Sunday, October 18, 2009

H.R. 2221: Data Accountability and Trust Act

The House text of the Federal legislation requiring email encryption and data safeguards for businesses and law firms is now out. What kind of teeth does the proposed data and email privacy act have? Here’s your answer:

TREATMENT OF VIOLATIONS OF SECTION 2- For purposes of paragraph (1)(C) with regard to a violation of section 2, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each day that a person is not in compliance with the requirements of such section shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

(ii) TREATMENT OF VIOLATIONS OF SECTION 3- For purposes of paragraph (1)(C) with regard to a violation of section 3, the amount determined under this paragraph is the amount calculated by multiplying the number of violations of such section by an amount not greater than $11,000. Each failure to send notification as required under section 3 to a resident of the State shall be treated as a separate violation. The maximum civil penalty calculated under this clause shall not exceed $5,000,000.

That’s teeth!

View full text of bill at: http://www.govtrack.us/congress/billtext.xpd?bill=h111-2221

Monday, October 5, 2009

Details Emerge on Federal Email Privacy Legislation

Catherine McCullough, principal of Meadowbrook Strategic Government Relations, a D.C. lobbying firm, guest-blogs for CommLawBlog.com on the language of two online privacy bills being drafted in the US House. The legislation will affect how online information is emailed, gathered, and stored.

“The first is being written by Rep. Rick Boucher (D-VA-9th), Chairman of the Energy and Commerce Subcommittee on Communications, Technology and the Internet, one of two House subcommittees with jurisdiction over the issue. Boucher reportedly is working with his Republican counterpart, Cliff Stearns (R-FL-6th), on language that would . . . prohibit the collection of sensitive personal information unless the consumer expressly agreed to such collection by affirmatively 'opting-in.'”

Because personal information is often combed from email transfers, McCullough goes on to describe the subcommittee's focus on email privacy safeguards in a second bill.

“The second bill has been introduced by Rep. Bobby Rush (D-IL-1st), Chairman of Energy and Commerce’s Subcommittee on Commerce, Trade and Consumer Protection – the other House subcommittee of jurisdiction. Rush’s bill, H.R. 2221, would require the Federal Trade Commission (FTC) to promulgate regulations to secure computerized data containing personal information. (See the subcommittee hearing on the bill here.) It would be no surprise if the two subcommittees’ bills were to be merged into one piece of legislation regulating online privacy.”

Legislative changes in Massachusetts and Nevada may offer a guide to changes at the Federal level. Both states require businesses to encrypt their email. Legislation in those states becomes effective in January of 2010.

Wednesday, August 12, 2009

Can an email address send the wrong impression on client confidence?

Carolyn Elefant asks in a recent blog: can an e-mail address make a negative impression? The question appears to be about more than professional polish. She goes on to write:

Used to be that lawyers worried about the cachet that their physical mail address would convey. For example, here in the D.C. area, a "K" Street or Pennsylvania Avenue address carries white-shoe prestige while an address on 5th Street near the D.C. Superior Courthouse suggests a practicing criminal lawyer or consumer-oriented practice.

But in an Internet age, does a lawyer's e-mail address matter just as much? Doug Cornelius of Compliance Building initiated a recent discussion of the matter with this tweet:

Esquire's Rule #1033. If your lawyer's email address ends in hotmail.com, gmail.com or yahoo.com (or aol.com), find a new lawyer.

Cornelius didn't elaborate on the point (after all, he only had 140 characters), but I suppose that Hotmail, Yahoo or Gmail addresses suggest that a lawyer is too cheap or lacking in tech savvy to set up an e-mail account on his own firm's server. In addition, some have raised privacy concerns about Gmail, which would presumably apply to the other services as well. Questions about the confidentiality of a firm's e-mail might be another reason for a client to avoid a lawyer using one of these services.

Wednesday, May 6, 2009

Email Privacy Targeted by Boucher House Subcommittee

The US Congress is shining a light on the extent to which email can now be viewed by outside third parties.

