People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
Privacy is a concern wherever personal data is collected and used. Often, people think about services that explicitly collect data, such as social media applications or e-commerce sites. But personal data can be included in email, documents, and other business tools, including instant messaging and other communications programs. Importantly, personal data is not always kept in structured formats, so understanding where it resides in an organization is key to ensuring the appropriate controls and processes are put into place.
What terms and conditions should you check when using consumer apps that help with word processing and email?
Fundamentally, word processing and email are user-generated content. Apps that help with these tasks have access to that content. Therefore, it is vital that they maintain confidentiality of the information and don’t use personal data for their own purposes. When selecting an app, one must look for assurance that the app will not use the content of the document or email beyond the specific functionality the app offers. One must also look for strong security protections, including strong encryption, around transmission of the content to and from the app, and while the app has the content. And one would want assurances that the information is kept no longer than needed.
When you’re searching for new software, what’s the most important privacy-related question to ask vendors?
When considering a new product, you’ll want to know the vendor’s reputation first. It is also essential to ask (1) how your data will be protected, (2) what data the vendor will have access to, (3) where the data will be stored, (4) how the data will be destroyed, (5) what the vendor’s disaster recovery plan is, and (6) whether the vendor works with any third parties that may have access to the data. These seemingly innocuous questions require highly technical responses, and it is therefore essential to work with a knowledgeable data privacy team who can ensure the vendor’s practices align with your organization’s privacy goals and ensure the right commitments are embodied in the vendor contract.
What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?
They should ask (1) what data will the app have access to and why, (2) what permissions does the app have to use that data, both to provide the service and for other reasons, and (3) how will the app protect and delete that data to make sure it doesn’t fall into the wrong hands.
How many layers of data-sharing should lawyers investigate when considering purchasing an app that will have access to confidential information?
Often, in selecting an app, a user might look only at the company offering the app. But the company will often have sub-processors that help it in delivering the app’s functionality, or provide other ancillary services. A user will want to make sure that the same privacy protections the app offers are committed to by any sub-processors. The user will also want to make sure that any data shared with ancillary service providers (e.g., customer support) is strictly limited, with strong limitations on use of data, effective security measures, and short data retention periods. For analytics, the user will want to make sure only anonymized data is shared.
Do you see legal tech vendors missing any important privacy trends or changes? What new privacy rights and obligations should legal tech vendors know?
The key privacy trend that legal tech vendors should know is the broader rise of privacy tech. With personal information increasingly pervasive, companies are adopting technological solutions at a rapid pace. There are several core requirements that will be essential to the continued success of legal tech vendors: users’ ability to know what data an organization has and where it resides; the vendor’s ability to respond quickly and effectively to requests to access or delete that information; and the vendor’s ability to compile information in response to regulator inquiries.
What should lawyers know about the new privacy laws from the past few years?
The important thing is that privacy laws are proliferating at an ever-increasing pace. There is of course GDPR in Europe from 2018, which replaced an earlier privacy law. But over the past two years we’ve seen state-level privacy legislation in California, Virginia, and Colorado, with more to come. There are significant federal privacy legislative proposals, and the new FTC leadership is likely to take a more aggressive approach to enforcing privacy using existing consumer protection authority. These laws have slightly different requirements and obligations, so lawyers need to stay on top of developments to not be blindsided.
What resources do you recommend for laypeople wanting to learn more about privacy?
The best place to start is the website of the International Association of Privacy Professionals (IAPP), which provides numerous articles, summaries, and other resources to help both laypeople and practitioners understand the latest developments in privacy law. Following privacy leaders on Twitter also helps in quickly understanding emerging privacy news and trends.
About Jessica Brown
Jessica Brown is a litigator and business lawyer in Nevada who represents business entities in general, commercial, employment, and data privacy matters. Before law, Jess had a successful career in technology where she implemented enterprise-level software and web services for universities and major companies. Her background makes her uniquely positioned to advise companies on legal issues at the intersection of technology and law, as she brings a deep understanding of both to help clients strategically navigate emerging areas.
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.