sold to. Marketing activities may be impacted if they rely on third parties that have purchased data. If any of this data moves through the organization via APIs or through a cloud vendor, it will be important to know what that is. The customer support teams will also need to be familiar with these new privacy rules and be able to direct any inbound individual rights requests to the appropriate teams.

If a customer opts out of the sale of data, companies cannot discriminate against them by charging a different price or servicing them differently unless the difference is reasonably related to the value provided by the data. A company can still offer financial incentives to consumers to collect their personal data.

What this means for IT

Organizations can no longer have siloed data (or lack data management altogether). It is not only the IT team’s role to know what data is in what system. Any group using personal data will need to understand the flow of data in, through, and out of a company. The marketing team, for example, will need to take ownership and know how the data moves into its email service provider, its CRM, its CMP, or any other tools that it uses.

If departments share personal data through Slack or use collaboration tools like Dropbox or Google Drive, IT should ensure there is a strong policy on what types of data can be stored in those tools (and for how long — don’t forget about retention policies).

This is not a one-time exercise. It needs to become ingrained into the corporate culture and maintained on an ongoing basis. Being able to limit access to systems with personal data will be important for businesses. With more at risk, businesses will need to shore up their security activities.

Having a proactive dynamic security program will be important as CCPA provides a limited private right of action for violations and statutory damages, including for data breaches resulting from lack of reasonable security.

5 steps IT can take to prepare now

  1. Conduct a privacy assessment and document data processing activities for the data collected, used, disclosed and/or sold.
  2. Review your security tools and plans to minimize risk of a data breach and impending fines.
  3. Identify all the impacted stakeholders including marketing (this will impact ad tech activity), IT, business development, and product development teams.
  4. Review if you need to make any changes to databases, systems, or even vendors to comply with the law.
  5. Evaluate your current processes to see if any changes are needed to meet the strict access request requirements. This includes an online portal or building opt-out webpages.