PRIVACY AND CONFIDENTIALITY ISSUES

REGINALD A. HIRSCH 1980 Post Oak Boulevard Suite 2210 Houston, Texas 77056 (713) 961-7800

State Bar of Texas eDISCOVERY IN YOUR CASE February 7, 2014 Austin

CHAPTER 9

REGINALD A. HIRSCH Law Office of Reginald A. Hirsch 1980 Post Oak Boulevard, Suite 2210, Houston, Texas 77056 (713) 961-7800 FAX: (713) 961-3453 E-Mail:[email protected]

BIOGRAPHICAL INFORMATION

DATE OF BIRTH: February 24, 1947, Houston, Texas
MARRIED: Patricia Wicoff, Attorney at Law
CHILD: Sarah Lauren Hirsch, Age 26, Law Student STCL

EDUCATION:
Lamar High School, Houston, Texas, 1965
B.S., University of Houston, 1970
J.D., University of Houston, 1973
Chief Justice Student Court, University of Houston Student Court, 1972-1973
Student Regent to the University of Houston Board of Regents, 1972-1973

PROFESSIONAL EMPLOYMENT:
Assistant Attorney General for State Bar of Texas, Environmental Division, 1973-1974
Balasco, Clark, Hirsch and Stern, 1974-1979
Lipstet & Hirsch, 1979-2008
Law Office of Reginald A. Hirsch, 2008 to present

PROFESSIONAL LICENSES:
State Bar of Texas, 1973
U.S. District Court, Southern District of Texas, 1974
U.S. Court of Appeals, Fifth Circuit, 1974

PROFESSIONAL ACTIVITIES:
Board Certified in Family Law, 1979-2014
President, Harris County Young Family Lawyers Association, 1977
President, Family Law Section, Houston Bar Association, 1980-1981
Member, State Bar of Texas, Family Law Counsel, 1985-1989
Chairman, Houston Volunteer Lawyers Association, 1983-1984
Director, The Association of Trial Lawyers of America, 1985
President, Family Law Forum, 1983-1985
Director, Association of Gulf Coast Family Law Specialists, 1989-1990
President, Gulf Coast Legal Foundation, 1986
Texas Association of Family Law Specialists
International Society of Family Law
National Association of Counsel for Children
American Academy of Matrimonial Lawyers
Adjunct Professor, South Texas College of Law, Environmental Law, 1975-1977
Guest Lecturer at Baylor College of Medicine
Guest Lecturer at University of Houston Law School, South Texas College of Law, TSU Marshall School of Law
Master, American Inns of Court
Chairperson, Family Law Task Force 2000
Treasurer, American Inns of Court, Burta Raborn Chapter, 2005-2009
President, American Inns of Court, Burta Raborn Chapter, 2010-2011
Council Member, State Bar of Texas, Computer and Technology Section, 2013-2016

Recent Article and Speeches

Recipient, David Gibson Award, Gulf Coast Family Law Specialist, Houston, Tx, May 11, 2006 http://www.youtube.com/watch?v=Y1TjcxaAZ3U&feature=relmfu
Recipient, Texas Super Lawyer, 2007-2013, Family Law, Texas Monthly Magazine
Author, Speaker, University of Texas, The Definitive Short Course on Parent Child Relationships, “The World of Court Appointees: Amicus Attorneys, Attorney Ad Litems, Guardian Ad Litems and Social Studies,” Austin, Tx, November 8, 2007
Author, Speaker, State of Texas Judicial College, “Electronic Issues,” Richardson, Tx, April 17, 2008
Author, Speaker, Co-Panelist, 8th Annual Family Law on the Front Line, “Electronic Evidence – Fighting the War of the Roses in the Electronic Age,” Galveston, Tx, June 20, 2008
Recipient, Judge Judy Warne’s Weekly Acknowledgment of Contribution to the Bench and Bar, June 9, 2008
Author, Speaker, Advanced Family Law Course, “When Technology and Family Law Collide”, San Antonio, August 11, 2008
Speaker, HAL-PC Legal Sig, Electronic Evidence, January 21, 2009, Houston, Tx
Author, Speaker, The Impact of Technology on the Parent-Child Relationships: Critical Thinking For Critical Issues, University of Texas, Austin, Tx, January 29, 2009
Author, Speaker, Using Electronic Evidence, 23rd Annual Family Law Conference, South Texas College of Law, March 5, 2009
Author, Speaker, What every CPA should know about Electronic Evidence, Houston CPA Society, April 24, 2009
Author, Co-Speaker, Using the Latest Technology in the Courtroom and Electronic Evidence Workshop, Advanced Family Law, Dallas, Tx, August 3-6, 2009
Speaker, Judges and Social Media, Bar to Bench: So You Want to Be a Judge?, Web Cast, State Bar of Texas, Austin, Tx, November 4, 2009
Author, Speaker, Electronic Evidence-How to Avoid Getting Shocked, Ultimate Trial Notebook, San Antonio, Tx, December 3-4, 2009
Speaker, Windows 7 and Office 2010, HAL-PC, Houston, Tx, January 20, 2010
Co-Speaker, Author, Electronic Evidence and Discovery, South Texas School of Law, 24th Annual Family Law Conference, Houston, Tx, March 10, 2010
Presiding, Parent Child Relationships: Advanced, UT, Houston, TX, January 27, 2011
Author, Co-Speaker, 30 Hot Tips in 30 Minutes, Advanced Family Law Conference, San Antonio, Tx, August 1, 2011
Author, Co-Speaker, Cutting Edge Apps and High Tech Tools for Family Lawyers, Advanced Family Law Conference, San Antonio, Tx, August 4, 2011
Author, Speaker, Electronic Evidence, Texas College of Judicial Studies, Austin, Tx, April 10, 2012
Author, Co-Speaker, Inventories and Internet Resources, Advanced Family Law Conference, August 8, 2012, Houston, Tx
Author, Speaker, Family Law Technology Course, Latest Tech Tools for Your Office, Austin, Tx, December 13-14, 2012 http://www.youtube.com/watch?v=k9vukNBfM80
Author, Co-Speaker, Family Law Technology Course, Looking Beyond the Horizon, Austin, Tx, December 13-14, 2012
Author, Co-Speaker, Enhancing Your Case Through Technology, Innovations-Breaking Boundaries in Custody Litigation, UTCLE/AMML, January 24-25, 2013
Author, Co-Speaker, Discovery and Electronic Evidence, 27th Annual Family Law Conference, South Texas College of Law, March 8, 2013, Houston, Tx
Speaker, 12th Annual Biennial Sampson and Tindall, Family Law Update, June 2013, Houston and Dallas, Tx
Speaker, Author, Forensic Examination of Cell Phones, American Academy of Matrimonial Lawyers, Video, June 2013, http://www.aaml.org/member-resources/launch-learn
Speaker, Author, iPads for Lawyers, A Marriage Made in Heaven, Advanced Family Law Conference, San Antonio, Tx, August 6, 2013
Speaker, Author, Gulf Coast Family Law Specialist, Interesting Apps for Family Lawyers, September 12, 2013, Houston, Tx
Speaker, Author, AAML, Top Ten Tech Tools for Family Lawyers, Chicago, Illinois, November 7, 2013
Recipient, Houstonia Magazine, List of Best Houston Family Lawyer, Dec., 2013
Co-Author, Texas Perspective on E-discovery, Chapter 23, Practical E-Discovery Advice in Family Law Cases, TexasBarCle.
Author, Speaker, E-Discovery In Your Case, Chapter 9, Confidentiality and Privacy Issues, February 7, 2014, Austin, Tx, TexasBarCLE

