User-generated and crowd-sourced content have become familiar terms with the rise of social apps. Though user-generated content has existed outside of the social media context for years, we still fail to grasp its significance in our business and personal lives away from social apps.
In this insightful interview, privacy lawyer Jessica Brown explains how the content of our documents is user-generated content which we allow word-processing software to access. With that revelation, Jess helps us ask the right questions to determine whether our word-processing software is the right fit for our confidential work. After you read this interview, you’ll think twice about the privacy standards of all software you use in the business and practice of law.
What prompted your interest in privacy law?
I was a tech developer for nearly 15 years before becoming a lawyer. It was a natural fit to parlay my experience in software, database, and web development into privacy work, particularly because I was familiar with data architecture and cybersecurity from a technical standpoint.
What is your role and how is it related to privacy law?
I have a general business and litigation practice, but data privacy issues are so pervasive that counseling clients about them has become an integral part of most law practices, including mine.
What’s the difference between privacy and data security?
Privacy is broader than data security. Privacy encompasses the rules governing appropriate collection, use, and protection of personal information, whether that information is in digital form or not, as well as the rights individuals have regarding their data. Data security requires the use of strategies, processes, and technical controls to protect data from unauthorized access.
What surprising types of information qualify as confidential information or electronically stored information under the ethics rules?
A company or individual can deem any information “confidential.” It’s common for the following types of information to be confidential: metadata, editing and version histories, file paths, and who has access to that information. For lawyers in many jurisdictions, the mere fact that you represent a particular client is considered confidential. As such, lawyers must be able to scrub metadata that includes client information from any documents or spreadsheets, and ensure that public file paths do not contain sensitive information.
What are unexpected ways that privacy and data security come up in legal practice?
Lawyers not only need to be prepared to advise clients on privacy and security compliance, but lawyers need to be prepared for cyberattacks against their firms. It is increasingly common for foreign hackers to target law firms and hold files or confidential information hostage in exchange for cryptocurrency. Law firms are prime targets because we hold extremely sensitive information and we have the means to pay the ransom. It is unclear at this time whether these continued cyberattacks are routinely orchestrated by quasi-state actors or by foreign organized crime. Either way, outside access to sensitive information could be catastrophic to any client, and disclosure of a data breach to a client is an essential part of crisis management. Your clients shouldn’t discover a firm data breach from anyone other than the firm.
What are some dangers of using a freemium consumer app in legal practice?
Freemium is never free. Any information, documents, or data that one enters into a freemium consumer app can be used by the app companies to generate a profit—either by selling a user’s personal data directly, or by monetizing it via selling advertising against anonymized user profiles. In fact, frequently anonymized data is used to make detailed inferences about consumers by compiling previously disparate sources of data and correlating them. Increasingly, companies are also securing rights to use both identified and anonymized data to power their machine learning models. Therefore, it is essential for legal tech users to trust the company whose products they are using and its data practices, and understand how their data may be used.
People think a lot about privacy related to email, but they don’t think about it related to documents. What are other surprising areas where privacy might be a concern?
Privacy is a concern wherever personal data is collected and used. Often, people think about services that explicitly collect data, such as social media applications or e-commerce sites. But personal data can be included in email, documents, and other business tools, including instant messaging and other communications programs. Importantly, personal data is not always kept in structured formats, so understanding where it resides in an organization is key to ensuring the appropriate controls and processes are put into place.
What terms and conditions should you check when using consumer apps that help with word processing and email?
Fundamentally, word processing and email are user-generated content. Apps that help with these tasks have access to that content. Therefore, it is vital that they maintain confidentiality of the information and don’t use personal data for their own purposes. When selecting an app, one must look for assurance that the app will not use the content of the document or email beyond the specific functionality the app offers. One must also look for strong security protections, including strong encryption, around transmission of the content to and from the app, and while the app has the content. And one would want assurances that the information is kept no longer than needed.
When you’re searching for new software, what’s the most important privacy-related question to ask vendors?
When considering a new product, you’ll want to know the vendor’s reputation first. It is also essential to ask (1) how your data will be protected, (2) what data the vendor will have access to, (3) where the data will be stored, (4) how the data will be destroyed, (5) what the vendor’s disaster recovery plan is, and (6) whether the vendor works with any third parties that may have access to the data. These seemingly innocuous questions require highly technical responses, and it is therefore essential to work with a knowledgeable data privacy team who can ensure the vendor’s practices align with your organization’s privacy goals and ensure the right commitments are embodied in the vendor contract.
What are the top 3 privacy-related questions lawyers should ask about access to confidential data granted to consumer apps?
They should ask (1) what data will the app have access to and why, (2) what permissions does the app have to use that data, both to provide the service and for other reasons, and (3) how will the app protect and delete that data to make sure it doesn’t fall into the wrong hands.
How many layers of data-sharing should lawyers investigate when considering purchasing an app that will have access to confidential information?
Often, in selecting an app, a user might look only at the company offering the app. But the company will often have sub-processors that help it in delivering the app’s functionality, or provide other ancillary services. A user will want to make sure that the same privacy protections the app offers are committed to by any sub-processors. The user will also want to make sure that any data shared with ancillary service providers is strictly limited (e.g., customer support), with strong limitations on use of data, effective security measures, and short data retention periods. For analytics, the user will want to make sure only anonymized data is shared.
Do you see legal tech vendors missing any important privacy trends or changes? What new privacy rights and obligations should legal tech vendors know?
The key privacy trend that legal tech vendors should know is the broader rise of privacy tech. With personal information increasingly pervasive, companies are adopting technological solutions at a rapid pace. There are several core requirements that will be essential to the continued success of legal tech vendors: users’ ability to know what data an organization has and where it resides; the vendor’s ability to respond quickly and effectively to requests to access or delete that information; and the vendor’s ability to compile information in response to regulator inquiries.
What should lawyers know about the new privacy laws from the past few years?
The important thing is that privacy laws are proliferating at an ever-increasing pace. There is of course GDPR in Europe from 2018, which replaced an earlier privacy law. But over the past two years we’ve seen state-level privacy legislation in California, Virginia, and Colorado, with more to come. There are significant federal privacy legislative proposals, and the new FTC leadership is likely to take a more aggressive approach to enforcing privacy using existing consumer protection authority. These laws have slightly different requirements and obligations, so lawyers need to stay on top of developments to not be blindsided.
What resources do you recommend for laypeople wanting to learn more about privacy?
The best place to start is the website of the International Association of Privacy Professionals (IAPP), which provides numerous articles, summaries, and other resources to help both laypeople and practitioners understand the latest developments in privacy law. Following privacy leaders on Twitter also helps in quickly understanding emerging privacy news and trends.
About Jessica Brown
Jessica Brown is a litigator and business lawyer in Nevada who represents business entities in general, commercial, employment, and data privacy matters. Before law, Jess had a successful career in technology where she implemented enterprise-level software and web services for universities and major companies. Her background makes her uniquely positioned to advise companies on legal issues at the intersection of technology and law, as she brings a deep understanding of both to help clients strategically navigate emerging areas.
About the Privacy and Security Interview Series
This interview is part of a collection of interviews about privacy and data security. By producing this series, we hope to prompt legal professionals to think about the privacy concerns that arise in everyday tasks like word processing and selection of document creation software.