Avoid risk of litigation in protection of clients’ PII

In Part 1 of this series, we defined PII and began to explore the importance of protecting your client’s PII data.  Here, you’ll learn the risks of not protecting client PII and how you can ensure that your e-discovery provider is doing all they can.

PII Risks

The starting point for most PII protection laws is an encryption requirement (encryption is a method of scrambling data so that only someone who possesses the appropriate password or “key” can access the information).  The more specific laws also require organizations to do the following:

  • Develop a security program;
  • Conduct internal/external security reviews;
  • Provide employee training;
  • Use up-to-date firewalls;
  • Have effective access controls;
  • Limit the amount of PII collected;
  • Limit how long PII is retained;
  • Allow access only as necessary to perform job responsibilities;
  • Contractually bind providers to have programs in place to adequately protect PII;
  • Certify that providers have a compliant documented information security program;
  • Regularly monitor employee access to PII;
  • Prevent terminated employees from gaining access to PII;
  • Evaluate security program effectiveness annually;
  • Take corrective action when necessary and document actions taken in security/privacy breaches.

The guidelines set forth in the current state laws are very similar to those implemented by the federal government.  The takeaway here is that it is just a matter of time before other states enact similar laws.

Aside from the obvious problems the disclosure of PII could create for the individual (embarrassment, compromised privacy, identity theft), litigation against the keeper of the data is beginning to rise.  In Saenz v. Kaiser Permanente Int’l, 2010 U.S. Dist. LEXIS 21246 (N.D. Cal. Feb. 19, 2010), the plaintiff alleged she and at least 50 putative class members suffered economic damages resulting from disclosure of their PII.  Those damages included the costs of obtaining identity theft insurance, professional credit monitoring, cancelling and obtaining new credit and debit cards, and fees for freezing and unfreezing bank and credit accounts.  The plaintiff also argued that the security breach occurred two years prior to the defendant providing notice of the breach, preventing the plaintiff and other members of the class from taking immediate steps to monitor and attempt to safeguard their personal information.

Saenz is just one example of how real the threat of litigation can be if proper precautions are not taken to protect the confidentiality of your client’s PII data.  No one is sure of what the future will hold but chances are the growing concerns over PII protection are here to stay.  Why not be proactive and stay ahead of the game?  Ensure your client’s data is protected regardless of your state’s current requirements.

Included is a checklist that can help you as you work with your e-discovery provider.  It hits upon the requirements most often referenced in both government and state PII legislation and should give you a good head start in protecting your client’s PII data.

PII Checklist

Questions for your e-Discovery Provider:

  • Does your organization have a policy or procedure in place for the treatment of PII data?
  • Does your organization hold frequent training regarding the handling of PII data
  • Who is required to attend and how often?
  • What is your organization’s retention schedule for PII data?
  • Who within your organization has access to PII data and what are the rules regarding that access?
  • Does your organization treat data residing on servers differently than data being transferred (e.g., via email)?
  • Does your organization implement encryption to ensure the confidentiality of PII data?
  • What steps does your organization take to stay current with industry trends and technological advances regarding the protection of PII data?
  • Does your organization have a remediation plan in place for the loss of PII data?
  • What is your organization’s breach notification policy?
  • Does your organization hold individuals accountable for failure to follow policy and procedure regarding the treatment of PII data?

About the Author

Kim Cannon is a Legal Associate at IE Discovery, Inc. IE Discovery is a leading provider of discovery management and litigation support services.  Kim has been employed at IE Discovery since 2005 and is a licensed attorney with the Commonwealth of Virginia.  She is a graduate of the University of Maine and Widener University School of Law.

~ by CDLB on December 29, 2010.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: