No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.

1. Sarah Banola, legal ethics counsel to lawyers and law firms, Cooper, White & Cooper,
www.cwclaw.com
Diana Maier, Employment Attorney and IAPP Certified Information Privacy
Professional/US/EU, www.dianamaierlaw.com
Privacy Best Practices for Lawyers
What Every Law Practice Needs to Know About Privacy Law
Presented by:
Diana Maier & Sarah Banola

2. 2
WHAT IS PRIVACY LAW?
• Laws that deal with the regulation, storage and
use of personal information about individuals.
• Generally, expectation of privacy is a key
factor.
• Privacy laws can be broadly classified
depending on the kind of data:
Sensitive personal information
Personal information
Non-personal information

3. 3
WHAT IS PRIVACY LAW?
Specific privacy laws that are designed to regulate specific types of
information. Some examples include:
• Communication privacy laws (e.g. TCPA)
• Financial privacy laws (e.g. FCRA)
• Health privacy laws (e.g. HIPAA)
• Online privacy laws (e.g. COPPA; CalOPPA)

4. 4
Internet and the digitization of data has created higher stakes:
• Millions of people are sending off private and sensitive information.
If you break into the right network, you have access to millions of
people’s sensitive information.
• Last year, John Mulligan, Target's chief financial officer, said the
retailer was “deeply sorry” for a breach that affected both payment
data of 40 million customers and the personal data, such as phone
numbers and addresses, of as many as 70 million people.
WHY IS PRIVACY LAW SO HOT RIGHT NOW?

5. 5
Internet and the digitization of data has created higher stakes:
• Internet means private information that you chose to share
(sometimes thinking only a few people will see it) can be viewed by
countless.
• Increasing amount of communications as we are more
interconnected. New resentments by consumers about how those
communications occur. Pressure on legislatures to regulate. (Think
CAN-SPAM act for email; Do Not Call list for phone calls.)
WHY IS PRIVACY LAW SO HOT RIGHT NOW?

6. 6
• Onset of “Big Data” means increasing volumes of information. Private
companies already collect, mine, and sell as many as 75,000 individual
data points on each consumer, according to a Senate report.
• This has ethical/moral/legal implications, so government regulation is
implemented to deal with it.
WHY IS PRIVACY LAW SO HOT RIGHT NOW?

7. 7
Follow FTC Fair Information Privacy Principles
• Government agencies in the United States, Canada, and Europe have
studied how entities collect and use personal information -- their
“information practices” -- and the safeguards required to assure those
practices are fair and provide adequate privacy protection.
• The result has been a series of reports, guidelines, and model codes
that represent widely accepted principles concerning fair information
practices.
HOW DO WE PRACTICE GOOD PRIVACY?

8. 8
Common to all of these documents are five core principles of privacy
protection:
1. Notice/Awareness;
2. Choice/Consent;
3. Access/Participation;
4. Integrity/Security; and
5. Enforcement/Redress.
HOW DO WE PRACTICE GOOD PRIVACY?

9. 9
Always consider the following:
• How does your business collect, use, share and store information (of clients or
employees)? Do you have a lawful or legitimate basis for doing so?
• Where is the data stored/where is it going? (cross-border transfers, vendor to
sub processor)
• How is information collected used and shared? What are the business
purposes for each? (data minimization, reasonable business purpose)
• Who has access to the information collected, and is there a less intrusive way
to collect/process/store?
ISSUE SPOTTING FOR PRIVACY VIOLATIONS

10. 10
• How are the Fair Information Practices
met?
• What do your vendor contracts (if any)
say about privacy and confidential
information, particularly of your clients?
• What does your privacy policy say, where
is it posted, and do you truly follow it?
• What are user expectations about your
website/email system, etc?
ISSUE SPOTTING FOR PRIVACY VIOLATIONS

11. 11
Why are privacy practices so important?
• Most laws apply to law firms just as they would to other types of businesses
 International data protection requirements
 Cross-border data transfer restrictions
 Patchwork U.S. requirements
 Hundreds of state and federal privacy laws
 Section 5 of the FTC Act
 Security breach notification requirements
PRIVACY PRACTICES FOR ATTORNEYS

