As I mentioned last year, I always look forward to the first part of the year as general counsel. Basically, it is a fresh start for me and for the Legal Department, a time to close out the past year’s issues and move on to next year’s problems. Though, realistically, a lot of last year’s problems just tag along into the new year like a rude party guest who just doesn’t get the hint that it’s time to leave!
One thing I do near the beginning of every year is put together a list of the Top 10 things I think the Department needs to focus on over the course of the upcoming year. These are tasks that are rooted in cement – they need to get done or there needs to be a damn good reason why not. Well, as – unlike last year at this time – I am back in the General Counsel chair, I have been jotting down ideas like mad. As move deeper into 2018, there are a number of things on which I think my team and I should be focusing. Like last year, this edition of “Ten Things” will share my list with you. I hope that you come up with your own Top Ten list or, if not, that my list gives you some good ideas for things you want to focus on in 2018.
1. EU General Data Privacy Regulation (“GDPR”). Yes, this one is a carry-over from my 2017 list. And how can it not be? With the May 25 deadline looming, companies all over the world are scrambling to get into compliance. If you have no idea what I am talking about, and your company processes personal data of EU citizens, I suggest you get out your check book and call a law firm that specializes in data privacy law. You’re going to have a rough ride. But, if you’re like most companies, you’ve been working on this for a while. There are two questions I am thinking about as the May deadline approaches:
- Sub-Processors – Sub-processors are companies to whom processors farm out work. What constitutes the “processing” of personal data is very broad under the GDPR. If you use sub-processors you need to identify them to your affected customers and those customers have the opportunity to object. If a customer objects, the end result is not clear under the GDPR. For example, if you believe the sub-processor is GDPR compliant do you allow the customer to dictate which sub-processors you use, or worse allow that customer to object and terminate your contract? If you refuse to change sub-processors do complaints go to the EU and, if so, what is the process to resolve them? All of this is unclear to me and I think we will all have to wait and see how this plays out. But, everything starts with knowing who your sub-processors are and identifying them to your customers.
- “Not Quite There” – I suspect there are going to be a lot of companies, in the EU, US, and elsewhere that just are not going to be able to get everything in place by May 25, 2018. What happens then? It is highly unlikely that a regulator will come knocking on your door on May 26, but there will be consequences for non-compliance at some point. My guess is that a European Data Privacy Authority will pick a large American internet company (sorry Facebook, Google, et al.) to go after and send a message about non-compliance. For the rest of us, my suggestion is to continue to work hard to get into compliance and have a good story to tell in the event someone raises questions about your compliance. So long as you’re working diligently to get there and have a plan in place, I think it is unlikely that something really bad will happen to you.
2. Sexual Harassment. It is amazing – in a good way – the sudden focus on sexual harassment in the USA. It seems like hardly a week has gone by without some sexual predator being brought to task. While I think this is good news, the increased attention on this problem raises some issues for in-house counsel. In particular, the need to ensure that your company is buttoned up in a few keys areas. With few exceptions, no legitimate company encourages or promotes sexual harassment of its employees as they can get in deep trouble if one of their employees, e.g., a manager engages in such harassment or fails to properly handle a complaint. Here are three things to focus on in 2018:
- Policy. Compliance for companies starts with having the right policies in place. If it’s been a while since anyone in the Legal Department has reviewed and updated your sexual harassment policy, now is the time to set up a meeting with HR and work together to ensure your policy is fulsome, up-to-date, clear, and easy to find by your company’s employees.
- Training. All companies should have yearly training on a number of compliance issues, and especially with regard to sexual harassment. The training should cover not only what constitutes harassment but the proper steps to report a problem or deal with a problem if it is reported to you. Make sure your training is updated and that every employee, officer and board member takes and passes the course.
- See something/Say something. The most important part of any policy is making it easy for employees to speak up. Send regular reminders to all employees about how to report any compliance issue (e.g., email, hotline, in-person), let alone sexual harassment issues. Employees must be encouraged to speak up and know that there will be no retaliation against anyone bringing forth a claim in good faith. This a great time to utilize short videos of the CEO emphasizing the importance of a “see something/say something” culture.
3. Technology. 2018 needs to be the year you get serious about technology. Not only whether you have the latest and greatest software needed to run a legal department, but that you are maximizing the use of the software you already own (and taking time out to train on existing systems is always worthwhile). It’s easy to get overwhelmed with all of the technology related issues facing in-house counsel. While I am eager to see what the future of Artificial Intelligence has to offer in-house lawyers, that’s not really where I would focus myself over the next 12 months. Instead, I would focus on three things:
- Technology that helps me with my operations – such as an e-billing system which ties into my budget and my forecast.
- Technology that materially saves me time – such as a contract management tool that doubles as a contract assembly tool, or a research service like Practical Law Connect that combines the best of Practical Law and Westlaw.
- Technology that lets my Department function anywhere/anytime – such as a document management tool, or matter management tool, video conference, internet phone calls, easy calendaring, document collaboration (with inside and outside counsel), Slack, etc. If you have a global legal department, or one spread across multiple cities, or one that permits members to work at home, having tools that foster collaboration and connections is vital.
