IT'S TEN O'CLOCK,
DO YOU KNOW WHERE YOUR DATA IS?
COMPUTER SECURITY, PRIVACY EXPECTATIONS & LIABILITY
Consider this fictional electronic scenario....
MacTwiddle & Associates, the largest Chicago multi-jurisdictional
law firm specializing in trade and patent law, has received client approval
for the submission of a patent registration on a secret new chemical
process that will substantially reduce the production costs for nitrogen-based
organic fertilizers.
The client, let's call it Synergistic Organic Chemical Optimization
(SOCO), stands to reap huge financial profits from the sale of patent
rights and the increase in value of its stock in what is a Bull market
for trading in fertilizer and agriculture.
Since MacTwiddle's senior partner for chemical patents works in the Washington,
D.C., office, from where the papers will be filed, the complex chemical
and legal data has been transmitted from Chicago to D.C. for speed, convenience,
and to avoid typographical errors associated with re-typing. The firm
uses its in-house computer system with its built-in communications
hardware and software to transmit the legal and proprietary data over
ordinary phone lines.
The final preparation of documents for the patent submission takes only
five working days in the D.C. office (a new in-house record credited
to the efficiency of the computer/phone-line data transfer).
A few weeks later the MacTwiddle firm discovers that two days prior
to their patent submission, SOCO's major competitor, Structured Organic
Nitrate Network, had filed papers seeking a patent on a nearly identical
procedure.
Convinced that their trade secrets have been stolen from the offices
of MacTwiddle & Associates, SOCO hires another law firm, Corporate
Liability & Accountability Specialists, to file a $600 million lawsuit
against MacTwiddle & Associates. The Complaint cites lax electronic
data security provisions at MacTwiddle & Associates and charges the
firm was negligent in its handling of SOCO's valuable trade secrets.
The Complaint also seeks to expand the litigation into a class action
on behalf of other MacTwiddle clients injured by other suspected data
thefts.
The Chicago Sun-Times financial page headline reads: "SOCO
Socks Big MACC with CLAS Act for SONN Burn in Bull Market."
Can MacTwiddle & Associates be held liable for the theft of the
SOCO data? Is there a valid negligence claim regarding computerized data
security that can stand up in court? Is there any way to prove or disprove
that the data in an electronic format was stolen from MacTwiddle? Was
MacTwiddle indeed dumb in its handling of the proprietary data? Has anyone
really thought about these questions?
George B. Trubow, Professor of Law at John Marshall Law School and director
of the Center for Information Technology and Privacy Law, thinks about these
questions.
Trubow has been concerned about these matters longer than most, and from
1974 to 1976 he served as the general counsel to the Committee on the Right
to Privacy, established by President Ford to formulate White House policy
and propose legislation in this area. Not coincidentally, he is the convener
of this conference.
And what about MacTwiddle & Associates? Trubow doesn't think speculation
about such nightmares is too far-fetched, and warns, "the law in its
current status is inadequate to deal with such scenarios. The question
of liability is wide open."
"Last year everyone was pointing fingers at the Hackers and saying
'you dirty bastards' but little was said about the responsibility of the
people who maintained the data bases," Trubow observes.
In one incident the TRW database was penetrated and information was extracted. "No
lawsuit resulted," admits Trubow, "but questions were raised
about liability."
A useful analogy to electronic data bases would be to think about a safety
deposit box at a bank, says Trubow. "Suppose a crook breaks into the
bank and steals something from a customer's box. It appears under bailment
theory that the bank is liable for that property. It simply isn't an excuse
to claim the third party is responsible. The property was put there under
the assumption it would be protected."
Lawyers, because of attorney-client privilege, can't be forced to disclose
information - but what if the information disclosure was not voluntary?
What if it was accidental? What if a third-party crook penetrates your
electronic system and steals client information?
According to Trubow, there are conflicting legal theories regarding liability
that could be applied to such a case. "One can be held liable if one
subjects another to an extraordinary and known risk," observes Trubow, "and
we can draw some analogies here as well."
Consider a professional who has sensitive commercial data in file folders
and takes them home and stacks them on her front porch where they are subsequently
stolen. "It would be considered virtually criminal" for a person
with professional obligations to a client to do something like that, says
Trubow.
Yet isn't it the same thing to keep sensitive information in a computer
system that can easily be penetrated? Since it is a decision made by a
firm when data is electronically stored and transmitted, do corporate officials
share a responsibility to take steps to protect electronically-stored and
transmitted client data? Should managers anticipate acts of electronic
theft? Do they have a duty to avoid subjecting clients to the risk of data
theft by implementing electronic data security plans?
"Absolutely," says Trubow. "The examples are legion of
situations where computerized data has been stolen and in some instances
it has proven impossible to figure out who did it or how it was done," notes
Trubow. Computer users need to be aware that if data is on a computer attached
to a phone line, it can be obtained.
Which brings us back to the question of liability. Even a Good Faith Defense
based on implemented security precautions might not solve the problem of
liability, says Trubow, who explains that one question currently being debated
is whether or not a concept of Strict Liability -- liability without fault
-- should apply to situations where harm is caused through the theft of
data.