Fenwick & West LLP
Silicon Valley Center
801 California Street
Mountain View, CA 94041
Phone: 650.988.8500
www.fenwick.com
Robert D. Brownstone
NCC
Audio Conference
April 22, 2010
Internet Policies for Information-Security
and Data Privacy
Legal Compliance and IT Best-Practices
THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.
EIM GROUP ©
Agenda/Outline
Introduction
I. Key Duties of Every Organization
A. Protecting its Own Proprietary and Sensitive Information
B. Protecting Clients’/Customers’ & Related Entities’ Confidential Info.
C. Protecting Individuals’ Personal Info.
D. Risk-Management as to Liability to Employees and/or to Third-parties
II. Liability Risks & Data Leakage
A. Intentionally Harmful Intentional Disclosures
B. Inadvertently Harmful Intentional Disclosures
C. Unintentional Losses of Sensitive Information
III. Compliance Overview
A. Big Picture – Three E’s
B. Top 10 InfoSec Tips
Conclusion/Questions
Agenda/Overview
Internet Security Policy is a piece of a Technology-Acceptable-Use Policy (TAUP) = No-Expectation-of-Privacy Policy (NoEPP)
Many SAMPLES linked off Appendix A
TWO KEYS TO DEFENSIBLE POLICIES:
POLICY CONTENTS
CONSISTENT ENFORCEMENT
I. INTRO – Basics of Legal Defensibility
Modern additional concerns: MANY more ways information
can be posted or shared
E-mail volume, persistence, “forwardability,” etc.
Now, MANY other forums; everyone can be a publisher
I. INTRO – Our Digital World
INTRO – Today’s Heightened Concerns
“37 percent of workers say they could be bought”
Tim Wilson, Many Users Say They'd Sell Company Data For The Right Price, dark reading (4/24/09) <www.darkreading.com/shared/printableArticle.jhtml?articleID=217100330>
“41% of workers have already taken sensitive data with them to their new position”
Help Net Security, Workers stealing data for competitive edge (11/23/09) <www.net-security.org/secworld.php?id=8534>
INTRO – Heightened Concerns (c’t’d)
Many company failures and dissolutions of service-providers such as law firms ...
lot more places information (electronic and/or hardcopy) can be left unattended
more info. potentially susceptible to theft and/or loss while in transit or at rest
I. Key Duties – A. Protecting Own Sensitive Info.
IP, incl. Trade Secrets, Work Product, etc.
Proprietary information:
strategic plans
Customer/client lists
Other Sensitive Information
I. Key Duties – B. Other Entities’ Confidential Info.
Friendly entities . . . .
Obligations to a Client Based on:
Obligations Travelling with Transferred Information (regulatory and contractual)
Professional-Responsibility Duties. Exs: Lawyers
Attorney-Client Privilege
Ethical Duty of Confidentiality
Accountants
Broker-dealers & other financial service pros.
Consultants, etc.
I(B). Other Entities’ Confidential Info. (c’t’d)
Obligations to a Customer (c’t’d):
Some matters even more confidential than others
M&A activity
contemplated or threatened lawsuits
criminal investigations
administrative agency inquiries
information subject to protective order
Friendly entities . . . .
As to entity customers and those customers’ entity-customers, parents, subsidiary/ies and joint venturers
All same categories as on prior slides
I(B). Other Entities’ Confidential Info. (c’t’d)
Adverse Entities, under NDA and/or Protective Order
entities on other sides of transactions
litigation opponents
third-party subpoena recipients
I(B). Other Entities’ Confidential Info. (c’t’d)
I. Key Duties (c’t’d) – C. Individuals’ Info.
WHO? Employees and individual customers of:
own organization
affiliates
adverse parties
WHAT?