TABLE OF CONTENTS

I. INTRODUCTION

II. PRIVACY
  A. A Short History of Privacy
  B. Privacy and the Constitutions
  C. Right to Privacy in Common Law
  D. Causes of Action in Tort
    1. Statutory
    2. Texas Case Law
  E. Practical Analysis of an Invasion of Privacy Claim

III. INTERCEPTION OF COMMUNICATION
  A. Communications Act (“Stored Communications Act”)
    1. Conflicting Definitions of “Electronic Storage”
    2. Social Media and the Stored Communications Act
  B. The Electronic Communications Privacy Act (ECPA)
    1. Criticisms of ECPA
    2. Digital Due Process – the Movement
  C. The Federal Wiretap Act
    1. Exceptions to the Federal Wiretap Act
  D. Texas Wiretap Statutes – the Federal Counterpart
    1. Texas Civil Practice and Remedies Code
    2. Texas Penal Code
    3. Exception to the Texas Wiretap Act
  E. Computer Breach – the Penal Code
    1. Caveat Emptor – vehicle ownership required
    2. Exception: Law enforcement
  F. Spyware
    1. Spyware on the Mobile Phone
    2. Spyware on your computer – key logger programs

IV. CONFIDENTIALITY
  A. Texas Rules of Professional Conduct
  B. ABA Model Rule
  C. Texas Business & Commerce Code

V. HELPFUL LINKS TO FEDERAL LAWS, ACTS AND POLICIES ON PRIVACY AND CONFIDENTIALITY

VI. CONCLUSION

PRIVACY AND CONFIDENTIALITY ISSUES

By Reginald A. Hirsch

I. INTRODUCTION

Our first introduction to issues regarding privacy and confidentiality was probably the school yard, where we were introduced to “shh” and “secrets” and realized that there was another world of communication. As most practitioners are aware, technology is advancing at a break-neck pace. Almost every day we are presented with a new electronic device or app that records or intercepts information. With the touch of a few keys on a computer or mobile device, and often at a nominal cost, telephone conversations can be intercepted, the key strokes you make on your home computer can be transmitted to another location, and the act of carrying a cellular telephone can mean that your every move is being tracked and recorded. As a result of this evolution in technology, the once seemingly sacred right of privacy has been battered and pummeled, and our lawmakers struggle to keep pace with this ever-changing, often hostile environment. With the revelations of the programs being used by the NSA, we may reasonably ask what is left regarding privacy and privacy rights. On October 31, 2013, in an article entitled “No U.S. Action, So States Move on Privacy Law”, the New York Times pointed out that with the lack of federal oversight and laws, individual states are now moving into the area of protecting privacy rights. See: http://nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

This rush of 21st Century technology impacts us as lawyers as we are confronted weekly with substantive issues concerning technology that is being used by or against our clients. The guidance available to assist in determining what is proper or, more importantly, what is improper is often conflicting and dated when compared with the technology in question. It is a caveat emptor environment: being forewarned is being forearmed.

The goal of this paper is to reduce fear, supplant it with knowledge and remind everyone that the struggle to protect your client and yourself requires constant vigilance.

Finally, I would like to thank Lacy LaFour of the LaFour Law Firm, P.C. in Houston, Texas who assisted me in the accumulation of materials, writing and editing of this paper. After reviewing the materials in this article, she announced that she is terminating her cell and internet services and moving to Sri Lanka.

The following portions of this paper were adapted from Reginald A. Hirsch’s paper, “Spy vs. Spy – The Legality of using Wiretaps, Spyware, GPS and Other Eavesdropping Technologies,” which was presented during the State Bar of Texas Soaking up Some CLE course in May 2010, and the excellent paper written by Reginald A. Hirsch, Rick Robertson and Cindy V. Tisdale entitled, “Electronic Evidence: How to Avoid Getting Shocked”, State Bar of Texas Best of 2009 Part Two, February 2010.

II. PRIVACY

A. A Short History of Privacy

In order to understand how technology may impact or invade privacy, it is important to understand the right to privacy and the related causes of action.

The idea of a legal right to privacy was first addressed in the United States in an 1890 Harvard Law Review article entitled “The Right to Privacy” by Louis Brandeis (later a Supreme Court Justice) and Samuel D. Warren.[1] Brandeis and Warren argued that the Constitution and the common law allowed for the deduction of a general “right to privacy”. Their article was the result of a late 1800s outbreak of what we now call “sensational journalism” and their attempt to provide a legal framework for protecting against intrusions into privacy.

Later, the renowned tort expert, Dean Prosser, argued that “privacy was composed of four separate torts, the only unifying element of which was a (vague) ‘right to be left alone’.” The four torts addressed by Dean Prosser were:

1. Intrusion upon the plaintiff’s seclusion or solitude or into his private affairs;
2. Public disclosure of embarrassing private facts about the plaintiff;
3. Publicity which places the plaintiff in a false light in the public eye; and
4. Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness.[2]

In 1967, the United States Supreme Court was confronted with a case in which the Defendant walked into a telephone booth, closed the door and made a call. The FBI had previously placed a recording device on the outside of the glass telephone booth and the Defendant’s telephone call was recorded. The issue addressed by the court was whether this action by the FBI violated the Defendant’s Fourth Amendment rights. Ultimately, the Court concluded that the Defendant’s constitutional protections were violated because the Defendant, when making a call with the telephone booth door closed, had a “reasonable expectation of privacy.”[3]

[1] Harvard Law Review, Volume VI, 12-15-1890, No. 5.
[2] See, Prosser’s Privacy Law; A Mixed Legacy, California Law Review, Vol. 98, Issue 6, Article No. 5, 2010. Ultimately, Prosser’s writings and thoughts were codified in the 2nd Restatement of Torts, Section 652(B-D) in 1997.
[3] See Katz v. U.S., 389 U.S. 349, (1967).

B. Privacy and the Constitutions

The word “privacy” is never actually used in the text of the United States Constitution or any of its amendments, but certain provisions have been recognized in case law as implicitly creating protected “zones of privacy”.[4]

Similarly, the Texas Constitution does not expressly guarantee a right to privacy, but the Supreme Court in Texas State Employees Union, et al., v. Texas Department of Mental Health and Mental Retardation, et al.[5] recognized implicit privacy protections:

“While the Texas Constitution contains no express guarantee of a right to privacy, it contains several provisions similar to those in the United States Constitution that have been recognized as implicitly creating protected ‘zones of privacy.’[6] Section 19 of the Texas Bill of Rights protects against arbitrary deprivation of life and liberty.[7] Section 8 provides the freedom to ‘speak, write or publish’. Section 10 protects the right of an accused not to be compelled to give evidence against himself.[8] Sections 9 and 25 guarantee the sanctity of the individual’s home and person against unreasonable intrusion.[9] Finally, the Texas Constitution protects the rights of conscience in matters of religion.[10] Each of these provisions gives rise to a concomitant zone of privacy.[11] We do not doubt, therefore, that a right of individual privacy is implicit among those ‘general, great, and essential principles of liberty and free government’ established by the Texas Bill of Rights.[12] We hold that the Texas Constitution protects personal privacy from unreasonable intrusion. This right to privacy should yield only when the government can demonstrate that an intrusion is reasonably warranted for the achievement of a compelling governmental objective that can be achieved by no less intrusive, more reasonable means.”

Based upon these implicit protections, one may assert that a cause of action for invasion of privacy exists under Texas law even if a federal or state criminal statute has not been violated.

