Sunday, October 18, 2009

H.R. 2221: Data Accountability and Trust Act

The House text of the Federal legislation that would require data safeguards, including email encryption, for businesses and law firms is now out. What kind of teeth does the proposed data and email privacy act have? Here’s your answer, taken from the bill’s civil penalty provisions:

(i) TREATMENT OF VIOLATIONS OF SECTION 2- For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each day that a person is not in compliance with the requirements of such section shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

(ii) TREATMENT OF VIOLATIONS OF SECTION 3- For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

That’s teeth!

View full text of bill at: http://www.govtrack.us/congress/billtext.xpd?bill=h111-2221

Monday, October 5, 2009

Details Emerge on Federal Email Privacy Legislation

Catherine McCullough, principal of Meadowbrook Strategic Government Relations, a D.C. lobbying firm, guest-blogs for CommLawBlog.com on the language of two online privacy bills being drafted in the US House. The legislation will affect how online information is emailed, gathered, and stored.

“The first is being written by Rep. Rick Boucher (D-VA-9th), Chairman of the Energy and Commerce Subcommittee on Communications, Technology and the Internet, one of two House subcommittees with jurisdiction over the issue. Boucher reportedly is working with his Republican counterpart, Cliff Stearns (R-FL-6th), on language that would . . . prohibit the collection of sensitive personal information unless the consumer expressly agreed to such collection by affirmatively ‘opting in.’”

Because personal information is often harvested from email traffic, McCullough goes on to describe the subcommittee’s focus on email privacy safeguards in a second bill.

"The second bill has been introduced by Rep. Bobby Rush (D-IL-1st), Chairman of Energy and Commerce’s Subcommittee on Commerce, Trade and Consumer Protection – the other House subcommittee of jurisdiction. Rush’s bill, H.R. 2221, would require the Federal Trade Commission (FTC) to promulgate regulations to secure computerized data containing personal information. (See the subcommittee hearing on the bill here.) It would be no surprise if the two subcommittees’ bills were to be merged into one piece of legislation regulating online privacy.”

Legislative changes in Massachusetts and Nevada may offer a guide to changes at the Federal level. Both states require businesses to encrypt personal information they transmit electronically, which includes sending it by email. The requirements in those states take effect in January 2010.

Wednesday, August 12, 2009

Can an email address send the wrong impression to clients?

Carolyn Elefant asks in a recent blog post: can an e-mail address make a negative impression? The question appears to be about more than professional polish. She goes on to write:

Used to be that lawyers worried about the cachet that their physical mail address would convey. For example, here in the D.C. area, a "K" Street or Pennsylvania Avenue address carries white-shoe prestige while an address on 5th Street near the D.C. Superior Courthouse suggests a practicing criminal lawyer or consumer-oriented practice.

But in an Internet age, does a lawyer's e-mail address matter just as much? Doug Cornelius of Compliance Building initiated a recent discussion of the matter with this tweet:

Esquire's Rule #1033. If your lawyer's email address ends in hotmail.com, gmail.com or yahoo.com (or aol.com), find a new lawyer.

Cornelius didn't elaborate on the point (after all, he only had 140 characters), but I suppose that Hotmail, Yahoo or Gmail addresses suggest that a lawyer is too cheap or lacking in tech savvy to set up an e-mail account on his own firm's server. In addition, some have raised privacy concerns about Gmail, which would presumably apply to the other services as well. Questions about the confidentiality of a firm's e-mail might be another reason for a client to avoid a lawyer using one of these services.

Wednesday, May 6, 2009

Email Privacy Targeted by Boucher House Subcommittee

The US Congress is shining a light on the extent to which email can now be read by outside third parties.

“The thought that a network operator could track a user’s every move on the internet, record the details of every search and read every email or attached document is alarming,” according to Virginia Congressional Democrat Rick Boucher in his opening remarks before the subcommittee he now chairs, the House Subcommittee on Communications, Technology and the Internet.

In a hearing on April 23rd, Boucher said he was directing his subcommittee to write an online privacy law this year. Clearly from Boucher’s remarks the new law will involve email privacy. Nevada and Massachusetts are the first states to require businesses to use encrypted email when exchanging personal client information. California has also introduced privacy legislation requiring data breaches, including misdirected emails containing personal client data, to be reported to Jerry Brown, the State’s Attorney General. It now appears that within the year a Federal law will also require personal data to be locked down both when stored and when emailed. This may change the game for law firms that rely on attorney-client privilege.

For lawyers, the real question remains whether email will retain its legal mantle of a reasonable expectation of privacy, the legal standard that sets the bar for attorney-client privilege. If email loses its legal claim to a reasonable expectation of privacy, law firms will need to seek alternatives. That’s likely to be either encryption or paper. Email’s privacy status has already been challenged in cases such as the 1996 case of Michael A. Smyth v. The Pillsbury Company, in which company email was held not to offer a reasonable expectation of privacy.

ABA best practices also hinge on whether email offers a reasonable expectation of privacy. If Boucher’s committee stays on track, the extent to which these new laws impact ABA best practices may be felt within the year.

Web solutions for the legal industry include services such as the Lawdex Secure Document Exchange of which I’m a founder.

Tuesday, February 3, 2009

California Online Privacy Bill

California may soon toughen its online privacy laws. Introduced December 1, 2008, California Senate Bill 20 would amend the privacy statutes at Sections 1798.29 and 1798.82 of the California Civil Code. The amendment, introduced by Senator Joe Simitian, requires notification to the California Attorney General’s Office of breaches involving unencrypted personal data. http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_introduced.pdf

The legislation would affect the way firms store and send information over the web. Curiously, recent changes in the law in Nevada and Massachusetts may already have a bigger impact on Californians than their own state law.

According to Charlene Brownlee in her Privacy and Security Law blog: “Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information. (NRS 597.970)” Brownlee notes, “Companies operating nationally should consider whether their existing policies and procedures regarding transmission of customer personal information comply with this new law.”

In his published account, the Wall Street Journal’s Ben Worthen digs into the new email privacy and data security laws enacted in Nevada and Massachusetts this past year. Worthen draws insight from experts in the field:

“The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent.” -- Miriam Wugmeister, attorney with Morrison & Foerster LLP.

"We do business in all 50 states so we're definitely reviewing it." -- Andrew Speirs, information security officer for National Life Group, an insurer based in Montpelier, Vt.

"It's a burden, but it's something you have to do." -- Karen Grant, Chief Privacy Officer for Boston-based Partners HealthCare System Inc., commenting on the $100,000 price tag for complying with the new law.

"Breach-notification laws deal with what happens after the horse leaves the barn. [The new regulation] is intended to prevent the horse from getting out of the barn in the first place." -- Daniel Crane, Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation.

As for my own firm’s privacy solution, I’m told by Whittier Law Professor Denny Haythorn that “Lawyers should be breaking down your website to use it.” That solution can be viewed for free through the Los Angeles County Bar Association at https://sdx.lawdex.com/partners/lacba/ .