eDiscovery could reveal your client’s PII

You take precautions to protect your client’s Personally Identifiable Information, but can you trust your e-discovery provider to do the same?

What you need to know about the treatment of your client’s PII data, Part 1 of 2

By Kim Cannon

Imagine that dreaded phone call from your e-discovery provider informing you that there has just been a security breach resulting in the disclosure of your client’s data.  Perhaps your initial thought is whether the disclosure involved privileged material.  But what if there was no privileged material… should you still be concerned?  Would your reaction change if you were handling a discrimination lawsuit and the disclosure included employee files containing social security numbers, personal health information, or the like?  The kind of information that, if made public, could result in identity theft for your client, and a loss of trust, damaged reputation, or ultimate legal liability for you?  The kind of information commonly referred to as “PII”?

The answer:  “it depends.”  It depends on whether your e-discovery provider had the proper protections in place to secure your client’s PII data.  Is your provider, at a minimum, meeting the standard protocol for protecting client data?  Are they keeping abreast of industry trends, case law, legislation, and the forward movement of technology so that their current approach can quickly change when necessary?

You are well aware of the concept; most of us go to great lengths to protect our personal information in our everyday lives.  Our worst fears of identity theft keep us on our toes – shredding the credit card bills once they have been paid, ensuring that no one outside of a “need to know” has access to our social security number – you name it and most of us have done it.  That is how you treat your information, but what can you do to protect the confidentiality of your client’s information?  Once discovery has taken place, your client’s data has been collected and presumably is in the capable hands of your e-discovery provider, but how do you know it is safe?

Defining PII

So, what is PII anyway?

PII is most often defined as information that can be used to distinguish or trace an individual’s identity.  While the term “PII” is ever-expanding, some of the most common examples, when used in combination with one another, are:

  • Name (e.g., full name, maiden name, mother’s maiden name, or alias)
  • Personal identification number (e.g., social security number, passport number, driver’s license number, bank account number, credit card number)
  • Date or place of birth
  • Street address or personal email address
  • Personal telephone number
  • X-rays, fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
  • Personal property information (e.g., vehicle registration or title number)

It is important to note that in order for someone’s identity to be traced, typically more than a single piece of information is needed.  Often, information such as name, social security number, date and place of birth, or mother’s maiden name alone is not enough.  That information along with other personal information linkable to that same individual is where the threat of identity theft can quickly become a reality.

Why should you care?

The federal government has made the protection of PII a priority for quite some time now.  Even before the inception of the Privacy Act of 1974 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), agencies and contractors of those agencies have been under stringent requirements to protect the confidentiality of PII.  Yet, private industry seems to be somewhat behind the times when it comes to protecting the very same data.

States are slowly coming around, some enacting laws under the broad umbrella of “privacy” that can arguably be applied to the treatment of PII data.  Massachusetts and Nevada have enacted privacy laws that outline specific requirements for handling PII, and 46 states have enacted “notification laws” that require organizations to notify individuals when a security breach has occurred.

In part 2 of this series we’ll take a closer look at what these state laws require, the risks of not protecting client PII, and how you can ensure that your e-discovery provider is doing all they can.

About the Author

Kim Cannon is a Legal Associate at IE Discovery, Inc. IE Discovery is a leading provider of discovery management and litigation support services.  Kim has been employed at IE Discovery since 2005 and is a licensed attorney with the Commonwealth of Virginia.  She is a graduate of the University of Maine and Widener University School of Law.

~ by CDLB on December 20, 2010.

One Response to “eDiscovery could reveal your client’s PII”

  1. […] Part 1 of this series, we defined PII and began to explore the importance of protecting your client’s PII data.  Here, […]
