Privacy Compliance for Law Firms:
Moving Beyond Confidentiality
Joshua Lenon
LAWYER IN RESIDENCE AT CLIO
Attorney admitted in New York
@JoshuaLenon
Agenda
• Law Firms’ Data Sources
• Confidentiality vs Privacy
• Regulating Law Firms’ Privacy
• Future Privacy Laws
• Questions (10 minutes)
Law Firms’ Data Sources
Whose data is this?
Law Firm Data - Traditional
Client Files
• Confidential
• Privileged Communication
• Work Product
Traditional Law Firm Data Concerns
• Attorney-Client Privilege (Evidentiary Rule)
• Work Product Doctrine (Civil Procedure Rule)
• MRPC Rule 1.6 (Ethical Duty)
Attorney-Client Privilege
“encourage[s] full and frank communication between
attorneys and their clients.” Upjohn Co. v. United
States, 449 U.S. 383 (1981).
Attorney-Client Privilege
• Limited to communications between the client and attorney
• Privilege rests with the client; even beyond the grave, Swidler & Berlin v. United States, 524 U.S. 399 (1998)
• Waiver possible
• An inadvertent disclosure is not necessarily a waiver, if:
• the disclosure is inadvertent;
• the holder of the privilege or protection took reasonable steps to prevent disclosure; and
• the holder promptly took reasonable steps to rectify the error
Work Product Doctrine
Federal Rules of Civil Procedure Rule 26(b)(3)
• “Ordinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation...”
• Materials may be discovered if the party shows that it has substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means.
MRPC Rule 1.6 - Confidentiality
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
MRPC Rule 1.6(b)
• prevent reasonably certain death or substantial bodily harm
• prevent the client from committing a crime or fraud
• prevent, mitigate or rectify substantial injury to the financial interests or property of another
• secure legal advice about the lawyer's compliance with these Rules
• establish a claim or defense on behalf of the lawyer
• comply with other law or a court order
• detect and resolve conflicts of interest
MRPC 1.6
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Law Firm Data Sources
• Client Files
• Business Development
• Employee Files
• Banking
Law Firm Data Sources - Examples
• Client Files
• Business Development
• Employee Files
• Banking
Examples:
• Employee data
• Health, criminal records
• Business development
• Sensitive non-client data
Law firms need to consider where information is coming into the firm, not just from clients. You have more sources of data than you think.
Confidentiality vs Privacy
Privacy is (mostly) created by statute.
Privacy involves identifying data
• Personally Identifiable Information (PII)
1. Information that can be used to distinguish or trace an individual’s identity
• Name, social security number, date and place of birth, mother’s maiden name, or biometric record
2. Other information that is linked or linkable to an individual
• Medical, educational, financial, and employment information.
Android ID + GPS data + Video viewing information = PII
Yershov v. Gannett Satellite Information Network Inc., No. 15-1719 (1st Cir. Apr. 29, 2016)
Video Privacy Protection Act (VPPA)
Privacy regulations govern by geography and subject matter.
Privacy Laws Scope
• State Privacy Laws
• Business Area Privacy Laws
• Federal Regulations
State Privacy Laws
Think broadly: it’s not just your location, but the location of all of your clients and contacts.
State Privacy Laws
• Have a breach notification law: 50+ states
• Reporting duties to regulators: 40% of states
• Right of action for impacted individuals: 20% of states
Federal Trade Commission v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015)
FTC’s Standard of Care
Take “reasonable and necessary measures” to protect consumer data
Client Business Areas
• Financial information – under the Gramm Leach Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transaction Act (FACTA), Red Flags Rules
• Healthcare information – under the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act
• New York SHIELD Act
• Children’s information – as required under the Children’s Online Privacy Protection Act (COPPA) and Family Educational Rights and Privacy Act (FERPA)
• Mortgage lending – under Consumer Finance Protection Board, Bulletin 2012-03
• Criminal Justice - Criminal Justice Information Services Division (CJIS)
HIPAA Fines
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million
Privacy Safeguards
3 types of safeguards must be considered and implemented:
1. Administrative
2. Physical
3. Technical
Confidentiality vs Privacy
Confidentiality | Privacy
Prescriptive | Performance
Client focused | Data focused
Derived from Common Law | Regulation
Well-documented exceptions | Affirmative defenses
Legal specific consequences | Fines
Regulating Law Firms’ Privacy
Giving Your Law Firm a Privacy Audit
1. Where are you located?
• What laws apply to your business?
2. Whose data are you collecting?
3. Where are those data subjects located?
• What laws apply to the people whose data you collect?
4. What are you doing with the data?
5. Where is the data located?
California Consumer Privacy Act (CCPA)
• Signed into law in June 2018; becomes effective on January 1, 2020
• Personal data rights for California residents
• Obligations to certain businesses with California ties
• Extraterritorially applied; sanctions
Personal data rights for California residents
1. Know what personal data is being collected about them.
2. Know whether their personal data is sold or disclosed and to whom.
3. Say no to the sale of personal data.
4. Access their personal data.
5. Request a business delete any personal information.
6. Not be discriminated against for exercising their privacy rights.
California business obligations
Applies to a business that does business in California and meets at least one of:
• $25 million gross revenue,
• Data about 50,000 Californians, or
• Generates 50% of its revenue from selling personal information
Obligations:
• Mandatory disclosures to consumers
• Breach notice to consumers, sometimes CA AG
General Data Protection Regulation (GDPR)
• Superseding the Data Protection Directive 95/46/EC
• Adopted in 2016, enforceable as of May 25, 2018
• Personal rights for EU resident data subjects
• Obligates data controllers handling EU resident data subjects’ personal data
• Extraterritorially applied; sanctions
Personal data rights for EU residents
1. Access
2. Correction
3. Erasure
4. Portability
Data controller obligations
• Lawful Basis for Processing
• Consent, contractual obligation, legal obligation, vital interest, public interest, legitimate interest
• Privacy by Design
• Data Protection Officer
• Notices to Data Protection Commissioners
Data processing purpose matters to law firms.
Professional Secrecy Exemptions
Country | Legal Exemption
France | Article 44. Controllers and processors are not required to disclose information falling under a lawyer-client relationship, the anonymity of journalistic sources or medical confidentiality.
Germany | § 29(2) FDPA states that where, in the context of a client-lawyer relationship, the data of third persons are transferred to persons subject to a legal obligation of professional secrecy, the right to be informed does not apply unless the individual has an overriding interest to be informed.
Not Professional Secrets
• Holiday cards
• Newsletters
• Testimonials
Clients Alter Privacy Law Scope
HIPAA
Location, location, location
• Gathering Data: 5 states require website privacy policies
• Storing Data: Data locale is becoming increasingly regulated
Data Locale - 2 Visions
Future Privacy Laws
2020 Privacy Law Updates
• Michigan’s SB 172 modifies requirements for insurers providing privacy policies to customers.
• Virginia's SB 101 allows a merchant to scan the machine readable zone of an individual's driver’s license for verification purposes, but requires destruction after.
• California voters in November, California Proposition 24, when effective on January 1, 2023,
2021 Privacy Law Updates
• Federal: Information Transparency and Personal Data Control Act introduced
• Virginia Consumer Data Protection Act, signed into law March 2, 2021.
• Colorado SB21-190 Protect Personal Data Privacy Act, passed on June 6, 2021 with a July 1, 2023 start date
Questions
Thank You
Joshua Lenon
joshua@clio.com
@JoshuaLenon
Linkedin.com/in/joshualenon
1-888-858-2546