Many privacy professionals will persuade by drawing on the fear that private information may be disclosed, but Shaun takes a different approach: He draws interesting distinctions between similar topics and asks questions that will make you think twice.
In this interview, Shaun Jamison, professor of the Future of Law Practice and Cybersecurity Law, gets us to think critically about our data habits and challenges our assumptions about seemingly straightforward rules. Read on to learn how you should assess the privacy and security of your everyday tools and how human error or inattentiveness can reveal more information than expected.
What is your role and how is it related to privacy law?
I am the associate dean and a professor of law at Purdue Global Law School. I oversee faculty and academics for the school. Courses I have designed and taught include Cybersecurity Law and The Future of Law Practice. We discuss privacy in both classes, but in greater detail in Cybersecurity Law.
What prompted your interest in privacy law?
The Patriot Act woke me up to the extent of how fragile our privacy can be. I credit the American Association of Law Libraries for educating me on this point.
What’s the difference between privacy and data security?
Privacy concerns information about people and how we handle it. Basically, privacy is your right to be left alone and not have people know personal information about you that you do not want to share. Data security is keeping whatever information an organization has safe from breach. You can violate someone’s privacy by collecting and using data improperly without having a security breach. And you can have a security breach that does not involve private data. Here’s a 45 second video I did on the topic.
What surprising types of information qualify as confidential information or electronically stored information under the ethics rules?
We keep seeing lawyers get tripped up by metadata and redacting. If you don’t properly strip out metadata or redact confidential information, then confidential or strategic information will be revealed. Your opposing counsel may have an ethical obligation to ignore accidental disclosures in some jurisdictions, but journalists are not bound by lawyer ethics—and you will have failed in your duty to protect your client’s confidential information.
This is also a good time to talk about access control. If others in your firm do not need access to client documents, don’t give it to them. Yes, you may trust them to the ends of the earth, but what if their access is compromised? Then only the information they needed access to would be at risk—not your entire firm’s client data. Likewise, even if someone appropriately has access, you may wish to limit their ability to alter what they access or to edit documents they access. Because respecting privacy also involves protecting the accuracy of information about people, then controlling access to alter documents supports that right.
What are some unexpected ways that privacy and data security come up in legal practice?
Work from home during the pandemic created unexpected issues, such as the need to secure a home network or limit access to verbal information. Before the pandemic, few people considered whether the lawyers they hired had an exclusive home office so others in the house couldn’t overhear their conversations or see their work on their computer screen.
Ransomware has also been an issue for lawyers. Lawyers are considered “soft” targets, as smaller firms may be at a disadvantage for securing their systems and data. It is critical to train staff to avoid phishing attempts.
Lawyers must also consider whether they have become responsible for laws beyond ethics rules. For instance, if you handle medical information as part of your cases, you need to know how HIPAA and related laws apply to business associates.
Deep fakes can be used to embarrass you or your clients, taint jury pools, and even create fake evidence.
What are some red flags in privacy policies of consumer apps?
It’s a glaring red flag if they do not have a privacy policy or it is not easily accessible. You should also be concerned if it’s hard to follow or overly vague; or if the user guides or marketing materials contradict the privacy policy. Finally, be concerned if the app is gathering information about you and sending it to third parties or reserving the right to see it.
What are some surprisingly good privacy protections you’ve seen in legal tech or other apps?
Apps that never send actual data or store data outside your phone or computer are the best, if available. There is always the risk you lose your physical device, so take steps to limit unfettered access if it gets into the wrong hands. Your goal is to limit access if the physical device is no longer in your control.
What are some dangers of using a freemium consumer app in legal practice?
First, a contract concern: If a lawyer is using a consumer app for their law practice, they could be violating terms of service by using it for commercial purposes. Second, an ethics concern: If the lawyer is allowing the app to access and use confidential client information, and the app may disclose the information to third parties, then I would be worried. Given those concerns, I want to know what business model the freemium app is using: Do they make money off selling the data gathered, or is it strictly used to improve the product? Or is their business model exclusively advertising or in-app purchases/upsells?
For example, if I use an AI such as ChatGPT that utilizes questions as part of its training process, I probably cannot retract any information I entered while working on my client’s case. It has become part of the data stored and utilized by the AI. I could use a non freemium version where my firm controls access to the use of any of data inputted. That might be less powerful, but the data would be more secure.
My concerns about my client’s association with the data is about whether the client data is identified, de-identified, or anonymized.
- Identified Data: If you are identified with the data, that means the company and anyone who accesses their information knows who you are and that the data is about you. This can be good if you need the information to log in to the site and get the services you want. However, it should be a goal to minimize personal data and only retain data for which you have a legitimate business purpose.
- De-Identified Data: De-identified data is where obvious connections between you and the data are removed. Unfortunately, if one has access to that data and another data set where people are identified, they can use artificial intelligence to match up the records if there are enough records in common.
