Recent news reports have revealed a widespread program of U.S. government interception, monitoring, and intrusion into seemingly secure online data storage sites and data streams. The fact that such interceptions and intrusions are occurring, apparently on a regular and ongoing basis, and the fact that they are taking place beyond the scope of legal authority granted by judicial authorities, has serious implications for the legal responsibilities and potential liabilities of American businesses.
Almost every commercial entity, from relatively small businesses to large corporations, has information that it considers confidential, known by and distributed to a relatively small group of people, such as corporate executives. This includes information concerning the entity's future business plans and its finances.
In addition, companies often possess confidential information from others that has come into their possession during routine business transactions. This might include credit card numbers and bank account information from customers, or other personal identification information, such as the names, addresses, and ages of customers and other third parties, as well as user names and passwords. Law firms, of course, possess a variety of confidential information that they have acquired during their representation of individual and corporate clients.
The laws that govern the protection of such information are well known. For example, the Gramm-Leach-Bliley Act specifies privacy standards for financial institutions, and HIPAA sets forth privacy requirements for personal health information applicable to medical service providers and others. There are also relevant state laws, such as the California Financial Information Privacy Act. In addition, there are international obligations, such as those in the EU Privacy Directive, with which U.S. companies can comply through their adherence to the so-called "safe harbor" provisions agreed upon between the U.S. and the EU.
Each of these legal requirements has exceptions for requests by law enforcement agencies pursuant to normal legal processes, whether pursuant to judicial oversight, administrative procedure or otherwise. However, none of them provides an exception for extra-legal, or illegal, actions by the government to gain access to such private and confidential data.
For example, the Article 29 Working Group, the EU's official data protection advisory group, has stated that the Safe Harbor Principles allow companies to deviate "to the extent necessary" for national security reasons. However, the Working Group has expressed doubts whether the seemingly large-scale broad surveillance of personal data that has emerged on the part of the U.S. government can still be considered an exception that is strictly limited to the "extent necessary."
Lawyers also are concerned about the implications of this pervasive eavesdropping upon their ability to satisfy their ethical obligations of confidentiality. For example, in Virginia, one lawyer has requested the following legal ethics opinion from the Virginia State Bar:
Knowing the federal government apparently routinely intercepts and monitors all electronic communications in any form, may a lawyer communicate with his or her client by telephone, electronic mail, or video conference without violating Rule 1.6 of the Virginia Rules of Professional Responsibility [concerning a lawyer's obligation to preserve a client's confidences]? Further, knowing that efforts to encrypt or otherwise secure transmitted or stored data are likely to be ineffective, may a lawyer use online data storage, or "cloud storage" facilities without violating Rule 1.6?
These two examples frame the question exceedingly well, and it is this: How can a U.S. entity comply with its own domestic legal, international, contractual, and ethical obligations concerning the privacy of confidential third-party data in its possession when it knows, or should know, that the U.S. government has an active program of extra-legal/illegal electronic/Internet surveillance in place which is capable of capturing, retaining, and analyzing such data?
This question raises policy issues that may well be beyond the power of an individual company to effectively address, particularly when the same entity (the U.S. government) that imposes many of these privacy obligations may also make it impossible to comply with them. Although the government surveillance activities place businesses and other entities in a very difficult position, those organizations can take certain actions to deal with the threat and reduce their risk of liability.
Each organization should consider whether or not the apparent surveillance activities of the U.S. government constitute actual or potential information privacy or data security breaches sufficient to require that notice of such breaches should be provided to any party. Many contractual commitments require notice in the event of an actual or perceived privacy or security breach. A variety of privacy laws in different states and countries require notice in the event of breaches. Fiduciary duties of officers and directors of businesses may require some form of disclosure to shareholders and other parties when an actual or potential breach has been identified. Businesses and all other organizations should follow their internal procedures regarding privacy and security breaches in order to determine whether they are required to provide notice to any parties as a result of the reported U.S. government surveillance and, if so, how such notice should be provided.
In response to the apparent government surveillance, all enterprises should consider enhancing their data security measures. All sensitive data in electronic form should be protected through use of strong encryption. Effective firewalls and identity authentication systems should be applied. Use of "cloud" and other shared computing systems and services should be actively monitored and managed. Access to sensitive materials through public wireless data systems should be limited. Computing and communications equipment and devices should be properly secured. All authorized users of an organization's computing and communications networks should be thoroughly trained as to security threats and requirements. Compliance with all applicable computer and communications security requirements should be incorporated as a mandatory requirement for continued employment. Particularly sensitive digital materials should be insulated from public network access.
In effect, organizations should treat the media disclosures regarding U.S. government surveillance as notice that many of their communications, transactions and data collections have been subject to unauthorized access, monitoring, surveillance, and use. They have, in short, been hacked by the U.S. government. Accordingly, all organizations should follow the procedures they have implemented for responding to breaches of information privacy and data security. The fact that the privacy and security breaches in this instance were apparently perpetrated by the U.S. government does not relieve organizations from their legal, regulatory, and ethical obligations regarding notice and remedial action.
Snowmaggedon: Will your sensitive data make the front page news?
Corporate Counsel Connect, October 2013
Edward Snowden's NSA surveillance revelations and their impact on your organization
Corporate Counsel Connect, August 2013
Cyber-insurance: An important tool to protect information technology investments
Corporate Counsel Connect, April 2013