Monday, November 24, 2008

The Reality of Data Breaches

In 2008 alone, over 270 data breaches were recorded by the Privacy Rights Clearinghouse. These data breaches spanned a wide variety of organizations: universities, banks, government agencies, department stores, and more. No industry has been spared as new breaches continue to occur on a daily basis. Data breaches have become so widespread that many states have passed legislation addressing the confidentiality of personal information. There are many different causes of these security violations. Data breaches occur due to theft of laptops, USB drives, back-up tapes, and other media used to store data away from an organization’s servers. They can occur due to inadequate disposal of items containing sensitive data (e.g. files recycled as scrap paper). Employees give away their user IDs and passwords to hackers masquerading as support techs. Misuse of data by employees, ranging from inappropriate access to actual corporate espionage, has also contributed to data losses.

In general, data breaches are primarily attributed to human error rather than to the technology. An organization’s policies and procedures should clearly inform employees of the proper handling of data. Providing instruction and training to employees on best practices is also necessary. An effective auditing and monitoring program, as well as consistent enforcement of that program, are also required components of an effective security approach. Technology solutions can help, but cannot replace, a comprehensive program to protect an organization’s information assets.

Friday, November 14, 2008

The Stored Communications Act may affect your ability to view your employees’ text messages

The Stored Communications Act, 18 U.S.C. § 2701 – 2711, generally prevents providers of communications services from divulging private communications to certain individuals or entities. On its face, then, the Act prohibits companies from accessing text messages sent by their employees if, as many companies do, they use third-party messaging services. (The result may be different if the company uses its own equipment for messaging.)

The Act contains two notable exceptions. If the service provider is an “electronic communications service,” or ECS, the provider can release communications with the consent of the originator, an addressee, or an intended recipient of the communication. If the service provider qualifies as a “remote computing service,” or RCS, the provider can release communications with the consent of the subscriber, i.e. the company hiring the provider to provide a text messaging service, as well as the other parties.

So, how are an ECS and an RCS defined? The Act defines an ECS as "any service which provides to users thereof the ability to send or receive wire or electronic communications." An RCS is defined as "the provision to the public of computer storage or processing services by means of an electronic communications system."

This distinction can be important if your policies aren’t up to date. If your provider is an RCS, you can request communications from the service provider as a “subscriber.” However, if your provider is considered an ECS, you’ll need consent of the originator or addressees to see the content. Even where you have policies stating your right to monitor all communications, and informing your employees that those communications are not confidential, that may not be enough.

In Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), the city of Ontario, California had those policies in place. The city had provided text messaging equipment to many employees, including police officers, for use in city business. The city wanted to access certain text messages of police officers who were over their quota of text messages to determine whether the officers were texting for public or personal reasons. (Of course, it didn’t help that one of the lieutenants of the police department treated the messages as personal to the officers by telling the officers that if the officers didn’t want the department to read the messages, the officers should pay fees for exceeding the monthly limit.) The court didn’t even consider whether the policies constituted consent on the part of the officers – by turning over the messages to the city, the court found that the service provider had violated the Act, as the provider was found to be an ECS.

The lesson is that you should get your employees to explicitly give their consent to a service provider to allow your company to access their text messages (or other electronic communications). Since most companies require their employees to sign for company-provided equipment (such as mobile devices or laptops), this consent can be incorporated into that process. In addition, the consent should be clearly explained to them. (And your managers should be warned of the consequences of making exceptions!) Don’t try to figure out whether your provider is an ECS or an RCS – the courts haven’t consistently defined what that means. It may not be a bulletproof defense – a court might hold that employees have to give their consent for specific messages – but at least you’ll have a fighting chance.

Tuesday, November 4, 2008

A Legal Hold doesn’t mean hold everything

A common reaction of companies faced with an e-discovery request is to hold, or preserve, everything. While this is a better reaction than doing nothing, it usually stems from fear or ignorance. The fear is that if the company doesn’t hold everything, it will be sanctioned if it can’t produce information responsive to the plaintiff’s requests. The ignorance stems from the company’s knowledge (or lack thereof) of the electronic information it has (or doesn’t have).

Kahn Consulting explains why you don’t have to hold everything in this article.