For more on this, check out LawGeex’s 2017 Legal Tech Buyer’s Guide (and watch out for the near finished 2018 version).
4. Retention. There is nothing more disruptive to a General Counsel or a manager in the Legal Department than the departure of a good lawyer or staff member. Not only will it take a good amount of time to replace this person, in the interim you or others on your team will need to step up to handle the work. Additionally, you will spend time sorting through resumes and interviewing replacement candidates. All of which is a strain on your already packed schedule. This means it is well worth your time to put a real focus on retention of your most valuable team members:
- Succession Planning – start with ensuring you have a comprehensive succession management plan in place. This includes i) knowing the what skills the Department needs to provide the services required by the company, ii) a development plan for every attorney, and iii) a succession plan setting out what happens if key lawyers depart (i.e., will you fill that role from an internal head or will you need to go outside?).
- Delegate – I am talking about true delegation here and not just fobbing off work on someone. True delegation is about training others how to do tasks so as to allow you to focus on more important or larger projects. Delegation is a deliberate process and one – if done properly – pays off in terms job satisfaction, career growth, and efficient distribution of work.
- Little things – It’s difficult to stop someone from leaving if they are offered a huge promotion and salary increase. But that “dream job” scenario is not the reason most people leave jobs. They leave because they are bored, under-utilized, or simply aren’t enjoying going into the office every day. You don’t need large amounts of cash to fix this, you just need to up your game on being a good manager. Little things matter. A gift card, a “sneak away” to the movies, group lunch, recognition at Department meetings (or to the executive team), remembering birthdays and anniversaries, saying “thank you” or “good job,” and the list goes on. Create a workplace where your team is excited and energized to come to work because they know they will get great assignments, recognition, and the little things that make an office fun.
5. Trade Secret Protection – Every company has valuable trade secrets that need to be protected. While theft by outsiders is scary, the really scary story starts with employees. A disgruntled employee can do tremendous damage by pilfering company trade secrets and confidential documents right under your nose. Make sure you are doing everything possible to reduce this threat. Here are three things to focus on in 2018:
- Policies – it all starts with having the right policies in place. Work with HR to ensure you have all of the appropriate policies in place and that they are kept current. This includes policies around marking documents, “clean desks,” confidentiality agreements, proper passwords, BYOD, off-boarding employees, and the company’s right to access work emails and work computers.
- Training – there is no substitute for regular training of your employees about the value of trade secrets, ways to protect trade secrets, the company’s policies, and things to watch out for and how to report concerns.
- Warning Signs – The US Department of Homeland Security puts out a very helpful guide about on the warning signs about potential insider problems in its publication “Combating the Insider Threat.” All company managers should be trained on these warning sides and what to do if they suspect there is a problem.
6. Phishing/Spoofing – One of the most common causes of breaches is an employee clicking on a malicious email link on their work computer. More and more, this is the result of “spoofing” or “phishing.” A “spoofing attack” is a form of social engineering where an outsider attempts to impersonate some company (e.g., your email provider) or someone (e.g., your CFO) in order to get you to take some type of action, from clicking on a malware link to wiring money. The worst part about a spoofing attack is that anyone can be duped, even members of the Legal Department. Phishing, on the other hand, may not be work-related but otherwise seeks to make the employee click on something that could infect his/her computer and thereby the entire company network. The most effective way to combat phishing and spoofing is through training. Start with a general reminder to the entire employee base about some of the most easily recognizable tricks to watch out for. Then make training about phishing risks part of your general mandatory compliance training program. Here are some common tactics to watch out for:
- A scammer sending an e-mail pretending to be from a government organization, particularly with a message of high importance.
- Someone claiming to be a company executive directing you to wire fund or send a confidential file.
- An email message with a false sense of urgency directing you to provide information, enter account or password information, or otherwise take an action you would not normally take via email.
- Anything that seems too good to be true.
7. Learn How to Prioritize. I think this is the hardest task faced by all in-house lawyers. There is always way more to do than there is time in the workday. Unless you want to work 24/7/365, you’ll never come close to getting everything done (and even if you did work 24/7 I doubt you’d get it all done). Getting things done is important, and every in-house lawyer needs to know how to prioritize work, i.e., how to work effectively. I use two things to help me prioritize work and here they are:
- Biggest Risk/Biggest Payoff – I start each morning and several times during the day trying to figure out which things on my pile have the biggest risk to the company or the biggest payoff. I do this because I think the in-house world comes down to two things: value creation and value destruction. You want to push the former and protect against the latter. The things that present the “biggest” risk or payoff automatically move to the top of my list.
- Focus on Three Things – Once I know which things are the most important, my to-do list only contains three things, i.e., these are the three things I want to get done today. I limit it to three because that about all I can realistically get done in one day. And there is nothing more depressing than looking at a list of 50 “things to do.” I don’t ignore everything else, they’re just not priorities today. The bulk of my time and attention goes to working on my top three. And if I get one done, there is always another task waiting in the wings to move up the list.
