Post on 08-May-2015
© 2011 HBR CONSULTING LLC. All rights reserved.
Issues Relating to the Interrelationship of Knowledge Management and Data Privacy in Law Firms
Presented by:
James A. Harvey, Partner, Alston & Bird
David Cunningham, Managing Director, HBR Consulting
Confidentiality and Knowledge Collaboration

Data Privacy Overview
- Regulatory Obligations
- Client Confidential Information
- Firm Confidential Information
- Data Privacy
Examples of data that is regulated by one or more privacy/security statutes:
- Name
- Social security number
- Last four of social security number
- Driver's license number
- Date of birth
- Passport information
- Health information
- Maiden name
- Electronic or digitized signature
- Physical or mental health conditions
- Information regarding provision of or payment for health care
- Financial information (electronic payroll deposit)
- Credit card or debit card information
- Government identification numbers
- Tax information
- Address or phone numbers
- Biometric information (fingerprint, voice print, etc.)
Data Privacy Regulations

Regulation and the data it covers:
- HITECH / HIPAA: Protected Health Information (PHI)
- State Privacy Laws: Personally Identifiable Information (PII)
- EU Data Protection Directive / Safe Harbor: Personally Identifiable Information (PII)
- Red Flag: Personally Identifiable Information (PII)
- ITAR: Classified Defense Information

HITECH / HIPAA (Protected Health Information)
Governing Body: Health and Human Services and Federal Trade Commission
Sensitive Data: Protected Health Information; internal HR data; client data
Compliance Date: February 17, 2010
Penalty: $100 - $50,000 per incident; $1.5M max per year, plus potential criminal penalties
State Privacy Laws (Personally Identifiable Information)
Governing Body: State of Massachusetts (example state)
Sensitive Data: Personal information about a resident of the Commonwealth of Massachusetts
Compliance Date: March 1, 2010
Penalty: $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties
EU Data Protection Directive / Safe Harbor (Personally Identifiable Information)
Governing Body: US Dept of Commerce / Federal Trade Commission
Sensitive Data: Personal information transferred to or from the 27 Member States of the European Union
Compliance Date: Voluntary (replaces Data Transfer Agreements)
Penalty: Up to $12,000 per day for violations
Red Flag Rules (Personally Identifiable Information)
Governing Body: Federal Trade Commission via Fair Credit Reporting Act
Sensitive Data: The rules require financial institutions and creditors to create a program that provides for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags.” The purpose of the Red Flags Rules is to help avoid identity theft.
Compliance Date: June 1, 2010 (law firms exempt)
Penalty: $2,500 - $3,500 per violation, then up to $16,000 per violation for continued non-compliance
ITAR (Classified Defense Information)
Governing Body: US Department of State
Sensitive Data: “Export of technical data and classified defense articles”, as defined by the US Munitions List
Compliance Date: 60 days in advance of any intended sale or transfer to a foreign person of ownership or control
Penalty: Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment
Protection of Sensitive Data
- Client Data Leaks: Client and Case / Transaction Data
- Firm Data Leaks: Firm and Partner Confidential Data
- Preservation Orders: Litigation, Subpoena or Client Requests
- Confidential Walls: Inclusionary Walls for Privacy and Subpoenas; Exclusionary Walls for Conflicts

Data Standards
- ISO 27001: Competence in Addressing Data Confidentiality
‘Anonymous’ Hacking of HB Gary
- HB Gary, a security firm, was working with Hunton & Williams to help protect Bank of America from Wikileaks contributions.
- The CEO of HB Gary announced that his company had infiltrated the security group Anonymous.
- In retaliation, Anonymous took control of HB Gary’s e-mail, dumping 68,000 e-mails, erasing files, and taking down its phone system.
- They exposed contributors to Wikileaks, as well as the home address and social security number of HB Gary’s CEO.
Security Hacking for a Cause
- Hackers appear to be widening their targets, stealing information from vendors or contractors that may have strategic data about their clients, including public relations and law firms.
- Law firms have been hacked due to their roles associated with copyright law.
- King & Spalding was a large firm known to have been attacked.
Ex-Sonsini Attorney Charged In $32M Insider Trading Case
- A former senior associate at Wilson Sonsini Goodrich & Rosati PC was arrested and charged in connection with allegations that he stole inside information from three firms that netted $32 million in a decades-long insider trading scheme.
- Kluger regularly “stole and disclosed material, nonpublic information regarding anticipated corporate mergers and acquisitions on which his law firms were working,” according to a copy of the criminal complaint.
From whom are knowledge managers protecting data?
Internal
– Employees with insider trading intentions
– Employees who accidentally see confidential data
– Employees who re-use content outside their expertise
– Attorney client privilege
– Stock trading without appropriate notification and disclosure
External
– Clients and third parties who may accidentally be sent confidential information
What sources of information may be useful to insiders?
- Document management (document names and descriptions)
- Precedents
- Active material
- Litigation support data
- Conflicts
- New business intake
- Time entry
- Extranet sites
- Verbal discussions
- Records data
- Newsletters and status reports
- Physical war rooms
- Travel agendas
- Legal project management systems
How do firms protect this information?
Standard Tools
- Policies
- Ethical training and reinforcement
- Ethical walls for known sensitive matters
- Project code names
- Enterprise searching that recognizes folder and file security
- Password protection for documents and spreadsheets
- Locking and wiping of remote access devices; security software on remote devices
- Minimum password sophistication
- Required screen saver usage
- Two-factor authentication
- Account auditing / monitoring
How do firms protect this information?
Emerging Tools
- Document naming standards
- Matters secured by default / ethical walls for all matters
- Knowledge Management as gatekeeper
- Third party agreements and procedures
- Identity management
- Monitoring for unusual activity (users and IT)
- Encryption (data in transit / data at rest)
- Intelligent redaction software
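As an added illustration (not code from the presentation or its authors), the following Python models the confidential walls from the Protection of Sensitive Data slide together with the "matters secured by default" and "enterprise searching that recognizes folder and file security" items above: an inclusionary wall admits only the listed users, an exclusionary wall bars the listed users, and an unwalled matter falls back to its matter team when the firm secures matters by default. Matter ids, user names and document titles are constructed sample data, and denied lookups are recorded as input for unusual-activity monitoring.

```python
from dataclasses import dataclass, field

@dataclass
class Matter:
    matter_id: str
    team: set                                      # timekeepers assigned to the matter
    wall_kind: str = None                          # None, "inclusionary" or "exclusionary"
    wall_users: set = field(default_factory=set)   # allowed (inclusionary) or excluded (exclusionary) users

@dataclass
class Document:
    doc_id: str
    matter_id: str
    title: str                                     # names/descriptions leak too, so they are filtered with the content

AUDIT_LOG = []                                     # denied lookups feed "monitoring for unusual activity"

def can_access(user, matter, secure_by_default):
    """Inclusionary wall: only listed users. Exclusionary wall: everyone but the listed users.
    No wall: open, unless matters are secured by default, when only the matter team gets in."""
    if matter.wall_kind == "inclusionary":
        return user in matter.wall_users
    if matter.wall_kind == "exclusionary":
        return user not in matter.wall_users
    return user in matter.team if secure_by_default else True

def search(user, query, docs, matters, secure_by_default=True):
    """Enterprise search that honours matter security: walled-off documents are omitted entirely,
    so neither their titles nor their existence is revealed to the searcher."""
    hits = []
    for d in docs:
        if query.lower() not in d.title.lower():
            continue
        if can_access(user, matters[d.matter_id], secure_by_default):
            hits.append(d.doc_id)
        else:
            AUDIT_LOG.append((user, d.doc_id, "denied"))
    return hits

# Constructed sample data: hypothetical matters, users and titles, not from the slides.
MATTERS = {
    "M-1001": Matter("M-1001", {"alice", "bob"}, "inclusionary", {"alice", "bob"}),  # code-named deal, privacy wall
    "M-1002": Matter("M-1002", {"bob"}, "exclusionary", {"carol"}),                  # carol is conflicted out
    "M-1003": Matter("M-1003", {"dave"}),                                            # no explicit wall
}
DOCS = [
    Document("D1", "M-1001", "Project Falcon - merger term sheet"),
    Document("D2", "M-1002", "Merger agreement draft v3"),
    Document("D3", "M-1003", "Merger closing checklist"),
]
```

Running `search("carol", "merger", DOCS, MATTERS)` with the default secure-by-default policy returns nothing, while the same call with `secure_by_default=False` exposes the unwalled closing checklist, which is the gap the "ethical walls for all matters" item closes.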
Data Privacy Solutions
Questions?
Jim Harvey
jim.harvey@alston.com
Dave Cunningham
dcunningham@hbrconsulting.com
Data Privacy - General Adequacy Questions
- Does the Firm need the personal data that it is collecting about an individual?
- Can the Firm document what it will use the personal data for?
- Do these individuals know that the Firm has their personal data and do they understand what it will be used for?
- If the Firm is asked to pass on personal data, would these individuals expect the Firm to do this?
- Is the Firm satisfied that the information is being held securely, whether it is on paper, on computer, or during transfer? Is the Firm willing to face a regulatory audit on this security?
- Is it secure and are proper contracts with the third parties in place?
- Is access to personal data limited to those with a strict need to know at the Firm?
- Is the Firm sure that all personal data is accurate and up to date?
- Does the Firm delete or destroy personal information as soon as it has no more need for it?
- Has the Firm trained all of its attorneys and staff in their duties and responsibilities under all relevant data protection laws and are all of its attorneys and staff satisfying their duties and responsibilities?
- Are all notifications to all Data or Information Commissioners current?
Selected Articles
Block, Meg & David Cunningham. “Legal Information Risk – Action Plan and Roadmap,” Peer to Peer, June 2011. http://www.mygazines.com/issue/34686/33
Harbert, Tam. “Catch Me If You Can,” Law Technology News, June 1, 2011. http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202494769505&slreturn=1&hbxlogin=1
Nelson, Sharon. “Your Chance of Being Hacked in Twelve Months Now a ‘Statistical Certainty,’” Ride The Lightning Electronic Evidence Blog, June 30, 2011. http://ridethelightning.senseient.com/2011/06/your-chance-of-being-hacked-in-twelve-months-now-a-statistical-certainty.html
Selected Resources
Law Firm Risk Resources (short list from 2009). http://lawfirmriskresources.wikispaces.com/
Law Firm Risk Management Blog. http://www.lawfirmrisk.com/
InfoRiskAwareness Blog (UK focus). http://inforiskawareness.co.uk/best_practice/
Hildebrandt Baker Robbins Blog (selected posts). http://info.hbrconsulting.com/blog/archive/2011/06/01/balancing-information-security-and-collaboration-a-knowledge-management-view.aspx and http://info.hbrconsulting.com/blog/archive/2011/05/13/risk-management-at-law-firms-a-rapidly-evolving-issue.aspx