It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Kate Kliebert, a business and data privacy attorney who founded her own firm, Kliebert Law, to help fellow business owners in Charlotte, North Carolina.
Kate enjoys helping business owners who are doing something they love and are passionate about but don’t understand the legal risks to them or how to deal with those risks. Her goal is to free business owners from legal question marks or troubles so they can focus on their businesses.
She negotiates licensing agreements, vendor contracts, and other commercial contracts, and assists start-ups and existing businesses with operational issues around their formation, trademarks, and marketing strategies. Privacy and data security are areas in which Kate has expertise, as well. She advises clients on data privacy risk and compliance and helps them with data breach response and recovery.
Kate also gives back her time and talents — to her industry and her community. She has served on committees for the Mecklenburg County Bar. She is a past president of Women Lawyers of Charlotte. She is a member of the North Carolina Bar Association’s Privacy and Cybersecurity Committee. And she is a volunteer attorney for the Council for Children’s Rights, a children’s advocacy organization in Charlotte.
Kate earned her Bachelor of Arts degree in English, with a minor in French, from the University of Colorado at Boulder. She earned her doctorate in law from Vanderbilt University Law School. She is licensed to practice law in North Carolina and her native Louisiana.
Thank you so much for joining us in this interview series! Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I grew up in Louisiana in a family of lawyers. My grandfather was a judge. My dad was a lawyer who became a judge when I was in high school. I had two uncles and an aunt who were lawyers. So there was always this expectation that that was what I would do, too. At first, I might have been resistant to it, because it was expected. Then, I got a job at a law firm in college, just part-time, doing assistant type stuff, and that was the first time I saw what a working law firm looked like and what an attorney actually did. That firm was really good about giving me actual substantive things to help out with, so I wasn’t just making copies. I realized I really like digging into a case or legal issue and figuring out all the pieces and solving whatever problem the client was having. That’s when I decided I would look at law schools.
Can you share the most interesting story that happened to you since you began your career?
I started my own — solo practitioner, so far — law firm in 2018, and until then, I’d always worked for other people, at larger firms, with large corporate clients. I was learning how to start a business from scratch. And I quickly realized that my own experience makes it easier to understand some of the issues and problems my clients, who are owners of small- and mid-sized businesses, also face. Having my own business makes it easier for me to relate to my business owner clients and understand what it takes to run your own business.
None of us is able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
My parents always encouraged me to do what I wanted to do. It sounds cliché, but it’s true. I also am grateful to the female judge I clerked for during my first year out of law school. Having that opportunity, as a new lawyer, to see all these different lawyers practice law and witness what works and what doesn’t, was invaluable. I remember once these lawyers from a big, well-respected firm showed up to a hearing in which they were 100 percent right, but didn’t bring the evidence needed to prove it. That judge said something afterward that has stuck with me. Basically, she said don’t lose sight of following the process and don’t ever think you are above doing the basics.
Are you working on any exciting new projects now? How do you think that will help people?
Since the beginning of the year, I’ve been getting a lot of calls from clients who got sidetracked on certain business-related goals in 2020, because of the pandemic. And now they are ready to get back at it — doing deals, signing contracts, hiring staff and vendors, putting together formal agreements and just generally growing their businesses. It’s exciting to see progress being made and to help clients get back on track with their business goals.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
For me it’s about having set hours for when I am available to clients and sticking to them. This is especially important now that many of us are working from home and it is too easy to work all the time. And it’s especially important for lawyers and business owners, because many of us really like to work all the time or feel we have to work all the time. If clients are emailing you at all hours of the night, and it’s not an emergency, it’s OK to say, “I work from 8 to 5.” And you have to be the enforcer of that. There are obviously exceptions when emergencies come up. But those are few and far between.
I also feel strongly that it’s important to have interests and hobbies outside of work and the law, because that makes you a better lawyer. Having other interests gives you more ways to connect with your clients, who also hopefully have diverse interests, too. When I’m not working, I like to read, and mystery novels are my favorite. I also like to scuba dive and hike, often with my rescue dog at my side, and dabble in photography.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
One of the things that makes privacy compliance complex is there is no blanket answer for what you need to do to be compliant. It varies state to state, country to country and industry to industry. Each of the 50 states has its own data breach laws that protect certain sensitive information from release. There is no federal privacy law, though the idea of one does come up now and then.
Part of the challenge is figuring out which regulations apply to your business and then determining how you balance different rules and laws if you operate across the entire U.S. — or in other countries, for that matter. For example, if you have clients in North Carolina and California, the latter of which has stricter privacy laws than most states, do you treat your clients’ information differently based on where they live or do you abide by the stricter standard across the board?
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
The first step is to know what data you have, what you are using it for and how and where you are storing it. Whenever possible, I recommend that customer data be destroyed at some point, especially when the purpose for which it was collected no longer applies.
I also encourage businesses to be transparent with how they use customers’ information and make sure to keep the promises made to customers about how their information is used and disclosed. There’s not necessarily a specific law that requires that, but it’s a good idea.