all sorts of documents posted on, or transmitted via, web
Exs.: databases’ and spreadsheets’ contents
I(C). Key Duties – Individuals’ PII (c’t’d)
Wrongful acquisition of Personally Identifiable Information (PII) can lead to identity theft
PII legal protections include:
Miscellaneous information:
State constitutional right of privacy
Common-law invasion torts
European Union (EU) Privacy Directive
I(C). Individuals’ PII – Legal Protections (c’t’d)
Personal financial information:
> 40 States’ notice-of-breach and other anti-identity-theft (credit-freeze) statutes <www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx>
Pending federal legislation
H.R. 2221 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111 cong bills&docid=f:h2221rh.txt.pdf
S. 1490 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111 cong bills&docid=f:s1490rs.txt.pdf
I(C). Key Duties – Individuals’ PII (c’t’d)
Personal Health/Medical Information (PHI):
Federal: HIPAA (& HI-TECH)
State Ex.: Cal. AB 1298
Personally identifying information:
FRCP 5.2 (redaction)
Consumer credit report information:
FTC’s Disposal Rule (FACTA; FCRA)
I(C). PII (& PHI) Loss/Theft – Scope of Problem
Statistics on Breaches
See “Chronology of Data Breaches” for 2005-2010 (350M+ records) <www.privacyrights.org/ar/ChronDataBreaches.htm#CP>
85% of large orgs. have had major network security incident
Solera/Trusted-Strategies Study (10/1/09) <www.soleranetworks.com/news/survey-despite-expected-attacks-most-networks-are-unprepared-for-quick-response/>
Each missing record can cost $200+ . . . .
Angela Moscaritolo, Data breaches cost organizations $204 per record in 2009, SC Magazine (1/25/09) (36 % of situations from loss of laptop or mobile device)
<scmagazineus.com/data-breaches-cost-organizations-204-per-record-in-2009/printarticle/162259/> (linking to <www.encryptionreports.com/2009cdb.html>)
I. D. Risk-Management
© Native Intelligence 2001
Direct claims based on breaches and/or leaks
Third parties’ claims based on bad employee conduct, e.g., postings, copyright infringement via downloads, etc.
Harassment claims by employees or by clients
A. Intentionally Harmful Disclosures
Direct misuse of IP, trade secrets and/or customer lists to compete with ex-employer
“Whistleblower” leaks, i.e. “Wikileaks”
If content violates a site-use policy or infringes copyright, ask for takedown . . .
If neither but if it harms organization and (ex-) employee will not take it down, . . . then what?
Cf. Fred von Lohmann, Improving DMCA Takedowns at Blogger, Flickr, EFF Commentary (9/29/09) <eff.org/deeplinks/2009/09/improving-dmca-takedowns-blogger-flickr>
II. Liability Risks & Data Leakage
Strange Things People Memorialize
E-mail communications generally less formal and thoughtful than other correspondence
"Candid comments" can have significant impact
Can’t go back in time and “terminate” an e-mail
So use best efforts to refrain from writing and from over-saving . . .
"Quick, delete that e-mail before Eliot Spitzer sees it!"
(Corante NY 7/29/05)
II. B. Inadvertently Harmful Intentional Disclosures
Now . . . bigger universe of miscellaneous web activities
II(B). Intentional Conduct (c’t’d) –
II(B). Social-Media/Web 2.0 (c’t’d)
Search-ability keeps increasing:
Google Launches Social Search, Info. Week (10/27/09) (“ . . . more likely to find what friends and associates have to say . . .”) <www.informationweek.com/shared/printableArticle.jhtml;jsessionid=X2SFWWL1CJBP3QE1GHOSKH4ATMY32JVN?articleID=220900747>
Twitter in Google, Microsoft licensing talks: report, Reuters (10/8/09) <www.reuters.com/articlePrint?articleId=USTRE5974C420091008>
Scoopler.com – New Real Time Search Engine Aggregates Web 2.0 Content (beSpacific 5/10/09) <www.bespacific.com/mt/archives/021321.html#021321>
II(B). Web 2.0 (c’t’d) – Risk Management
Wonderful for networking/transparency . . . BUT:
“76 percent of companies . . . block employees' use of social networking – up 20 percent from February . . .
