Personal Data and Service Contracts: How to Protect Your Personal Information
Attorneys know that one of their primary obligations to their clients is to protect client confidences. Therefore, great pains are taken to make sure that clients’ highly personal information stays in safe hands. But what happens when attorneys are the ones passing along their personal information? Well, unfortunately lawyers are far less careful with their own confidential information than they are with their clients’.
For example, we recently attended a legal conference where a legal recruiter summarized how scrupulously she protects her attorney clients’ information. She explained that in some instances she collects highly private financial data from attorneys she’s trying to place, including tax returns. What amazes her, and us, is that these attorneys rarely ask for any assurances that their information will remain confidential.
For instance, these attorneys don’t know that although the legal recruiter takes pains to protect their personal information by encrypting her computer, she eventually turns that data over to law firms and corporations without any assurances they will be as mindful.
There are scores of instances where it’s necessary to turn over personal information to receive a service. But to do so without any effort to learn how that data will be used and protected is to relinquish responsibility for it. In this day and age that’s akin to just crossing your fingers and hoping for the best.
In other words, it’s just unacceptable.
Before you hand over personal information to a service provider, ask:
- Access: Who will have access to that information?
- Security: How will that information be protected?
- Storage: Where will that information be stored?
- Sharing: Will that information be shared with anyone?
- Transit: How is that information transferred? Via mail? Email? A shared lockbox? Cloud computing?
- Reasonable Efforts: What efforts are taken to protect the data in storage? And in transit?
- Breach: What is the notification procedure in the case of a security breach?
- Disposal: How is the information destroyed once it is no longer needed?
Professionals who receive this information may also need to consider how to protect themselves from liability for the misuse or loss of data. This can be done via contractual changes in agreements with both clients and collaborators. For instance, the legal recruiter described above could require the following:
- Consent: That clients consent to her sending their personal information to other parties.
- No Liability: That clients agree to not hold her responsible if the other party with whom she is collaborating fails to take adequate measures to protect the data as well.
- Reasonable Efforts: That her collaborators take reasonable efforts to protect the data.
When it comes to your personal information, don’t assume that because you’re a trained professional who mindfully protects your clients’ data, others will do the same with yours. Ask questions, demand answers, and don’t turn over anything until you’re satisfied that you’re in safe hands.