
IT'S TEN O'CLOCK,
DO YOU KNOW WHERE YOUR DATA IS?

COMPUTER SECURITY, PRIVACY EXPECTATIONS & LIABILITY


Consider this fictional electronic scenario....

    MacTwiddle & Associates, the largest Chicago multi-jurisdictional law firm specializing in trade and patent law, has received client approval for the submission of a patent registration on a secret new chemical process that will substantially reduce the production costs for nitrogen-based organic fertilizers.

    The client, let's call it Synergistic Organic Chemical Optimization (SOCO), stands to reap huge financial profits from the sale of patent rights and the increase in value of its stock in what is a Bull market for trading in fertilizer and agriculture.

    Since MacTwiddle's senior partner for chemical patents works in the Washington, D.C., office, from where the papers will be filed, the complex chemical and legal data has been transmitted from Chicago to D.C. for speed, convenience, and to avoid typographical errors associated with re-typing. The firm uses its in-house computer system with its built-in communications hardware and software to transmit the legal and proprietary data over ordinary phone lines.

    The final preparation of documents for the patent submission takes only five working days in the D.C. office (a new in-house record credited to the efficiency of the computer/phone-line data transfer).

    A few weeks later the MacTwiddle firm discovers that two days prior to their patent submission, SOCO's major competitor, Structured Organic Nitrate Network, had filed papers seeking a patent on a nearly identical procedure.

    Convinced that their trade secrets have been stolen from the offices of MacTwiddle & Associates, SOCO hires another law firm, Corporate Liability & Accountability Specialists, to file a $600 million lawsuit against MacTwiddle & Associates. The Complaint cites lax electronic data security provisions at MacTwiddle & Associates and charges the firm was negligent in its handling of SOCO's valuable trade secrets. The Complaint also seeks to expand the litigation into a class action on behalf of other MacTwiddle clients injured by other suspected data thefts.

    The Chicago Sun-Times financial page headline reads: "SOCO Socks Big MACC with CLAS Act for SONN Burn in Bull Market."

    Can MacTwiddle & Associates be held liable for the theft of the SOCO data? Is there a valid negligence claim regarding computerized data security that can stand up in court? Are there any ways to prove or disprove that the data in an electronic format was stolen from MacTwiddle? Was MacTwiddle indeed dumb in its handling of the proprietary data? Has anyone really thought about these questions?

George B. Trubow, Professor of Law at John Marshall Law School and director of the Center for Information Technology and Privacy Law, thinks about these questions.

Trubow has been concerned about these matters longer than most, and from 1974 to 1976 he served as the general counsel to the Committee on the Right to Privacy, established by President Ford to formulate White House policy and propose legislation in this area. Not coincidentally, he is the convener of this conference.

And what about MacTwiddle & Associates? Trubow doesn't think speculation about such nightmares is too far-fetched, and warns, "the law in its current status is inadequate to deal with such scenarios. The question of liability is wide open."

"Last year everyone was pointing fingers at the Hackers and saying 'you dirty bastards' but little was said about the responsibility of the people who maintained the data bases," Trubow observes.

In one incident the TRW database was penetrated and information was extracted. "No lawsuit resulted," admits Trubow, "but questions were raised about liability."

A useful analogy to electronic data bases would be to think about a safety deposit box at a bank, says Trubow. "Suppose a crook breaks into the bank and steals something from a customer's box. It appears under Bailment theory that the bank is liable for that property. It simply isn't an excuse to claim the third party is responsible. The property was put there under the assumption it would be protected."

Lawyers, because of attorney-client privilege, can't be forced to disclose information - but what if the information disclosure was not voluntary? What if it was accidental? What if a third party crook penetrates your electronic system and steals client information?

According to Trubow, there are conflicting legal theories regarding liability that could be applied to such a case. "One can be held liable if one subjects another to an extraordinary and known risk," observes Trubow, "and we can draw some analogies here as well."

Consider a professional who has sensitive commercial data in file folders and takes them home and stacks them on her front porch, where they are subsequently stolen. "It would be considered virtually criminal" for a person with professional obligations to a client to do something like that, says Trubow.

Yet isn't it the same thing to keep sensitive information in a computer system that can easily be penetrated? Since it is a decision made by a firm when data is electronically stored and transmitted, do corporate officials share a responsibility to take steps to protect electronically-stored and transmitted client data? Should managers anticipate acts of electronic theft? Do they have a duty to avoid subjecting clients to the risk of data theft by implementing electronic data security plans?

"Absolutely," says Trubow. "The examples are legion of situations where computerized data has been stolen and in some instances it has proven impossible to figure out who did it or how it was done," notes Trubow. Computer users need to be aware that if data is on a computer attached to a phone line, it can be obtained.

Which brings us back to the question of liability. Even a Good Faith Defense based on implemented security precautions might not solve the problem of liability, says Trubow, who explains that one question currently being debated is whether or not a concept of Strict Liability -- liability without fault -- should apply to situations where harm is caused through the theft of data.
