The Legal Challenges of Privacy, Computer Fraud and Data Security
Exclusive Interview with Nick Akerman, Dorsey & Whitney LLP
The development of new technology platforms and explosive growth of social media presents companies with complex legal challenges — from securing trade secrets to safeguarding customer privacy, not to mention protecting your company from potential litigation or direct economic loss.
While an old adage has been that companies’ greatest assets walk out the door at the end of each day, now in the Digital Age they can easily take other vital and proprietary assets in their pocket with them. As Dorsey & Whitney LLP partner Nick Akerman points out, “what previously could be put into a dozen file cabinets can essentially be downloaded into a small USB disk drive that somebody can just put in their pocket and walk out the door with undetected. Or they can take the same information and simply send it with a couple mouse clicks halfway around the world without even stepping foot out of their office.” And in many cases, outsourcing data operations or working with third-party processors can dramatically increase your exposure and potential liability.
Akerman also shares seven proactive steps you can take throughout your organization to mitigate your risk as well as legal remedies in response to both internal and external threats.
Today, what could be put into a dozen file cabinets can essentially be downloaded into a small USB disk drive that somebody could just put in their pocket and walk out the door, or they can take the same information and simply send it with a couple mouse clicks halfway around the world. The other big challenge in this area is that most companies really don't realize that this is more than a data security issue.
It relates to HR, the human resources department, and how you deal with your employees, the agreements that you have with your employees. They're the ones who, if someone's going to take data, are probably the biggest risk that's involved: insider theft. Also, getting involved with the legal staff and knowing what sorts of rules should be in place and what kinds of issues should be looked at when people leave, when they're hired, and all sorts of compliance issues.
There are certainly some very proactive steps that companies can take in going after people who steal their data, whether it's somebody who hacks into the system from the outside or whether it's an inside threat. In fact, I would say one of the biggest problems here really comes from company insiders, people who wind up leaving the company and going to a competitor and taking data with them in order to enhance their position in their new company or to start a competing business themselves.
I think what a lot of companies don't realize is that there are tools out there, legal tools, that companies can use to go after individuals who steal data.
Probably the most under-used statute is the Federal Computer Fraud and Abuse Act, which is a federal computer crimes statute. It was originally enacted back in 1984 as a part of the federal criminal code, and in 1992 was amended by Congress to include civil remedies, so that anybody who has been injured as a result of any criminal activity that would be covered by this statute has the right to bring a federal civil suit.
This suit would involve not only damages, but more importantly an injunction. An injunction is simply a court order that directs somebody to do something. In this case, with respect to computer data, where I use it most with my clients is getting an injunction that directs somebody to return the data and to refrain from using it anywhere, at any time, which can be a pretty powerful weapon in terms of ensuring that your data does not get out into the marketplace and is not used against you competitively.
The other legal remedy that has evolved over the years has been the simple state law of conversion, which up until a few years ago didn't apply to computer data. In fact, the old rule was that conversion only applied to tangible property.
And just a few years ago, the New York Court of Appeals held that computer data is encompassed within conversion, basically looking at how our common law developed in this area of theft, going all the way back to 1066 with William the Conqueror, and looking at how societal values have changed over the years; and as societal values have changed, so has the common law.
And in this particular case, the New York Court of Appeals decided that because computer data is so important to our commercial life, so important to what we do every day and is so ubiquitous, that there is no good reason why it should not be included as part of the property that's encompassed within conversion.
There are ways companies can actually protect their data. A lot of it deals with technology and having the proper technology in place. Encryption is a big issue. Part of the problem here, though, is that technology moves so fast, and the criminal element keeps up with that technology just as well as everybody else does.
And so what you're dealing with is a moving target that you constantly have to be on top of, and constantly have to be looking at to make sure that your systems are secure. Now keep in mind, no system is totally secure. When you're dealing with data, there's no such thing as a Fort Knox. The best you can do is try and minimize the potential for theft, and put yourself in a position such that if there is a theft of either your proprietary information or personal data that might relate to people's Social Security numbers, you're in a position to go after them.
And so part of security is not just securing your system, but also having in place technology that allows one to determine who actually committed the crime. One of the most frustrating things I find is getting into a situation where I'm called in by a client, and we look at the system, and we find that, sure, a person who we suspect went into the system the day before he left and was in there for three hours.
But there is nothing in the system that allows us to determine what the person looked at, whether the person downloaded anything, or whether the person printed anything off the computers. So we're basically left in a position where we do not have admissible proof that permits us to go into court. So one of the lessons of that little story is that you really have to have your technology in place so that you have audit trails, so you have the ability to prove what happened.
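As an added example, not part of the interview or of any Dorsey & Whitney material: a minimal hash-chained audit trail in Python that records who viewed, downloaded or printed which resource, verifies that no record has been altered, removed or reordered, and answers the question raised above (what did a departing employee look at or download in a given window). The user names, file paths and events are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hash-chained audit trail: each record carries the hash of its predecessor,
# so altering or deleting an earlier record breaks verification of everything
# after it. All names, paths and sample events below are constructed.

class AuditTrail:
    def __init__(self):
        self.records = []

    def _digest(self, prev_hash, body):
        # Canonical JSON so the same body always hashes the same way
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

    def append(self, user, action, resource, size_bytes, when):
        body = {
            "seq": len(self.records),
            "ts": when.astimezone(timezone.utc).isoformat(),
            "user": user,
            "action": action,      # "login", "view", "download" or "print"
            "resource": resource,
            "bytes": size_bytes,
        }
        prev_hash = self.records[-1]["hash"] if self.records else "0" * 64
        record = {"prev": prev_hash, "hash": self._digest(prev_hash, body), **body}
        self.records.append(record)
        return record["hash"]

    def verify(self):
        """True if no record has been altered, removed or reordered."""
        prev_hash = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k not in ("prev", "hash")}
            if rec["seq"] != i or rec["prev"] != prev_hash:
                return False
            if self._digest(prev_hash, body) != rec["hash"]:
                return False
            prev_hash = rec["hash"]
        return True

    def activity(self, user, start, end):
        """Counts per action, resources touched and bytes downloaded by user in [start, end)."""
        summary = {"view": 0, "download": 0, "print": 0,
                   "resources": [], "download_bytes": 0}
        for rec in self.records:
            ts = datetime.fromisoformat(rec["ts"])
            if rec["user"] != user or not (start <= ts < end):
                continue
            if rec["action"] in ("view", "download", "print"):
                summary[rec["action"]] += 1
                summary["resources"].append(rec["resource"])
            if rec["action"] == "download":
                summary["download_bytes"] += rec["bytes"]
        return summary


def build_sample_trail():
    """Constructed events: an employee's last evening, including bulk downloads."""
    trail = AuditTrail()
    base = datetime(2010, 6, 1, 18, 0, tzinfo=timezone.utc)
    trail.append("jdoe", "login", "-", 0, base)
    trail.append("jdoe", "view", "/crm/customer_list.xlsx", 0, base + timedelta(minutes=5))
    trail.append("jdoe", "download", "/crm/customer_list.xlsx", 2_400_000, base + timedelta(minutes=7))
    trail.append("jdoe", "download", "/eng/pricing_model.docx", 850_000, base + timedelta(minutes=40))
    trail.append("jdoe", "print", "/eng/pricing_model.docx", 0, base + timedelta(minutes=55))
    trail.append("asmith", "view", "/hr/handbook.pdf", 0, base + timedelta(hours=1))
    return trail


def last_day_report(user="jdoe"):
    """What the named user did on the constructed departure day (2010-06-01 UTC)."""
    trail = build_sample_trail()
    start = datetime(2010, 6, 1, tzinfo=timezone.utc)
    return trail.activity(user, start, start + timedelta(days=1))


def tampered_trail_verifies():
    """Silently dropping the bulk download record must make verification fail."""
    trail = build_sample_trail()
    del trail.records[2]
    return trail.verify()


if __name__ == "__main__":
    print("chain intact:", build_sample_trail().verify())
    print("jdoe on last day:", last_day_report())
    print("chain after tampering:", tampered_trail_verifies())
```

In production the chain head would be anchored somewhere the administrators cannot rewrite (a write-once store or an external timestamping service), so that a verified chain is evidence of what happened rather than just a consistent story.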
There is a major obligation on behalf of companies, if they find that there's been a breach of personal information. Over the last few years, forty-six different states across the country have enacted breach notification laws such that if a company has reason to believe that there has been a breach of personal information -- that includes Social Security numbers, bank card information, anything that can be used to perpetrate identity theft, the whole...
One of the most important things that a company can do to determine that is really to have in place a protocol such that they can investigate and determine pretty quickly whether or not there really is a need to disclose. Now, the federal government has not yet enacted an encompassing law on this subject. There is, in the TARP Bill, the stimulus bill that was enacted at the beginning of 2010, an amendment to HIPAA, which is the health care act, that actually does now put a federal law in place for breach notification.
And I think what most companies have to realize is that this probably is going to be the forerunner of what we're going to see ultimately in a federal law, and what is significant about that new statute is that it isn't just having a reasonable belief that there was a breach, but it's also a question of when you should have known there was a breach.
All of which is to say that companies are going to have to be more and more vigilant in this area.
There are certain clients, there are certain industries that have a higher bar than others, and that's because of statutes that exist. For example, Gramm-Leach-Bliley applies to the financial industry, and that creates all kinds of requirements on banks and financial institutions. HIPAA, which is the health area: hospitals now have a heightened responsibility in the area of personal information and protecting that information.
But what has happened, and I think what the trend is, and what we're seeing, is that this responsibility is really being spread across all industries. And the forerunner on this is the Massachusetts statute that just went into effect this last year, which requires all companies, whether they're in Massachusetts or elsewhere, that have personal information related to Massachusetts residents to have in place a full-blown compliance program relating to the protection of data, and they are required to encrypt the data in certain ways.
That is a trend that is not just in Massachusetts, but is also something which has come up in a number of other states. Even though there are 46 state laws, with respect to this data and notification, consumer notification, there are some general principles that you can take out of all of these laws and pretty much comply with them.
But they all basically have the same parameters to them: if you have a reasonable basis to believe that there's been a breach, you have to notify. Some states say it's a reasonable amount of time; other states actually set the time limit as 45 days. If you notify law enforcement and law enforcement asks you not to notify because they want to conduct an investigation, that gives you some breathing room in terms of having to notify consumers.
Some states, like Connecticut, require an investigation.
Cloud computing has actually just complicated this issue of security a little bit more, in the sense that companies that use cloud computing are basically outsourcing the data to another party, and so what that means is that you've got to be even more vigilant, because the data is no longer on your premises.
You have to ask yourself, do you know who the company is? Do you know what kinds of protection they're providing for the data? And if there is a breach, what kind of control are you going to have over that data? Are you going to be able to conduct the investigation, as opposed to having the third party conduct an investigation?
Are you going to have access, if you need to get that data, in order to comply with just your document retention program? Are you going to have access to that data to be able to comply with e-discovery obligations, which are becoming a big issue for every company? If you look at the 46 state laws that require notification to consumers if there's reason to believe there's a breach, all of those laws require third parties that are holding the data to immediately notify the other company, or the owner of the data, that there has been such a breach.
But that really is only the start of it; it just kind of begs the issue about who then conducts the investigation. This past year there have been two major privacy decisions that have come out. One from the Supreme Court, the Quon case, which is a case out of northern California. The city of Ontario had a policy that basically is the same policy that most employers have, that you can only use the computers for business purposes, and in this particular situation this related to text messages.
And the police officer basically was paying for the use of the text messaging, but they were told that the policy was that the police department could look at anything. Well, it turns out that this particular police officer had some sexually explicit text messages, which were found at some point by one of the officers reviewing this.
And the District Court and the Ninth Circuit Court of Appeals basically said that even though there were these policies that allowed the employer to look at whatever the employee was doing in the text messaging and had the right to monitor, in practice it didn't work that way. And so, therefore, this employee had an expectation of privacy that his text messages would not be looked at.
The Supreme Court reviewed it and reversed it, and basically said under these circumstances that what the city did did not violate the Fourth Amendment to the Constitution. The other case of interest in this area, relating to the attorney-client privilege, was from the Supreme Court of New Jersey, where a woman at work had written to her attorney before she left, thinking about suing her company for discrimination, and used the company computers to do that, but used a web-based e-mail.
And of course, after she left, the company looked at her computer and found the temporary file in which this email was sent to her attorney. So the question was, even though the policies were in place that said that the computers belonged to the company, and that all of the information on there belonged to the company, and that she could only use it for business purposes, the Supreme Court of New Jersey said that, no, the privilege applied here regardless.
I mean a very, very blanket prohibition here which I am not sure would be followed in any other state. But I think one of the big lessons to learn from this particular situation was again an inconsistency in policies. Even though the policy stated that employees were only to use the computers for business and not personal use, there was also one provision that said that you could use it for personal use.
And there's a little bit of confusion that the court detected. All of which is to say that companies that write computer policies have to be very careful to write them in a way that is very straightforward and not contradictory, and that very explicitly sets out what an employee's expectation of privacy is when they use the company computer.
There are basically seven areas of importance that a company has to look at in terms of mitigating its risk, in terms of protecting its data. First and foremost is the hiring process. This is the area where new people, new employees, come into the company. It's an opportunity to explain to people what the rules are concerning data.
It's the place where you can be certain that people who are coming into your company are not bringing data from their former employer, which can create risks in terms of being sued by that former employer, as well as criminal risks of being prosecuted by the Federal Government under the Economic Espionage Act or the Computer Fraud and Abuse Act.
Secondly, you want to be looking at the agreements that you have in place, not only with your employees, but also with third parties as they relate to data. What responsibilities do employees have in terms of returning data to the company when they leave? What are the responsibilities that the employees have in terms of their access to the company computers?
The third area that is important to look at in terms of mitigating risk here is the rules. Now some of those rules that I talked about can be incorporated in agreements, but you also want to have a code of conduct that basically describes what people can do and can't do with the data. And what they can do, for example, in terms of taking laptops home, working at home, and what other responsibilities they have in terms of what you can do with that data and where it can go.
Fourth, you want to look at your technology. What kind of technology do you have in place that will protect the data? Fifth, you want to have a good termination process in place, because a termination process is sort of the bridge where the employee leaves the workplace, and if they're going to steal data and go to a competitor or use it for their own purposes, this is the place where you want to make sure that everything has been returned.
Sixth, you want to have protocols for response. These are pretty fast-moving issues. When you find out that your data has been stolen, you don't want to be waiting around. And seventh, the other big area that companies really ought to be looking at is their compliance function, because ultimately I think this whole issue is going to boil down to compliance.
As the Massachusetts statute is pretty much requiring now all companies with Massachusetts data to have a compliance program in place, I think that's going to spread to other states and I think that's the trend of the future.
But what I advise my clients to do is: if you're going to be protecting the personal data, there is no reason not to also be protecting your competitively sensitive data, since the margin of cost is pretty slight and the danger is just as great to the company.
A partner in Dorsey’s New York Office, Nick Akerman is a trial lawyer specializing in both complex civil and criminal cases. He is a nationally recognized expert on computer crime and the protection of competitively sensitive information and computer data. Nick has obtained over 15 injunctions under the federal Computer Fraud and Abuse Act in various federal courts around the country requiring computer thieves to return stolen computer data and prohibiting the dissemination of the data to competitors. He also consults with clients in developing systems, policies and protocols to protect computer data.
Nick speaks and writes regularly on protecting computer data, including in his regular computer data column for the National Law Journal. He has been a featured quoted expert on computer fraud and computer security issues in the New York Times, USA Today, the San Jose Mercury, the Boston Globe, the St. Louis Dispatch, the Sacramento Bee, Forbes, ComputerWorld, CFO Magazine, CNET, CNET Japan, ZDNet, MSN, Internet Week and the Weekly Homeland Security Newsletter.
Prior to private practice Nick served as a federal prosecutor. He was an Assistant United States Attorney in the Southern District of New York, where he prosecuted a wide array of white collar criminal matters, including bank frauds, bankruptcy frauds, stock frauds, complex financial frauds, environmental and tax crimes. Nick was also an Assistant Special Watergate Prosecutor with the Watergate Special Prosecution Force under Archibald Cox and Leon Jaworski.
You can find his Computer Fraud and Data Protection Blog at http://computerfraud.us.
Harvard Law School, J.D., 1972, cum laude
University of Massachusetts, B.A., 1969, magna cum laude, Phi Beta Kappa
To see a full bio, visit: http://www.dorsey.com/akerman_nick/
For recent articles, visit http://computerfraud.us/category/articles
Clients have relied on Dorsey since 1912 as a valued business partner. With more than 650 lawyers in 19 locations in the United States, Canada, Europe and Asia-Pacific region, Dorsey provides an integrated, proactive approach to its clients’ legal and business needs. Dorsey represents a number of the world’s most successful Fortune 500 companies from a variety of disciplines, including leaders in the financial services, investment banking, life sciences, securities, technology and energy sectors, as well as nonprofit and government entities.
For additional information, visit: http://www.dorsey.com