The electronic records conundrum: today, everything from business e-mails to speeding tickets could potentially--and legally--be posted online for all to see with just a few mouse clicks.

After losing their jobs, their health care, and their pensions and retirement fund savings, Enron Corp. employees probably never dreamed things could get worse.

But in March 2003, the Federal Energy Regulatory Commission The Federal Energy Regulatory Commission (FERC) is the United States federal agency with jurisdiction over electricity sales, wholesale electric rates, hydroelectric licensing, natural gas pricing, and oil pipeline rates. (FERC FERC Federal Energy Regulatory Commission
FERC FEMA Emergency Response Capability ) released the private exchanges of Enron employees--more than 1.6 million e-mails and documents by posting them on the Internet in a searchable database Refers to databases on the Web that are searchable by typing in a query. The term is quite redundant because all databases are searchable. In fact, that is one of their major features. (www.ferc.gov/ industries/electric/indus-act/wem/03-26-03-release.asp) for the world to read.

The agency gathered the e-mails, which included messages sent and received from 2000 through 2002, as part of materials collected for its investigation of Enron's alleged energy market manipulation Market manipulation describes a deliberate attempt to interfere with the free and fair operation of the market and create artificial, false or misleading appearances with respect to the price of, or market for, a stock. . Via the database, individuals can peruse pe·ruse
tr.v. pe·rused, pe·rus·ing, pe·rus·es
To read or examine, typically with great care.

[Middle English perusen, to use up : Latin per-, per- the e-mail of 176 current and former Enron executives and employees, most of whom were involved in the company's power-trading operations. But what has angered the employees as well as privacy advocates is the fact that the names of the e-mails' senders and recipients were not removed or edited, nor were e-mails containing bank records and Social Security numbers.

The FERC told The Wall Street Journal that the purpose of the online database is to help the public better understand whether Enron helped to create--and then profit from--an energy shortage in California during 2000 and 2001. In this vein, the database contains technical e-mails between power traders discussing "price curves" and "hub contracts." But it also includes personal e-mails regarding employees' finances, children, and relationships.

In an interview with The Wall Street Journal, FERC spokesman Kevin Cadden said the agency had given Enron three weeks' notice that it would be releasing the data collected in its investigation but Enron did not respond. Two days after the e-mails were posted online, however, Enron petitioned the FERC to get some of them removed. Employees inundated in·un·date
tr.v. in·un·dat·ed, in·un·dat·ing, in·un·dates
1. To cover with water, especially floodwaters.

2. Enron with angry messages demanding that certain documents be removed from the database. The agency removed a few of the most sensitive e-mails, including a payroll document that listed the Social Security number of every employee.

Following a U.S. Court of Appeals order early last April, the database was disabled for 10 days, during which time Enron was allowed to identify every e-mail it wanted removed. About 100 employee volunteers combed comb
n.
1.
a. A thin toothed strip, as of plastic, used to smooth, arrange, or fasten the hair.

b. An implement, such as a card for dressing and cleansing wool or other fiber, that resembles a hair comb in shape or through hundreds of thousands of messages and filtered out sensitive personal information.

The FERC eventually removed about 8 percent of the database, or 141,379 documents. But Enron employees still believe that too much personal material remains on public display. As of August 8, the agency had spent 350 hours reviewing about 17,185 documents for which confidentiality had been requested. Of those, the FERC said only 5,128 documents--mainly those containing Social Security numbers and employee performance evaluation Performance evaluation

The assessment of a manager's results, which involves, first, determining whether the money manager added value by outperforming the established benchmark (performance measurement) and, second, determining how the money manager achieved the calculated return information--would be withheld permanently.

Although many Enron employees undoubtedly believe that too much personal material still remains online for the public to view, their situation has taught employees everywhere a valuable lesson: Be careful how you use your business e-mail. You never know where your electronic messages may end up or who may be reading them, especially if the company you work for is sued or comes under investigation.

