2020 Family Law Seminar
Data Privacy Issues in Family Law (For Clients and Practitioners)
Friday, July 24, 2020
AM Session
WEBCAST
Maureen Fulton, Koley Jessen P.C., L.L.O.
The NSBA’s Family Law Section presents:


Post on 21-Sep-2020


SPEAKER BIO

Maureen Fulton dedicates her practice to advising businesses in developing comprehensive privacy and data security programs. Maureen guides companies in navigating through state, federal, and international privacy laws and regulations. She also performs data privacy and security due diligence for buyers and sellers in merger and acquisition transactions.

Maureen has worked with businesses to obtain certification under the EU-U.S. Privacy Shield and to ensure compliance with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act of 2018 (CCPA). She has assisted clients in preparing for and remedying data breach incidents and identifying the associated litigation risks.

One of the founders of Koley Jessen’s Data Privacy and Security practice area, Maureen is a member of the International Association of Privacy Professionals and has frequently presented on data privacy and security issues.


MAUREEN E. FULTON

Data Privacy Issues in Family Law

Nebraska State Bar Association Family Law Seminar
July 24, 2020


Introduction
• Data Privacy and Security practice area at Koley Jessen
• Why this topic is relevant to your practice


Agenda
• What is personal data?
• U.S. Federal Data Privacy Laws
• U.S. State Data Privacy Laws
• How to Counsel Family Law Clients on Data Privacy Compliance
• Ethical Obligations For Law Firms Related to Data Security


What is “personal data”?
• It depends on which law is being applied.
• The California Consumer Privacy Act describes “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.


PATCHWORK OF FEDERAL STATUTES

U.S. Federal Data Privacy Framework


Let’s use mnemonic devices to learn U.S. Privacy Laws


When you hear about:

Privacy issues related to Education, think: FERPA

A Furby


When you hear about:

Privacy issues related to health information, think: HIPAA

HIPAA-Hippopotamus


When you hear about:

Online privacy issues related to children, think: COPPA

COPPA-(Copa)cabana Beach in Rio de Janeiro


Other U.S. Federal Data Privacy Laws Affecting Parents and Children

• CFAA (Computer Fraud and Abuse Act)
• ECPA (Electronic Communications Privacy Act)
• SCA (Stored Communications Act)
• The Privacy Act
• PPRA (Protection of Pupil Rights Amendment)
• CIPA (Children’s Internet Protection Act)
• NSLA (National School Lunch Act)


National Discussions of New Federal Legislation
• Business Roundtable Open Letter
• Biggest remaining issues are preemption and enforcement (i.e. private right of action or government enforcement).
• Another important issue: Should federal legislation regulate what companies do with information or simply require transparency?


State Data Privacy Laws


Data Privacy Existing State Laws
• Data Security
• Breach Notification
• Social Media Privacy
• Social Security Numbers
• Add-Ons to Federal Laws (such as HIPAA)
• Records Disposal
• Payment Card Transactions
• Telephone Call Recording


Data Breach Notification Laws
• Timing of notification requirement (from 30 days to “as soon as practicable”)
• Attorney General Notification
• Broadening scope of “personal information” definition
• Specific information to be provided in notice letters


Data Breach Notification in Nebraska
• Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act (Neb. Rev. Stat. §§ 87-801 to 87-807)
• Unauthorized acquisition of unencrypted data that compromises personal information
• Must provide notice to affected individual and the Nebraska Attorney General


Social Security Laws
• More than 30 states have adopted laws restricting or prohibiting the collection, use, or disclosure of SSNs
• A business should consider taking the following steps:
  • Determine if you collect or maintain SSNs
  • Review and update your policies and procedures to comply with state law
  • Train employees on the new policies and procedures
  • Audit your employees to ensure they are complying with the policies and procedures


