Lawyers Also Can Be Snared by Privacy Rules

Identity theft is a booming business. Each year, millions of Americans fall victim to identity theft or have their personal privacy otherwise compromised through unlawful means. Whether it comes in the form of a lost or stolen credit card, or computer hackers accessing social security numbers from employment records, financial institutions, medical records, or government agencies, the costs are staggering. Studies demonstrate that victims spend anywhere from a few hours to, in some cases, literally thousands of hours working to repair damage done by identity theft. Investigations related to identity theft often take months – or sometimes years – to resolve. Reports have estimated that hundreds of billions of dollars per year are lost by businesses worldwide due to identity theft. Individual victims sometimes lose thousands of dollars in wages resolving their cases, and can spend several hundred (sometimes thousands) of dollars in various expenses related to their case.

In an effort to combat ID theft, more than thirty states (including California, New York, Illinois, and Pennsylvania) have enacted laws restricting certain uses and disclosures of social security numbers. The federal judiciary has taken note – and is following suit. Recent revisions to the Federal Rules of Civil Procedure (FRCP) now require attorneys to redact certain personal identifying information of individuals involved in litigation when filing documents in federal court – either electronically or in traditional paper format.

Revised FRCP 5.2(a) reads:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer-identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and
(4) the last four digits of the financial-account number.
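The four permitted forms above are mechanical enough to check before a document is filed. The following Python helper is an added example and is not part of this post or of any court's software: it masks social-security and taxpayer-identification numbers and financial-account numbers down to their last four digits, reduces a birth date to its year, and replaces the full names of minors with initials. The regular expressions, the eight-or-more-digit heuristic for account numbers, and the sample filing text are all assumptions constructed for the example; minors cannot be detected automatically, so their names must be supplied by the filer.

```python
"""Redaction helper modelled on FRCP 5.2(a). Added example, not from the post.
Handles SSN/TIN, birth dates, financial-account numbers, and a caller-supplied
list of minors' names (minors cannot be detected automatically)."""
import re

# Constructed sample filing text; every identifier in it is fictitious.
SAMPLE_FILING = (
    "Plaintiff John Q. Public, SSN 123-45-6789, born 03/14/1975, holds "
    "account no. 9876543210 at First Example Bank. His employer's EIN is "
    "12-3456789. His minor child, Jane Public, is a witness."
)

# Assumed patterns: US-style SSN, EIN, M/D/YYYY date, and a heuristic that
# treats an unbroken run of 8+ digits as a financial-account number.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
    "birth_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "account": re.compile(r"\b\d{8,}\b"),
}


def last_four(token: str) -> str:
    """Keep the last four digits, mask every other digit, preserve separators."""
    total = sum(c.isdigit() for c in token)
    digits_seen = 0
    out = []
    for c in token:
        if c.isdigit():
            digits_seen += 1
            out.append(c if digits_seen > total - 4 else "X")
        else:
            out.append(c)
    return "".join(out)


def year_only(token: str) -> str:
    """Reduce an M/D/YYYY date to the year, as rule 5.2(a)(2) permits."""
    return token.rsplit("/", 1)[1]


def initials(name: str) -> str:
    """'Jane Public' -> 'J.P.' (rule 5.2(a)(3))."""
    return "".join(part[0].upper() + "." for part in name.split())


def redact(text: str, minors=()) -> str:
    """Return the filing text with every covered identifier reduced to its permitted form."""
    for name in minors:
        text = re.sub(re.escape(name), initials(name), text)
    text = PATTERNS["birth_date"].sub(lambda m: year_only(m.group(0)), text)
    for key in ("ssn", "ein", "account"):
        text = PATTERNS[key].sub(lambda m: last_four(m.group(0)), text)
    return text


def find_unredacted(text: str, minors=()) -> list:
    """Pre-filing check: list (category, value) pairs still present in the text."""
    hits = [(k, m.group(0)) for k, p in PATTERNS.items() for m in p.finditer(text)]
    hits += [("minor", n) for n in minors if n in text]
    return hits


if __name__ == "__main__":
    minors = ["Jane Public"]
    print("before:", find_unredacted(SAMPLE_FILING, minors))
    cleaned = redact(SAMPLE_FILING, minors)
    print(cleaned)
    print("after:", find_unredacted(cleaned, minors))
```

Running `find_unredacted` on the original text lists one hit per category, and running it again on the output of `redact` returns an empty list, which is the check a filer would want to see before uploading a document. The patterns are deliberately narrow; a real filing may carry account numbers with separators or dates in other formats, so the pattern table is where a practitioner would extend it.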

Last month, the federal district court in Minnesota imposed a $5,000 fine against an attorney who violated FRCP 5.2(a) by including personal information in a court filing. The court also ordered the attorney to contact each of the 179 individuals whose private information had been improperly disclosed in the non-compliant court filing and to offer each of them, at the attorney’s expense, individualized credit reports and a year’s worth of quarterly credit monitoring services. Furthermore, the court ordered the sanctioned attorney to appear in court next year to report on the status of the credit reports. In the opinion, the court noted that it was “deeply concerned with the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents.”

The court’s ruling should serve as a wake-up call to attorneys that they too must be careful to comply with privacy and data protection rules aimed at reducing the risk of identity theft.

This entry was written by Richard L. Sloane.

Photo credit: Kameleon007

Contemporaneous Announcements of Obama's Cybersecurity Agenda and of the "Biggest Security Breach Ever" Should Highlight for Employers the Message of National Data Privacy Day

Today — January 28, 2009 — is National Data Privacy Day, which, according to a January 2009 Resolution of the House of Representatives, “constitutes an international collaboration and a nationwide and statewide effort to raise awareness about data privacy and the protection of personal information on the Internet.” This reference to “international collaboration” is not precatory. Canada and the 27 Member States of the European Union also are seeking to focus attention on data privacy today by celebrating their own National Data Privacy Day. In light of two recent events that preceded National Data Privacy Day by only one week, HR departments should take note.

On January 22, 2009, Barack Obama’s first full day as President, he outlined, on the Whitehouse.gov website, his plan to enhance the nation’s cybersecurity. Two central planks of that plan will have a direct impact on employers. First, the plan calls on private industry to “secure personal data stored . . . on private systems” and to institute a “common standard for securing such data.” Second, the plan would create national standards for corporate security breach notification. Put simply, federal data protection and security breach notification legislation is on the way; it is just a matter of time. Such legislation most likely would have the beneficial effect of relieving multi-state employers from the burdens of complying with a patchwork of state data protection and security breach notification laws. Federal legislation, however, also would bring the substantial resources and enforcement power of the federal government to an area of the law that has, to date, seen only fledgling enforcement by the states.

On the day before the cybersecurity announcement – Inauguration Day – Heartland Payment Systems, Inc., one of the five largest credit card processors in the U.S., announced that its computer network had been hacked at some unknown time in 2008. The cybercriminals reportedly planted malicious software on Heartland’s network that might have duplicated as many as 100 million credit cards. Although Heartland has not yet revealed the number of affected credit card holders (and, indeed, may never be able to get an exact count), one respected commentator predicted that Heartland’s would be the “biggest breach ever.” Lesson learned: if a credit card processor – with a presumed interest in enhanced information security – can be breached, other organizations are vulnerable as well.

This confluence of events should serve as a clarion call to corporate HR departments — the repositories of the “crown jewels of ID theft,” i.e., an employee’s Social Security number, bank account number, rate of pay, and date of birth — that data privacy no longer is a “back burner” issue. Beyond that, enhancing information security in these times of severe fiscal constraints can be accomplished with virtually no out-of-pocket expense on hardware or software. A few no-cost steps are listed below:

  • Administrative Access Controls: Restrict access to paper documents and electronic files containing personal information to those with a need to know and limit authorized access to the minimum personal information necessary to perform legitimate business activities.
  • Establish Clearance Procedures: Only employees who have demonstrated their trustworthiness through years of service or who have been subject to a background check should be authorized to access personal information. Temporary workers generally should not be given access.
  • Promptly Modify Access Rights: Terminated employees should not be permitted to access physical locations where personal information is stored, and their electronic access should be terminated upon termination of employment. Rights of access to personal information in paper and electronic form should be modified as job responsibilities change.
  • Control Off-Site Use of Personal Information: Require that employees obtain prior approval before removing any personal information, whether in paper or electronic form, from corporate facilities. Personal information in paper form should be returned, and electronic information should be deleted, promptly after the business purpose that justified the off-site transfer has been accomplished.
  • Vendor Management: Engage in due diligence with respect to information security before selecting a vendor who will receive personal information. Vendor agreements should contain provisions that address data security with specificity.
  • Ensure Proper Destruction of Personal Information: Personal information in paper form should be shredded. Electronic personal information should be rendered irretrievable before discarding the equipment on which it is stored.