Attorneys know the law and litigate data breach cases, so who better to explain how your company should approach data confidentiality?
Legal firms are in a unique position when it comes to client data confidentiality. Besides abiding by state and federal regulations applicable to all businesses, lawyer confidentiality and attorney-client privilege come into play.
"ABA Model Rule 1.6 generally defines the duty of confidentiality -- and significantly, it broadly extends that duty to information relating to the representation of a client," writes David G. Ries of the American Bar Association (ABA). "It's now commonly accepted that this duty applies to client information in computer and information systems as well."
Seven questions your company should be able to answer
Intimate knowledge of laws surrounding data confidentiality and real-world experience gained from litigating cases involving loss of data confidentiality give law firms expertise not found elsewhere. Thus, they are excellent sources of information on this subject -- an example is this Tech Law Blog post published by the firm Mason, Hayes & Curran.
The post addresses the seven questions responsible parties at companies dealing with sensitive, confidential data need to be asking. "It has never been clearer that companies and organizations need to have data security policies in place and good information governance," begins the post. "Failure to do so inevitably leads to cyber liability that can put any company at considerable risk."
1. Are we transparent?
Company clients must be made aware of any confidential data gathered from them, why the data was collected, and how it will be used. The authors also mention, "Data must not then be put to a further incompatible use."
2. Do we have consent?
The authors note that non-sensitive information may not need consent -- it may be implied. However, the authors add, "If the information gathered is sensitive (such as relating to an individual's health, race, sex life, religious beliefs, or trade union membership), there must be explicit consent."
3. How long are we retaining personal data?
Internationally, best practices consist of storing personal data only as long as it is needed, and no data should be retained "just in case."
Robert Ellis Smith, an attorney, author, and publisher of the monthly newsletter Privacy Journal, tells Digital Guardian's Nate Lord, "If filing electronically, attorneys should first delete personal information that will be stored digitally."
4. Are we collecting unnecessary personal data?
The Mason, Hayes & Curran blog authors suggest that collecting and storing client data unnecessarily risks negative public relations with present and future clients. Robert Ellis Smith adds, "Social Security Numbers should never be included in documents, even if 'required' by the court system."
5. Are we keeping the data secure?
Companies need to have appropriate security measures protecting all client data. Some things to consider regarding the security measures employed:
- the state of the technology being used;
- the cost of implementation; and
- the nature of the data and potential harm if a breach occurs.
"For the most sensitive information we receive, we might keep it in paper form, or maybe even not write it down at all," says Jane Muir, an "AV" rated commercial litigator with Gersten & Muir, P.A. "For our electronic files, we encrypt identifiable fields and files in our database and during transmission. Our system meets HIPAA and bank-level security standards."
6. Are we giving the data to third parties?
The Mason, Hayes & Curran blog's authors make a point to distinguish between third-party controllers of data and third-party processors of data. The two parties differ on how the data is used. The authors explain, "If they are controllers, you will likely need consent for collection. If they are processors, special written contract terms are required."
Jonathan Dambrot, CEO and co-founder of Prevalent, a cyber security and vendor threat intelligence innovator, offers additional insight. "Third-party risk management is a security function as well as a compliance requirement. Ensuring broad cyber security coverage means understanding the risks posed by both your third-party providers and their providers (fourth parties)."
7. Is the data leaving the country of origin?
It is important to determine whether additional safeguards are required when data leaves the country. The authors offer the example, "If collected data remains within the European Economic Area (EEA), transfer issues do not arise. If the data is to be transferred outside the EEA, then safeguards are required unless it is an approved country, e.g. Canada."
Jared Staver, Attorney at Law and Managing Partner at the Chicago-based Staver Law Group, cuts to the chase, telling Nate Lord of the Digital Guardian that he is neither a data expert nor a security expert. "Given this information, I refuse to keep client data on premises, in our systems, etc.," explains Staver. "I practice law. But that in no way makes me suitable to make decisions about my clients' data. Perhaps the easiest thing law firms can do is to put data in the hands of experts."
Under advisement from the article's legal sources: "The quoted content in this article is provided for information purposes only and does not constitute legal advice."