By: Michael Singer
Edited By: Sigalle Barness
First there was the dream of “big data” (look at all this data we can collect and store and play with!). Then there was the big data breach, with its attendant privacy and identity theft nightmares. When is big data too much data and how can an organization get a handle on it so it’s not a sitting duck for hackers? Jenner & Block’s Mary Ellen Callahan and Heidi L. Wachs shed some light on this and other issues in their recent Lawline program Developing Issues in Global Privacy and Risk Management.
Some are even beginning to call it Creepy Data—the stuff that makes the average lawyer cringe. “You want to collect what? Why?” There is such a thing as too much data. And too much data can be, well…“creepy.” While they don’t draw an uncrossable line where “your clients’ data collection practices become creepy,” Callahan and Wachs do offer some insight on what creepy data may look like:
- companies that collect data with no particular purpose in mind and hence never use the data they are holding on to;
- collecting data with the intent of keeping it stored “forever,” even if it’s not being used, which Wachs has encountered on more than one occasion;
- when a company finds out that ex-employees years removed from the organization still have access to all the company databases.
Callahan and Wachs would probably argue that “creepy” also implies “dangerous” to companies, their customers, and vendors. In an era where serious security and data breaches are a click or lost cell phone away, it behooves your clients to define and combat creepy data. Callahan and Wachs offer an approach for lawyers seeking to help clients with their overall approach to global privacy risk.
There’s no single standard. This is a growing and daunting area of law—data and privacy laws are being passed country by country, and here in the U.S., sector by sector and state by state. Callahan and Wachs throw a lifeline here with a concise listing of the official names of various privacy laws worldwide. What laws apply to your client depend on where your client is doing business—obviously, the bigger and more global they are, the more laws to comply with. The frustrating fact is “there is no single standard for compliance” in the privacy area. Yet the principles are the same worldwide, so once you understand them, you’re off to a good start.
So you need a comprehensive privacy program. The truly invaluable advice here stems from the work both Callahan and Wachs have done as privacy officers, Callahan as CPO of the Department of Homeland Security from 2009-2012 and Wachs as CPO of Georgetown University from 2007-2012. Each speaks from experience dealing with the explosion of data located on your clients’ (and probably your firm’s) servers.
First? Don’t keep your clients at arm’s length. Callahan encourages lawyers who are advising clients on a privacy program to establish relationships across the board in the organization, from IT to legal, compliance, customer service…basically get to know the entire company. This process requires getting into the trenches. Wachs adds that lawyers often don’t begin to ask the necessary questions until after an incident occurs or until an audit comes back with negative findings about something that needs to be fixed immediately. She agrees with Callahan: make friends with the IT department.
You’ve made friends—now what? Now it’s time to get a handle on the terabytes of info. What’s in this Comprehensive Privacy Program? Here are seven steps to getting data under control and knowing what your client has and why:
- Do a data inventory: understand what the company has and where it is stored.
- Privacy Impact Assessments: In what is perhaps the best line ever in the history of CLE presentations, Callahan and Wachs encourage you to “channel your inner five-year-old” when assessing privacy risk. Whenever they tell you they have something, you ask “Why?” And when they answer, you ask, “Why, why, why?” A company should not be keeping data forever (creepy, remember?). Nor should a company collect data without knowing why. As Callahan observes, if they don’t know why they are going to use it, they will never use it, and it will be sitting there, waiting to be hacked. Get rid of it.
- Vendor Review/Certification: This is the same as step two, except you do it with the company’s vendors. What company data do they have? What access to company data do they have? Engage them in data minimization discussions.
- Incident Response Planning: Make sure you test the plan before reality strikes!
- Third party contract obligations: What access do they have to your clients’ systems? Obtain the right to audit vendors and make sure the indemnification clause fits reality. A company doing a couple thousand dollars in business with your client can do millions in damage. Remember, even if a small third party causes a breach, the breach belongs to the big-name company.
- Identity Management & Governance: Review access credentials regularly. This avoids the ex-employee-with-access problem. Implement multi-factor authentication where possible.
- Adopt Data Loss Prevention (DLP) Tools: These systems can help scan and block certain data from transmission within and outside the organization.
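The access-credential review in the identity management step above is the kind of check that can be automated rather than done by hand once a year. The following is an added example, not material from the Lawline program or from Callahan and Wachs; it assumes a hypothetical HR roster and a directory export, both constructed inline, and flags accounts whose owner has left (the ex-employee problem), accounts nobody has used in 90 days, and accounts that reach the “crown jewel” groups without MFA.

```python
"""Periodic access review: flag orphaned, stale, and MFA-less privileged accounts.

Added illustration with constructed data. The roster and account export are
hypothetical stand-ins for an HR system and a directory service.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str               # HR employee id the account is tied to
    last_login: Optional[date]  # None means the account has never logged in
    mfa_enabled: bool
    groups: frozenset


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str
    detail: str


# Constructed HR roster: employee id -> (name, still employed?)
ROSTER = {
    "E100": ("Ada", True),
    "E101": ("Ben", False),   # left the company; account was never disabled
    "E102": ("Cy", True),
}

# Constructed directory export. "svc-backup" is a service account with no HR owner.
ACCOUNTS = [
    Account("ada", "E100", date(2024, 5, 1), True, frozenset({"hr-db"})),
    Account("ben", "E101", date(2023, 1, 15), True, frozenset({"hr-db", "finance"})),
    Account("cy", "E102", date(2024, 1, 2), False, frozenset({"finance"})),
    Account("svc-backup", "SVC-9", None, False, frozenset({"backups"})),
]

SENSITIVE_GROUPS = {"hr-db", "finance"}   # the "crown jewels" (SSNs, health data, payroll)
STALE_AFTER = timedelta(days=90)
AS_OF = date(2024, 6, 1)                   # review date used by the sample run


def review_access(accounts, roster, today, sensitive=SENSITIVE_GROUPS):
    """Return one Finding per problem; an account may produce several."""
    findings = []
    for acct in accounts:
        entry = roster.get(acct.owner_id)
        if entry is None:
            findings.append(Finding(acct.username, "unknown-owner",
                                    f"no roster record for {acct.owner_id}"))
        elif not entry[1]:
            findings.append(Finding(acct.username, "orphaned",
                                    f"owner {entry[0]} is no longer employed"))
        # Never-used or long-unused credentials are dead weight waiting to be abused.
        if acct.last_login is None or today - acct.last_login > STALE_AFTER:
            findings.append(Finding(acct.username, "stale",
                                    f"no login within {STALE_AFTER.days} days"))
        # Anything reaching the crown jewels should carry a second factor.
        touched = acct.groups & sensitive
        if touched and not acct.mfa_enabled:
            findings.append(Finding(acct.username, "no-mfa",
                                    f"reaches {sorted(touched)} without MFA"))
    return findings


def summarize(findings):
    """Count findings by issue type, handy for tracking the review over time."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(ACCOUNTS, ROSTER, AS_OF):
        print(f"{f.username:12} {f.issue:14} {f.detail}")
    print(summarize(review_access(ACCOUNTS, ROSTER, AS_OF)))
```

Run against a real directory export, the interesting output is not the count but the “orphaned” and “unknown-owner” rows: each one is an account nobody in HR will vouch for, which is exactly the situation Wachs describes finding years after someone has left.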
If this sounds like a lot, well, it is. But Callahan and Wachs have a message for you and your clients: pace yourself. You will not get all this done in one day. Start with the most important, most sensitive materials—the high-risk and high-volume assets, or what Callahan calls the “crown jewels” of the organization (social security numbers, health information, etc.). Work your way down the list. Lastly, make sure your clients are testing the systems they put in place. This is a stark warning from Callahan, especially as it relates to DLP systems, but it applies to the entire operation: don’t just turn it on. Know what will happen when you do—because something will happen the first day.
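Callahan’s warning about DLP, “don’t just turn it on,” is easiest to appreciate with a rule in front of you. The following is an added example, not from the program or the speakers: a hypothetical DLP rule for Social Security numbers is run in monitor mode over constructed outbound messages, first in a naive form and then in a tuned form, so you can see which messages each version would have blocked before anyone flips it to block mode.

```python
"""Dry-run a DLP pattern in monitor mode before enabling blocking.

Added illustration with constructed messages; the rules below are hypothetical,
not the configuration of any real DLP product.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    msg_id: str
    matched: bool
    action: str   # "allow", "log" (monitor mode) or "block"


# Naive rule: any ddd-dd-dddd token. Catches SSNs, but also ticket ids and
# number ranges that never were SSNs.
NAIVE_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Tuned rule: rejects area numbers the SSA never issues (000, 666, 900-999),
# group 00 and serial 0000, and refuses to match inside a longer hyphenated id.
TUNED_SSN_RE = re.compile(
    r"(?<![\w-])(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\w-])"
)

# Constructed outbound messages (message id, body).
MESSAGES = [
    ("m1", "Payroll export attached, SSN 123-45-6789 for review"),    # genuine hit
    ("m2", "Please see ticket INC-555-12-3456 for the outage notes"),  # ticket id, not an SSN
    ("m3", "Meeting moved to 3pm, dial-in 555-1234"),                  # clean
    ("m4", "Applicant 987-65-4321 cleared screening"),                 # 9xx area: never a valid SSN
]


def evaluate(messages, rule, mode):
    """Apply one rule to every message in either 'monitor' or 'block' mode."""
    decisions = []
    for msg_id, body in messages:
        hit = rule.search(body) is not None
        if not hit:
            action = "allow"
        elif mode == "monitor":
            action = "log"      # record it, let it through, review later
        else:
            action = "block"
        decisions.append(Decision(msg_id, hit, action))
    return decisions


def would_block(messages, rule):
    """Message ids a rule would stop once switched to block mode.

    This is the list to read through while the rule is still only logging.
    """
    return [d.msg_id for d in evaluate(messages, rule, "monitor") if d.matched]


if __name__ == "__main__":
    print("naive rule would block:", would_block(MESSAGES, NAIVE_SSN_RE))
    print("tuned rule would block:", would_block(MESSAGES, TUNED_SSN_RE))
```

On this sample the naive rule would have stopped three of four messages on day one, two of them legitimate business traffic; the tuned rule stops only the payroll export. That gap between “what the rule matches” and “what you meant it to match” is what the monitor-mode pass exists to surface.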