The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/163881
Brian Donato has been the CIO at the law firm of Vorys, Sater, Seymour and Pease LLP for the last 14 years. With 27 years of experience ranging from software developer to process engineer and IT director, he brings a broad technology and business background to his current position. Brian serves on ILTA's Risk and Records Management Peer Group Steering Committee. He can be contacted at bjdonato@vorys.com.

Lisa Pierce Reisz is a partner in the Vorys Columbus office, practicing health care privacy, security and IT law. She assists clients in developing comprehensive data privacy and security strategies and in responding to breach incidents. Lisa can be contacted at lpreisz@vorys.com.

WE LIVE IN A REGULATED WORLD

In recent years, a variety of legislation has focused on a wide range of privacy issues. Of particular interest to many regulators is what third-party providers, such as law firms, do to ensure the privacy of their clients' sensitive information. However, law firms aren't the only ones under scrutiny.

• Health Care: Perhaps no other industry has received more publicity regarding privacy than health care, primarily due to the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH requires entities already covered under the Health Information Portability and Accountability Act (HIPAA) to report data breaches to the Department of Health and Human Services and the media, while extending HIPAA's civil and criminal penalties to business associates. If your firm represents a covered entity, such as a hospital, employee health plan or health care clearinghouse, it may be subject to HIPAA/HITECH regulations.

• Banking: Banks and financial services companies are regulated by the Office of the Comptroller of the Currency. While banks and financial services companies have long had the responsibility of managing how their vendors handle sensitive information, federal regulators have recently pressured big banks to pay close attention to what law firms are doing to protect that information. Some big banks have taken the step of auditing the security controls in place at their law firms, according to the article "Bank's New Cybersecurity Audits Catch Law Firms Flat-Footed."

• All industries: Several regulations affect every industry. For example, 46 states currently have laws that protect the privacy of personally identifiable information (PII) and require notification if that privacy is breached. While definitions vary from state to state, PII can include the person's name combined with any one of the following: a driver's license or similar state-issued ID number, a social security number or a credit card number.

Peer to Peer 55