Editor: How do you see electronic data security issues percolating through business-related litigation?
Vernick: Business-related litigation covers a wide range of disputes; for example, the protection of trade secrets and other intellectual property, technology service agreements, securities, antitrust, mergers and acquisition transactions, government contracts, commercial lending, unfair competition, minority shareholder rights and employment issues.
In these cases, the impact of technology's evolution (if not, revolution) is readily apparent. Issues of electronic data security permeate most, if not all, market sectors. Virtually, every commercial enterprise confronts issues of electronic data security if for no other reason than for the purposes of protecting their own proprietary information, as well as discovering evidence in the investigation of civil disputes or criminal matters. The recent litigation initiated by Korn/Ferry International underscores the prevalence of data security issues.
Editor: Why is data security increasingly important in today's global economy?
Vernick: Regardless of the market sector, today our economy is primarily service and information driven. As such, the engine of this economy is electronic communications and computing technologies. Data security is vital to the functioning of the electronic marketplace.
For example, the need for data security is self-evident in consumer transactions processed over the Internet. Customers want to be sure that their financial information and other personal information will be used only for authorized purposes. They need to feel secure that they will not be harmed by identity theft or other forms of fraud.
Similarly, the handling of medical information is another highly visible area in which data security is of critical importance. From a federal and state legislative perspective, the goal is to provide ease of access while at the same time ensuring the confidentiality of sensitive data.
Editor: What sources of electronic data loss present the greatest threats to corporate America?
Vernick: Hacking or infiltrating into web browsers, servers or routers undermines the basic building blocks of communications and computing systems. Companies need to address the vulnerabilities that exist from both internal and external sources. For example, when a vendor proposes to add software to a system, a company needs to take reasonable steps to ensure that the new software does not create unintended access points, perform unwanted functions or store information in undisclosed databases.
Companies also need to stay current on the flourishing (not to mention, ever evolving) business of cyber crime. A currently popular scam is called "phishing." When "phishing," fraudsters make internet users believe that they are receiving e-mail from a trusted source when, in fact, the fraudster is "phishing" for the recipient's personally identifiable information. A variation of "phishing," "pharming" attacks servers by redirecting traffic to a bogus website that looks like a legitimate one. Believing the bogus site to be safe, potential victims are unaware of the nefarious nature of the site's requests for personally identifiable information.
Open to everyone, the internet is owned by no one. Users have to rely on the providers of the routers, servers and other constituent components of the Internet to establish the appropriate mechanisms needed for effective data security.
Editor: What steps can a corporation take to prevent losses of electronic data?
Vernick: Too often, vulnerabilities are addressed after fraud or other misappropriation of electronic data has occurred. The encryption of sensitive data is quickly becoming an industry standard. Another approach that is being considered is to reduce or eliminate reliance on name, address, social security numbers, mother's maiden name and other personal identifiers that are all too easily obtained and misused. Biometrics and similar safeguards are also receiving increased attention.
Companies can tackle the challenge of preventing losses of electronic data by taking a comprehensive risk management approach. A key step in this process is doing a forensic review of the company's computing and communications systems, including an assessment of the vulnerability of the systems' access points.
Monitoring systems are needed to identify irregular and suspicious behavior. A continuous review of the numerous ways in which security breaches occur accelerates identifying system compromises.
Companies need to have plans in place for responding to breaches of electronic data security. Putting to one side the spate of federal legislative proposals, an increasing number of states require notification and other protections be made available to people whose individual data may have been compromised by unauthorized access to their personally identifiable information. Response plans should include an effective strategy for addressing the media as news of a security breach becomes public.
Editor: How are issues of electronic data security being addressed by state governments?
Vernick: California led the way in 2003 with a law requiring companies doing business in California to notify state residents of electronic data security breaches and unauthorized access to their personally identifiable information. The number of states following California's lead continues to grow, with some significant variations. North Dakota expanded California's definition of protected information to include items like date of birth, mother's maiden name, an identification number assigned by an individual's employer and electronic signature. Florida's new notification law sets minimum prison terms for fraudulent use of personally identifiable information. Indiana enacted legislation prohibiting disclosure of social security numbers by state agencies, except under limited circumstances. As well as requiring businesses to report breach of computer security, Montana's Security Breach Notification Law requires consumer reporting agencies to block information that results from identity theft.
Most states require notification to be made in the "most expedient time possible" and "without unreasonable delay" unless a law enforcement agency determines that the notification would impede a criminal investigation. Florida requires, however, that notification be given within 45 days after discovery of the breach. Connecticut requires notification within 15 days of the discovery. Illinois does not have the law enforcement exemption. Nevada's broad Security Breach notification Law enhances penalties for crimes involving personal information that are committed against older persons and vulnerable persons.
Notification requirements are imposed by other governing authorities as well. New York City has adopted a notification law that covers companies licensed or supervised by the city's Department of Consumer Affairs. In Ohio, a suit was recently filed by the attorney general against a company that failed to notify consumers of a computer security breach under the state's Consumer Sales Practices Act, even though Ohio does not have a breach notification law.
Editor: What federal legislation is pending to help thwart theft of electronic data?
Vernick: Several bills have been proposed by Congress as lawmakers debate the need for federal legislation in this area. As we speak, at least four bills are pending before the U.S. House of Representatives and four before the U.S. Senate, the most notable of which is the Spector-Leahy bill. Active debate of these bills is anticipated later this year. Debate will focus on such issues as the extent to which the federal law will preempt conflicting state laws, the standard that should apply for determining when and to whom notification of an electronic security breach needs to be given, and the penalties to impose when the required notification is not provided.
This summer the Federal Trade Commission promulgated a new rule requiring businesses to properly dispose of and destroy sensitive consumer data such as names, addresses and social security numbers. The rule is one of the several new requirements to combat identity theft required by the Fair and Accurate Credit Transactions Act (FACT Act), enacted in December 2003. Filling in gaps left by the Gramm-Leach-Bliley Act, the new rule requires companies to take reasonable measures to protect against unauthorized access to, or use of, personally identifiable information in connection with its disposal. For example, credit report information must be burned, pulverized or shredded, and electronic files must be destroyed or erased, so that the information cannot be read or reconstructed. In addition, companies must exercise due diligence when hiring a vendor to dispose of personally identifiable information.
Editor: How do American and European approaches to electronic data security differ?
Vernick: Identity theft occurs less often in Europe because the key piece of personally identifying information is a national ID number that is used in far fewer places than a social security number is used in the U.S. Another reason is that European laws that prohibit businesses from sharing and selling private data are much stricter than in the U.S. For example, companies are prohibited from creating or selling databases of an individual's former address(es) and telephone number. In addition, a slower process for establishing credit makes it more difficult for fraudsters in Europe to open new accounts in an unsuspecting victim's name.
Editor: Do you anticipate that forensic computer work will continue to be a fertile area in the discovery context?
Vernick: Yes. With cases like the highly publicized Arthur Andersen litigation and more recently the Morgan Stanley case turning on electronic discovery issues, we can anticipate continued attention to forensic computer work.
Companies need to plan for intense scrutiny of their document retention policies. The policies need to specify the period of time for retaining documents in the ordinary course of business and must comply with legislative, regulatory and judicial requirements. Equally important are the instructions given for suspending the designated period in the event of pending or threatened litigation.
As the judiciary's and litigators' experience with electronic evidence grows, I expect that we will see a party's demand for access to electronic data balanced against the cost, inconvenience and other burdens imposed on the other party of retaining, retrieving and putting the information into an understandable form.
Published September 1, 2005.
