Data Privacy and Your World

February 6, 2018

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Data Privacy and Your World Time to Step It Up

By Larry Briggi

 

Data creep continues to expand into our world in many amazing ways.  There is more data about businesses and individuals than you can possibly imagine and the uses as well as the abuses are mind blowing.  For example, recent advances in technology allows sensors in the floor to identify individuals as they walk through the isles within a store.  This data can be used by marketing to track what products you look at.  I can imaging shelves automatically rearranging to present products most likely to be purchased in the near future.

 

With so much data, transfer and the need to securely store data is inevitable, whether you are a corporate entity or private individual.  Whether it is a store transferring consumer data for analysis, an attorney transferring corporate documents, a refrigerator tracking your food habits, bankers transferring financial records or a doctor sending medical records, the data must be secured.

 

Are Your Data Transfers Secure?

 

The Sedona Conference just released their Data Privacy Primer.  Here are a few points:

  • There is no universal definition of what personal information is in the United States.

You could say that there is a general understanding that personal information includes government issued identification numbers, financial, medical, & insurance information.  This likely includes information about children as well.  But interpretations will vary from agency to agency, Federal to State courts and even within jurisdictions. That said, one need only look at what constitutes a reportable “data breach” under Sarbanes Oxley or under the ABA Model Rules. 

  • The situation gets even more complex when one takes into account the various international definitions of personal information. For example, the EU’s interpretations are broader than the US interpretations. 

Ownership of data

 

The EU takes the position that some data belongs employees, not the corporation.  Use of this data requires approval of the individual and has significant restrictions on the use of that data. In the US, the absence of a clear corporate policy on data ownership can at times create unnecessary ambiguity. 

 

  • Scrubbed Data may still be trouble

There has been at least one case where information that was scrubbed of personal information, was then cross-referenced with other 3rd party data, enabling individual identification once again. Arguably, there are differences as to what constitutes sufficient “scrubbing”, anonymization or Pseudonymization. 

  • Adopting a narrow definition of personal information may not be sufficient. The way one looks at “PII” needs to be contextual.  

More and more focus has been placed on exposed personal information, with financial penalties designed to encourage companies to take the security of this data seriously. With this increased financial risk comes lowered thresholds of fiduciary liability for directors and officers. 

 

Are You Ready for GDPR?

 

In 2015, the European Commission started outlining a package of reforms to modernize and harmonize existing data protection rules throughout member countries.  The result is the General Data Protection Regulation (GDPR), and it is here now.  These guidelines provide broader interpretation of personal information, consent, handling, and auditing of that information.  These are specification on the use, storage and protection of this data. Things to note:

  • The specifications extend to US companies who do business in the EU or as a result of that business, obtain data protected by the GDPR.  This requires US companies, large and small, to be aware and rethink the handling of this data.

  • Penalties are significant: 4% of annual global turnover or 20 million Euros, whichever is greater. 

It is important to note that GDRP Article 29 working party guidance, adopted on October 3rd 2017, provides notification protection by providing that breach notification to individuals need not be given if:

 

“The controller has applied appropriate technical and organizational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorized to access it. This could, for example, include protecting personal data with state-of-the-art encryption.”

 

Prepare, Reduce Your Risk, 

Save Yourself…

 

The reality is that only through implementing better practices will we reduce our risk, both personally and professionally.  While corporate wide changes are often slow and painful to implement, we can think about improving high risk tasks and projects.

 

Start with File Transfer

 

File transfer is an easy place to start.  Sending files between parties is a common task whether it is for eDiscovery, M&A, audit, medical or to facilitate some other form of collaboration.  Here are a couple of points to keep in mind:

 

  • You want Point-To-Point encryption

Your file(s) should be encrypted at the source prior to transfer.  Many methods transfer unencrypted.  Others transfer unencrypted until they reach the storage location, at which point they are encrypted only while in storage, and unencrypted to send to the other party.  Point to Point ensures protection before leaving your computer all the way to the destination.

  • Storage should be Secure

Many transfer methods implement a “storage” location where the files rest for a period of time until picked up by the other party.  This storage location should be as secure as possible, including storing files in encrypted format.  The best methods even prevent the manager of the storage location from decrypting the files, ever.  This reduces the risk if someone hacks the storage location or the court orders production of the files stored there.

 

  • Auditing of the Activity

Good systems will track not only user activity, but individual file activity.  Security is great, but providing a log of activity is the proof of that security and provides great peace of mind.

  • Individual & Workgroup Functionality

Better systems work for those one-off transfers as well as allowing easily repeated distribution with established workgroups.

  • Pedigree & Third Party Certifications

Don’t just rely on marketing material and conversations with sales reps.  Look at who uses the application and what types of certifications they have gone through.  IT and security certifications are a tedious and time consuming effort, often taking over a year.  Investing the time and resources adds credence to the application’s security and stability.

 

 

Larry Briggi
Director of Operations

lbriggi@davisinfogov.com

 

Larry Briggi is the Director of Operations for Davis and Associates, LLC.  

Bona fides include:

  • Manager of Technical Litigation Support and User Support Services at Cravath, Swaine and Moore.

  • Director – Navigant Consulting

  • Managing Director – FTI Consulting  

535 Fifth Avenue, 4th Floor

New York City, NY 10017

Office: 1.914.325.9339 

e-Fax: 1.713.470.9817

Share on Facebook
Share on Twitter
Please reload

Featured Posts

Cybersecurity - Convergent Fiduciary Duties of Lawyers, Directors & CIOs

February 1, 2018

1/1
Please reload

Recent Posts
Please reload

Archive
Please reload

Search By Tags

I'm busy working on my blog posts. Watch this space!

Please reload

Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square