CEIC 2014: Highlights of “The Intersection of Privacy, Security and E-Discovery” Session

Recent news stories have sparked a worldwide debate about the right to privacy for both individuals and businesses. As the European Union pushes for greater safeguards, tech giants like Google are struggling with the potential implications of the “right to be forgotten.” Here in the United States, several high-profile breaches raised the issue of consumers’ right to know when sensitive information about them has been accessed.

In their discussion at CEIC 2014, 451 Research Analyst and Counsel David Horrigan and Assistant U.S. Attorney Edward McAndrew highlighted several developments that could impact e-discovery and investigations. 

The Right to Be Forgotten

Under the “right to be forgotten,” individuals can request that search engine operators, such as Google, remove personal information that’s outdated or irrelevant. This right was recently bolstered when the Court of Justice of the European Union ruled that internet companies can be made to remove certain information.

In this specific case, a Spanish man objected that Google searches on his name returned results about a real-estate auction to collect alleged debts in the late 1990s. The court ruled that Google was required to remove results that are "inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed."

The ruling is already having an impact. According to a recent Time Magazine story, Google has received an average of 10,000 requests per day from individuals who want certain search results deleted.

“It’s a delicate balancing act between the right to know and the individual’s right to privacy,” Horrigan noted. How privacy is viewed is also a cultural issue—with the United States often placing greater emphasis on the right to know and the public’s access to information. Meanwhile, many Europeans view the United States as the “Wild West” when it comes to data privacy.

Valuable Corporate Information is in Hackers’ Crosshairs

On the first day of CEIC, the Justice Department announced that it had indicted five members of the Chinese military for allegedly hacking into and stealing trade secrets from six U.S. companies. Horrigan believes that, although data privacy and protection in the United States may not be the priorities they are in many other nations, this case indicates a greater government emphasis on data privacy and cyber security, including criminal prosecutions and regulatory enforcement. Further, the indictment will fuel continuing global dialogue on espionage and cyber threats.

“Economic espionage and the rampant cyber theft of intellectual property is perhaps the greatest, current threat to the United States in the cyber realm,” McAndrew said, explaining that China is actively targeting industries in which it would like to grow in order to gain a competitive advantage.

A Piecemeal Approach

There are more than 50 federal statutes that address cybersecurity issues, according to McAndrew. There are also a number of federal privacy and data security statutes geared towards protecting an individual’s right to privacy, such as the Health Insurance Portability and Accountability Act (HIPAA).

The Obama Administration has been actively pushing for a national data breach law. The Federal Trade Commission recently joined the data security fray, when it sued Wyndham Worldwide, claiming the hotel chain did not take proper measures to protect the personal and financial information of guests against cybercriminals.

The FTC blamed data breaches at Wyndham hotels on several significant security lapses, such as lack of firewalls, reliance on weak or easily guessed passwords, and the failure to conduct security investigations and fix previously  known vulnerabilities.

Defining Privacy in a Rapidly Transforming Environment

What does this all mean for professionals tasked with e-discovery? They should become more actively engaged in discussions concerning security and privacy. Just like the  government and other private industry sectors, lawyers and legal services providers  are at risk of losing valuable and confidential information.

“This is no longer just an IT problem in need of just an IT solution,” said McAndrew.

He also stressed the importance of individualized risk assessments and the creation of a data security plan that fits each lawyer or legal organization’s risk profile, goals, and budget. Legal organizations must also develop data-breach and incident-response plans, so they are prepared to act when confronted with different types of cyber issues.

What are Your Thoughts? What role should legal play in security policies? In an increasingly connected world, is the further erosion of privacy as we know it inevitable? 

No comments :

Post a Comment