With the advent of faster hardware, smarter software and cheaper storage, more and more companies are creating a new category of intellectual property — the data collection. Data collection, both online and offline, has soared in the past decade. The global market for database software and services was estimated at $9 billion in 2001. With the swipe of a member card, consumers receive discounts on their purchases while retailers download information about the purchasing habits of their customers. With a few taps on the keyboard, consumers using the Internet input information about themselves or are simply tracked electronically, in each case adding information to a Web site’s already bulging data collections.

And the technology continues to evolve at an extremely rapid pace. IBM and others are promising delivery this year of new software designed to create a “virtual” database by linking existing, incompatible data systems so that information can be retrieved in an organized fashion, all at once, from disparate, physically separate data sources. The new software reportedly will issue a single query across different databases and consolidate the results in one report to the user, all at a fraction of the cost of the current method of data warehousing, in which large groups of data are transferred to a single system to create one extensive database.

Yet before companies create and link larger and more comprehensive databases, some attention should be given to the emerging issues and liabilities surrounding data collections. Not surprisingly, with better, faster, cheaper technology come greater consequences.

NOT ALL THAT GLIMMERS IS GOLD

In addition to creating, accessing and storing data collections, companies also must secure them from unauthorized access. Failure to do so can be, at a minimum, a public relations nightmare and, at worst, grounds for liability. Recent security mishaps underscore the seriousness of security breaches.
According to one recent report [FOOTNOTE 1], Carmichael Lynch, a public relations and advertising firm, inadvertently published its administration password on its Web site. The slip-up apparently went undetected by the company for more than six months. During that time, unauthorized visitors using the password could have accessed databases belonging to Porsche and American Standard, two of Carmichael Lynch’s largest clients. One such database contained names, addresses and vehicle information on approximately 75,000 luxury car and SUV owners. Another database contained e-mail addresses and passwords for almost 12,000 people who had registered on the American Standard Web site.

Publishing giant Ziff-Davis Media Inc. is also reported to have had security woes. [FOOTNOTE 2] Ziff-Davis, following a security lapse that exposed the personal data of thousands of subscribers, entered into an agreement with the attorneys general of the states of New York, California and Vermont. The media company agreed to pay $100,000 to the New York State Department of Law and $500 each to 50 or so customers whose credit card information had been disclosed.

Not to be outdone, a recent security glitch on Tower Records’ Web site exposed data on millions of U.S. and U.K. customers. The exposed data included sensitive information such as home and e-mail addresses, phone numbers and information regarding video and music purchases dating back to 1996. [FOOTNOTE 3] It is estimated that more than three million such customer records were exposed. The security glitch on the Web site was the result of a programming error that had existed for an unknown length of time.

Proving that no entity is immune from security headaches, the American Civil Liberties Union (ACLU), in January 2003, agreed to pay New York State $10,000 in connection with a security breach. For a three-month period, sensitive, personal information on about 90 or so consumers could be accessed from the ACLU Web site as a result of a security breach caused by a third-party vendor.

In yet another heavily publicized incident, hackers on April 5, 2002, broke into the payroll database for the State of California. The database contained personal information on the state’s 265,000 employees, including names, home addresses, Social Security numbers and bank account information. The security breach went undetected for more than a month and unreported to state employees for another two weeks. Testimony at an informational hearing held by the Senate Committee on Privacy revealed that during the time in question, unauthorized persons in Germany attempted to access a state worker’s bank account and someone attempted to change the address on another worker’s credit card account. Voters in California took matters in hand and, on Sept. 26, 2002, passed a bill mandating that companies and agencies publicly disclose any computer security breaches that implicated personal information. That law is scheduled to take effect on July 1, 2003.

TRUTH OR DARE

The California law, known as SB 1386, is the first state law of its kind. It requires not just state agencies to disclose security breaches, but “any person or business that conducts business in California.” Starting in July, any company doing business in California must disclose a security breach to each affected resident in California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The law recognizes a safe harbor for encrypted data.
As defined in SB 1386, personal information means an individual’s first name or initial and last name in combination with one or more of the following “data elements,” where either the name or the data element(s) is not encrypted:

• social security number,
• driver’s license number or California ID number, or
• account number, debit or credit number in combination with any required security code, access code or password that would permit access to a person’s financial account.

By definition, encrypted data does not qualify as personal information. Merrill Lynch, hoping to take advantage of the safe harbor, requested that implementation of the bill be delayed until July 1, 2003, to allow the company enough time to deploy encryption systems for its financial data.

The law is intended to help consumers protect against identity theft and credit card fraud by requiring companies and state agencies to quickly disclose any breach in the security of a data system when the information that has been hacked is personal and not encrypted. Recognizing that victims of identity theft must act quickly to minimize damage, the law requires that notice be made “in the most expedient time possible” and “without unreasonable delay.” The need for speed is tempered by the requirements of law enforcement. The California law requires that any disclosure of the security breach be “consistent with the legitimate needs of law enforcement” and with the time necessary to restore “reasonable integrity” to the affected data system. Failure to provide prompt notice may expose a company to a suit for damages; SB 1386 provides that consumers who have been injured by a violation of the law may bring a civil action for damages.