“[N]ow a more popular category of sites to block than those involving shopping, weapons, sports or alcohol.”
Tresa Baldas, Companies Say No to Friending or Tweeting, Nat’l. L. J. (10/8/09) (citing recent survey and another survey showing 54% . . . .) <www.law.com/jsp/cc/PubArticleCC.jsp?id=1202434373430>
One key issue = (ostensible) authority to speak on behalf of city re: work-related matter
Also: Direct misuse of confidential information to harm (ex-)employer
II(B). Web 2.0 Risks (c’t’d) – Intentional Conduct
II(B). Web 2.0 (c’t’d) – Twittering . . .
From <http://twitter.com/petehoekstra/statuses/1182334669>:
Rafe Needleman, Congressman twitters secret trip to Iraq (CNET news 2/6/09) <http://news.cnet.com/8301-17939 109-10159054-2.html>
See also <http://GovTwit.com> and President Obama’s New Twitter Feed (NYT 5/1/09)
II(B). Web 2.0 (c’t’d) – “Off-Duty” Posts
Codes of Conduct and Current Employees’ Personal Postings
Public Sector Exs.: – Teachers and Police
Ian Shapira, When Young Teachers Go Wild on the Web; Public Profiles Raise Questions of Propriety and Privacy, Wash. Post (4/28/08) <http://www.washingtonpost.com/wp-dyn/content/article/2008/04/27/AR2008042702213 pf.html>
Michelle Yoffee-Beard, Oviedo officer resigns after online sex ads, photos uncovered, Seminole Chronicle (8/6/08) <www.seminolechronicle.com/vnews/display.v/ART/2008/08/06/489a38bf11c0e>
TO LEARN MORE about a variety of related issues, see Ken Strutin, Criminal Law Resources: Social Networking Online and Criminal Justice, LLRX (2/28/09) <http://www.llrx.com/node/2150/print>
II(B). Damaging Posts (c’t’d) – Confidential Docs.
Web 2.0 posting of link to wrong document in June ‘09:
City check registry posted on web by mayor of Battle Creek, Michigan
Contained personally identifiable information on 65 city employees, including Soc. Sec. No for 6 of them
Claimed an employee had mistakenly given him the wrong item
Taken down quickly (within a day)
But employees offered free identity protection for 1 year
Tresa Baldas, Lawyers warn employers against giving glowing reviews on LinkedIn, Nat’l L. J. (7/6/09) <www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202432039774>
II(B). Damaging Posts (c’t’d) – Online References
II(B). Damaging Posts (c’t’d) – Anonymous Praise
“[Wild] OATS [Markets] has lost their way and no longer has a sense of mission or even a well-thought-out theory of the business. They lack a viable business model . . . .”
“Perhaps the OATS Board will wake up and dump [C.E.O. Perry] Odak and bring in a visionary and highly competent C.E.O.”
“I like [OATS rival Whole Foods Markets Chair and C.E.O. John P.] Mackey’s haircut. I think he looks cute!”
• Some of 7 years of postings by Whole Foods co-founder Mackey himself on Yahoo Finance’s bulletin board
II(B). Damaging Posts (c’t’d) – Anonymous Praise
Whole Foods did change its Code of Conduct
Chelsea Peters, Whole Foods, Unwholesome Practices: Will Sock Puppeteers be Held Accountable for Pseudonymous Web Postings?, 5 Shidler J.L. Com. & Tech. 4 (9/23/08) <www.lctjournal.washington.edu/Vol5/A04Peters.html>
Compare this VERY recently adjudicated one
Full decision: SEC v. Curshen, No. 09-1196 (10th Cir. 4/13/10) <www.ca10.uscourts.gov/opinions/09/09-1196.pdf>
Also discussed in Amy E. Bivens, Anonymity of Golf Company Promoter's Online Praise May Have Destroyed Haven for Puffery, BNA Elec. Comm. & L. Rep. (4/13/10)
II. C. Unintentional Losses of Sensitive Information
Unencrypted portable devices and/or removable media lost or stolen: laptops; smartphones; DVD’s & CD’s; and USB sticks, thumb-drives, etc.
