Data Privacy and Your World: Time to Step It Up
By Larry Briggi
Data creep continues to expand into our world in many amazing ways. There is more data about businesses and individuals than you can possibly imagine, and the uses, as well as the abuses, are mind blowing. For example, recent advances in technology allow sensors in the floor to identify individuals as they walk through the aisles of a store. Marketing can use this data to track which products you look at. I can imagine shelves automatically rearranging themselves to present the products you are most likely to buy next.
With so much data in play, transferring it and storing it securely is unavoidable, whether you are a corporate entity or a private individual. Whether it is a store sending consumer data out for analysis, an attorney transferring corporate documents, a refrigerator tracking your food habits, a banker transferring financial records or a doctor sending medical records, the data must be secured.
Are Your Data Transfers Secure?
The Sedona Conference has just released its Data Privacy Primer. A few points from it:
There is a general understanding that personal information includes government-issued identification numbers and financial, medical and insurance information, and this likely extends to information about children as well. But interpretations vary from agency to agency, between Federal and State courts, and even within a single jurisdiction. One need only compare what constitutes a reportable "data breach" under Sarbanes-Oxley with what counts under the ABA Model Rules.
Ownership of data
The EU takes the position that some data belongs to employees, not to the corporation. Using that data requires the individual's approval and is subject to significant restrictions. In the US, the absence of a clear corporate policy on data ownership can create unnecessary ambiguity.
There has been at least one case in which information that had been scrubbed of personal identifiers was cross-referenced with other third-party data, enabling individuals to be identified once again. What constitutes sufficient "scrubbing", anonymization or pseudonymization is therefore open to argument: removing names and numbers is not the same as removing the ability to re-identify someone.
More and more attention is being paid to exposed personal information, with financial penalties designed to make companies take the security of this data seriously. With this increased financial risk come lowered thresholds of fiduciary liability for directors and officers.
Are You Ready for GDPR?
The European Commission's package of reforms to modernize and harmonize data protection rules across member countries was agreed in 2015 and adopted in 2016 as the General Data Protection Regulation (GDPR), which applies from 25 May 2018. It is here now. The regulation takes a broader view of what personal information is and of how consent, handling and auditing of that information must work, and it sets requirements for the use, storage and protection of the data. Things to note:
The requirements extend to US companies that do business in the EU or, as a result of that business, obtain data protected by the GDPR. US companies, large and small, need to be aware of this and rethink how they handle such data.
Penalties are significant: up to 4% of annual global turnover or 20 million Euros, whichever is greater.
It is important to note that the GDPR Article 29 Working Party guidance on breach notification, adopted on October 3rd 2017, echoes Article 34(3)(a) of the regulation in providing that notification to affected individuals need not be given if:
“The controller has applied appropriate technical and organizational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorized to access it. This could, for example, include protecting personal data with state-of-the-art encryption.”
Prepare, Reduce Your Risk
The reality is that only by implementing better practices will we reduce our risk, both personally and professionally. Corporate-wide change is often slow and painful to implement, but we can start by improving the highest-risk tasks and projects.
Start with File Transfer
File transfer is an easy place to start. Sending files between parties is a common task, whether for eDiscovery, M&A, audit, medical records or some other form of collaboration. Here are a few points to keep in mind:
Your file(s) should be encrypted at the source, before transfer. Many methods transfer files unencrypted. Others protect the file only hop by hop: it travels in the clear (or under a transport layer such as TLS that the service itself terminates) until it reaches the storage location, is encrypted only while it sits there, and is decrypted again to send on to the other party. At each of those points the service, and anyone who compromises it, sees your plaintext. End-to-end (point to point) encryption, applied on your own computer, keeps the file protected all the way to the recipient's machine.
Many transfer methods use a "storage" location where the files rest until the other party picks them up. This location should be as secure as possible, and files should be stored there only in encrypted form. The best methods go further: the operator of the storage location never holds the key, so it cannot decrypt the files, ever. That limits the damage if someone breaks into the storage location, and it means a court order for production of the files held there yields only ciphertext.
Good systems track not only user activity but individual file activity (who uploaded which file, who downloaded it, and when). Security controls are great, but an activity log is the evidence that those controls worked, and it provides real peace of mind.
Better systems work for one-off transfers as well as for easily repeated distribution to established workgroups.
Don't rely solely on marketing material and conversations with sales reps. Look at who else uses the application and which independent security audits or certifications it has been through. IT and security certifications are a tedious, time-consuming effort, often taking more than a year, and a vendor's willingness to invest that time and money lends credence to the application's security and stability.
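The following is an added example, not code from the original article or from any product it alludes to, showing what "encrypt at the source" and "the storage location never holds the key" mean in practice. It seals a file for a recipient using an ephemeral X25519 key agreement and AES-256-GCM, produces an audit line the storage side can log without seeing plaintext, and demonstrates that tampering in transit or at rest is detected. The filename, addresses, sample contents and the simplified SHA-256 key derivation (HKDF would be the usual choice) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Envelope is all that travels to, and rests on, the storage location; it holds no key material.
type Envelope struct {
	SenderPub  []byte // sender's one-time X25519 public key
	Nonce      []byte // 12-byte AES-GCM nonce
	Ciphertext []byte // AES-256-GCM output, filename bound as associated data
	Filename   string // in the clear so the recipient can name the file on arrival
}

// fileKey derives the AES-256 key from the X25519 shared secret. A single SHA-256 over the
// secret and both public keys is used here only to stay inside the standard library (assumption).
func fileKey(shared, senderPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("file-transfer-example-v1"))
	h.Write(shared)
	h.Write(senderPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the file on the sender's machine, before it leaves, for the holder of
// recipientPub. Nothing downstream (TLS, the storage bucket, its administrator) sees plaintext or a key.
func Seal(recipientPub *ecdh.PublicKey, filename string, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey(shared, eph.PublicKey().Bytes(), recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(filename))
	return &Envelope{SenderPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct, Filename: filename}, nil
}

// Open decrypts on the recipient's machine. Any change to the ciphertext, nonce or
// filename while in transit or at rest fails authentication and is rejected.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	senderPub, err := ecdh.X25519().NewPublicKey(env.SenderPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey(shared, env.SenderPub, recipientPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Filename))
	if err != nil {
		return nil, fmt.Errorf("envelope rejected (wrong recipient key or tampered in transit/storage): %w", err)
	}
	return pt, nil
}

// AuditRecord is the per-file activity line the storage location can log without ever seeing
// plaintext: the object is identified by the hash of its ciphertext, which the recipient can recompute.
func AuditRecord(event, actor string, env *Envelope) string {
	sum := sha256.Sum256(env.Ciphertext)
	return fmt.Sprintf("event=%s actor=%s file=%q ct_sha256=%s", event, actor, env.Filename, hex.EncodeToString(sum[:]))
}

func main() {
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader) // recipient's long-term key (constructed)
	env, _ := Seal(recipient.PublicKey(), "exhibit-7.pdf", []byte("constructed sample contents"))
	fmt.Println(AuditRecord("upload", "sender@example.com", env)) // all the storage side ever sees
	pt, err := Open(recipient, env)
	fmt.Printf("recipient read %q, err=%v\n", pt, err)
	env.Ciphertext[0] ^= 1 // storage-side tampering is detected, not silently passed on
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
}
```

The point of the design is where the keys live: the recipient's private key never leaves the recipient, the sender's key is used once and discarded, and the storage location holds only the envelope and a hash of it. A compromise of, or a production order against, that location yields ciphertext and an audit trail, nothing more.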
Director of Operations
Larry Briggi is the Director of Operations for Davis and Associates, LLC.
Bona fides include:
Manager of Technical Litigation Support and User Support Services at Cravath, Swaine and Moore.
Director – Navigant Consulting
Managing Director – FTI Consulting
535 Fifth Avenue, 4th Floor
New York City, NY 10017