Francoise Gilbert

Not so long ago, the Internet was a separate world.  We distinguished e-commerce and other activities in “cyberspace” from those that were conducted in the brick and mortar world.  Today, most companies are exploiting at the same, and to the fullest extent possible, all of the vast resources that are available through the Internet, the World Wide Web and otherwise.

Concurrent with the convergence of cyberspace with the brick and mortar world, telephone and information technologies are converging.  From one single device, we can make calls, send emails, browse the web, review our documents, and even pay for our lattes.  With this convergence, and the ubiquitous need for access to personal information databases, data protection issues have gained greater importance.  Without customer information, companies cannot create products adapted to client needs or target the right client for a sale.

However, holding personal information without adequate safeguards may lead to disaster.  Companies have lost goodwill, to the point of bankruptcy, for having failed to address privacy and information security issues.

This article will look at selected current issues and trends in information privacy and security.

Current Issues

  • Accountability for Proper Security

While information privacy and security concepts were first developed in the early 1970s, it is only with the enactment of the modern data protection laws, such as GLBA and HIPAA, that certain markets became aware of, and required to implement security safeguards to protect the confidentiality, integrity, and authenticity of personal information.  Today, this requirement has been extended to all companies that hold sensitive personal information.  The Federal Trade Commission has made it an “unfair practice” under Section 5 of the FTC Act to hold personal data without providing adequate security.  California law requires companies that hold social security numbers or bank account numbers in combination with the first and last name of individuals to implement “reasonable security measures.”  It also requires these companies to implement the same in their contracts with their service providers.

The liability thresholds have also been raised by a recent Minnesota law, which became effective in the summer of 2007.  Under this new law, companies that retain credit card data after receiving the authorization of the transaction will be held strictly liable for any damages caused by a breach of security.  If data have been exposed, liability will follow without a plaintiff having to prove that the business was negligent.  Damages will include the cost of “reasonable actions undertaken” by financial institutions to respond to the breach, such as the costs to cancel or reissue any access device affected by the breach; close accounts affected by the breach and take any action to stop payments or block transactions with respect to the accounts; open or reopen accounts affected by the breach; make any refund or credit to a cardholder to cover the cost of unauthorized transactions related to the breach; and notify the cardholders affected by the breach. The financial institution will also entitled to recover the costs for damages that it paid to cardholders injured by the breach.  Businesses will be also responsible for violations by their service providers.

Security to protect personal information has also been required under the laws that have implemented the 1995 European Union Data Protection Directive.  US Companies that wish to self certify under the Safe Harbor, or that are contemplating the use of the Model Contracts must ensure that they do have security measures, and that their service providers do the same.

Failure to have adequate security measures is likely to lead to security breached, which US companies are required to report to the affected parties, clients or employees, under the Security Breach Notification Laws enacted in over 40 States.  Japanese companies have the same obligation.  The European Union is said to contemplate revisions to its laws to implement a similar requirement, as well.

  • E-Discovery, Records Retention and Destruction Issues

The need for adequate security measures and document control is also created by the new E-Discovery rules that result from a recent amendment of the US Federal Rules of Civil Procedure which were adopted after several well-reported cases took unexpected turns when the parties battled each other on the production of evidence.  The courts questioned the quality and completeness of the files produced and the so convenient loss, misplacement, or destruction of electronic evidence that was key to the case.

In the employment discrimination case Zubulake v. UBS Warburg, 220 F.R.D. 212 (SDNY 2004), which spanned over several years (because of evidentiary issues), for example, the court ruled that the employer had willfully deleted relevant emails despite contrary court orders.  The court granted the plaintiff’s motion for sanctions and ordered the employer to pay costsbecause it had failed to locate relevant information, to preserve that information, and to timely produce that information.

The amendments to the Federal Rules of Evidence, recently adopted, create a new regime for litigation in an era where emails and other electronic documents constitute a crucial component of the litigants’ case.  Organizations have to take affirmative steps to prevent spoliation of electronic evidence, negligent or intentional.  They must guarantee that identified relevant documents are preserved by placing a “litigation hold” on the documents, communicate the need to preserve them, and arrange for safeguarding of relevant archival media.

U.S. courts will not hesitate to impose sanctions for spoliation of electronic documents, even if it results from document mismanagement.  In this new era, companies have to address document retention and preservation issues.

Companies must take affirmative steps to implement appropriate Enterprise Security Programs that ensure that the location of all documents is known, and that these documents are protected and only destructed according to appropriate policies.  When a suit is filed, they must ensure that all sources of discoverable information are retained, and produced.

  • Proper Treatment of Customer Databases in Corporate and Commercial Transactions

Due diligence and other checklists for corporate or commercial transactions have also evolved with the current data protection trends.  A company can no longer simply transfer or license its database of customer information.  Both parties to the transaction must first ensure that the transfer is not prohibited.  They must review each other’s privacy policies.  This duty is imposed on both parties.

