TRANSCRIPT
DATA PROTECTION IN THE AGO
Christina Beusch
Deputy Attorney General
WA State Attorney General’s Office
It’s Not Just Our Clients’ Problem!
• Paralegal: Where is that disk?
• Legal Assistant: Oops – Wrong email address!
• AAG: I need a USB flash drive to download documents to take to court.
• Investigator: My car was parked right in front of my house and the file was on the backseat.
• Manager: It’s just easier if I travel with these reports on my Kindle Reader.
Source of Privacy Obligations
• HIPAA/HITECH – AGO is a “business associate”
• State health information privacy laws, e.g. ch. 70.02 RCW
• State and federal personal information privacy laws e.g. RCW 42.56.590, Gramm-Leach-Bliley Act
• Attorney-Client and Work Product Privileges
Know Your Data
• Category 1 – Public Information
• Category 2 – Sensitive Information – not specifically protected but for official use only
• Category 3 – Confidential Information – privileged, personal/personnel, security
• Category 4 – Confidential Information Requiring Special Handling – strict legal requirements and sanctions apply, e.g. health information, SSNs, personal financial info
Create a Data Protection Program
• Assemble office experts to advise management and empower them to do the job
• Have strong senior executive support
• Adopt specific and legally compliant policies, procedures, and business rules to govern how staff are required to protect data and address breaches
• Document data protection obligations in client MOUs and vendor contracts
Implement a Data Protection Program
• Can’t have protection without education
• Train new employees and existing employees at regular intervals and document training
• Create a culture of compliance, e.g. use strategic plans, staff meetings, CLEs, signage
• Keep up with technology – identify new ways data can be compromised and find new tools to safeguard data so staff can do business
A “Toolkit”
• IT Security Policy
• Mobile Device Policy
• HIPAA/HITECH Policy
• Breach Notification Protocol
• Division/Unit Business Rules
• Client MOU for HIPAA/HITECH Compliance
• Contract language for HIPAA/HITECH Compliance