DRI Center for Law and Public Policy

Data Protection 101
What Every DRI Member Should Know About Data Protection and Privacy

By Laura Clark Fey, April Falcon Doss, Brandon Hull, Stephen Reynolds, and Kirsten Small

Law firms are inviting targets for hackers. Given the nature of the legal industry, that fact is unlikely to change, but firms can take steps to keep themselves from being easy targets.

Introduction to the DRI Center for Law and Public Policy Electronic Privacy Working Group

Recognizing the growing impact of ever-evolving global data privacy laws on DRI’s members, DRI’s Center for Law and Public Policy created the Electronic Privacy Working Group (Working Group) this summer. Our Working Group falls under the auspices of the Legislation and Rules Committee, which is chaired by Gardner Duvall, partner at Whiteford Taylor and Preston LLP. As a Working Group, we intend to use our deep privacy expertise to complement the work of DRI’s Cybersecurity and Data Privacy Committee. Our goals include: (1) providing excellent, practical, educational materials concerning the electronic privacy and information security issues we anticipate are likely to be of highest interest to DRI members; and (2) helping DRI members stay on top of rapidly evolving global legislative and case law developments in the privacy field.

We have drafted this first article, “Data Protection 101,” to provide DRI members with a high-level overview of key cybersecurity risks and key global data protection obligations imposed on corporations and law firms today. In this article, we provide basic information on the following topics:
• cybersecurity risks;
• lawyers’ ethical duties in data protection;
• overview of challenges posed by data protection laws;
• key legal obligations and restrictions; and
• risks of non-compliance.

Cybersecurity Risks

When asked why he robbed banks, Willie Sutton is said to have quipped, “Because that’s where the money is.” If Slick Willie were a modern-day cybercriminal, he might be asked, “Why do you hack law firms?” The answer would be: “Because that’s where the data is.” Lawyers and law firms store vast amounts of confidential client information, both personal (health information, banking records, Social Security numbers) and corporate (trade secrets, draft SEC filings, merger negotiations). Cybercriminals often seek a particular type of information. Sometimes, it is a specific type of personal data, such as Social Security numbers. Other times, it is other data, such as confidential information concerning a corporation a law firm represents or its acquisition targets. In 2010, for example, a law firm in Toronto was handling the corporate takeover of a potash mining company. Seeking to disrupt the transaction, China-based cybercriminals worked their way down Bay Street, hacking one law firm after another until they found the law firm they were seeking.

The fact that the hackers in the Toronto case successfully infiltrated all seven law firms brings us to an uncomfortable truth: law firms are inviting and easy hacking targets. “Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing [inferior] safeguards… and (2) the information in their possession is more likely to be of interest to a hacker and likely to be less voluminous than that held by [their clients].” (ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 11, 2017)).

Wholly apart from intentional targeting of law firms, many of the most common forms of cybersecurity incidents are initiated through automated software scanning that looks for vulnerabilities in networks and devices that are connected to the internet. These kinds of opportunistic cybercriminals are just as likely to find exploitable weaknesses in the IT networks of law firms, and in lawyers’ personal accounts, as in the IT networks of their clients.

Laura Clark Fey, Privacy Law Specialist (IAPP), CIPP/US, CIPP/E, CIPM, FIP, leads Fey LLC, a privacy and information governance law firm in Leawood, Kansas, and has been selected by the European Commission and U.S. Department of Commerce as an EU-U.S. Privacy Shield Arbitrator. April Falcon Doss, partner and chair of cybersecurity and privacy at Saul Ewing Arnstein and Lehr LLP in Baltimore, Maryland, is a former associate general counsel for the U.S. National Security Agency. Brandon Hull, partner at Overturf McGaff and Hull PC in Denver, Colorado, is a diverse civil litigation and arbitration practitioner with a passion for privacy legislation. Stephen Reynolds, partner and co-chair of the data security and privacy practice at Ice Miller LLP in Indianapolis, Indiana, is a Certified Information Systems Security Professional (CISSP). Kirsten Small, CIPP/US, member of Nexsen Pruet LLC, is a litigator and appellate lawyer with an emphasis on privacy and information management. She practices out of the firm’s Greensboro, South Carolina, office.