The Business Records Loop Hole

Internet service providers Internet service provider (ISP)

Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. (ISPs) such as America Online See AOL. and Yahoo! cannot release electronic communications to law enforcement or other parties without a warrant. But once an e-mail has been read or has remained opened for 180 days, it reverts to the unprotected "business records" category and is up for grabs by law enforcement, regulators, and lawyers, making it potentially dangerous to its author.

Weaknesses in existing laws protecting business records, including information stored with ISPs, open the door to widespread government data mining, legal experts said at a recent conference on Internet surveillance law.

Jim Dempsey, executive director of the Center for Democracy and Technology, explained how changes in technology have opened a gaping gap·ing
adj.
Deep and wide open: a gaping wound; a gaping hole.

gaping·ly adv.

Adj. privacy hole that has exposed the flaws in two Supreme Court decisions. In the 1976 U.S. v. Miller and the 1979 Smith v. Maryland Smith v. Maryland, 442 U.S. 735 (1979)^[1], was a case in which the Supreme Court of the United States held that the installation and use of the pen register was not a "search" within the meaning of the Fourth Amendment, and hence no warrant was required. cases, the high court ruled that bank records and phone numbers dialed are not protected because there is no "expectation of privacy" once a third party is given information.

"The business records cases say that if you voluntarily disclose [records] to someone else, you lose Fourth Amendment rights to them," Dempsey said. "To carry that over to the world of the Internet poses some problems, where people are taking information and putting it on third parties outside their control."

Recent efforts to build and implement data-mining technologies such as the U.S. Department of Defense's Terrorism Information Awareness (TIA (1) (Telecommunications Industry Association, Arlington, VA, www.tiaonline.org) A membership organization founded in 1988 that sets telecommunications standards worldwide. It was originally an EIA working group that was spun off and merged with the U.S. ) project are exploiting the "business record weakness," he said, and legal scholars, Congress, and executive-branch officials must rethink those precedents.

Dempsey linked the weakness of business record privacy protections to the rise of data mining as an antiterrorism an·ti·ter·ror·ist
adj.
Intended to prevent or counteract terrorism; counterterror: antiterrorist measures.

an tool. But he said he was disappointed that Congress cut all funding for TIA because that meant such research could migrate to less accountable agencies. He said several important questions must be answered, including:

* What should be the standard for governmental access to these large databases?

* Should there be a higher standard for government access to personal information after databases are mined?

* What recourse will individuals have if they are improperly identified?

Measure Expands FBI's Reach into Business Records

It does not look promising for those wishing to adopt limited protections for records. A measure recently approved by the U.S. Congress would significantly expand the Federal Bureau of Investigation's (FBI) power to demand financial records, without a judge's approval, from car dealers, travel agents, pawnbrokers, and many other businesses.

Officials said the measure, which is included in the intelligence community's authorization bill for 2004, would give agents greater flexibility and speed in tracing the financial assets Financial assets

Claims on real assets. of individuals suspected of terrorism and espionage espionage (ĕs`pēənäzh'), the act of obtaining information clandestinely. The term applies particularly to the act of collecting military, industrial, and political data about one nation for the benefit of another. .

Institutions such as banks and credit unions are frequently subject to administrative subpoenas from the FBI to produce financial records in terrorism and espionage investigations. Such subpoenas, which are known as "national security letters," do not require the bureau to seek a judge's approval before issuing them. The new measure, however, would expand the law to include securities dealers, currency exchanges, post offices, casinos, and any other institutions doing cash transactions with "a high degree of usefulness in criminal, tax, or regulatory matters."

A senior Congressional official who supports the provision said it is "meant to provide agents with the same amount of flexibility in terrorism investigations that they have in other types of investigations."

But critics say it would give the government greater power to pry into people's private lives. "This dramatically expands the government's authority to get private business records," said Timothy H. Edgar, legislative counsel for the American Civil Liberties Union American Civil Liberties Union (ACLU), nonpartisan organization devoted to the preservation and extension of the basic rights set forth in the U.S. Constitution. .

Just How Public Should Public Records Be?

