Requests for information are becoming increasingly common, and with emerging regulation such as the CCPA and the ongoing effects of the COVID-19 pandemic, there’s no end in sight. Now is the time to assume a proactive approach and ensure your organization is prepared for these projects.
At Relativity Fest, we spoke with Philip Laffey, senior associate general counsel at Global Payments Inc., about his experience with responding to RFIs and what changes he anticipates may be around the corner for this type of work.
During the session, Relativity’s Joe Hirasawa interviewed Philip about his background in government, the private sector, and academia to help paint a more complete picture of this issue and what can be done about it.
What Challenges Do RFIs Pose for In-House Teams?
As corporations receive more DSARs, third-party subpoenas, CIDs, and other such requests, they’re learning that outsourcing the process is expensive and risky. Increasing regulation only raises the stakes.
The bottom line is that, once you receive a request, the clock starts ticking. And if your team fails to respond appropriately or on time, it can lead to trouble: “This is the stuff that keeps us up at night. It’s worrisome and it doesn’t matter what industry you’re in,” Philip said.
RFIs are laden with risks—corporate teams don’t ask for it, but they have to do it, and if they miss the redaction of any PII, it puts their team at risk for litigation.
In fact, Philip said, it’s likely only a matter of time before you receive an RFI of some kind.
It’s not just large corporations or specific sectors that are subject to these kinds of requests. “Any industry has a need for preparedness or readiness in responding to these because you don’t want to be caught metaphorically behind the eight ball in responding,” Philip explained. “These have deadlines and the deadlines are serious.”
Requests can take many different forms, regarding any area of your business, and potential requesters could include former or current employees, third parties, or regulatory bodies, such as the IRS, DOJ, FTC, or CFPB.
All RFIs need to be taken seriously, but especially those issued by a federal regulatory agency. Penalties of not responding to a subpoena completely or on time can result in sanctions, liability for monies owed, or even being held in contempt.
And it’s not enough to meet the minimum requirements of every RFI. You must be judicious in how you respond, conducting careful review of each request to protect your organization’s most sensitive information as well as PII from being shared or accessed inappropriately.
As a result of these risks and conditions, these unforeseen requests can become so demanding that they prevent you from focusing your limited resources on the more substantive work you need to do to protect your company and support ongoing operations.
What Else Can We Expect to Disrupt this Field?
The last year has reminded us all how important it is to roll with the punches. So, with an eye toward the horizon and what else might be coming along to disrupt in-house teams, we asked Philip what factors might impact the issuing, receiving, and responding of RFIs.
He talked about a number of issues he’s watching.
Regulators’ Expanding Authority and Shifting Focus
Just like regulation, regulators are in a state of flux as the economy adapts to current challenges and innovations. The CFPB, for example, is relatively new, and still establishing their mandate and jurisdiction. While regulatory oversight does need to keep pace with the current realities of business, this evolution can sow confusion as businesses evaluate whether they fall into the scope of these bodies. Lately, companies who’ve historically attracted little or no regulatory interest might find themselves surprised by RFIs.
“Keep a watch on how regulators are looking at your industry, because you might be able to see the breadcrumbs,” Philip advised Relativity Fest attendees.
Continued Impact of COVID-19
As economic uncertainties continue to upend many industries, the impacts of this pandemic will have substantial ripple effects on disputes, federal oversight, and litigation. And not all of the impacts may already be apparent: Your customer’s customers may have been affected in some way, initiating legal challenges that find their way back to you in the form of an RFI.
DSARs and the Evolution of State-by-State Privacy Regulation
With the introduction of the CCPA, California has knocked over the first domino of privacy and personal data regulation across the United States. Many experts predict other states will follow, each with their own unique codes.
Certainly, Philip said, the resulting “patchwork” of regulation won’t be ideal. But he was not optimistic about seeing a federal resolution anytime soon: “I just don’t see Congress acting to prioritize this.”
What Can Your Team Do About the Rising Demand of RFIs?
These challenges may seem insurmountable, but with the right application of insight, process, and technology, they’ll soon become just another task in your team’s portfolio. To get there, develop a keen understanding of your organization’s accountabilities and a plan for how you will respond when the need arises.
Pushing Back When Appropriate
In some instances, a case can be made that an RFI is not applicable or appropriately framed. While every request needs a response, you may not be obligated to fulfill every request as submitted.
That said, it’s important to remember that challenging improper RFIs must be done respectfully, judiciously, and cooperatively. Particularly when responding to government agencies, not responding appropriately or failing to cooperate could be opening the door to more intense scrutiny.
Philip was able to describe a number of considerations that will help your team determine whether follow-up may be warranted when you receive a request:
- Does the court issuing this subpoena have proper jurisdiction over your organization?
- Is too much data being requested?
- Are you the right party to meet this request?
- Is the requester submitting excessive RFIs and, if so, might outside counsel be helpful?
Insight into the People, Process, and Technology to Handle RFIs at Scale
For Philip’s team, it has been critical to build a workflow for responding to these requests ever more efficiently and securely. “The volume was becoming so high a few years ago that we decided we needed metrics to keep track of what was happening,” he said.
They started by answering questions like these:
- Who is sending these requests most often?
- How many is a particular law firm or party sending?
- How often are the sending parties getting hits, and are they doing their homework before sending?
- Which regulatory bodies are requesting information?
- What type of information is frequently requested?
- How much time and what kind of resources are these requests taking?
Many legal departments are leanly staffed and don’t have extra hands, making the answers to these questions vital in project planning. If you’re already being inundated with requests, an open dialogue with your team who is closest to these request, driven by metrics, will help you understand the scope of impact RFIs are having on your organization—and support your case to bring in the tools you’ll need to tackle them.
Choosing the Right Tool for the Job
Using technology to lighten the burden of requests will become an increasingly critical component to managing RFIs. Ultimately, keeping data secure will protect your company and customers from the repercussions of mishandling sensitive information. Doing so efficiently will lighten your load and give your team time back to focus on the work that drives your business forward. But if you don’t have the right tools in place, it’s easy to become quickly overwhelmed.
“This isn’t the kind of information that you want sitting on your hard drive,” Philip continued. “You want to make sure you are never really downloading it.”
Being careless with this information is both dangerous and unethical. To disregard this responsibility constitutes “malpractice on the part of the in-house counsel,” Philip warned, “and your staff has to know that, too.”
In addition to ensuring the safe transfer of data, your chosen tool should offer robust review and redaction capabilities. Your team is the last line of defense in ensuring that PII doesn’t fall into the wrong hands.
“That is something that I think about with every document that goes out the door,” Philip said.
Did you know? RelativityOne offers a four-step subpoena workflow which can help improve your team’s ability to tackle this growing, time-consuming, and error-prone process. The platform eliminates risky data transfers by keeping your most sensitive information in one place, offers granular security permissions to control access to that data, and enables efficient and accurate redactions—so you can be confident in your ability to defensibly comply with RFIs and protect PII. If you’d like more information, contact our team—we’d be happy to walk you through it.
This is just a highlight of one of the topics we covered in this year’s corporate track at Relativity Fest. Through October 31, you can still view this session with Philip Laffey and Joe Hirasawa, as well as the rest of our sessions assembled for in-house teams like yours.
If you registered for Relativity Fest before or during the conference, simply visit the event platform to access this content. If you missed out on registration, don’t worry: You can visit this page to fill out a post-event registration form. Our team will follow up to provide access as soon as possible.