PRIVACY AND CONFIDENTIALITY ISSUES REGINALD A. HIRSCH 1980 Post Oak Boulevard Suite 2210 Houston, Texas 77056 (713) 961-7800 State Bar of Texas eDISCOVERY IN YOUR CASE February 7, 2014 Austin CHAPTER 9


REGINALD A. HIRSCH Law Office of Reginald A. Hirsch

1980 Post Oak Boulevard, Suite 2210, Houston, Texas 77056 (713) 961-7800 FAX: (713) 961-3453

BIOGRAPHICAL INFORMATION

DATE OF BIRTH: February 24, 1947, Houston, Texas

MARRIED: Patricia Wicoff, Attorney at Law

Child: Sarah Lauren Hirsch, Age 26, Law Student STCL

EDUCATION:
Lamar High School, Houston, Texas, 1965
B.S., University of Houston, 1970
J.D., University of Houston, 1973
Chief Justice Student Court, University of Houston Student Court, 1972-1973
Student Regent to the University of Houston Board of Regents, 1972-1973

PROFESSIONAL EMPLOYMENT:
Assistant Attorney General for State Bar of Texas, Environmental Division, 1973-1974
Balasco, Clark, Hirsch and Stern, 1974 - 1979
Lipstet & Hirsch, 1979 - 2008
Law Office of Reginald A. Hirsch, 2008 to present

PROFESSIONAL LICENSES:
State Bar of Texas, 1973
U.S. District Court, Southern District of Texas, 1974
U.S. Court of Appeals, Fifth Circuit, 1974

PROFESSIONAL ACTIVITIES:
Board Certified in Family Law, 1979-2014
President, Harris County Young Family Lawyers Association, 1977
President, Family Law Section, Houston Bar Association, 1980-1981
Member, State Bar of Texas, Family Law Counsel, 1985-1989
Chairman, Houston Volunteer Lawyers Association, 1983-1984
Director, The Association of Trial Lawyers of America, 1985
President, Family Law Forum, 1983-1985
Director, Association of Gulf Coast Family Law Specialists, 1989-1990
President, Gulf Coast Legal Foundation, 1986
Texas Association of Family Law Specialists
International Society of Family Law
National Association of Counsel for Children
American Academy of Matrimonial Lawyers
Adjunct Professor, South Texas College of Law, Environmental Law, 1975-1977
Guest Lecturer at Baylor College of Medicine
Guest Lecturer at University of Houston Law School, South Texas College of Law, TSU Marshall School of Law
Master, American Inns of Court
Chairperson, Family Law Task Force 2000
Treasurer, American Inns of Court, Burta Raborn Chapter 2005-2009
President, American Inns of Court, Burta Raborn Chapter, 2010-2011
Council Member, State Bar of Texas, Computer and Technology Section, 2013-2016

