By: Michael Singer
Edited By: Sigalle Barness
First there was the dream of “big data” (look at all this data we can collect and store and play with!). Then there was the big data breach, with its attendant privacy and identity theft nightmares. When is big data too much data and how can an organization get a handle on it so it’s not a sitting duck for hackers? Jenner & Block’s Mary Ellen Callahan and Heidi L. Wachs shed some light on this and other issues in their recent Lawline program Developing Issues in Global Privacy and Risk Management.
Some are even beginning to call it Creepy Data—the stuff that makes the average lawyer cringe. “You want to collect what? Why?” There is such a thing as too much data. And too much data can be, well…“creepy.” While they don’t draw an uncrossable line where “your clients’ data collection practices become creepy,” Callahan and Wachs do offer some insight on what creepy data may look like:
Callahan and Wachs would probably argue that “creepy” also implies “dangerous” to companies, their customers, and vendors. In an era where serious security and data breaches are a click or lost cell phone away, it behooves your clients to define and combat creepy data. Callahan and Wachs offer an approach for lawyers seeking to help clients manage global privacy risk.
There’s no single standard. This is a growing and daunting area of law—data and privacy laws are being passed country by country, and here in the U.S., sector by sector and state by state. Callahan and Wachs throw a lifeline here with a concise listing of the official names of various privacy laws worldwide. Which laws apply to your client depends on where your client is doing business—obviously, the bigger and more global they are, the more laws they must comply with. The frustrating fact is “there is no single standard for compliance” in the privacy area. Yet the principles are the same worldwide, so once you understand them, you’re off to a good start.
So you need a comprehensive privacy program. The truly invaluable advice here stems from the work both Callahan and Wachs have done as privacy officers, Callahan as CPO of the Department of Homeland Security from 2009 to 2012 and Wachs as CPO of Georgetown University from 2007 to 2012. Each speaks from experience dealing with the explosion of data located on your clients’ (and probably your firm’s) servers.
First? Don’t keep your clients at arm’s length. Callahan encourages lawyers who are advising clients on a privacy program to establish relationships across the board in the organization, from IT to legal, compliance, and customer service…basically, get to know the entire company. This process requires getting into the trenches. Wachs adds that lawyers often don’t begin to ask the necessary questions until after an incident occurs, or until an audit comes back with negative findings about something that needs to be fixed immediately. She agrees with Callahan: make friends with the IT department.
You’ve made friends—now what? Now it’s time to get a handle on the terabytes of info. What’s in this Comprehensive Privacy Program? Here are seven steps to getting data under control and knowing what your client has and why:
If this sounds like a lot, well, it is. But Callahan and Wachs have a message for you and your clients: pace yourself. You will not get all this done in one day. Start with the most important, most sensitive materials—the high-risk and high-volume assets, or what Callahan calls the “crown jewels” of the organization (social security numbers, health information, etc.). Work your way down the list. Lastly, make sure your clients are testing the systems they put in place. This is a stark warning from Callahan, especially as it relates to DLP systems, but it applies to the entire operation: don’t just turn it on. Know what will happen when you do—because something will happen the first day.