Here in the 21st century, we in-house lawyers work in a virtual business world made up of electronic data: e-commerce, electronic records, social media sites, hacking, file sharing, e-discovery, etc. Rows of storage racks in data centers and miles of fiber-optic cables are our new frontiers, not the wide-open plains of the Old West or the humming smokestacked factories of the post-World War II era. At the same time that we have sailed into this unexplored ocean of electronic data, governments in America and abroad have submersed companies in regulations to a depth heretofore unfathomed.
Companies are generating and storing electronic data, transmitting data, or accessing and processing data from somewhere else, 24 hours a day. Data may be your company’s business, or your company may outsource the management of its internal data to other companies. Or both. The electronic data that your company touches may contain many different types of information. Data may be proprietary to your company, or it may be deemed proprietary by someone else and accessed by your company for a fee. Data may be copyrighted. Even if it has no intellectual property value, data may nevertheless be protected by law. These laws are meant to protect the privacy of individuals, by imposing duties on companies to safeguard data and not use it without authorization. Data protection laws can impose heavy monetary penalties and some provide standing for private lawsuits. Your company cannot contractually waive its way out of liability under these laws. In fact, the laws often require your company’s contracts to extend the law’s reach to others.
Trying to figure out how to protect your company from liability for electronic data can be daunting. Dealing with electronic data is especially difficult because often it is not obvious what information is contained in the data, where the data comes from, whether your company takes possession of a copy or who in your company will have access to it.
I have worked as a lawyer in the IT and telecommunications industries for a number of years. Safeguarding electronic data and controlling access to it are not impossible tasks, but they are difficult. Safeguards and controls can be compromised by the amount of human involvement in managing data and by the numerous handoffs of data from provider to provider during transmission: backups, hot swaps, physical access, network caching and routing and disaster recovery. And add to these variables the use of third-party contractors, which affects them all. Whenever an in-house lawyer is assessing legal liabilities associated with electronic data, the assumption must be made that the data poses significant risks. Electronic data is hot stuff.
In my current job, I work for a company that provides information technology and professional services to hospitals and physician groups. Healthcare-related electronic data is governed by the Health Insurance Portability and Accountability Act (HIPAA). Within the HIPAA regulations, there is an often overlooked concept called “minimum necessary,” which says that electronic data should only be used to satisfy a particular purpose or carry out a function.
I would take the minimum necessary standard one step further: Avoid the risks of using electronic data as much as possible.
On its face, the statement sounds a little absurd and something like the sentiment of an anti-technologist. How can a company avoid data? And anyway, isn’t more data better for business?
What I am suggesting is a well-established risk management technique (avoidance) that in-house lawyers can practice as part of an overall corporate electronic data risk management strategy. Such a strategy also would include mitigation of risk using technological and administrative tools including, but not limited to: encryption technology, documented security policies and training, monitoring and auditing. The company would mitigate some electronic data risks and avoid others, with avoidance including the elimination of the data itself.
Avoiding the risks of electronic data starts with asking questions such as the following:
- What information is contained in the data? Can unneeded data be stripped out?
- Is our company creating the data? If the data isn’t originating with us, what is its source?
- What is the commercial or operational value of the data to our company? If the data comes from another source, does the source make proprietary claims in it? Do we know of any third-party claims?
- Does our company need to take possession of the data, i.e., download it to our systems? Can we access it on a query basis from another system?
- If our company is downloading the data, how long do we need to keep it?
- Who in our company needs access to the data and why?
I am required to take two opposing views of electronic data in my job. When my company is providing professional services, the consultants work on site at hospitals. For these transactions, I point out to customers during negotiation that our consultants will only be accessing data using the hospital’s own systems and that access is almost exclusively within the control of the hospital. For some consulting projects, after asking the right questions, I find out that the consultants can do their work using dummy data and don’t need to see real patient data.
When providing cloud computing services, on the other hand, my company is asking the hospital to entrust it with its electronic data. Still, I’m looking for ways to minimize our touching of data. For one of our managed service products, I discovered that while we install the hospital’s copy of a well-known hospital software product at our data center, the hospital is solely responsible for uploading patient and hospital administrative data to our data center and that we have no access to the data other than backup. There is nothing wrong with my pointing out the limits of our service for the purpose of minimizing our exposure to data, as long as my point is in line with the service’s standard terms.
Minimizing physical and virtual exposure to electronic data is a direct and effective technique for reducing potential liability that in-house lawyers can employ without needing a computer engineering degree. A word of caution, though: Telling people that they can’t have data at their fingertips goes against the cultural flow. Our collective appetite for electronic data is insatiable. Congress running away from their own online piracy bills because Google and Wikipedia shut their online doors for a day is a testament to the power of data in the 21st century.