E-Discovery Strategies For Handling Personal Identifying Information
We’re all familiar with the importance of avoiding the inadvertent disclosure of attorney-client communications, work product or sensitive, proprietary or confidential business information. However, our obligations don’t end there. In addition to protecting this information, we also need to consider how to handle personal identifying information (“PII”). With extremely large amounts of data being at play in most litigation matters, it is becoming more and more important to have a solid game plan with safeguards and protections in place. Accidentally disclosing PII can lead to a chaotic discovery process and could lead to expensive monetary sanctions.
What Is PII?
PII is any personal information that may be used to identify a single individual. Generally, this is a person’s name along with some of the following pieces of information:
- Social security numbers
- Driver’s licenses
- Financial account information, such as bank account numbers or credit card numbers
- Birthdays
- Tax identification numbers
- Employee identification numbers
- Account names/passwords
- Personal Health Information (PHI)
Although PII is defined in 2 CFR § 200.79, it is far from being a cut and dried issue. “The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.” 2 CFR § 200.79. Furthermore, “Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual.” Id.
Why Should You Be Worried About Protecting PII?
Attorneys and their clients need to be concerned about protecting PII due a multitude of varying data privacy laws that vary from state to state and, depending on how your clients use data, could include a variety of international laws. These laws protect consumers by providing specific rules on how information can be collected, accessed, and distributed. Violations of these laws can result in heavy fines and sanctions.
United States Federal Law:
Although the United States has no comprehensive data privacy law (yet!), there are several laws/regulations that address these issues, along with regulatory agencies to oversee. These include:
- The Federal Trade Commission and Trade Commission Act, which regulate consumer protections.
- The Health Insurance Portability and Accounting Act (HIPAA), which governs health information.
- The Fair Credit Reporting Act (FCRA), which regulates the use and collection of consumer credit information.
State Laws:
Because there is no comprehensive federal law, states have taken it upon themselves to enact their own privacy laws to protect consumers. Some of the most notable ones are the following:
- The California Consumer Privacy Act (CCPA), which provides broad individual consumer rights and significant duties on companies or persons that collect personal information about or from a California resident.
- The California Privacy Rights Act (CPRA), which expanded on the rights in the CCPA.
- New York: The Stop Hacks and Improve Electronic Data Security (SHIELD) Act amended the existing New York law, adding stronger data breach protections for New York residents.
Here’s a helpful map of states that have already or are contemplating implementing privacy legislation, which can be found on the IAPP website here:[1]
International Laws:
- The General Data Protection Regulation (“GDPR”), which applies to all European Union (“EU”) residents, and reaches any entity that accesses the information regardless of whether the entity is located in the EU. Failure to comply with the GDPR can result in potentially hefty fines — namely, up to 4% of a company's annual global revenues or 20 million euros ($22.8 million), whichever is the bigger amount.
- Brazil's General Law for the Protection of Personal Data (“GPD”) is similar to the GDPR, with violations that can result in a fine such as 2% of their sales revenue, or up to $50 million Brazilian Real (approximately $12 million USD).
What Are The Best Litigation Strategies To Prevent Accidental Disclosures?
Although there is no singular approach that fits every litigation matter, employing these strategies with help limit accidental PII disclosure and violations of privacy laws:
- Build a Data Privacy Map: this will help identify the scope of data at issue, its location, and types of data.
- Targeted Collections: collecting too much data can cause a host of issues during discovery such as sweeping in unwanted PII. Targeting collections will limit the information and will lower the likelihood of this happening.
- Protective Orders: common practice in litigation is for the parties to seek a protective order from the court when a case involves the handling of sensitive information. This will provide a framework and guidelines for counsel to follow. Be sure to include stipulations such as what constitutes a breach, and the scope of how that information is distributed outside of counsel.
- E-Discovery Platform: it almost goes without saying these days that you are going to need a robust e-discovery platform in order to assist with the collection, processing, review, and production of the documents. During the review, having PII key search terms and formats (such as SSNs) highlighted will go a long way in ensuring document reviewers do not overlook PII. Some platforms can even proactively identify potential PII for you based on industry standards or human input.
- Detailed Review Protocols: document reviewers should be given detailed review protocols with information on responsiveness, privilege, and confidentiality. It would be extremely helpful to have a section on PII which describes in detail how to identify it and whether the information should be withheld or redacted.
- QC Protocols: secondary QC searches should be set up to provide another layer of protection from inadvertent PII disclosure.
While this was not an exhaustive list, it gives you planning and preparation strategies that will keep you ahead of the game. With the constant changes in data privacy laws and regulations, it can be tricky to be able to keep up the best approach to dealing with PII. Oftentimes, the responsibility falls on us to keep up with these laws and educate ourselves as to best approaches.