Ensuring clients' data privacy is essential for responsible representation. Whether a firm is working on a multi-million-dollar settlement or a small personal injury case, core data privacy principles should protect the identity of all those involved. Careful guarding of personally identifiable information demonstrates a firm's commitment to keeping confidential data out of the wrong hands in an environment where hackers are increasingly targeting law firms. Cybersecurity firm Mandiant estimated that at least 80 of the 100 biggest law firms in the country, by revenue, have been hacked since 2011.[1]
Just what is personally identifiable information?
Known more commonly by the acronym PII, personally identifiable information can be defined as data relating directly or indirectly to an individual from which the identity of the individual can be ascertained.[2] Examples of PII include clients' names, addresses, phone numbers, social security numbers, and financial account numbers. In the age of technology, the definition of PII continues to expand and may also encompass information such as IP addresses, MAC addresses, device IDs, cookies, and even GPS location data. PII does not include publicly available information that is lawfully available from federal, state, or local governmental records.
PII is linked to specific individuals through direct and indirect identifiers. Direct identifiers enable the identification of an individual without additional information. Examples of direct identifiers include driver's license numbers, passport numbers, social security numbers, tribal identification numbers, or financial account numbers. Indirect identifiers enable the identification of individuals when coupled with other data. Examples of indirect identifiers include street address without a city, the last four digits of a social security number, or birth dates.
What laws govern personal data privacy protection?
In the U.S., no single federal law regulates the protection of PII. Instead, there is a complex patchwork system of federal and state laws, sector-specific regulations, common law principles, and self-regulatory programs developed by industry groups. Examples of federal laws that regulate the collection, use, processing, and disclosure of PII include:
- Consumer protection laws such as the Federal Trade Commission Act (FTC Act), which are used to prohibit unfair or deceptive trade practices involving the collection, use, processing, and disclosure of PII.
- Laws that apply to specific sectors, including:
  - Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions
  - Health Insurance Portability and Accountability Act (HIPAA), which applies to health care and health plan information
- Laws that apply to types of activities affecting individual privacy, including:
  - Telephone Consumer Protection Act (TCPA), which applies to telemarketing activities
  - Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which applies to commercial emails
  - Children's Online Privacy Protection Act (COPPA), which applies to the online collection of information from children under 13
  - Fair Credit Reporting Act (FCRA), which applies to consumer credit and other information
  - Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA), which regulate electronic communications and unauthorized computer use
In addition to federal laws, hundreds of privacy and data security laws govern the protection of PII at the state level. These laws vary in their scope and obligations. To date, California and Massachusetts have adopted some of the most rigorous data privacy laws in the country.
Privacy principles for legal providers
Compliance with U.S. privacy law requires an understanding of the various sectoral laws and requirements for financial information, health information, and other sensitive client information. As a starting point, law firms should consider adopting the following data protection principles to safeguard their clients' PII.
- Notice. Notifying the client of the exact PII required and why it's needed will help the client make informed decisions when providing information to a firm.
- Consent to collect PII. The client should complete an authorization form indicating the client's consent to the collection, use, and disclosure of PII for specific purposes related to the firm's representation. The client should understand that he or she has the right to withdraw consent at any time.
- Purpose limitation. The PII collected from a client should be adequate, relevant, and not excessive. Collect only the personal data that is required for the representation on a need-to-know basis.
- Accessibility. Clients should be able to view the data a firm has collected from them. Firms should provide an efficient way for online access and viewing. Paper documentation with PII should be scanned and made digital where feasible.
- Accuracy. Personal information should be accurate, complete, and current. Clients should have an efficient way to make changes or update their records.
- Lawfulness. Client PII must be collected and handled lawfully, fairly, and in a transparent manner. This means the information will be used in a legitimate manner and for legitimate purposes.
- Individual's rights. Clients have the right to know exactly how their information is being used, the right to revoke consent, the right to change or update their information, and the right to object to inaccurate or nefarious information.
- Accountability. As data owners, law firms are responsible for the protection of client PII through the data life cycle of collecting, using, cataloging, protecting, and properly disposing of PII.
- Security and confidentiality. To protect PII from theft, alteration, and unauthorized access and use, firms should, at a minimum: (1) create an inventory of where PII resides in the firm's information flows and repositories; (2) implement technical safeguards such as access controls, passwords, encryption, and physical security; and (3) implement human safeguards such as security training, data handling protocol training, background checks, and policy and procedure development.
- Onward transfer. Firms should not transfer client PII to other third parties, including other law firms, without the client's consent, knowledge, and adequate protection. Online transfers of PII should use encryption measures when possible.
- Storage limits. Firms should not retain client PII for longer than is necessary for the representation. A retention and purge schedule should be set up and followed. A data removal software solution can be implemented if feasible. Paper documentation should be shredded once it is no longer needed.
1) ABA Journal, "Law Firms Must Manage Cybersecurity Risks" (March 2017), http://www.abajournal.com/magazine/article/managing_cybersecurity_risk
2) Office of the Privacy Commissioner for Personal Data, Hong Kong, "Data Protection Principles in the Personal Data (Privacy) Ordinance" (2010), p. 8, https://www.pcpd.org.hk/english/publications/files/Perspective_2nd.pdf