The recent Anthem data breach has brought security and privacy to the forefront for most organizations. While at Legal Tech New York, our corporate counsel Mary Mack, moderated a panel on privacy with panelists discussing some of the top privacy concerns for this year.
Sponsored by Women in eDiscovery on February 5, 2015, the panel included:
- Amanda Kosowsky, VP, AGC, Discovery Management, JPMorgan Chase
- Laura Kibbe, Counsel, Morgan Lewis
- Monique Altheim, Managing Consultant Global Data Privacy and Security, IBM
- Monika Jedrzejowska, Associate, Hunton and Williams
Here are the top privacy concerns discussed:
1. Health information
With the breathtaking 80 million social security and health ID’s stolen, the Anthem breach is one of the largest data security breach to date. As with the Sony breach, health information was stolen. However, health information is ten times more valuable than credit card information on the black market and is resold, used in medical fraud, and to obtain services via medical identity theft. The impact of the breach was felt immediately when customers received “phishing” emails asking them to verify credit card and personal health information. Angry customers are taking class action suit against Anthem.
2. Service providers and Law Firms as Business Associates
HIPAA compliance for organizations serving “covered entities” was a hot topic on the panel. Organizations serving covered entities are “business associates” and include law firms and service providers. As business associates of covered entities, law firms and service providers in the legal technology space must comply with HIPAA. The panel noted that some of the new business associate contracts shift the liability too far, and cannot be signed. Practical approaches to compliance offered were more targeted indemnity and breach notification contractual provisions, HIPAA audits, auto redaction, process improvement and encryption. Paper should not be ignored, as many breaches occur offline.
3. Financial information
HIPAA for financial institutions or Gramm Leach Bliley (GLB) is causing financial institutions to audit and more closely manage their service providers and law firms to make sure they are complying with the Safeguards Rule.
4. California Erasure Law
The California Erasure Law, the law that mandates removal of a minor’s information was also discussed. Surprisingly, it is the minor that must make the request, and the information can be hidden, and not erased.
5. International Privacy
Moving into international privacy, the panel updated us on EU’s revamp of the Protection of Personal Data. Predictions were made that the Safe Harbor will stand, although it may be tougher to get, and have more oversight. The EU is considering severe penalties for privacy violations, including 5% of global gross. The observation that multiple countries must come to consensus on the revamp makes it likely that it will not be final for some time. The APEC Privacy Framework was also discussed, and it was noted that Russia’s Localization Law is mandating in country processing and hosting of data.
The good news about international privacy includes Binding Corporate Rules with easier compliance than in years past, and a move toward harmonization with many countries and regions looking to the EU for guidance on their rules.
6. US Privacy Legislation
Some of the panelists believed that the US is at a tipping point in privacy for legislation to provide a standard, not only for international commercial purposes, but to blunt the impact of many states employing different schemes, including different schemes on data breach notification.
7. Impact on eDiscovery: Caught Between a Rock and a Hard Place
Attorneys practicing in the cross border, international arena of eDiscovery find themselves at cross purposes. On the one hand, US judges expect Federal Rules of Civil Procedure (FRCP) compliance. On the other hand, various jurisdictions have severe penalties for compliance with US eDiscovery requests. Practical approaches included phasing discovery, in country culling, work with the data protection controllers, and getting to the US judge early to educate on the intricacies and timing of international disclosures.