“The thought that a network operator could track a user’s every move on the internet, record the details of every search and read every email or attached document is alarming,” according to Virginia Congressional Democrat Rick Boucher in his opening remarks before the committee he now heads, the House subcommittee on Communications, Technology and the Internet.

In a hearing on April 23rd, Boucher said he was directing his committee to write an online privacy law this year. Boucher’s remarks make clear that the new law will address email privacy. Nevada and Massachusetts are the first states to require businesses to use encrypted email when exchanging personal client information. California has also introduced privacy legislation requiring data spills, including wayward emails with ostensibly personal client data, to be reported to Jerry Brown, the State’s Attorney General. It appears now that within the year a Federal law will also require personal data to be locked down when stored or emailed. This may change the game for law firms reliant on attorney-client privilege.

For lawyers, the real question remains whether email will retain its legal mantle of a reasonable expectation of privacy, a term of law setting the bar for attorney-client privilege. If email loses its legal claim to a reasonable expectation of privacy, law firms will need to seek alternatives. That’s likely to be either encryption or paper. Email’s privacy status has already been challenged in cases such as the 1996 case of Michael A. Smyth v. The Pillsbury Company, in which company email was held not to offer a reasonable expectation of privacy.

ABA best practices also hinge on whether email offers a reasonable expectation of privacy. If Boucher’s committee stays on track, the extent to which these new laws impact ABA best practices may be felt within the year.

Web solutions for the legal industry include services such as the Lawdex Secure Document Exchange of which I’m a founder.

Tuesday, February 3, 2009

California Online Privacy Bill

California may soon toughen its online privacy laws. Introduced December 1, 2008, California Senate Bill 20 amends privacy statutes Sections 1798.29 and 1798.82 of the California Civil Code. The amendment, introduced by Senator Joe Simitian, requires notification to the California Attorney General’s Office when dealing with unencrypted data mishaps. http://www.leginfo.ca.gov/pub/09-10/bill/sen/sb_0001-0050/sb_20_bill_20081201_introduced.pdf

The legislation would affect the way firms store and send information over the web. Curiously, recent changes in the law in Nevada and Massachusetts may already have a bigger impact on Californians than their own state law.

According to Charlene Brownlee in her Privacy and Security Law blog: “Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information. (NRS 597.970)” Brownlee notes, “Companies operating nationally should consider whether their existing policies and procedures regarding transmission of customer personal information comply with this new law.”

In his published account, the Wall Street Journal’s Ben Worthen digs into the new email privacy and data security laws enacted in Nevada and Massachusetts this past year. Worthen draws insight from experts in the field:

“The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent.” -- Miriam Wugmeister, attorney with Morrison & Foerster LLP.

"We do business in all 50 states so we're definitely reviewing it." -- Andrew Speirs, Information security officer for National Life Group, insurance based in Montpelier, Vt.

"It's a burden, but it's something you have to do." -- Karen Grant, Chief Privacy Officer for Boston-based Partners HealthCare System Inc., commenting on the $100,000 price tag for complying with the new law.

"Breach-notification laws deal with what happens after the horse leaves the barn. [The new regulation] is intended to prevent the horse from getting out of the barn in the first place." -- Daniel Crane, Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation.

As for my own firm’s privacy solution, I’m told by Whittier Law Professor Denny Haythorn that “Lawyers should be breaking down your website to use it.” That solution can be viewed for free through the Los Angeles County Bar Association at https://sdx.lawdex.com/partners/lacba/.

Saturday, November 22, 2008

Congress Reports on Targeted Foreign Surveillance of US Email

According to separate reports this week, the Chinese are spying on US email and Barack Obama is having his Blackberry taken away.

New York Times reporter Jeff Zeleny writes in his recent article entitled “Give up his Blackberry? Yes he can. Maybe”:

“Presidents were not advised to use e-mail because of security risks and fear that messages could be intercepted,” according to Diana Owen, who heads the American Studies program at Georgetown University. “They could come up with some bulletproof way of protecting his e-mail and digital correspondence, but anything can be hacked,” said Ms. Owen, who has studied how presidents communicate in the Internet era.

In partial answer to Ms. Owen, though, it’s also true that not everything is hacked and not everything is stolen. Some things are stolen more often than others, and some communiqués are read less often.