THE NATION’S STRICTEST DATA PRIVACY LAW

The California Consumer Privacy Act of 2018


Who Must Comply With the CCPA?
Most companies with California-based assets or customers. Businesses that:
1. Collect personal data of CA residents,
2. “Do business” in CA, and
3. Meet one of the following criteria:
   a) Has annual gross revenue of $25 million
   b) Receives personal data of 50,000 or more consumers, or
   c) Obtains 50 percent or more of its revenue from the sale of California residents’ personal data


CCPA: Lots of Compliance Components
• Data Mapping
• Update External Privacy Notice
• Comply with DSARs (Data Subject Access Requests)
• Create Process for Opting out of Sale of Personal Information
• Vendor Contract Compliance
• Written Information Security Plan


CCPA: Digging Into Your Data
In order to comply with CCPA, the most important things companies need to know about their data are:
• what personal information a business holds about California residents;
• where that information is stored;
• to whom that information is disclosed; and
• how to access and delete the information if requested


Legal Exposure Under the CCPA
• CA AG can institute up to $7,500.00 fine for each “violation”
• Limited private right of action (think class action)


Counseling Family Law Clients on Data Privacy Compliance


Spousal Protection of Data and Accounts
• A client should take certain steps to ensure the privacy of their information and accounts from their spouse, such as:
  • Change passwords and security questions
  • Stop sharing calendars
  • Turn off location tracking
  • Stop text messages from sharing to other devices
• A client should not log onto their spouse’s computer or accounts


Nest Cameras: Who Has Rights?
• 3 levels of members for Nest family accounts
• All family members are notified of a data request by another member
• The owner and full access members can remove anyone from the family account, except the owner


Children’s Data: Who Has Rights?
• COPPA and FERPA
• School districts’ rights to children’s data
• Social Media


Managing Children’s Online Privacy
• Know about COPPA
• Read privacy policies
• Manage privacy settings on apps
• Use parental controls
• Educate children


Children’s Online Privacy in Parenting Plans
• Parents can agree to a social media plan
• Discuss how the children will use the internet and social media
• Consider if parents will monitor their children’s online presence and communication and then decide how they will do so


Ethical Obligations for Law Firms Related to Data Security


Roadmap

• Types of Data Held by Law Firms
• Nebraska Rules of Professional Conduct Related to Data Security
• ABA Formal Opinion
• Association of Corporate Counsel Model Controls
• Data Breach Horror Stories
• Best Practices for Law Firms


Types of Data Law Firms are Trying to Protect
• Personally identifiable information (PII).
  • 75% of compromised data is PII.
• Protected health information (PHI).
• Client identity, information and data.
• Attorney-client privileged information.
• Credit card information.
• Trade secrets.
• Employee information.
• Business and financial information.
• Firm Credentials


Neb. Ct. R. of Prof. Cond. § 3-501.1 - Competence

• A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, preparation and judgment reasonably necessary for the representation.

• Comment [6] to Rule 3-501.1: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.


Neb. Ct. R. of Prof. Cond. § 3-501.4 - Communications

• (a) A lawyer shall:
  • (1) promptly inform the client of any decision or circumstance with respect to which the client's informed consent, as defined in Rule 1.0(e), is required by these Rules;
  • (2) reasonably consult with the client about the means by which the client's objectives are to be accomplished;
  • (3) keep the client reasonably informed about the status of the matter;
  • (4) promptly comply with reasonable requests for information; and
  • (5) consult with the client about any relevant limitation on the lawyer's conduct when the lawyer knows that the client expects assistance not permitted by the Rules of Professional Conduct or other law.
• (b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.


Neb. Ct. R. of Prof. Cond. § 3-501.6 - Confidentiality of Information

• A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent. A lawyer may reveal such information to the extent the lawyer reasonably believes it is necessary to:
  • Prevent reasonably certain death or substantial bodily harm;
  • Secure legal advice about compliance with these Rules;
  • Establish a claim or defense on behalf of the lawyer in certain instances; and
  • Detect and resolve conflicts of interest.


Rule 3-501.6 - Confidentiality of Information
• Comment [16]: When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.


