Lawbytes 126: OPERATIONALIZING DATA PRIVACY IN LAW FIRMS (Copyright by Dr. Atty. Noel Guivani Ramiscal)

My cyberprivacy advocacy has taken me to some interesting places, including law firms. When UPIAJ invited me to lecture at the ACCRALAW Tower for the ACCRALAW lawyers last June 17, 2017, on data privacy, I jumped at the opportunity to scrutinize the policies and practices of this law firm, which has a long and illustrious history in the Philippine legal industry and is therefore a good benchmark for Philippine law firms as far as protecting data privacy is concerned. My objective was to perform an informal external audit to see how the firm has complied with some of the most crucial requirements of the data privacy law (R.A. 10173), which is probably one of the most controversial and challenging laws that all Philippine entities falling within its scope as a “personal information controller” (PIC) must deal with.

The firm’s website has a News & Updates portion which contained an article concerning the deployment of the iManage system that apparently was done last January of this year. The article states:

xxx In iManage, ACCRALAW has deployed a sophisticated Work Product Management system that encompasses document management, email management, knowledge management, analytics, process automation and more.”

In the first few months of going live with iManage Work, ACCRALAW has already experienced significant benefits. iManage Work integrates seamlessly with ACCRALAW’s existing practice management system, so that when a new matter is created, a workspace is automatically generated in iManage Work, without the need of manual intervention. Within minutes, users can start saving and publishing documents to this centralized repository, allowing anyone connected to the matter to search, access, and view the related files — saving valuable time and enabling more efficient collaboration.

iManage Work has been rolled out across all of the Firm’s practice departments. As a result, the Firm can better carry out work on behalf of its clients in areas ranging from Litigation and Dispute Resolution, Corporate and Special Projects and Intellectual Property, to Labor, Tax and other specializations. [ACCRALAW Deploys iManage for Document and Email Management, January 30, 2017, http://www.accralaw.com/news-updates/accralaw-deploys-imanage-document-and-email-management, accessed July 25, 2017]

In my lecture, I asked the over 40 lawyers present several questions, including: Were ACCRALAW’s clients informed, and their written consent secured, regarding their personal information being subject to “processing” through the iManage system prior to its roll-out? I further asked if a Privacy Impact Assessment (PIA) was made prior to the deployment of iManage with respect to their clients who are, in all probability, the “data subjects” whose data are entered into the iManage system. The response was not positive or clear. To be fair, none of the firm’s IT experts, nor the head of the MIS department, nor its Chief Privacy Officer was there to elucidate on this issue.

The article merely mentioned that before “deciding on a Work Product Management system, ACCRALAW exercised due diligence by visiting several legal firms in neighboring Malaysia that were iManage customers, to hear their opinions first-hand.” If its clients’ consent was secured and a PIA was actually done, then these should have been mentioned in the article. Gathering the opinions of iManage users cannot substitute for the firm actually securing their clients’ consent to the iManage system and conducting the actual PIA that are legally mandated and should have been part of the firm’s due diligence. It is also a legal must that the iManage system must be registered with the NPC, as part of the compliance processes that ACCRALAW as a PIC must undergo. I was not able to get any confirmation if iManage was already registered with NPC.

One good thing about ACCRALAW’s implementation of the iManage system is that the firm does not utilize the hybrid cloud storage and infrastructure services offered by iManage. iManage’s hybrid cloud purportedly services over 1,800 law firms globally. In this connection, I discussed some of the dangers of entrusting clients’ data to cloud services. By choosing not to hand over their clients’ data to iManage’s cloud, and by deciding to develop their internal expertise in managing and dealing with data issues, ACCRALAW can avoid the class of data security breaches that have plagued cloud services, although it then carries the full burden of securing that data itself. It is also commendable that the firm is training its own people on e-data management, because they can develop the expertise that can be crucial in the electronic discovery of data in the iManage system that could be the subject of future litigation.

Another IT system ACCRALAW uses is the Elite system for its financial records. The firm has an access policy which contains restrictions and delineates the people who are allowed to access these important records and the system. Other records of significance are located off-site. These are crucial procedures and protocols that can further reduce the risk of data security breaches. It is not clear, though, if the Elite system is registered with the NPC.

As of the time of this blog’s publication (July 25, 2017), the ACCRALAW website still does not contain any posting of the law firm’s privacy policy or privacy code. I told the audience that they should post this document on their website as part of their compliance with the NPC directives. One member of the audience said that they are still at work crafting their policy/code.

I also found out that the firm has no social media policy and no Bring-Your-Own-Device (BYOD) policy, which can create problems for the firm. While lawyers are supposed to observe the confidentiality of communications between them and their clients, I told the audience that cases abound in different jurisdictions where lawyers using social media have honoured this professional obligation in the breach. Some of the junior lawyers who brought their mobile phones with them confirmed during my lecture that these devices are owned by them personally. Assuming that they use these e-devices for their professional work as well, complications can arise from the commingling of personal and professional data on these e-devices if any of that data becomes the subject of litigation. Also, lawyers tend to be mobile, increasing the risk of security breaches on these devices. Clear firm policies on these matters, including access policies for the firm’s IT assets, and their effective implementation can actually serve as insurance and a defense for the firm in any future controversy that involves data breach and gross negligence charges levelled against it.

There are a lot of things that lawyers need to know in securing their own data as well as the data of their clients. The Chief Privacy Officer of any organization has their work cut out for them. The Data Privacy Law was passed in 2012. In a seminar I attended last January of this year, NPC Deputy Commissioner Ivy Patdu made the pronouncement that even if the law’s Implementing Rules and Regulations were promulgated over four years after its passage, the NPC operates on the principle that all PICs should have formulated and implemented the necessary policies, safeguards, and protocols that were clearly mandated by the law way back in 2012. All PICs (including law firms like ACCRALAW), as it stands, only have up to September 9, 2017 to comply with the registration requirements under this law. Law firms are particularly placed in the spotlight because they are supposed to be models of legal and regulatory compliance. Here is trusting that all Philippine law firms can duly and timely comply with the NPC requirements.

LAWBYTES 116: HOW SMART ELECTRONIC METER GRIDS IN THE INTERNET OF THINGS AND DRONES CAN POSE DANGERS TO THE PRIVACY AND SECURITY OF CONSUMERS (Copyright by Dr. Atty. Noel G. Ramiscal)


In my Mandatory Continuing Legal Education (MCLE) lectures on the Data Privacy Law, I always strive to present novel issues on data privacy that have not been tackled in any MCLE lecture before by any other lecturer, and to connect them with the concerns of the audience to whom I am giving my presentations. When I was invited by the UP Administration of Justice to do a special lecture for MERALCO on data privacy (June 24, 2016), I took that opportunity to scrutinize its smart grid meter system, which is planned to be rolled out nationally by 2017, and to discuss with their legal, corporate and IT officials some of the legal concerns relative to this, and how its connection with the Internet of Things can impact the security and privacy rights of their consumers. I shared these concerns in my Data Privacy lectures for the Integrated Bar of the Philippines (IBP) Chapters in Misamis Oriental Chapter, Grand Caprice Restaurant Hall, Cagayan De Oro, last September 7, 2016, and the Zamboanga del Norte Chapter, at the Dipolog Commercial Center, on August 25, 2016, for the Department of Foreign Affairs (DFA) lawyers and foreign service officers, at the DFA building, in Roxas Boulevard, Pasay, last August 30, 2016, and in the ConsumerNet Region 10 meeting at the Department of Trade and Industry Building, Cagayan De Oro, last September 9, 2016.

Dr. Atty. Noel G. Ramiscal lecturing to the IBP Misamis Oriental lawyers, September 8, 2016

Praises have been sung in favour of establishing smart grid systems. Olivier Monnier stated that “building a smart grid means securing the future of energy supply for everyone in a rapidly growing population with a limited power production capacity. A smart grid reduces the losses, increases efficiency, optimizes the energy demand distribution[,] and also makes large-scale renewable energy such as solar and wind deployments a reality. With an aging infrastructure, the [current power] grid is facing severe challenges including recurring black outs in major industrialized cities around the globe”.

At the dawn of the Internet of Things (IoT), smart e-devices in the home should be able to transmit and receive information to and from the smart meters and utility providers. The eventual vision for the smart cities of the future is one where all these IoT devices, smart meters, utility providers of gas, water and electricity, providers of other services, and government agencies are linked together in order to give effective and efficient services to their consumers/clients.

Dr. Atty. Noel G. Ramiscal at the ConsumerNet lecture, DTI Region 10, September 9, 2016

I understand that MERALCO has partnered with GE (for its electric meters and system integration services) and with Trilliant, which has a Smart Grid Communications Platform that enables advanced intelligence in the prepaid metering system and will serve as a foundational platform for future advanced smart grid capabilities. MERALCO will also have a smart grid incubator called PowerTech that will be launched early next year (2017). MERALCO has also acquired three drones to inspect areas on the grid that are geographically hard to reach. This trend appears to be unstoppable. Electric utilities in other parts of the Philippines (e.g. CEPALCO) have placed the establishment of a smart grid system as a target for their business models.

In my lectures on IoT and data privacy, I show the audiences how these devices can lead to the erosion of the privacy of the personal information of users/consumers.

Ann Cavoukian’s research on the smart grid has shown that fine-grained meter data can reveal whether: the homeowner tends to arrive home shortly after the bars close; the individual is a restless sleeper and is sleep deprived; the occupant leaves late for work; the homeowner often leaves appliances on while at work; the occupant rarely washes his/her clothes; the person leaves their children home alone; the occupant exercises infrequently.

One interesting computer study, conducted by Miro Enev et al., revealed that examining just the electrical signals emanating from a person’s house can identify what the occupants were watching on TV with 96% accuracy.
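To make concrete how little effort the first kind of inference takes, here is an added illustration that is not part of the original post or of any utility’s software: a short Python script that reads an occupant’s daily routine (wake-up, departure, return, bedtime, night-time wake-ups, appliances left running) off ordinary 15-minute interval readings. The readings, the 15-minute slot length, the 150 W base load and the activity thresholds are all constructed assumptions, not data from MERALCO or any real meter. The script also computes the day’s total kilowatt-hours, which is the only figure a bill actually needs.

```python
# Added illustration for this post: inferring an occupant's routine from
# 15-minute smart-meter readings. Every number here is constructed; the
# slot length, base load and thresholds are assumptions, not real meter data.

SLOT_MIN = 15                   # assumed meter interval in minutes
SLOTS = 24 * 60 // SLOT_MIN     # 96 readings per day
BASELOAD_W = 150                # assumed fridge + standby load in watts


def slot_label(i):
    """Clock time 'HH:MM' at the start of slot i."""
    minutes = i * SLOT_MIN
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def _slot(hhmm):
    """Slot index for an 'HH:MM' string (minutes assumed aligned to SLOT_MIN)."""
    return int(hhmm[:2]) * 60 // SLOT_MIN + int(hhmm[3:]) // SLOT_MIN


def constructed_weekday():
    """One constructed weekday: average watts drawn in each 15-minute slot."""
    watts = [BASELOAD_W] * SLOTS

    def fill(start, end, load):          # constant load over [start, end)
        for i in range(_slot(start), _slot(end)):
            watts[i] = load

    fill("01:30", "02:00", 450)    # up during the night: light, kettle
    fill("06:30", "07:45", 1100)   # morning routine
    fill("07:45", "18:45", 420)    # house empty, but TV left on
    fill("18:45", "23:30", 1300)   # evening at home
    return watts


def active_periods(readings, threshold_w):
    """Runs of consecutive slots whose load exceeds threshold_w.
    Returns (start, end) slot indices, end exclusive."""
    periods, start = [], None
    for i, w in enumerate(readings + [0]):      # sentinel closes a trailing run
        if w > threshold_w and start is None:
            start = i
        elif w <= threshold_w and start is not None:
            periods.append((start, i))
            start = None
    return periods


def infer_routine(readings, active_w=800, base_w=BASELOAD_W):
    """Lifestyle facts of the kind listed in the post, read off one day of data.
    active_w: load above which someone is assumed awake and busy (assumption).
    Night-time wake-ups use a lower bar: anything above twice the base load
    before 04:00."""
    dawn, noon = _slot("04:00"), _slot("12:00")
    active = active_periods(readings, active_w)
    morning = next((p for p in active if dawn <= p[0] < noon), None)
    evening = next((p for p in active if p[0] >= noon), None)
    facts = {
        "wake": slot_label(morning[0]) if morning else None,
        "leave": slot_label(morning[1]) if morning else None,
        "return": slot_label(evening[0]) if evening else None,
        "sleep": slot_label(evening[1]) if evening else None,
        "night_wakeups": [slot_label(p[0])
                          for p in active_periods(readings[:dawn], 2 * base_w)],
        "away_avg_w": None,
        "appliance_left_on": None,
    }
    if morning and evening and morning[1] < evening[0]:
        away = readings[morning[1]:evening[0]]   # slots between leaving and returning
        avg = sum(away) / len(away)
        facts["away_avg_w"] = round(avg)
        facts["appliance_left_on"] = avg > 2 * base_w
    return facts


def daily_kwh(readings):
    """The one figure a bill needs: energy consumed over the whole day."""
    return sum(readings) * SLOT_MIN / 60 / 1000


if __name__ == "__main__":
    day = constructed_weekday()
    print(f"billing needs only: {daily_kwh(day):.2f} kWh")
    for key, value in infer_routine(day).items():
        print(f"{key:>18}: {value}")
```

Run as a script, it reports a 06:30 wake-up, a 07:45 departure, an 18:45 return, bedtime at 23:30, a wake-up at 01:30 and a 420 W load left running in an empty house, all from one day of readings, while the bill needs only the 13.37 kWh total. The gap between those two outputs is the privacy argument: the interval trace is far richer than the purpose for which it is collected.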

It is for these reasons, and so much more, that the European Data Protection Supervisor in its Opinion on the Commission Recommendation on Preparations for the Roll-Out of Smart Metering Systems, warned that such grids could lead to “massive collection of personal data” without much protection for the consumers.

The National Institute of Standards and Technology also warned that:

Personal energy consumption data . . . may reveal lifestyle information that could be of value to many entities, including vendors of a wide range of products and services. Vendors may purchase attribute lists for targeted sales and marketing campaigns that may not be welcomed . . . . Such profiling could extend to . . . employment selection, rental applications, and other situations that may not be welcomed by those targets.

In the hands of a good cybercriminal, this information can be used to the detriment of the smart grid user. In view of these, I asked the MERALCO audience last June 24, 2016, these questions:

DOES MERALCO HAVE A CLEAR EXPRESS WRITTEN POLICY ON THE DEPLOYMENT OF THE SMART GRID TO ITS CUSTOMERS THAT PERTAIN TO THEIR PRIVACY RIGHTS?
IS THIS POLICY WELL KNOWN AND EXPLAINED TO THEM?
IS THERE AN OPT-OUT OR OPT-IN CHOICE FOR MERALCO CUSTOMERS?

The response I gathered from the audience was that there was no policy set in place, but MERALCO is planning to give their consumers opt-in or opt-out choices.

Drones are also a particularly invasive form of surveillance technology. They collect all forms of data indiscriminately. Apart from the privacy issues they pose, there have been well-known incidents where drones have figured in traffic accidents and collisions, and have themselves been targets of destruction.

I also asked if MERALCO has a privacy policy on the utilization of drones, and the response I got was in the negative.

In order for MERALCO to avoid violating the data privacy rights of their consumers, I advised them, not only to have a privacy policy for the smart grid and the use of drones, but that they must also conduct a privacy impact assessment (PIA) for these two matters, ideally prior to their utilization, in order to gain the support of all the stakeholders. They must implement and enforce the PIAs and document the implementation. This holds true for any organization or entity that is planning to implement any project that would have significant privacy and security repercussions.

Under R.A. 10173 or the Data Privacy Law, all personal information controllers (“PICs”) like MERALCO who process the personal information of data subjects are obligated to formulate privacy codes/policies for the approval of the National Privacy Commission (NPC). Recently, the NPC came out with an issuance requiring the submission of PIAs as well. It is not clear from the law what the nature and status of these policies are. Would having them be enough to save PICs like MERALCO from liability for future data privacy violations?

Dr. Atty. Noel G. Ramiscal at the Department of Foreign Affairs, August 30, 2016

The matter is complicated by ascertaining specifically which types of personal information from the customer require the customer’s prior consent before they are processed by the smart meter provider. The Voluntary Code of Conduct by the US DOE and the Federal Smart Grid Task Force distinguishes personal information by the purpose it serves. Personal information for which no customer consent is necessary is that used for a primary purpose, or one that is “reasonably expected by the customer,” such as using aggregate data for the electric utility to set prices. Personal information devoted to a secondary purpose, which needs prior consent from the customer, is one that is “materially different from the primary purpose and is not reasonably expected by the customer relative to the transactions or ongoing services provided to the customer.” This includes providing the information to third parties, who can request access to customer data from service providers for secondary purposes. In the US, there is no consistent law or policy adopted by the states concerning the installation of smart meters in consumers’ homes, the availability of an opt-out choice for the consumer, and the ability of the smart meter provider to share the e-data generated from the use of the smart grid with third parties.

Considering that in the Philippines, it is the Energy Regulatory Commission (ERC) that has primary jurisdiction over electric utilities like MERALCO, data privacy considerations must also be addressed by the ERC concurrently or with guidance from the NPC.

Another important agency in this matter is the SEC which should require all PICs that are registered with them to submit as part of the legal requirements for keeping their certificates of registration valid, certified copies of their privacy codes and PIAs.

One thing that must be done, though, by any PIC that plans to roll out a massive project like the smart grid, is that it must be as transparent and forthcoming as possible with correct and relevant information in conducting its PIA consultations with stakeholders and on its website, and should engage in real-time and digital education campaigns as well.

Thank you to the UP IAJ, all of its wonderful staff, all the fabulous and supportive IBP officers and members of the Misamis Oriental Chapter and the Zamboanga del Norte Chapter, the accommodating DFA officials and lawyers, the attentive ConsumerNet members, and of course, the gorgeous MERALCO lawyers and corporate officials, who gave me their time and attention, and the opportunity to share my privacy advocacies.