[4] See Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).
[5] Texas State Employees Union, et al., Petitioners, v. Texas Department of Mental Health and Mental Retardation, et al., Respondents, 746 S.W.2d 203 (Tex. 1987)
[6] Cf. Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).
[7] TEX. CONST., art. 1, § 19.
[8] TEX. CONST., art. 1, § 8, 10.
[9] TEX. CONST., art. 1, § 9, 25.
[10] TEX. CONST., art. 1, § 6.
[11] Cf. Griswold v. Connecticut, 381 U.S. 479, 484, 85 S. Ct. 1678, 1681, 14 L.Ed.2d 510 (1965).
[12] TEX. CONST., art. I, Introduction to the Bill of Rights.

C. Right to Privacy in Common Law

Most states have recognized a tort right to privacy in common law. The common law privacy intrusion tort is violated if someone intentionally intrudes upon the private affairs, seclusion or solitude of another person by means that would be highly offensive to a person of ordinary sensibilities. In cases where wiretap acts are not violated, the common law invasion of privacy tort may apply to the various forms of surveillance that will be discussed later in this paper. A violation of the invasion of privacy tort might result in an award for compensatory damages, but it may not be a basis for excluding evidence in some court proceedings.

D. Causes of Action in Tort

1. Statutory

Section 625B of the Restatement (Second) of Torts (1977) provides a cause of action and liability against:

One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or in his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.

To recover on the tort of invasion of privacy, the complainant must show:

• conduct in the nature of an intrusion;
• the private nature of the thing or place intruded upon; and
• the intrusion was substantial and the conduct highly offensive or objectionable to the reasonable person.

In the Handbook of the Law of Torts, Professor William L. Prosser catalogued four distinct injuries under the tort of invasion of privacy:

• intrusion upon a person’s right to be left alone in his or her own affairs;

• publicity given to private information about a person;
• appropriation of some element of the person’s personality for commercial use; and
• false light.[13][14]

2. Texas Case Law

• Texas recognizes a cause of action for willful invasion of privacy.[15]
• The Texas Constitution guarantees the sanctity of the home and person against unreasonable intrusion.[16]
• The concept of invasion of privacy covers intrusion on a party’s seclusion, solitude, or private affairs.[17]
• Texas has also recognized the following claims for intrusion on seclusion:
  - Wiretapping[18]
  - Videotaping (defendant liable for videotaping plaintiff’s bedroom without plaintiff’s consent)[19]; (invasion of privacy when defendant videotaped himself and plaintiff engaging in sexual intercourse and later aired the tape to third parties)[20]
  - Privacy at home (telephone company liable when employee entered home without customer’s permission and no one present)[21]
  - Surveillance (defendant who continuously stalked, followed and spied on plaintiff invaded plaintiff’s right to privacy)[22]
  - Privacy at work (searching through an employee’s locked personal locker constituted an intrusion of privacy)[23]
  - Privacy in public (conversation in public place was private where the parties to the conversation used hushed voices, stood away from other people and close to each other)[24]
  - Liability for invasion of privacy does not depend on any publicity given to the person whose interest is invaded or to his affairs.[25]
  - Punitive damage award of $1,000,000 (21% of defendant chiropractor husband’s net worth) where the defendant had bugged telephones of wife’s attorneys and engaged in other outrageous conduct.[26]

[13] TEX. CONST., art. I, Introduction to the Bill of Rights.
[14] These four variations of the tort were adopted by the Second Restatement of Torts. See Restatement (Second) of Torts § 652A (1977).
[15] Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).
[16] Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex. 1987).
[17] See Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993); Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex 1987)
[18] Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).
[19] Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).
[20] Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).
[21] Gonzales v. Southwestern Bell Tel. Co., 555 S.W.2d 219, 222 (Tex. App. – Corpus Christi 1977, no writ).
[22] Kramer v. Downey, 680 S.W.2d 524, 525 (Tex. App. – Dallas 1984, writ ref’d n.r.e.)
[23] K-Mart Corp. v. Trotti, 677 S.W.2d 632, 637 (Tex. App. – Houston [1st Dist.] 1984, writ ref’d n.r.e., 686 S.W.2d 593 (Tex. 1985).
[24] Stephens v. Dolcefino, 126 S.W.3d 120 (Tex. App – Houston [1st Dist.] 2003).
[25] Clayton v. Richards, 47 S.W.3d 149 (Tex. App. – Texarkana 2001, no pet.); Restatement (Second) of Torts 752B, cmt. A. (1987).
[26] Parker v. Parker, 897 S.W.2d 918, 930 (Tex. App. – Fort Worth 1995, writ denied) overruled on other grounds by Formosa Plastics Corp. USA v. Presidio Engineers & Contractors, Inc., 960 S.W.2d 41

E. Practical Analysis of an Invasion of Privacy Claim

The key to understanding if an invasion of privacy has occurred is to determine a person’s expectation of privacy related to the object of the potential intrusion. The litmus test for claims of invasion of privacy depends on the answer to the following question:

“Was the material or data preserved in a manner to give rise to a reasonable expectation of privacy?”

The following is a typical scenario that a practitioner might face:

My client has accessed a computer located in her home, and during this access she observed her spouse engaged in “x” activity.

In this situation, the practitioner should immediately contemplate the following: Was the client’s access to the computer in her residence legal? If it was not, what kind of trouble am I in, if any, just by looking at the material my client obtained from the computer?

In order to answer these questions, all relevant criteria should be examined and weighed:

1. Where in the home was the computer located?
2. Was it in the spouse’s private office, or was it in a main area of the house?
3. Was the computer or the document that was viewed password protected? If so, was the password kept secret by the spouse and not disclosed to others, or did other members of the household have access to the password?
4. Was the computer used by other family members or 3rd parties?
5. Was the computer a personal or business computer?
6. Was it used by the accessing spouse regularly or infrequently, or not at all?

If the answers to the above questions indicate the computer was located in a common area of the home, that it was not password protected and it was often used by the accessing spouse as well as other family members, it is unlikely the spouse had a reasonable expectation of privacy to the computer.

Conversely, if the analysis indicates that the computer in question was housed in the other spouse’s home office, that it was never used by third parties, and that it was password protected, it is likely the spouse had a reasonable expectation of privacy in relation to the computer, and a claim for invasion of privacy may exist. In this event, the practitioner would not want to take possession of or view any of the material accessed by the client. In addition to advising the client of the possible impropriety of her actions, the client should immediately be instructed not to deliver any of the material to the lawyer or the lawyer’s staff, and the lawyer’s staff should be instructed accordingly.

There are many components to consider when analyzing an invasion of privacy claim; in the event of a close call, a practitioner should always err on the side of caution.

III. INTERCEPTION OF COMMUNICATION

A. Communications Act (“Stored Communications Act”)

The primary purpose of the Stored Communications Act is to protect the privacy interests in personal information that is stored on the Internet, and to limit the government’s ability to compel disclosure of an Internet user’s information contained on the Internet and held by a third party.

More specifically, the Act prohibits: (1) the intentional accessing of a facility through which an electronic communication service is provided without authorization; or (2) the intentional exceeding of an authorization to access a facility; and thus obtaining, altering, or preventing authorized access to a wire or electronic communication (such as e-mail or voicemail) while it is in electronic storage.[27] The Act defines “electronic communication service” as any service that provides users the ability to send or receive wire or electronic communications.[28] The Act defines “electronic storage” as: (1) “any temporary, immediate storage of a wire or electronic communication incidental to the electronic transmission thereof;” and (2) “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”[29] Possible penalties include a fine, imprisonment, or both.[30]

1. Conflicting Definitions of “Electronic Storage”

Although the Act defines “electronic storage”, several courts have interpreted the definition of “electronic storage” in slightly different ways. At the time of this writing, what is in “electronic storage”, and thus regulated by the Act, depends on where the storage is located, e.g., on a person’s hard drive or saved onto a remote server such as Hotmail. To wit:

In Fraser v. Nationwide Mutual Insurance Co.[31] the Eastern District Court of Pennsylvania held that access to e-mail on a hard drive was not subject to the Stored Communications Act. The court reasoned that the “post-transmission storage [on a hard drive]” is not commensurate with “electronic storage” as contemplated by the Act.