8 ■ For The Defense ■ October 2019 © 2019 DRI. All rights reserved. DRI Center for Law and Public Policy

With annual statistics constantly showing the breadth and frequency of cyberattacks on the rise, all lawyers have good reason to be mindful of the privacy risks to information they maintain, as well as to the business interruption, costs, and reputational damage that can stem from attacks such as ransomware attacks.

Many lawyers and law firms are behind the curve when it comes to cybersecurity. The ABA 2018 Legal Technology Survey Report showed that many lawyers and law firms are not taking even basic security measures. For example, 72 percent of law firms reported they had not conducted a full security assessment; 75 percent had no incident response plan; 76 percent did not use full-drive encryption; 88 percent did not have remote data wiping capabilities; 71 percent did not use secure (encrypted) emails for confidential/privileged communications; 15 percent did not use any of the typical security measures available with respect to high-risk public wireless (WiFi) networks; and 60 percent had no disaster recovery or business continuity plan. And because only 34 percent of law firms have cybersecurity insurance, if a firm suffers a breach, the costs of remediating the breach, currently averaging around $4 million, will have to be borne by the firm.

The cybersecurity threats to law firms and corporations are myriad and ever-changing. It is easy for cybersecurity to drop a long way down on a priority list, especially when it involves understanding, implementing, and adapting new security protocols while simultaneously focusing on running a business and meeting client and customer needs. But the Willie Suttons of the world are still out there—they’ve just traded in their Tommy Guns for keyboards.

Lawyers’ Ethical Duties in Data Protection

In April 2016, a massive breach of confidential client information at the law firm made international news. Hackers had compromised the security of the firm’s IT systems, and leaked information began appearing in headlines around the world. The data breach even got its own moniker: The Panama Papers. For lawyers and law firms, the Panama Papers case serves as a cautionary tale, reminding us that we have an ethical duty to protect the vast amounts of confidential information our clients entrust to us.

The rules of professional responsibility provide additional, important reasons for lawyers to focus on protecting the data in their possession from external cybersecurity incidents as well as from insider threats.

The ABA has issued guidance on how the Model Rules of Professional Conduct (“Model Rules”) apply to data privacy and security, and a host of states have followed suit. As a general matter, Model Rule 1.1 requires lawyers to demonstrate competence in handling client matters. In order “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” By early 2019, nearly three dozen states had adopted this language imposing technology-related obligations under Rule 1.1.

In terms more specific to cybersecurity and data privacy, Model Rule 1.6 notes that lawyers have a duty to protect confidential client information and “to take reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or access to, information relating to the representation of a client.” Comment 18 is particularly relevant, noting that mere compromise of confidential client information is not a violation of the rules, “if the lawyer has taken reasonable efforts to prevent the unauthorized access or disclosure.” In determining whether a lawyer’s data handling practices are reasonable, the comment suggests that, “Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”

Several states have specifically promulgated ethics guidance—in the form of comments to professional rules, or ethics opinions—that makes clear that lawyers have a professional obligation to understand the technology they are using and how it could impact the confidentiality of information relating to client matters.

In 2017, Florida became the first state to require technology-specific CLE for lawyers, requiring three technology-related credits in each reporting cycle. As the ABA and individual states continue to update ethics guidance relating to lawyers’ use of technology, and as the landscape of cybersecurity risks increases while the framework of privacy protection laws becomes more complex, lawyers must pay more attention to understanding how they are using technology to manage clients’ data, what risks are associated with those technologies, and how they, and others in their firm or their vendors, are safeguarding the information their clients entrusted to them.

Overview of Challenges Posed by Data Protection Laws

Compliance with state, federal, and international data protection laws is challenging, in part because of the sheer volume of such laws. There are currently hundreds of different global laws, and many more on the way.

In addition, compliance with data protection laws is challenging because of the breadth of actions covered by such laws. Many laws govern a broad range of personal data practices—from collection to final disposition of the data. Others govern specific practices, such as sending electronic marketing communications or monitoring employees.

