Privacy

First Ever Multi-State Data Breach Lawsuit Targets Healthcare Provider: Cybersecurity Trends

Just as the number of data breaches continues to rise, the number of lawsuits over data breaches continues to rise as well. Chances are that your data has been exposed at some point by at least one company with which you do business. But this lawsuit is unique.

According to The Expert Institute (12 US States Join Forces to File First Ever Multi-State Data Breach Lawsuit, written by Victoria Negron), an Indiana court will serve as the venue for the first-ever multistate data breach lawsuit, as the attorneys general of twelve US states join forces against a healthcare provider and its subsidiary.

The lawsuit alleges that Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. The stolen information included not only identifying details, such as names and Social Security numbers, but also healthcare information, including diagnoses and lab results.

Patients whose data was stolen in the hack had visited 11 different healthcare providers and 44 different radiology clinics, all of whom shared one common feature: they used the WebChart app offered by Medical Informatics Engineering and NoMoreClipboard. Most of the affected patients lived in Indiana, but several others were residents of different states.

In response to the hack, the attorneys general from Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have jointly filed a cross-state lawsuit alleging multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit claims that the defendants failed to implement “basic industry-accepted data security measures,” leading to the breach.

According to the article, “tester” accounts with easily guessed default usernames and passwords enabled the hackers to launch a SQL injection attack (in which attacker-supplied input is treated as part of a SQL statement sent to the web application’s database, letting the attacker read or alter data the application never intended to expose). That gave them information that eventually led to access to the medical data. Allegedly, Digital Defense, a company specializing in network security solutions, tested the software in 2014 and 2015 and reported “high risk” findings in the way the system was designed both times, yet the lawsuit alleges that the defendants made no changes after Digital Defense’s warnings.
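To make the two failures above concrete, here is an added example (not code from the post, the lawsuit, or the WebChart software) in Python against an in-memory SQLite database. The table names, the “tester” account, and the single patient row are constructed for illustration. It shows a login lookup that splices user input into the SQL string, the same lookup with bound parameters, and a small hygiene check that flags accounts still carrying default credentials.

```python
import sqlite3


def build_db():
    """Construct a throwaway database with a default 'tester' account (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("tester", "tester", "tester"),       # constructed default account, password == username
        ("admin", "c0rrect-horse", "admin"),  # constructed privileged account
    ])
    cur.execute("CREATE TABLE patient_records (patient TEXT, diagnosis TEXT)")
    cur.executemany("INSERT INTO patient_records VALUES (?, ?)", [
        ("P001", "constructed sample diagnosis"),  # constructed, not real PHI
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: the input is parsed as SQL.

    A username of  admin' --  closes the string literal and comments out the
    password check, so the query returns the admin row for any password.
    A username of  ' UNION SELECT patient, diagnosis FROM patient_records --
    turns a login lookup into a read of a completely different table.
    """
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Binds the input as data with placeholders; quotes and comments stay inert."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def find_default_accounts(conn, defaults=("tester", "test", "admin", "guest", "password")):
    """Flag accounts whose password equals the username or a well-known default.

    Returns the usernames that should be disabled or re-credentialed before
    the application is exposed to the network.
    """
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    return [user for user, pw in rows if pw == user or pw in defaults]


if __name__ == "__main__":
    db = build_db()
    bypass = "admin' --"
    exfil = "' UNION SELECT patient, diagnosis FROM patient_records --"
    print("vulnerable, auth bypass :", login_vulnerable(db, bypass, "wrong"))
    print("vulnerable, data read   :", login_vulnerable(db, exfil, ""))
    print("parameterized, bypass   :", login_parameterized(db, bypass, "wrong"))
    print("parameterized, data read:", login_parameterized(db, exfil, ""))
    print("accounts on defaults    :", find_default_accounts(db))
```

Run as a script, the vulnerable function returns the admin row and then a patient row for inputs that were supposed to be usernames, while the parameterized version returns nothing for both. The default-credential check is the part a pentest report like the one described in the post would have led with: a low-privilege account with a guessable password is what gives an outsider a foothold to send the crafted input in the first place.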

Amazingly, not all states allow patients whose personal health information (PHI) is breached to bring a private right of action over the breach (hopefully that changes someday), so pursuing litigation at the state level enables the attorneys general named in the complaint to more directly address HIPAA violations and the alleged misconduct that may have caused them. Of course, a breach often takes months to discover, so it’s not just about preventing the breach, it’s also about detecting it.

So, what do you think?  Will we see more groups of states go after companies who fail to protect sensitive consumer data?  Please let me know your thoughts or if you have a topic that you’d like to suggest.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

After Woman’s iPhone is Seized and She Sues, Homeland Security Agrees to Delete Her Data: eDiscovery Case Law

An American Muslim woman filed suit and asked a federal judge to compel border officials to erase data copied from her iPhone. She has now settled her lawsuit with the government because federal authorities agreed to delete the seized data.

As discussed in Ars Technica (Feds took woman’s iPhone at border, she sued, now they agree to delete data, written by Cyrus Farivar), in the case Lazoja v. Nielsen, attorneys for the woman, Rejhane Lazoja, filed what’s called a Rule 41(g) Motion, otherwise known as a “Motion to Return Property.” Normally, this rule is invoked for tangible items seized as part of a criminal investigation, not for digital data that can easily be copied, bit for bit. But here, the plaintiff asked the judge to “return” data that she already had: her iPhone itself was returned, fully intact, 90 days after the seizure, while the government kept the copy it had made.

Lazoja’s case has raised new questions about the state of the law with respect to warrantless border searches, particularly in the wake of two notable Supreme Court cases that have dealt with digital privacy in recent years, Carpenter v. United States (2018) and Riley v. California (2014). The government claims that it has the authority to search and seize someone’s device without a warrant, which would otherwise be needed in the interior of the country. Federal authorities rely on what’s known as the “border doctrine,” the controversial but standing legal idea that warrants are not required to conduct a search at the border. The theory has been generally recognized by courts, even in recent years.

In this case, however, Lazoja settled her lawsuit with the government after federal authorities agreed to delete the seized data.  So, the unusual approach worked in this case.

So, what do you think? Should deletion of seized data be covered by a Rule 41(g) motion? Please let us know any comments you might have or if you’d like to know more about a particular topic.

Case link courtesy of eDiscovery Assistant.

California’s AG is Not Happy with the State’s New Consumer Privacy Act: Data Privacy Trends

As I noted a couple of months ago, 2018 is certainly on its way to becoming the year of data privacy rights for the individual.  And, back in June, the California Consumer Privacy Act of 2018 was approved unanimously by the state Senate and Assembly and was signed by Gov. Jerry Brown.  But, California’s AG has just ripped lawmakers for ‘unworkable’ provisions in the new law.

As discussed in Legaltech® News (California AG Rips Lawmakers for ‘Unworkable’ Provisions in New Data Privacy Law, written by Mike Scarcella), California Attorney General Xavier Becerra lashed out at lawmakers for imposing “unworkable obligations and serious operational challenges” on his office by effectively making him the chief enforcer of the new law.

In an August 22 letter to legislators who helped get the law passed in June, Becerra complained that his office is not equipped to handle all the related duties, including quickly drafting regulations and advising businesses about compliance with the California Consumer Privacy Act, or CCPA.

“Failure to cure these identified flaws will undermine California’s authority to launch and sustain vigorous oversight and effective enforcement of the CCPA’s critical privacy protections,” Becerra wrote in the letter.  Becerra also questioned the legality of the civil penalties included in the new law, which he said improperly modified the state’s Unfair Competition Law, or UCL.

“The UCL’s civil penalty laws were enacted by the voters through Proposition 64 in 2004 and cannot be amended through legislation,” Becerra wrote. The data-privacy law’s “constitutional infirmity” can be cured “by simply replacing the CCPA’s current penalty provision with a conventional stand-alone enforcement provision” that does not purport to change the Unfair Competition Law.

Lawmakers tried to address some of the attorney general’s concerns in clean-up legislation that was pending Wednesday in the Assembly. One bill, SB 1121, drops a requirement in the Consumer Privacy Act that consumers must first notify the attorney general’s office before suing over a data breach. The pending legislation recasts the civil penalty provisions and delays enforcement of the new law until six months after the attorney general publishes new regulations or July 1, 2020—whichever is sooner.

A separately pending budget bill would also appropriate $700,000 to Becerra’s office for help drafting and enforcing the new regulations. But the changes do not include a broader private right of action, sought by the attorney general, that would shift the litigation burden to consumers. Such a provision would have attracted fierce opposition from business groups that oppose any expansion of plaintiffs’ ability to bring class actions and individual suits.

Becerra’s beefs with the Consumer Privacy Act foreshadow the fights that are looming over the state’s sweeping digital information law as interests, including those in government, push to alter its reach and enforcement before it goes into effect in 2020.  And, the business lobby is already pushing to narrow what they have to disclose to consumers about information that is collected about them. Companies are also lobbying the federal government for industry friendly rules that would preempt California’s new law.  It looks like California’s new privacy law may look a bit different when it goes into effect in January 2020 – if that timeline still holds.

So, what do you think?  Will California’s privacy law still hold as is?  Or will it be changed significantly?  Please share any comments you might have or if you’d like to know more about a particular topic.

Court Grants Defendant’s Motion to Compel Various Records from Plaintiff in “Slip and Fall” Case: eDiscovery Case Law

In Hinostroza v. Denny’s Inc., No.: 2:17–cv–02561–RFB–NJK (D. Nev. June 29, 2018), Nevada Magistrate Judge Nancy J. Koppe granted the defendant’s motion to compel discovery of various sources of ESI related to the plaintiff’s claim of injuries resulting from a “slip and fall” accident at one of the defendant’s restaurants.

Case Background

In March 2018, the defendant requested various releases from the plaintiff to obtain documents regarding her employment, a prior car accident in 2015, and records from medical providers; the plaintiff provided some of the requested releases in the same month. In April 2018, the parties met and conferred three times regarding the outstanding releases, as well as the plaintiff’s responses to the defendant’s amended second set of requests for production of documents. When the parties were unable to resolve their discovery disputes, the defendant filed the instant motion to compel the outstanding releases and responses to its requests.

Judge’s Ruling

Noting that the “burden is on the party resisting discovery to show why a discovery request should be denied by specifying in detail, as opposed to general and boilerplate objections, why ‘each request is irrelevant’”, Judge Koppe ruled on each of the following sources of ESI requested by the defendant:

  • Copies of any and all documents related to the 2015 car accident the plaintiff identified in her response to Defendant’s Interrogatory No. 18, as well as information regarding two slip and fall accidents in 2012 where the plaintiff was treated by an orthopedist and a neurologist: Judge Koppe said that “Medical records of injuries prior to an alleged accident are relevant to the issue of whether the injuries existed at the time of the accident and whether the accident caused or aggravated the injuries” and also noted that “police reports and insurance records are relevant because they likely contain statements, photographs, or other information ‘to confirm or refute [a plaintiff’s] allegation [he or she] was not injured’ in an accident”. Because “Courts within the Ninth Circuit have found that medical records and reports dating between three years to ten years prior to an alleged accident are discoverable”, Judge Koppe granted the defendant’s request for this information.
  • Copies of any text messages, emails, or other written communications between either the plaintiff or her counsel and several witnesses and a copy of all text messages or emails the plaintiff sent in the 48 hours after the Subject Accident: Noting that “Phone records are discoverable if the request is narrowly tailored in date and time and relates to a key issue in the case”, Judge Koppe granted in part this request.
  • Copies of any [of] the data of any type of FitBit, or other activity tracker device from five (5) years prior to the Subject Accident through the present: Noting that the plaintiff had waived objections that the request was overbroad and unduly burdensome because she did not raise these objections in her initial response to Defendant’s amended second set of requests for production, Judge Koppe ordered the plaintiff to “supplement her response to Defendant’s request for production number 30 to fully describe the search she conducted for responsive documents, by July 20, 2018.”
  • Copies or allow for inspection, any social media account the plaintiff had from five (5) years prior to the Subject Accident through the present: Noting that “information from social media is relevant to claims of emotional distress because social media activity, to an extent, is reflective of an individual’s contemporaneous emotions and mental state”, Judge Koppe found “that social media information and communications are relevant and, thus, discoverable under Fed.R.Civ.P. 26(b)” and granted the defendant’s request for that information.
  • Authorization for the release of the plaintiff’s employment records: Despite the fact that the plaintiff claimed she was no longer pursuing a lost wage claim, Judge Koppe noted that “an amended complaint reflecting Plaintiff’s new claims has not been filed” and also observed that “it appears that Plaintiff’s claims of “limited occupational … activities … [and] loss of earning capacity” remain in her complaint”, so she granted the defendant’s request as well.

So, what do you think? Did the judge fail to take into account the privacy concerns of the plaintiff, or should relevance override privacy concerns in this case? Please let us know any comments you might have or if you’d like to know more about a particular topic.

SCOTUS Says Warrantless Access of Cell Phone Locations Violates Fourth Amendment: eDiscovery Case Week

eDiscovery Case Week continues!  We’re catching up on cases leading up to our webcast tomorrow where Tom O’Connor and I will be talking about key eDiscovery case law for the first half of 2018.  With that in mind, this is a key case decision that happened when I was on a family vacation last month.  Did you miss it?  In case you did, here it is.

In Carpenter v. U.S., No. 16–402 (U.S. June 22, 2018), the United States Supreme Court (SCOTUS) held, in a 5–4 decision authored by Chief Justice Roberts, that the government violates the Fourth Amendment to the United States Constitution by accessing historical records containing the physical locations of cellphones without a search warrant.

In 2011, Timothy Carpenter was arrested on suspicion of participating in a string of armed robberies at RadioShack and T-Mobile stores in Michigan and Ohio. In the course of the investigation, FBI agents acquired transactional records from Carpenter’s cell phone carrier. The government sought this data pursuant to the Stored Communications Act of 1986, which allows law enforcement to obtain communications records by demonstrating “specific and articulable facts” that the records are relevant to an ongoing investigation, rather than probable cause that a crime has been committed. The trial court denied Carpenter’s motion to suppress the records, and a jury convicted him of firearms violations and violations of the Hobbs Act. On appeal, Carpenter maintained that the acquisition of his cellular data without a warrant violated his Fourth Amendment rights, but the Sixth Circuit held that such a seizure did not constitute a “search” under the Fourth Amendment.  Carpenter petitioned to have the case heard by SCOTUS, which heard arguments in November 2017.

The Court issued its decision on June 22, 2018, with the court split 5–4 to reverse and remand the decision by the lower courts. In a very lengthy ruling, Chief Justice Roberts wrote the majority opinion, with associate Justices Ginsburg, Breyer, Sotomayor, and Kagan joining Roberts’ opinion. The majority determined that the third-party doctrine applied to telephone communications in Smith v. Maryland could not be applied to cellphone technology and ruled that the government must obtain a warrant in order to access historical cellphone records. Roberts argued that technology “has afforded law enforcement a powerful new tool to carry out its important responsibilities. At the same time, this tool risks Government encroachment of the sort the Framers [of the US Constitution], after consulting the lessons of history, drafted the Fourth Amendment to prevent.”

Roberts also considered that “detailed, encyclopedic and effortlessly” tracking a person by cell towers was similar to that of using a Global Positioning System (GPS) tracking device as determined by United States v. Jones. Roberts stressed that the decision is a very narrow ruling; it does not affect other parts of the third-party doctrine, such as banking records, nor does it prevent collection of cell tower data without a warrant in emergencies or for national security issues.

Justices Kennedy, Thomas, Alito, and Gorsuch each wrote dissenting opinions.  Justice Alito wrote in his dissent:

“I share the Court’s concern about the effect of new technology on personal privacy, but I fear that today’s decision will do far more harm than good. The Court’s reasoning fractures two fundamental pillars of Fourth Amendment law, and in doing so, it guarantees a blizzard of litigation while threatening many legitimate and valuable investigative practices upon which law enforcement has rightfully come to rely.”

So, what do you think? Does this ruling appropriately limit law enforcement use of private cell phone location data without a warrant, or does it hamstring the ability of law enforcement to adequately investigate suspects? Please let us know any comments you might have or if you’d like to know more about a particular topic.

FTC Cracks Down on Privacy Shield Posers: Data Privacy Trends

Did you ever wonder what happens if a company falsely claims that they are certified compliant with either the EU-U.S. or Swiss-U.S. Privacy Shield framework?  Or falsely claims that they are in the process of being certified compliant?  Apparently, the Federal Trade Commission (FTC) gets on their case about it.

According to ACEDS (California Company Settles FTC Charges Related to Privacy Shield Participation), ReadyTech Corporation, a California company, has agreed to settle Federal Trade Commission allegations that it falsely claimed it was in the process of being certified as complying with the EU-U.S. Privacy Shield framework, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law (we covered details of the framework when it was introduced over two years ago).

“Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield,” FTC Chairman Joe Simons commented. “We believe Privacy Shield is a critical tool for ensuring transatlantic data flows and protecting privacy that benefits both companies and consumers.”

According to the FTC’s complaint, the Commission alleges that ReadyTech, which provides online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” While ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

The FTC alleges in its complaint that the company’s false claim that it is in the process of certification violates the FTC Act’s prohibition against deceptive acts or practices.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing Privacy Shield. It continues the FTC’s commitment to enforcing international privacy frameworks, making a total of 47 cases enforcing the Privacy Shield, the predecessor Safe Harbor framework, and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework.

As you may or may not know, CloudNine is certified for both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (so, yes, at CloudNine we are “certifiable”). :o) Periodically, you have to recertify; in fact, I just completed the recertification process for CloudNine a while back. It’s good to know that somebody is checking up on companies to make sure that their claims of being Privacy Shield compliant are valid.

So, what do you think?  Is your organization privacy shield certified?  Are your providers certified?  Please share any comments you might have or if you’d like to know more about a particular topic.

P.S. — Happy Birthday, Kiley!  You’re now officially a teenager!  😮

In California, Data Privacy Foresight is 2020: Data Privacy Trends

2018 is certainly on its way to becoming the year of data privacy rights for the individual.  Barely over a month after the General Data Protection Regulation (GDPR) came into effect in the European Union, California has passed a new data privacy law which will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties.

As reported by the ABA Journal, ARS Technica and Ride the Lightning (among other sites), the California Consumer Privacy Act of 2018 was approved unanimously by the state Senate and Assembly on June 28 and was signed by Gov. Jerry Brown.  The law is set to take effect on January 1, 2020 (which explains my “clever” blog title)… :o)

A legislative bill summary says the law will give Californians “the right to know what PI [personal information] is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer; and the right to equal service and price, even if they exercise such rights.”

The bill requires companies to disclose personal data collected when a consumer requests it, up to two times a year, and to delete and stop selling the personal information to third parties upon request. It also prevents businesses from selling personal information about minors to third parties, unless the parent of a minor younger than 13 affirmatively authorizes the sale, or a minor between the ages of 13 and 16 opts in to the sale.

A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when a company fails to maintain reasonable security procedures. However, consumers can’t sue unless 1) they first notify the business and the state attorney general, 2) the business doesn’t correct the problem within 30 days and 3) the state attorney general does not bar the suit. A lot of contingencies and a small damage amount, though that number could add up if several consumers are involved and sue. Also, intentional violations can bring civil penalties of up to $7,500 per violation.

The group Californians for Consumer Privacy had sponsored a ballot initiative and had gathered roughly 625,000 signatures to get the initiative on the ballot in November, but group chair and ballot question sponsor Alastair Mactaggart agreed to pull the question if the state passed the bill by June 28, the last day in which the question could be pulled from the ballot.

Will other states follow suit?  In 2018, the year of data privacy, I wouldn’t be surprised if they do and do so quickly.

So, what do you think? Does this law go far enough in protecting the data privacy rights of Californians? Or does it fall short? Please let us know any comments you might have or if you’d like to know more about a particular topic.

GDPR is Here! Is Your Law Firm Fully Prepared for It? Maybe Not: Data Privacy Trends

Unless you live under a rock, you know that the deadline for compliance with Europe’s General Data Protection Regulation (GDPR) has come and gone (it was May 25 – almost three weeks ago now).  So, does that mean your law firm is fully ready for it?  Based on the results of one survey, the odds are more than 50-50 that they’re not.

In Legaltech® News (Not Just Corporate: Law Firms Too Are Struggling With GDPR Compliance, written by Rhys Dipshan), the author covers a recent Wolters Kluwer survey which was conducted among 74 medium (26-100 staff members) to large (100-plus) law firms.  The result?  Less than half (47 percent) feel fully prepared to address the new GDPR requirements.  Another 16 percent of respondents said they were somewhat prepared and more than a third (37 percent) had made no specific preparations.

Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. “Many of the law firms kind of half expected that there would be a delay, and they wouldn’t have had to solve the problem by May 25,” he said.  Ader also noted that the lack of preparation was also a sign that “law firms just don’t have the necessary skills, people, and budget to figure out how to handle GDPR.”

Other notable results:

  • Fewer than half of respondents (43 percent) had assigned a Data Protection Officer, a requirement for many organizations under GDPR. However, nearly 60 percent had assigned an individual, team or outside consultant to lead GDPR compliance efforts. And, approximately 72 percent of those surveyed were also investing in cybersecurity solutions due to the new regulation.
  • With regard to employee training on security, the survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Amazingly, 17 percent of respondents did not conduct training and had no plans to train at all.

If you’re a client of a law firm, you may want to check to see if your firm can demonstrate full preparedness for GDPR.  If you believe this survey, chances are greater that they can’t do so than they can.

So, what do you think?  Is your organization fully prepared for GDPR?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

Unsure About How to Map Your Data for GDPR? Here are Several Templates to Get Started: Data Privacy Best Practices

Now that Europe’s General Data Protection Regulation (GDPR) is in effect, every organization has a good handle on all of its data, including which personally identifiable information (PII) it handles for European data subjects, and has clear policies for how it protects that PII.  Right?  OK, maybe not.  If your organization is still scrambling to comply with GDPR and still trying to get a handle on the data you’re managing and the flow of that data, here is a site with several templates to help you get started in that process.

The site Demplates has templates for all sorts of things, including SWOT analysis templates (we wrote about the benefits of a SWOT analysis here), Certificates of Appreciation for employees, even Pest Control Service Agreements.  A couple of months ago (on my birthday, no less), the site posted GDPR Data Mapping Template: 10+ Print-Ready Templates, with several useful templates to help organizations create data maps, data flow diagrams, GDPR Data Processing Notices, privacy policy and data protection policy statements, data protection impact assessments and data audits.  The template documents are in different formats, including Excel, Word and Visio.  Here are pictures of a couple of examples:

With the challenges these days stemming from the growth of big data, data mapping is a good organizational practice, not only to help get a handle on your organization’s big data, but also to document your organization’s handling of PII and its compliance with GDPR’s requirements for handling PII.  Tom O’Connor and I talked about the importance of data mapping in our webcast on GDPR back in February (you can check it out here).  Data mapping supports compliance with and adherence to critical GDPR requirements such as:

  • Maintenance of the data lifecycle;
  • Documentation that records are kept in adherence to the rules of GDPR to submit to the regulatory and supervising authorities;
  • Maintaining Accountability of the data for the full data lifecycle;
  • Evidence for the organization that the data is protected in its full cycle.

If you’re still scrambling to comply with GDPR, perhaps one or more of these templates can help you document your compliance or help you discover one or more areas where you may be deficient in your compliance.

So, what do you think?  Is your organization still trying to comply with GDPR?  Does your organization have a data map?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

Fourth Circuit Rules that Warrantless Cell Phone is Warranted: Data Privacy Trends

Don’t let my cute title confuse you.  In this case, the Fourth Circuit issued an interesting decision regarding whether a warrant is required to search an individual’s cell phone.

According to Sharon Nelson’s terrific Ride the Lightning blog (4th Circuit Says Border Search of Phones Requires Individualized Suspicion (But Not a Warrant)), on May 9th, the Fourth Circuit Court of Appeals issued a decision in US v. Kolsuz, ruling that in light of the immense privacy concerns, forensic searches of electronic devices seized at the border must be justified by individualized suspicion, or some reason to believe that a particular traveler had committed a crime.  But not a warrant.

The appeals court said border patrol officers had reasonable suspicion to conduct a forensic search of Hamza Kolsuz’s cellphone, and they were entitled to rely on that standard based on case law that suggested it was, at most, all that was required. The officers had seized Kolsuz’s phone after they found firearms parts that required an export license in his checked luggage. It was the third time weapons parts were found in his luggage.  That certainly seems like reasonable suspicion to me.

The forensic search of Kolsuz’s phone produced information that included personal contact lists, e-mails, messenger conversations, photographs, videos, calendar, web browsing history, call logs and GPS tracking history. He was sentenced to 30 months in prison after a conviction for violating the Arms Export Control Act and conspiracy.

The federal government had contended that searches of electronic devices require no warrant or individualized suspicion under an exception that allows searches of suitcases at the border.  Tom O’Connor discussed the Border Entry exception as part of his Understanding eDiscovery in Criminal Cases on our blog here.

The decision is the first federal appellate ruling to require individualized suspicion in a border search of a cellphone since the U.S. Supreme Court ruled in Riley v. California in 2014 (which Tom O’Connor also discussed on our blog here) that police generally can’t search the contents of a cellphone seized during an arrest, unless they get a warrant, according to the Electronic Frontier Foundation (EFF).

Under Riley’s recognition of the extensive information stored on cellphones, the Fourth Circuit said, the forensic search of Kolsuz’s phone should be considered a nonroutine border search that requires some measure of individualized suspicion.

The EFF and the ACLU had filed amicus briefs urging the Fourth Circuit to go further and hold that probable cause is needed before a search of electronic devices, whether it’s a manual search or one using forensic software.

After arguments in the case, the Department of Homeland Security adopted a policy that treats forensic searches of digital devices as nonroutine border searches requiring reasonable suspicion of activity that violates the customs laws or in cases raising national security concerns, according to the opinion.

The ACLU and the EFF have filed a separate lawsuit that challenges warrantless searches of electronic devices at the border.  In her blog, Sharon notes that she “remain(s) on their side.”  We can agree to disagree on this one… :o)

So, what do you think?  Should cell phone and other electronic device searches at the border require a warrant?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.