The law creates an interesting conundrum for multi-state enterprises. In the unfortunate event of a security breach, should a company notify just its California customers? Probably not.
Other questions under the law are sure to arise as companies grapple with law enforcement demands and the meaning of “reasonable belief” that personal information has been acquired without authorization. Implicit in the law is the idea that companies will employ security measures that prevent, detect and monitor intrusions. What of those companies doing business in California that have little to no security measures in place? They should be counseled on the unspoken requirements for such measures under the new law. Law firms too may want to review their data practices in the wake of SB 1386.

Proponents of the law applaud the measure, arguing that disclosure will enable consumers to protect themselves from identity theft, one of the fastest growing crimes in the majority of states. Others believe that the law will have the salutary effect of pushing companies and agencies to pay more attention to security issues. After all, an ounce of prevention is worth a pound of cure. Critics lament the measure, predicting that it will unleash a torrent of litigation from injured customers and disgruntled shareholders.

The concern over lawsuits may explain in part the secrecy surrounding security breaches. Companies are reluctant to share information about security breaches, hushing up the incidents and making it difficult for law enforcement and others to gauge the nation’s technical vulnerabilities. In response, Congress added a provision to the Homeland Security Bill allowing companies to share information about security breaches with the government without concern that the information will be publicly disclosed.

HUSH LITTLE BABY

The Homeland Security Act of 2002, like SB 1386, was prompted by the need for more information about security breaches and electronic vulnerabilities. The Homeland Security Act, however, is vastly different, mirroring its focus on combating terrorism rather than protecting consumers.
Unlike the California law, disclosure of information relating to the security of computer systems under the Homeland Security Act is voluntary. Moreover, such voluntarily shared information is exempt from the public disclosure requirements of the Freedom of Information Act. In fact, officers or employees of the government who knowingly disclose voluntarily shared information in violation of the act shall (not may) be fined or imprisoned for a year, and fired from their position. The act specifically states that no private right of action is created under the information sharing provisions.

Disclosure under the Critical Infrastructure Information Act of 2002 (as the subtitle on information sharing is named) does not insulate a company from further disclosure to the government. Voluntary compliance with the act is not treated as compliance with any other reporting requirement of a federal agency. Thus, companies must still contend with law enforcement’s increased surveillance powers under the USA Patriot Act, and databases appear to be a favored target.

SHARING WITH THE GOVERNMENT

Not all cooperation with the government is voluntary. Recent developments, including the decision of the Foreign Intelligence Surveillance Court of Review, have greatly expanded the ability of law enforcement agencies to obtain information. In one heavily publicized instance, the Professional Association of Diving Instructors turned over its entire list of certified divers worldwide in response to a federal agency’s request for its entire database. When pressed, the association defended its actions, explaining that it voluntarily turned over the list to avoid an FBI subpoena that would have required the association to disclose even more information. [FOOTNOTE 4]

The trend towards greater and greater disclosure to the government is perhaps best captured by the proposed Total Information Awareness (TIA) program spearheaded by Adm. John Poindexter.
According to a description of the program on the Web site, www.darpa.mil/iao/TIASystems.htm, one of its points of focus will be developing novel ways for populating its large-scale counter-terrorism database from existing databases. While the reference conceivably is to existing government databases, the lack of specificity certainly implicates private databases as well. Companies creating data collections are apt to get caught in the middle, between government surveillance on one hand and irate customers whose data is disclosed on the other.

Privacy issues, long the concern of vocal Internet privacy groups, are once again gaining momentum. The ACLU recently issued its own report, entitled “Bigger Monster, Weaker Chains: The Growth of an American Surveillance Society,” by Jay Stanley and Barry Steinhardt of the ACLU Technology and Liberty Program. The report paints a stark vision of America’s evolution into a culture of continual surveillance by government and businesses. According to the authors, no menial task is too small to be captured, no database too large to be effectively mined.

Caught between the threat of unauthorized access by hackers and unwanted disclosure to law enforcement, companies must view their latest category of intellectual property, the data collection, critically. Unlike other forms of intellectual property, the data collection comes with its own set of instant problems.

Elaine M. Laflamme is a partner and head of the intellectual property practice in the New York office of Akin Gump Strauss Hauer & Feld (www.akingump.com).

FOOTNOTES

FN1 Wired News, “Help Wanted: Steal This Database,” by Brian McWilliams, Jan. 6, 2003, at http://wired.com/news/infostructure/0,1377,57066,00.html.
FN2 Wired News, “Help Wanted: Steal This Database,” by Brian McWilliams, Jan. 6, 2003, at http://wired.com/news/infostructure/0,1377,57066,00.html.
FN3 ZDNet UK, “Tower Records exposes customer data,” by Declan McCullagh, Dec. 6, 2002, at http://news.zdnet.co.uk/story/0,,t295-s2127128,00.html.
FN4 ZDNet, “E-terrorism: Liberty vs. security,” by John Borland and Lisa M. Brown, Aug. 27, 2002, at http://zdnet.com.com/2102-1023-966311.html.