ABA Formal Opinion 477

• Securing Communications of Protected Client Information
• “[A] lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology…”
• In order to comply with their general obligations under the Rules, lawyers must continuously analyze how they communicate electronically about client matters, applying the following factors to determine what efforts are reasonable:
  • The sensitivity of the information;
  • Likelihood of disclosure without additional safeguards;
  • Cost of and difficulty in employing additional safeguards; and
  • Extent to which the safeguards adversely affect the lawyer’s ability to represent clients.


Association of Corporate Counsel Model Controls

Clients are Requiring Security – The Association of Corporate Counsel Model Controls require internal security and privacy policies that include:

• Security policy; organization of information security; asset management; human resources security; physical and environment security, communications and operations management, access control, etc.
• Retention; return/destruction; certification of destruction of records.
• Encryption in transit, at rest, stored on portable devices, etc.
• Data security breach reporting.
• Physical security protections.


Association of Corporate Counsel Model Controls

• Logical access controls.
• Monitoring.
• Vulnerability controls and risk assessments – at least annually.
• System administration and network security.
• Company has security review rights to inspect, examine and review outside counsel records, practices and procedures used in rendering services.
• Cyber liability insurance with minimum coverage level of $10,000,000.


Verizon 2020 Data Breach Investigations Report

• Annual report conducted the past 13 years.
• Information gathered by Verizon independently and through the help of contributing organizations.
• Provides data to organizations regarding latest threats in data security and privacy.
• Provides individual data for specific industries.


Verizon 2020 Data Breach Investigations Report

• Tactics, Actors, and Victims
• Attack Types
  • Malware
  • Hacking
  • Social Engineering
• Professional, Scientific, and Technical Services Industry


Real-Life Law Firm Data Breaches


Most Common Scenarios Involving Data Breaches
• Devices with unencrypted data are stolen or lost.
• Security patches (software fixes issued by manufacturers) are not installed.
• Lawyers and staff are not trained about social engineering.
• Malware comes in via an attachment or through social media (like spear phishing).
• Hackers, cybercriminals and even nations find vulnerabilities in your network.
• Hackers enter through third party vendors’ unsecured networks.


In May 2020, 193 Firms Were Exposed

• User names, IDs, and passwords exposed.
• Impacted firms ranging from largest to small boutiques.
• 10,000 legal documents leaked.

Hackers got in through unsecured database belonging to a large software company.


Ramifications of Data Breaches

• State Ethics/Licensing Issues
• HIPAA fines and penalties
• Contractual liability
  • Business Associate Agreement
  • Client Engagement
• General privacy claims


Installing Safeguards


Data Security Policies & Procedures for Law Firms

• Workforce Training
  • Discipline
• Policy Review
  • Amendments
• Record Retention and Destruction
  • Shredding bins
• Accounting of Disclosures and Breach Notification
  • Reporting improper uses and disclosures
  • Everyone’s responsibility


Data Security Policies & Procedures for Law Firms

• Technical Safeguards
  • User ID
  • Automatic Logoff // Screen Timeout
  • Encryption
• Mobile Device Policy
  • Password Protected
  • Lock after predetermined unsuccessful attempts
  • Must have firewall and antivirus installed and operational


Data Security Policies & Procedures for Law Firms

• ID Badge // Fob
  • Sharing prohibited
• Password Policy
  • Smartphones (4 Character)
  • Other (20 Character)
  • Change required every six months


Data Security Policies & Procedures for Law Firms

• Remote Access Policy
  • Only Firm-owned devices
  • Unsecured networks prohibited
• Internet Use Policy
  • Appropriate Use
  • Inappropriate Use
• Email Use Policy
  • General Terms
  • Appropriate Use
  • Inappropriate Use


Software is Important to Keep Your Data Secure...


But So Is User Training!


Cybersecurity During COVID-19?

• IT and security professionals report 71% in threats or attacks since outbreak.
• Employees are more relaxed in work-from-home environment.
• Less secure networks in home offices.
• Hackers posing as the World Health Organization amid pandemic concerns.


Omaha

Questions?

Maureen E. Fulton
[email protected]

402.343.3753