Recent news stories have sparked a worldwide debate about the right to privacy for both individuals and businesses. As the European Union pushes for greater safeguards, tech giants like Google are struggling with the potential implications of the “right to be forgotten.” Here in the United States, several high-profile breaches raised the issue of consumers’ right to know when sensitive information about them has been accessed.
In their discussion at CEIC 2014, 451 Research Analyst and Counsel David Horrigan and Assistant U.S. Attorney Edward McAndrew highlighted several developments that could impact e-discovery and investigations.
The Right to Be Forgotten
Under the “right to be forgotten,” individuals can request that search engine operators, such as Google, remove personal information that’s outdated or irrelevant. This right was recently bolstered when the Court of Justice of the European Union ruled that internet companies can be made to remove certain information.
In this specific case, a Spanish man objected that Google searches on his name returned results about a real-estate auction to collect alleged debts in the late 1990s. The court ruled that Google was required to remove results that are "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed."
The ruling is already having an impact. According to a recent Time Magazine story, Google has received an average of 10,000 requests per day from individuals who want certain search results deleted.
“It’s a delicate balancing act between the right to know and the individual’s right to privacy,” Horrigan noted. How privacy is viewed is also a cultural issue—with the United States often placing greater emphasis on the right to know and the public’s access to information. Meanwhile, many Europeans view the United States as the “Wild West” when it comes to data privacy.
Valuable Corporate Information is in Hackers’ Crosshairs
On the first day of CEIC, the Justice Department announced that it had indicted five members of the Chinese military for allegedly hacking into and stealing trade secrets from six U.S. companies. Horrigan believes that, although data privacy and protection in the United States may not be the priorities they are in many other nations, this case indicates a greater government emphasis on data privacy and cyber security, including criminal prosecutions and regulatory enforcement. Further, the indictment will fuel continuing global dialogue on espionage and cyber threats.
“Economic espionage and the rampant cyber theft of intellectual property is perhaps the greatest, current threat to the United States in the cyber realm,” McAndrew said, explaining that China is actively targeting industries in which it would like to grow in order to gain a competitive advantage.
A Piecemeal Approach
There are more than 50 federal statutes that address cybersecurity issues, according to McAndrew. There are also a number of federal privacy and data security statutes geared towards protecting an individual’s right to privacy, such as the Health Insurance Portability and Accountability Act (HIPAA).
The Obama Administration has been actively pushing for a national data breach law. The Federal Trade Commission recently joined the data security fray, when it sued Wyndham Worldwide, claiming the hotel chain did not take proper measures to protect the personal and financial information of guests against cybercriminals.
The FTC blamed data breaches at Wyndham hotels on several significant security lapses, such as lack of firewalls, reliance on weak or easily guessed passwords, and the failure to conduct security investigations and fix previously known vulnerabilities.
Defining Privacy in a Rapidly Transforming Environment
What does this all mean for professionals tasked with e-discovery? They should become more actively engaged in discussions concerning security and privacy. Just like the government and other private industry sectors, lawyers and legal services providers are at risk of losing valuable and confidential information.
“This is no longer just an IT problem in need of just an IT solution,” said McAndrew.
He also stressed the importance of individualized risk assessments and the creation of a data security plan that fits each lawyer or legal organization’s risk profile, goals, and budget. Legal organizations must also develop data-breach and incident-response plans, so they are prepared to act when confronted with different types of cyber issues.
What are Your Thoughts?
What role should legal play in security policies? In an increasingly connected world, is the further erosion of privacy as we know it inevitable?