A New Jersey court in White v. White tested the holding of Fraser.[32] The state court evaluated the applicability of the Act, as well as state statutes, to interspousal access to email stored on a computer in the family home. After Wife discovered a letter from Husband to his girlfriend, allegedly in plain view, Wife hired a computer detective. The detective, at Wife’s discretion and without using Husband’s password, copied his e-mails that were stored on the hard drive.[33] The New Jersey Court held that Wife did not violate the Act because: (1) the email was not in “electronic storage” when it was accessed because the family computer’s hard drive was not “electronic storage” and (2) the access was not “without authorization” as contemplated by the Act.[34]

In partial contrast, the Western District Court of Wisconsin in Fischer v. Mt. Olive Lutheran Church held that the Act does apply to stored email – at least in some situations.[35] The court found that emails from a Hotmail account that were accessed without authorization were stored by an electronic communication service because the e-mails were saved on Hotmail’s servers.[36]

2. Social Media and the Stored Communications Act

Currently, it is an unsettled question as to whether postings on Facebook and MySpace are protected under the Act. At least one Court has provided protection to social media sites from producing information in response to a subpoena. In Crispin v. Christian Audigier, Inc., the Central District of California held that Facebook and MySpace were protected under the Stored Communications Act.[37]

[27] (71) 18 U.S.C. Sec. 2701(a)
[28] (72) 18 U.S.C. Sec. 2510(15)
[29] (73) 18 U.S.C. Sec. 2510(17) (2000)
[30] (74) 18 U.S.C. Sec. 2701(b)
[31] (75) 135 F. Supp.2d 623 (E.D. Pa. 2001)
[32] (76) 781 A.2d 85 (N.J. Super Ct. Ch. Div. 2001)
[33] (77) Id. at 87
[34] (78) See id.
[35] (79) 207 F. Supp.2d 914 (W.D. Wis. 2002)
[36] (80) Id. at 925
[37] Buckley H. Crispin v. Christian Audigier, Inc., et al., CV 09-09509-MMM-JEMx (C.D. Cal.) (May 26, 2010)

B. The Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, 18 U.S.C. § 2510) was enacted by the United States Congress to extend government restrictions on wiretaps from only telephone calls to include transmissions of electronic data by computer.

Specifically, the ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private, electronic communications. The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, 18 U.S.C. §§ 2701-2712, and also included so-called pen/trap provisions that permit the tracing of telephone communications. §§ 3121-3127.

Later, the ECPA was amended, and weakened to some extent, by provisions of the USA PATRIOT Act. Additionally, Section 2709 of the Act, which allowed the FBI to issue National Security Letters (NSLs) to Internet service providers (ISPs) ordering them to disclose records about their customers, was ruled unconstitutional under the First (and possibly Fourth) Amendments in ACLU v. Ashcroft (2004).

1. Criticisms of ECPA

Since the enactment of the ECPA in 1986, there have been sweeping advancements in communication technology and the way in which people use it. Some of these changes include:

Email: Most Americans have embraced email in their professional and personal lives and use it daily for confidential communications of a personal or business nature. Because of the importance of email and unlimited storage capabilities available today, most people save their email indefinitely, just as they previously saved letters and other correspondence. The difference, of course, is that it is easier to save, search and retrieve digital communications. Many of us now have many years’ worth of stored email; for many people, much of that email is stored on the computers of service providers.

Mobile location: Cell phones and mobile Internet devices constantly generate location data that supports both the underlying service and a growing range of location-based services of great convenience and value. This location data can be intercepted in real-time, and is often stored in easily accessible log files. Location data can reveal a person’s movements, from which inferences can be drawn about activities and associations. Location data is augmented by very precise GPS data being installed in a growing number of devices.

Cloud computing: Increasingly, businesses and individuals are storing data “in the cloud,” with potentially huge benefits in terms of cost, security, flexibility and the ability to share and collaborate.

Social networking: One of the most striking developments of the past few years has been the remarkable growth of social networking. Hundreds of millions of people now use these social media services to share information with friends and as an alternative platform for private communications.

Because the ECPA has been significantly outpaced by technology, there are wide scale issues associated with the interpretation and application of the Act, and the ECPA does not provide protection suited to the way technology is used today. For example:

a. Conflicting Standards

The ECPA sets rules for governmental access to email and stored documents that are not consistent. A single email is subject to multiple different legal standards in its lifecycle, from the moment it is being typed to the moment it is opened by the recipient to the time it is stored with the email service provider. The Act does not clearly state the standard for governmental access to local information.

b. Illogical Distinctions

A document stored on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but the ECPA says that the same document stored with a service provider may not be subject to the warrant requirement.

c. Judicial Criticism

The courts have repeatedly criticized ECPA for being confusing and difficult to apply. The Ninth Circuit in 2002 said that Internet surveillance was “a confusing and uncertain area of the law.” In the past five years, no fewer than 30 federal opinions have been published on government access to cell phone location information, reaching a variety of conclusions.

d. Constitutional Uncertainty

The courts are equally conflicted about the application of the Fourth Amendment to new services and information. A district court in Oregon recently opined that email is not covered by the constitutional protections, while the Ninth Circuit has held precisely the opposite. Last year, a panel of the Sixth Circuit first ruled that email was protected by the Constitution, and then a larger panel of the court vacated the opinion.

This murky legal landscape does not serve the government, customers or service providers well. Customers are, at best, confused about the security of their data in response to an access request from law enforcement. Companies are uncertain of their responsibilities and unable to assure their customers that subscriber data will be uniformly protected. The current state of the law does not well serve law enforcement interests, either. Resources are wasted on litigation over applicable standards, and prosecutions are in jeopardy should the courts ultimately rule on the Constitutional questions.

2. Digital Due Process – the Movement

In response to these issues, a recently formed group aims to revise the ECPA. Information about this group’s work and relevant resources associated with the Act can be found at http://digitaldueprocess.org.

C. The Federal Wiretap Act

The Federal Wiretap Act specifically prohibits “any person” from intercepting a wire, oral, or electronic communication without a court order or the consent of one of the parties to the conversation.[38] The Act defines “intercept” as the “aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”[39] The interception must be intentional.[40] The penalty for violations may be a fine, imprisonment for up to five years, or both.

1. Exceptions to the Federal Wiretap Act

a. Exception: Consent of a Party

It is not unlawful for a person to intercept an oral or wire communication if the person is a party to the communication or if a party to the communication has given prior consent to the interception.[41]

b. Exception: Spousal Consent

Though most federal circuits have not recognized an interspousal exception to the wiretapping statute, the Second and Fifth circuit courts of appeals have held that there is such an exception to the statute.[42]

In Simpson v. Simpson, the Fifth Circuit Court of Appeals held that the recording of telephone conversations in the marital home by Husband who suspected Wife of infidelity did not violate the Federal Wiretap Act.[43] The Court reasoned that because federal courts have typically left family matters to state courts, Congress did not intend to counteract this tradition through the Federal Wiretap Act. This opinion has been widely criticized.

