The Next Big Thing in E-Law?

It's almost a Catch-22: New lawsuit discovery regulations are requiring businesses to retain more electronic data at the same time that lawmakers are leaning on them to do a much better job of making sure such data is secure.
The legal requirements of living in the digital age have inspired one Little Rock law firm, Mitchell Williams Selig Gates & Woodyard, to create a specialty defense unit called the Information Management & Security Practice Team. The five-attorney team is led by Todd L. Newton, a former Assistant U.S. Attorney who cut his teeth on data security by prosecuting Scott Levine and his co-defendants from Boca Raton, Fla., for their high-profile breach of Acxiom Corp.'s client server.
The Mitchell firm, which hired Newton in November, is making a high-dollar bet that advising clients on information security issues and defending them when things go wrong will become a lucrative area of the law. Recent events support that conclusion:
• In October, the Emerson Poynter law firm, with offices in Little Rock and Houston, bought advertisements in the Arkansas Democrat-Gazette trolling for victims of identity theft "due to computer hackers and the poor security of companies that hold our private information."
• In December, the federal court system announced new rules of civil procedure requiring public and private companies to keep track of any e-mails, instant messages and other electronic communications generated by employees that might have any significance if the company is ever sued.
• In February, legislation was introduced in Congress that would make it a crime for companies to intentionally conceal a security breach and would strengthen requirements for notifying consumers when their personal data has been accessed.
Scott Poynter, the Emerson Poynter lawyer who ran the ads seeking identity theft victims, predicted plenty of work for Newton and his team "because people like Scott Poynter will be coming after them."
Unlike other recent trends in legal work — think nursing home negligence, medical malpractice, shareholder rights and big-truck accidents — data security issues are not limited by industry or company size.
"Even a small business with only information about its own employees has exposure," Newton said, "even a small florist or any company that takes credit cards and keeps that information on file."
And the exposure is not shared with an insurance carrier, Newton's teammate Shannon Short Smith said.
"At this point, we're not aware of insurance companies writing insurance coverage for corporations," she said.
Allstate Insurance Co.'s heavily advertised coverage for identity theft only covers the time and money spent clearing up the policyholder's finances and credit history; it doesn't protect a company from liability for allowing personal data to get into the wrong hands.
Acxiom Example
After Newton prosecuted Levine and his Snipermail.com crew for stealing 1.6 billion data records from Acxiom, Poynter sued Acxiom for letting the security breach happen in the first place. Fortunately for Acxiom, Levine was using the stolen data for pretty much the same purpose that Acxiom had collected it: to sell to companies wanting to target their marketing efforts.
In that way, the Acxiom breach was very different from other well-publicized data thefts, such as the theft of data from credit card processor CardSystems Solutions, which was used to run up millions of dollars in unauthorized charges.
U.S. District Judge Bill Wilson Jr., who presided over Levine's conviction, dismissed Poynter's class action last October because there was no evidence that any of the information stolen was actually misused.
In effect, Poynter said, Wilson concluded that "the threat of identity theft is not damage." Even receiving unsolicited e-mails or "snail mail" marketing pieces doesn't constitute actual harm, Wilson concluded.
Poynter doesn't plan to appeal.
"I understand [Wilson's] findings and why he came down the way he did," Poynter said. "I think the law is lacking."
He is hoping that businesses will ultimately face statutory damages if they don't take seriously the job of safeguarding personal information.
"I don't believe we'll have the information security we deserve until there are statutory damages in place when security is breached," he said.
Poynter might not be satisfied, then, with the legislation introduced — reintroduced, actually — in February by U.S. Sens. Patrick Leahy, D-Vt., and Bernie Sanders, I-Vt., which would make it a crime to willfully conceal a security breach involving personal data. Among other things (see sidebar), the bill would require businesses and other entities to have policies to protect personal data and would fine violators $5,000 per day up to a maximum of $500,000 per incident. But fines are not the same as statutory damages payable to victims.
Secure Enough?
Individual states have enacted laws safeguarding personal information, and most are patterned after landmark legislation in California, according to Newton. Still, the state laws are not uniform, and that's one of the things that Newton believes could trip up businesses that find themselves on the receiving end of a security breach. If a company — even the aforementioned florist — has sensitive information on customers in different states, those customers have to be notified as prescribed by their home state laws.
Leahy's Personal Data Privacy & Security Act of 2007 would standardize those notification requirements. But legislating a requirement that consumers be notified is simple compared to determining just how secure the data has to be. Right now, Poynter said, "it's up to a jury to decide" whether a company tried hard enough to protect sensitive information. But no company can guarantee that electronic data is impregnable, any more than a company could guarantee that a thief could never break in and steal paper records.
"The bottom line in today's world," Newton said, "is you can do everything just right and a sophisticated hacker can still get in."
Poynter predicts that civil courts will eventually adopt a "reasonably prudent person" standard for determining whether a company tried hard enough. "We were very, very confident that [Acxiom] didn't," he said.
Hiring a qualified data security consultant is a good start, both Poynter and Newton agreed. But even that is no guarantee of protection, either from hackers or from litigation.
"From my perspective, that's another potential defendant," Poynter said.