As more jurisdictions take privacy laws even more seriously, the bar for what is reasonable to protect consumers will be raised, so it’s a good idea to already have systems and procedures in place and to even go above and beyond what might be legally required.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Lawyers have many ethical guidelines, including how long they hold onto client files. But how those files are stored has changed since I began practicing law 10 years ago. When I first started out, every case had a paper file, and files were stored in a large storage room until they were eventually destroyed. Now everything — or most everything — is stored electronically. I scan and shred, unless I really need the original. So the length of time I’m required to keep files hasn’t necessarily changed, but the way I keep them has.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
First, I have to comply with the ethical rules for attorneys. That is the first place I start. I use Microsoft 365 and OneDrive and legal practice management software that works with Microsoft to keep everything organized by client and by case. Microsoft 365 also has some great tools for email and document retention that I use.
How long information is stored depends on the client and the case. If I am asking for sensitive information, I ask clients not to email it to me but to upload it via my practice management tool. Related to that, I never ask for information that I don’t need. Some lawyers — or even my dentist — ask for Social Security numbers on intake forms as a matter of course and not because they actually need that information. If you don’t collect information you don’t need, you don’t have to worry about storing it and protecting it.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
Ever since California passed comprehensive and strict consumer privacy legislation in 2018, the same year the European Union implemented its stringent General Data Protection Regulation (GDPR), clients have been asking me if they need to comply or do anything differently. For everyone in the consumer privacy world, the California Consumer Privacy Act (CCPA) and GDPR are the two big ones.
I wouldn’t say I worry about anything in the future. It’s just important to stay on top of state data breach laws, which seem to always be changing. A lot of states are adding health information to data breach laws. It used to be that only those companies subject to HIPAA had to take certain measures to safeguard consumers’ personal health information; now more companies have to do that.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools for data retention and cyber security have evolved and are more accessible to small businesses than they used to be. People kind of expect that that will be really expensive and that their business can’t afford that sort of program. But I’d say you can’t afford not to make this basic investment. There are cybersecurity-as-a-service plans you can sign up for that will provide the level of protections your business needs now and as it grows. It’s not like you have to call a company and get a quote for a big, custom-built enterprise system; there are off-the-shelf options now. In fact, Microsoft 365 is a good place to start and has some good tools for document retention that would work for various-sized businesses.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
This stuff is always on my mind. As a lawyer, you see the worst-case scenarios. We get hired when something has gone wrong.
In early 2020, there was the Maze Ransomware attack that specifically attacked law firms and accounting firms with ransom notices. It didn’t change anything; it was a reminder to be careful. What I would tell clients is that the majority of these attacks, even if they seem sophisticated, are the result of human error — rushing and then clicking on a suspicious link, opening an attachment designed to attack your computer or sending sensitive information to someone you don’t really know.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
1. You need to know what information you have and where you are storing it before you can do anything to protect it. One issue I see with clients is they don’t know exactly what information they have. Email is a big one. I worked with a client who had a lot of documents with customers’ bank account information and wiring instructions on them, and she and her employees were keeping them all in their email inboxes — thousands of emails. That was their filing system. Someone hacked into the company’s email and got access. We had to do thousands of data breach notifications, going back to customers the firm had worked with several years prior. If they’d had a system that automatically archived email and regularly deleted email as appropriate, it would have significantly limited the number of people whose private information was compromised.
2. Make sure there is a purpose for each piece of information you collect.
Ask yourself: “What do I really need? Does this piece of information serve a legitimate business purpose?” At a basic level, consumer data can’t get compromised if you don’t have it. This is a basic way to limit your risk.
Consumers should ask themselves similar questions before providing personal information. Why is this business asking for this information? What’s the potential harm of providing or not providing it? I recently went to a new dentist who asked for my Social Security number on my new patient form. I didn’t give it to them, and they didn’t ask for it again before cleaning my teeth, so I guess they didn’t really need it.
3. Know the laws and regulations — state, federal, international and industry — that apply to you. And there’s another one, a big one that people forget — contractual obligations. You might have a contract that states that you must follow above and beyond what is required by any law. I had a client who provided consulting services to financial firms, and each contract he signed said his company had to comply with CCPA and GDPR, even though it otherwise would not have been subject to those laws. And he didn’t realize any of this. You have to understand the law and what you agree to in whatever you sign.
4. Have an incident response plan. This is a plan for what you do if something happens. So-and-so in accounting says he opened an email, and it wanted his password, so he entered it, but now realizes maybe that was a bad idea. OK, who’s in charge? Who investigates? Who escalates the matter and to whom? What course of action is required? This is so you don’t have to plan in the moment, in the crisis. And make sure you practice putting the plan into action and regularly update it.
5. Have written internal policies and procedures for employees and how they can access info. Clients often don’t have these for their staff and independent contractors. This is another basic way to reduce risk — of issues arising to begin with and of someone being able to say you didn’t have safeguards in place. Going back to that first story of the company where employees stored customers’ personal information in their email, having internal employee policies that address the use and disclosure of customer information could help to eliminate that risk.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
As a businesswoman, lawyer and avid reader, I’d like to see book clubs sprout up that feature professional women and college women — the next generation of professional women. I’d imagine we’d read books about business leaders and others we admire, books that make us better at what we do or yearn to do and books that just make us think. It would be a great way for professional women to work on ourselves and help those female business owners, CEOs, lawyers, doctors, accountants, entrepreneurs and more coming behind us. What should we read — and what should we read first? Send me your ideas!
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!