For Texas state law holding differently than Simpson, see Collins v. Collins, 904 S.W.2d 792 (Tex. App. – Houston [1st Dist.] 1995, writ denied) discussed below.

Similarly, the Second Circuit Court of Appeals in Anonymous v. Anonymous found that interspousal wiretaps involve marital disputes, which are an area generally left to the discretion of states.[44] These opinions have been widely criticized and rejected by other federal courts which have found no Congressional intent to except willful, intercepted spousal communications.[45]

c. Exception: Vicarious Consent for Minors

With respect to parents who tape record the phone conversations of their minor children within the home, some courts have recognized a limited “vicarious consent” exception, whereby parents and guardians of minors have the authority to consent for their minor child when it is perceived by the parent or guardian to be in the best interests of the child.[46] The Federal

[38] (81) 18 U.S.C. Sec. 2510-2520
[39] (82) 18 U.S.C. Sec. 2510(4)
[40] (83) 18 U.S.C. Sec. 2511(1)
[41] (84) 18 U.S.C. Sec. 2511(d)(d)
[42] (85) Simpson v. Simpson, 490 F.2d 803 (5th Cir. 1974); Anonymous v. Anonymous, 558 F.2d 677 (2d Cir. 1977).
[43] (86) 490 F.2d 803 (5th Cir. 1974)
[44] (87) 558 F.2d 677 (2d Cir. 1977)
[45] (88) See United States v. Jones, 542 F.2d 661, 669 (6th Cir. 1976). See also Pritchard v. Pritchard, 732 F.2d 372 (4th Cir. 1984); Kempf v. Kempf, F.2d 1537, 1539 (10th Cir. 1991); Platt v. Platt, 951 F.2d 159 (8th Cir. 1989)
[46] (89) See e.g., Wagner v. Wagner, 64 F. Supp. 895, 896 (D. Minn. 1999); March v. Levine, 136 F. Supp.2d 831, 849 (M.D. Tenn. 2000), aff’d, 248 F.3d 462 (6th Cir. 2001); Allen

6 Privacy and Confidentiality Issues Chapter 9

Wiretap Act may not be violated if a party to the 1) an injunction prohibiting further interception intercepted conversation has “vicariously” consented or divulgence or use of the information to the recording. obtained by an interception; In Pollock v. Pollock, the Sixth Circuit Court of 2) statutory damages of $10,000 for each Appeals articulated a “good faith” test.47 If the parent occurrence; has a “good faith, reasonable basis for believing such 3) all actual damages in excess of $10,000; consent was necessary for the welfare of the child,”48 4) punitive damages in an amount to be then a recording of a child’s conversation would be determined by the court or jury; and admissible. The Court also found that the parent 5) reasonable attorney’s fees a n d costs.” T E X . C doing the recording on behalf of the minor child IV . P R A C . &R M CODE §123.004. must demonstrate a reasonable belief “…that the minor child is being abused, threatened, or intimidated by the 2. Texas Penal Code other parent.”49 Section 16.02 of the Texas Penal Code provides The exception does not apply to every situation. that a person commits the offense of unlawful The West Virginia Supreme Court of Appeals in West interception, use, or disclosure of wire, oral, or Virginia Dep’t of Health and Human Resources v. electronic communications “if the person David L., found that a parent did not have a right to intentionally intercepts, endeavors to intercept, or record conversations with the other parent while the procures another person to intercept or endeavor to children were in the other parent’s house.50 intercept a wire, oral or electronic communication.”51 An offense under this section is a second degree 52 D. Texas Wiretap Statutes – the Federal felony. Counterpart 1. Texas Civil Practice and Remedies Code 3. Exception to the Texas Wiretap Act A party to a communication may sue a a. 
Exception: Express or Implied Consent person who: Texas law allows one party to a conversation to 53 tape or intercept the conversation. 1) intercepts, attempts to intercept or employs or obtains another to intercept o r attempt to b. Non-exception: Spousal Consent – inte rc ept a communication; Unlike the Federal counterpart, Texas does not 2) uses or divulges information that the person recognize the interspousal exception to 54 55 knows or reasonably should know was wiretapping. Texas courts generally have obtained by interception of the declined to follow the Simpson case to attach a communication; or spousal immunity exception to applicable federal or state 3) as a landlord, building operator, or wiretap statues. communication common carrier, either personally or through an agent or employee, E. Computer Breach – the Penal Code aids or knowingly permits interception or Section 33.02 of the Texas Penal Code provides attempted interception of the communication. that “a person commits an offense if the person knowingly accesses a computer, computer network, or For purposes of the statute, “interception” means computer system without the effective consent of the “the aural acquisition of the contents for a owner.” An offense under this section is a class B communication through the use of an electronic, misdemeanor. If the person who commits the offense mechanical, or other device that is made without the knowingly obtains a benefit, defrauds or harms consent of a party to the communication.” TEX.CIV. PRAC.& REM. CODE§123.001(2). A person who establishes a cause of action under the statute is entitled to: 51 Texas Penal Code 16.02 (b)(1) 52 Tex Silas v. Silas, 680 So.2d 368, 371 (Ala. Civ. App. 1996). 93 453 S.E.2d 646, 654 (1994 ).as Penal Code v. Mancini, 170 S.W.3d 167 (Tex. App. – Eastland 2005, 16.02(f) pet. filed) 53 Kotria v. Kotria, 718 S.W.2d 853, 855 (Tex.App.– Corpus 47 (90) 154 F.3d 601 (6th Cir. 1998) Christi 1986, writ ref’d n.r.e.). 
48 (91) See id at 610 54 Collins v. Collins, 904 S.W.2d 792 (Tex.App.–Houston 49 (92) See id; Silas v. Silas, 680 So.2d 368, 371 (Ala. Civ. [1st Dist.] 1995, writ denied) App. 1996). 55 See Kent v. State, 809 S.W.2d 664 (Tex.App.–Amarillo 50 (93) 453 S.E.2d 646, 654 (1994). 1992, writ ref’d).

