When lawyers hear “inadvertent disclosure” or “exposed client confidences,” they immediately think of stray emails and shadowy hackers. That narrow understanding means we don’t recognize when other issues of confidentiality may be in play. This interview will broaden your thinking.
In this interview with privacy expert Irene Mo, she reveals our privacy blind spots and gives us new ways to think about our work so we keep confidentiality foremost in our minds. She also explains why you should be just as worried about giving away your information as you are about having it stolen—and she gives red flags to spot tools that demand too much information. Read on for Irene’s insights.
What prompted your interest in privacy law?
In my last year of undergrad, I took an upper-level math class called “Introduction to Cryptography” and became fascinated with the fact that the most widely used cryptosystems are based on the assumption that there is no efficient algorithm to factorize very large prime numbers. For the first semester of law school, I said I wanted to do “cryptography law” because I didn’t have the vocabulary to know what I actually wanted to do was privacy and data security law.
What’s the difference between privacy and data security?
Data security is protecting data from unauthorized access and theft. Privacy focuses on the rights of individuals to decided how and why personal information is collected, used, and shared.
What are some unexpected ways that privacy and data security come up in legal practice?
When lawyers are warned about privacy and data security risks, there is a big emphasis on preventing criminals from gaining unauthorized access to privileged and confidential data through phishing attacks, ransomware, or social engineering. But one overlooked issue is when lawyers may inadvertently agree to sharing privileged and confidential data through seemingly innocuous means.
Before using a new software tool, lawyers need to review the terms of service and privacy notice to determine what information the tool will collect and how it will collect, use, and share that information, including any privileged or confidential data the tool may touch. It is not uncommon for software tools to collect information, but it is important to understand the exact types of information collected, the purposes for which that information is used or shared, and who that information may be shared with (e.g., third parties like service providers or advertisers).
What are some red flags in privacy notices?
Data protection laws outline specific requirements of what must be included in privacy notices, but the user experience of privacy notices is largely up to each company. When I write privacy notices, I keep three audiences in mind: regulators, consumers, and other privacy professionals. Along with meeting the requirements in data protection laws, I also want the privacy notices I write to be appealing to read and easy to understand.
The first red flag I see is usually the “last updated” date—I get suspicious about whether the privacy notice is accurate if it has not been updated in the last year or two.
Next, I look at the overall aesthetic of the privacy notice. It’s a red flag if I see blocks of text with little white space and no headers. That makes it hard to know where I can find certain information. Headers, sub-headers, and bullet points make privacy notices more appealing to read by directing people where to find information and by breaking up text.
Focusing on the actual content of the privacy notice, I look at the amount of detail provided about what information the company or tool will collect and how it will collect, use, and share that information. Vague language in the privacy notice signals lack of transparency. Balancing the amount of detail to provide in the privacy notice with readability can be difficult, but it is important (and required) to include enough detail for people to understand what companies or tools do with their information.
Finally, as a consumer, I ask myself whether the data they collect matches what I expect them to collect in connection with the service. If I read the privacy notice and find that the tool or company is collecting, using, or sharing unexpected or irrelevant information, that’s a red flag. It might not stop me from using the service or software anyway—and it doesn’t necessarily signal wrongdoing—but I will spend more time evaluating the company and whether it’s worth it to do business with them.
Note: Most law firms are not subject to Online Privacy Protection Act (“CalOPPA”), or the California Consumer Privacy Act (“CCPA”) / California Privacy Rights Act (“CPRA”), so law firms may not need a privacy notice in the United States. However, law firms may need a privacy notice under laws like the European Union’s General Data Protection Regulation (“GDPR”).
What are some of the dangers of using freemium software tools in legal practice? What are some surprises?
One of the biggest risks of using free software licenses is the lack of privacy and data security protections. In legal practice, using the free license of software tools may lead to inadvertent disclosures of privileged and confidential data. The chart below provides examples of differences between free and paid software licenses.
EXAMPLES OF DIFFERENCES BETWEEN FREE AND PAID SOFTWARE LICENSES |
|
FREE |
PAID |
The company or tool collects and stores document contents on the company’s servers. |
The company or tool does not collect document contents. |
Data collected is stored indefinitely. |
Data collected is retained and deleted after a certain time period. |
The company can use the data collected for its own benefit like improving its tool or for marketing. |
The company cannot use the data collected for its own purposes or can only use the data for limited purposes. |
Data collected can be shared or sold to third parties like advertisers. |
Data collected cannot be shared or sold to third parties. |
The tool has limited security controls. |
The tool provides enhanced security controls like multi-factor authentication. |
People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
I’m always surprised to hear of lawyers and law firms failing to remove metadata or redact properly. But we don’t hear about these failures at the same rate, and we still don’t dig deep enough. Failing to properly redact or failing to remove metadata may result in improper disclosure of confidential or privileged information.
We often hear about failures to redact in primary court filings like motions, briefs, and memos; however, the most common redaction failures are in the attachments, exhibits, and supporting materials. Lori Shemka, a lawyer who formerly worked in the chambers of Michigan Supreme Court Chief Justice Bridget Mary McCormack, wrote a great blog post about redacting personal information for Data Privacy Day. In the post, Shemka explains that even though most personal information risks are in supporting documents, personal information can also appear in images inserted into filings.
But we don’t often hear about failures to remove metadata, even though it’s also important. That’s probably because discussions of metadata usually focus on the final document, but accidental disclosure usually happens during the drafting and negation process. Lawyers should be mindful of metadata when sharing documents throughout the drafting process, especially when using cloud-based, collaboration tools. For example, sharing a link with someone or otherwise giving them access to edit the document may allow them to view the revision history up to when the document was created. Additionally, some of these collaboration tools keep records of “resolved” comment threads, where as “deleted” comment threads are removed from the document.
It’s also important for attorneys to determine when it’s appropriate to scrub for metadata before sending a document, or when to send a PDF versus an editable document to a client or opposing counsel. For example, scrubbing metadata clears out the authors’ names in comments and redlines, so this wouldn’t be helpful mid-negotiation. And sending a non-editable PDF may not be the friendliest of moves to opposing counsel.
About Irene Mo
Irene Mo is an Associate with Hintze Law working from the San Francisco Bay Area. She counsels clients on a wide range of privacy and data security issues, including conducting and setting up Records of Processing Activities, Data Protection Impact Assessments, implementing global data protection programs, and integrating privacy protections into emerging technology. Irene has experience with the California Consumer Protection Act (CCPA), EU GDPR, the FTC Act, HIPAA Privacy Rule, and cybersecurity.
Before Hintze Law, Irene was a Senior Associate at Aleada Consulting and gained valuable experience as a legal technology consultant helping organizations with project management, lean-process improvement, content creation, and community building.
Irene was honored as an inaugural NextGen Fellow at the American Bar Association Center for Innovation, where she focused on the privacy and data security risks faced by low-income and marginalized individuals. For her work at the Center, Irene was recognized by Legaltech News as one of the “18 Millennials Changing the Face of Legal Tech,” and by the American Bar Association's Legal Technology Resource Center as one of the “Women of Legal Tech.”
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.
WordRake is clear and concise editing software designed for people who work with confidential information. The software improves writing by simplifying and clarifying text, cutting legalese, and recommending plain English replacements. WordRake runs in Microsoft Word and Outlook, and its suggestions appear in the familiar track-changes style. Try WordRake for free for 7 days.