data privacy & cybersecurity...2019/08/06 · ethical considerations •aba model rule 1.1...
The Tipping Point?
http://acc.com
DATA PRIVACY & CYBERSECURITY
Presenters:
Phil Yannella, Partner
Practice Leader: Privacy and Data Security Group and
E-Discovery and Data Management Group
Robert Fowler, CIPP-US
Director of Strategic Partnerships
COPYRIGHT © JORDAN LAWRENCE 2019 | ALL RIGHTS RESERVED
C O N F I D E N T I A L
In The Beginning…
General Data Protection Regulation (GDPR)
Purpose & Intent:
1. Protect Personal Data
2. Use Personal Data Appropriately
What Personal Data is Collected
Business Purpose for Collection
Right to Access Data
Right to Opt-Out
Right to Request Deletion
Right to Data Portability
Right to Compensation
Fines up to 4% of Annual Global Revenue
Assumption… Companies know everything about their data.
Bureaucratic Enforcement
Enforced by Data Protection Authorities
Heavy Compliance Documentation
Regulatory Investigations
Breach Notification Required
Cease Processing Order
Privacy Regulations Come To The U.S.
Effective January 1, 2020
$750 in Damages / Resident / Incident
Potential Wave of Litigation
BREACHES SUDDENLY HAVE GREAT POTENTIAL FOR PLAINTIFFS’ ATTORNEYS:
10,000 CA RESIDENTS: $1 to $7.5 million
100,000 CA RESIDENTS: $10 to $75 million
1,000,000 CA RESIDENTS: $100 to $750 million
10,000,000 CA RESIDENTS: $1 to $7.5 billion
Expanding Data Privacy & Cybersecurity Regulations
The perfect storm.
Lack of Data Governance Practices
Broader Definition of Personal Data
Increased Liability
Energetic Litigation Bar
“Class action lawyers are pursuing data privacy cases and amassing fortunes even where no one has been harmed.”
Lack of Data Governance Practices
Broader Definition of Personal Data
Broader Definition of Harm
Active Litigation Bar
Bet-The-Job Questions…
1. Do we really know where all personal and sensitive data exists?
2. Which of our vendors have our personal data?
3. Can we respond compliantly and cost-effectively to data access requests?
4. Do we retain any personal data longer than necessary?
1. Do we really know where all personal data exists?
Compliance begins with a data inventory.
APPLICABILITY
PERSONAL DATA: Social Security # | Drivers’ License # | Account # | Credit Card # | Legal Actions | Corporate Financial Data | Intellectual Property | Profile Data | Preferences | Attitudes
COLLECTION: Web Form | Email | Paper Form | In Person
DATA SUBJECTS: Beneficiaries | Current Employees | Customers | Job Candidates | Minors/Children | Past Employees | Subscribers
APPLICATIONS
DEPARTMENTS: Customer Service | Finance-Payroll | HR-Benefits | HR-Recruiting | Investor Relations | Legal & Compliance | Marketing
LOCATIONS: Laptops | File Cabinets
THIRD PARTIES
RETENTION: AUT 7 Years | BEL 5 Years | NLD 5 Years | ITA 5 Years | USA 7 Years | CHE 5 Years
Payroll Records | Personnel Records | Recruiting Records
Data Inventory Must Be Sustainable
Informs Critical Compliance Requirements
Legal Obligations
Third-Parties
Data Management
Data Minimization
Vendor Risk Profiling
DSAR Process
> Vendor Agreements
> Incident Response Plan
> Employee Privacy Policy
> Notices & Consent
> Data Access Exceptions
> Online Privacy Policy
> Online Disclosures
Ethical Considerations
• ABA Model Rule 1.1 (Competence)
• To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
• Understanding technology is critical to understanding legal implications of data mapping
• Cookie Compliance
• Anonymization
• Data Breach Response
2. Can we respond compliantly to data subject access requests?
45 days to respond to a verifiable request.
DATA ACCESS REQUESTS
Right to Access
Right to Delete
Right to Opt-Out
Right to Portability
Right to Disclosure
WHERE’S THE DATA?
Verify Identity
Data Locations & Sources
Applications
Third Parties
Retention & Legal Holds
The Challenge Ahead
45 Days
The outlook is grim…
45% to 85% of companies aren’t ready
83% need 7 days to respond to one request
$1,400 to fulfill a single request
5K requests = $7 Million
Gartner Research | How to Prepare for the CCPA & Navigate Consumer Privacy Rights
Empower consumers to easily request data
Keep data subjects informed about their requests
Ensure consistency across the process
Well-Documented Process to Manage Requests
Track tasks and activities
Notify appropriate personnel
Manage Timelines
Fulfill Verified Requests
Configurable, Automated Workflows
3. Which of our vendors have our personal data?
Compliance extends to your third parties.
Companies lack visibility into the third parties they share personal data with.
Data Risk in the Third-Party Eco System | Ponemon Institute
VENDOR RISK PROFILE
Identify Regulatory Applicability & Risks
Vendors Accessing Personal Data
Vendors Accessing Systems
Vendors With No Access
VENDOR RISK PROFILE
Identify Regulatory Applicability & Risks
Evaluate Regulatory Applicability
Vendors Accessing Systems
Vendors Accessing Personal Data
NIST CSF
NIST SP 800 171
COBIT
ISO 27000
Requisite Reporting
COMPREHENSIVE RISK ASSESSMENT
Identify Data Security Risks
Demonstrate Compliance
Assess Security & Compliance Readiness
4. Are we retaining any personal data longer than necessary?
Harmonize retention and legal holds.
A Clear Path to Data Minimization
Manage Retention Requirements
Document Logic
Develop Deletion Strategies
Connect Personal Data to Retention Requirements
Questions?
Phil Yannella, Partner
Practice Leader: Privacy and Data Security Group and
E-Discovery and Data Management Group
Robert Fowler, CIPP-US
Director of Strategic Partnerships