If you’re reading this, it’s pretty likely you spend a good bit of your time thinking about privacy. When someone asks for your personal information, or your client’s personal information, somewhere a privacy-concerns cog becomes an active participant in the workings of your brain. Is this something I should share? Are there laws regulating this information? Or company policies? Is it considered sensitive? How is someone going to use this information?
The thing is, you are not the norm. And you likely know this better than anyone. For many lawyers, for example, privacy is merely one issue to consider along with many other issues while trying to represent a client—if they think to consider it at all.
This was in stark relief at Georgetown Law School’s Advanced eDiscovery Institute, where privacy was high on the agenda, with session titles like Data Privacy and Security: Substantive Claims and eDiscovery Issues Abound; eDiscovery and the Internet of Things, and Social Media: Is Anyone Really Appropriately Addressing Privacy. It quickly became clear that for many of the people in attendance, privacy is not a part of the eDiscovery process; it’s an afterthought—and one that creates more questions than answers.
During the Data Privacy and Security session, a discussion related to protective orders highlighted the surface-skimming level at which privacy and security issues have been addressed in relation to eDiscovery. Panelist Annika Martin was asked, “Are you seeing people actually worry about the privacy of the party?” Her answer: “Not as much as you’d think.” The two main aspects of confidentiality, she said, come into play with protecting trade secrets and keeping the identity of harmed individuals from the opposing lawyer. “Privacy is not a big concern.”
So, what about all that producing of data that goes on between firms? Copies getting printed, emailed, kept in files belonging to another law firm? “Does the court have a responsibility to make sure they protect that data?” asked Timothy Opsitnick, the session's moderator. Judge Andrew Peck stepped in, acknowledging the potential domino effect that could end up hurting clients. He said, “Sure, but what’s the court going to do? Is it going to make the firm spend a huge amount of money to put specific security in place? How can they then represent the client? They have to take notes; maybe it’s on an unprotected tablet … there are so many issues that haven’t been raised in front of the court.”
So Opsitnick turned back to Martin, asking, “I want to have the right to request security in your firm. What do you say?”
Her reply: “Honestly, I don’t think that’s ever happened.”
But does a judge have a duty to bring up privacy concerns if he alone recognizes they exist—or would he? In Peck’s experience, “If the parties are going on happily, I probably would not do anything about it. At most, if anything, I would ask if they thought about security and see what they do with it.”
As Hunton & Williams’ Managing Partner Lisa Sotto, CIPP/US, CIPM, noted, “Law firms aren’t doing so well. They hold a lot of personal and sensitive data.”
So where does a firm go to get help?
There’s a hodgepodge of laws and guidance out there, Sotto says, but no single source, so she offered up her mantra: “Administrative, technical and physical safeguards.” Physical meaning locks on file cabinets, doors, etc. Technical, she says, “is so hard, moving by the nanosecond.” Administrative is where the meat of the privacy issue really lives: third-party contracts, risk assessments, training, background checks, breach response plans, etc.
“Any data security program should be tailored to the data the organization has,” former Acting General Counsel to the FTC David Shonka added. “It has to include monitoring by an outside firm, must be implemented consistently and there has to be some plan in place to make sure the business is capable of dealing with a breach—not if, but when—it happens,” he said.
And then there are service providers. Third parties add considerable risk, and, as we have heard numerous times, you can outsource the work, but you can’t outsource accountability. So, paying attention to how third parties are handling your customers’ data and how your contracts are written is exceedingly important. “A must” in any third-party contract involving personal information is that third parties “not be allowed to use the data in any way other than the service they’re providing,” Sotto said, adding, “Security is a snapshot. Intrusion detection is a nonstop process … the question is, do they have a system in place and do they notify you if there’s something amiss?”
Clearly, conversations like these need to continue to create awareness of the privacy concerns in eDiscovery. There’s a lot of ground yet to cover. And with sophisticated hackers the likes of which she’s never before seen, Sotto says, “There’s no question it will get worse before it gets better.”