In an increasingly electronic world where files posted online are much more easily accessible than files stored in a corporate library or courthouse, public records are caught in the limbo limbo

In Roman Catholicism, a region between heaven and hell, the dwelling place of souls not condemned to punishment but deprived of the joy of existence with God in heaven. The concept probably developed in the Middle Ages. between what should be posted online and what should not.

This battle is raging today in corporations and courthouses worldwide. Individual organizations, as well as federal and local governments, are cobbling together guidelines guidelines,
n.pl a set of standards, criteria, or specifications to be used or followed in the performance of certain tasks. , but it is becoming increasingly apparent that more definite rules--and perhaps federal regulations--are necessary.

In the court records arena, many states are struggling to strike a balance between which records shoed be posted online for public consumption and which should not. Within this dilemma are other challenges, such as whether public records should be edited to remove individuals' private information, including Social Security numbers and addresses. There are currently no standard federal or local guidelines.

As part of a sweeping computer system upgrade, New Hampshire New Hampshire, one of the New England states of the NE United States. It is bordered by Massachusetts (S), Vermont, with the Connecticut R. forming the boundary (W), the Canadian province of Quebec (NW), and Maine and a short strip of the Atlantic Ocean (E). is considering how much public access to electronic court records should be granted. Privacy and victim advocates have demanded either a ban or strict limits on the online posting of records involving divorces, domestic violence, and sex crimes, all of which are public in the state.

But public-access advocates argue that victims already have many protections. In New Hampshire, sex crime victims, especially children, are referred to in court records by only their initials. Also, the addresses of domestic violence victims are deleted from the copies of restraining orders restraining order: see injunction. given to defendants and placed in public files at the courthouse.

By contrast, the Montgomery County, Pennsylvania Montgomery County is a county located in the U.S. state of Pennsylvania, in the United States. As of 2000, the population was 750,097. A 2005 U.S. Census estimate placed the population at 795,618, making it the third most populous county in Pennsylvania, after Philadelphia and , civil court Web site includes an "abuser index" searchable by the name of the abuser or the victim. The posted information includes the victim's address. Critics worry that the index could be used by criminals to track down victims. But civil court clerks A court clerk, in British English clerk to the court or in American English clerk of the court is an officer of the court whose responsibilities include maintaining the records of a court. Another duty is to swear in witnesses, jurors, and grand jurors. say their hands are tied because the county's judges have deemed the records public. Many are advocating a compromise: access to a database that could generate statistics such as the number of domestic assault cases each year, what charges are filed, and the outcome--without identifying victims.

Many public records that cities and states routinely post online--speeding tickets, divorce records, bankruptcy filings--often contain detailed personal and financial information. Lawyers can ask judges to seal sensitive information on paper and online, but sealed records The introduction to this article provides insufficient context for those unfamiliar with the subject matter.
Please help [ improve the introduction] to meet Wikipedia's layout standards. You can discuss the issue on the talk page. can be unsealed.

Privacy advocates say all this places a huge burden on people already under stress, many of whom do not have lawyers. In New Hampshire, for example, nearly 70 percent of domestic abuse cases last year involved at least one person with no lawyer.

A carefully considered policy on what records should or should not be posted online and what information those records should and should not contain is necessary for governments and corporations. Lawmakers may pass regulations in the coming years, but records and information managers must make themselves aware of the problem, discuss the challenges, and present the potential solutions. If not, companies and governments may be left open to lawsuits and individuals may be vulnerable to identity theft or worse.

Protecting Court Records

When it comes to court records, judges generally control whether or not records are public or sealed. Most state and local courts that store records electronically use inexpensive imaging systems that scan documents as pictures in PDF (Portable Document Format) The de facto standard for document publishing from Adobe. On the Web, there are countless brochures, data sheets, white papers and technical manuals in the PDF format. format.

Many imaging systems can black out portions of images, providing some degree of privacy. But imaging software also makes it hard for court clerks to verify that confidential information Noun 1. confidential information - an indication of potential opportunity; "he got a tip on the stock market"; "a good lead for a job"
steer, tip, wind, hint, lead is excluded from motions and forms filed by lawyers. For that reason, many courts won't post imaged documents online.

