THE BEST LEGAL TEAMS ARE LEADING FROM THE FRONT
Designing data security and educating employees were traditionally handled by IT, with legal teams focused more on cure than prevention. Today, the best legal teams play a vital role in ensuring a company is doing all within its power to secure itself and comply with complex privacy regulations. These in-house legal teams are stepping into the limelight, taking on critical functions in data protection and compliance design, training, reporting and remediation.
The most proactive companies have sought and obtained ISO 27001 certification, considered the premier framework for managing information security, and SOC 2, a cybersecurity compliance framework. With all of these new certifications, legal teams must become real champions of collaboration between and among other corporate departments. It’s important for everyone to regularly review and revise employment policies — like the code of conduct, employee handbook and privacy policy — to keep pace with changing laws. Legal teams need to provide timely indications and warnings when landmark legislation, like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), comes into play. As soon as laws like these are enacted, legal teams must revise internal policies in light of the new statutory requirements and share the updates with employees in California.
This kind of quick communication is just as important for customers. Some legal teams have streamlined their notification processes to the point that customers can be notified in less than one second if a breach does occur. It’s a friendly reminder to all of us to regularly check and update our own notification systems, making sure everyone stays informed and secure when it matters most.
NAVIGATING NEW REGULATIONS
On top of data breaches, major regulatory changes came in 2024, like changes to the GDPR and new U.S. data privacy laws. With a U.S. workforce and customer install base spread across many states, in-house legal teams must stay updated on new state regulations.
The key regulations passed and implemented in 2024 include the Texas Data Privacy and Security Act, Florida's Digital Bill of Rights, the Oregon Consumer Privacy Act, and the Montana Consumer Data Privacy Act. While no federal privacy law went into effect this year, these state laws have turned what was supposed to be a uniform federal code into a multistate patchwork of compliance requirements that legal must study, adopt and internalize so the business may thrive responsibly.
OTHER MEASURES TAKEN IN 2024
Proactive actions taken by organizations that have mitigated risks in 2024 include increased employee training, tight access controls and sophisticated encryption techniques. Legal teams have played an important role in developing and enforcing new training courses to foster a security-first culture that reduces the risks and consequences of a data breach.
Of course, all successful, security-conscious companies must identify and implement the best security tools available. Responsible companies understand that the efforts and investments deemed sufficient in the past won’t be enough in the future. None can allow complacency to creep into their organizations and jeopardize a hard-earned, security-first culture. Instead, we must remain one step ahead of emerging threats and address an ever-changing regulatory landscape in 2025 and beyond.
Special thanks to Tiffany Shockley and Chloe Noh for their contributions to this article.