- Anonymized Data: Anonymization goes further by making sure it is (hopefully) impossible to re-identify people in connection with their data by using other data sets. The IAPP website has more discussion on the topic.
The more sensitive your case is, the more worried you must be about what apps will do with your information. If you are researching one of millions of divorce cases, that’s not going to stand out in the data. But what if you research war reparations? That’s a far more limited pool of queries and likely law firms, and you may wish to keep such a novel action secret until you file it.
Finally, you must consider the stability of the freemium company. Will they be around a long time so you can rely on them for your practice? Will they spend the money needed to protect privacy and security? If they go out of business, can you retrieve your data in usable form? If they get sold, does the new company own the data and will they respect the privacy policy?
People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
Some areas that I may have mentioned elsewhere include:
- Editing history and comments: You do not want your candid comments about the strength of arguments to go public.
- Redacting: You do not want something that you were supposed to exclude from the public record to be exposed.
- Metadata: I have mixed feelings about this one because it sometimes exposes people who lied about when they created a document or who drafted it. So it can be good, just not for the person submitting the document when it reveals information they did not want to share.
- Access to documents: People get curious and only authorized people should have access.
- Editing rights: Only authorized people should be able to alter or delete documents.
What should lawyers know about the new privacy laws from the past few years? Do they apply to law firms? If so, how?
An easy privacy issue to trip over is your public-facing privacy policy. It needs to match up to any laws which apply to your jurisdiction and your actual practices. It is essential to review the current law of any states you operate in and to review your actual privacy practices to make sure they line up with what you are promising.
Whether privacy laws apply to law firms generally has to do with the amount of revenue the firm generates or the number of records they maintain. This varies by state.
Whether or not you live in a state actively changing privacy law, such as California, there are strategies you can employ to be ready for changes. You need to understand what data your firm collects, how it is used, how it is stored, and when you will share it or dispose of it. You will also want to categorize data by its level of sensitivity or risk. Once you have done that review, you can make any improvements needed, including not collecting data you do not need. Data you don’t have cannot be breached, and data you didn’t collect in the first place cannot be mishandled. In any event, knowing what your data process is will make it much easier to comply with any laws heading your way.
Are there important privacy trends legal tech vendors should be paying attention to? What new privacy rights and obligations should legal tech vendors be aware of?
If vendors are not on board with Privacy by Design (PbD), they should be. The idea is to create your product with privacy in mind from the beginning. Once you have developed a product, it might be difficult and costly to address privacy and some options might be foreclosed. Get someone at the design meetings who will advocate for privacy as part of the design.
There are a couple of issues to think about. One is the right to be forgotten, or right to erasure. Can your product accommodate this type of request? Related to that are requests by consumers to know what information a company has regarding them. Can you accommodate this? Depending on whether consumer data is part of your business, can your product interact with privacy-related platforms?
When you’re searching for new software, what’s the most important privacy-related question to ask vendors?
I’m sure it’s “Who has access to what data, and how do you protect against a breach?” However, I want to point out that a potentially very important question might be “Can data be permanently deleted off the system and all of the backups?” Some of the newer privacy laws have a right to erasure or right to be forgotten. Do not assume that your technology actually can perform this function.
What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?
- “Who will have access to the data?”
- “How will it be used?”
- “How will it be protected?”
What terms and conditions should you check when using consumer apps that help with word processing and email?
The privacy policy is a top concern. As with other apps, you want to know what data they are gathering, how long they will keep it, what they will use it for, where it will be stored and processed, and who has access.
Never make assumptions about how an app will handle information. I was a member of a social media site where they claimed ownership over all user-generated content such as blog posts, photos, videos, etc. You want to understand who owns the content and who has the rights to use it.
What is the greatest threat to privacy?
People are the weakest link. Employees can be negligent, disgruntled, or greedy. Train your staff and audit behavior to make sure you are protecting privacy the way you promised your clients. [Editor’s Note: If this inspires you, listen to this podcast interview with Edna Conway from Microsoft: Start With The Human, Not The Technology.]
What resources do you recommend for laypeople wanting to learn more about privacy?
The Federal Trade Commission has great information for consumers: https://www.ftc.gov/. I am a member of the IAPP (International Association of Privacy Professionals). They produce quite a bit of helpful information. One might also check out the EPIC consumer privacy project: https://epic.org/.
About Shaun Jamison, JD, PhD, CIPP
As Associate Dean of Academic Affairs at Purdue Global Law School, Dr. Shaun Jamison oversees faculty and academics. He conceived of and created the Cybersecurity Law and the Future of Law Practice courses, and provides commentary to the media on technology and privacy issues. Shaun's academic career has focused on skills development and emerging issues in law practice and technology.
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.
WordRake is clear and concise editing software designed for people who work with confidential information. The software improves writing by simplifying and clarifying text, cutting legalese, and recommending plain English replacements. WordRake runs in Microsoft Word and Outlook, and its suggestions appear in the familiar track-changes style. Try WordRake for free for 7 days.