Recent Article and Speeches

Recipient, David Gibson Award, Gulf Coast Family Law Specialist, Houston, Tx, May 11, 2006 http://www.youtube.com/watch?v=Y1TjcxaAZ3U&feature=relmfu
Recipient, Texas Super Lawyer, 2007-2013, Family Law, Texas Monthly Magazine
Author, Speaker, University of Texas, The Definitive Short Course on Parent Child Relationships, “The World of Court Appointees: Amicus Attorneys, Attorney Ad Litems, Guardian Ad Litems and Social Studies,” Austin, Tx, November 8, 2007
Author, Speaker, State of Texas Judicial College, “Electronic Evidence Issues,” Richardson, Tx, April 17, 2008
Author, Speaker, Co-Panelist, 8th Annual Family Law on the Front Line, “Electronic Evidence – Fighting the War of the Roses in the Electronic Age,” Galveston, Tx, June 20, 2008
Recipient, Judge Judy Warne’s Weekly Acknowledgment of Contribution to the Bench and Bar, June 9, 2008
Author, Speaker, Advanced Family Law Course, “When Technology and Family Law Collide”, San Antonio, August 11, 2008
Speaker, HAL-PC Legal Sig, Electronic Evidence, January 21, 2009 Houston, Tx
Author, Speaker, The Impact of Technology on the Parent-Child Relationships: Critical Thinking For Critical Issues, University of Texas, Austin, Tx January 29, 2009
Author, Speaker, Using Electronic Evidence, 23rd Annual Family Law Conference, South Texas College of Law, March 5, 2009
Author, Speaker, What every CPA should know about Electronic Evidence, Houston CPA Society, April 24, 2009
Author, Co-Speaker, Using the Latest Technology in the Courtroom and Electronic Evidence Workshop, Advanced Family Law, Dallas, Tx, August 3-6, 2009
Speaker, Judges and Social Media, Bar to Bench: So You Want to Be a Judge?, Web Cast, State Bar of Texas, Austin, Tx, November 4, 2009
Author, Speaker, Electronic Evidence-How to Avoid Getting Shocked, Ultimate Trial Notebook, San Antonio, Tx, December 3-4, 2009
Speaker, Windows 7 and Office 2010, HAL-PC, Houston, Tx, January 20, 2010
Co-Speaker, Author, Electronic Evidence and Discovery, South Texas School of Law, 24th Annual Family Law Conference, Houston, Tx, March 10, 2010
Presiding, Parent Child Relationships: Advanced, UT, Houston, TX, January 27, 2011
Author, Co-Speaker, 30 Hot Tips in 30 Minutes, Advanced Family Law Conference, San Antonio, Tx, August 1, 2011
Author, Co-Speaker, Cutting Edge Apps and High Tech Tools for Family Lawyers, Advanced Family Law Conference, San Antonio, Tx, August 4, 2011
Author, Speaker, Electronic Evidence, Texas College of Judicial Studies, Austin, Tx, April 10, 2012
Author, Co-Speaker, Inventories and Internet Resources, Advanced Family Law Conference, August 8, 2012, Houston, Tx
Author, Speaker, Family Law Technology Course, Latest Tech Tools for Your Office, Austin, Tx, December 13-14, 2012 http://www.youtube.com/watch?v=k9vukNBfM80
Author, Co-Speaker, Family Law Technology Course, Looking Beyond the Horizon, Austin, Tx, December 13-14, 2012
Author, Co-Speaker, Enhancing Your Case Through Technology, Innovations-Breaking Boundaries in Custody Litigation, UTCLE/AMML, January 24-25, 2013
Author, Co-Speaker, Discovery and Electronic Evidence, 27th Annual Family Law Conference, South Texas College of Law, March 8, 2013 Houston, Tx
Speaker, 12th Annual Biennial Sampson and Tindall, Family Law Update, June 2013 Houston and Dallas, Tx
Speaker, Author, Forensic Examination of Cell Phones, American Academy of Matrimonial Lawyers, Video, June 2013, http://www.aaml.org/member-resources/launch-learn
Speaker, Author, iPads for Lawyers, A Marriage Made in Heaven, Advanced Family Law Conference, San Antonio, Tx, August 6, 2013
Speaker, Author, Gulf Coast Family Law Specialist, Interesting Apps for Family Lawyers, September 12, 2013, Houston, Tx
Speaker, Author, AAML, Top Ten Tech Tools for Family Lawyers, Chicago, Illinois, November 7, 2013
Recipient, Houstonia Magazine, List of Best Houston Family Lawyer, Dec., 2013
Co-Author, Texas Perspective on E-discovery, Chapter 23, Practical E-Discovery Advice in Family Law Cases, TexasBarCle.
Author, Speaker, E-Discovery In Your Case, Chapter 9, Confidentiality and Privacy Issues, February 7, 2014, Austin, Tx, TexasBarCLE


TABLE OF CONTENTS

I. INTRODUCTION

II. PRIVACY
    A. A Short History of Privacy
    B. Privacy and the Constitutions
    C. Right to Privacy in Common Law
    D. Causes of Action in Tort
        1. Statutory
        2. Texas Case Law
    E. Practical Analysis of an Invasion of Privacy Claim

III. INTERCEPTION OF COMMUNICATION
    A. Communications Act (“Stored Communications Act”)
        1. Conflicting Definitions of “Electronic Storage”
        2. Social Media and the Stored Communications Act
    B. The Electronic Communications Privacy Act (ECPA)
        1. Criticisms of ECPA
        2. Digital Due Process – the Movement
    C. The Federal Wiretap Act
        1. Exceptions to the Federal Wiretap Act
    D. Texas Wiretap Statutes – the Federal Counterpart
        1. Texas Civil Practice and Remedies Code
        2. Texas Penal Code
        3. Exception to the Texas Wiretap Act
    E. Computer Breach – the Penal Code
        1. Caveat Emptor – vehicle ownership required
        2. Exception: Law enforcement
    F. Spyware
        1. Spyware on the Mobile Phone
        2. Spyware on your computer – key logger programs

