Professional Growth

Attorneys Face Growing Challenges in Uneven Data Privacy Landscape

May 25, 2022

By Jeremy Conrad

The past half century’s unprecedented technological advancements have introduced a plethora of concerns relating to the practice of law and attorneys’ solemn ethical duty to preserve their clients’ confidences.

During a recent D.C. Bar CLE event, Hunton Andrews Kurth LLP attorneys Maeve Olney and Jenna N. Rode provided an overview of the most recent challenges to safeguarding client privacy, both domestically and internationally; government efforts to protect information; relevant court decisions; statutory developments; and the legal and ethical issues that lawyers must consider.

Most countries have adopted some form of data protection, but not the United States as a whole, and this lack of comprehensive legislation creates a significant challenge for practitioners. Rode said that U.S. data privacy laws tend to be narrowly crafted and industry-specific, while other nations’ laws, particularly in Europe, have taken an omnibus approach, establishing broadly applicable data privacy principles that apply across industries.

“For example, we have laws in the U.S. that regulate financial privacy at the federal level and healthcare privacy; HIPAA is well known,” Rode said. “We are starting to see an emergence of comprehensive privacy law at the state level, but at the federal level we are still without an omnibus approach.”

Rode identified four areas of concern surrounding data privacy that attorneys should consider: legal compliance, reputational risk, investment risk, and reticence risk. Legal compliance is necessary to avoid lawsuits and fines. Failure to adequately address privacy issues can result in reputational damage. The growing interest in cybersecurity by investors and the Securities and Exchange Commission has increased investment risk, and organizations may be reticent to use data if they are uncertain about the legal landscape, which means lost opportunities.

“To manage these four risks when we think about data processing and the privacy space, a key concept that has emerged in recent years is privacy-by-design,” Rode said. She explained that companies have to consider privacy concerns at every stage of design and implementation, given the broad range of data privacy approaches taken by different jurisdictions.

Rode also cited recent law firm hacking incidents as evidence that even lawyers whose practice does not involve advising clients on data privacy concerns should apply best practices to their own handling of information.

Olney described the limited federal protections relating to data. The Federal Trade Commission (FTC) is the primary regulator for data privacy in the United States, deriving its authority from section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting trade. Also, HIPAA protects the medical data processed by certain parties, and the Children’s Online Privacy Protection Act safeguards the information of children under the age of 13 collected online.

In the absence of federal regulation, state regulatory schemes have proliferated. There are currently hundreds of different state privacy laws with a broad range of approaches. Among the most significant is the landmark California Consumer Privacy Act, which was amended and expanded by the California Privacy Rights Act. Olney also provided an overview of California’s data privacy laws as well as those of other jurisdictions, including Colorado, Connecticut, Utah, and Virginia.

Federal legislation on data privacy may be on the horizon. Olney cited the Cambridge Analytica scandal, in which an organization harvested massive amounts of consumer data from Facebook for use in the 2016 election. “We’re now moving toward a more comprehensive approach, and we’re seeing that at the state level and potentially federal level down the line, but there’s really not a bill right now that has a chance of passing, in my opinion,” Olney said.

Best practices for data privacy affect not only clients but also attorneys operating online or in the cloud. Rode cited D.C. Bar Ethics Opinion 371, requiring attorneys to understand how nonclient users can access social media postings made by a client. D.C. Rule of Professional Conduct 1.6 addresses confidentiality of information, including attorney–client privilege and the work product doctrine, she said.

The webinar concluded with a set of tips for protecting clients’ data, including ways for attorneys to inform themselves of potential risks, implement written information security policies, identify and classify sensitive data, and continually audit and assess the state of their security, software, and systems. “It’s not a question of if you’ll have a breach, but a question of when,” Rode said. “Having a plan in place that clearly establishes your policies and procedures and clearly identifies who is responsible is important.”