7 Privacy and Confidentiality Issues Chapter 9 another, or alters, damages or deletes property, the common is the ability to capture email, text messages, offense is based on the value of the harm done.56 websites visited, keystrokes, including name and passwords, it can screen shot program activity and Tracking Devices and Vehicles capture photographs. The key logger programs also run in stealth mode Section 16.06 of the Texas Penal Code provides and some now provide web access - no longer that a person commits the offense of unlawful requiring access to the actual computer where the installation of a tracking device “if the person spyware was installed versus emailing you the content. knowingly installs an electronic or mechanical tracking In United States v. Ropp, because a key logger device on a motor vehicle owned or leased by another recorded keystroke information in transit between the person.” Such an offense is a Class A misdemeanor.57 keyboard and the CPU, the court found that the system transmitting the information did not affect interstate 1. Caveat Emptor – vehicle ownership required commerce, and the keystroke signals, therefore, were Occasionally, a client will inquire about hiring a not “electronic communication” under the Wiretap Private Investigator to place a GPS device on the Act.60 spouses’ car. Be advised that it is a violation of Texas In Potter v. Havlicek, Mr. Havlicek admitted to law to install a tracking device on a vehicle unless the installing monitoring software on the family computer. vehicle is registered in the client’s name.58 He also admitted to downloading e-mail from his wife’s web-based email account, but claimed it was 2. Exception: Law enforcement authorized because she had chosen to save her Note that the same rules may not apply to law username and password through the browser’s enforcement. In United States of America v. Bernardo 59 “remember me” feature. 
The District Court for the Garcia, the police attached a GPS device to a suspect Southern District of Ohio ruled that evidence obtained and the court held that the suspect’s constitutional in a divorce case through the use of spyware could be rights had not been violated. admitted, noting that the ECPA does not permit courts to disallow such evidence. The Court did say that F. Spyware “disclosure of the information in state court by Jeffery Spyware equipment can range from simple Havlicek or his attorney might be actionable civilly or (Maxwell Smart) to highly complex. A tape recorder, criminally”, and it was suggested that the “remember a mobile phone, an EZ tag, a webcamera and a me” option probably did not give Mr. Havlicek an computer all can all be used to find information. implied right to view his wife’s e- mail messages.61 Additionally, the Havlicek Court questioned 1. Spyware on the Mobile Phone whether Ropp’s construction of “affecting interstate For a nominal fee beginning as low as $40.00, commerce” is correct. It suggested that Ropp reads the spyware can be purchased and installed on statute as requiring that the communication must be unsuspecting party’s mobile phone to record traveling in interstate commerce as opposed to merely information such as call and SMS contact history, “affecting interstate commerce.” The keystrokes, appointments, Internet browsing, bookmark and email while not traveling in interstate commerce, do “affect history, location tracking and location history, sound inter-state commerce.” recording of phone calls, picture and video history, text The following portions of this paper are adapted messages, it can remotely activate the cell phone’s from the article entitled “Tips for Safeguarding microphone and record every call made. Confidentiality & Privacy of Client Information in Compliance with Professional Rules, HIPPA & other 2. 
Spyware on your computer – key logger programs Statutory Requirements,” written by Al Harrison and Most key logger programs are available for less Randy Claridge, and presented at the State Bar of than $100.00 and can readily be purchased in computer Texas 2010 Annual Meeting in Fort Worth, Texas, and stores and via the internet. What the programs share in “A Lawyer’s Work is Never Done” written by Esther Chaves and moderated by Caren K. Lock, Esther

56 Chaves and W. Reid Wittliff at the State Bar of Texas TEX. PEN. CODE 33.02(2) th 57 TEX.PEN.CODE § 16.06(c). 9 Annual Advanced Consumer & Commercial Law 58 See United States of America, Plaintiff-Appellee, v. Course in August of 2013 in Houston, Texas. The Bernardo Garcia, Defendant- Appellant. United States of Appeals for the Seventh Circuit, No. 06-2741, January 10, 2007, Argued- February 2, 2007, Decided 474 F.3d 994e 60 Ropp, 347 F.Supp.2d 837-38 Occupations Code Chapter 1702, Section 17.02.332. 61 The case may be found on Westlaw at 2007 WL 539534 59 United States v. Ropp 347 F.Supp.2d 831 (C.D.Cal.2004) (S.D.Ohio) Potter v. Havlicek

8 Privacy and Confidentiality Issues Chapter 9 author would like to thank all of the authors for their In addition to the duties imposed upon lawyers by excellent contributions. the disciplinary rules, there are many federal and state rules and regulations that impose additional IV. CONFIDENTIALITY requirements of confidentiality on certain classes of Gone are the days where adding an additional lock personal information, including requirements to the client file room door would almost guarantee associated with the destruction of personal client information was protected. Today, law firms information. transfer confidential information via email almost daily. An entire client file can be placed on a flash C. Texas Business & Commerce Code drive the size of a stick of gum. In the “paperless Texas is among the many states that has enacted office”, all of a client’s information is stored legislation that creates a duty for businesses to protect electronically on servers, on hard drives or in the personal information provided in the regular course of cloud. Whether through the loss of a laptop or a flash business. Law firms are included among those drive, or data breaches due to lack of proper businesses that have a duty to protect the information protections or due to hacking, lawyers face new and to notify clients in the event of a breach of challenges in protecting client information. In addition security. The following is a sampling of duties created to the disciplinary rules historically imposed upon by the Texas Business & Commerce Code. lawyers, emerging and evolving federal and state laws may be applicable to certain client information. 1. The Texas Identity Theft Enforcement and Protection Act (ITEPA): Requires businesses to (i) A. 
Texas Rules of Professional Conduct implement and maintain reasonable procedures to The Texas Disciplinary Rules of Professional protect from unlawful use or disclosure any sensitive Conduct provide that except as otherwise permitted personal information (SPI) collected or maintained by or required, a lawyer shall not knowingly “reveal the business in the regular course of business; (ii) confidential information of a client or a former client destroy or arrange for the destruction of customer to: (i) a person that the client has instructed is not to records containing SPI (that are not to be retained) receive the information; or (ii) anyone else, other by shredding, erasing or otherwise making the than the client, the client’s representatives, or the information unreadable or undecipherable. Tex. Bus. members, associates, or employees of the lawyer’s & Com. Code Ann. § 521.052 (West 2009). Section law firm.” Confidential information includes both 521.053 requires businesses that operate in Texas, privileged information and unprivileged client and own or license computerized data that includes information. Unprivileged client information means sensitive personal information, to disclose any breach all information relating to a client, other than of its system security (which means unauthorized privileged information, acquired by the lawyer acquisition of computerized data that compromises the during the course of or by reason of the security, confidentiality, or integrity of sensitive representation of the client. 
Comment 4 related to personal information maintained by a person, Rule 1.05 notes that the rule generally extends including data that is encrypted if the person accessing ethical protection to unprivileged information the data has the key required to decrypt the data) to relating to the client or furnished by the client during any person whose information was, or is reasonably the course of or by reason of the representation of believed to have been, acquired by an unauthorized the client. See, Tex. Disciplinary R. Prof’l Conduct person. Tex. Bus. & Com. Code Ann. §521.053 (West 1.05(a) and (b), reprinted in Tex. Gov’t Code Ann., 2009). tit. 2, subtit. G, app. A (West 2005 & Supp. 2009). There are monetary penalties for violations of the Act. Fines of up to $500.00 for each record that could B. ABA Model Rule potentially be exposed to unintended or unauthorized In August 2012, the American Bar Association review can be imposed. Additional penalties of up to added a new Model Rule 1.6(c) which provides: “A $20,000.00 per violation can be assessed against lawyer shall make reasonable efforts to prevent the businesses that give customers specific assurances inadvertent or unauthorized disclosure of, or about protection of confidential information and then unauthorized access to, information relating to the fail to provide that protection. representation of a client.” New language in the comment to this rule identifies factors that lawyers 2. Privacy Policy Necessary to Require should take into account in determining whether their Disclosure of Social Security Number: A person efforts are reasonable, including the cost of the may not require an individual to disclose the safeguards and the sensitivity of the information. individual’s social security number (SSN) to obtain See, August 2012 Amendments to ABA Model Rules goods or services from or enter into a business of Professional Conduct. 
transaction with the person unless the person (i) adopts 9 Privacy and Confidentiality Issues Chapter 9 a privacy policy; (ii) makes the privacy policy Portability and Accountability Act (“HIPPA”). It available to the individual; and (iii) maintains under the expands the definition of the term “covered entity” in privacy policy the confidentiality and security of the the existing health privacy law and requires all SSN disclosed to the person. Tex. Bus. & Com. employees of covered businesses to undergo training Code Ann. § 501.052 (West 2009). The privacy on HIPPA and Texas’ health privacy law within sixty policy must include: (i) how personal information is (60) days of hiring and once every two (2) years collected; (ii) how and when the personal information thereafter. Additionally, the Texas Attorney General, is used; (iii) how the personal information is Texas Health Services Authority, or Texas Department protected; (iv) who has access to the personal of Insurance is authorized to conduct compliance information; and (v) method of disposal of the audits of covered entities that have consistently personal information. Id. Certain entities are exempt violated the Texas law. Fines for violations range from including those required to maintain privacy policies $5,000.00 up to $1,500,000.00 per year for violations. under the federal Gramm-Leach Bliley Act, the For a more detailed discussion see: Updates to the federal Family Educational Rights and Privacy Act of Texas Medical Privacy Act: How Texas Covered 1974, and the Health Insurance Portability and Entities Should Prepare By George R. Gooch, J.D Accountability Act of 1996. Tex. Bus. & Com. Code http://www.law.uh.edu/healthlaw/perspectives/2012/H Ann. § 501.051 (West 2009) LPGoochHIPrivacy.pdf

