Exposing legal land mines: protecting the privacy and integrity of e-records is a critical issue for information professionals; understanding e-records laws and company policies can help. (Legal Watch).The legal landscape is changing rapidly with the passage of new laws whose intent is to bring technology under control through the legal system. These new laws provide guidance not only on what is considered an electronic record or electronic signature but also on how these technologies should create and maintain data to meet legal evidentiary requirements and ensure its privacy.The new laws cover a wide variety of complex issues, but there is one that is most important: the privacy of collected information, both on the Internet and within corporate systems. What these laws do not address is the hidden legal menace of spoliation Any erasure, interlineation, or other alteration made to Commercial Paper, such as a check or promissory note, by an individual who is not acting pursuant to the consent of the parties who have an interest in such instrument. -- the intentional or unintentional destruction of evidence -- that can cause great harm to a business in litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. or in achieving compliance under a regulatory agency regulatory agency Independent government commission charged by the legislature with setting and enforcing standards for specific industries in the private sector. The concept was invented by the U.S. . There is no federal privacy requirement in the United States for electronically created or captured information. In this area the United States has adopted the policy of self-regulation rather than imposed regulation, with some exceptions, which are addressed later. The Federal Trade Commission (FTC FTC See Federal Trade Commission (FTC). ), under the authority of the Federal Trade Commission Act, has the authority to monitor unfair or deceptive trade practices of businesses. This is done by reviewing the privacy policy posted on a business' Web site. Although a business is not required to adopt a privacy policy, if it does adopt one and does not follow that policy, the FTC may bring an enforcement action against the company for unfair or deceptive practices. Possible consequences of not complying with the posted privacy policy would be the issuance of a cease and desist order An order issued by an Administrative Agency or a court proscribing a person or a business entity from continuing a particular course of conduct. The force and effect of a cease and desist order are similar to those of an Injunction issued by a court. or the imposition of civil fines. Most actions have been settled with the FTC rather than litigated. A congressional report recently released details of how government Web sites use cookies and collect social security numbers in violation of federal law. Of the 10 sites that reported policies, not one was meeting the provisions of its own stated privacy policy. Companies must be aware that the European Union European Union (EU), name given since the ratification (Nov., 1993) of the Treaty of European Union, or Maastricht Treaty, to the European Community (E.U.) has stringent privacy rules for data protection and these rules affect companies doing business with E.U. member countries, whether traditionally or over the Internet. In August 2001, a survey of 75 U.S. corporate Web sites found that none measured up to the E.U. standards for ensuring the privacy of customers' personal information. U.S. regulations ensuring privacy protection are focused in three major areas: information collected from children, financial information, and health information. Protecting Children The Children's Online Privacy Protection Act Not to be confused with the Child Online Protection Act. The Children's Online Privacy Protection Act of 1998[1] (COPPA)[2] is a United States federal law, located at Title 15, Section 6501, et seq., of the United States Code. of 1998 (COPPA COPPA Children's Online Privacy Protection Act of 1998 (FTC) ), which was enacted on October 21, 1998, and became effective April 21, 2000, is directed at companies whose Web sites are intended for children or who have actual knowledge that a person from whom they collect information is a child. It regulates the online collection, use, and disclosure of individually identifiable information of children under the age of 13 years. COPPA requires parental consent prior to online collection of information about children, and sites must have prominent links to their privacy policy on all pages. Recent studies suggest that companies need to be more attentive to the requirements of COPPA and the consequences of non-compliance. The Center for Media Education issued a report in April 2001 in which 153 Web sites were examined. The majority did not obtain prior parental consent or provide parental notice before collecting personal information from children and did not feature prominent links to their privacy policies as required by COPPA. Violations of COPPA are prosecuted by the FTC under section 5 of the FTC Act as unfair or deceptive trade practices. Penalties may include civil fines up to $11,000 per violation, attorney's fees, and injunctive measures to stop non-compliant practices. COPPA recognizes a safe harbor, or protection from penalty, for companies that comply with self-regulatory guidelines, which are issued by online businesses and approved by the FTC. The first self-regulatory business recognized by the FTC as a safe harbor is the Children's Advertising Review Unit (CARU CARU Children's Advertising Review Unit (Council of Better Business Bureaus) CARU Comisión Administradora del Río Uruguay (Uruguay-Argentina) ) of the Better Business Bureau. The FTC will consider businesses that comply with the CARU guidelines to be in compliance with COPPA. Protecting Financial Information The Gramm-Leach-Bliley Act, also called the Financial Services Modernization Law, was enacted on November 12, 1999. This act permits financial holding companies to sell banking, securities, and insurance products and services through an organization comprised of one or more related entities. Subtitle A of Title V of