Law Firm Data Privacy by Dave Cunningham
TRANSCRIPT
Law Firm Data Privacy Overview
Presented by David Cunningham, Hildebrandt Baker Robbins
Data Privacy Overview
• Regulatory Obligations
• Client Confidential Information
• Firm Confidential Information
Data Privacy
Data Privacy Regulations
• HITECH / HIPAA: Protected Health Information (PHI)
• State Privacy Laws: Personally Identifiable Information (PII)
• EU Data Protection Directive / Safe Harbor: Personally Identifiable Information (PII)
• Red Flag: Personally Identifiable Information (PII)
• ITAR: Classified Defense Information
HITECH / HIPAA (Protected Health Information)
Governing Body: Health and Human Services and Federal Trade Commission
Sensitive Data: Protected Health Information
• Internal HR data
• Client data
Compliance Date: February 17, 2010
Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties
State Privacy Laws (Personally Identifiable Information)
Governing Body: State of Massachusetts (example state)
Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
Compliance Date: March 1, 2010
Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
EU Data Protection Directive / Safe Harbor (Personally Identifiable Information)
Governing Body: US Dept of Commerce / Federal Trade Commission
Sensitive Data: Personal information transferred to or from 27 Member States of the European Union
Compliance Date: Voluntary (replaces Data Transfer Agreements)
Penalty: Up to $12,000 per day for violations
Red Flag Rules (Personally Identifiable Information)
Governing Body: Federal Trade Commission via Fair Credit Reporting Act
Sensitive Data:
• Require financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags.”
• The purpose of the Red Flags Rules is to help avoid identity theft.
Compliance Date: June 1, 2010 (law firms exempt)
Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance
ITAR (Classified Defense Information)
Governing Body: US Department of State
Sensitive Data: “Export of technical data and classified defense articles”, as defined by the US Munitions List
Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
Protection of Sensitive Data
• Client Data Leaks: Client and Case / Transaction Data
• Firm Data Leaks: Firm and Partner Confidential Data
• Preservation Orders: Litigation, Subpoena or Client Requests
• Confidential Walls
  – Inclusionary Walls for Privacy and Subpoenas
  – Exclusionary Walls for Conflicts
Data Standards
• ISO 27001: Competence in Addressing Data Confidentiality
Data Privacy Solutions
Data Privacy - General Adequacy Questions
• Does your firm need the personal data that it is collecting about an individual?
• Can your firm document what it will use the personal data for?
• Do these individuals know that the firm has their personal data and do they understand what it will be used for?
• If the firm is asked to pass on personal data, would these individuals expect the firm to do this?
• Is the firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the firm willing to face a regulatory audit on this security?
• Is the personal data secure once passed on, and are proper contracts with the third parties in place?
• Is access to personal data limited to those with a strict need to know at the firm?
• Is the firm sure that all personal data is accurate and up to date?
• Does the firm delete or destroy personal information as soon as it has no more need for it?
• Has the firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws and are all of its attorneys and staff satisfying their duties and responsibilities?
• Are all notifications to all Data or Information Commissioners current?
Data Privacy – Vendor Agreements
Terms Before Negotiation:
• Limitations on liability
• Limited warranties
• No performance standards
• Ability to change terms without notice
• Weak termination rights
• Automatic contract renewal
Terms After Negotiation:
• Security and privacy standards
• Data ownership and return of data
• Permissible use and disclosure of data
• Service level standards
• Control of security incidents
• Audit rights
• Proper allocation of liability
• Choice of law/forum
Data Privacy Roadmap
• Start with broadest areas of risk
  – Protect portable devices: PCs, USB drives, and PDAs
  – Conduct an account audit; enact password policies
  – Use third party to perform penetration testing
• Inventory PII, PHI, confidential, and sensitive information
• Establish Firm’s privacy stance
  – Establish data privacy roles and responsibilities
  – Draft privacy policy
• Incorporate data privacy in agreements with:
  – Employees
  – Clients
  – Firm’s vendors
Data Privacy Roadmap (continued)
• Educate employees
• Address broader aspects of data privacy
  – Processes (manual or automated)
  – Physical security
  – ‘Data at Rest’ and ‘Data in Motion’
  – Security monitoring
• Register with data privacy authorities
• Maintain security program
David Cunningham
Managing Director, Hildebrandt Baker Robbins