Recent privacy concerns have caused many countries to beef up their data privacy laws and regulations. The EU of course, is a case in point. As is Korea and others in the Asia Pacific Region. However, the data privacy issues a company faces, are really the tip of the proverbial iceberg. What about the electronically stored information (ESI) that companies have? Electronic data! ESI exposes a company to a myriad of risks, data privacy of course one of them. Besides the multi-dimensional universe of data privacy, cybersecurity is also very important today as many companies and governments continue to get hacked. Even cybersecurity insurance is getting popular. However, companies not only have to worry about getting hacked or running afoul of the latest data privacy laws and regulations. Companies must also consider what data to even store, where to store it, how long to store it and protocols to decide how to analyze and review it. Let alone- where to find it, if it gets lost. Failure to take the where, when and how into consideration can expose the company to unforeseen ESI issues- such as violating ESI discovery laws as well as the associated document retention risks.
Electronically Stored Information- Document Retention Risks and Concerns
If a company is involved with litigation in the United States, it has a duty to locate all relevant information, data, and documents—including ESI that are relevant to the case. This can be quite onerous, as it requires:
• Familiarity with document retention policies
• Involvement with IT personnel
• Communication to “key players” of the litigation hold
• Location and retrieval of all relevant information wherever that information might be
The legal risks facing a company that fails to handle the above requirements in an economical/efficient manner can be tremendous. Companies have been sanctioned millions of dollars for failing to abide by ESI requirements or, even worse, have lost the respective lawsuits, costing even more. What can a company do to mitigate the legal risks surrounding document management to comply with US legal requirements?
1. Plan of Action
A company must take steps to develop an adequate data and document management plan. It is not too surprising that even the IT Department itself may not have an adequate understanding of where all of the electronically stored documents are considering the plethora of handheld devices that may store documents and other electronic information. Therefore, a company’s management and IT folks need to sit down and map out where all of the documents are located if possible. A document management plan should take the following steps into consideration:
• Assess the company’s current use of technology documents.
• Locate all in the company’s possession.
• Use technology to leverage legal requirements.
• Retain experts or outside consultants to above or to help implement systems/processes.
• Implement policies and procedures addressing all legal risks posed by ESI.
2. Risk Assessment of ESI
To implement an appropriate plan of action, a company must conduct a risk assessment of its processes and capabilities by:
• Seeking proposals of vendors (outside experts)
• A top-to-bottom analysis
• ESI and paper documents
• Hardware and software
• Management of data
• Retention of data
• Litigation holds
• Disaster preparedness
3. ESI Implementation
The legal risks facing companies in today’s legal and regulatory climate, especially in the United States, are enormous. Failure to implement a data and document management program that not only addresses a company’s business concerns but legal obligations as well can be disastrous. The development and implementation of a Legal Risk Management Program (LRM) addressing these concerns is not a luxury but a necessity. It is highly recommended that a company implement a data and documentation management program that addresses ESI and all of its issues.
For risk managers or in-house counsel, the development of a comprehensive ESI program is crucial. Talk to your IT folks. If necessary, enlist the help of outside ESI consultants. Get your hands around your company’s ESI. Implement an ESI document management program and implement processes to handle all associated risks.
Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law- the Personal Information Protection Act or “PIPA”. It first amended the PIPA in 2016 by adding additional regulations and requirements. Unlike some of its neighbors however, South Korea has also enacted other laws over the last 2 years that place strict requirements on data privacy in other sectors such as IT Networks, credit card information, cloud computing and online advertising. Recently, additional major amendments to PIPA were passed by the National Assembly of Korea because of Big Data /AI /IoT concerns.
The amendments to the PIPA that have been adopted include: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA. A short summary follows:
1. Key Provisions of the Amended PIPA
(1) Clarification of the definition of “personal information”
As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means, by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.
(2) Introduction of “pseudonymized information”
The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.”
The amendment stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.
(3) Use of personal information within the scope reasonably related to the original purpose of the collection
The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject. The amended PIPA has relaxed the existing consent-oriented regulations which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection.
(4) Exclusion of anonymized information from the application of the PIPA.
The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.
(5) Transfer of the Network Act’s personal information-related provisions to the PIPA.
The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party.
Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing. Under the current PIPA, the data subject’s consent is not required for Outsourcing.
The new amendments to PIPA are meaningful in that they help provide clearer guidance to data handlers on what constitutes the lawful processing of personal information as well as setting forth standards for the secure processing of personal information. It is expected that the amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations shall take place in the upcoming months.
The other day I had lunch with a friend who was lamenting the fact his company’s sales team continued to ink deals without any regard for risk. When he asked them why they continued to do so, the reply was “that’s the way we have always done things.” Unfortunately, many companies continue to plod along doing business without regards to risk. In fact, many companies fail to look at operational risk which can lead to disaster down the road. In order for a company to succeed it not only has to a sustainable business model but it has to constantly review its risk processes. After all, what happens when the current business model does not work anymore? What happens when the risks outweigh the benefits of continued standard corporate operations? Maybe it’s time to re-examine your risk management processes. Do they really work?
When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?
I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future.
I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Maybe it did 5 years ago. But what about today?
Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them? Does your current business model still work or is it outdated? What about data privacy laws?
It is a fundamental truth that all things change. Of course, some things change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary. And don’t think that just because “that's the way things are done” your company should continue to operate as usual.
Recently, one of the largest credit reporting agencies in the US, Equifax, joined the long list of companies that have been the victim of a major data breach. Equifax is now trying to explain how over 143 million Americans — effectively most of the U.S. adult population — had their personal data compromised.
The company tracks the detailed financial affairs of all Americans in order to gauge their credit worthiness. Along with TransUnion and Experian, they maintain personal data on millions of US citizens, but that once breached, the information can expose nearly every American adult to identity theft.
Under the threat of massive litigation, which may cause its downfall, Equifax is finding out how important it is to protect the personal information of its users and why data privacy has become a growing area of concern around the world. There are five main reasons why data privacy has become a major area of extreme risk requiring the attention of a company’s management. They are:
Managing the risks inherent in data privacy related issues can be quite a task. However, failure to adequately protect customers’ personal data will lead to great reputational harm and risk to a company’s brand.
In determining the risks a company faces, an organization must answer a series of painful questions, including but not limited to the following:
Only once these questions have been answered and the risks associated with personal data has been considered is a company in the position of creating and implementing a risk management process to handle its personal data. But remember - the tough questions must be answered first.
The recent global cyber-attack emphasizes the growing risk of cyber-attacks around the world and the issues facing the risk and legal community. Not only do cyber-attacks threaten businesses and organizations on a daily basis but the addition of ransomware to the mix underlies the threats facing organizations, businesses and governments on a worldwide basis. (more…)
Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law- the Personal Information Protection Act or “PIPA”. It amended PIPA in 2016 by adding additional regulations and requirements. (more…)