We covered Information Governance (IG) basics for lawyers in our first post and are diving into the nitty gritty of state, federal and international rules surrounding information governance. More specifically, we’re highlighting how maintaining compliance to protect private client information can be complex and burdensome.
When it comes to IG, three separate legal forums must be considered: 1) state laws/private litigation, 2) sector-specific federal regulations, and 3) the Federal Trade Commission’s regulations. Let’s look at each of these separate legal forums to better understand how to effectively maintain client privacy.
State laws and private litigation
Forty-six states and 3 US territories have breach notification requirements (www.privacyandsecuritymatters.com). All states require that the affected customers or clients be notified of the breach, but only some states require additional reporting of that breach to government agencies. Some state laws are triggered as soon as there’s a risk of harm to the private data, while other state laws don’t come into effect until the private data is actually acquired by an unauthorized party.
State laws and data privacy expectations can also be affected by a number of factors:
1) SSN laws that limit the collection, use and display of SSNs,
2) state Unfair and Deceptive Acts and Practices laws,
3) state secure disposal laws that require businesses to securely dispose of personal data records,
4) privacy torts like negligence, misappropriation, defamatory speech, trespass to chattel, stalking, etc.,
5) RFID laws that prohibit the nonconsensual use or reading of RFID chips,
6) medical and genetic privacy laws and restrictions on the use, disclosure, and protection of biometric data,
7) laws on employee surveillance and notice rules,
8) laws that restrict the use of GPS-enabled devices to track/collect location information,
9) laws surrounding behavioral tracking for advertising purposes.
Sector-specific federal regulations
There’s no single comprehensive US federal privacy statute - privacy is regulated through sector-specific federal regulations:
The Gramm-Leach-Bliley Act of 1999 (GLBA) regulates the privacy of personally identifiable, non-public financial information disclosed to non-affiliated third parties by financial institutions. The statute requires attorneys and other holders of this type of information to put administrative, technical, and physical safeguards in place.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) protect the confidentiality and security of medical information in the hands of “covered entities” and “business associates” such as healthcare providers, hospitals, and employer-sponsored health plans.
The Federal Trade Commission’s regulations
The FTC is responsible for preventing unfair methods of competition and unfair or deceptive acts/practices in or affecting commerce. The FTC takes enforcement action against companies that engage in the “unfair” practice of failing to provide adequate security for consumer data. Ultimately the agency enforces acts including, but not limited to, GLBA, the Fair Credit Reporting Act, the Computer Fraud and Abuse Act, and the Children’s Online Privacy Protection Act.
This legal landscape is due for reform. Ultimately, more comprehensive federal regulations would help streamline the national, and even global, standards and expectations when it comes to data breaches and data privacy. Businesses and law firms need to have internal safeguards and comprehensive business privacy programs, coupled with greater transparency about these safeguards for their clients and customers.
Why is this information important to you?
Security breaches happen.
While publicized cases of security breaches at law firms are few and far between, especially when compared to widely reported incidents like those at Target and Sony, there’s still a move within the legal industry towards increased diligence as a result of these headlines. In 2012, the FBI met with 200 law firms to discuss the risks of breaches and data theft. According to the ABA, "[b]oth large and small law firms have been the target of hacker attacks in the U.S. as well as abroad” and “[a] cybersecurity firm that helps organizations secure their networks against threats and resolve computer security incidents estimated that 80 major law firms were breached in 2011 alone."
Additionally, there is increased scrutiny of law firm IT security and IG plans in general because large corporations (like banks and insurance companies) outsource many legal functions. Client data can be especially vulnerable in the custody of outside attorneys. Consider how data is distributed between different members of litigation teams across multiple devices, and how it is retained or destroyed during and after a case. While the vulnerability of the data is similar to that at other businesses, law firms are custodians of their clients’ confidential data, which brings a different level of liability and responsibility into the equation.
Data security methods and protocols vary across law firms; however, all firms face some level of risk due to the nature of managing confidential client information.