Litigation Support for Information Governance

The treatment of personal identifiable information (PII) is quickly becoming an increasingly critical issue and should be on litigation support's risk and information governance agenda.

Lawyers in certain industry sectors, such as e-commerce, may have a duty to protect PII. And for some corporations, such as finance or medical, the duty to protect PII may be highly regulated, while in other industries ' education or government, for example ' that compile personal information as statistical data, the duty may be self-imposed through acts or executive order.

Where industry does compile personal identifiable information, and there is a duty to protect this information, companies are moving to regulate it within internal systems. They consider:

• What happens when PII is transmitted to the litigation support team as part of client information subject to an adversarial action?
• What is PII, anyway?
• Does litigation support have a duty to protect PII on behalf of the law firm's client?
• If there is a duty, how should litigation support react to protect PII?

PII Defined

No clear consensus of the exact definition of personal identifiable information exists as each law or regulation offers a slightly different PII definition. An amalgam of several definitions offers us this general definition ' any information about an individual maintained by an agency, including: 1) any information that can be used to distinguish or trace an individual's identity; and 2) any other information linked or linkable to an individual, such as medical, educational, financial and employment information.

Examples of personal identifiable information include, but are not limited to:

• Name, such as full name, maiden name, mother's maiden name, or alias;
• Address information, such as street address or e-mail address;
• Personal identification number such as SSN, passport number, driver's license number, taxpayer identification number, or financial account or credit card number;
• Personal characteristics, including photographic image (especially face or other identifying characteristic), fingerprints, handwriting or other biometric data ( e.g., retina scan, voice signature, facial geometry); and
• Information about an individual that is linked or linkable to one of the above ( e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information or financial information). ( See, OMB Memorandums 07-16 and 06-19. See also, GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, www.gao.gov/assets/280/275572.pdf.) ( Editor's Note: For more on this topic, see, “New European Data Regulation Protection Draft” in the April edition of e-Commerce Law & Strategy, at http://bit.ly/HVkiAR.)

Consensus to Protect PII
At Rest, in Transit

There is no single law in the United States that provides a comprehensive treatment of data protection or privacy. There have been a number of laws and executive orders specifically dealing with data protection concepts, and at least 47 of the states are considering some level of privacy law provision that requires PII be properly protected from erroneous disclosure. There is some consensus within these laws and regulations that PII should be protected at rest and in transit. Given this, it may be beneficial for litigation support to adopt a broad approach to protecting client data regardless of whether it contains PII.

Many corporate, government organizations and law firms are subject to laws, regulations or other mandates governing the obligation to protect personal information, such as the Privacy Act of 1974, Office of Management and Budget (OMB) memoranda, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additionally, some federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to additional specific legal obligations to protect certain types of personal identifiable information. Some organizations are also subject to specific legal requirements based on their role. For example, organizations acting as financial institutions by engaging in financial activities are subject to the Gramm-Leach-Bliley Act (GLBA). Also, some agencies that collect personal identifiable information for statistical purposes are subject to the strict confidentiality requirements of the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) (this may include university and educational institutions). Organizations may also be obliged to protect PII by their own policies, standards or management directives. Violations of these laws or regulations can result in civil or criminal penalties.

Massachusetts is one example of a state that recently adopted privacy law to address personal identifiable information. If you do business with residents of Massachusetts or have employees who reside in Massachusetts, you must comply with Massachusetts Privacy Law (201 CMR 17, March 1, 2010) that requires specific technology ' encryption ' be used to protect personal identifiable information, whether “data is at rest” or “data is in transit” over a public network such as the Internet. This means any organization, regardless of size or location of the business (including law firms and their litigation support function), must protect a Massachusetts resident's name in combination with any one of the following pieces of information ' with or without a security code, access code, PIN or password that would permit access to the resident's financial information: Social Security Number, driver's license number or state-issued identification card number, or financial account number or credit/debit card number.