Gramm-Leach-Bliley, "Disclosure of Nonpublic Personal Information," imposes certain obligations and restrictions on a financial institution's collection, use, and disclosure of nonpublic consumer personal information. Various federal agencies that regulate the financial services industry were required by Congress to adopt rules to implement the privacy standards of the Gramm-Leach-Bliley Act. These agencies are the Office of the Comptroller of the Currency The Office of the Comptroller of the Currency (or OCC) was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and the federal branches and agencies of foreign banks in the United States. (OCC OCC See: Options Clearing Corporation OCC See Options Clearing Corporation (OCC). ), Board of Governors of the Federal Reserve System Board of Governors of the Federal Reserve System The managing body of the Federal Reserve System, which sets policies on bank practices and the money supply. (FRB See Federal Reserve Board. ), Federal Deposit Insurance Corporation Federal Deposit Insurance Corporation (FDIC), an independent U.S. federal executive agency designed to promote public confidence in banks and to provide insurance coverage for bank deposits up to $100,000. (FDIC FDIC See: Federal Deposit Insurance Corporation FDIC See Federal Deposit Insurance Corporation (FDIC). ), Office of Thrift Supervision The Office of Thrift Supervision (OTS) was established as a bureau of the Treasury Department in August 1989 as part of a major Reorganization Plan of the thrift regulatory structure mandated by the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA) (12 U.S.C.A. (OTS See Office of Thrift Supervision. ), National Credit Union Administration The National Credit Union Administration (NCUA) is responsible for chartering, insuring, supervising, and examining federal credit unions (FCUs) and for administering the National Credit Union Share Insurance Fund. , Securities and Exchange Commission, and the FTC. Each agency has issued regulations, and mandatory compliance with these regulations was required by July 1, 2001. In addition, the OCC, OTS, FRB, and FDIC issued guidelines relating to administrative, technical, and physical security measures, also effective July 1, 2001. Consequences of failure to comply with the requirements of Gramm-Leach-Bliley and the regulations of the other agencies can result in civil and/or criminal remedies and penalties. A recent report from the Center for Democracy and Technology found that several online mortgage companies fail to disclose privacy policies and most online banks fail to accommodate consumers wanting to keep their personal financial information private, thereby in violation of Gramm-Leach-Bliley. Protecting Health Information The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when (HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, ), which went into effect on April 14, 2001, regulates the use or disclosure of all forms of personally identifiable health information by health plans, health care clearinghouses, and certain health care providers and business associates. Most affected entities have until April 14, 2003, to comply with HIPAA. Health plans with annual receipts of $5 million or less have until April 14, 2004, to comply. Some of the requirements of HIPAA include: * Notice - Covered entities must inform individuals of the uses that may be made of their protected health information protected health information Health informatics Any individually identifiable health informatlon that is used or circulated by an entity that falls under the governance of HIPAA; the privacy regulations mandate safeguards for protected health information, and the and of any options they have to prevent it from being used by the covered entity or disclosed to outside parties. They must also provide a privacy-policy notice about the individual's rights, the covered entities' duties, and the types of information uses and disclosures that may be made. * Accuracy -- HIPAA imposes no duty on the covered entities to ensure that the information collected is complete or accurate. * Access and correction - Individuals have the right to access, inspect, and obtain a copy of protected information in a "designated record set" for as long as the information is maintained. Entities may provide a summary of the requested material instead of the full file of information, provided that the individual has agreed upon this in advance. Entities must act on a request for access no later than 30 days after receipt of the request. * Security -- Entities must implement policies and procedures Policies and Procedures are a set of documents that describe an organization's policies for operation and the procedures necessary to fulfill the policies. They are often initiated because of some external requirement, such as environmental compliance or other governmental to enable the verification of an individual's identity or entity requesting protected information. Covered entities must ensure that valid contracts are in place to cover their business associates' compliance with HIPAA requirements. Non-compliance with HIPAA will result in civil penalties from the Department of Health and Human Services' Office of Civil Rights. Violations can result in a penalty of up to $250,000 and a prison term of 10 years for the unlawful acquisition or disclosure of individually identifiable health information relating to an individual. Violators could also be charged with a federal crime for willful violations of the regulations. Destruction Issues Spoliation of evidence Lawyers and courts use the term spoliation to refer to the withholding, hiding, or destruction of evidence relevant to a legal proceeding and is a criminal act in the United States under Federal and most State law. is defined as the "... destruction of evidence. The destruction or the significant and meaningful alteration of a document of instrument." Spoliation arises from the duty to preserve evidence. The duty to preserve can come from existing, pending, or reasonably foreseeable litigation, through state or federal law, contract, or a company's record retention policy. Spoliation becomes a legal hazard when dealing with