8. Legal Operations. Most in-house legal departments now have a dedicated legal operations person, i.e., a person in charge of billing, accruals, technology, metrics, forecasts, budget, etc. What used to be a luxury is now table stakes. Given the focus from the CEO and CFO on the Legal Department performing like any other business unit, you need to give serious thought on how to improve your operations management. If you cannot afford a full-time person dedicated to this task, you’ll have to figure out how to split the role up among your team or, worst case, assume the responsibilities yourself. Additionally, check out the CLOC website for the latest insights into legal operations. Three keys to legal operations:
- E-Billing System – To properly manage your billings, forecasts, accruals, and budgeting process you need an e-billing system. If you don’t have one, get one. If you have one, be sure you and your team are fully trained on how to use it and on all of its capabilities.
- Forecasting/Accruals – Your in-house life will be much easier if you can accurately forecast legal spend and properly manage accruals. If you mess these up or are lazy about the work required to get them right you will likely find yourself explaining the “misses” to senior management and, potentially, out of a job.
- Dashboard – Develop a dashboard that easily summarizes how the Legal Department is performing. Typically, this will mean budget goals, key projects and priorities (i.e., goals), and any other Key Performance Indicators (“KPI’s”) you come up with or, more likely, are imposed by the business. A simple red, yellow, green scorecard is all you need here or you can look at some of the numerous dashboard creation tools.
9. Crisis Management. This is one of those things you hope you never need but you’ll be very glad you have it in place if the worst happens. The crux of crisis management is having a plan in place before there is a crisis. Your crisis management plan is a document that sets out different crisis scenarios and all the steps the company will take to deal with that problem. The core of the plan is the list of “who to contact” and assemble when there is a crisis. For example, if there is a major malfunction of your computer systems your crisis management plan will contain the names and contact information for internal employees and external vendors who need to be contacted. It may have sample press statements and employee communications. And, it will set out who is the leader for this type of crisis, how often communications go out and to whom, and what back-up systems employees and the company will rely on until the main system is back online. Most importantly, you need to practice the plan at least once a year so that you can make improvements and so you can ensure that the first time anyone sees the plan is not during an actual crisis. Getting a real crisis management plan in place should be a key goal in 2018.
10. Build a Department of Yes. It’s a long-running joke that most business people refer to the Legal Department as the “Department of No.” But what if you made a true effort to turn this joke on its head and cause your business colleagues to view your Legal Department as the “Department of Yes.” This doesn’t mean you and your fellow lawyers are pushovers and let the business do whatever it wants. Rather, it means you focus on instilling an attitude among your team that you will be as flexible, as creative, and as diligent as possible to work with the business to get to “yes.” It takes far more skill to get to “yes” than it does to say “no.” Most in-house lawyers I know, prefer the former to the latter. Here are three things to think about:
- Attitude – the most important part of creating a Department of Yes is the attitude of the lawyers in the Legal Department. Everyone has to understand that Legal’s job is to help the business get things done. This means no “my way or the highway” mentality. Flexibility and creativity are the keys. And, always keep this in mind: Legal does not run the business. We’re just helpers.
- Forms/Playbooks – one sure fire way to help the business get things done is to create as many form agreements as possible. To the extent the business can use templates that do not require additional input from Legal you are well on your way to “Yes.” Likewise, an easy to use playbook that informs the business users how the form agreements work, what the provisions do and why they are needed, and acceptable “fallback” positions, i.e., changes that are acceptable without additional legal input.
- Meetings – equally important is that the Legal Department take advantage of every opportunity to participate in regular meetings of the business, e.g., sales kick-off meetings, quarterly meetings, forecast meetings, staff meetings, etc. Embedding Legal into the various business units is the fastest way to develop a Department of Yes because Legal will be visible and available in real time to the sales teams. That’s when true collaboration (vs. confrontation) begins.
I know a list like this can be intimidating. It’s not meant to be. It’s only a starting point for things that could use your attention in 2018 (or any year for that matter). Even if you only touched on a few of these in 2018, that would be a big bit of forward progress. Heck, even if you went deep on only one of these, that would still be great. The only you cannot do as an in-house lawyer is stand still. Keep the ball in front of you and keep moving down the field. Blazing fast or slow as a turtle, it doesn’t matter. Every step forward is a win.
March 29, 2018
Ten Things You Need to Know as In-House Counsel: Practical Advice and Successful Strategies is now available for sale. Described by the American Bar Association as “The one book all in-house counsel need to own!” Click here for details on how to order. Perfect for your library, or as a gift to clients or members of the legal department (or your next legal offsite).
If you find this blog useful, please click “follow” in the top right and you will get all new editions emailed to you directly. “Ten Things” is not legal advice nor legal opinion and represents my views only. It is intended to provide practical tips and references to the busy in-house practitioner and other readers. If you have questions or comments, please contact me at firstname.lastname@example.org.
My first book, “The Evolution of Professional Football,” is available for sale on Amazon and at www.SterlingMillerBooks.com