Law firms working with clients who may be subject to PII laws or regulations, or any firm clients with internal policies, standards, or management directives regarding PII protection, may need to advise litigation support of a duty and obligation to protect PII. To lessen risk in the face of the patchwork of PII laws and regulations, litigation support may need to take a broad approach to protecting all forms of client data, regardless of whether data contains PII. A broad-based approach should address data at rest (i.e., preservation data, work in progress, electronically stored information review or production repositories) as well as data in transit (e.g., evidentiary attachments to e-mail, external media, files sent via transmission protocol (FTP or SFTP)).

A PII protection assessment should consider protection requirements at the department and litigation case levels, as well as any underlying litigation support data repositories, data subsets or data transmission mechanisms and streams. An examination of PII protection capabilities may underscore:

• The need to improve litigation support information governance by considering how information is transmitted to/from the law firm;
• How data is stored and managed; and
• How to apply the firm's records-management policies and procedures to electronic evidence under management by litigation support.

How Identifiable Is PII?

Organizations are being directed to evaluate how easily personal identifiable information can be used to identify specific individuals. At one level, PII composed of individuals' names, fingerprints, or SSNs may uniquely and directly identify individuals, whereas personal identifiable information data composed of individuals' ZIP codes and dates of birth may indirectly identify individuals or significantly narrow large datasets.

However, data composed only of individuals' area codes and gender usually would not allow direct or indirect identification of an individual. Direct or indirect identification may depend on the context and sample size of the data. Personal identifiable information that is uniquely and directly identifiable may warrant a higher level of protection than personal identifiable information that is not directly identifiable by itself.

Litigation support may need to be apprised by lawyers of how to develop a low- to high-harm threat-level scale. The scale should be applied to any data litigation support receives/sends or stores/manages. The threat scale may be used generally to secure client data or a particular file, or may need to be more robust to address specific client, industry, firm practice group or particular case concern.

A general PII protection scale may rate data from low to high level with harm levels set as:

• Low. An inconvenience, but if exposed, the PII would not cause too much harm;
• Moderate. May include financial information that would result in some significant type of loss, such as identity theft, benefits denial, public humiliation, discrimination, loss of a customer/client or the potential for blackmail; or
• High. May involve serious physical, social or financial harm that may result in potential loss of life, loss of livelihood or inappropriate physical detention.

Proper protection of PII by litigation support (and IT or records management) may require examination of information-governance and records-management procedures for litigation support, as well as examination of litigation-support workflow procedures, application of security over litigation data repositories or use of advanced encryption standards to secure PII.

Duty to Protect PII

In representing corporations obligated to protect PII, the duty to protect may extend to the law firm. Protection obligations may apply to specific types of electronic files in a case or an entire data collection. Lawyers who practice within certain industries may be more aware of their PII protect duties and obligations than others are.

But litigation support (or IT/records management) is probably not self-aware of any extended obligation the lawyer has to protect PII when, or if, the protection duty is passed from corporation to law firm. It may be worthwhile, then, for certain litigation practice group leads or key lawyers to regularly address and advise litigation support if and when there is an obligation to protect PII.

It is also important to keep in mind that PII protection requirements for a particular client or industry may need to be addressed at the case or project level, at work in progress stages or repository levels, at the database field level or at the point data is in transit. The obligation may also extend to vendors when hired to work on, or with, client data. This should be considered part of an overall security protection plan for PII data. For law firms specializing in litigation fraught with personal identifiable information, it may be time to consider how to deploy more stringent security measures over active and inactive litigation-support data and client evidence.

Disguising Data

Litigation support should be well versed in how to examine and treat PII. Personal identifiable information protection and treatment should be on the short list of discussion topics with vendors, too, concerning when they are engaged to handle such data. It is clear that courts will require one to demonstrate PII definition, a sound treatment process/methodology, and to educate the court and opposing counsel on how results were obtained, particularly in instances where PII is disguised to protect its content from harmful disclosure.