IV. CONFIDENTIALITY
    A. Texas Rules of Professional Conduct
    B. ABA Model Rule
    C. Texas Business & Commerce Code

V. HELPFUL LINKS TO FEDERAL LAWS, ACTS AND POLICIES ON PRIVACY AND CONFIDENTIALITY

VI. CONCLUSION

PRIVACY AND CONFIDENTIALITY ISSUES

By Reginald A. Hirsch

I. INTRODUCTION

Our first introduction to issues regarding privacy and confidentiality was probably the school yard, where we were introduced to “shh” and “secrets” and realized that there was another world of communication. As most practitioners are aware, technology is advancing at a break-neck pace. Almost every day we are presented with a new electronic device or app that records or intercepts information. With the touch of a few keys on a computer or mobile device, and often at a nominal cost, telephone conversations can be intercepted, the key strokes you make on your home computer can be transmitted to another location, and the act of carrying a cellular telephone can mean that your every move is being tracked and recorded. As a result of this evolution in technology, the once seemingly sacred right of privacy has been battered and pummeled, and our lawmakers struggle to keep pace with this ever-changing, often hostile environment. With the revelations of the programs being used by the NSA, we may reasonably ask what is left regarding privacy and privacy rights. On October 31, 2013, in an article entitled “No U.S. Action, So States Move on Privacy Law”, the New York Times pointed out that with the lack of federal oversight and laws, individual states are now moving into the area of protecting privacy rights. See: http://nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

This rush of 21st Century technology impacts us as lawyers as we are confronted weekly with substantive issues concerning technology that is being used by or against our clients. The guidance available to assist in determining what is proper or, more importantly, what is improper is often conflicting and dated when compared with the technology in question. It is a caveat emptor environment: being forewarned is being forearmed.

The goal of this paper is to reduce fear, supplant it with knowledge and remind everyone that the struggle to protect your client and yourself requires constant vigilance.

Finally, I would like to thank Lacy LaFour of the LaFour Law Firm, P.C. in Houston, Texas who assisted me in the accumulation of materials, writing and editing of this paper. After reviewing the materials in this article, she announced that she is terminating her cell and internet services and moving to Sri Lanka.

The following portions of this paper were adapted from Reginald A. Hirsch’s paper, “Spy vs. Spy – The Legality of using Wiretaps, Spyware, GPS and Other Eavesdropping Technologies,” which was presented during the State Bar of Texas Soaking up Some CLE course in May 2010, and the excellent paper written by Reginald A. Hirsch, Rick Robertson and Cindy V. Tisdale entitled, “Electronic Evidence: How to Avoid Getting Shocked”, State Bar of Texas Best of 2009 Part Two, February 2010.

II. PRIVACY

A. A Short History of Privacy

In order to understand how technology may impact or invade privacy, it is important to understand the right to privacy and the related causes of action.

The idea of a legal right to privacy was first addressed in the United States in an 1890 Harvard Law Review article entitled “The Right to Privacy” by Louis Brandeis (later a Supreme Court Justice) and Samuel D. Warren.1 Brandeis and Warren argued that the Constitution and the common law allowed for the deduction of a general “right to privacy”. Their article was the result of a late 1800s outbreak of what we now call “sensational journalism” and their attempt to provide a legal framework for protecting intrusions into privacy.

Later, the renowned tort expert, Dean Prosser, argued that “privacy was composed of four separate torts, the only unifying element of which was a (vague) ‘right to be left alone’.” The four torts addressed by Dean Prosser were:

1. Intrusion upon the plaintiff’s seclusion or solitude or into his private affairs;
2. Public disclosure of embarrassing private facts about the plaintiff;
3. Publicity which places the plaintiff in a false light in the public eye; and
4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.2

In 1967, the United States Supreme Court was confronted with a case in which the Defendant walked into a telephone booth, closed the door and made a call. The FBI had previously placed a recording device on the outside of the glass telephone booth and the Defendant’s telephone call was recorded. The issue addressed by the court was whether this action by the FBI violated the Defendant’s Fourth Amendment rights. Ultimately, the Court concluded that the Defendant’s constitutional protections were violated because the Defendant, when making a call with the telephone booth door closed, had a “reasonable expectation of privacy.”3

1 Harvard Law Review, Volume VI, 12-15-1890, No. 5.

2 See, Prosser’s Privacy Law; A Mixed Legacy, California Law Review, Vol. 98, Issue 6, Article No. 5, 2010. Ultimately, Prosser’s writings and thoughts were codified in the 2nd Restatement of Torts, Section 652(B-D) in 1997.

