Law firm data privacy by dave cunningham
Published in: Technology, News & Politics

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
383
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Data privacy is simple in concept – ensuring sensitive data is seen by only the correct people. It can also be called Data Security or Data Loss Prevention. For our discussion today, we’re not going to focus on related topics of perimeter security (firewalls, etc.) or protection from viruses. Specifically, we’ll focus on data privacy regulations and the protection of firm and client confidential data. First, I will outline the issues and obligations for law firms in these areas, then provide a perspective of what we see as an emerging solution to tackle most of the needs for law firms.
  • Transcript

    • 1. Law Firm Data Privacy Overview – Presented by David Cunningham, Hildebrandt Baker Robbins
    • 2. Data Privacy Overview: Regulatory Obligations; Client Confidential Information; Firm Confidential Information
    • 3. Data Privacy Regulations (HITECH / HIPAA – Protected Health Information (PHI); State Privacy Laws – Personally Identifiable Information (PII); EU Data Protection Directive / Safe Harbor – PII; Red Flag – PII; ITAR – Classified Defense Information) – HITECH / HIPAA
      – Governing Body: Health and Human Services and Federal Trade Commission
      – Sensitive Data: Protected Health Information, including internal HR data and client data
      – Compliance Date: February 17, 2010
      – Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties
    • 4. Data Privacy Regulations – State Privacy Laws (State of Massachusetts as example state)
      – Governing Body: State of Massachusetts
      – Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
      – Compliance Date: March 1, 2010
      – Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
    • 5. Data Privacy Regulations – EU Data Protection Directive / Safe Harbor
      – Governing Body: US Dept of Commerce / Federal Trade Commission
      – Sensitive Data: Personal information transferred to or from 27 Member States of the European Union
      – Compliance Date: Voluntary (replaces Data Transfer Agreements)
      – Penalty: Up to $12,000 per day for violations
    • 6. Data Privacy Regulations – Red Flag
      – Governing Body: Federal Trade Commission via Fair Credit Reporting Act
      – Sensitive Data: Requires financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities known as “red flags.” The purpose of the Red Flags Rules is to help avoid identity theft.
      – Compliance Date: June 1, 2010 (law firms exempt)
      – Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance
    • 7. Data Privacy Regulations – ITAR
      – Governing Body: US Department of State
      – Sensitive Data: “Export of technical data and classified defense articles”, as defined by the US Munitions List
      – Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
      – Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
    • 8. Protection of Sensitive Data
      – Client Data Leaks: Client and Case / Transaction Data
      – Firm Data Leaks: Firm and Partner Confidential Data
    • 9. Protection of Sensitive Data (continued)
      – Client Data Leaks: Client and Case / Transaction Data
      – Firm Data Leaks: Firm and Partner Confidential Data
      – Preservation Orders: Litigation, Subpoena or Client Requests
      – Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts
    • 10. Protection of Sensitive Data and Standards
      – Client Data Leaks: Client and Case / Transaction Data
      – Firm Data Leaks: Firm and Partner Confidential Data
      – Preservation Orders: Litigation, Subpoena or Client Requests
      – Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts
      – Standards: ISO 27001 – Competence in Addressing Data Confidentiality
    • 11. Data Privacy Solutions
    • 12. Data Privacy – General Adequacy Questions
      – Does your firm need the personal data that it is collecting about an individual?
      – Can your firm document what it will use the personal data for?
      – Do these individuals know that the firm has their personal data, and do they understand what it will be used for?
      – If the firm is asked to pass on personal data, would these individuals expect the firm to do this?
      – Is the firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the firm willing to face a regulatory audit on this security?
      – Is it secure, and are proper contracts with the third parties in place?
      – Is access to personal data limited to those with a strict need to know at the firm?
      – Is the firm sure that all personal data is accurate and up to date?
      – Does the firm delete or destroy personal information as soon as it has no more need for it?
      – Has the firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws, and are all of its attorneys and staff satisfying their duties and responsibilities?
      – Are all notifications to all Data or Information Commissioners current?
    • 13. Data Privacy – Vendor Agreements
      – Terms Before Negotiation: Limitations on liability; Limited warranties; No performance standards; Ability to change terms without notice; Weak termination rights; Automatic contract renewal; Choice of law/forum
      – Terms After Negotiation: Security and privacy standards; Data ownership and return of data; Permissible use and disclosure of data; Service level standards; Control of security incidents; Audit rights; Proper allocation of liability
    • 14. Data Privacy Roadmap
      – Start with broadest areas of risk: protect portable devices (PCs, USB drives, and PDAs); conduct an account audit and enact password policies; use a third party to perform penetration testing
      – Inventory PII, PHI, confidential, and sensitive information
      – Establish the firm’s privacy stance: establish data privacy roles and responsibilities; draft privacy policy
      – Incorporate data privacy in agreements with employees, clients, and the firm’s vendors
    • 15. Data Privacy Roadmap (continued)
      – Educate employees
      – Address broader aspects of data privacy: processes (manual or automated); physical security; ‘Data at Rest’ and ‘Data in Motion’; security monitoring
      – Register with data privacy authorities
      – Maintain security program
    • 16. David Cunningham, Managing Director, Hildebrandt Baker Robbins – dcunningham@hbrconsulting.com