Follow ACC Docket Online:  

Top 5 Legal Tech Trends to Watch in 2019

T echnology rules the world, and the legal world is no exception — from commodified personal data to artificial intelligence (AI) to security. So, what are the hottest legal tech trends we will see in 2019? To answer this question, we must review the growth of technology over the past few years.

I searched for an article written within the past 10 years, and found a 2011 piece from the American Bar Association entitled, “What’s Hot and What’s Not in the Legal Profession.” Privacy was not listed, much less cybersecurity. Yet, these have been driving forces in technology, particularly legal technology, for years now.

As technology has advanced, privacy and related fields (e.g., security, data protection, cybersecurity) have become the fastest growing areas of law. Here’s how they have evolved and what we might expect in 2019.

1. Security and fraud prevention

Protecting data, in any form, requires security measures. Additionally, there is an increased focus on cybersecurity. The number of breaches has been steadily increasing, including ransomware, malware, and corporate espionage.

Among the largest security risks in recent years was the alleged infiltration of US companies by Chinese hackers who installed microchips to server motherboards sold to many US companies. Whether the microchips actually did exist or not is not the main point; the crux was how the potentially impacted companies and the various government agencies responded. This incident also highlighted the heavy reliance US technological supply chains have on products from a handful of countries, including China.

With the Internet of Things (IoT) so prevalent, the supply-chain concern may have a huge impact on the security of devices, including infected personal devices connecting to work environments. This is aside from employees stealing data, such as the 50 terabytes found in the home of former US National Security Agency employee, Harold Martin.

This level of technological manipulation has made fraud easier to commit. Companies are taking steps to prevent and identify fraud, especially with artificial intelligence (AI) capabilities, yet fraud will continue to grow.

Many companies worry that the General Data Protection Regulation (GDPR) will impact their fraud prevention efforts due to its granting the individuals’ control over their personal data, such as access, rectification, and erasure. Preventing fraud is likely a valid reason to deny such rights, but companies must consider its programs, the information obtained and retained, and prepare defenses for its activities.

[Related: EU Regulators Clarify Scope of GDPR]

Many regulations now require protection for personal data, but often do not specify the security controls. The ones that do, such as the US Health Insurance Portability and Accountability Act of 1996 (along with its subsequent amendments, HIPAA), may be outdated (but there is a current Request for Information issued by the US Department of Health and Human Services addressing areas for HIPAA to be updated).

Instead, the standard generally requires reasonable security relative to the size of the company, its resources, the level and amount of sensitivity of the personal data, and the industry norms. This is a target in motion that will ebb and flow with the issuance of regulatory guidance, court decisions, publicized breaches, and technology growth.

Technological advances breed opportunities, for both good and bad actors.

2. Data governance

Often, people confuse data governance with data protection. Data governance is a much larger field, although a good data protection program includes good data governance and vice versa. Data governance is a programmatic concept that focuses on personal data from its inception to destruction — cradle to grave. Therefore, it comprises availability, usability, integrity, consistency, accountability (auditability), and security.

In many cases, companies developed data governance programs in specific data environments or for specific regulations, such as HIPAA, the US Sarbanes-Oxley Act, or various physician payment reporting requirements. Data governance is particularly challenging in an environment that has historically relied on paper documents, but a solid data governance program will help reduce document proliferation, both physically and electronically.

However, given the importance and vulnerability of corporate confidential data (the “crown jewels”) along with far-reaching personal data laws, like the GDPR and the California Consumer Privacy Act, companies should adopt a full-scale data governance program. We are seeing this happen specifically with the GDPR, where companies are creating data inventories and records of data processing activity.

Data inventory, though tedious, is a fundamental element of data governance. How can companies protect what they don’t know they have? Once there is a data inventory, companies should launch programs, such as data protection impact assessments, privacy impact assessments, vendor classifications and oversight, and retention and destruction policies and schedules.

[Related: Why Your Company Needs a Data Inventory]

Companies should invest in technology for these purposes, such as dynamic, user-friendly data inventory systems like the TrustArc Data Flow Manager, which links to DPIAs and vendor assessment tools. Other technology options include Truyo, which offers robust solutions for automating data subject access requests and Exego, which provides intelligent, automated analysis of unstructured data. A manual program in spreadsheets and paper only works for small companies with minimal data and vendors.

Certainly, a data governance program should come with someone to lead it. Whether the company needs a privacy officer, security officer, data governance officer, or information security officer, a data protection officer (DPO) is a determination the company needs to make.

Likely, it is a combination of roles that is required. The individuals chosen as DPOs must keep both privacy and security in mind. Multiple individuals may have the expertise, in whole or in part, to become or to assist the DPOs. Remember that the DPO is a role required under GDPR if a company meets certain thresholds.

If a company appoints a DPO voluntarily, even without meeting the thresholds, then the DPO and the company are held to the same standards as if a DPO were required. So be careful what title is used. But more importantly, be clear on the scope and responsibilities of the position.

Regardless of the role, the position must carry both authority and accountability within the data governance program. Accountability without authority to make decisions, maintain a budget, and execute the duties of the position makes it a position in name only — an empty suit — and is useless in building an effective data governance program.

3. Automation

Technology is both the goal and the tool to achieve it. Automation currently plays a key role in machine learning (or AI), marketing statistics, fraud detection and prevention, targeted behavioral ads, and much more. We will see this trend continue to grow.

We have seen automation in place to handle risk assessments for personal data, risk-based business acceptance, consumer and client self-service portals, contract lifecycles, and work process templates. By using automation, companies can easily scale up their efficiencies, serve more clients (internally and externally), and create outputs and metrics to determine the best use of resources.