3 See Katz v. U.S., 389 U.S. 349 (1967).

B. Privacy and the Constitutions

The word "privacy" is never actually used in the text of the United States Constitution or any of its amendments, but certain provisions have been recognized in case law as implicitly creating protected “zones of privacy”.4

Similarly, the Texas Constitution does not expressly guarantee a right to privacy, but the Supreme Court in Texas State Employees Union, et al., v. Texas Department of Mental Health and Mental Retardation, et al.,5 recognized implicit privacy protections:

“While the Texas Constitution contains no express guarantee of a right to privacy, it contains several provisions similar to those in the United States Constitution that have been recognized as implicitly creating protected "zones of privacy."6 Section 19 of the Texas Bill of Rights protects against arbitrary deprivation of life and liberty.7 Section 8 provides the freedom to "speak, write or publish". Section 10 protects the right of an accused not to be compelled to give evidence against himself.8 Sections 9 and 25 guarantee the sanctity of the individual's home and person against unreasonable intrusion.9 Finally, the Texas Constitution protects the rights of conscience in matters of religion.10 Each of these provisions gives rise to a concomitant zone of privacy.11 We do not doubt, therefore, that a right of individual privacy is implicit among those "general, great, and essential principles of liberty and free government" established by the Texas Bill of Rights.12 We hold that the Texas Constitution protects personal privacy from unreasonable intrusion. This right to privacy should yield only when the government can demonstrate that an intrusion is reasonably warranted for the achievement of a compelling governmental objective that can be achieved by no less intrusive, more reasonable means.”

Based upon these implicit protections, one may assert that a cause of action for invasion of privacy exists under Texas law even if a federal or state criminal statute has not been violated.

4 See Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).

5 Texas State Employees Union, et al., Petitioners, v. Texas Department of Mental Health and Mental Retardation, et al., Respondents 746 S.W.2d 203 (Tex. 1987)

6 Cf. Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).

7 TEX.CONST., art. 1, § 19.

8 TEX.CONST., art. 1, § 8, 10.

9 TEX.CONST., art. 1, § 9, 25.

10 TEX.CONST., art. 1, § 6.

11 Cf. Griswold v. Connecticut, 381 U.S. 479, 484, 85 S. Ct. 1678, 1681, 14 L.Ed.2d 510 (1965).

12 TEX.CONST., art. I, Introduction to the Bill of Rights.

C. Right to Privacy in Common Law

Most states have recognized a tort right to privacy in common law. The common law privacy intrusion tort is violated if someone intentionally intrudes upon the private affairs, seclusion or solitude of another person by means that would be highly offensive to a person of ordinary sensibilities. In cases where wiretap acts are not violated, the common law invasion of privacy tort may apply to the various forms of surveillance that will be discussed later in this paper. A violation of the invasion of privacy tort might result in an award for compensatory damages, but it may not be a basis for excluding evidence in some court proceedings.

D. Causes of Action in Tort

1. Statutory

Section 625B of the Restatement (Second) of Torts (1977) provides a cause of action and liability against:

One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or in his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.

To recover on the tort of invasion of privacy, the complainant must show:

• conduct in the nature of an intrusion;
• the private nature of the thing or place intruded upon; and
• the intrusion was substantial and the conduct highly offensive or objectionable to the reasonable person.

In the Handbook of the Law of Torts, Professor William L. Prosser catalogued four distinct injuries under the tort of invasion of privacy:

• intrusion upon a person’s right to be left alone in his or her own affairs;
• publicity given to private information about a person;
• appropriation of some element of the person’s personality for commercial use; and
• false light.13 14

13 TEX.CONST., art. I, Introduction to the Bill of Rights.

14 These four variations of the tort were adopted by the Second Restatement of Torts. See Restatement (Second) of Torts § 652A (1977).