Encryption is protective AND typically exempts an incident from the reach of notice-of-breach statutes
Remedial efforts are COSTLY
See Tech//404® Data Loss Cost Calculator <http://www.tech-404.com/calculator.html>
Sites/Networks Attacked/Hacked
Extranets – misuse of access control/ rights settings
Improper disposal of paper or digital data – enabling “dumpster-diving”
Human error, e.g.: NELI conference hotel PC incident
Commuter Indiscretions, typed and spoken
David Lat, A Funny Thing Happened on the Way to New York (Or: Pillsbury associates, brace yourselves.), Above The Law (2/19/09) <http://abovethelaw.com/2009/02/pillsbury winthrop partner indiscretion.php>
Bob Lewis, Computer security when travelling by train – an expert’s observation, Computer Weekly (10/21/08) www.computerweekly.com/Articles/ArticlePage.aspx?ArticleID=232765&PrinterFriendly=true
<http://www.newsfactor.com/story.xhtml?story id=52124>
II(C). Unintentional Losses (c’t’d)
II(C). Unintentional Losses (c’t’d)
Incoming – Viruses, Worms & Malware, Oh My
Attachments not only potential culprits.
So are:
P2P file-sharing software
malicious links to suspect websites
“phishing” and “whaling” (latter a/k/a “spear-phishing”)
II(C). Unintentional Losses (c’t’d)
Outgoing
“Reply All” OR “suggest name”/“auto-complete”
Dan Slater, Lawyer’s Email Slip-up Leads to Zyprexa Leak, WSJ Law Blog (2/2/08) <http://blogs.wsj.com/law/2008/02/05/report-lawyers-email-slip-up-leads-to-zyprexa-leak/>
E-mailing an attachment to B if attachment contains metadata exposing confidential information about A
Computer unattended and unlocked
IV. Compliance Basics
A. Big Picture of Defensible Policies -- KUMBAYA?!
Clear, well-thought-out language on which multiple constituencies have weighed in . . .
Compliance’s “3 E’s” = Establish/Educate/Enforce
© TOSHIBA
See Samples links in Appendix A
NEVER blindly follow a sample
DON’T GO TOO FAR
Right to monitor vs. taking on duty to monitor
Examples: harassing language filter; IM logs
BE REASONABLE/REALISTIC
Incidental/limited personal use exception
Dep’t Of Education v. Choudhri, OATH Index No. 722/06 (N.Y.C. Office Of Admin. T & H 3/9/06)<files.findlaw.com/news.findlaw.com/hdocs/docs/nyc/doechoudri30906opn.pdf>
IV(A). Implementing Defensible Policies
IV(A). Implementing Defensible Policies
BE CAREFUL WITH:
Attorney-Client Privilege
For split in case law, see Appendix B, §§ I - II
Avoid unauthorized intrusions into employees’ personal Web 2.0 pages, passwords and/or e-mail
Can violate ECPA Title I (Wiretap) or Title II (SCA)
For 3 recent decisions, see Appendix B, § III(A)
IV. B. Top Ten Info-Sec Tips
10. Strong Passwords
Ex. of flawed basic security measure: login and password = e-mail-address + last-name
Andrew Clevenger, Lawyer admits computer breach; [s]pying on firm may cost license, Charleston Gazette (3/2/08) <http://seclists.org/isn/2008/Mar/6>
Lawyers Disciplinary Bd. v. Markins, No. 33256 (W. Va. Sup. Ct. App. 5/23/08) <http://www.state.wv.us/WVSCA/docs/Spring08/33256.pdf>
9. Warn as to “Reply All”
(but see PDA’s and OWA) <www.sperrysoftware.com/outlook/Reply-To-All-Monitor.asp>
IV(B). Top Ten Info-Sec Tips (c’t’d)
8. “Pseudonymised data”
Use apps that replace live Social Security numbers and credit card numbers with “dummy figures”?
