The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
A Data Breach Pandemic

transit.

Law firms face increasing regulatory compliance challenges around the transfer of confidential client data over unsecure public networks. Typical methods for transferring documents and files to external parties, including FTP, unsecure e-mail and delivery via courier services, can result in data breaches that expose a law firm to significant financial liability and can damage the firm's reputation. As a result, law firms are reassessing their current file transfer practices and looking for more secure alternatives.

Data Breach Regulations

Federal data privacy regulations targeting industries such as financial services, healthcare and legal have been in place for several years. Law firms representing clients in these industries may be forced to comply with these regulations as they relate to protecting their clients' confidential data. Examples include the payment card industry standards that protect credit card holder information and the Gramm-Leach-Bliley Act's Safeguards Rule, which requires financial institutions to develop a written, formal plan to protect the nonpublic personal data of their clients.

Of particular note are new regulations within the Health Insurance Portability and Accountability Act (HIPAA) that cover the use and disclosure of patient health information. A provision of the recent American Recovery and Reinvestment Act of 2009 expands HIPAA compliance to business associates of healthcare providers, including attorneys and accounting firms. These associates are now responsible for HIPAA violation penalties, which can reach as high as US$1.5 million per calendar year and require notification of both the U.S. Department of Health and Human Services and a "prominent media outlet." Additionally, violators can face criminal charges with penalties that include imprisonment for up to 10 years.
Forty-four states have regulations requiring notification of affected parties when data breaches occur. Currently, Nevada and Massachusetts are leading the nation in encryption requirements for companies that store or transmit the personally identifiable information of their residents. Compliance extends to any business that manages state resident data, including businesses outside these states. A sweeping new federal bill in process, the Personal Data Privacy and Security Act of 2009 (S.1490), if passed, may replace the patchwork of state regulations and would require companies and government agencies to follow specific rules for protecting sensitive and personally identifiable data.

Secure File Transfer (SFT) Technology

With the myriad laws and regulations, and with future legislation coming, companies must address significant changes to existing processes and workflows, and they must now make complex infrastructure and technology decisions to meet many of the data protection requirements.

Security and Architecture

Always of paramount concern, strong security is necessary; ideally, it is unobtrusive to end users. Data breaches may not only entail monetary fines, but in many cases can hurt a firm's reputation when word gets out that confidential data is not being handled properly and securely. Key questions to ask of a solution include:

• Is data encrypted when transmitted over public networks (in transit) as well as when it is being stored (at rest)?
• Are recipients of a secure file transfer properly authenticated?
• Can files sent to the wrong recipient be recalled?

Hand in hand with security, the overall system architecture can play a positive or negative role in security. An all-in-one solution that may have to sit close to, or even within, a public-facing network tier is more vulnerable to attack. A framework that supports splitting an application into tiers, where the user interface is publicly facing but the data is located in a more protected network segment, has significant advantages.
Flexibility in deploying a solution is important for IT architects who might have specific security requirements for new applications. Questions to ask include:

• What kind of system architecture does the solution support? Can the application be separated into logical and physical tiers?
• Are there any special client requirements, or does the solution support thin clients like Web browsers?
• Will the application run on multiple platforms?
• Is the application compatible with virtual environments; or, better yet, is the solution available as a virtual appliance?
• Can administrators tie into their existing directory services (AD, LDAP) for user management and authentication?
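Two of the security checklist items above, authenticating the recipient of a transfer and recalling a file sent to the wrong party, are shown below in an added example written for this article; it is not code from the article or from any SFT product. It assumes a server-side registry that binds each download link to the addressed recipient with an HMAC and keeps an audit trail of every grant and refusal; encryption of the stored file itself is left to the storage tier and is not modelled here.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Transfer:
    transfer_id: str
    recipient: str      # address the sender chose, normalised to lower case
    key: bytes          # per-transfer secret, never leaves the server
    recalled: bool = False

class TransferService:
    """Registry for outbound transfers: issues recipient-bound links and honours recall."""

    def __init__(self):
        self._transfers = {}
        self.audit = []  # every grant and refusal, kept as evidence for a breach review

    def _token(self, t, recipient):
        # Link token = HMAC(per-transfer key, transfer id + recipient): a link forwarded to
        # a different address fails verification even though the token itself is intact.
        msg = f"{t.transfer_id}:{recipient}".encode()
        return hmac.new(t.key, msg, hashlib.sha256).hexdigest()

    def create(self, recipient):
        t = Transfer(secrets.token_urlsafe(16), recipient.lower(), secrets.token_bytes(32))
        self._transfers[t.transfer_id] = t
        self.audit.append(("created", t.transfer_id, t.recipient))
        return t.transfer_id, self._token(t, t.recipient)  # token reaches recipient out of band

    def recall(self, transfer_id):
        # Sent to the wrong party: flip the flag and every later download is refused.
        self._transfers[transfer_id].recalled = True
        self.audit.append(("recalled", transfer_id))

    def download(self, transfer_id, claimed_recipient, token):
        t = self._transfers.get(transfer_id)
        if t is None:
            return False, "unknown transfer"
        claimed = claimed_recipient.lower()
        if not hmac.compare_digest(token, self._token(t, claimed)):
            self.audit.append(("denied", transfer_id, claimed, "bad token"))
            return False, "authentication failed"
        if t.recalled:
            self.audit.append(("denied", transfer_id, claimed, "recalled"))
            return False, "transfer recalled"
        self.audit.append(("delivered", transfer_id, claimed))
        return True, "ok"
```

The link token is a bearer credential, so the check only proves that whoever presents it received the out-of-band message addressed to that recipient; the recall flag is what lets the firm stop a delivery after a mis-addressed send.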