How to Think Like a Data Security Lawyer (No, This Isn’t a Joke)

I love lawyer jokes, partially because they’re often true, and also because they’re often deserved. Not every lawyer is a shyster of course, and there are plenty who deserve respect, even admiration. But let’s be honest: no one would understand or laugh at these jokes if lawyers behaved like nurses or architects. That’s why they say that there are actually only four lawyer jokes in existence, and the rest are all just true stories. (Get it?)

It’s not always bad to act like a lawyer or, at least, to think like a lawyer. In fact, I often go through exercises with clients where I have them try to imagine the worst case scenario for what they’re planning to do, and then how they’ll respond when something even worse happens. In many ways, that’s the central job of lawyers, to imagine the possible outcomes of a given course of action, and try to account for them. There’s no substitute for an actual lawyer (you can’t practice without a license, for instance), but it never hurts to bring new resources to an issue.

Thinking like a lawyer, for me, means two things. First, it is an exercise in identifying as many as possible of the facts and factors that will affect a given scenario, and then extrapolating from that a step or two. On law school exams, the traditional format is a page-long narrative of events, and the prompt is essentially “Here are the facts. Go.” You are expected to identify every potential problem, every legal rule that applies, the exceptions to the rule, and the exceptions to the exceptions. The goal is to create as complete a picture of potential outcomes as possible.

The second component is a creative adaptation. There are many laws in this country, but the majority of court cases that lawyers cite in briefs are important not because they recite a law, but because they expand, refine, or explain the law. It is the adaptation of limited rules to infinitely variable circumstances that makes the task of lawyering, good lawyering, so valuable.

Data security is a great issue to tackle by thinking like a lawyer. There are rules (like GDPR or GLBA) but there is no way the rules cover every situation with clarity. You can rely on experience and prior decisions to frame your choices, but the technology and risks develop so quickly that there will always be a new wrinkle. And the regulatory regime is run by people who think like lawyers (mostly because they are lawyers).

So how can you think like a lawyer when analyzing problems? I would suggest three steps. First, treat every problem as though it has an inventory that you have to complete. Go through, as thoroughly as possible, every conceivable issue that might arise, and then come up with counterfactuals to test your list. You can do this for everything from preparing to adopt a new cloud storage system to outlining your revised privacy policy. Next, imagine everything going wrong – really wrong. Natural disasters, defections to competitors, economic turmoil, all of it. If you have considered the worst case scenario, it will help contextualize more likely problems, and will also give you a sense of how to identify weak points in your plan.

Finally, determine what you don’t know. The best lawyers will tell you that identifying the areas where you need more knowledge is a crucial component of mitigating risk and moving forward with a plan. This is the stage that typically involves getting advice from everyone involved – what does IT think, and what about the managers in individual store locations? When you hear input from those concerned, you’re likely to find that you can’t answer all of their questions, which means you have to go back to step one and rethink.

Again, this is not to say you can just get rid of your lawyers – there’s no replacement for experience and expertise. But thinking like a lawyer sometimes can help give you a different perspective. Successful execution of a plan (whether data security related or not) isn’t just about having the right answers, it’s about reaching the right conclusions for the right reasons. That’s one reason that thinking like a lawyer can help you be datasmart.
