Hot Issues In Cyberspace: Critical Information Privacy And Security Issues
Françoise Gilbert © 2008 IT Law Group – All Rights Reserved
Published in the February 2008 issue of The Practical Lawyer.
Think the developments of the last year or two were interesting? Just wait and see what’s coming. There was a time, not so long ago, when the Internet was a world apart. We distinguished e-commerce and other activities in “cyberspace” from those that had existed for centuries in what we called the “brick and mortar” world. This is no longer the case. These worlds have converged. Companies are exploiting to the fullest extent possible the vast resources of both worlds, all at the same time. This article looks at selected recent developments and the upcoming trends.
Current Issues
Concurrent with the convergence of cyberspace with the brick and mortar world, personal data protection issues have gained greater importance, and frequently taken center stage. Indeed, without customer information, companies cannot create products adapted to client needs or target the right client for a sale. However, companies have lost goodwill, to the point of bankruptcy, for having failed to address privacy and information security issues.

Accountability for Proper Security
In the 1970s, financial institutions were among the first to be required to protect the critical and sensitive financial secrets they were holding. In the late 1990s, new data protection laws that were enacted, such as the Gramm-Leach-Bliley Act and HIPAA, required the implementation of security measures to protect the confidentiality, integrity, and authenticity of personal information. Today, this requirement has become ubiquitous. It has been extended to all companies that hold sensitive personal information. The Federal Trade Commission has made it an “unfair practice” under section 5 of the FTC Act to hold personal data without providing adequate security. California law requires companies that hold Social Security numbers or bank account numbers in combination with the first and last name of individuals to implement “reasonable security measures.” It also requires these companies to implement the same in their contracts with subcontractors. The liability thresholds have also been raised by a recent Minnesota law, which became effective in the summer of 2007. Under this new law, companies that retain credit card data after receiving the authorization of the transaction will be held strictly liable for any damages caused by a breach of security. If data have been exposed, liability will follow without a plaintiff having to prove that the business was negligent.
This cost will include the cost of “reasonable actions undertaken” by financial institutions to respond to the breach, such as the costs to:
The financial institution will also be entitled to recover the costs for damages that it paid to cardholders injured by the breach. Businesses will also be responsible for violations by their service providers. Protecting the security of personal information is also a requirement under the laws that have implemented the 1995 European Union Data Protection Directives. Companies that wish to self-certify under the Safe Harbor, or that are contemplating the use of the Model Contracts, must ensure that they do have security measures in place. These measures are also required from their service providers. Thus, supplier and vendor contracts must be drafted as needed to address these requirements and the related risks.

E-Discovery, Records Retention, And Destruction Issues
Many or most documents used as evidence in litigation have been created or stored in cyberspace. The litigants must be in a position to furnish them in response to a document request. They must be able to demonstrate the authenticity of the documents and the completeness of their response. Several well-reported cases took unexpected turns when the parties battled each other on the production of evidence. The litigants and the courts were concerned about the quality of evidence and the completeness of the files produced. They questioned the so-convenient loss, misplacement, or destruction of electronic evidence that was key to the other party’s case. For example, in the employment discrimination case Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2004), which spanned several years because of evidentiary issues, the court ruled that the employer had willfully deleted relevant emails despite contrary court orders. The court granted the plaintiff’s motion for sanctions and ordered the employer to pay costs.
Among other things, the court noted that defense counsel was partly to blame for the document destruction because it had failed in its duty to locate relevant information, to preserve that information, and to timely produce it. Attorneys must take affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched. Specifically, the court concluded that attorneys are obligated to ensure all relevant documents are discovered, retained, and produced. Additionally, the court declared that litigators must guarantee that identified relevant documents are preserved by placing a “litigation hold” on the documents, communicating the need to preserve them, and arranging for safeguarding of relevant archival media. Amendments to the Federal Rules of Evidence have now been passed to create a new regime for litigation in an era when emails and other electronic documents constitute a crucial component of the litigants’ case. Attorneys and organizations have to take affirmative steps to prevent any form of spoliation of electronic evidence, negligent or intentional. United States courts will not hesitate to impose sanctions for spoliation of electronic documents, even if it results from document mismanagement. In this new era, companies have to address document retention and preservation issues.