3. Disposal of Business Records Containing F. Protecting Your Clients’ Confidentiality Personal Identifying Information: When a business Practicing law in today’s high-tech environment disposes of a business record that contains personal while being faced with constantly evolving rules and identifying information of a customer of the business, regulations associated with privacy concerns require the business shall modify, by shredding, erasing, or practitioners take proactive steps to protect your clients other means, the personal identifying information so and yourselves. The following are relatively easy to as to make the information unreadable or implement steps that may go a long way in protecting undecipherable. Tex. Bus. & Com. Code Ann. § client information while protecting yourself from 72.004 (West 2009). Exceptions include financial liability. institutions as defined by 15 U.S.C. 6809 and entities defined by 601.001 of the Texas Insurance Code. Id. 1. Encryption Violators are subject to a civil penalty of up to $500 Encryption refers to a process of converting for each business record. Id. A business is considered information into a form which is unusable, unreadable, to be in compliance if it with a person and indecipherable to parties not possessing the engaged in the business of disposing of records for the requisite decryption algorithm. There currently exist modification of PII on behalf of the business. Id. several popular encryption paradigms including: file or folder encryption, full-disk encryption, and encrypted D. HIPPA/HiTECH communications to and from networked computers. Most practitioners are familiar with the Health Regardless of the approach taken, encryption is quickly Insurance Privacy Portability and Accountability Act becoming a standard requirement of the contemporary of 1996 (HIPPA). 
It requires releases for obtaining law office because the loss of an encrypted computer medical records and information frequently sought or encrypted data file often does not trigger notification during family law disputes. It was updated in 2010 by rules, thereby potentially protecting attorneys and the Health Information Technology for Economic and clients from the expenses and other ramifications Clinical Health Act (HiTECH). The purpose of the associated with a breach of client confidentiality. update was to require any business that handles personal health information to comply with HIPPA a. Individual File Encryption regulations. Individual file or folder encryption is perhaps the first form of encryption adopted by many attorneys E. Texas Health Privacy Law using software programs such as Adobe Acrobat Recent law was enacted to specifically target Professional (Acrobat). Using Acrobat, a Portable patient data privacy, see HB 300 amended Chapter Document Format (PDF) file, or set of PDF files, can 181, Health and Safety Code and became effective on be converted to a form that renders the file unreadable September 1, 2012. According to health care to anyone lacking a corresponding password or digital providers, the law mandates patient privacy protections certificate. An encrypted file may then be stored on a and harsher penalties for privacy violations related to computer network or e-mailed to a client without fear electronic health records (EHR). The requirements of of inadvertent disclosure of confidential information. the Texas law are more stringent than those of its Although easily implemented, individual file federal counterpart, the Health Insurance Privacy encryption poses a significant challenge when dealing 10 Privacy and Confidentiality Issues Chapter 9 with numerous clients and client matters that implicate inherently strong password; (2) relatively short laptop multiple passwords. 
If the password required for a or handheld inactivity or the placement of handheld in particular file were destroyed or otherwise were to holster causes timeout that blanks screen, or shuts become unavailable, the contents of the encrypted file down hard drive, deactivates keys or touch screen, and would be in all likelihood lost and thus effectively requires password for reactivation; (3) email should digitally “shredded.” preferably be encrypted in transit to and from user; (4) stored files encrypted - text, images; (5) all data should b. Full Disk Encryption (FDE) preferably be remotely purged if laptop or handheld Another encryption approach, typically has gone missing. implemented on business-class laptops, is full-disk encryption (FDE), either hardware-based or software- b. Password Logistics based. With FDE, the contents of the entire hard drive The propriety of passwords must be assured and are stored in an encrypted state. In a hardware-based sustained or else the integrity of the safeguarding implementation of FDE, a decryption key is stored protocol is undermined. This is a very serious and within the circuitry of the hard drive and data is crucial aspect of safeguarding client data. While seamlessly decoded following initial entry of a inconvenient and introducing another level of password by the user. In a software-based complexity to the law firm environment, password implementation of FDE, pre-installed software such as protocol must be carefully established and rigorously the open-source program TrueCrypt serve as boot-time practiced and enforced. Use common sense with gatekeepers requiring password entry prior to decoding password protocol. For example, do not keep of user data. 
The ease of FDE is readily apparent; passwords in plain view near computers and do not however, care should be taken following initial generously share core or private passwords and be password entry because data is automatically decoded discriminating when determining which personnel have until the system is turned off or rebooted.62 Unlike access to core passwords. individual file encryption, FDE does not require password entry beyond a single boot-time entry. A c. Secure the laptops, mobile and memory devices single password can be used for each computer which Be vigilant about properly caring for each and stores confidential client information thereby rendering every storage device containing proprietary and the information unreadable should the computer be confidential client information ― both in the office stolen or otherwise misplaced. and contained on a portable electronic device or storage medium. According to the FBI’s National c. Encryption of client communications Crime Information Center, the number of reported In addition to secure storage of client information laptop and mobile device thefts are rising exponentially on internal office computers, electronic from year to year. communications with client should also be encrypted. One of the most prevalent venues for laptop losses Fortunately, most Internet services, including e-mail, e- to occur are U.S. airports: as many 12,000 laptops are commerce, and document storage incorporate the lost or stolen weekly at domestic airports, as estimated Secure Sockets Layer (SSL) protocol specified within by the Ponemon Institute. This Institute has also the settings of an e-mail software application or guesstimated that as many as 800,000 memory devices, identifiable by “https://” preceding a website address. 
laptops, smartphones and thumb drive memory sticks If “https://” does not precede a website address, then are lost or stolen annually; and that major corporations the communications to and from that website are not are inflicted by annual robberies devolving to about encrypted and are potentially readable by unknown 600 laptops, 2000 USB thumb drive memory sticks, third parties. 1000 smartphones, and 1,500 other portable electronic data storage devices. 2. Procedural Tips for Protecting Client Information Caution should be exercised in virtually every a. Security Prerequisites for Laptops and venue the attorneys visit or travel, not just airports and Handhelds train stations, but also coffee shops, government Recommended security prerequisites for laptops buildings and offices, clients' offices and sites. It and handhelds: (1) password protected with an appears that contemporary criminals have adopted the protocol for stealing or demanding popular, easily 62 Information on TrueCrypt can be found at liquidated electronic devices besides cash money. (http://truecrypt.com), PGP Whole Disk Encryption Laptops and netbooks should be held securely to (http://pgp.com), and Windows proprietary Bit Locker prevent thieves from engaging in a snatch-and-run (http://microsoft.com/windows/windows- maneuver at an attorney's expense. 7/features/bitlocker.aspx).