Some laws are applicable to all types of personal data. Others impose obligations and restrictions on organizations concerning the collection, use, disclosure, retention, and security of specific categories of information, such as Social Security numbers and other national identifiers, driver’s license information, children’s data, financial or credit-related information, medical records, criminal justice records, and education records.

Some laws apply to all organizations collecting or receiving personal data. Others apply only to organizations in certain sectors. For example, there are laws applicable only to financial services organizations, such as the federal Gramm-Leach-Bliley Act, which requires financial services companies to secure non-public personal information (NPI) of customers; to restrict disclosure and use of NPI; and to notify customers when NPI is exposed to unauthorized persons.

Another reason data protection compliance is challenging is that laws in different jurisdictions governing the exact same practices (e.g., notice, consent, third-party vendor contracting) can vary significantly.

Key Legal Obligations and Restrictions

As addressed above, data protection laws set forth widely varying data protection obligations and restrictions. Each organization must analyze the laws that apply to it and determine its own unique set of compliance obligations. Some of the most significant requirements are in the following areas:
• information security;
• notice/transparency;
• consent;
• third-party vendor contracting and management;
• data subject rights;
• employee monitoring;
• electronic marketing communications;
• data minimization;
• data destruction;
• data breach notification; and
• accountability practices/recordkeeping.
In this section of our article, we will provide a high-level overview of these data protection obligations and restrictions.

Information Security

Many countries, some federal agencies, and at least twenty-five states have laws that require organizations to protect the personal data they collect, store, and transfer. Most laws require only reasonable security procedures and practices that are appropriate to the nature of the personal data involved. However, some laws are very detailed in terms of the specific technical, physical, and administrative safeguards required for protecting personal data. For example, Massachusetts requires organizations collecting personal data about Massachusetts residents to implement a comprehensive, written information security program (WISP) that meets very specific standards for safeguarding personal data in both electronic and paper format. Massachusetts recently raised the importance of compliance by amending its data breach notification law to require every organization experiencing a data breach to inform the Massachusetts Attorney General and the Massachusetts Director of Consumer Affairs and Business Regulation whether the organization maintains a WISP.

Notice/Transparency

Several data protection laws require organizations to provide notice to data subjects about their data collection, usage, and protection practices. Laws vary in terms of what must be covered in a privacy notice or statement, but many require notification of the categories of personal data collected; the purposes for which personal data is used; the types of third parties with which personal data will be shared; the reasons for sharing such personal data; and any applicable data subject rights.

Consent

Some data protection laws require that consent be obtained from a data subject before personal data is collected and/or used for certain purposes or for new purposes. Certain laws, such as the EU’s General Data Protection Regulation, set forth the specific type of consent that is required (e.g., freely given, specific, informed, unambiguous consent given by a statement or clear affirmative action). Many laws permit an opt-out approach in which consent is assumed if a data subject does not object or “uncheck” a checked box.

Third-Party Vendor Contracting and Management

Some data protection laws impose specific requirements on organizations to enter into written agreements with their third-party vendors that include specified provisions relating to privacy and security. The requisite terms vary, depending on the law at issue. Some data protection laws also mandate vendor oversight.

Data Subject Rights

A number of data protection laws provide for specific data subject rights. Rights given to data subjects include the right to access their personal data; to correct incorrect or outdated personal data; to delete their personal data; to transfer their personal data; to object to or opt out of certain uses or sharing of their personal data; to withdraw consent to the processing of their personal data; and not to be discriminated against for exercising their data subject rights. Data subject rights laws vary significantly in terms of the specific rights provided, the circumstances under which data subject rights may be exercised, and deadlines for addressing data subjects’ requests.


Employee Monitoring

Laws in certain states and countries regulate employee monitoring—most typically with respect to notice and consent. For example, states such as Connecticut and Delaware expressly prohibit employers from electronically monitoring employees without giving prior notice.

Electronic Marketing Communications

There are extensive international laws setting forth obligations and restrictions on electronic marketing practices. Obligations can vary significantly by state and country. Obligations also vary depending on the type of communication at issue (e.g., text, email, facsimile, or telephone communication). Electronic marketing communications laws often prohibit deceptive practices. Key obligations that may be imposed include identifying the communication as a solicitation or advertisement; obtaining consent from recipients; providing recipients with an opt-out opportunity; and registration and licensing obligations.