In a recent case were a database of personal information was used in connection with a services agreement, the client was found to have an obligation to verify that its service provider had the right to use the personal information it was using to provide the service. Relying only on a mere representation or warranty in a contract was deemed insufficient. http://files.ali-aba.org/thumbs/datastorage/lacidoirep/articles/PL_ACFF154_thumb.pdf)

In that case, the company was in the business of sending emails to consumers.  In order to promote the products and services of its advertising clients, it obtained the email addresses from list providers, which had gathered these lists through a variety of means.

The New York Attorney General’s investigation of the provenance of these marketing lists revealed that some of the company’s list providers, on their own websites, had promised consumers they would NOT sell, rent, or share their information to or with third parties.  On the other hand, the company represented on its website that recipients of its email campaigns “have all requested to receive information about products and services”.

In its March 2006 settlement, the company agreed to pay $1.1 million as penalties, disgorgement, and costs. Reliance on the list provider’s representations or warranties that the use of the contact information was permissible was found insufficient, on its own, to fulfill the obligation of an independent review.  The settlement agreement stated that the party that is acquiring personal information must first independently confirm that such acquisition is permissible under relevant seller privacy policies.  It must independently review all applicable privacy policies that were in effect when the information was collected, and independently confirm that such policies clearly disclosed that the information collected would or might be shared.  In the absence of such explicit terms, it must confirm, through first-hand investigation, that consumers affirmatively opted-in to permit such sharing.

It is therefore recommended that in the event of a corporate or commercial transaction that involves personal information, the recipient of this information (a) conduct due diligence; (b) conduct a thorough review and analysis of the co-contractor’s or target’s information privacy and security policies and practices; and (c) do not rely solely on written representations and warranties.

  • Outsourcing, outsourcing, outsourcing

Many US companies continue to feel that  “outsourcing, outsourcing, outsourcing” is the key to success.  “Outsourcing,” here, encompasses IT outsourcing, Business Process Outsourcing, Legal Process Outsourcing, Offshoring, and similar agreements.  Indeed, outsourcing might provide savings, efficiencies associated with standardization, and attractive balance sheets; but it presents great risks for client and employee personal information.

Poor privacy and information security safeguards have caused great losses, embarrassment, and loss of goodwill when outsourcers or service providers failed to use adequate security.  For example, Master Card, Visa, Discover, American Express and other large financial institution, were forced to reissue cards, pay for credit record monitoring services, and rebuild customer trust when a hacking at their service provider Card Systems caused the compromise of 40 million credit card numbers. (http://money.cnn.com/2005/06/17/news/master_card/index.htm)

When outsourcing contracts involve providing or giving access to personal information, thorough due diligence is essential to investigate the privacy awareness and security practices of the potential service providers.  Comprehensive and detailed contracts must define safeguards and other mechanisms to ensure adequate security to protected personal information, and compliance with privacy laws.  During the performance phase, companies must keep monitoring the performance of their vendor.  Failure to address seriously privacy and security concerns during these three faces would create exposure to great liability.  Several US laws and current jurisprudence require companies to ensure the protection of certain personal information in their custody, and this obligation extends to subcontractors and service providers of these entities.

Emerging Issues

As we are moving into the Web 2.0 era, and we are seeing the emergence of new uses of technology that seem to be stepping out of science fiction books, numerous legal issues are being raised.  Information privacy and security are likely to continue to be a top concern and priority.  Consider, for example, the following trends:

  • New Advertising models.  The customers’ footsteps are tracked to serve “better content,” more adapted to the customer’s needs.
  • Digital rights management.  These systems track customer uses.  What song or movie is accessed, when, how, where from which machine?
  • Social engineering.  My Space, Facebook are providing forums for disclosing the undisclosable.
  • RFID, GPS, and location based servicesallow tracking individuals, and cause serious privacy and security concerns (Nowhere to Hide, by Francoise Gilbert,  http://itlawgroup.com/privacy_publications.html)
  • Mobile web.  Avertisements sent to cellphones.  Electronic payments made easy.  Customers tracked everywhere.  Privacy might be achieved only by turning off the device.
  • Second Life.  Do avatars have feelings, and … a right of privacy?

While most of the emerging trends above are exciting, creative business activities, certain practices might have dramatic consequences for personal privacy.  In addition, current practices might also take a sour turn.  For example, as the cost of living increases in India or Eastern Europe where many companies have outsourced their call centers, so does the cost of the personnel entrusted with the delicate missions outsourced red to them.  If the outsourcer cannot increase the fees paid by its American client, it may attempt to unload the engagement elsewhere, to transfer its work to others with lower wages, and possibly lesser privacy or security practices and awareness.

Conclusion

The information and communications technologies that were created at the end of the XXth century are becoming very powerful and creating new opportunities.  Physical and geographical boundaries are crumbling, allowing for greater exchange.  Individuals seem to become more empowered.  The blogger becomes a journalist, the YouTube user a movie star.  The Second Life avatar can be a superhero.  However, in this emerging world where individuals seem more valued and powerful, privacy might be under attack and security might be endangered.  Legal issues will abound.