2. Data Privacy Overview
Diagram with four labels: Data Privacy; Regulatory Obligations; Client Confidential Information; Firm Confidential Information.
3. Examples of data that is regulated by one or more privacy/security statutes
Name
Social security number
Last four of social security number
Drivers license number
Date of birth
Passport information
Health information
Maiden name
Electronic or digitized signature
Address or phone numbers
Biometric information (fingerprint, voice print, etc.)
Physical or mental health conditions
Information regarding provision of or payment for health care
Financial information (electronic payroll deposit)
Credit card or debit card information
Government identification numbers
Tax information
4. Data Privacy: HITECH / HIPAA
Data Privacy Regulations (one per slide in this section):
HITECH / HIPAA: Protected Health Information (PHI)
State Privacy Laws: Personally Identifiable Information (PII)
EU Data Protection Directive / Safe Harbor: Personally Identifiable Information (PII)
Red Flag: Personally Identifiable Information (PII)
ITAR: Classified Defense Information

HITECH / HIPAA
Governing Body: Health and Human Services and Federal Trade Commission
Sensitive Data: Protected Health Information; Internal HR data; Client data
Compliance Date: February 17, 2010
Penalty: $100 - $50,000 per incident; $1.5M max per year; plus potential criminal penalties
5. Data Privacy: State Privacy Laws
Governing Body: State of Massachusetts (example state)
Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
Compliance Date: March 1, 2010
Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
6. Data Privacy: EU Data Protection Directive / Safe Harbor
Governing Body: US Dept of Commerce / Federal Trade Commission
Sensitive Data: Personal information transferred to or from 27 Member States of the European Union
Compliance Date: Voluntary (replaces Data Transfer Agreements)
Penalty: Up to $12,000 per day for violations
7. Data Privacy: Red Flag
Governing Body: Federal Trade Commission via Fair Credit Reporting Act
Sensitive Data: Requires financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities – known as "red flags." The purpose of the Red Flags Rules is to help avoid identity theft.
Compliance Date: June 1, 2010 (law firms exempt)
Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance
8. Data Privacy: ITAR
Governing Body: US Department of State
Sensitive Data: "Export of technical data and classified defense articles", as defined by the US Munitions List
Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
9-11. Data Privacy: Protection of Sensitive Data
Client Data Leaks: Client and Case / Transaction Data
Firm Data Leaks: Firm and Partner Confidential Data
Preservation Orders: Litigation, Subpoena or Client Requests
Confidential Walls:
- Inclusionary Walls for Privacy and Subpoenas
- Exclusionary Walls for Conflicts
Data Standards: ISO 27001, Competence in Addressing Data Confidentiality
14. "Anonymous" Hacking of HB Gary
HB Gary, a security firm, was working with Hunton & Williams to help protect Bank of America from Wikileaks contributions.
The CEO of HB Gary announced that his company had infiltrated the security group Anonymous.
In retaliation, Anonymous took control of HB Gary's e-mail, dumping 68,000 e-mails, erasing files, and taking down their phone system.
They exposed contributors to Wikileaks and the HB Gary CEO's home address and social security number.
15. Security Hacking for a Cause
Hackers appear to be widening their targets, stealing information from vendors or contractors that may have strategic data about their clients, including public relations and law firms.
Law firms have been hacked due to their roles associated with copyright law.
King & Spalding was a large firm known to have been attacked.
16. Ex-Sonsini Attorney Charged In $32M Insider Trading Case
A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms that netted $32 million in a decades-long insider trading scheme.
Kluger regularly "stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working," according to a copy of the criminal complaint.
17. From whom are knowledge managers protecting data?
Internal
– Employees with insider trading intentions
– Employees who accidentally see confidential data
– Employees who re-use content outside their expertise
– Attorney-client privilege
– Stock trading without appropriate notification and disclosure
External
– Clients and third parties who may accidentally be sent confidential information
18. What sources of information may be useful to insiders?
Document management (document names and descriptions)
Records data
Precedents
Active material
Litigation support data
Conflicts
New business intake
Time entry systems
Extranet sites
Verbal discussions
Newsletters and status reports
Physical war rooms
Travel agendas
Legal project management
19. How do firms protect this information?
Standard Tools
Policies
Ethical training and reinforcement
Ethical walls for known sensitive matters
Project code names
Enterprise searching that recognizes folder and file security
Password protection for documents and spreadsheets
Locking and wiping of remote access devices; security software on remote device
Minimum password sophistication
Required screen saver usage
Two-factor authentication
Account auditing / monitoring
20. How do firms protect this information?
Emerging Tools
Document naming standards
Matters secured by default / ethical walls for all matters
Knowledge Management as gatekeeper
Third party agreements and procedures
Identity management
Monitoring for unusual activity (users and IT)
Encryption (data in transit / data at rest)
Intelligent redaction software
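As an added illustration (not from the slides or the presenters) of the controls named on slides 9-11, 19 and 20, the Python below models matters secured by default, inclusionary and exclusionary ethical walls, an enterprise search that drops hits the caller may not open, and a denial log that a monitoring job could read. The matters, users, document titles and the wall-precedence rule are assumptions.

```python
# Added example, not from the slides: a toy model of "matters secured by
# default", inclusionary/exclusionary ethical walls, security-aware search and
# an audit hook. Matter names, users and documents below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Matter:
    name: str
    team: Set[str]                             # users staffed on the matter
    inclusionary: Optional[Set[str]] = None    # privacy/subpoena wall: allow-list only
    excluded: Set[str] = field(default_factory=set)  # conflict wall: always denied

AUDIT: List[Tuple[str, str]] = []  # (user, matter) for every denied access

def can_access(user: str, matter: Matter) -> bool:
    """Deny by default. Assumed precedence: an exclusionary wall beats every
    other rule; an inclusionary wall replaces team membership with its list."""
    if user in matter.excluded:
        allowed = False
    elif matter.inclusionary is not None:
        allowed = user in matter.inclusionary
    else:
        allowed = user in matter.team
    if not allowed:
        AUDIT.append((user, matter.name))
    return allowed

def search(user: str, query: str, index: List[Tuple[str, Matter]]) -> List[str]:
    """Enterprise search that respects matter security: hits the user may not
    open are dropped, so even document titles do not leak across a wall."""
    return [title for title, matter in index
            if query.lower() in title.lower() and can_access(user, matter)]

def denied_count(user: str) -> int:
    """Monitoring hook: how often a user has bumped into a wall."""
    return sum(1 for u, _ in AUDIT if u == user)

# Constructed sample data: a code-named deal, a walled subpoena, a conflict.
MERGER = Matter("Project Falcon", team={"alice", "bob"})
SUBPOENA = Matter("Client X subpoena", team={"alice", "bob"}, inclusionary={"alice"})
CONFLICT = Matter("Acme v. Beta", team={"dave"}, excluded={"bob"})
INDEX = [("Falcon term sheet v3", MERGER),
         ("Client X subpoena response", SUBPOENA),
         ("Acme v. Beta deposition outline", CONFLICT)]

if __name__ == "__main__":
    print(search("bob", "", INDEX))      # ['Falcon term sheet v3']
    print(denied_count("bob"))
```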
22. Questions?
Jim Harvey
jim.harvey@alston.com
Dave Cunningham
dcunningham@hbrconsulting.com
23. Data Privacy - General Adequacy Questions
Does the Firm need the personal data that it is collecting about an individual?
Can the Firm document what it will use the personal data for?
Do these individuals know that the Firm has their personal data and do they understand what it will be used for?
If the Firm is asked to pass on personal data, would these individuals expect the Firm to do this?
Is the Firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the Firm willing to face a regulatory audit on this security?
Is it secure and are proper contracts with the third parties in place?
Is access to personal data limited to those with a strict need to know at the Firm?
Is the Firm sure that all personal data is accurate and up to date?
Does the Firm delete or destroy personal information as soon as it has no more need for it?
Has the Firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws and are all of its attorneys and staff satisfying their duties and responsibilities?
Are all notifications to all Data or Information Commissioners current?
24. Selected Articles
Block, Meg & David Cunningham. "Legal Information Risk – Action Plan and Roadmap," Peer to Peer, June 2011.
http://www.mygazines.com/issue/34686/33
Harbert, Tam. "Catch Me If You Can," Law Technology News, June 1, 2011.
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202494769505&slreturn=1&hbxlogin=1
Nelson, Sharon. "Your Chance of Being Hacked in Twelve Months Now a 'Statistical Certainty,'" Ride The Lightning Electronic Evidence Blog, June 30, 2011.
http://ridethelightning.senseient.com/2011/06/your-chance-of-being-hacked-in-twelve-months-now-a-statistical-certainty.html
25. Selected Resources
Law Firm Risk Resources (short list from 2009).
http://lawfirmriskresources.wikispaces.com/
Law Firm Risk Management Blog.
http://www.lawfirmrisk.com/
InfoRiskAwareness Blog (UK focus).
http://inforiskawareness.co.uk/best_practice/
Hildebrandt Baker Robbins Blog (selected posts).
http://info.hbrconsulting.com/blog/archive/2011/06/01/balancing-information-security-and-collaboration-a-knowledge-management-view.aspx and
http://info.hbrconsulting.com/blog/archive/2011/05/13/risk-management-at-law-firms-a-rapidly-evolving-issue.aspx
Editor's Notes
Third party agreements / due diligence
Encryption
Auditing of IT capability
Third-party agreements (for extranets/collaboration rooms) and for subcontractors hosting client data