Brian Bergstein, Why would sensitive data ever need to be on portable computers? AP (7/7/06) <www.usatoday.com/tech/news/computersecurity/infotheft/2006-07-09-stolen-laptop-data x.htm?csp=34>
7. Central vs. Local Storage
Firewall and password protection for:
Document Management System (DMS)
Shared network drives
Illustration by Keith Simmons
5. Mobile/Portable Devices/Media
Laptops
Encrypt
Ex: <www.guardianedge.com/shared/Case Study Fenwick West.pdf>
Impose some responsibility on individuals
http://web.archive.org/web/20061016130614/http://www.pcguardian.com/pdfs/computertheftpolicy 082003.rtf (sample “computer theft” policy)
USB sticks, et al.
Great for transferring data quickly
Many legitimate uses
But, unless use DRM . . .
IV(B). Top Ten Info-Sec Tips (c’t’d)
4. Proper Disposal
Remember it’s an administrative issue, too
Manage entire data life cycle, including recycling, donating and throwing away
Securely shred hard-drives & back-up tapes
Periodic auditing needed, too . . . .
IV(B). Top Ten Info-Sec Tips (c’t’d)
3. Internet Access
Location, Location, Location
public computer (in a hotel lobby or a café)
PC at your friend’s or relative’s house
Don’ts: save file to Desktop or My Documents
leave computer with logged-in browser session open to:
work e-mail or personal webmail e-mail Inbox
a secure extranet site
allow browser to save login/password
IV(B). Top Ten Info-Sec Tips (c’t’d)
2. Outsourcing
Reasonable care . . . careful contract drafting . . . synch protocols . . .
Especially important given emergence of: “Cloud”
Electronic PHR era
1. Metadata Scrubbing & Electronic Redaction
Let’s be careful out there . . .
IV(B). Top Ten Info-Sec Tips (c’t’d)
Conclusion/Questions
Q+A
Robert D. Brownstone <fenwick.com/attorneys/4.2.1.asp?aid=544>
650.335.7912 or <[email protected]>
Please visit F&W EIM & Privacy Groups
<www.fenwick.com/services/2.23.0.asp?s=1055>
<www.fenwick.com/services/2.14.0.asp?s=1045>
APPENDIX A -- Brownstone – Materials & Resources – SAMPLE TECHNOLOGY-ACCEPTABLE-USE POLICIES (“TAUP’s”) – @ 3/21/10
• Generic TAUP’s – Samples appended to 8/28/09 NELI White Paper:
o Pages D-1 through D-17 (.pdf pp. 142-58) (blogging policy should be expanded to cover all Web 2.0 sites)
<http://fenwick.com/docstore/publications/EIM/eWorkplace Policies Materials Public Sector EEO 8-28-09.pdf#page=142>
• Web-2.0/Social-Media Policies – Non-Fenwick-Drafted Generic Samples:
o <http://op.bna.com/pl.nsf/id/dapn-7vak72/$File/AP.pdf>
o <http://socialmediagovernance.com/policies.php>
o <http://mashable.com/2009/04/28/facebook-privacy-settings>
o <www.records.ncdcr.gov/guides/best practices socialmedia usage 20091217.pdf>
o <http://Utah-Guidelines-10-12-09.notlong.com>
o <www.law.com/jsp/ca/PubArticleFriendlyCA.jsp?id=1202431342723>, linking to sample:
▪ <www.jaffeassociates.com/pages/articles/view.php?article id=330>; OR
▪ <http://jaffeassociates.com/uploads/userfiles/file/Social.pdf>
o <http://www.lehrmiddlebrooks.com/SocialMedia.html>
o <www.epolicyinstitute.com/bin/loadpage.cgi?1254863981+forms/index.asp> ($99)
o <www.messagelabs.com/white papers/epolicy form> (free registration)
• Related Helpful Resources
o <http://www.records.ncdcr.gov/>
o <www.pbpexecutivereports.com/er.asp?O=13P&L=NetH> ($99)
o <www.law.com/jsp/cc/PubArticleCC.jsp?id=1202428377614>
