P2P

Spring23

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1496203


Microsoft revealed that state-sponsored Chinese hackers have been targeting "US-based universities, defense contractors, law firms and infectious disease researchers". 7 Law firms are on that list because cybercriminals know you hold a wealth of data worth stealing, data that is also often ransom-worthy and, compared with financial services or big pharma for example, relatively poorly protected. They also know that the more data a firm holds, the more likely that data is to yield rewards for them, so the more effort they will put into breaching your defenses. Hence the importance of data minimization: data you no longer hold cannot be stolen or ransomed. And bear in mind that these cybercriminals are highly organized and determined professionals. It has been estimated that in 2021 cybercrime cost the world USD$6 trillion. To put that in context, that is more than the entire annual GDP of Japan, the world's third largest economy. 8

Comply or be fined

A second major hazard for firms not on top of data minimization is a compliance breach, of which there are three types: regulatory compliance, contractual compliance with client Outside Counsel Guidelines (OCGs) and compliance with professional standards.

The challenge with regulatory compliance is that the volume of data privacy regulation keeps growing. The General Data Protection Regulation (GDPR) has been enforceable in the EU since 2018; the UK retained it after Brexit as the UK GDPR, supplemented by the Data Protection Act 2018. Note that GDPR applies to any organization, wherever it is located, that processes the personal data of individuals in the EU. Organizations found to be in breach of GDPR face a penalty of up to 4% of their global annual revenue or €20m (c. USD$21.5m), whichever is higher. Subsequent privacy regulation in other jurisdictions has more or less followed the GDPR model of stringent requirements around how Personally Identifiable Information (PII) is obtained and held, and for how long it is stored.

Hence the relevance to data minimization. Because PII may only be kept for as long as the purpose it was collected for requires, firms must continually purge PII they no longer need or run the risk of large fines and reputational damage. In the United States there is no federal data privacy law yet, though one is contemplated, but the California Consumer Privacy Act (CCPA) is the first of several state laws already in force or in the pipeline that mandate how the PII of state residents is treated. Meanwhile, Brazil has a General Data Protection Law (LGPD) which is close to GDPR, and Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which would be strengthened by a new piece of legislation, Bill C-27. At the time of writing it is expected to pass into law this year. It includes provisions for mandatory data breach reporting, increased fines for non-compliance, stronger order-making powers for the Privacy Commissioner of Canada and a new Personal Information and Data Protection Tribunal. It imposes yet more data privacy rules that firms must actively manage if non-compliance is to be avoided. And remember that you can not only be fined by the regulator but also sued by a client or data subject if found to be in breach of legislation.

7. https://www.cbsnews.com/news/microsoft-chinese-hackers-email-server-bug/
8. https://news.cybersixgill.com/chinese-russian-cyber-threats/ In 2021, the gross domestic product of Japan was estimated to be around 4.9 trillion U.S. dollars.
9. https://www.fastcompany.com/944128/worker-interrupted-cost-task-switching