Disguised information ' called anomalyzing data, a term being used in the litigation-support sector because the original information has been made into an anomaly of sorts, something different or unusual ' is defined as previously identifiable information that has been de-identified by replacing the identifiable data with a masking code. The data removed may be identified only by removing the masking code, and that way revealing the initial data the mask replaced. Information disguised this way usually involves the application of statistical disclosure limitation techniques to ensure the data cannot be re-identified. Five such techniques are:

• Generalizing the data. Making information less precise, such as grouping continuous values ;
• Suppressing the data. Deleting an entire record or certain parts of a record;
• Introducing noise into the data. Adding small amounts of variation into selected data;
• Swapping the data. Exchanging certain data fields of one record within the same data fields of another similar record ( e.g., swapping the ZIP codes of two records); and
• Replacing data with the average value. Replacing a selected value of data with the average value for the entire group of data. ( See, Guidelines to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-122, Erika McCallister, Tim Grance, Karen Scarfone, April 2010 at 4-6, available at http://1.usa.gov/HVmqZ9.)

Using these techniques, the information is no longer personal identifiable information, but it can retain its useful and realistic properties. Tread lightly if PII must be anomlyzed in a file. Carefully consider how to mask PII in a way that protects the information from harm. Seek court approval when PII must be anomolyzed and exchanged between litigants, and always document the definitions, the process and the results.

Conclusion

Litigation support requires lawyer assistance to properly identify and address PII protection duty and obligations. If a broad PII protection approach is taken, then a basic protection plan may be prepared by a well rounded team of key stakeholders who may include a lawyer, and personnel from IT, litigation support and records management. This team will be able to consider the full scope of protection required for the entire life of the data. A basic protection plan may include:

• Limiting access to client data containing PII by deploying ethical walls, folders, or file- or field-level security;
• Using advanced encryption standards for data transit; or
• Applying firm records-management policies and procedures to dispose client evidence with PII in a timely fashion.

If a case-by-case protection approach is taken, then responsibility will rest with the lawyer and client to define what PII is, its nature, the harm and threat level, and to advise litigation support of its obligations to protect data containing PII.

Protection actions, whether broad-based or case-specific, will require lawyer, litigation support, the firm's IT and records-management departments to work together closely to ensure that PII content is properly maintained and secure throughout the lifecycle of the file.

The treatment of personal identifiable information (PII) is quickly becoming an increasingly critical issue and should be on litigation support's risk and information governance agenda.

Lawyers in certain industry sectors, such as e-commerce, may have a duty to protect PII. And for some corporations, such as finance or medical, the duty to protect PII may be highly regulated, while in other industries ' education or government, for example ' that compile personal information as statistical data, the duty may be self-imposed through acts or executive order.

Where industry does compile personal identifiable information, and there is a duty to protect this information, companies are moving to regulate it within internal systems. They consider:

• What happens when PII is transmitted to the litigation support team as part of client information subject to an adversarial action?
• What is PII, anyway?
• Does litigation support have a duty to protect PII on behalf of the law firm's client?
• If there is a duty, how should litigation support react to protect PII?

PII Defined

No clear consensus of the exact definition of personal identifiable information exists as each law or regulation offers a slightly different PII definition. An amalgam of several definitions offers us this general definition ' any information about an individual maintained by an agency, including: 1) any information that can be used to distinguish or trace an individual's identity; and 2) any other information linked or linkable to an individual, such as medical, educational, financial and employment information.

Examples of personal identifiable information include, but are not limited to:

• Name, such as full name, maiden name, mother's maiden name, or alias;
• Address information, such as street address or e-mail address;
• Personal identification number such as SSN, passport number, driver's license number, taxpayer identification number, or financial account or credit card number;
• Personal characteristics, including photographic image (especially face or other identifying characteristic), fingerprints, handwriting or other biometric data ( e.g., retina scan, voice signature, facial geometry); and
• Information about an individual that is linked or linkable to one of the above ( e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information or financial information). ( See, OMB Memorandums 07-16 and 06-19. See also, GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, www.gao.gov/assets/280/275572.pdf.) ( Editor's Note: For more on this topic, see, “New European Data Regulation Protection Draft” in the April edition of e-Commerce Law & Strategy, at http://bit.ly/HVkiAR.)

