Just as Dorothy and her companions feared encountering the risks of lions, tigers and bears on their journey down the yellow brick road to Oz, privacy, privilege and security risks are all around in the information technology age. In his State of the Union address, President Obama announced a cybersecurity executive order to strengthen the security of the nation’s information infrastructure. January 28 was “Data Privacy Day.” Recent security breaches such as the one affecting South Carolina have been in the news. Privacy and data security lawsuits are on the rise. Technology-based risk management is part of the new normal. In assessing technology-based risks, privacy, privilege and security are prime areas.

Privacy – Most businesses have websites, and many of them collect personal information and other data through the site. In assessing risk, one of the first questions to ask is – does your privacy policy reflect what is actually happening? Does the policy describe the information collected and how it is actually used? Are the security measures in place accurately described in the policy? The Federal Trade Commission (FTC) has steadily increased the number of enforcement actions for privacy violations. One area of particular interest to the FTC is whether the user can easily locate the website’s or mobile application’s privacy policy and whether that policy accurately reflects actual practices. The FTC released its final privacy framework in March 2012. Does your privacy policy comply with current laws? Some states, such as Massachusetts, have data protection laws that are stricter than others. For example, Massachusetts’ top court ruled, in a decision released March 11, 2013, that consumers whose ZIP codes are retained by retailers in the state can sue for violations of state privacy law.

Privilege – The attorney-client privilege is one of the oldest recognized privileges and protects confidential communications between an attorney and client that are made for the purpose of facilitating the rendering of legal advice. One critical element of establishing the privilege is maintaining the communication’s confidentiality. But with today’s technology, a number of third parties may have access to the client’s (or the attorney’s) computers, mobile devices and data. Is the confidentiality of the communication lost if a third party has access to the otherwise privileged letter, report or e-mail? Does it matter that the e-mail is stored in “the cloud,” or that a third-party service provider claims to own the data it stores? Is confidentiality lost if the e-mail is inadvertently sent to an unintended recipient? Does an employee have an expectation of privacy when, despite a company policy, the employee communicates with her personal attorney on a company-provided laptop about her personal legal issues? Does it matter if the employee used her company e-mail account, or a web-based e-mail account for which she alone has the password? These are just some of the questions being raised today, and the answers often depend on the specific facts presented.

Security – At a conference last year, FBI Director Mueller said, “There are only two types of companies: Those that have been hacked and those that will be.” Is your security for sensitive data sufficient? There is some protection for liability in the event of a misuse of data or a security breach if at least “commercially reasonable” security procedures are in place. If you have such information, which could be as simple as employee personal information, do you have a procedure in place to deal with a data breach? There are numerous notifications and other requirements under state laws. Is insurance available to aid in covering expenses of a breach?

These are just some of the areas which should be regularly reviewed to minimize risks in the technology age.