Law Firm Data Privacy Overview

Presented by
David Cunningham
Hildebrandt Baker Robbins
Data Privacy Overview

[Diagram: Data Privacy at the centre, surrounded by the three concerns it spans: Regulatory Obligations, Client Confidential Information and Firm Confidential Information]
Data Privacy

Data Privacy Regulations

The regulations covered in the following slides, and the class of data each one protects:

  HITECH / HIPAA                                Protected Health Information (PHI)
  State Privacy Laws                            Personally Identifiable Information (PII)
  EU Data Protection Directive / Safe Harbor    Personally Identifiable Information (PII)
  Red Flag                                      Personally Identifiable Information (PII)
  ITAR                                          Classified Defense Information

HITECH / HIPAA – Protected Health Information (PHI)

  Governing Body     Health and Human Services and Federal Trade Commission
  Sensitive Data     Protected Health Information
                     • Internal HR data
                     • Client data
  Compliance Date    February 17, 2010
  Penalty            $100 - $50,000 per incident; $1.5M max per year.
                     Plus potential criminal penalties
Data Privacy

Data Privacy Regulations

State Privacy Laws – Personally Identifiable Information (PII)

  Governing Body     State of Massachusetts (example state)
  Sensitive Data     Personal information about a resident of the Commonwealth of Massachusetts
  Compliance Date    March 1, 2010
  Penalty            $5,000 per incident plus costs of investigation, litigation and legal fees,
                     plus potential civil penalties
Data Privacy

Data Privacy Regulations

EU Data Protection Directive / Safe Harbor – Personally Identifiable Information (PII)

  Governing Body     US Dept of Commerce / Federal Trade Commission
  Sensitive Data     Personal information transferred to or from the 27 Member States of the
                     European Union
  Compliance Date    Voluntary (replaces Data Transfer Agreements)
  Penalty            Up to $12,000 per day for violations
Data Privacy

Data Privacy Regulations

Red Flag – Personally Identifiable Information (PII)

  Governing Body     Federal Trade Commission via Fair Credit Reporting Act
  Sensitive Data     Require financial institutions and creditors to create a program that
                     provides for the identification, detection, and response to patterns,
                     practices, or specific activities – known as “red flags.”
                     The purpose of the Red Flags Rules is to help avoid identity theft.
  Compliance Date    June 1, 2010 (law firms exempt)
  Penalty            $2,500 - $3,500 per violation, then up to $16,000 per violation for
                     continued non-compliance
Data Privacy

Data Privacy Regulations

ITAR – Classified Defense Information

  Governing Body     US Department of State
  Sensitive Data     “Export of technical data and classified defense articles”, as defined by
                     the US Munitions List
  Compliance Date    60 days in advance of any intended sale or transfer to a foreign person of
                     ownership or control
  Penalty            Per violation, civil fines up to $500K; criminal penalties up to $1M and
                     10 years imprisonment
Data Privacy

Data Privacy Regulations / Protection of Sensitive Data / Data Standards

Protection of Sensitive Data

  Client Data Leaks        Client and Case / Transaction Data
  Firm Data Leaks          Firm and Partner Confidential Data
  Preservation Orders      Litigation, Subpoena or Client Requests
  Confidential Walls       - Inclusionary Walls for Privacy and Subpoenas
                           - Exclusionary Walls for Conflicts

Data Standards

  ISO 27001                Competence in Addressing Data Confidentiality
Data Privacy Solutions
Data Privacy - General Adequacy Questions
• Does your firm need the personal data that it is collecting about an individual?
• Can your firm document what it will use the personal data for?
• Do these individuals know that the firm has their personal data, and do they understand what it will be used for?
• If the firm is asked to pass on personal data, would these individuals expect the firm to do this?
• Is the firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the firm willing to face a regulatory audit on this security?
• Where personal data is shared with third parties, is it secure, and are proper contracts with those third parties in place?
• Is access to personal data limited to those with a strict need to know at the firm?
• Is the firm sure that all personal data is accurate and up to date?
• Does the firm delete or destroy personal information as soon as it has no more need for it?
• Has the firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws, and are all of its attorneys and staff satisfying those duties and responsibilities?
• Are all notifications to all Data or Information Commissioners current?
Data Privacy – Vendor Agreements

  Terms Before Negotiation                  Terms After Negotiation

  Limitations on liability                  Security and privacy standards
  Limited warranties                        Data ownership and return of data
  No performance standards                  Permissible use and disclosure of data
  Ability to change terms without notice    Service level standards
  Weak termination rights                   Control of security incidents
  Automatic contract renewal                Audit rights
                                            Proper allocation of liability
                                            Choice of law/forum
Data Privacy Roadmap
• Start with broadest areas of risk
   – Protect portable devices: PCs, USB drives, and PDAs
   – Conduct an account audit; enact password policies
   – Use third party to perform penetration testing
• Inventory PII, PHI, confidential, and sensitive information
• Establish Firm's privacy stance
   – Establish data privacy roles and responsibilities
   – Draft privacy policy
• Incorporate data privacy in agreements with:
   – Employees
   – Clients
   – Firm's vendors
Data Privacy Roadmap (continued)
• Educate employees
• Address broader aspects of data privacy
   – Processes (manual or automated)
   – Physical security
   – 'Data at Rest' and 'Data in Motion'
   – Security monitoring
• Register with data privacy authorities
• Maintain security program
David Cunningham
Managing Director, Hildebrandt Baker Robbins
dcunningham@hbrconsulting.com

Editor's Notes

  • #3 Data privacy is simple in concept – ensuring sensitive data is seen by only the correct people. It can also be called Data Security or Data Loss Prevention. For our discussion today, we’re not going to focus on related topics of perimeter security (firewalls, etc.) or protection from viruses. Specifically, we’ll focus on data privacy regulations and the protection of firm and client confidential data. First, I will outline the issues and obligations for law firms in these areas, then provide a perspective of what we see as an emerging solution to tackle most of the needs for law firms.