electronic records due to the ease of their creation, duplication, and alteration. Special care must be afforded to electronic documents to retain their integrity and to prevent unauthorized alteration and/or deletion. This goes not only to the security of the data, but of the system itself as well. Limiting access to documents to those people required to have access for their jobs will limit the potential for unauthorized access and alteration. A company must have the appropriate policies and procedures to put a legal hold on the destruction of records during litigation. Even routine functions, like rotation of back-up tapes, may invoke a cause for spoliation of evidence if documents on the backup tapes are not available from another source. The consequences of having a spoliation charge during litigation can be severe. Many companies have been -- and will be -- heavily sanctioned monetarily for failure to protect their documents during litigation. There are generally two methods that courts rely upon to remedy spoliation: recognizing an independent cause of action for intentional and/or negligent spoliation and engaging in civil discovery or evidentiary sanctions in pending litigation (Koesel, Bell, and Turnbull 2000). Only 12 states and the District of Columbia District of Columbia, federal district (2000 pop. 572,059, a 5.7% decrease in population since the 1990 census), 69 sq mi (179 sq km), on the east bank of the Potomac River, coextensive with the city of Washington, D.C. (the capital of the United States). have recognized an independent cause of action for spoliation of evidence. They are Alabama, Alaska, Florida, Idaho, Illinois, Indiana, Kansas, Louisiana, Montana, New Mexico, New Jersey, and Ohio. Other states rely on the authority of the court to implement sanctions. The authority to impose sanctions on a party for failure to produce evidence in violation of the discovery rules comes from the federal and state rules of civil procedure. These rules give the courts broad discretion to impose a variety of sanctions. Why are these new laws of importance to records and information managers? Many of these new laws may create new record series that must be scheduled and added to the retention policy. Long-term retention issues need to be addressed, specifically for information being retained in electronic format. Understandably, all electronic records are not created equal, depending upon their use, and there are specific retention issues for records that use electronic signature technologies. The new laws, both federal and state, provide the requirements that must be met in order to ensure the privacy, integrity, and security of electronic records. Records and information managers should be able to identify the laws that affect their businesses and understand the requirements for retaining electronic information. Every company needs to understand the legal landscape for their records, both paper and electronic, to avoid the landmines that may detonate det·o·nate intr. & tr.v. det·o·nat·ed, det·o·nat·ing, det·o·nates To explode or cause to explode. [Latin d as a result of non-compliance. Like the old saying goes, ignorance of the law is no excuse. At the Core This article: * Lists the various new e-record laws * Investigates how these laws are affecting information management * Looks at establishing company policies for document destruction Read More About It Black, Henry C. Black's Law Dictionary Black's Law Dictionary is the law dictionary for the law of the United States. It was founded by Henry Campbell Black. It has been cited as legal authority in many Supreme Court cases (see Secondary authority). , 7th Ed. New York: Kluwer Law International, 2001. Center for Democracy and Technology at www.cdt.org/privacy/(provides privacy resources, including information about ConsumerPrivacyGuide.org, an online resource providing consumers with tips and other information on how to better protect their privacy) Center for Media Education at www.cme.org/children/privacy/coppa_rept.pdf (provides a report on Web site compliance with COPPA) Children's Advertising Review Unit at www.caru.org/carusubpgs/harborpg.asp (describes the CARU Safe Harbor Program to aid its supporters in protecting the privacy of children online and meeting the requirements of COPPA) Gramm-Leach-Bliley Act at thomas.loc.gov/cgi-bin/query/z?c106:S.900.ENR ENR Enrolled (bill, resolution, etc. passed by both houses of Congress and re-typed) ENR Engineering News Record EnR Énergies Renouvelables (French) enr Enregistrement (French) : (provides the full text of the act) "Highlights of Recent IG Reports on Internet Data Collection," 2001. Available at www.senate.gov/~thompson/pr061801b.html (provides a summary of a report that reveals many U.S. government agencies are violating the federal Internet privacy rules for data collection) Koesel, Margaret M., David A. Bell, Tracey L. Turnbull, and Dan Gourash. Spoliation of Evidence, Sanctions, and Remedies for Destruction of Evidence in Civil Litigation. Chicago: American Bar Association American Bar Association (ABA), voluntary organization of lawyers admitted to the bar of any state. Founded (1878) largely through the efforts of the Connecticut Bar Association, it is devoted to improving the administration of justice, seeking uniformity of law , 2000. U.S. Department of Health and Human Services Noun 1. Department of Health and Human Services - the United States federal department that administers all federal programs dealing with health and welfare; created in 1979 Health and Human Services, HHS at aspe.os.dhhs.gov/admnsimp/ (provides guidance on Standards for Privacy of Individually Identifiable Health Information regulation) "Web Banks Come Up Short on Privacy," August 2001. Available at news.cnet.com/news/0-1005-200-7004484.html Rae N. Cogar, J.D., is a consultant with RCS (1) (Remote Computer Service) A remote timesharing service. (2) (Revision Control System) A Unix utility that provides version control. RCS - Revision Control System Consulting in Hamburg, New York Hamburg, New York may refer to the following locations in Erie County, New York:
|
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion