Angered by the recent tragic suicide of Internet activist Aaron Swartz, a group of hackers claiming to be from the group Anonymous made threats over the weekend to release sensitive information about the United States Department of Justice. The group claimed to have a file on multiple servers that is ready to be released immediately.
Swartz’s suicide has served to mobilize the group Anonymous, a loosely defined collective of Internet “hacktivists” that oppose attempts to limit Internet freedoms. Anonymous is a staunch advocate of open access to information, as was Swartz. Anonymous said that Swartz “was killed” because he “faced an impossible choice.”
Swartz was facing federal computer fraud charges that carried a maximum sentence of 35 years in prison, although in reality he probably would not have been given a sentence anywhere near the statutory maximum. Prosecutors told Swartz’s legal team they would recommend to the judge a sentence of six months in a low-security setting.
The charges arose from allegations that he made freely available an enormous archive of research articles and similar documents offered by JSTOR, an online academic database, through the computers at the Massachusetts Institute of Technology.
Swartz was a leading activist involved in the movement to make information more freely available on the Internet and is credited with helping to lead the protests that ultimately defeated the Stop Online Piracy Act (SOPA), a statute that would have significantly broadened law enforcement powers in policing Internet content that may violate U.S. copyright laws.
Earlier this month, Rep. Zoe Lofgren (D-Calif.) indicated that she is drafting a bill that she terms “Aaron’s Law,” which would limit the scope of the Computer Fraud and Abuse Act, a 1986 law that prosecutors used to help bring these charges against Swartz.
The hackers reportedly hijacked the website of the United States Sentencing Commission, the federal agency responsible for the federal sentencing guidelines for criminal offenses. They said that the Sentencing Commission’s website was chosen because of its influence in creating sentences that they deemed unfair. The hackers posted a message that demanded reform of the criminal justice system, threatening that sensitive information would otherwise be leaked. Anonymous also posted an editable version of the website, which invited users to edit it as they pleased.
Today is Data Privacy Day. These recent incidents serve to show that no organization – not even the U.S. Department of Justice – is immune from security breaches. Data breaches and data losses will occur and it is crucial for an organization to be prepared and have policies in place to allow a quick response when something does happen.
The legal ramifications and bad publicity that follow such an incident can be very damaging to an organization. However, by making sure that you are prepared, you can minimize your damages. Preparedness involves consultation across a range of specialties, including information technology, legal advice, and public relations. The impact that a data breach or loss can have on the bottom line of any organization is enormous and preparation is the best method to combat it.
A data breach or data loss can also have far-reaching legal consequences under international, federal and various state laws. For example, companies may not realize that having even a few employees or customers in a state may trigger a number of different requirements under that state’s privacy laws. In order to avoid problems with federal agencies or state attorney general offices, it is best for companies to have a plan in place in advance and make sure they are already compliant with all relevant laws.
Michelle Cohen recently joined Ifrah Law as a partner. Here is an edited transcript of a recent interview with Ms. Cohen.
Question: What are some of your legal experiences and strengths that you’d like to highlight?
Answer: I have many years of experience representing clients engaged in various industry sectors before state attorneys general, the FTC and the FCC, particularly in investigations and enforcement matters. I have a deep knowledge of marketing law and have counseled and defended clients in dozens of matters involving the Telephone Consumer Protection Act, the federal CAN-SPAM Act, and state and federal telemarketing laws and regulations. I also sat for and passed the Certified Information Privacy Professional examination administered by the International Association of Privacy Professionals. This demonstrates my broad capabilities in the field of privacy law.
Some recent matters of note include managing a data loss incident for a client that entailed notifications to several state attorney generals’ offices, assisting the client with remediation and public relations management, and reviewing existing data retention policies, as well as a follow-up investigation at the state level. The client was able to move forward without any enforcement activity.
On the Telephone Consumer Protection Act side, I have supervised teams of attorneys in defending class and individual actions and resolved FCC enforcement matters (including without any penalties).
My training as both a litigator and a regulatory/corporate advisor allows me to offer a wide range of services to clients. I take great pride in knowing that my regulatory advice to clients in how to craft their business practices and establish meaningful policies has resulted in these clients avoiding enforcement actions and litigation.
Question: There has been a lot of publicity these days about data breaches that have caused serious harm to a number of retailers, credit card companies, banks, and others. Do you think there has been a real uptick in the number of such breaches, and if so, why has it occurred?
Answer: I think the increased publicity stems more from the growing awareness on the part of companies and the press that there are various types of data breaches and data losses that are covered by federal and state laws and that need to be reported and remediated. Some years back, if a laptop containing sensitive information was stolen from an employee’s car, the company might disable the account and report the theft, but the event did not necessarily trigger potentially thousands of notices to those affected, state attorneys general and consumer protection offices, publicity (via news reports and blogs that cover daily breaches) and possible lawsuits and enforcement activity. Today, that one event can result in all of those actions occurring.
Question: What is your advice to companies that may someday face a data breach?
Answer: A couple of months ago, I wrote an article regarding data breaches. The central point was that no organization should consider itself immune. Rather, a data breach (in the form of a bad actor) or a data loss (for instance, by negligent but unintentional employee action) WILL occur, no matter how many precautions a company takes. The key is to have policies in place regarding data security, to train employees in an effort to prevent negligent actions, and to be prepared for actions that will need to be taken when an event occurs. Organizations should have a team in place (human resources, legal, public relations, etc.) for dealing with these types of problems. Data loss events require swift, but considered action. In particular, some of the state breach laws have deadlines, and companies have found themselves under investigation (or involved in litigation) when their responses to a breach have been too slow or failed to meet the requirements of the law. These legal ramifications, combined with the negative publicity that WILL follow, can often be much worse than the actual data loss event.
Question: Are some companies failing to put the best safety provisions in place?
Answer: Most large companies have incorporated data safety policies; however, many medium-sized and smaller businesses have not done so. In addition, I think that many companies, both large and small, do not realize the scope and applicability of many of the laws. For example, consider a large company based in Texas, with most of its employees in that state. Its managers may not realize that if the company has three employees in Massachusetts, they are covered by Massachusetts’ data protection law. This statute has very specific requirements, including a requirement for a Massachusetts-specific information security plan. Let’s say the Texas company has a data loss and has to notify the Massachusetts employees and the Massachusetts Attorney General’s office along with all of its other employees. The company may get a follow-up inquiry from the Massachusetts AG asking for a copy of that company’s Massachusetts-compliant written information security policy. If the company does not have one, because it never realized it fell within that state’s law, it may find itself in some hot water there.
Accordingly, all organizations need to be proactive in their data security planning and must provide continuing updates to their policies, training, and understanding of what federal, state, and international laws may apply to their operations.