Proper Treatment of Customer Databases In Corporate And Commercial Transactions
Due diligence and other checklists for corporate or commercial transactions have also evolved because of the current data protection trends. A company can no longer simply transfer or license its database of customer information. Both parties to the transaction must first ensure that the transfer is not prohibited. They must review each other’s privacy policies. This duty is imposed on both parties.
In the action by the New York Attorney General against Datran Media, which concerned a database of personal information used in connection with a services agreement, the client was found to have an obligation to verify that its service provider had the right to use the personal information it was using to provide the service to its client. Relying only on a mere representation or warranty in a contract was deemed insufficient. In that case, the company was in the business of sending emails to consumers, in order to promote the products and services of its advertising clients. It obtained the email addresses from list providers, which had gathered these lists through a variety of means. The New York Attorney General’s investigation of the provenance of these marketing lists revealed that some of the company’s list providers, on their own websites, had promised consumers they would NOT sell, rent, or share their information to or with third parties. On the other hand, the company represented on its website that recipients of its email campaigns “have all requested to receive information about products and services from companies like yours.” In its March 2006 settlement, the company agreed to pay $1.1 million as penalties, disgorgement, and costs. Reliance on the list provider’s representation or warranties that the use of the contact information was permissible was found not sufficient, on its own, to fulfill the obligation of an independent review. The settlement agreement stated that the party that is acquiring personal information must first independently confirm that such acquisition is permissible under relevant seller privacy policies. It must independently review all applicable privacy policies that were in effect when the personally identifiable information (“PII”) was collected, and independently confirm that such policies clearly disclosed that the PII collected would or might be shared. 
In the absence of such explicit terms, it must confirm, through first-hand investigation, that consumers affirmatively opted-in to permit such sharing. Thus in the event of a corporate or commercial transaction that involves the transfer or disclosure of personal information, the recipient of this information must:
Outsourcing, Outsourcing, Outsourcing
While real estate’s motto is “location, location, location,” companies continue to feel that “outsourcing, outsourcing, outsourcing” is the key to success. “Outsourcing,” here, encompasses IT outsourcing, business process outsourcing, legal process outsourcing, offshoring, and similar agreements. Indeed, from a financial standpoint, outsourcing might provide savings, efficiencies associated with standardization, and attractive balance sheets; but it presents great risks. Outsourcing contracts are complex and involve a myriad of issues. Due diligence is essential to investigate the practices of the potential service providers. Comprehensive and detailed contracts must define safeguards and other mechanisms to attempt to reduce risks and address the upcoming changes and challenges. During the performance phase, companies must keep monitoring the performance of their vendors. Of great concern in each of these stages is the protection of the privacy and security of the personal information of the company’s employees and customers entrusted to the outsourcing company. Several U.S. laws and current jurisprudence require companies to ensure the protection of personal information in their custody. Poor privacy and information security safeguards have caused great losses, embarrassment, and loss of goodwill. For example, MasterCard, Visa, Discover, American Express, and other large financial institutions that subcontracted certain functions to CardSystems had to incur the cost of replacing the compromised credit cards, arranging for credit record monitoring, and the like, when a hacking incident at CardSystems caused the compromise of 40 million credit card numbers. Names, account numbers, and verification codes of credit card customers were exposed, forcing the outsourcing companies to reissue cards, pay for credit monitoring services, and rebuild customer trust. See, e.g., http://money.cnn.com/2005/06/17/news/master_card/index.htm.
Emerging Issues
As we are moving into the Web 2.0 era, and we are seeing the emergence of new uses of technology that seem to be stepping out of science fiction books, numerous legal issues are being raised. Consider, for example, the privacy, security, intellectual property, and other issues that may arise from the following:
Although most of the emerging trends above generally evidence healthy, creative business activities, we should be mindful as well that certain practices, when pushed to the extreme, might have dramatic consequences. For example, while Western companies are happy to unload to India, China, the Philippines, or Eastern Europe a great deal of their operations and processes, serious problems are about to occur. As the cost of living increases in these countries, so will the cost of the personnel entrusted with the delicate missions transferred to them by their American and European clients. These cost increases will have to be addressed or passed on to the customer. The outsourcer may become an outsourcing company itself, and transfer its work to others with lower wages. The outsourcer might stop work and attempt to renegotiate better terms. In all cases, quality will suffer.
Conclusion
The information and communications technologies that were created at the end of the 20th Century are becoming very powerful and are creating new opportunities. Physical and geographical boundaries are crumbling, allowing for greater exchange, but rules from different cultures have trouble coexisting. Individuals seem to be taking over the power. The blogger is a journalist. The YouTube user is a movie star or a movie producer. The Second Life avatar can be a superhero or a criminal. Legal issues abound.
To purchase the online version of this article, go to www.ali-aba.org and click on “Periodicals.”