Instead, many courts post dockets, or chronological lists of motions, rulings, and hearings in each case. Court clerks control docket information because they enter it. Docket information may not show up in an Internet search because Web-design tools can designate sites or parts of sites off-limits to search engines like Google. In addition, most court Web sites require users to fill out search forms with the case number or name of one of the parties to access a case. Software used by search engines cannot fill out those forms.

To further protect confidential information, some state and local courts have started asking lawyers to use computerized forms that have special fields for private data, such as Social Security numbers. Those fields display sensitive information as asterisks when viewed online. The federal courts' software, however, allows users to search for words within court records. All federal courts are now using or installing software that links dockets to motions and orders in each case, but entire cases, individual records, or parts of records can be sealed.

Under federal rules, lawyers are required to refer to minor children by their initials and to use only the last four digits of Social Security and financial account numbers in motions. The full names and numbers are on a separate, sealed form. All federal courts will have implemented new software by the end of 2005, according to according to
prep.
1. As stated or indicated by; on the authority of: according to historians.

2. In keeping with: according to instructions.

3. the Administrative Office of the U.S. Courts. Users of the new federal system must set up accounts, making it easier to track hacking See hack and hacker. incidents or criminal misuse of information. Only Social Security cases will be kept offline.

Global Privacy and Public Records Policies

In Europe and Canada, records containing private information are protected more stringently than in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. . While the United States has opposed comprehensive privacy protection regulations, other nations have passed tough rules governing how companies and governments may collect, release, and use personal data such as age, martial status, buying patterns--even the information on a business card.

European-Union inspired laws are now the norm in Canada, South America South America, fourth largest continent (1991 est. pop. 299,150,000), c.6,880,000 sq mi (17,819,000 sq km), the southern of the two continents of the Western Hemisphere. , Australia, New Zealand New Zealand (zē`lənd), island country (2005 est. pop. 4,035,000), 104,454 sq mi (270,534 sq km), in the S Pacific Ocean, over 1,000 mi (1,600 km) SE of Australia. The capital is Wellington; the largest city and leading port is Auckland. , and parts of Asia. Increasingly, those rules are shaping the way businesses operate around the globe.

Canadian Privacy Protections

In Canada, the Freedom of Information and Protection of Privacy Act Freedom of Information and Protection of Privacy Act may refer to:

Freedom of Information and Protection of Privacy Act (Nova Scotia)
Freedom of Information and Protection of Privacy Act (Ontario)
Freedom of Information and Protection of Privacy Act (Alberta)

(FIPPA FIPPA Freedom of Information and Protection of Privacy Act (Manitoba, Canada)
FIPPA Foreign Investment Promotion and Protection Act ) provides access to most records under the control of the provincial government while protecting the privacy of individuals who do not want their personal information made public. FIPPA's goal is to strike a balance between the public's right to know and an individual's right to privacy.

The act directs that every document, record, or file held by government, regardless of format, is subject to release to the general public. Exemptions are few and narrow in scope but are designed to protect against the unreasonable invasion of personal privacy, to prevent unfair advantages in commercial or government transactions, to protect law enforcement activities, and to safeguard government business.

FIPPA does not apply to

* published information, material available for purchase, court records, and material that is a matter of public record

* archival material, including information at the Public Archives of Nova Scotia Nova Scotia (nō`və skō`shə) [Lat.,=new Scotland], province (2001 pop. 908,007), 21,425 sq mi (55,491 sq km), E Canada. Geography
, that has not been placed there by a government body

* records created or collected by the conflict-of-interest commissioner, the ombudsman ombudsman (äm`bədzmən) [Swed.,=agent or representative], public official appointed to deal with individual complaints against government acts. , or a review officer relating to relating to relate prep → concernant

relating to relate prep → bezüglich +gen, mit Bezug auf +acc their statutory functions

* a record of a question that is to be used on an examination or test

* a record relating to a prosecution if all proceedings are incomplete

* records of the legislature

In Canada, a government body cannot collect personal information unless legislated to do so or stated in an act. Personal information can be collected for law enforcement purposes and if it relates directly to, and is necessary for, a government program. Government bodies can disclose certain types of personal information about a third party with his or her written permission.