Consensus to Protect PII
At Rest, in Transit

There is no single law in the United States that provides a comprehensive treatment of data protection or privacy. There have been a number of laws and executive orders specifically dealing with data protection concepts, and at least 47 of the states are considering some level of privacy law provision that requires PII be properly protected from erroneous disclosure. There is some consensus within these laws and regulations that PII should be protected at rest and in transit. Given this, it may be beneficial for litigation support to adopt a broad approach to protecting client data regardless of whether it contains PII.

Many corporate, government organizations and law firms are subject to laws, regulations or other mandates governing the obligation to protect personal information, such as the Privacy Act of 1974, Office of Management and Budget (OMB) memoranda, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Additionally, some federal agencies, such as the Census Bureau and the Internal Revenue Service (IRS), are subject to additional specific legal obligations to protect certain types of personal identifiable information. Some organizations are also subject to specific legal requirements based on their role. For example, organizations acting as financial institutions by engaging in financial activities are subject to the Gramm-Leach-Bliley Act (GLBA). Also, some agencies that collect personal identifiable information for statistical purposes are subject to the strict confidentiality requirements of the Confidential Information Protection and Statistical Efficiency Act (CIPSEA) (this may include university and educational institutions). Organizations may also be obliged to protect PII by their own policies, standards or management directives. Violations of these laws or regulations can result in civil or criminal penalties.

Massachusetts is one example of a state that recently adopted privacy law to address personal identifiable information. If you do business with residents of Massachusetts or have employees who reside in Massachusetts, you must comply with Massachusetts Privacy Law (201 CMR 17, March 1, 2010) that requires specific technology ' encryption ' be used to protect personal identifiable information, whether “data is at rest” or “data is in transit” over a public network such as the Internet. This means any organization, regardless of size or location of the business (including law firms and their litigation support function), must protect a Massachusetts resident's name in combination with any one of the following pieces of information ' with or without a security code, access code, PIN or password that would permit access to the resident's financial information: Social Security Number, driver's license number or state-issued identification card number, or financial account number or credit/debit card number.

Law firms working with clients who may be subject to PII laws or regulations, or any firm clients with internal policies, standards, or management directives regarding PII protection, may need to advise litigation support of a duty and obligation to protect PII. To lessen risk in the face of the patchwork of PII laws and regulations, litigation support may need to take a broad approach to protecting all forms of client data, regardless of whether data contains PII. A broad-based approach should address data at rest (i.e., preservation data, work in progress, electronically stored information review or production repositories) as well as data in transit (e.g., evidentiary attachments to e-mail, external media, files sent via transmission protocol (FTP or SFTP)).

A PII protection assessment should consider protection requirements at the department and litigation case levels, as well as any underlying litigation support data repositories, data subsets or data transmission mechanisms and streams. An examination of PII protection capabilities may underscore:

• The need to improve litigation support information governance by considering how information is transmitted to/from the law firm;
• How data is stored and managed; and
• How to apply the firm's records-management policies and procedures to electronic evidence under management by litigation support.

How Identifiable Is PII?

Organizations are being directed to evaluate how easily personal identifiable information can be used to identify specific individuals. At one level, PII composed of individuals' names, fingerprints, or SSNs may uniquely and directly identify individuals, whereas personal identifiable information data composed of individuals' ZIP codes and dates of birth may indirectly identify individuals or significantly narrow large datasets.

However, data composed only of individuals' area codes and gender usually would not allow direct or indirect identification of an individual. Direct or indirect identification may depend on the context and sample size of the data. Personal identifiable information that is uniquely and directly identifiable may warrant a higher level of protection than personal identifiable information that is not directly identifiable by itself.

Litigation support may need to be apprised by lawyers of how to develop a low- to high-harm threat-level scale. The scale should be applied to any data litigation support receives/sends or stores/manages. The threat scale may be used generally to secure client data or a particular file, or may need to be more robust to address specific client, industry, firm practice group or particular case concern.

A general PII protection scale may rate data from low to high level with harm levels set as:

• Low. An inconvenience, but if exposed, the PII would not cause too much harm;
• Moderate. May include financial information that would result in some significant type of loss, such as identity theft, benefits denial, public humiliation, discrimination, loss of a customer/client or the potential for blackmail; or
• High. May involve serious physical, social or financial harm that may result in potential loss of life, loss of livelihood or inappropriate physical detention.

