Corporate legal departments and law firms that host and review data online bear a significant responsibility to ensure that personally identifiable information (PII) remains protected. According to the Social Security Administration, identity theft is one of the fastest growing crimes in America, and the Federal Trade Commission (FTC) estimates approximately nine million Americans have their identities stolen each year. Most of these crimes rely heavily on a single piece of information - the Social Security number (SSN). As more and more information moves online, criminals have developed a variety of methods to steal information, and the majority of these lost or stolen SSNs are a result of database security breaches. By stealing SSNs, criminals can commit financial fraud, open new lines of credit, empty bank accounts and even rack up false medical bills. This means that protecting access to SSNs in the digital era is more important than ever.
When organizations collect large volumes of data during discovery, and especially when client information is collected, sensitive information is often swept up in the collection and processed. With hackers’ ability to break into any computer system, it is imperative that document management databases be safeguarded. If there is a security breach, innocent bystanders may become victims of identity theft, and the organization hosting the data will almost certainly be held responsible and endure a public relations nightmare.
The FTC, acutely aware of the risks of collecting and hosting data that contains PII, has written and published its own security guidelines to ensure that data is protected. Firms hosting data internally in a Concordance, Summation, Relativity or other proprietary database should consider implementing security measures and policies that track the FTC guidelines. If a third-party provider is used, firms are well-advised to consider the provider’s security systems in light of those guidelines and perform an audit of their environment. Most reputable providers offer top-notch security, and for many firms these providers may represent a more economical option than attempting to set up a firewall in-house.
While sensitive information is particularly vulnerable when firms are hosting data, it can also be compromised when turned over to adversaries or government entities, or when it is filed with the court. Rule 5.2 of the Federal Rules of Civil Procedure, as well as many state equivalents and industry regulations such as the Health Insurance Portability and Accountability Act (HIPAA), require privacy protection for parties or non-parties whose information may be included in court filings. Such information includes not only SSNs, but also taxpayer-identification numbers, birth dates, financial account numbers and the names of minors. As awareness of identity theft increases, courts have become increasingly intolerant of un-redacted PII and have recently granted sanctions when sensitive information has been exposed.
Three recent cases illustrate the risk to counsel that fails to heed the importance of protecting PII. In Allstate v. Linea Latin, the plaintiffs filed an Amended Complaint on the court’s Electronic Case Filing System, which contained more than 160 pages of exhibits disclosing birth dates, names of minors, and financial and other sensitive information. The court cited the advisory committee note to Federal Rule 5.2 and made clear that it is up to the parties to remember all documents are now available over the Internet. The court went on to add that attorneys can no longer ignore technology and shift blame for missed redactions to support staff; the potential consequences of filing documents with personal information are now far too serious. The court emphasized that it is the responsibility of counsel to ensure that personal identifiers are properly redacted. Accordingly, sanctions were granted against plaintiff’s counsel.
In Weakly v. Redline Recovery, documents were filed with the plaintiff’s full SSN listed. Prior to filing the documents, the defendant’s attorney checked a box indicating that he had read a notice that explicitly established his responsibility for redacting sensitive information: “IMPORTANT NOTICE OF REDACTION RESPONSIBILITY: All filers must redact: Social Security…numbers…in compliance with Fed. R. Civ. P. 5.2.” Sanctions were granted against the defendant’s counsel.
Finally, in Engeseth v. County of Isanti, counsel filed an affidavit with full SSNs and dates of birth for 179 individuals. The court stated it was deeply concerned about the harmful and widespread ramifications associated with negligent and inattentive electronic filing of court documents and noted that, although electronic filing significantly improves the efficiency and accessibility of our court system, it elevates the likelihood of identity theft and damage to personal privacy when lawyers fail to redact. Again, sanctions were granted.
In light of these and other cases, it is crucial that attorneys identify all instances of PII during the review phase of e-discovery. Tired eyes can often miss data that reveals personal information. To mitigate this risk, firms should consider using a tool that automatically redacts patterned data such as SSNs and birthdates. With auto-redact technology, reviewers can designate redaction patterns of data to look for, including specific number patterns (such as SSNs or phone numbers or account numbers) or specific text strings. The tool will search and find them automatically, obscuring them with a black box to ensure they are not produced. A good tool will also incorporate a number of quality control protocols to validate performed redactions, flag instances of data that may require manual redaction and generate reports to document a defensible process.
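The pattern matching, flagging and quality-control steps described above, sketched as an added example (not code from this article or from any redaction product). It goes a little beyond the paragraph by using the SSA's issuance rules and a nearby-label check to choose between redacting and flagging; the function names, the 25-character window and the sample text are assumptions.

```python
import re

# 3-2-4 digits with a consistent optional separator, not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
LABELS = ("ssn", "social security")
MASK = "\u2588"  # black box character, one per redacted character

def plausible(area, group, serial):
    # SSA does not issue area 000, 666 or 900-999, group 00, or serial 0000.
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def auto_redact(text, window=25):
    """Return (redacted_text, report). Report rows hold offsets only, never the value."""
    out, report, last = [], [], 0
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        before = text[max(0, m.start() - window):m.start()].lower()
        labelled = any(lbl in before for lbl in LABELS)
        ok = plausible(area, group, serial)
        if ok and (sep or labelled):
            action = "redacted"
            out += [text[last:m.start()], MASK * len(m.group())]
            last = m.end()
        elif ok or sep or labelled:
            action = "flagged"   # ambiguous hit: left in place for a human reviewer
        else:
            continue             # bare, unlabelled, unissuable digit run: ignore
        report.append({"offset": m.start(), "length": len(m.group()), "action": action})
    out.append(text[last:])
    return "".join(out), report

def qc_residual(redacted):
    """QC pass: offsets of formatted SSN-shaped strings still present after redaction."""
    return [m.start() for m in SSN_RE.finditer(redacted) if m.group(2)]

# Constructed sample document; every value below is made up.
SAMPLE = (
    "Claimant SSN: 123-45-6789, born 01/02/1980.\n"
    "Wire reference 412345678 was posted on 03/04/2011.\n"
    "Social Security No. 219099999 appears on the W-2.\n"
    "Form code 000-12-3456 is not an SSN."
)

if __name__ == "__main__":
    redacted, report = auto_redact(SAMPLE)
    print(redacted)
    print(report, qc_residual(redacted))
```

Because the report stores only offset, length and action, it can be kept as process documentation without itself becoming a copy of the PII.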
Now that nearly all evidence is stored electronically and can be accessed online, implementing security measures that meet FTC standards for protecting private data is an essential first step to ensure PII is protected, but many firms will also want to consider using automated redaction tools, which not only significantly reduce the risk of missed redactions, but also streamline the redaction process to save both time and money.