
Top 7 privacy concerns

Jeffrey Wolff | February 18, 2015 | Read time: 2 min

The recent Anthem data breach has brought security and privacy to the forefront for most organizations. While at Legal Tech New York, our corporate counsel, Mary Mack, moderated a panel on privacy in which the panelists discussed some of the top privacy concerns for this year.

Sponsored by Women in eDiscovery on February 5, 2015, the panel included:

  • Amanda Kosowsky, VP, AGC, Discovery Management, JPMorgan Chase
  • Laura Kibbe, Counsel, Morgan Lewis
  • Monique Altheim, Managing Consultant Global Data Privacy and Security, IBM
  • Monika Jedrzejowska, Associate, Hunton and Williams

Here are the top privacy concerns discussed:


1. Health information

With a breathtaking 80 million Social Security numbers and health IDs stolen, the Anthem breach is one of the largest data security breaches to date. As with the Sony breach, health information was stolen. However, health information is ten times more valuable than credit card information on the black market: it is resold, used in medical fraud, and used to obtain services via medical identity theft. The impact of the breach was felt immediately when customers received “phishing” emails asking them to verify credit card and personal health information. Angry customers are filing class action suits against Anthem.

2. Service providers and law firms as business associates

HIPAA compliance for organizations serving “covered entities” was a hot topic on the panel. Organizations serving covered entities are “business associates,” and they include law firms and service providers. As business associates of covered entities, law firms and service providers in the legal technology space must comply with HIPAA. The panel noted that some of the new business associate contracts shift the liability too far and cannot be signed. Practical approaches to compliance offered were more targeted indemnity and breach notification contractual provisions, HIPAA audits, auto-redaction, process improvement, and encryption. Paper should not be ignored, as many breaches occur offline.

3. Financial information

The financial-sector counterpart to HIPAA, Gramm-Leach-Bliley (GLB), is causing financial institutions to audit and more closely manage their service providers and law firms to make sure they are complying with the Safeguards Rule.

4. California Erasure Law

The California Erasure Law, which mandates removal of a minor’s information, was also discussed. Surprisingly, it is the minor who must make the request, and the information may be hidden rather than erased.

5. International privacy

Moving into international privacy, the panel updated us on the EU’s revamp of the Protection of Personal Data. Predictions were made that Safe Harbor will stand, although it may be tougher to obtain and have more oversight. The EU is considering severe penalties for privacy violations, including 5% of global gross. The observation that multiple countries must come to consensus on the revamp makes it likely that it will not be final for some time. The APEC Privacy Framework was also discussed, and it was noted that Russia’s Localization Law mandates in-country processing and hosting of data.

The good news about international privacy includes Binding Corporate Rules with easier compliance than in years past, and a move toward harmonization, with many countries and regions looking to the EU for guidance on their rules.

6. US privacy legislation

Some of the panelists believed that the US is at a tipping point in privacy, where legislation is needed to provide a standard, not only for international commercial purposes, but also to blunt the impact of many states employing different schemes, including different schemes for data breach notification.

7. Impact on eDiscovery: caught between a rock and a hard place

Attorneys practicing in the cross-border, international arena of eDiscovery find themselves at cross purposes. On the one hand, US judges expect compliance with the Federal Rules of Civil Procedure (FRCP). On the other hand, various jurisdictions impose severe penalties for complying with US eDiscovery requests. Practical approaches included phasing discovery, in-country culling, working with the data protection controllers, and getting to the US judge early to educate the court on the intricacies and timing of international disclosures.

Jeffrey Wolff
Jeffrey Wolff joined ZyLAB as eDiscovery Director in May 2015 with over 20 years of experience in information systems and enterprise software. He has been involved in solution architecture, design, and implementation for major projects within the Department of Defense and Fortune 1000 corporations. Prior to joining ZyLAB, Jeffrey held senior positions within firms specializing in Microsoft SharePoint and enterprise search solutions, giving him deep technical knowledge of the fundamentals of information management and eDiscovery.