Proper protection of PII by litigation support (and IT or records management) may require examination of information-governance and records-management procedures for litigation support, as well as examination of litigation-support workflow procedures, application of security over litigation data repositories or use of advanced encryption standards to secure PII.

Duty to Protect PII

In representing corporations obligated to protect PII, the duty to protect may extend to the law firm. Protection obligations may apply to specific types of electronic files in a case or an entire data collection. Lawyers who practice within certain industries may be more aware of their PII protect duties and obligations than others are.

But litigation support (or IT/records management) is probably not self-aware of any extended obligation the lawyer has to protect PII when, or if, the protection duty is passed from corporation to law firm. It may be worthwhile, then, for certain litigation practice group leads or key lawyers to regularly address and advise litigation support if and when there is an obligation to protect PII.

It is also important to keep in mind that PII protection requirements for a particular client or industry may need to be addressed at the case or project level, at work in progress stages or repository levels, at the database field level or at the point data is in transit. The obligation may also extend to vendors when hired to work on, or with, client data. This should be considered part of an overall security protection plan for PII data. For law firms specializing in litigation fraught with personal identifiable information, it may be time to consider how to deploy more stringent security measures over active and inactive litigation-support data and client evidence.

Disguising Data

Litigation support should be well versed in how to examine and treat PII. Personal identifiable information protection and treatment should be on the short list of discussion topics with vendors, too, concerning when they are engaged to handle such data. It is clear that courts will require one to demonstrate PII definition, a sound treatment process/methodology, and to educate the court and opposing counsel on how results were obtained, particularly in instances where PII is disguised to protect its content from harmful disclosure.

Disguised information ' called anomalyzing data, a term being used in the litigation-support sector because the original information has been made into an anomaly of sorts, something different or unusual ' is defined as previously identifiable information that has been de-identified by replacing the identifiable data with a masking code. The data removed may be identified only by removing the masking code, and that way revealing the initial data the mask replaced. Information disguised this way usually involves the application of statistical disclosure limitation techniques to ensure the data cannot be re-identified. Five such techniques are:

• Generalizing the data. Making information less precise, such as grouping continuous values ;
• Suppressing the data. Deleting an entire record or certain parts of a record;
• Introducing noise into the data. Adding small amounts of variation into selected data;
• Swapping the data. Exchanging certain data fields of one record within the same data fields of another similar record ( e.g., swapping the ZIP codes of two records); and
• Replacing data with the average value. Replacing a selected value of data with the average value for the entire group of data. ( See, Guidelines to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-122, Erika McCallister, Tim Grance, Karen Scarfone, April 2010 at 4-6, available at http://1.usa.gov/HVmqZ9.)

Using these techniques, the information is no longer personal identifiable information, but it can retain its useful and realistic properties. Tread lightly if PII must be anomlyzed in a file. Carefully consider how to mask PII in a way that protects the information from harm. Seek court approval when PII must be anomolyzed and exchanged between litigants, and always document the definitions, the process and the results.

Conclusion

Litigation support requires lawyer assistance to properly identify and address PII protection duty and obligations. If a broad PII protection approach is taken, then a basic protection plan may be prepared by a well rounded team of key stakeholders who may include a lawyer, and personnel from IT, litigation support and records management. This team will be able to consider the full scope of protection required for the entire life of the data. A basic protection plan may include:

• Limiting access to client data containing PII by deploying ethical walls, folders, or file- or field-level security;
• Using advanced encryption standards for data transit; or
• Applying firm records-management policies and procedures to dispose client evidence with PII in a timely fashion.

If a case-by-case protection approach is taken, then responsibility will rest with the lawyer and client to define what PII is, its nature, the harm and threat level, and to advise litigation support of its obligations to protect data containing PII.

Protection actions, whether broad-based or case-specific, will require lawyer, litigation support, the firm's IT and records-management departments to work together closely to ensure that PII content is properly maintained and secure throughout the lifecycle of the file.