12. 12
From a legal perspective, the risks are substantial
• FTC enforcement authority: Section 5 of the FTC Act
• Most FTC privacy enforcement actions result from security breaches
Dave&Buster’s, CardSystems, Petco, ChoicePoint, Tower Records, DSW, Barnes &
Noble.com, BJ’s Wholesale Club, Guess.com, Inc.
• Division of Privacy and Identity Protection at the FTC
• Contractual liability
• Civil and criminal penalties or fines (particularly in the EU)
• Reputational harm
PRIVACY PRACTICES FOR ATTORNEYS – THE RISKS OF
NONCOMPLIANCE

13. 13
• Privacy issues have become ubiquitous for all businesses
• Law firms are no exception; in fact, they face unique challenges:
 Must comply with evolving privacy requirements
 Varying client requests and sensitivity of data
 Also must comply with ethical obligations
LAW FIRMS ARE NOT IMMUNE

14. 14
• Personally identifiable information (PII) is routinely collected
• Necessary to provide legal services in some matters
e.g., Mergers and Acquisitions, Employment, Health Care, Trust &
Estates, Immigration, Information Security
Patents, trade secrets, religion, national origin, political affiliation,
criminal background, SSNs, financial account information, medical
history
SENSITIVE CLIENT DATA COLLECTION BY FIRMS

15. 15
• Storage of both hard-copy and electronic records creates risk
Mobile devices particularly risky and BYOD policies important
Breaches
Storage of data in the cloud has become commonplace
 Provides the ability to leverage economies of scale, geographic
distribution, and automated systems to drive down costs
 BUT, must consider the privacy, information security issues and
ethical obligations.
STORAGE OF PERSONAL INFORMATION

16. 16
Data retention
• How long must you keep personal information in the client files context?
Secure destruction of personal information
• Legal requirement at both state and federal level
Cross-cut shredding, degaussing
Consider state bar ethics opinions (Oregon State Bar Formal Ethics Op
2005-141: law firm may contract with recycling service to dispose of
documents that may contain information relating to the representation of a
client.)
DATA RETENTION & DESTRUCTION

17. 17
• ABA Model Rules and California Rules of Professional Conduct
Rule 1.1, CRPC 3-310 – Competence
Rule 1.6, CRPC 3-100, Bus. & Prof. C. 6068§(e)(1) –
Confidentiality
Rule 1.4, CRPC 3-500 – Communication
Rule 1.15, CRPC 4-100 – Client Property and Recordkeeping
Rules 5.1-5.3, Discussion to CRPC 3-310 – Supervision
ETHICAL OBLIGATIONS

18. 18
DUTY OF CONFIDENTIALITY — CALIFORNIA LAW
• California Business & Professions Code § 6068(e)(1) (duty of attorney
“[t]o maintain inviolate the confidence, and at every peril to himself or
herself to preserve the secrets, of his or her client.”)
• Lawyers must take reasonable measures to safeguard confidential client
information and may need to consult with someone who possesses the
requisite technical knowledge. See Cal. State Bar Formal Opns. 2010-
179 & 2012-184.

19. 19
DUTY OF CONFIDENTIALITY — MODEL RULE 1.6
• Paragraph (c) requires lawyers to undertake reasonable efforts to
prevent the inadvertent or unauthorized disclosure of, or access to,
confidential client information.
• Comment [18] addresses safeguarding confidential client information
and includes the duty to prevent unauthorized disclosure by staff.

20. 20
DUTY OF CONFIDENTIALITY AND USE OF SOCIAL MEDIA
• Don’t discuss confidential client information in public social media
forums (e.g., listservs, blogs, LinkedIn).
• Attorney should monitor and advise client re: social media profiles,
websites, and blogs. See Pennsylvania Bar Ass'n Form. Ethics Opn.
2014-300; New York County Ethics Opn. 745 (2013).
• Lawyer may advise client to change profile to “private.” Philadelphia Bar
Ass'n Professional Guidance Committee Opn. 2014-5; New York State
Bar Ass'n Social Media Guidelines (March. 18, 2014) at p. 11.