o <www.delawareemploymentlawblog.com/technology/the internet as a hiring tool/>
APPENDIX B -- Brownstone <[email protected]> eWorkplace Privacy – Decisions and Articles re: Attorney-Client Privilege, etc. (4/1/10)
I. Attorney-Client Privilege Decisions
• Stengart v. Loving Care Agency, Inc., ___ A.2d ___, 2010 WL 1189458 (N.J. 3/30/10) <http://www.judiciary.state.nj.us/opinions/supreme/A1609StengartvLovingCareAgency.pdf>
o affirming and modifying 408 N. J. Super. 54, 973 A.2d 390, 393, 106 Fair Empl. Prac. Cas. (BNA) 1177, 158 Lab. Cas. ¶ 60,829, 29 IER Cases 588 (N.J. App. Div. 6/26/09) (“[f]inding that the policies undergirding the attorney-client privilege substantially outweigh the employer's interest in enforcement of its unilaterally imposed regulation, we reject the employer's claimed right to rummage through and retain the employee's emails to her attorney”) <lawlibrary.rutgers.edu/decisions/appellate/a3506-08.opn.html>
reversing 2009 WL 798044 (N.J. Super. L. Div. 2/5/09), available at <privacyblog.littler.com/uploads/file/Stengart%20v%20Loving%20Care.pdf>
• Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866, 2009 WL 3669741 (D. Idaho 11/2/09) (pro-employer/subpoena recipient; e-mails to and from lawyer as opposed to cc’s to lawyer; FHA case) <http://www.steptoe.com/assets/attachments/3958.pdf>
• Fiber Materials, Inc. v. Subilia, 974 A.2d 918 (Me. 7/16/09) (split between pro-employee majority and pro-employer concurring opinions) <courts.state.me.us/court info/opinions/2009%20documents/09me71fi.pdf>
• Scott v. Beth Israel Medical Ctr., 17 N.Y. Misc. 3d 934, 2007 N.Y. Slip Op. 27429 (N.Y. Sup. N.Y. 10/17/07) (distinguishing Jiang, in employment breach of contract action; finding Plaintiff's communications with attorney regarding litigation, transmitted over Defendant's email system, not protected by attorney-client privilege or work-product, in light of "no personal use" e-mail policy combined with stated policy allowing for employer monitoring) <http://www.nycourts.gov/reporter/3dseries/2007/2007 27429.htm>
• Sims v. Lakeside School, 2007 WL 2745367, 2007 U.S. Dist. LEXIS 69568 (W.D. Wash. 9/20/07) (“unequivocally clear [contents of] policy on computer networks” partially trumped by “public policy” such that employer “not permitted to review any web-based [sic] generated e-mails, or materials created by plaintiff . . . to communicate with his counsel or his wife”) <jenner.com/files/tbl s69NewsDocumentOrder/FileUpload500/3492/Sims%20v.%20Lakeside%20School.pdf>
• Long v. Marubeni America Corp., 2006 WL 2998671, at *1, *3 (S.D.N.Y. 10/19/06) (where temporary internet files contained “residual images of e-mail messages” sent by employees to their attorney via private e-mail accounts, policy’s “admonishment to . . . employees that they would not enjoy privacy when using [their employer]'s computers or automated systems is clear and unambiguous[; P]laintiffs disregarded the admonishment voluntarily and, as a consequence, have stripped from the e-mail messages . . . the confidential cloak”) <http://wolfs2cents.files.wordpress.com/2007/03/usdc-sdny long v marubeni2006usdistlex76594 19oct.pdf>
