Press Release June 01, 2009

Spotlight: Jacqueline Klosek and the Privacy & Data Protection Incubator

Senior Counsel Jacqueline Klosek recently gave us the inside scoop on the firm's Privacy & Data Protection Incubator. As a member of the firm's Intellectual Property Group, she told us about the firm's work in privacy and data protection, what influenced her to work in this area, and tips on how we can protect ourselves.

When and why was the Privacy & Data Protection Incubator created at Goodwin Procter?

We were one of the firm's very first incubators, launched with the commencement of the firm’s Incubator Initiative back in 2004. The Initiative seemed to be the perfect mechanism for advancing our expertise and services in this area, as it accommodated the inter-disciplinary and cross-office nature of our work.

Back then, I was working in the Intellectual Property Transactions & Strategies Practice and doing a lot of privacy work from a technology perspective. I had recently returned from practicing in Europe, where I was dealing with a lot of cross-border issues. At the same time, Financial Services Partner Lynne Barr and others were doing a lot of privacy compliance work for financial services institutions, and Litigation Partner Brenda Sharton and others were handling complex privacy litigation matters. The Incubator Initiative allowed us to work together to expand our knowledge and expertise, while also improving our ability to service clients in an integrated and comprehensive manner.

Was there a particular experience or person that influenced your decision to work on privacy and data security matters?

When I finished law school, I went to Europe to study European and International Law. After completing my LLM in Brussels, I stayed to work as a Legal Advisor with Deloitte. During that year, a major European privacy law was under debate. Among other provisions, that Directive prohibited entities from transferring personally identifiable data from Europe to third countries unless those third countries offered adequate protection to personal data. The U.S. was not (and still is not) considered to be a jurisdiction that offers adequate protection to personal data. As one can imagine, this was a very controversial provision of the law, and caused a lot of companies to seek assistance in legitimizing cross-border data transfers. The topic interested me so much that I wrote my first book, Data Privacy in the Information Age, which examined the differences between U.S. and European approaches to privacy.

What are the main issues and topics the Privacy & Data Protection Incubator addresses?

We work with a wide range of clients in diverse industries to manage global privacy requirements in a proactive manner while counseling them on the array of state, federal and global regulations. We also help these clients to manage the risks associated with privacy and data security. Our experience is extensive and encompasses privacy and data security compliance, financial institution privacy and data security counseling, incident response, and litigation.

In an increasingly crowded field that continues to grow and assume greater importance, we take pride in the fact that so many of our incubator members are recognized as thought leaders in the field. Attorneys in our incubator are highly experienced professionals who are well recognized and involved in key leadership positions. Three members of the incubator are Certified Information Privacy Professionals (“CIPPs”). Additionally, our members have authored numerous publications on data privacy.

We are also frequent speakers at national and international conferences and events concerning privacy and data security. The industry recognition we have earned helps to ensure that clients can entrust us with responsibility on this very important issue.

What is the most enjoyable part of working in privacy and data security?

I thoroughly enjoy the fact that the area changes all the time. There continue to be new technological developments that pose new risks to privacy and security. At the same time, lawmakers continue to propose and enact new measures that present new compliance challenges to companies.

How has the incubator evolved since its origin?

It has undergone a dramatic evolution in the past five years. Since our initial formation, our numbers have grown substantially, and we have developed further expertise and are called upon for increasingly complex and high-profile assignments. Notably, this past January, we held a webinar on new data security regulations that become effective in Massachusetts next year, and had over 700 registrants from a wide range of companies.

Why has data privacy and security become such a hot topic?

There are a number of factors. For one, a vast majority of states have now enacted laws that require companies to notify affected persons and/or the media in the event of a data security breach. As such, we’ve all become much more aware of such breaches. In addition, as technology continues to evolve and new and enhanced means of collecting, using and sharing personal information are unveiled, risks to and concerns about privacy continue to grow.

Can you tell us about a particularly interesting case that you have worked on during the last couple years?

Recently, I have been working a lot with clients that have exciting ideas to capture, use and make data available for a variety of purposes, including personal health optimization. I assist clients to ensure that their business objectives are met in a way that complies with law, contractual commitments and their own policies.

Has anything surprised you about the lengths that individuals or companies will go to obtain data illegally?

Recent business failures and the increase in dumpster diving highlight the importance of proper data disposal practices. There continue to be stories of computers and portable devices that are sold, auctioned off, or simply discarded while still possessing sensitive personal information.

Are there any safeguards that you would recommend to companies to help protect the data that they need to collect?

There are many steps that companies can and should take to protect information. Among them, I cannot emphasize enough the importance of consistent and comprehensive employee training. Many of the high-profile data breaches that have been reported over the past few years have involved relatively simple employee errors.

Do you have any recommendations on how we, as individuals, can protect ourselves?

Its really important to pay attention to what you are agreeing to when you provide personal information, whether it be through an online retailer, medical office, via phone, or otherwise. Most businesses will have policies that explain how they collect, use, and disclose your information. Read those policies. If you don't understand or don't agree to their terms, either question them or go elsewhere. Also, monitor your bank statements, credit card reports, health insurance statements, etc. for erroneous or suspicious information and transactions. Be careful about what you post on social networking sites and other online forums. We all have a role to play in protecting our personal information.

>> Featured in the Summer 2009 Goodwin Procter Connections Newsletter