AI can help manage large volumes of information quickly and be programmed to deliver necessary information, such as contracts. For example, with some software, such as the Exego platform mentioned above, you can check breach notification timeframes or limitations of liability clauses across 3,000 contracts within seconds.

[Related: Smart Contracts: The Shared Ledger That’s Set in Stone]

Templates are one of the easiest ways to enter the automation workstream for in-house counsel. Most of us have standard agreements already, but what about automating flexible agreements that can easily suggest or adjust approved clauses, complete terminology changes, and attach the right geographical or product requirements to all necessary documents?

The software would also help the legal team to identify what clauses are consistently problematic across the client base. Once in place, those pesky conditional requirements could be automatically triggered to ensure vendor A got its audit report submitted or vendor B moved to a lower cost for a higher-quantity purchase.

Another area for automation focuses on individual rights to data. Automation can be used to handle intake requests, show the requestor what is available, and process requests according to a set of parameters. One could carry this further and have product teams input certain information, such as personal data elements (e.g., name, location, tax identification numbers) and geographies, and then generate a privacy notice.

An interesting aspect of automation is legal project management. This software is starting to be used more commonly in law firms, but there is no reason that it would not also help streamline the workday of in-house counsel. This particularly helps if counsel have project-type work with multiple actions by counsel to complete, such as implementing policies across multiple jurisdictions, mergers and acquisitions, and product development lifecycles. Given the increasing amount of work we are seeing in-house, tools to assist in organizing our workstreams could be useful.

The last example in this segment is online or phone helper bots. Your company may consider using these tools, and in-house counsel need to understand the technology (see the “Tech and data fluency” section below) for the benefit of the external clients, to prepare notices, and to comprehend any potential liability. But perhaps these technologies could also benefit in-house counsel in their duties.

4. Mobility

Mobile workforces and devices are certainly not new, but we are seeing the concept of mobility increase and impact even more areas of our professional and personal lives. Cloud services are ubiquitous, and the growing expectation is that one truly can work anywhere at any time with access to shared drives and real-time collaboration online available on any computing device.

Phones can now store up to a terabyte of data. In context, a terabyte is roughly the equivalent to 40 Blu-ray movies. This poses an increased security risk that in-house counsel can’t ignore.

We see the complexity of the risk encompassing a company’s mobile device management, data loss prevention, remote access, outsourced cloud services, audit trails, disaster recovery, back-up, data retention, and data and device destruction.

But let’s take the hypothetical further by adding driverless cars, smart homes, and trackers (like mobile employee badges for easy access to satellite offices, hotel entry keys, and keyless cars). Will mobile devices sync with one’s environment to facilitate a merger of work and life? Imagine leaving work with some tasks to do, perhaps a contract negotiation.

Enter your driverless car, where you take a call and the contract displays on an inside wall, muting traffic noises, and reflecting changes captured orally, noting who suggested what and who agreed. Dinner choices pop up on a side screen, so you can choose your meal to be delivered 30 minutes after arriving home, given current traffic conditions.

[Related: “Intelligence” of Things — How the Internet of Things Connects the Spaces] (PDF)

Once home, the dog’s kennel unlocks, your call switches to the house phone, automatically muting on your side to give you time to get settled. The contract shifts to the screen of each room you walk into for seamless viewing. Your evening beverage dispenses, while the home temperature changes to “at home” settings. Meanwhile, your significant other is alerted that you have arrived home, dinner has been ordered, and you are scheduled to be on a call for another 20 minutes.

We enter a mobility ecosystem with a new infrastructure, perhaps built on existing technology and incrementally moving us from one state to another. Alternatively, the new infrastructure may change drastically, thanks to technologies that disrupt our industries, as the mobile phone has done. We may not see the full-scale mobile ecosystem arrive in 2019, but the scenario above is imagined with, and based on, current, known technology.

5. Tech and data fluency

It’s imperative to be fluent with technology and data and our devices must be fluent with each other — except where it should be prohibited. Common prohibitions would be set by the corporate data classification, where the most sensitive data — draft product development, strategic plans, and sensitive personal data — would be restricted to identified devices and not shared. Not being in tune with tech will jeopardize any efforts to protect proprietary code.

No longer can we afford to humor the attorneys who refuse to accommodate technology. Adoption lags if culture doesn’t drive innovation. As in-house counsel, we do not drive innovation. Instead, we are typically pushed, pulled, or dragged along while the company innovates and we try to get the proper agreements and notices in place before calamity strikes.

The workplace is now multigenerational, but the differences between generations are the differences between being digital natives and digital immigrants. Our always-on culture spills over into a profession that was always measured by time and methodical practices. Some of us, at any age, adapt well. Others need intensive training. Adapting will soon no longer be enough; we must be fluent.

In a Legaltech News article, Mark Cohen, CEO of LegalMosaic was quoted:

“Law is now about collaboration of human resources as well as humans and machines. Many still regard tech as a necessary evil rather than a means to the end of providing customer-centric delivery.”

Whether serving internal clients or external ones, counsel must be fluent in technology and data practices. Understanding these is as critical as understanding the client’s business, product, or service.

Take advantage of available resources (e.g., online communities or peer-sourcing challenges), and use technology to keep your client informed. We have passed the age of periodic updates — we are “always on.” We should accommodate in real time.

About the Author

K RoyalK Royal is a technology columnist for, and director at TrustArc. @heartofprivacy

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.