Law360 (April 17, 2020, 6:03 PM EDT) --
Despite the potential risks and threats that exist in today's world, legal professionals can safeguard the confidentiality, integrity, availability and privacy of class member data by following information security best practices at every stage of the case. Below are actionable tips and best practices that any legal team can follow to help ensure their data protection measures are bulletproof.
1. Establish security and privacy policies and review them regularly.
The most important practice to protect class member data is establishing security and privacy policies and procedures for your organization, and reviewing those policies no less than annually or whenever there are significant changes to your information systems or business objectives.
Designate an information security officer and a data privacy officer to be responsible for the development, implementation and upkeep of your information security and privacy programs. Staff in these roles should ensure policies are communicated to all applicable parties, whether internally, such as through annual employee policy attestation, or externally, such as by posting your privacy notice on public websites.
Equally important is developing an incident response plan to assist the organization in addressing and managing the aftermath of a security or privacy event, to handle the situation in a way that limits damage and reduces recovery time and costs. To limit potential threats, periodically assess the risk to your organization's operations, assets and personnel. Be sure to classify all identified risks, as well as mission-critical functions, services and vendors that could potentially impact the organization's data security.
Development of a training and awareness program covering security and privacy is also critical. Your employees must understand how to protect the confidentiality and integrity of your data and sensitive information.
At minimum, training should be provided at onboarding and no less than annually thereafter. Augment training with periodic awareness messages that inform staff of the latest security threats and the tactics being used by malicious parties to acquire sensitive data. Bad actors always leverage crises to their benefit and the COVID-19 situation is no different. Remember, employees are your first line of defense.
2. Implement safeguards for data collection.
When transmitting class member data to colleagues, opposing counsel or a third-party administrator, it is essential to use secure and encrypted file sharing methods. Many file sharing options are available, including in-house systems that provide secure file transfer protocol or encrypted email services, or cloud-based solutions, such as ShareFile, Box or OneDrive.
Cloud-based offerings are quickly becoming mainstays within the legal community due to the advancement of technology and ease of deployment. Regardless of the secure transmission solution you choose, educate your staff in its use and ensure they know it is required for secure data transmission. Without proper education and training, staff are more likely to use unapproved and insecure methods of transmitting data.
3. Identify sensitive data.
When administering or litigating class actions, the collection of sensitive information such as Social Security numbers, dates of birth, and other types of personally identifiable information and protected health information may be required. The best precaution is to gather only the necessary information and to use the data only for its intended purpose.
It is important to analyze the data and determine the applicable contractual, regulatory and statutory requirements.
Data protection requirements may fall under, for example, the Health Insurance Portability and Accountability Act's Security and Privacy Rules; the Health Information Technology for Economic and Clinical Health Act; the General Data Protection Regulation; or the California Consumer Privacy Act, which explicitly regulate how sensitive data can be collected, transmitted and used.
4. Justify access to the data.
Adhere to the principle of least privilege to provide only the access necessary for each staff member to perform their job. Each staff member should be provided a unique user ID, and credential sharing should be explicitly prohibited within your information security policies.
Experienced information technology and management teams should review personnel data access on a periodic basis, and always when an employee is transferred, or when roles or responsibilities are changed, so permissions can be modified, as needed. There also must be a mandatory removal of all access, whether physical or logical, at offboarding.
Though most organizations have now embraced using a remote workforce, it is still important to ensure that access to your organization's offices and physical data is limited to only those who need it. Physical controls such as card access systems, closed-circuit television, or similar recording and alarm systems must be in place in any facility storing, processing or transmitting sensitive data.
5. Secure remote access to class member data.
While there is increased risk associated with expanding your remote workforce in response to the COVID-19 crisis, the risks can be mitigated by implementing effective controls and secure access methods. Many forms of remote access, such as virtual private networks, access gateways and application gateways, can be employed to provide a secure, encrypted connection to class member data.
Also, be sure to institute a strong password policy, implement multifactor authentication for all remote access, and always adhere to industry standard controls, such as those offered by the National Institute of Standards and Technology or the International Organization for Standardization.
Regardless of the control set, always utilize a defense-in-depth approach by layering your security controls. These controls typically include, but should not be limited to, next-generation firewalls; intrusion detection and prevention systems; endpoint protection and behavioral analysis software; email and data loss protection; web filtering solutions; mobile device and application management; system hardening standards; and patch and vulnerability management programs.
Educate employees on your organization's remote access policies and procedures and, most importantly, ensure they know how to always protect the confidentiality of your data regardless of their location.
Importance of Data Security
Data security for class member information is pertinent now more than ever. As the world shifts its remote workforce to the forefront, additional IT security measures should be enacted to avoid costly errors in the future.
Derek Dragotta is vice president of information security at JND Legal Administration Co.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the organization, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
HHS Office of the Secretary, Office for Civil Rights. (2013, July 26). Summary of the HIPAA Security Rule. Retrieved March 31, 2020, from https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.
Department of Health and Human Services, Office of the Secretary. (2000, December 28). 45 CFR Parts 160 and 164 Standards for Privacy of Individually Identifiable Health Information; Final Rule. Retrieved April 2, 2020, from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf.
Department of Health and Human Services, Office for Civil Rights. (2017, June 16). HITECH Act Enforcement Interim Final Rule. Retrieved March 31, 2020, from https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html.
European Commission Directorate-General for Communication. (2020, February 19). Data protection. Retrieved March 31, 2020, from https://ec.europa.eu/info/law/law-topic/data-protection_en.
State of California Department of Justice, Office of the Attorney General. (2020, March 11). California Consumer Privacy Act (CCPA). Retrieved March 31, 2020, from https://oag.ca.gov/privacy/ccpa.