Top 10 Privacy Law Pointers for Lawyers
Privacy law is an area of law that is gaining increasing visibility and relevance. As the internet, electronic transactions, and the sharing of personal or sensitive data grow, so do the regulations governing that data. The result is an increasingly relevant area of law, privacy law, that has special significance for attorneys and their clients.
What Is Privacy Law, and Why Does It Matter?
Privacy law deals with personal data and the use of that data: the regulation, storage, and protection of information about individuals. It is a multidisciplinary field of law, impacting any business that collects information from customers, clients, employees, or other businesses, in any form. For example, privacy law impacts a small cafe that takes payment card information. It also impacts the cafe when it collects information to process an employee’s paycheck. On a much larger scale, a company like Amazon is impacted by privacy laws regulating what a business can collect from consumers via its website, how it must protect personal information (generally from an IT perspective), and to whom it must report when such information is breached (think the recent Target data breach).
The Health Information Privacy Accountability Act (HIPAA), which deals with medical privacy, is a classic privacy law, as are laws that specify what information a company can collect online, such as the Children’s Online Privacy Protection Act (COPPA). Most laws about marketing are considered privacy law, as they regulate when and how you can use people’s information to contact them (via email, mail, and phone). The CAN-SPAM Act (regulating what businesses can do with emails) and Do Not Call laws are classic privacy legislation. In short, any time you are collecting, giving away, or using personal information, you’ve entered the realm of privacy law.
Why Are Law Firms Subject to Privacy Law?
On a big-picture level, lawyers should understand that they and their firms have to comply with privacy laws. Lawyers often have very sensitive, confidential information stored on their mobile devices, networks, and computers.
Depending on the practice area, lawyers may be gathering highly sensitive or confidential information from their clients or other sources. The specifics, of course, will vary depending on the nature of the law practice, but below are some practical considerations for all lawyers.
Top Ten Privacy Practices for Attorneys
1. There are several free or low-cost programs that allow a subscriber to send encrypted emails. Lawyers should consider using this type of software if they send email with private or confidential information. Some examples of these services include Tutanota and Virtru.
2. Law firms should post a privacy policy on their website. California state law requires a posted privacy policy on commercial web sites that collect personally identifiable information. If the website allows visitors to sign up for webinars, newsletters, or contact an attorney (and thus provide their contact information), the site needs a privacy policy. The California Online Privacy Protection Act of 2003 (CalOPPA) requires businesses to conspicuously post a privacy policy and to actually comply with it or risk being penalized by the Federal Trade Commission for deceptive privacy advertising.
3. Lawyers should practice good security when using the internet and should consider the data breach risk their devices and electronics pose. Attorneys often have confidential information on their mobile phone or iPad, for example, and they should secure those devices at all times. Password protection on these devices is a bare minimum. Attorneys should also be wary of joining unsecured internet hotspots, should run anti-virus protection on their phones, and should treat their mobile devices as they would a wallet, securing them physically at all times. Small businesses are 50% more likely than larger businesses to report a physical breach, or theft or loss of unencrypted data on electronic devices, so encrypting data on any mobile device, as well as on laptops, desktop computers, hard drives, and USB drives, is a good practice.
4. A law firm or company should have a document retention policy that it follows consistently. After the time period for retaining records expires, a firm takes on additional risk for a data breach by keeping confidential documents on hand.
5. When a law firm uses a cloud service, it should realize that it is still responsible for a data breach. Cloud services spend significant time and money to ensure that a data breach does not occur, so they are a good way to manage risk. However, know that unless the firm asks for an indemnification clause from the cloud provider, the firm retains liability.
6. On a related note, law firms should consider limiting access to private data, whether in the cloud or on local hardware, to those employees who have a "need to know."
7. When logging in remotely, law firms should make sure they are doing everything they can to secure their systems, such as using strong passwords and updating software. Firms should also consider additional security measures like firewalls, limiting the users who can log in remotely, and setting an account lockout policy that locks an account after a certain number of incorrect password guesses.
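As an added example (not part of the original article), the following Python script models two of the remote-access measures listed in item 7: an allowlist of users permitted to log in remotely and an account lockout policy that locks an account after a set number of failed attempts within a time window. The log lines, usernames, IP addresses and policy values are constructed for illustration; a real firm would rely on the lockout and access controls built into its operating system or remote-access product rather than a script like this.

```python
"""Added example: replay constructed login records against a remote-login
allowlist and a failed-attempt lockout policy.  Nothing here is taken from
the original article; usernames, IPs and thresholds are illustrative."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <remote-ip> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:20 alice 203.0.113.10 FAIL
2024-03-01T09:00:45 alice 203.0.113.10 FAIL
2024-03-01T09:01:00 alice 203.0.113.10 SUCCESS
2024-03-01T09:05:00 bob 198.51.100.7 FAIL
2024-03-01T09:05:10 bob 198.51.100.7 FAIL
2024-03-01T09:05:30 bob 198.51.100.7 SUCCESS
2024-03-01T09:10:00 carol 192.0.2.5 FAIL
2024-03-01T09:20:00 mallory 198.51.100.9 FAIL
2024-03-01T10:10:00 carol 192.0.2.5 FAIL
2024-03-01T11:10:00 carol 192.0.2.5 FAIL
"""

# Hypothetical policy values; a firm sets these in its own policy.
REMOTE_LOGIN_ALLOWLIST = {"alice", "bob", "carol"}  # only these may log in remotely
LOCKOUT_THRESHOLD = 3                               # failures that trigger a lockout
LOCKOUT_WINDOW = timedelta(minutes=10)              # failures are counted within this window


def parse_line(line):
    """Split one constructed log line into (timestamp, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def evaluate(log_text, allowlist=REMOTE_LOGIN_ALLOWLIST,
             threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Replay the log in chronological order.

    Returns (decisions, locked) where decisions is a list of
    (user, result, action) and action is one of:
      "denied:not-allowlisted"  user is not permitted to log in remotely
      "denied:locked"           account already locked, even on a correct password
      "locked"                  this failure reached the threshold inside the window
      "failed"                  failure recorded, threshold not yet reached
      "allowed"                 successful login; failure counter reset
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    locked = set()
    decisions = []
    for line in log_text.splitlines():
        ts, user, ip, result = parse_line(line)
        if user not in allowlist:
            decisions.append((user, result, "denied:not-allowlisted"))
            continue
        if user in locked:
            decisions.append((user, result, "denied:locked"))
            continue
        if result == "SUCCESS":
            failures[user].clear()
            decisions.append((user, result, "allowed"))
            continue
        recent = failures[user]
        recent.append(ts)
        # Drop failures that fall outside the counting window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            locked.add(user)
            decisions.append((user, result, "locked"))
        else:
            decisions.append((user, result, "failed"))
    return decisions, locked


if __name__ == "__main__":
    decisions, locked = evaluate(SAMPLE_LOG)
    for user, result, action in decisions:
        print(f"{user:8} {result:8} -> {action}")
    print("locked accounts:", sorted(locked))
```

Replaying the constructed log shows the three behaviours the policy is meant to produce: alice is locked after three rapid failures and her subsequent correct password is refused; bob's two failures are forgiven by a successful login; carol's three failures spread over two hours never fall inside the ten-minute window, so she is not locked; and mallory, who is not on the allowlist, is refused before any password is evaluated.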
8. Firms’ vendor contracts should address privacy and confidential information and be sufficiently protective of client and employee information. Law firms must not assume that vendors will take all necessary measures to protect sensitive information unless those measures are spelled out in the contract.
9. Law firms may be "business associates" under HIPAA if they have access to the protected health information of their clients, or they may be covered entities if they administer their own health plan, for example. If the firm is a business associate or covered entity, there are extensive, technical requirements it will need to follow, including creating and sending on to its vendors a business associate agreement (or signing one itself).
10. Malware and hacking present the greatest threat in terms of breaches of personal information to attorneys and other businesses. Malware can be delivered via “phishing,” which is used to deceive employees into clicking on a link or attachment in an email that downloads malicious software. Law firms should train employees to spot phishing emails and should upgrade to new versions of browsers and other critical software when earlier versions are no longer supported and patched. The California Department of Justice recommends that all businesses implement the Center for Internet Security’s Critical Security Controls. According to the California Department of Justice, failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security. In addition, when firms become aware of a security breach, they should follow legally required procedures. For example, California law requires a business to notify any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person.
Privacy law, like technology, is constantly and rapidly evolving. Attorneys should understand enough about this vital area of the law so that they can protect themselves, their staff, and their clients.