My cyberprivacy advocacy has taken me to some interesting places, including law firms. When UPIAJ invited me to lecture at the ACCRALAW Tower for the ACCRALAW lawyers last June 17, 2017, on data privacy, I jumped at the opportunity of scrutinizing the policies and practices of this law firm, which has a long and illustrious history in the Philippine legal industry and is therefore a good benchmark for Philippine law firms as far as protecting data privacy is concerned. My objective was to perform an informal external audit to see how the firm has complied with some of the most crucial requirements of the data privacy law (R.A. 10173), which is probably one of the most controversial and challenging laws that all Philippine entities that fall within its scope as a “personal information controller” (PIC) must deal with.
The firm’s website has a News & Updates portion which contained an article concerning the deployment of the iManage system that apparently was done last January of this year. The article states:
“xxx In iManage, ACCRALAW has deployed a sophisticated Work Product Management system that encompasses document management, email management, knowledge management, analytics, process automation and more.”
In the first few months of going live with iManage Work, ACCRALAW has already experienced significant benefits. iManage Work integrates seamlessly with ACCRALAW’s existing practice management system, so that when a new matter is created, a workspace is automatically generated in iManage Work, without the need of manual intervention. Within minutes, users can start saving and publishing documents to this centralized repository, allowing anyone connected to the matter to search, access, and view the related files — saving valuable time and enabling more efficient collaboration.
iManage Work has been rolled out across all of the Firm’s practice departments. As a result, the Firm can better carry out work on behalf of its clients in areas ranging from Litigation and Dispute Resolution, Corporate and Special Projects and Intellectual Property, to Labor, Tax and other specializations. [ACCRALAW Deploys iManage for Document and Email Management, January 30, 2017, http://www.accralaw.com/news-updates/accralaw-deploys-imanage-document-and-email-management, accessed July 25, 2017]
In my lecture, I asked the over 40 lawyers present several questions, including: Were ACCRALAW’s clients informed, and their written consent secured, re: their personal information being subject to “processing” through the iManage system prior to its roll-out? I further asked if there was a Privacy Impact Assessment (PIA) made prior to the deployment of iManage with respect to their clients who are, in all probability, the “data subjects” whose data are inputted in the iManage system. The response was not positive or clear. To be fair, none of the firm’s IT experts, nor the head of the MIS department, nor its Chief Privacy Officer was there to elucidate on this issue.
The article merely mentioned that before “deciding on a Work Product Management system, ACCRALAW exercised due diligence by visiting several legal firms in neighboring Malaysia that were iManage customers, to hear their opinions first-hand.” If its clients’ consent was secured and a PIA was actually done, then these should have been mentioned in the article. Gathering the opinions of iManage users cannot substitute for the firm actually securing its clients’ consent to the iManage system and conducting the actual PIA, both of which are legally mandated and should have been part of the firm’s due diligence. It is also legally required that the iManage system be registered with the NPC, as part of the compliance processes that ACCRALAW as a PIC must undergo. I was not able to get any confirmation if iManage was already registered with NPC.
One good thing about ACCRALAW’s implementation of the iManage system is that the firm does not utilize the hybrid cloud storage and infrastructure services offered by iManage. iManage’s hybrid cloud purportedly services over 1,800 law firms globally. In this connection, I discussed some of the dangers of entrusting clients’ data to cloud services. By choosing not to hand over their clients’ data to iManage’s cloud, and by deciding to develop their internal expertise in managing and dealing with data issues, ACCRALAW will thus avoid the data security breaches that plague the cloud. It is also commendable that the firm is training its own people on e-data management because they can develop the expertise that can be crucial in the electronic discovery of data that is in the iManage system which could be the subject of future litigation.
Another IT system ACCRALAW is using is the Elite system for its financial records. The firm has an access policy which contains restrictions and delineates the people who are allowed to access these important records and the system. Other records of significance are located off-site. These are crucial procedures and protocols that can further avoid data security breaches. It is not clear though if the Elite system is registered with NPC.
As of the time of this blog’s publication (July 25, 2017), the ACCRALAW website still does not contain any posting of the law firm’s privacy policy or privacy code. I told the audience that they should post this document on their website as part of their compliance with the NPC directives. One member of the audience said that they are still at work in crafting their policy/code.
I also found out that the firm has no social media policy and no Bring-Your-Own-Device (BYOD) policy, which can create problems for the firm. While lawyers are supposed to observe the confidentiality of communications between them and their clients, I told the audience that cases abound in different jurisdictions where lawyers using social media have honoured this professional obligation in the breach. Some of the junior lawyers who brought their mobile phones with them confirmed during my lecture that these devices are owned by them personally. Assuming that they use these e-devices for their professional work as well, complications can arise due to the commingling of personal and professional data on these e-devices, if any of these data become the subject of litigation. Also, lawyers tend to be mobile, increasing the risk of security breaches on these devices. Firm, clear policies on these matters, including access policies to the firm’s IT assets, and their effective implementation can actually serve as insurance and a defense for the firm in any future controversy that involves data breach and gross negligence charges levelled against it.
There are a lot of things that lawyers need to know in securing their own data as well as the data of their clients. The Chief Privacy Officer of any organization has their work cut out for them. The Data Privacy Law was passed in 2012. In a seminar I attended last January of this year, NPC Deputy Commissioner Ivy Patdu made the pronouncement that even if the law’s Implementing Rules and Regulations were promulgated over four years after its passage, the NPC operates on the principle that all PICs should have formulated and implemented the necessary policies, safeguards, and protocols that were clearly mandated by the law way back in 2012. All PICs (including law firms like ACCRALAW), as it stands, only have up to September 9, 2017 to comply with the registration requirements under this law. Law firms are particularly placed in the spotlight because they are supposed to be models of legal and regulatory compliance. Here is trusting that all Philippine law firms can duly and timely comply with the NPC requirements.