BreachExchange mailing list archives

7 data confidentiality questions attorneys urge you to ask


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:29:07 -0600

http://www.techrepublic.com/article/7-data-confidentiality-questions-attorneys-urge-you-to-ask/

Legal firms are in a unique position when it comes to client data
confidentiality. Besides abiding by state and federal regulations
applicable to all businesses, lawyer confidentiality and attorney-client
privilege
<http://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/confidentiality_or_attorney.authcheckdam.pdf>
(PDF) come into play.

"ABA Model Rule 1.6
<http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information.html>
generally defines the duty of confidentiality — and significantly, it
broadly extends that duty to information relating to the representation of
a client," writes David G. Ries of the American Bar Association
<http://www.americanbar.org/publications/law_practice_home/law_practice_archive/lpm_magazine_articles_v36_is4_pg49.html>
(ABA). "It's now commonly accepted that this duty applies to client
information in computer and information systems as well."

*Seven questions your company should be able to answer*

Intimate knowledge of laws surrounding data confidentiality and real-world
experience gained from litigating cases involving loss of data
confidentiality give law firms expertise not found elsewhere. Thus, they
are excellent sources of information on this subject — an example is this Tech
Law Blog post
<http://www.mhc.ie/latest/blog/cyber-security-7-essential-questions-for-directors>
published by the firm Mason, Hayes & Curran.

The post addresses the seven questions responsible parties at companies
dealing with sensitive, confidential data need to be asking. "It has never
been clearer that companies and organizations need to have data security
policies in place and good information governance," begins the post.
"Failure to do so inevitably leads to cyber liability that can put any
company at considerable risk."

*1. Are we transparent?*

Company clients must be made aware of any confidential data gathered from
them, why the data was collected, and how it will be used. The authors also
mention, "Data must not then be put to a further incompatible use."

*2. Do we have consent?*

The authors note that non-sensitive information may not need consent — it
may be implied. However, the authors add, "If the information gathered is
sensitive (such as relating to an individual's health, race, sex life,
religious beliefs, or trade union membership), there must be explicit
consent."

*3. How long are we retaining personal data?*

Internationally, best practices consist of storing personal data only as
long as it is needed, and no data should be retained "just in case."

Robert Ellis Smith, an attorney, author, and publisher of the monthly
newsletter Privacy Journal, tells Digital Guardian's Nate Lord
<https://digitalguardian.com/blog/law-firm-data-security-experts-how-protect-legal-clients-confidential-data>,
"If filing electronically, attorneys should first delete personal
information that will be stored digitally."

*4. Are we collecting unnecessary personal data?*

The Mason, Hayes & Curran blog authors suggest collecting and storing
client data unnecessarily risks negative public relations with present and
future clients. Robert Ellis Smith adds, "Social Security Numbers should
never be included in documents, even if 'required' by the court system."

*5. Are we keeping the data secure?*

Companies need to have appropriate security measures protecting all client
data. Some things to consider regarding the security measures employed:

   - the state of the technology being used;
   - the cost of implementation; and
   - the nature of the data and potential harm if a breach occurs.

"For the most sensitive information we receive, we might keep it in paper
form, or maybe even not write it down at all," says Jane Muir
<https://digitalguardian.com/blog/law-firm-data-security-experts-how-protect-legal-clients-confidential-data>,
an "AV" rated commercial litigator with Gersten & Muir, P.A. "For our
electronic files, we encrypt identifiable fields and files in our database
and during transmission. Our system meets HIPAA and bank-level security
standards."

*6. Are we giving the data to third parties?*

The Mason, Hayes & Curran blog's authors make a point to distinguish
between third-party controllers of data and third-party processors of data
<http://www.meritattorneys.com/blog/>. The two parties differ on how the
data is used. The authors explain, "If they are controllers, you will
likely need consent for collection. If they are processors, special written
contract terms are required."

Jonathan Dambrot, CEO and Co-Founder of Prevalent, a cyber security and
vendor threat intelligence innovator, offers additional insight
<https://digitalguardian.com/blog/law-firm-data-security-experts-how-protect-legal-clients-confidential-data>.
"Third-party risk management is a security function as well as a compliance
requirement. Ensuring broad cyber security coverage means understanding the
risks posed by both your third-party providers and their providers (fourth
parties)."

*7. Is the data leaving the country of origin?*

It is important to determine whether additional safeguards are required
when data leaves the country. The authors offer the example, "If collected
data remains within the European Economic Area (EEA), transfer issues do
not arise. If the data is to be transferred outside the EEA, then
safeguards are required unless it is an approved country, e.g. Canada."

*Good advice*

Jared Staver, Attorney at Law and Managing Partner at the Chicago-based
Staver Law Group, cuts to the chase, telling Nate Lord of the Digital
Guardian
<https://digitalguardian.com/blog/law-firm-data-security-experts-how-protect-legal-clients-confidential-data>
that he is neither a data expert nor a security expert. "Given this
information, I refuse to keep client data on premises, in our systems,
etc.," explains Staver. "I practice law. But that in no way makes me
suitable to make decisions about my clients' data. Perhaps the easiest
thing law firms can do is to put data in the hands of experts."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss