eDiscovery Daily Blog

It Was Only a Matter of Time Before The Sedona Conference Weighed in on Privacy and Security: eDiscovery Best Practices

When we started this blog over five years ago, privacy and security weren’t the big topics they are today.  Now, there seems to be a story about a data breach practically every day, and privacy is a major issue, especially internationally.  Thankfully, The Sedona Conference® has created a guide to help with this growing issue.

The Sedona Conference Working Group on Electronic Document Retention and Production (WG1) has just rolled out the final release of its new Commentary on Privacy and Information Security: Principles and Guidelines for Lawyers, Law Firms, and Other Legal Service Providers.  As the name implies, it’s a guide for all of us!  I say “final release” because the public comment version of the Commentary was published back in July, after more than two years of dialogue, review, and revision, including discussion at several working group meetings, and this new release reflects changes resulting from the comments received.

The Commentary is divided into several sections, including:

  • Section I: A brief Introduction and statement of Principles;
  • Section II: Identifies some of the major sources of a provider’s duty to protect private and confidential information;
  • Section III: Describes a process by which legal service providers may conduct thorough security risk assessments, taking into account the information they possess, the vulnerability of that information to unauthorized disclosures, breaches, loss, or theft, and the way in which each provider may mitigate those threats by adopting a structured or layered approach to protect private and confidential information; and
  • Section IV: Delves into various policies and practices that can address privacy and information security, setting forth processes that can be scaled to the needs and circumstances of an individual legal service provider.

The guide also includes appendices that discuss privacy and security in the Health Care and Financial Services industries.

Of course, the heart of any Sedona Conference guide is its principles – here are the seven principles stated in this guide:

  • Principle 1: Legal service providers should develop and maintain appropriate knowledge of applicable legal authority including statutes, regulations, rules, and contractual obligations in order to identify, protect, and secure private and confidential information.
  • Principle 2: Legal service providers should periodically conduct a risk assessment of information within their possession, custody, or control that considers its sensitivity, vulnerability, and the harm that would result from its loss or disclosure.
  • Principle 3: After completing a risk assessment, legal service providers should develop and implement reasonable and appropriate policies and practices to mitigate the risks identified in the risk assessment.
  • Principle 4: Legal service providers’ policies and practices should address privacy and security in reasonably foreseeable circumstances, and reasonably anticipate the possibility of an unauthorized disclosure, breach, loss, or theft of private or confidential information.
  • Principle 5: Legal service providers’ privacy and information security policies and practices should apply to, and include, regular training for their officers, managers, employees, and relevant contractors.
  • Principle 6: Legal service providers should monitor their practices for compliance with privacy and security policies.
  • Principle 7: Legal service providers should periodically reassess risks and update their privacy and information security policies and practices to address changing circumstances.

Hopefully, these principles will influence providers of legal services to improve their own privacy and security practices.  The PDF guide can be downloaded here and, as always, it’s free!

So, what do you think?  Do you plan to adopt these principles and guidelines for managing security and privacy within your organization?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