• Nat'l Econ. Research Assocs. (NERA) v. Evans, 21 Mass. L. Rep. 337, 2006 WL 2440008, 2006 Mass. Super. LEXIS 371(Mass. Super. Ct. 8/3/06) (“if an employer wishes to read an employee's attorney-client communications unintentionally stored in a temporary file on a company-owned computer that were made via a private, password-protected e-mail account accessed through the Internet, not the company's Intranet, the employer must plainly communicate to the employee that: (1) all such e-mails are stored on the hard disk of the company's computer in a "screen shot" temporary file; and (2) the company expressly reserves the right to retrieve those temporary files and read them.”) <http://www.gesmer.com/upload/download.php?id files=65>
• Curto v. Medical World Communics., Inc., 2006 WL 1318387, 99 Fair Empl. Prac. Cas. (BNA) 298 (E.D.N.Y. 5/15/06) (ex-employee had not waived privilege or work product immunity as to information recovered forensically from work-at-home laptop provided by employer) <www.internetlibrary.com/pdf/curto.pdf> (distinguishing U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000))
• Jiang, People v., 31 Cal. Rptr. 3d 227 (Cal App. 6 Dist. 7/14/05) (unpublished decision holding that attorney-client privilege covered documents on employer-issued laptop where employee had “made substantial efforts to protect the documents from disclosure by password-protecting them and segregating them in a clearly marked and designated folder”) <http://caselaw.lp.findlaw.com/data2/californiastatecases/H026546.PDF>
• Asia Global Crossing, Ltd., In re, 322 B.R. 247, 251, 259 (Bankr. S.D.N.Y. 3/21/05) (“[a]ssuming a communication is otherwise privileged, the use of the company’s e-mail system does not, without more, destroy the privilege; however, no waiver of attorney-client privilege because “evidence [wa]s equivocal regarding the existence or notice of corporate policies”) <http://www.internetlibrary.com/pdf/In-re-Asia-Global-Crossing-SD-NY-Bankruptcy.pdf>
II. Attorney-Client Privilege Articles
• Michael Booth, Privilege Trumps Company E-Mail Surveillance, N.J.L.J. (4/1/10) <http://www.law.com/jsp/nj/PubArticleNJ.jsp?id=1202447264728>
• Anthony E. Davis, Attorney-Client Privilege in Work E-Mails, N.Y.L.J. (11/5/09) <http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202435191463>
• Fernando M. Pinguelo and Andrew K. Taylor, New Jersey Court Finds Waiver of Privilege in ‘Loving’ Way, Fios (4/14/09) <http://Fios-Stengart.notlong.com>
• Philip L. Gordon and Kate H. Bally, Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook, Littler Workplace Privacy Counsel (3/24/09) <http://Gordon-Bally-Littler.notlong.com>
• Mary Pat Gallagher, E-Mail Sent on Company Laptop Waives Privilege, N.J.L.J. (3/10/09) <http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202428912956&rss=ltn>
• Michael F. Urbanski and Timothy E. Kirtner, Employee Use of Company Computers – A Privilege Waiver Mine Field , 57 Va. Lawyer 40 (2/1/09) <http://www.vsb.org/docs/valawyermagazine/vl0209 computers.pdf>
• Cecil Lynn, Public ESI or Privileged? Enforcement of Workplace Computer Privacy Policies, BNA Privacy & Security Law Report (11/17/08) (as does Robert Brownstone, this author calls them “ ‘No Expectation of Privacy’ – ‘NEoP’ – policies,” too) (subscription needed) <http://news.bna.com/pvln/PVLNWB/split display.adp?fedfid=11020416&vname=pvlrnotallissues&fn=11020416&jd=A0B7H5F8A2&split=0>
