Q&A with “Rising Star” Privacy Attorney Mason Weisz, Esq.
Mason, welcome to True North, H5’s blog on navigating the challenges related to electronically stored information (ESI) in the context of litigation, investigations, ediscovery, records management, and compliance. Thanks for taking the time to answer some questions about data privacy.
Can you tell us a bit about the privacy practice and your focus on data privacy issues?
I entered the world of privacy law 10 years ago in the New York State Attorney General’s Internet Bureau. Back then, the field was in its infancy, and there weren’t nearly as many privacy laws on the books. For example, this was before the advent of a federal spam law, and we fought spammers by using more traditional legal tools, such as fraud claims. Today I am in private practice, and the legal and technological landscapes have evolved. I help companies navigate a rapidly expanding web of domestic and international laws regulating marketing, data sharing, financial privacy, computer crime, health privacy, electronic surveillance, information management, data security, and other related topics. My focus is on counseling and transactional work. For example, I help my clients mitigate privacy risk when designing mobile apps, negotiating data licenses, deploying social media tools and responding to data breaches and inquiries from regulators.
How do data privacy issues intersect with the world of electronic data?
Electronic data is the lifeblood of the privacy arena. As a rule of thumb, where the data relate to an identified or identifiable person, there exists the potential that modern privacy laws apply. In recent years, regulators such as the Federal Trade Commission have moved beyond even that broad conception of privacy and have asserted authority to bring enforcement actions involving data that relates only to an identifiable device (such as a unique number stored in a cookie), as opposed to a directly identifiable person. And while most privacy laws are technology-neutral, a fair number of them apply only to electronic data (such as some of the state breach notification laws).
What do you think are the biggest risks facing corporations today when it comes to data privacy?
Businesses face risks from two key types of events, both of which can be caused by the same underlying problem, and both of which can lead to litigation, enforcement actions and devastating reputational fallout. The events are (i) data breaches and (ii) the unexpected handling of personal information in manner contrary to law or to consumer expectations. A large percentage of these cases arise because the company lacks a clear understanding of its data flows, i.e., what personal information it collects; how it uses that information; where the information is stored and by whom; and to whom the information is disclosed, why and subject to what contractual restrictions. A company that lacks this self-knowledge has little ability to assess and improve its compliance posture.
You would be surprised by how often in-house counsel in well established companies have told me things like, “For years we’ve been promising our customers that we never use their data for marketing or share it with third parties, but I just found out that we’re in the middle of five joint marketing campaigns involving the pooling of customer data, and we can’t figure out who hosts the data.” Further investigation often reveals noncompliance with the underlying marketing laws. Part of this is based on a lack of understanding of how privacy laws have evolved. If you take a poll of marketing department leaders in these companies, for example, and ask them whether they hold any personal information, quite a few of them will say no. This is an earnest response but is based on the erroneous view that only things like Social Security Numbers and drivers’ license numbers constitute personal information and are subject to privacy law. In fact, most of these marketing departments collect a large quantity of personal information that is subject to a growing array of privacy laws, many of which feature prominently in privacy class action litigation. This disconnect, if left uncorrected, allows privacy issues to grow unchecked until one day the company experiences an unpleasant surprise. The first step to eliminating this problem is to develop an understanding of the company’s collection, use and disclosure of personal information.
To what extent are the privacy issues that complicate cross-border discovery addressed by handling the review where the data resides?
As the question suggests, the laws of the European Union member states and other economically significant jurisdictions (e.g., South Korea, Russia and a growing number of Latin American countries) heavily restrict the exportation of personal data, even within the same company or corporate family. There are legal mechanisms for surmounting these restrictions, some of which can be put into place as part of the company’s global data transfer compliance strategy before litigation arises, but some may be inappropriate for a particular litigation due to factors such as time constraints, the need for cooperation from the source of the data (e.g., the adversary) or the need for government involvement. Conducting even a portion of the review where the data resides can help with these issues. For example, the compliance burden associated with exporting 200 “hot docs” may be significantly less than that associated with exporting the 2 million records from which they must be culled.
How might privacy issues be impacted by the trend toward technology-assisted review in e-discovery?
Technology of this nature tends to amplify the effects of the decisions of those who use it. A savvy user can deploy technology-assisted review to reduce certain privacy risks. For example:
- It can automate the processing of records containing sensitive information that human reviewers may be tempted to abuse, such as financial or health data.
- It can generate audit logs and accountability, lessening the temptation for privacy abuses.
- It can help identify records containing data for which redaction or other protective measures may be appropriate (e.g., Social Security Numbers or passwords).
- It may provide enhanced security for the records, lessening the likelihood of a data breach during review (e.g., by restricting the printing and sending functionality).
The software alone can’t solve all privacy problems, but it can be an effective tool in the hands of an experienced user with a clear understanding of the privacy issues at stake in a particular case.
In what ways does appropriate identification and defensible disposal of records that a corporation no longer needs reduce the risk associated with privacy-relevant data?
“Appropriate” is the key word here. Other than not collecting unnecessary information in the first instance, one of the most effective ways to mitigate the privacy risk associated with information is to securely dispose of it when it is no longer needed for business or legal purposes. A hacker can’t steal your historical account records if you securely delete those records before the hacking attempt. Two caveats are in order, however. First, the means by which the company disposes of the records should be commensurate with the sensitivity of the data and must comply with any disposal requirements mandated by applicable law. Fines for improper disposal methods have been as high as seven figures in the U.S. Second, real risk arises from the disposal of records that a business is required to retain under the thousands of state and federal records retention laws. Without a solid system for identifying and tracking information throughout its lifecycle, a business will have a hard time knowing when it can legally purge its records. As mentioned above, knowledge is key.
Mason Weisz is counsel at ZwillGen, PLLC. He helps clients navigate a constantly shifting web of domestic and international laws regulating marketing, financial privacy, computer crime, health privacy, electronic surveillance, data security, information management, data sharing, and other areas of privacy law. He has extensive experience with issues relating to the Internet, digital media, new technology and e-commerce. For more on Mason, see https://www.zwillgen.com/crb_team/mason-weisz/
Photos courtesy of Hunton and Williams, LLP, and rpongsaj