In today’s information-based economy, personal data drives many industries, including technology, healthcare, and even law. As more companies collect this information and as technology changes, the risk of malicious or accidental disclosure of Personally Identifiable Information and security breaches continues to increase.
Personally Identifiable Information, or PII, is any information that can be used to discern or track an individual’s identity and that is linked or linkable to a particular person. Common examples of PII include name, Social Security number, date and place of birth, and mother’s maiden name. But PII can also include biometric records and any other information that can be connected to an individual, such as medical, educational, financial, and employment information.
Many state and federal laws address maintaining the privacy of PII, including:
- The Fair Credit Reporting Act (FCRA)
- The Fair and Accurate Credit Transactions Act (FACTA)
- The Health Insurance Portability and Accountability Act (HIPAA) medical privacy laws
- Federal Trade Commission (FTC) laws governing telemarketing, online, and email marketing
- Payment Card Industry (PCI) requirements aimed at reducing theft and fraud.
In the legal profession, the American Bar Association has issued two opinions addressing the use and protection of PII in law firms.
- ABA Formal Opinion 477R, May 22, 2017-Securing Communication of Protected Client Information: Read ABA 477R
- ABA Formal Opinion 483, October 17, 2018-Lawyer’s Obligations After an Electronic Data Breach or Cyberattack: Read ABA 483
The South Carolina Supreme Court recently amended the Rules of Professional Conduct for attorneys so as “to provide guidance to lawyers about the benefits and risks of using certain technologies, with a particular emphasis on the protection of clients’ confidential information.” Read the Supreme Court Order
Ready to help with privacy and data protection
Our team at Burnette Shutt & McDaniel is prepared to help you manage these risks and evolving responsibilities, and we can help you respond if there is a data privacy incident.
Our primary goal is to help you prevent the disclosure of your clients’ or customers’ PII. To do that, we can conduct a data privacy risk assessment to evaluate the PII you collect and how you maintain, store, process, or share that information. Part of this assessment is understanding whether your business is subject to regulation in other jurisdictions such as California, which recently passed the California Consumer Privacy Act (or CCPA), or the European Union’s General Data Protection Regulation (GDPR). We can then help you understand your rights and obligations involving management of personal data, make informed privacy compliance decisions, create or enhance any policy or procedure that governs the processing of personal data, develop a data privacy program to reduce the risk of improper disclosure of PII, and provide training to your employees on applicable procedures for data management.
Based on the results of the risk assessment, we can prepare a protocol for breach response and conduct exercises to test the incident plan.
If there is a data breach, we are ready to manage a data breach response, including breach investigation and evaluation, engage and oversee the work of forensic teams, prepare breach notification letters, work with regulators, and advise on remediation actions.
Our team can also assist with adversarial proceedings or litigation, including federal or state regulatory inquiries or investigations and litigation of data protection and data breach matters in state, federal, international, and administrative tribunals.