
How to Read a Privacy Statement
Learn how to read privacy statements to meet your professional obligations and reduce risks

Intro

• Amy Weston, Shareholder, Carney Badley Spellman, P.S. (Weston@carneylaw.com)
• Laura Lemire, Of Counsel, Schwabe (llemire@Schwabe.com)
• Olivia Holder, Senior Privacy Counsel, Atlassian (oholder@atlassian.com)

Objectives

1. Know when you should read and understand a third party’s privacy statement
• When does your duty of confidentiality require it?
• When would doing so reduce risks or ensure compliance?
2. Identify the key elements of a privacy statement; and
3. Learn how to analyze key provisions of a privacy statement to accomplish your task

Objective 1

Know when you should read and understand a third party’s privacy statement
• When does your duty of confidentiality require it?
• When would doing so reduce risks or ensure compliance?

When should you read and understand a third
party’s privacy statement?

When you need to know what the third party will do with
information you give it access to or share.

Scenario 1: You or your law firm would like to share information relating to the representation of a
client that is subject to the duty of confidentiality.

Scenario 2: You or your client would like to share client information with a third party, where
the client information is:

o Considered highly confidential, high impact information;
o Governed by contractual obligations or other commitments; and/or
o Subject to privacy laws and regulations.

Q: What does sharing mean in this context? What does it look like?

Scenario 1

Information relating to the representation of a client


When does this come up in-house? In private practice?

Duty of Confidentiality

RPC 1.6 CONFIDENTIALITY OF INFORMATION


• A lawyer shall not reveal information relating to the
representation of a client unless the client gives informed
consent, the disclosure is impliedly authorized in order to carry
out the representation, or the disclosure is permitted by
paragraph (b).

• A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a client.

Information Relating to the
Representation of a Client

The phrase “information relating to the representation” should be
interpreted broadly.

The “information” protected by this Rule includes, but is not necessarily
limited to, confidences and secrets.

• “Confidence” refers to information protected by the attorney-client
privilege under applicable law.
• “Secrets” refers to other information (1) gained in the
professional relationship that the client has requested be held
inviolate or (2) if disclosed, would likely be embarrassing or
detrimental to the client.

WSBA Advisory Opinion on RPC 1.6

2022: Ethical Practices of the Virtual or Hybrid Law Office

• An attorney must take reasonable precautions when transmitting information relating to the
client’s representation.
• Lawyers also are responsible for assessing whether additional security precautions are required to
comply with other law, such as state and federal laws that govern data privacy.
• The use…of online data storage maintained by a third-party vendor raises a number of ethical
questions because any confidential client information included in the stored data is outside of
the direct control of the lawyer.

WSBA Advisory Opinion on RPC 1.6

2012: Cloud Computing (#2215)


• The lawyer as part of a general duty of competence must be able to understand the technology involved
sufficiently to be able to evaluate a particular vendor’s security and storage systems.
• The lawyer shall be satisfied that the vendor understands and agrees to maintain and secure stored data in
conformity with the lawyer’s duty of confidentiality.
• The lawyer shall ensure that the confidentiality of all client data will be maintained, and that client
documents stored online will not be lost, e.g., that the vendor will maintain secure back-up storage.
• The storage agreement should give the lawyer
   o prompt notice of non-authorized access or other breach of security, and
   o a means of retrieving the data if the agreement is terminated or the vendor goes out of business.
• Because data storage technology, and related threats to the security of such technology, change rapidly,
the lawyer must monitor and review regularly the adequacy of the vendor’s security systems.


Duty of Competence

RPC 1.1 COMPETENCE


A lawyer shall provide competent representation to a client. Competent
representation requires the legal knowledge, skill, thoroughness and
preparation reasonably necessary for the representation.

Comment 8:

To maintain the requisite knowledge and skill, a lawyer should keep abreast
of …the benefits and risks associated with relevant technology…

Scenario 2

Client Information
When does this come up in-house? In
private practice?


Client Information

You or your client would like to share client information with a
third party, where the client information is:

• Considered highly confidential, high impact information;
• Governed by contractual obligations or other commitments; and/or
• Subject to privacy laws and regulations.

Client Information

• Consider what will be shared and what can be inferred from
the information
• Consider what laws and regulations apply
• You may need to look beyond the privacy statement
• Many privacy laws and regulations require specific data
protection contractual provisions.


Objective 2

Identify the key elements of a privacy statement

What is a privacy statement?

• Is it a contract?
• How does it differ from terms of use?
• What is the difference between a privacy statement and
data processing agreement?
• What other agreements may matter?


Key Elements of a Privacy Statement

• What’s covered by the privacy statement and what isn’t?


• What will be collected and processed?
• How will it be collected and from what sources?
• How will it be used?
• Who is it shared with? Will I know when it’s shared?
• Where will it be stored? How long?
• Will you let me know if something goes wrong?
• Do I have any choice?
• What can I do if I have questions?

Objective 3

Learn how to analyze key provisions of a privacy statement


What’s covered and what isn’t? Scope

How will it be used?


WSBA Best Practices from 2012 Advisory Opinion


“best practices for a lawyer without advanced technological knowledge could include…”

1. Familiarization with the potential risks of online data storage and review of available general audience
literature and literature directed at the legal profession, on cloud computing industry standards and desirable
features.
2. Evaluation of the provider’s practices, reputation and history.

3. Comparison of provisions in service provider agreements to the extent that the service provider recognizes the
lawyer’s duty of confidentiality and agrees to handle the information accordingly.
4. Comparison of provisions in service provider agreements to the extent that the agreement gives the lawyer
methods for retrieving the data if the agreement is terminated or the service provider goes out of business.
5. Confirming provisions in the agreement that will give the lawyer prompt notice of any nonauthorized access to
the lawyer’s stored data.
6. Ensure secure and tightly controlled access to the storage system maintained by the service provider.

7. Ensure reasonable measures for secure backup of the data that is maintained by the service provider.

Questions?
