In recent years, businesses have been investing in digital transformation. With the pandemic, most businesses have accelerated these initiatives to accommodate, among other things, a transition to some form of remote work – even as we contemplate a return to the workplace in the coming months.
Broadly speaking, there is no one definition of “digital transformation,” but it generally encompasses (i) updating end-of-life systems and infrastructure, (ii) accelerating the move to the cloud and XaaS (everything as a service), and (iii) creating and using new technologies such as artificial intelligence and machine learning. The underlying rationale for such initiatives is the potential in cost savings and increased efficiencies that will benefit the business’s operations.
As with any major initiative, a successful digital transformation will depend on identifying key risks and implementing measures (including contractual ones) to mitigate such risks. The type and magnitude of risks depend on a variety of factors, including the organization’s business model, its stakeholders and the complexity of its technology. In this article, we briefly discuss the risks associated with digital transformation from technology, cybersecurity and privacy perspectives.
As a starting point, consider all of the different types of technologies that your business may be looking at implementing as part of an overall digital transformation strategy (e.g., 5G, Web 3.0, Smart APIs, AI/ML, IoT, DevOps, blockchain and cloud). Developing a coherent and unified framework that brings some or all of these technologies together should be priority number one. Absent such a framework, a business may find itself managing a patchwork of technologies, services and contracts. Accordingly, your legal team should be leading the charge in articulating methodology, reporting standards, testing and structuring relief events – all of which will feed into the digital transformation framework.
One of the key challenges relates to the risk of early adoption – where the supplier of a promising technology does not have a lengthy track record of successful deployment. This means that the business is essentially taking on more risk than it normally would, in exchange for implementing a promising technology sooner. That said, there are ways to mitigate some of the associated risks. For example, the contract with the supplier should have very specific language regarding delivery of the technology on time, on budget and in compliance with defined or acceptable technical standards. The business should also insist on meaningful and enforceable remedies to address failures, so as to avoid incurring irrecoverable additional expenses and losses (especially where the business is highly dependent on said technology). When identifying these remedies, businesses should consider possible failure scenarios and attempt to quantify them in terms of potential financial losses to the business, including disruption to business operations.
Another way to minimize risk is to conduct rigorous proof-of-concept testing that will assess the functionality and performance of the technology versus representations made by the supplier. More importantly, this is an important opportunity to assess the interplay between the new technology and other technologies (new or legacy). In other words, consider whether technology A operates as anticipated with existing technology B and another new technology C. If not, does it still make sense to move forward with the acquisition of technology A for the business?
Lastly, no digital transformation project is entirely ringfenced, and businesses should consider what support and interaction may be required from other third-party service providers. A change to one element of an IT stack is likely to impact other elements of the business’s broader IT environment. This is why cross-party dependencies should be carefully assessed when onboarding a new service provider.
Ensuring protection of data and the digital environment from unauthorized access is another key challenge facing digital transformation. As noted in our previous publication, COVID-19 and remote working pose enhanced security risks to organizations and increase exposure to cyberattacks or other unauthorized access. As a result, organizations need to consider and ensure protection of data across the digital ecosystem, including data at rest and in transit. This can be challenging when data needs to travel through a complex IT stack – sometimes providing suppliers with access and, in other cases, providing them outright with the data in question.
Over the course of the pandemic, there has been an increase in the number of cyberattacks, accompanied by new tactics from threat actors such as “double extortion,” placing organizations at a higher risk of business interruption. Use of additional digital tools also increases the chances of human error, which is often exploited by such threat actors. As many organizations move to a more digital environment to accommodate both office-based and remote working, it is important to consider and implement training, policies and controls to protect against cybersecurity threats. For instance, moving to a cloud-based email infrastructure that is not accompanied by multi-factor authentication and proper training and controls around phishing may expose an organization to a cybersecurity breach. Organizations should also consider whether the digital environment to be implemented will enable the organization to obtain data evidence in the event of a cybersecurity incident, and consider its admissibility in court.
From a contracting standpoint, the business should insist on having clarity on the information security standards that the supplier is required to meet. The business should also have the ability to vet and audit the supplier’s compliance with contractually mandated requirements. Further, the contract should clearly outline the circumstances where the supplier is liable for a cybersecurity incident, the extent of their financial liability and what costs may be coverable by the business. This can often be tricky since in some instances, the specifics may boil down to which party has leverage in the negotiations. However, not considering and negotiating these points can leave a business highly vulnerable in the event of a cybersecurity incident or data breach.
Privacy and regulatory risks
With COVID-19 and the increased use of digital technologies, protection of personal information has become even more important. Organizations of all sizes are now collecting additional personal information, including personal health information, on their employees and customers. Such collection, use and disclosure of sensitive personal information necessitates compliance with applicable privacy laws. Depending on the industry in which an organization operates, the type of personal information being collected and the means by which it may be obtained, organizations may also be required to comply with additional regulatory requirements. For instance, an organization now using digital payment methods may need to ensure compliance with the Payment Card Industry Data Security Standard (also referred to as PCI DSS) and, if applicable, other requirements of regulatory bodies such as the Office of the Superintendent of Financial Institutions.
The uptick in cyberattacks means that security monitoring is more essential than ever. However, any increase in monitoring or access to information needs to be balanced against employees’ and customers’ privacy rights. Given the lack of regulatory guidance concerning employee personal information in most Canadian jurisdictions, as well as the upcoming changes in the Canadian privacy regime, organizations will need to consider how to ensure compliance when revamping their privacy-focused policies and controls.
Additionally, businesses are under increased scrutiny to demonstrate compliance with privacy laws from multiple jurisdictions, often making it difficult to contract with suppliers who cannot guarantee compliance with privacy laws around the world – especially those that have onerous compliance requirements. However, businesses need to balance risk with opportunity and, in some instances where the privacy risk is too high (e.g., where non-compliance will result in significant monetary penalties), consideration should be given to whether the proposed technology solution can be scaled back or additional assurances can be obtained from the supplier.
In short, digital transformation projects are here to stay and the role of legal and procurement teams should be to (i) develop an overall framework that will coherently drive the initiative and (ii) pay close attention to contractual language, as that is one of the few ways to materially mitigate the risks associated with the early adoption of new technologies.