d. Remote Laptop Security
A recent fail-safe application to be considered by law firms is Remote Laptop Security ("RLS") corresponding to a procedure that enables users to control access to files on a laptop even if the laptop has gone missing. Proprietary files for safeguarding are selected a priori and are implicated in a protocol for either restoring or terminating the account that owns the data files. The designated administrator selects which files to be safeguarded using the RLS application. Duly safeguarded files are then converted and encrypted to permit only authorized access. For a laptop which has gone missing, access to secured files is unequivocally denied. There are RLS tools dependent upon Internet or WiFi connections, and even cellular access. In the abundance of caution, RLS applications should periodically authenticate user identity. Of course, under circumstances in which access to proprietary files on a particular laptop has been deactivated, that laptop ceases to be authenticated.

e. Client Confidentiality and Third Parties
The Supreme Court of Texas Professional Ethics Committee Opinion Number 572, June 2006, addresses the use of an independent contractor, such as a copy service, hired by the lawyer to perform services in connection with the lawyer’s representation of the client. The Committee concluded:

    A lawyer's delivery of materials containing privileged information to an independent contractor providing a service, such as copying, to facilitate the lawyer's representation of a client (and not for the purpose of disclosing information to others) does not constitute "revealing" such privileged information within the meaning of Rule 1.05, provided that the lawyer reasonably expects that the independent contractor will not disclose or use such items or their contents except as directed by the lawyer and will otherwise respect the confidential character of the information. In these circumstances, the independent contractor owes a duty of confidentiality both to the lawyer and to the lawyer's client.

Although not explicitly addressed by the Committee, use of independent contractors in the form of Internet-based services would not necessarily constitute revealing of privileged client information. However, attaining a reasonable expectation that Internet-based service providers will neither disclose nor use such privileged information, except as directed by the lawyer, may prove problematic.

3. Maintaining Client Confidentiality 101
In its article, Preventing Law Firm Data Breaches, the Texas Bar Journal discussed security basics that every lawyer should know, including:

• Have a strong password of at least 12 characters. A strong 12-character password takes roughly 17 years to crack.
• Don’t use the same password everywhere.
• Change your passwords regularly.
• Do not have a file named “passwords” on your computer.
• Change the defaults. Whether you are configuring a wireless router or installing a server operating system, make sure you change any default values.
• Laptops should be protected with whole disk encryption—no exceptions.
• Backup media should be encrypted. If you use an online backup service, make sure the data is encrypted in transit and while being stored. Also, be sure that employees of the backup vendor do not have access to decrypt keys.
• Thumb drives should be encrypted.
• Keep your server in a locked rack in a locked closet or room. Physical security is essential.
• Most smartphones write some amount of data to the phone. Opening a client document may write it to the smartphone. The iPhone is data rich. Make sure you have a PIN for your phone. This is a fundamental protection. Don’t use “swiping” to protect your phone as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also make sure that you can wipe the data remotely if you lose your phone.
• Solos and small firms should use a single integrated product to deal with spam, viruses and malware.
• Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, make sure that all communications are secure. WEP is weaker and can be cracked. The only wireless encryption standards that have not been cracked (yet) are WPA with the AES (Advanced Encryption Standard) or WPA2.
• Make sure all critical patches are applied. This may be the job of your IT provider, but too often this is not done.
• If software is no longer being supported, its security may be in jeopardy. Upgrade to a supported version to ensure that it is secure.
• Control access.
• Using cloud providers for software applications is fine, provided that you made reasonable inquiry into their security. Read the terms of service carefully and check your state for current ethics opinions on this subject.
• Be wary of social media applications, as they are now frequently invaded by cybercriminals. Giving another application access to your credentials for Facebook, as an example, could result in your account being hijacked. And even though Facebook now sends all hyperlinks through Websense first (a vast improvement), be wary of clicking on them.
• Consider whether you need cyber insurance to protect against the possible consequences of a breach. Most insurance policies do not cover the cost of investigating a breach, taking remedial steps or notifying those who are affected.
• Dispose of anything that holds data, including a digital copier, securely. For computers, you can use a free product like DBAN to securely wipe the data.
• Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL.
• For remote access, use a VPN or other encrypted connection.

4. The American Bar Association’s Legal Technology Resource Center provides information regarding the latest legal technology and an extensive resource list on technology related ethics matters. http://americanbar.org/groups/departments_offices/legal_technology_resources.html.
5. The Federal Trade Commission is responsible for many business related privacy laws, and its website provides an extensive listing of legal resource statutes relating to consumer protection, including The Children’s Online Privacy Protection Act, Health Information Technology Provisions of American Recovery and Reinvestment Act of 2009, Title XIII, Subtitle D, the Gramm-Leach Bliley Act, and the Fair Credit Reporting Act. http://ftc.gov.
6. TRUSTe operates a privacy seal program which certifies how businesses collect and manage personally identifiable information. http://truste.com/about-TRUSTe/.
7. The Better Business Bureau offers a data security guide which includes checklists for small businesses to secure sensitive data, safely transmit data, properly dispose of paper and electronic records and includes steps to take in the event of a data breach. http://bbb.org/us/bbb-online-business/.

8. Privacy Act of 1974: Provides an overview of See, Sharon D. Nelson and John W. Simek, the Privacy Act, which safeguards personal Preventing Law Firm Data Breaches, Texas Bar information held by government agencies Journal, May 2012, p 364. from queries by others.

http://justice.gov/opcl/privstat.htm V. HELPFUL LINKS TO FEDERAL LAWS, 9. Family Educational Rights and Privacy Act ACTS AND POLICIES ON PRIVACY AND (FERPA): Protects privacy of educational CONFIDENTIALITY data.

http://ed.gov/policy/gen/guid/fpco/ferpa/index 1. The Patient Safety and Quality Improvement .html Act of 2005 (PSQIA) Patient Safety Rule: 10. Library of Congress' Thomas Search Engine Confidentiality protections to encourage the reporting and analysis of medical errors. for U.S. Federal Legislation: A search engine for the text of bills. You can search by exact http://ahrq.gov/qual/psoact.htm bill number, if known, or by a topic such as 2. The Confidential Information and Statistical "HIPAA," "Confidentiality," "Patriot Act," or Efficiency Act of 2002(CIPSEA): This act "E-Government Act of 2002" which will ensures that information provided to statistical agencies for statistical purposes under a produce a list of direct links to the legislation. http://thomas.loc.gov/home/thomas.php pledge of confidentiality can be used only for 11. Legal Information Institute at the Cornell Law statistical purposes, and that individuals' or School: This website has materials to make organizations' data confidential data should be law more accessible to students, teachers, and kept confidential. the general public. http://law.cornell.edu/ http://bls.gov/opub/mlr/cwc/confidentiality-

information-protection-and-statistical- 12. The Code of (U.S.) Federal Regulations efficiency-act-of-2002.pdf (CFR): This website allows users to access 3. Freedom of Information Act: This website all the Federal regulations issued by any provides guidelines as to which data may and agency. The CFR is a codification of the may not be disclosed under the terms of the general and permanent rules published in the Freedom of Information Act. http://foia.gov Federal Register by the Executive 13 Privacy and Confidentiality Issues Chapter 9

departments and agencies of the Federal Government. http://gpo.gov/fdsys/browse/collectionCfr.acti on?collectionCode=CFR 13. Several statistical agencies have their own confidentiality statutes, e.g., the Census Bureau, the National Center for Education Statistics and the National Science Foundation. Search their web sites for specific details.

VI. CONCLUSION

It is often said that the best defense is a good offense. The smart practitioner will heed this advice and take proactive steps to remain abreast of the evolution of privacy laws and requirements for the protection of confidential client information. It may never be possible to fully insulate client information in today’s environment, but self-educating and taking precautionary measures may prevent you from having to phone your carrier in the event of a data breach.