• Herrington, Matthew J. and Gordon, William T., Are You at Risk of Waiving the Attorney-Client Privilege by Using Your Employer's Computer Systems to Communicate With a Personal Attorney?, 7 BNA Privacy & Security Law Report No. 18, at 685 (5/5/08) <http://pubs.bna.com/ip/bna/pvl.nsf/eh/a0b6k4w6m5>
• Talcott, Kelly D., “Cutting Out Privacy in the Office,” N.Y.L.J. (12/19/07) <http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1198010085253>
• Bick, Jonathan, “E-Communications Policy: Getting It Right,” E-Commerce Law & Strategy (Oct. 12, 2006) <http://www.bicklaw.com/Publications/E-ComPol.htm>
III. More Privacy Decisions in Other Contexts re: Laptop or Desktop Contents:
• A. ECPA decisions re: employer obtaining password and accessing private webmail account or Web 2.0 page:
o Pietrylo v. Hillstone Rest. Group d/b/a Houston's, 2009 WL 3128420 (D. N.J. 9/25/09) (MySpace group page; SCA violation; punitive damages) <http://www.employerlawreport.com/uploads/file/Opinion%209-25-09.pdf>
o Brahmana v. Lembo, 2009 WL 1424438 (N.D. Cal. 5/20/09) (key-logging to obtain login/password to personal e-mail account; Wiretap Act claim survives motion to dismiss) <http://op.bna.com/pl.nsf/id/dapn-7sfhhx/$File/brahmana.pdf>
o Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (9th Cir. 3/18/09) (personal e-mail account accessed as part of defense of sexual harassment claim; SCA violation; punitive damages) <http://pacer.ca4.uscourts.gov/opinion.pdf/071892.P.pdf>
• B. Employee Laptop/Desktop Decisions in Other Contexts:
o 1. Various decisions compiled at these footnotes & accompanying text
Robert D. Brownstone, Workplace Privacy Policies, Nat’l Emp. L. Inst. (NELI) (Aug. 2009) <fenwick.com/docstore/publications/EIM/eWorkplace Policies Materials Public Sector EEO 8-28-09.pdf > (more recent, shorter version available from author on request):
footnote 60 @ .pdf p. 20 (White Paper p. 14); footnotes 305-09 @ .pdf pp. 75-77 (White Paper pp. 69-71); and footnote 325 @ .pdf p. 79 (White Paper p. 73)
o 2. Various decisions compiled at these pages
Robert D. Brownstone, Preserve or Perish; Destroy or Drown – eDiscovery Morphs Into EIM, 8 N.C.J. L. & Tech. (N.C. JOLT), No. 1, at 1 (Fall 2006) <http://jolt.unc.edu/sites/default/files/8 nc jl tech 1.pdf>
2006 L. Rev. article, at pp. 32-33 <http://jolt.unc.edu/sites/default/files/8 nc jl tech 1.pdf#page=32>
2007 Supp., at p. 8 <fenwick.com/docstore/publications/EIM/NC JOLT eDiscovery Supplement.pdf#page=8>
o 3. Overbreadth of discovery via forensics
Bennett v. Martin, 2009-Ohio-6195, 2009 WL 4048111 (10th App. Dist. 11/24/09) <http://www.supremecourt.ohio.gov/rod/docs/pdf/10/2009/2009-ohio-6195.pdf>
Cornwall v. Northern Ohio Surgical Ctr., Ltd., 2009-Ohio-6975, 2009 WL 5174172 (6th App. Dist. 12/31/09) <www.supremecourt.ohio.gov/rod/docs/pdf/6/2009/2009-ohio-6975.pdf>
In re Weekley Homes L.P., 295 S.W. 3d 309 (Tex. 8/28/09) (conclusory assertions as to hoped-for circumstantial evidence insufficient to warrant capture of four hard disc images) <www.supreme.courts.state.tx.us/historical/2009/aug/080836.pdf>
John B. v. Goetz, 2008 WL 2520487, 2008 U.S. App. LEXIS 13459 (6th Cir. 6/26/08) (vacating district court order that had required forensic captures of > 50 computers’ hard drives, based in part on privacy/confidentiality concerns) <www.ca6.uscourts.gov/opinions.pdf/08a0226p-06.pdf>
Full Brownstone Bibliography at <fenwick.com/attorneys/4.2.1.asp?aid=544>