Much of what I have been reading lately seems contradictory regarding the obligations of institutions to safeguard confidential information. And although most of this applies to financial institutions and not law firms, I can’t help but feel that eventually it will all trickle down into the definition of “reasonable care,” which will draw the bright line in the sand between “best practices” and malpractice for law firms.
First, an article by Eric Sinrod, a partner in the San Francisco office of Duane Morris LLP, appeared in Findlaw’s Modern Practice on 2/21/06. His article discussed a decision in which a court has ruled recently that a student loan company was not negligent and did not have a duty under the Gramm-Leach-Bliley statute to encrypt a customer database on a laptop computer that fell into the wrong hands. As many as 500,000 students might have been affected, but it seems thus far none have become victims of identity theft as a result.
Judge Richard Kyle granted the summary judgment motion and dismissed a student’s lawsuit. Significantly, while recognizing that Gramm-Leach-Bliley does require financial institutions to protect against unauthorized access to customer records, Judge Kyle held that the statute does not require that “any nonpublic personal information stored on a laptop computer should be encrypted.”
Next, I’ll point to an article in January 2006 in Findlaw’s Modern Practice by Anita Ramasastry, an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She reports on an FTC news release advising that data broker ChoicePoint will pay $10 million to the Commission, and $5 million to redress consumer harms caused by a large data breach — reportedly the largest civil penalty in FTC history.
According to the FTC, ChoicePoint sold records of at least 163,000 individuals to a criminal ring of identity thieves — and thereby violated federal consumer protection laws. It did so, the FTC says, by failing to maintain reasonable procedures to protect consumer data, and also by falsely advertising that it adequately shielded personal information from fraud and misuse. Thus far, ChoicePoint’s sale of personal data to thieves has caused at least 800 consumers to fall prey to identity theft.
Finally, another article in January 2006 in Findlaw’s Modern Practice by Anita Ramasastry discusses the practice of “pretexting,” whereby for around $100 an online “people locator” or “information broker” company can get you unauthorized access to almost anyone’s cell phone records. All you need to provide to the company is a credit card and the person’s cell phone number.
The information found in the article detailing how the information broker actually gets the information is fascinating, as are the various potential risks resulting from the breach of confidentiality. In short, cell phones are lifelines for people in vulnerable situations – but with “pretexting,” they can leave a trail a predator can follow — whether that be for use and abuse by spouses who suspect their partners of infidelity, criminals who may want to track down law enforcement officials, or to aid the potential assassin trying to target a political candidate.
Is “pretexting” illegal? To the layman, this seems to be a no-brainer. But at present, according to the author, the answer is not clear. Federal law does make our call records private. And making false statements to procure cell phone records can, under some circumstances, constitute federal wire fraud. But federal law does not expressly make “pretexting” — the practice of procuring these records for sale — illegal.
Now to me, there is a difference between the first news item and the second. In the first instance there was no resulting harm. (Of course, there could have been, and next time a similar theft occurs with unencrypted data on a laptop, there very well might be. And at that point there will be precedent set that reasonable measures were used without requiring encryption.) In the second instance there was significant harm caused. Hence the heavy penalties. But no measures have been spelled out as to what constitutes “best practices” to prevent a similar occurrence. In the final instance, it’s not even clear whether the law is being broken, although the potential harm is very clear.
I don’t think that law firms can sit back and wait for the smoke to clear on these issues. I have long been a proponent of many safety precautions to protect sensitive data at law firms. See, for example, my 1/30/06 post entitled Secure Critical Information Residing on Desktops and Laptops and my 2/25/06 post entitled When Private Becomes Public — Unwittingly.
If any of you would like to discuss these issues with me, or offer further clarification, I encourage you to contact me. Useful insights will be shared, with your permission, in a future post on the topic.