Workshops‎ > ‎cs-ga-2010‎ > ‎

Nick Akerman


Recent legal trends in data protection

There are three major areas of law which have developed over the last few years designed to protect computer systems and two types of data – 1) competitively sensitive data that provide businesses with an advantage in the marketplace and 2) personal individual data which, if it falls into the hands of criminals, can be used to perpetrate identity theft on the individual. 

The first is Computer Fraud and Abuse Act (CFAA).  18 U.S.C. § 1030.  The statute was enacted in 1984 as a criminal statute to criminalize the theft of national security and banking data. The CFAA has since been amended a number of times in response to new technologies and the ubiquitousness of computers in society. The CFAA outlaws the entire panoply of computer crime including stealing computer data, schemes to defraud through computers, trafficking in computer passwords or similar information with intent to defraud, destroying computer data, hacking,  sending computer viruses and extortion. All of these illegal acts can form the basis for a criminal prosecution or a civil action.  The statute covers all computers used in interstate commerce, meaning that a computer that sends and receives email is operating in interstate commerce.

What is unique about this statute is that it allows companies to set the rules that form the predicate for a violation of the statute. In EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58, 63 (1st Cir. 2003), the court recognized that the “CFAA…is primarily a statute imposing limits on access and enhancing control by information providers.” Thus, a company “can easily spell out explicitly what is forbidden.” Id. at 63.  The critical element that must be proved under most violations of the statute is that the violator did not have authorized access to the computer or exceeded authorized access.  What is and is not authorized access has been a major subject of federal court litigation.

The second area of law is the 45 state statutes requiring companies which maintain personal data on individuals to notify individuals if there is reasonable basis to believe there has been a data breach involving their personal data.  The first of such statutes was enacted in 2003 by California Calif.   Civ. Code §1798.82, et seq.  The type of personal information covered under the law is non-public information such as Social Security numbers, driver’s license numbers, and account, credit card, or debit card numbers in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

The purpose of the law is to provide individuals with adequate, timely notice so they have the opportunity to protect their bank accounts and credit cards from being accessed and used by the data thieves. The key issue for companies is how to respond to a suspected breach, particularly what constitutes reasonable basis to believe there was a breach, and if so, what steps to take to investigate the breach and to notify individuals whose data may been breached.  Also, the federal government has become involved in the protection of personal data through enforcement actions by the Federal Trade Commission and the passage last year of the HITECH Act requiring notification to consumers when personal health related data is believed to be breached.

The third trend is compliance.  Rather than simply requiring businesses to respond to a data breach with notifications, newly enacted laws in Connecticut, Massachusetts, Nevada and Washington impose certain compliance obligations on businesses to protect personal information from a data breach.   The most onerous of these statutes is the Massachusetts law that became effective on March 1, 2010, requiring businesses which store personal data on individuals to institute a comprehensive compliance program to protect the data.  The law applies to businesses outside of Massachusetts which store personal data on Massachusetts residents.  

Compliance is also becoming an important issue in protecting competitively sensitive data.  Beginning in 2003 the New York Stock Exchange requires listed companies to have in place data compliance programs to protect both competitively sensitive and personal data.  Also, because a violation of the CFAA is predicated on authorization or permissions to the company computers, every company should set out the scope of those authorizations in its codes of conduct and employee agreements.