The Florida Bar’s Standing Committee on Technology developed this Quick Start Guide to Data Privacy Laws to answer basic questions on the application of privacy laws to the practice of law, such as what is privacy, who needs to think about privacy issues, and where to start learning more.
This Quick Start Guide is a companion and introduction to the “Selected Data Privacy Laws Outline,” an outline of some laws that regulate the privacy and security of information that attorneys and their clients handle.
The Florida Bar takes no position on whether these guides are complete or accurate. A lawyer should seek legal advice for any questions or concerns about the application of privacy and security laws. This guide is for familiarization with select laws and is not intended as legal advice.
Quick Start Questions & Answers:
1) Who should use this guide and outline?
Every member of The Florida Bar and Florida Registered Paralegals.
2) What is data privacy?
Data privacy can describe the way a person or entity uses, governs, and protects information about users, people, or organizations. This is especially relevant when the collected information could be used to identify individuals using software or a service. This type of data is often referred to as “personally identifiable information,” but this title sometimes varies based on the scope and application of certain data privacy laws.
3) Why are data privacy laws important for the practice of law?
Understanding the privacy landscape is important for lawyers as keepers of information and as counsel for clients who themselves may be keepers of information. As an example, receiving client credit card information may trigger an obligation. Having a website that collects names and emails for marketing could create another obligation. Every piece of information that a firm collects about a person could be subject to any number of state and federal laws. At the same time, client businesses are often faced with similar issues.
Many laws place requirements on storing and deleting information. The biggest concern relates to data breaches. A data breach typically involves an unauthorized person accessing data. The most common image is a malicious hacker exploiting a system vulnerability to gain unauthorized access to the data contained within it. However, the risk of a data breach may also arise from a lost cell phone, a misdirected e-mail, a stolen laptop, or the actions of a disgruntled employee.
Knowing what you are required to do in the case of a data breach, when you need to do it, and what the potential liabilities are is something all attorneys should work to understand.
4) Who do data privacy laws apply to?
The application of specific data privacy laws varies based on the scope of the law, including the entities and information that the law covers. For this reason, all attorneys and their clients should be aware of the variety of privacy laws that may apply to their operations. At the federal level, the U.S. has historically taken a sectoral approach to privacy, covering specific industries or individuals in special circumstances. One example of such a law is HIPAA. Most are aware that HIPAA applies to healthcare providers and health plans. However, it also applies to those entities’ business associates that perform certain activities involving protected health information (PHI). Even a law firm may be a business associate subject to HIPAA requirements if it provides legal services to a covered entity and the provision of those services involves the disclosure of PHI from the covered entity to the law firm.
At the state level, Florida has its own data privacy laws, such as the Florida Information Protection Act, which, among other requirements, addresses data breach notification timeframes and appropriate data security measures for many Florida businesses, including law firms. Each data privacy law has a particular scope with different impacts on attorneys and their clients. The Florida Bar’s Standing Committee on Technology has created the “Selected Data Privacy Laws Outline” to help practitioners identify how data privacy laws may impact their practice. The Committee encourages practitioners to review the guide and research each law’s applicability to their practices and their clients.
5) What type of information is within scope for data privacy laws?
Data privacy laws encompass many types of information – really anything that can be used to single out individual identities. Examples of this type of information include social security numbers, client-specific case information, email addresses, medical history, or credit card information. Also included is nonpublic personal information or information collected as part of a transaction. For an attorney, this might include financial information collected as part of a divorce process. Personal information typically does not include information that lacks identifying characteristics linking the information to a specific individual. However, the world of information that may fall within the scope of data privacy laws is vast and varies depending on the type of law and circumstances.
6) How should I use the Selected Privacy Laws Outline?
The landscape of data privacy laws is constantly changing. The “Selected Data Privacy Laws Outline” can act as a resource in identifying the most common regulations that may apply to you in your practice of law. It is meant to serve as an introduction to the field and to lend insight into the scope and application of data privacy laws. It is not a substitute for conducting your own determination of which laws may apply to your practice and your clients.
7) My data is in the “cloud.” How do I know that my client’s information is secure and accessible to me to comply with these privacy laws?
Cloud service providers are growing more prevalent in the practice of law. However, attorneys should be cautious when using such providers and conduct appropriate due diligence prior to allowing those providers to process client information. All attorneys should understand the protections offered by cloud service providers prior to using them. For detailed information on these considerations, The Florida Bar’s Standing Committee on Technology suggests reviewing the Due Diligence Considerations for Lawyers Evaluating Cloud Service Providers and its companion Quick Start Guide on Cloud Computing.
8) What do I do if I feel my data has been compromised?
If you suspect a data breach has occurred, it is important to act quickly. Determining what laws apply and how to proceed is essential. Competent technical and legal advice should be sought. While each situation is different, the FTC’s Data Breach Response Guide has some valuable tips on how to act.
The conversations around privacy continue to get louder each day and at all levels of society. State governments continue their tradition as laboratories of democracy as they enact privacy legislation. Federal lawmakers are also becoming more active in the area. Attorneys are obligated to become knowledgeable as counselors to their clients, but also as stewards of critical and sensitive information. The penalties for failing to protect information can be severe. This Quick Start Guide and accompanying Selected Data Privacy Laws Outline are intended to expose you to the framework and vocabulary of information privacy. Continue to learn more by reviewing the Selected Data Privacy Laws Outline.