During the eDiscovery phase of civil litigation, lawyers may be given access to a lot of electronically stored information (ESI), some of which might be covered by certain laws/regulations. To avoid harsh penalties and preserve client confidence, attorneys must move to secure ESI especially during file sharing, when the information can be exposed to a variety of threats.
In this post, we'll take up two important regulations that, due to their wide coverage, can impact a considerable number of eDiscovery processes. We'll then discuss the data protection methods attorneys can employ when transferring ESI to avoid violating these regulations.
Under the Health Insurance Portability and Accountability Act (HIPAA), health care providers, health plans, health care clearinghouses, and other covered entities are required to carry out measures to secure what is known as electronic protected health information (ePHI).
Many kinds of recorded information are considered ePHI, including:
information doctors and nurses enter into medical records;
patient billing information; and
even conversations between doctors and nurses regarding a patient's treatment
Although attorneys aren't automatically considered covered entities, some may have clients who are. If you serve as counsel for a covered entity, you might eventually be given access to ePHI; e.g. when you dive into electronic health records (EHR) during eDiscovery.
This would put you in a category which HIPAA classifies as Business Associates. Under HIPAA's expanded version (known as HITECH) requirements pertaining to the security and privacy of ePHI, which only applied to covered entities, now apply to business associates as well.
In effect, attorneys are now mandated to implement strong security measures to protect any ePHI that ends up in their hands.
In the event of a security or privacy breach affecting ePHI under their care, attorneys can be charged with civil penalties of $100 to $50,000. In addition, there are breach notification provisions that require attorneys to notify affected individuals and, in certain cases, the Secretary of HHS as well as media outlets.
Publication of the incident on the Secretary's website, which is provided by law, and in media outlets can seriously damage your image or your law firm's reputation.
Note that the law allows anyone harmed from the data breach to receive a percentage of the penalty. Because of this, there would certainly be a lot of opportunists who would not hesitate to claim harm.
For a more thorough discussion regarding HIPAA compliant file transfers, please click that link.
Like HIPAA, the GLBA or Gramm-Leach-Bliley Act is an industry-specific federal law aimed at protecting personal information. GLBA covers financial institutions. But its definition of a "financial institution" is quite broad.
Any company significantly engaged in financial activities can be considered a "financial institution" under the GLBA, including businesses offering products/services like: loans, financial advice, investment advice, debt collection, real estate settlement services, money or security exchanges, etc. Some of the examples given in the GLBA website include check-cashing businesses, data processors, mortgage brokers, non-bank lenders, and real estate appraisers.
The law requires all these institutions to ensure the security and confidentiality of sensitive customer data (known as nonpublic personal information or NPI) such as:
names, addresses, phone numbers;
bank and credit card account numbers;
income and credit histories; and
Social Security Numbers.
What has this got to do with an attorney like you?
Just like in HIPAA (remember "business associates"?), not all attorneys are covered by the GLBA. However, if you've got a client who qualifies as a financial institution as per GLBA definition, you will be required to fulfill certain obligations whenever you receive NPI through that particular client.
So for example, upon receiving NPI during a discovery process, you have to make sure the NPI is not disclosed to anyone other than the affiliates of your client and, to a limited extent, your own affiliates.
Between these two laws alone, a large number of organizations can be covered. Hence, if you're a lawyer, there's a good chance you already have a couple of clients whose data will be needing optimal security during eDiscovery.
Protecting data-in-motion ESI using secure file transfers
In an eDiscovery process, file sharing doesn't only take place between opposing litigators. As seen from the figure below, the entire process consists of multiple stages. In one stage alone, sharing can occur among litigators, litigants, IT specialists, digital forensic experts, paralegals, and other litigation support personnel.
When a file transfer of ESI has to traverse insecure networks like the Internet, it will be exposed to numerous threats. To prevent ESI from being compromised, it would be best to implement secure file transfer technologies such as FTPS, SFTP, and HTTPS, which encrypt data-in-motion and hence keep it safe from snoops lurking across the network.
Protecting data-at-rest using DLP and PGP encryption
Due to the sheer volume of files that have to be scrutinized during eDiscovery, a manual method of locating ePHI, NPI or any protected information within those files will not suffice. In spite of best efforts, there may still be instances wherein sensitive ESI can slip through.
When dealing with voluminous data, it would be best to employ automated methods to find regulation-protected information. Managed File Transfer (MFT) servers like JSCAPE MFT Server have Data Loss Prevention (DLP) modules that are specifically designed to detect this kind of information.
As a matter of fact, JSCAPE MFT Server already comes with built-in DLP Rules that can search occurrences of various payment card numbers like American Express, Diners Club, Discover, Master Card, and many others, including US Social Security Numbers. These particular rules can come in handy for PCI-DSS compliance.
These rules are extremely powerful and can still detect those card numbers from deep within files even if they are encoded in a variety of ways (e.g., with or without hyphens, with single or multiple spaces, a mix of hyphens and spaces, and so on). To appreciate what I mean, please read our blog post Exploring Regular Expressions in DLP.
Since these rules are written using regular expressions, you can create rules tailor-made for HIPAA, GLBA, and other laws and regulations.
HIPAA and GLBA aren't the only laws that require strong protection of certain information. Make sure you are familiar with the data protection and privacy laws that govern your clients. That way, you will known what kinds of information you will need to secure in the event of a lawsuit.