Increased focus on privacy and security concerns in the United States is shining a spotlight on a largely ignored
source of data breaches: e-discovery. Concerns about inadvertent privacy and data breach law violations during the execution of e-discovery have rapidly emerged as 2010’s latest e-discovery risk.
E-discovery is all about information disclosure. Privacy is all about avoiding unauthorized information disclosure. The two goals increase the chances of a collision during lawsuits and regulatory actions. Trying to avoid creating a new data breach problem while attempting to comply with an e-discovery demand requires a special expertise on what is essentially a security risk.
The United States is slowly catching up to Europe’s long-standing tradition of well-developed privacy and related security laws, which are based on the EU's directives on data protection. The latest U.S. legislation includes the Best Practices Act of 2010, currently before the House of Representatives. The Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance, in concert with the Subcommittee on Security, Insurance and Investment, are cosponsoring the “Data Security and Breach Notification Act of 2010,” now before the Senate.
The latter law, which would pre-empt the patchwork of 44 state data breach laws, requires businesses to protect personal information in their possession, to notify residents if that information is breached and to adopt a data security policy. Interpreted in a litigation context, e-discovery could be considered a form of mandated data breach.
E-discovery is about information disclosure. Privacy is about avoiding unauthorized information disclosure. The two goals increase the chances of a collision during lawsuits and regulatory actions.
Intel Corp.’s David Hoffman recently expressed support for the Best Practices Act, which he believes will expand business by allowing individuals to “trust their technology.” John Kerry (D-Mass.) has announced support for a similar bill in the Senate. But those ensnared in e-discovery projects will find that the existing privacy and data breach laws already add yet another layer of e-discovery review to lengthy, complicated and costly projects.
To give you an idea of the scope of the issue, here is a list of the current laws that are applicable to e-discovery production:
- The Family Educational Rights and Privacy Act;
- The Health Insurance Portability and Accountability Act (HIPAA);
- Financial privacy guidelines such as those from the Payment Card Industry (PCI) involving credit card number disclosure and masking primary account numbers; the Fair Credit Reporting Act, which addresses credit reports and background checks; and the Fair and Accurate Credit Transactions Act; and
- The Electronic Communications Privacy and Stored Communications acts.
You can protect yourself and your organization from problems with unlawful disclosure by incorporating e-discovery scenarios into your underlying policies. In doing so, your policies, standards and technical directives should cover precautions taken during e-discovery, including inadvertent disclosure procedures as well as those for legal hold and production during e-discovery.