Tip

Can unfiltered e-discovery result in violations of data breach laws?

Increased focus on privacy and security concerns in the United States is shining a spotlight on a largely ignored source of data breaches: e-discovery. Concerns about inadvertent privacy and data breach law violations during the execution of e-discovery have rapidly emerged as 2010’s latest e-discovery risk.

E-discovery is all about information disclosure. Privacy is all about avoiding unauthorized information disclosure. These opposing goals make a collision more likely during lawsuits and regulatory actions. Avoiding a new data breach problem while complying with an e-discovery demand requires special expertise in what is essentially a security risk.

The United States is slowly catching up to Europe’s long-standing tradition of well-developed privacy and related security laws, which are based on the EU's directives on data protection. The latest U.S. legislation includes the Best Practices Act of 2010, currently before the House of Representatives. The Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance, in concert with the Subcommittee on Security, Insurance and Investment, is cosponsoring the “Data Security and Breach Notification Act of 2010,” now before the Senate.

The latter law, which would pre-empt the patchwork of 44 state data breach laws, requires businesses to protect personal information in their possession, to notify residents if that information is breached and to adopt a data security policy. Interpreted in a litigation context, e-discovery could be considered a form of mandated data breach.

Intel Corp.’s David Hoffman recently expressed support for the Best Practices Act, which he believes will expand business by allowing individuals to “trust their technology.” John Kerry (D-Mass.) has announced support for a similar bill in the Senate. But those ensnared in e-discovery projects will find that the existing privacy and data breach laws already add yet another layer of e-discovery review to lengthy, complicated and costly projects.

To give you an idea of the scope of the issue, here is a list of the current laws that are applicable to e-discovery production:

  • The Family Educational Rights and Privacy Act;
  • The Health Insurance Portability and Accountability Act (HIPAA);
  • Financial privacy guidelines such as those from the Payment Card Industry (PCI) involving credit card number disclosure and masking primary account numbers; the Fair Credit Reporting Act, which addresses credit reports and background checks; and the Fair and Accurate Credit Transactions Act; and
  • The Electronic Communications Privacy and Stored Communications acts.

You can protect yourself and your organization from problems with unlawful disclosure by incorporating e-discovery scenarios into your underlying policies. In doing so, your policies, standards and technical directives should cover precautions taken during e-discovery, including inadvertent disclosure procedures as well as those for legal hold and production during e-discovery.

Sarah Cortes is a senior technology manager at Inman TechnologyIT. Write to her at sarah_cortes@inmantechnologyIT.com.

This was first published in October 2010
