Attorney Perspective: The Importance of Data Privacy

When attorney Darius Bennett first got involved in e-discovery seven years ago, he didn’t necessarily envision that data privacy would play a role in his day-to-day—but these days, data knows no boundaries.

“When the [COVID-19] pandemic hit, data security and privacy became immediate concerns because everyone who could was now working from home, but not everyone was prepared to do that from a cybersecurity and privacy standpoint,” said Bennett. “Although I already worked from home, I became even more interested in being well-educated on the topics of the secure transfer of data, data storage, the safe elimination of data, and general privacy concerns related to that data. Essentially, how can I ensure my clients that their data is safe with me? My first thoughts were secure transmissions, encrypted access and secure deletion.”

Bennett, a licensed attorney practicing for 15 years, signed up for a webinar through EDRM, and found Exterro’s Masters of Data Privacy courses referenced within.

“I eventually thought that If I became certified in data privacy, it would give my clients the assurance I felt they needed,” said Bennett. “I hoped that their knowing that I sought specific training related to privacy protection would provide them the comfort that I would not mishandle their data.”

Bennett recently sat down with Exterro to discuss his experiences with the Masters of Data Privacy courses, and offer his thoughts for those who are considering signing up.

Exterro: What did you take away from this course?

Bennett: There was a good deal to take away!

If you’ve attended the entire series, you should feel a sense of urgency about how you’re dealing with people’s data and should know that there’s probably more that you should be doing.

I deal with both corporate clients and public-facing clients. During the series, as I began to see the inter-relatedness of cybersecurity, data governance and data privacy, I began to firmly believe that the people working in those areas of an organization need to be jointly involved in decisions that relate to overall information governance, including when and how to allow a contractor like myself third party access. I also thought of my public clients’ information, and how much of it we as private attorneys retain needlessly. I realized that even law firms that face the general public must have data inventory, data mapping, data access, data retention and data elimination processes. And, I learned through the Exterro series that those processes should be automated, including regular updates, and that all key players should be kept in the loop. Not inexpensive. But, we all must behave responsibly, those representing corporate clients and those representing the public. This series emphasizes that and explains why it is significant.

Exterro: What can you apply to your daily practices?

Bennett: The first thing that springs to mind is undertaking a data inventory. That never would have occurred to me without this series.

If I were to sit down with a corporate client that sought to improve its data privacy policy, I would ask the following questions: “Do you, or does anyone here, know all the information you have stored, where it is stored, and who has access to it?” I am fully convinced that it is a fundamental first step. And, there are occasions where corporations and law firms alike simply have not contemplated the perils of being unable to answer those questions. Essentially, Know Your Information.

During the first three months of the shutdowns, and because courts were closed, I attended a large number of webinars and virtual talks where data privacy and cybersecurity were discussed, but only in the context of the viability of working from home. Data inventories, data mapping and data retention/elimination were hardly ever discussed. If they had been more than a passing reference, I definitely would have spent more of those slower earlier days working on the data inventory for my boutique practice. That’s what I have begun to do since the series ended: ascertain the location(s) of any client information stored and determine whether I can now eliminate it.

It is essential for those of us who work with others’ data to understand that it is not just a weapon in the legal context, or an asset that can be commercialized in the business context. It could be that, whether you’re a company or a law firm, you’re not actually entitled to retain the information you have stored. And, we think about the third parties to whom we have granted access to others’ data, if for no other reason because there are potential penalties involved currently under the GDPR, CCPA and/or Illinois’ BIPA.

This series created that awareness for me.

Exterro: What recommendations do you have for others?

Bennett: I would recommend that attorneys, or at least the key decision-makers in every law firm, become certified in data privacy. And, I hesitate to add this, because attorneys already have costly CLE requirements in order to maintain our licenses, I don’t know how one can say he is a “certified master of data privacy” if he does not separately update that knowledge every year. If you work in a legal department, or are working for a law firm, and you are responsible for retaining or deleting data, how do you know what should be retained and what should be deleted under the current new privacy regulations? What if that information is under a litigation hold or falls under other compliance requirements? Does that change your assessment?

Stricter data privacy regulations have arrived, and there will be more. There are multiple facets to these new privacy laws, and if you don’t keep up, your knowledge will become outdated and therefore will not be very useful. Right now, here in the US, many businesses are scrambling to see what the relatively new GDPR and CCPA privacy standards mean for business. I believe you have to have training in this area and that the knowledge must be kept up-to-date.

After Schrems II, many in the business and legal sectors now see that we [the US] can longer muscle Europe or the EU into doing what we want. The consequence, in my opinion, is that we can either get on board with greater data privacy protections or we can start to lose business opportunities. The real challenge is how do you convince the decision-makers that a data privacy policy and that data privacy training are important, that both are good for business in the long-term? Some of it is demonstrating the penalties of non-compliance, and some of it is underscoring the global repercussions of poor businesses practices with regard to data privacy. These new data privacy laws have informed how we must operate going forward, in both the corporate and legal sectors.

Darius E. Bennett is a 15-year licensed attorney, with 19 years of practical legal experience, including four as either a paralegal or law clerk. A former Fulbright Fellow, Mr. Bennett’s background was originally in research and writing before becoming an attorney. As an attorney in private practice, he worked in negotiations, litigation, and criminal defense within an 8-year span, and then a happenstance but fortuitous circumstance led him to eDiscovery. He is an Exterro-certified Master of Data Privacy and a studied privacy advocate.