Thomas Claburn writes this week in Information Week:

"China is targeting U.S. government and commercial computers for espionage," says the U.S.-China Economic and Security Review Commission's (USCC) 2008 Annual Report to Congress.

"Alan Paller from the SANS Institute, an Internet security company, believes that in 2007 the 10 most prominent U.S. defense contractors, including Raytheon, Lockheed Martin, Boeing, and Northrop Grumman, were victims of cyberespionage through penetrations of their unclassified networks."

Claburn goes on to write:

“In June, U.S. Rep. Frank Wolf, R-Va., said that four computers in his office had been compromised in 2006 and that computers used by other members of Congress and by the House Foreign Affairs Committee had also been hacked.”

Claburn quotes Wolf as saying, “These cyberattacks permitted the source to probe our computers to evaluate our system's defenses, and to view and copy information. My suspicion is that I was targeted by Chinese sources because of my long history of speaking out about China's abysmal human rights record.”

To run full circle on presidential email, according to Demetri Sevastopulo writing for the Financial Times on November 7th:

“Chinese hackers have penetrated the White House computer network on multiple occasions, and obtained e-mails between government officials, a senior US official told the Financial Times.
The cyber attackers managed to penetrate the White House system for brief periods that allowed them to steal information before US government experts each time patched the system.
The specialists suspect the attacks were sponsored by the Chinese government, although they cannot say for definite.”

Meanwhile the Associated Press writes today, November 22nd:

“BEIJING (AP) — China has denounced a U.S. congressional panel that issued a report accusing it of stepping up computer espionage attacks on the American government, its defense contractors and businesses.”

Regardless of foreign involvement, the wider issue here may be whether email continues to offer a reasonable expectation of privacy. Even before the courts do, it’s a question the American Bar Association may soon need to revisit. Without legal consensus on email’s reasonable expectation of privacy, businesses and government, and the law firms that serve them, may need to treat their communiqués more like they should have treated money.

There are, in fact, some ways to easily send email without spilling the beans to moneyed, foreign, or governmental interests. My own firm continues to look at ways of keeping email easy without opening it to anyone with an incentive to pry. It’s one of the reasons why the Los Angeles Bar brought our firm in to help secure email for its 22,000 members in California and the Pacific Rim.

I’m including here the following link into the LA Bar's free offer of our service. They’ve made it available for a limited time. I’m also including a link into a legal education class I taught on email privacy at the Los Angeles County Bar with former CIA staffer, Fred Klapetzky, now a disaster recovery expert with Marsh Consulting.

Thursday, November 20, 2008

The Wall Street Journal's Ben Worthen Investigates New Wave of State Privacy Laws

The Wall Street Journal’s Ben Worthen digs into the new email privacy and data security laws enacted in Nevada and Massachusetts. The Nevada law went into effect October 1st. The Massachusetts law goes into effect in January.

In his October 16th article Worthen draws insight from experts in the field:

“The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent.” -- Miriam Wugmeister, attorney with Morrison & Foerster LLP.

"We do business in all 50 states so we're definitely reviewing it." -- Andrew Speirs, Information security officer for National Life Group, insurance based in Montpelier, Vt.

"It's a burden, but it's something you have to do." -- Karen Grant, Chief Privacy Officer for Boston-based Partners HealthCare System Inc., commenting on the $100,000 price tag for complying with the new law.

"Breach-notification laws deal with what happens after the horse leaves the barn. [The new regulation] is intended to prevent the horse from getting out of the barn in the first place." -- Daniel Crane, Undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation.

My own firm’s approach to complying with the law looks at the participants in this legal ecosystem. So much paper moves between law firms, insurance companies and hospitals that some people call this the devil’s triangle. But people are also asking how to move these documents privately. My firm’s development team has produced one solution for client privacy.

We’re one of a handful of companies that have taken a specific look at how to move legal documents privately over the web. But these new laws make one thing clear: the reasonable expectation of privacy when using email is now being questioned under state law. More information on my firm’s solution is available at: Legal Lockbox.