Data Minimization

Many data protection laws require that organizations apply the principle of data minimization to limit the personal data that may be collected and to limit the time period for which such personal data may be used and stored. With respect to the latter point, the data minimization principle generally prohibits organizations from keeping personal data for a longer period than is necessary to fulfill the original basis for collecting and processing the data.

Data Destruction

Many data protection laws require organizations to ensure personal data is unreadable or indecipherable at the time organizations dispose of such data. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (Security Rule) requires implementation of reasonable policies and procedures to address the disposal of electronic Protected Health Information (PHI) and the hardware or electronic media on which it is stored, as well as procedures for removing electronic PHI from electronic media before the media are made available for re-use. The Security Rule also requires training workforce members on disposal policies and procedures.

Data Breach Notification

There are a multitude of data breach notification laws at the state, federal, and international level. For example, all fifty states, as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have their own unique data breach notification laws in place. Data breach notification laws vary significantly, including with respect to what constitutes a breach; who must be notified; time limits for providing notification; what must be included in the breach notification; and whether and under what circumstances credit monitoring or identity protection service must also be provided.

Accountability Practices/Recordkeeping

Some data protection laws require organizations to maintain documentation of their compliance with data protection obligations. Some of the records that must be retained are quite detailed. See, e.g., Article 30 of the GDPR (enumerating specific information to be covered in records of data processing activities).

Risks of Non-Compliance

Non-compliance with data protection laws can result in significant risks for a business. These risks extend well beyond legal liability.

Risks arising from regulatory actions include steep financial penalties (up to 4 percent of annual worldwide revenues or €20 million, whichever is higher, in the case of the GDPR). The amounts imposed by regulators are growing. This summer, the U.K.’s data protection authority announced its plan to fine British Airways £183 million. In the U.S., regulators announced their settlement with Equifax in which Equifax agreed to pay between $300 million and $425 million to the people whose data was exposed, and another $275 million in civil penalties to forty-eight states, Washington, D.C., Puerto Rico, and the Consumer Financial Protection Bureau. Regulators are getting more comfortable handing down fines totaling hundreds of millions, and even billions, of dollars.

Although financial penalties seem to get the most “play” in the news, some of the other sanctions that regulators are authorized to impose could actually cause more harm to organizations than the fines. For example, laws may permit regulators to issue a temporary or permanent ban on data processing (including data collection, storage, and handling); to order the erasure of data; to implement new security protocols; or to suspend cross-border transfers of data. Additionally, some laws permit the imposition of criminal penalties, including prison sentences and personal fines.

In addition to the risk of being hit with regulatory sanctions, organizations risk being confronted with class actions and individual litigation, which can, of course, take a toll financially. And some laws provide for joint and several liability, so that even if an organization’s vendor was the primary cause of a breach, the organization that hired the vendor could be held fully liable for the breach.

Finally, there is the risk of harm to an organization’s reputation, value, and overall health. For example, as a result of the data breach suffered by Equifax, the company had its credit outlook downgraded by Moody’s from “stable” to “negative.” This was the first time in history that a company had its credit outlook downgraded as a result of a cyberattack. When it comes to the valuation of an organization, a 2018 analysis indicated that companies that suffer a data breach see their share prices fall an average of nearly 3 percent after a data breach is announced. https://www.comparitech.com/blog. In instances where more sensitive personal information (e.g., credit card information, Social Security numbers, etc.) is compromised, share prices generally drop even more. Although prices may rebound in the weeks after the breach, in the long term, breached companies have been shown to underperform the market.

Conclusion

In conclusion, we hope our Data Protection 101 article provides you with a helpful overview of key legal and ethical obligations imposed on corporations and law firms, as well as the key risks of non-compliance. Please reach out to the working group chair, Laura Clark Fey, at lfey@feyllc.com, if you have specific topics you would like our Working Group to address, or if there are specific resources you would like our Working Group to provide.
