
Litigation Support Information Governance

By Alice E. Burns
June 28, 2012

The treatment of personal identifiable information (PII) is quickly becoming a critical issue and should be on litigation support's risk and information governance agenda. Certain industry sectors that lawyers represent may have a duty to protect PII. For some corporations, such as those in the financial or medical sectors, the duty to protect PII may be highly regulated; in other industries that compile personal information as statistical information, education or government for example, the duty may be self-imposed through Acts or executive order. Where an industry does compile personal identifiable information and there is a duty to protect this information, companies are moving to regulate this information within their internal systems. What happens when PII is transmitted to litigation support as part of client information subject to an adversarial action? What is PII anyway? Does litigation support have a duty to protect PII on behalf of the law firm's client? If there is a duty, how should litigation support react to protect PII?

PII Defined

There is no clear consensus as to the exact definition of personal identifiable information, as each law or regulation offers a slightly different PII definition. An amalgam of several definitions offers us this general definition: any information about an individual maintained by an agency, including: 1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name or biometric records; and 2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.

See OMB Memoranda 07-16 and 06-19. See also GAO Report 08-536, Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, May 2008, www.gao.gov/assets/280/275572.pdf.

Consensus to Protect PII at Rest, in Transit

There is no single law in the United States that provides a comprehensive treatment of data protection or privacy. There have been a number of laws and executive orders specifically dealing with data protection concepts, and at least 47 states are currently considering some level of privacy law provision that requires personal identifiable information to be properly protected from erroneous disclosure. There is some consensus within these laws and regulations that PII should be protected both at rest and in transit.

Many corporations, government organizations and law firms are subject to laws, regulations, or other mandates governing the obligation to protect personal information, such as the Privacy Act of 1974, OMB memoranda, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Some organizations are also subject to specific legal requirements based on their role. For example, organizations acting as financial institutions by engaging in financial activities are subject to the Gramm-Leach-Bliley Act (GLBA). Also, some agencies that collect personal identifiable information for statistical purposes are subject to the strict confidentiality requirements of the Confidential Information Protection and Statistical Efficiency Act (CIPSEA); this may include universities and other educational institutions. Organizations may also be obliged to protect PII by their own policies, standards or management directives. Violations of these laws or regulations can result in civil or criminal penalties.

Massachusetts is one example of a state that has recently adopted a privacy law to address personal identifiable information. If you do business with residents of Massachusetts or have employees who reside in Massachusetts, you must comply with the Massachusetts Privacy Law (201 CMR 17, March 1, 2010), which requires that a specific technology, encryption, be used to protect personal identifiable information, whether “data is at rest” or “data is in transit” over a public network such as the Internet.

Law firms working with clients who may be subject to PII laws or regulations, or any firm clients with internal policies, standards or management directives regarding PII protection, may need to advise litigation support of their duty and obligations to protect PII. To lessen risk in the face of the patchwork of PII laws and regulations, litigation support may need to take a broad approach to protecting all forms of client data, regardless of whether the data actually contains PII. A broad-based approach should address both data at rest (e.g., preservation data, work in progress, ESI review or production repositories) and data in transit (e.g., evidentiary attachments to e-mail; external media; files sent via file transfer protocols (FTP, SFTP)). A PII protection assessment should consider protection requirements at the department and litigation case levels, as well as any underlying litigation support data repositories, data subsets or data transmission mechanisms and streams. An examination of PII protection capabilities may underscore the need to improve litigation support information governance by considering how information is transmitted to and from the law firm, how data is stored and managed, and how to apply the firm's records management policies and procedures to electronic evidence under management by litigation support.

How Identifiable is PII

Organizations are being directed to evaluate how easily personal identifiable information can be used to identify specific individuals. At one level, PII composed of individuals' names, fingerprints or SSNs may uniquely and directly identify individuals, whereas PII data composed of individuals' zip codes and dates of birth may indirectly identify individuals or significantly narrow large datasets. However, data composed of only individuals' area codes and gender usually would not provide for direct or indirect identification of an individual. Direct or indirect identification may be dependent upon the context and sample size. Thus, PII that is uniquely and directly identifiable may warrant a higher level of protection than PII that is not directly identifiable by itself.

Litigation support may need guidance from lawyers on how to develop a low-to-high harm threat level scale. The scale should be applied to any data litigation support receives, sends, stores or manages. The threat scale may be used generally to secure client data or a particular file, or may need to be more robust to address a specific client, industry, firm practice group or particular case concern.

A general PII protection scale may rate data from low to high level with harm levels set as:

  • Low. An inconvenience; if exposed, the PII would not cause much harm;
  • Moderate. May include financial information whose exposure would result in some significant type of loss, such as identity theft, benefits denial, public humiliation, discrimination, loss of a customer/client or the potential for blackmail; or
  • High. May involve serious physical, social, or financial harm that may result in potential loss of life, loss of livelihood or inappropriate physical detention.

Proper protection of PII by litigation support (and IT or records management) may require examination of information governance and records management procedures, as well as examination of workflow procedures, application of security over litigation data repositories, or use of advanced encryption standards to secure PII.

Duty to Protect PII

In representing corporations obligated to protect PII, the duty to protect may extend to the law firm. Protection obligations may apply to specific types of electronic files in a case or to an entire data collection. Lawyers who practice within certain industries may be more aware of their PII protection duties and obligations than others. It is doubtful, however, that litigation support (or IT/records management) is aware of any extended obligation the lawyer has to protect PII when and if the protection duty is passed from corporation to law firm. Therefore, it may be worthwhile for certain litigation practice group leads or key lawyers to regularly address and advise litigation support if and when there is an obligation to protect PII. PII protection requirements for a particular client or industry may need to be addressed at the case or project level, at work-in-progress stages or repository levels, at the database field level, or at the point of data transit. The obligation may extend to vendors when they are hired to work on client data. This should be considered as part of an overall security protection plan for PII data. For law firms specializing in litigation fraught with personal identifiable information, it may be time to consider how to deploy more stringent security measures over active and inactive litigation support data and client evidence.

Anonymizing Data

Litigation support should be well versed in its own internal abilities to both examine and treat PII. Personal identifiable information protection and treatment should be on the short list of discussion topics with vendors where they are engaged to handle such data. It is clear that courts will require a party to demonstrate how it defined PII and that it used a sound treatment process and methodology, and to educate the court and opposing counsel on how the results were produced, particularly in instances where PII is anonymized to protect its content from harmful disclosure.

Anonymized information is defined as previously identifiable information that has been de-identified by replacing the identifiable data with a masking code. The removed data can be recovered only by removing the masking code, which reveals the original data the mask replaced. Anonymizing information usually involves the application of statistical disclosure limitation techniques to ensure the data cannot be re-identified. Five such techniques are:

  1. Generalizing the data. Making information less precise, such as grouping continuous values.
  2. Suppressing the data. Deleting an entire record or certain parts of a record.
  3. Introducing noise into the data. Adding small amounts of variation into selected data.
  4. Swapping the data. Exchanging certain data fields of one record with the same data fields of another similar record (e.g., swapping the zip codes of two records).
  5. Replacing data with the average value. Replacing a selected value of data with the average value for the entire group of data.

See NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance and Karen Scarfone, National Institute of Standards and Technology, U.S. Department of Commerce, April 2010, at 4-6, available at http://1.usa.gov/HVmqZ9.

Using these techniques, the information is no longer personal identifiable information, but it can retain its useful and realistic properties. Tread lightly if PII must be anonymized in a file. Carefully consider how to mask PII in a way that protects the information from harm. Seek court approval when PII must be anonymized and exchanged between litigants, and always document the definitions, the process and the results.
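As an added illustration that is not part of the original article and not NIST's own code, the following Python script applies each of the five techniques above to a small constructed export (every name, SSN, zip code, date of birth and salary is invented) and then checks the point made earlier under "How Identifiable is PII": it counts how many records still share each combination of zip code and date of birth, so that any record left unique on those indirect identifiers can be suppressed before the file is exchanged. The field names, the decade and three-digit-zip brackets, the minimum group size and the noise spread are assumptions chosen for the example.

```python
import random
import re
import statistics
from collections import Counter

# Constructed sample export: every person, SSN, zip, date and salary below is invented.
RECORDS = [
    {"name": "Ann Example",  "ssn": "123-45-6789", "zip": "02108", "dob": "1975-03-14", "gender": "F", "salary": 52000},
    {"name": "Bob Example",  "ssn": "987-65-4321", "zip": "02108", "dob": "1978-11-02", "gender": "M", "salary": 61000},
    {"name": "Cara Example", "ssn": "111-22-3333", "zip": "02110", "dob": "1982-07-30", "gender": "F", "salary": 58000},
    {"name": "Dan Example",  "ssn": "222-33-4444", "zip": "02110", "dob": "1989-01-19", "gender": "M", "salary": 47000},
    {"name": "Eve Example",  "ssn": "333-44-5555", "zip": "02108", "dob": "1979-05-05", "gender": "F", "salary": 55000},
    {"name": "Fay Example",  "ssn": "444-55-6666", "zip": "01002", "dob": "1960-12-25", "gender": "F", "salary": 69000},
]

# Hypothetical field names: direct identifiers single a person out on their own,
# quasi-identifiers (zip code, date of birth) identify only in combination.
DIRECT_FIELDS = {"name", "ssn", "fingerprint"}
QUASI_FIELDS = ("zip", "dob")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def find_direct_identifiers(record):
    """Return field names holding direct identifiers: the known fields plus any
    value shaped like an SSN, whatever column it landed in."""
    found = {f for f in record if f in DIRECT_FIELDS}
    found |= {f for f, v in record.items() if isinstance(v, str) and SSN_RE.match(v)}
    return sorted(found)


def generalize_dob(dob, width=10):
    """Technique 1: collapse an ISO date of birth to a birth-decade bracket."""
    year = int(dob[:4])
    start = year - year % width
    return f"{start}-{start + width - 1}"


def generalize_zip(zip_code, keep=3):
    """Technique 1: keep only the leading digits of a zip code."""
    return zip_code[:keep] + "*" * (len(zip_code) - keep)


def suppress_fields(record, fields):
    """Technique 2: drop the named fields from a record (new dict, original untouched)."""
    return {k: v for k, v in record.items() if k not in fields}


def add_noise(value, spread, rng):
    """Technique 3: perturb a numeric value by a small random amount within +/- spread."""
    return value + rng.randint(-spread, spread)


def swap_field(records, field, i, j):
    """Technique 4: exchange one field between records i and j; returns a new list."""
    out = [dict(r) for r in records]
    out[i][field], out[j][field] = records[j][field], records[i][field]
    return out


def replace_with_mean(records, field):
    """Technique 5: replace every value of a field with the mean for the whole group."""
    mean = statistics.mean(r[field] for r in records)
    return [{**r, field: mean} for r in records]


def group_sizes(records, fields=QUASI_FIELDS):
    """Count records sharing each quasi-identifier combination.
    A combination seen once singles out one person (indirect identification)."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_group(records, fields=QUASI_FIELDS):
    """Size of the smallest quasi-identifier group; 1 means someone is still unique."""
    return min(group_sizes(records, fields).values())


def deidentify(records, min_group=2, salary_spread=500, seed=0):
    """Pipeline: drop direct identifiers, generalize quasi-identifiers, suppress any
    record still unique on them, then add noise to the sensitive salary value."""
    rng = random.Random(seed)
    out = []
    for r in records:
        r = suppress_fields(r, find_direct_identifiers(r))
        r["dob"] = generalize_dob(r["dob"])
        r["zip"] = generalize_zip(r["zip"])
        out.append(r)
    sizes = group_sizes(out)
    out = [r for r in out if sizes[tuple(r[f] for f in QUASI_FIELDS)] >= min_group]
    for r in out:
        r["salary"] = add_noise(r["salary"], salary_spread, rng)
    return out


if __name__ == "__main__":
    print("smallest quasi-identifier group before:", smallest_group(RECORDS))
    cleaned = deidentify(RECORDS)
    print("smallest quasi-identifier group after:", smallest_group(cleaned))
    for r in cleaned:
        print(r)
```

Run as a script, it prints the smallest quasi-identifier group before and after treatment. In the constructed sample, generalizing alone leaves one record unique on zip and birth decade; only the suppression step removes it. That group count, together with the definitions and bracket widths used, is the kind of record worth keeping for the court and opposing counsel.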

Conclusion

Litigation support requires lawyer assistance to properly identify and address PII protection duties and obligations. If a broad PII protection approach is taken, then a basic protection plan may be prepared by a well-rounded team of key stakeholders, who may include a lawyer, IT, litigation support and records management. This team will be able to consider the full scope of protection required for the entire life of the data. A basic protection plan may include: 1) limiting access to client data containing PII by deploying ethical walls, or folder, file or field level security; 2) using advanced encryption standards for data in transit; or 3) applying firm records management policies and procedures to dispose of client evidence containing PII in a timely manner. If a case-by-case protection approach is taken, responsibility will rest with the lawyer and his or her client to define what PII is, its nature and the harm threat level, and thereafter to advise litigation support of its obligations to protect data containing PII. Protection actions, whether broad-based or case-specific, will require the lawyer, litigation support, and the firm's IT and records management departments to work together closely to ensure that PII content is properly maintained and secure throughout the entire file's lifecycle.


Alice E. Burns is Managing Director and Legal Solutions Architect at Eleventh Hour (www.eleventhhour.co). As a discovery consultant, Burns regularly assists lawyers in developing case-specific end-to-end discovery solutions, workflow and evidence management procedures for high-profile litigation.