A government body can release personal information without the prior approval of the individual if it is in the public interest (i.e., information that concerns a risk of significant harm to the environment or to the public's health or safety).

EU Regulations and the United States

European privacy laws regulate how companies transmit personal information to countries the European Union European Union (EU), name given since the ratification (Nov., 1993) of the Treaty of European Union, or Maastricht Treaty, to the

European Community (EU) says lack "adequate" privacy laws, including the United States. Some restrictions include

* limits on the amount of information companies can collect

* curbs on a company's ability to share personal data with marketers or even its own affiliates

* rights for individuals to see and correct their information

* requirements for companies to erase personal data after a short time

Because the European Union considers the United States to be a country "not ensuring adequate protection," EU- or European-based U.S. companies in possession of personal information are prohibited from exporting it to the United States unless that company has joined the Safe Harbor Safe Harbor

1. A legal provision to reduce or eliminate liability as long as good faith is demonstrated.

2. A form of shark repellent implemented by a target company acquiring a business that is so poorly regulated that the target itself is less attractive. framework. Under the Safe Harbor rules safe harbor rule Antitrust law A federal guideline as to what constitutes antitrust activity, established by the FTC and Justice Dept, after specific legislation–which might be open to misinterpretation–is enacted. Cf Self-referral. negotiated by the U.S. Department of Commerce, U.S. companies must promise to handle European data by Europe's standards outside the European Union.

The United States regulates privacy in only a few sensitive areas, such as medical and financial records. While European countries have established independent government privacy agencies to actively enforce their rules, U.S. laws grant similar authority in only a few industries. In addition, after the terrorist attacks of September 11, 2001, the U.S. government passed laws and initiated new offices that allow more unfettered access to citizens' data than ever before.

EU laws require retailers to ask permission to collect data, trade it to partners, sell it, or even use it for their own marketing--all common practices in the United States. In addition, companies in Europe are obliged o·blige
v. o·bliged, o·blig·ing, o·blig·es

v.tr.
1. To constrain by physical, legal, social, or moral means.

2. to let people see their data and correct it if it is wrong. The law restricts how much information companies can collect on customers and employees and how long they can keep it.

The EU rules are so broad that global companies often assign dozens, and in some cases hundreds, of employees to deal with them, enacting far-reaching policies and restructuring entire databases. Many large U.S. companies have adopted more global, one-size-fits all approaches. Some are collecting consent forms from their employees and asking all their affiliates to sign contracts vowing not to abuse the information. Others are employing more privacy officers and lawyers to help keep up with privacy regulations.

Nikki Swartz is Associate Editor of The Information Management Journal. She may be contacted at nswartz@arma.org.

COPYRIGHT 2004 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.

Reader Opinion

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:	On the edge: the use & misuse of information
Author:	Swartz, Nikki
Publication:	Information Management Journal
Date:	Jan 1, 2004
Words:	2779
Previous Article:	Shakespeare's will available online.(Up front: news trends & analysis)
Next Article:	Crowley purchases Mekel Technology.(Market place: new products & industry announcements)

Related Articles
Medical records online for all to see?
Public Internet/Private Lives.(Internet privacy laws)
GETTING BURIED BY E-MAIL.(L.A. LIFE)
The legal lowdown on-signatures.(Technology)
New technologies, new RIM challenges.(In focus: a message from the editor)
Nothing beats a good message: RecreAction Network is a good resource for NRPA.(Advocacy Update)
U.S. states disagree about online access to court records.(Up front: news, trends & analysis)
TMC[TM] Labs review.
PC Cleanser now included as part of software bundle with Antivirus Email subscription.(Logical Innovations)(Brief Article)
Prepare for landing: the home page isn't always where the heart is.(The Conservation Fund )