21. 21
DUTY OF COMMUNICATION
• Duty to keep the client “reasonably informed about significant
developments” and “to promptly respond to reasonable requests for
information.” CRPC 3-500
• Revised Comment [4] to Rule 1.4 reflects changes in communication
technology and requires a lawyer to promptly respond to or
acknowledge client communications.
• Client instructions

22. 22
Security of Confidential Information, Cal. State Bar Formal Opn. 2012-184
• Reasonable steps are required
• Factors to consider:
Level of security offered by particular device
Legal consequences for unauthorized use or access
Sensitivity of information
Potential impact to client of inadvertent disclosure
Urgency of the situation
Client directions and circumstances
ETHICS OPINIONS

23. 23
Arizona State Bar Ass’n Ethics Opinion 09-04
“It is important that lawyers recognize their own competence
limitations regarding computer security measures and take
necessary time and energy to become competent or alternatively
consult experts in the field.”
ETHICS OPINIONS

24. 24
• To what extent may a lawyer respond to negative online review by the
lawyer’s ex-clients?
Los Angeles County Bar Association Formal Opinion No. 525
San Francisco Bar Association Formal Opinion No. 2014-1
ETHICS OPINIONS

25. 25
• If third parties will access personal information on the firm’s behalf,
there is risk.
• Consider getting the client's consent to use of cloud computing
services, particularly with highly sensitive data.
• Adequately vet providers:
Credentials/Expertise in the industry
Security measures utilized/Who will have access to the information
Resources available to the vendor
How the vendor will transmit client information
CLOUD COMPUTING

26. 26
• Mitigate risk through:
Due diligence
Protective privacy and information security contract language
 Maintain PII in strict confidence
 Use PII only for your company’s benefit
 Comply with all applicable laws, industry standards and the company privacy policy
 Develop, implement and maintain reasonable security procedures to protect PII from
unauthorized access, destruction, use, modification and disclosure
Ongoing monitoring
PRIVACY PRACTICES FOR ATTORNEYS - SERVICE
PROVIDER MANAGEMENT

27. 27
Ethics violations
• Waiver of attorney-client privilege
• Malpractice or breach of fiduciary duty
• Fee dispute or disgorgement
• Consequential damages, such as replacing hacked client trust funds
• State bar discipline, including reprimand, suspension, disbarment
PRIVACY PRACTICES FOR ATTORNEYS – THE RISKS OF
NONCOMPLIANCE WITH FIDUCIARY DUTIES

28. 28
• Inventory personal data maintained by the firm and devices used
• Conduct risk assessment considering at least:
 Employee training, policies and mobile device management
 Secure information systems design and information processing, storage, transmission,
and disposal
 Responding to and preventing attacks, intrusions, and systems failures
 Breach notice requirements
• Fix vulnerabilities identified through the risk assessment
• Oversee vendors
• Monitor and manage information security program and policies
CHECKLIST

29. 29
• ABA’s “Information Security for Lawyers,” available at
http://www.abanet.org/abastore/index.cfm
• FTC’s “Protecting Personal Information, A Guide for Business” available at
http://www.ftc.gov/infosecurity/
• IAPP’s “Information Privacy” handbook, available at http://www.iapp.org
• “Protecting and Securing Confidential Client Data,” by Anthony Davis and Michael P.
Downey at http://www.law.com/jsp/lawtechnologynews/PubArticle L
TN.jsp?id=1202474447879&slreturn=1&hbxlogin=1
• NYSBA Social Media Ethics Guidelines, available at
http://www.nysba.org/socialmediaguidelines/
• For suggested BYOD terms, see ACC Top 10 Tips, available at
http://www.acc.com/legalresources/publications/topten/tttfmtbyodttwe.cfm
RESOURCES

30. 30
DISCLAIMER: The information contained in this presentation has been prepared
by the Law Offices of Diana Maier and Cooper, White & Cooper LLP (collectively,
the “Firms”) and is not intended to constitute legal advice. The Firms have used
reasonable efforts in collecting, preparing, and providing this information, but do
not guarantee its accuracy, completeness, adequacy, or currency. The
publication and distribution of this presentation are not intended to create, and
receipt does not constitute, an attorney-client relationship.
COPYRIGHT © 2016, Diana Maier and Sarah J. Banola. All rights reserved.
THANK YOU FOR LISTENING