Just as Dorothy and her companions feared encountering the risks of lions, tigers and bears on their journey down the yellow brick road to Oz, privacy, privilege and security risks are all around in the information technology age. In his State of the Union address, President Obama announced a cybersecurity executive order to strengthen the security of the nation’s information infrastructure. January 28 was “Data Privacy Day.” Recent security breaches such as the one affecting South Carolina have been in the news. Privacy and data security lawsuits are on the rise. Technology-based risk management is part of the new normal. In assessing technology-based risks, privacy, privilege and security are prime areas.
Privilege – The attorney-client privilege is one of the oldest recognized privileges and protects confidential communications between an attorney and client that are made for the purpose of facilitating the rendering legal advice. One critical element of establishing the privilege is maintaining the communication’s confidentiality. But with today’s technology, a number of third-parties may have access to the client’s (or the attorney’s) computers, mobile devices and data. Is the confidentiality of the communication lost if a third-party has access to the otherwise privileged letter, report or e-mail? Does it matter that the e-mail is stored in “the cloud,” or that a third-party service provider claims to own the data it stores? Is confidentiality lost if the e-mail is inadvertently sent to an unintended recipient? Does an employee have an expectation of privacy when, despite a company policy, the employee communicates with her personal attorney on a company-provided laptop about her personal legal issues? Does it matter if the employee used her company email account, or a web-based email account for which she alone has the password? These are just some of the questions being raised today, and the answers often depend on the specific facts presented.
Security – At a conference last year, FBI Director Mueller said, “There are only two types of companies: Those that have been hacked and those that will be.” Is your security for sensitive data sufficient? There is some protection for liability in the event of a misuse of data or a security breach if at least “commercially reasonable” security procedures are in place. If you have such information which could be as simple as employee personal information, do you have a procedure in place to deal with a data breach? There are numerous notifications and other requirements under state laws. Is insurance available to aid in covering expenses of a breach?
These are just some of the areas which should be regularly reviewed to minimize risks in the technology age.