Law Firm Data Privacy Overview Presented by David Cunningham Hildebrandt Baker Robbins

Page 1: Law firm data privacy by dave cunningham

Law Firm Data Privacy Overview

Presented by

David Cunningham
Hildebrandt Baker Robbins

Page 2

Data Privacy Overview

• Regulatory Obligations
• Client Confidential Information
• Firm Confidential Information

Page 3

Data Privacy Regulations

• HITECH / HIPAA: Protected Health Information (PHI)
• State Privacy Laws: Personally Identifiable Information (PII)
• EU Data Protection Directive / Safe Harbor: Personally Identifiable Information (PII)
• Red Flag: Personally Identifiable Information (PII)
• ITAR: Classified Defense Information

HITECH / HIPAA (Protected Health Information)

Governing Body: Health and Human Services and Federal Trade Commission
Sensitive Data: Protected Health Information
• Internal HR data
• Client data
Compliance Date: February 17, 2010
Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties

Page 4

State Privacy Laws (Personally Identifiable Information)

Governing Body: State of Massachusetts (example state)
Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
Compliance Date: March 1, 2010
Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties

Page 5

EU Data Protection Directive / Safe Harbor (Personally Identifiable Information)

Governing Body: US Dept of Commerce / Federal Trade Commission
Sensitive Data: Personal information transferred to or from the 27 Member States of the European Union
Compliance Date: Voluntary (replaces Data Transfer Agreements)
Penalty: Up to $12,000 per day for violations

Page 6

Red Flag (Personally Identifiable Information)

Governing Body: Federal Trade Commission via Fair Credit Reporting Act
Sensitive Data: Requires financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities known as “red flags.” The purpose of the Red Flags Rules is to help avoid identity theft.
Compliance Date: June 1, 2010 (law firms exempt)
Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance

Page 7

ITAR (Classified Defense Information)

Governing Body: US Department of State
Sensitive Data: “Export of technical data and classified defense articles”, as defined by the US Munitions List
Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment

Page 8

Protection of Sensitive Data

Client Data Leaks: Client and Case / Transaction Data
Firm Data Leaks: Firm and Partner Confidential Data

Page 9

Protection of Sensitive Data (continued)

Preservation Orders: Litigation, Subpoena or Client Requests
Confidential Walls:
• Inclusionary Walls for Privacy and Subpoenas
• Exclusionary Walls for Conflicts

Page 10

Data Standards

ISO 27001: Competence in Addressing Data Confidentiality

Page 11

Data Privacy Solutions

Page 12

Data Privacy - General Adequacy Questions

• Does your firm need the personal data that it is collecting about an individual?

• Can your firm document what it will use the personal data for?

• Do these individuals know that the firm has their personal data and do they understand what it will be used for?

• If the firm is asked to pass on personal data, would these individuals expect the firm to do this?

• Is the firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the firm willing to face a regulatory audit on this security?

• Where personal data is handled by third parties, is it secure and are proper contracts with those third parties in place?

• Is access to personal data limited to those with a strict need to know at the firm?

• Is the firm sure that all personal data is accurate and up to date?

• Does the firm delete or destroy personal information as soon as it has no more need for it?

• Has the firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws and are all of its attorneys and staff satisfying their duties and responsibilities?

• Are all notifications to all Data or Information Commissioners current?

Page 13

Data Privacy – Vendor Agreements

Terms Before Negotiation
• Limitations on liability
• Limited warranties
• No performance standards
• Ability to change terms without notice
• Weak termination rights
• Automatic contract renewal

Terms After Negotiation
• Security and privacy standards
• Data ownership and return of data
• Permissible use and disclosure of data
• Service level standards
• Control of security incidents
• Audit rights
• Proper allocation of liability
• Choice of law/forum

Page 14

Data Privacy Roadmap

• Start with broadest areas of risk
  – Protect portable devices: PCs, USB drives, and PDAs
  – Conduct an account audit; enact password policies
  – Use third party to perform penetration testing

• Inventory PII, PHI, confidential, and sensitive information

• Establish Firm’s privacy stance
  – Establish data privacy roles and responsibilities
  – Draft privacy policy

• Incorporate data privacy in agreements with:
  – Employees
  – Clients
  – Firm’s vendors

Page 15

Data Privacy Roadmap (continued)

• Educate employees

• Address broader aspects of data privacy
  – Processes (manual or automated)
  – Physical security
  – ‘Data at Rest’ and ‘Data in Motion’
  – Security monitoring

• Register with data privacy authorities

• Maintain security program

Page 16

David Cunningham

Managing Director, Hildebrandt Baker Robbins

[email protected]