2. Texas Case Law

• Texas recognizes a cause of action for willful invasion of privacy.15
• The Texas Constitution guarantees the sanctity of the home and person against unreasonable intrusion.16
• The concept of invasion of privacy covers intrusion on a party’s seclusion, solitude, or private affairs.17
• Texas has also recognized the following claims for intrusion on seclusion:
• Wiretapping18
• Videotaping (defendant liable for videotaping plaintiff’s bedroom without plaintiff’s consent)19; (invasion of privacy when defendant videotaped himself and plaintiff engaging in sexual intercourse and later aired the tape to third parties)20
• Privacy at home (telephone company liable when employee entered home without customer’s permission and no one present)21
• Surveillance (defendant who continuously stalked, followed and spied on plaintiff invaded plaintiff’s right to privacy)22
• Privacy at work (searching through an employee’s locked personal locker constituted an intrusion of privacy)23
• Privacy in public (conversation in public place was private where the parties to the conversation used hushed voices, stood away from other people and close to each other)24
• Liability for invasion of privacy does not depend on any publicity given to the person whose interest is invaded or to his affairs.25
• Punitive damage award of $1,000,000 (21% of defendant chiropractor husband’s net worth) where the defendant had bugged telephones of wife’s attorneys and engaged in other outrageous conduct.26

15 Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).

16 Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex. 1987).

17 See Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993); Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex 1987)

18 Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).

19 Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).

20 Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).

21 Gonzales v. Southwestern Bell Tel. Co., 555 S.W.2d 219, 222 (Tex. App. – Corpus Christi 1977, no writ).

22 Kramer v. Downey, 680 S.W.2d 524, 525 (Tex. App. – Dallas 1984, writ ref’d n.r.e.)

23 K-Mart Corp. v. Trotti, 677 S.W.2d 632, 637 (Tex. App. – Houston [1st Dist.] 1984, writ ref’d n.r.e., 686 S.W.2d 593 (Tex. 1985).

24 Stephens v. Dolcefino, 126 S.W.3d 120 (Tex. App – Houston [1st Dist.] 2003).

25 Clayton v. Richards, 47 S.W.3d 149 (Tex. App. – Texarkana 2001, no pet.); Restatement (Second) of Torts 752B, cmt. A.. 1987).

26 Parker v. Parker, 897 S.W.2d 918, 930 (Tex. App. – Fort Worth 1995, writ denied) overruled on other grounds by Formosa Plastics Corp. USA v. Presidio Engineers & Contractors, Inc., 960 S.W.2d 41

E. Practical Analysis of an Invasion of Privacy Claim

The key to understanding if an invasion of privacy has occurred is to determine a person’s expectation of privacy related to the object of the potential intrusion. The litmus test for claims of invasion of privacy depends on the answer to the following question:

“Was the material or data preserved in a manner to give rise to a reasonable expectation of privacy?”

The following is a typical scenario that a practitioner might face:

My client has accessed a computer located in her home, and during this access she observed her spouse engaged in “x” activity.

In this situation, the practitioner should immediately contemplate the following: Was the client’s access to the computer in her residence legal? If it was not, what kind of trouble am I in, if any, just by looking at the material my client obtained from the computer?

In order to answer these questions, all relevant criteria should be examined and weighed:

1. Where in the home was the computer located?
2. Was it in the spouse’s private office, or was it in a main area of the house?
3. Was the computer or the document that was viewed password protected? If so, was the password kept secret by the spouse and not disclosed to others, or did other members of the household have access to the password?
4. Was the computer used by other family members or 3rd parties?
5. Was the computer a personal or business computer?
6. Was it used by the accessing spouse regularly or infrequently, or not at all?

If the answers to the above questions indicate the computer was located in a common area of the home, that it was not password protected and it was often used by the accessing spouse as well as other family members, it is unlikely the spouse had a reasonable expectation of privacy in the computer.

Conversely, if the analysis indicates that the computer in question was housed in the other spouse’s home office, that it was never used by third parties, and that it was password protected, it is likely the spouse had a reasonable expectation of privacy in relation to the computer, and a claim for invasion of privacy may exist. In this event, the practitioner would not want to take possession of or view any of the material accessed by the client. In addition to advising the client of the possible impropriety of her actions, the client should immediately be instructed not to deliver any of the material to the lawyer or the lawyer’s staff, and the lawyer’s staff should be instructed accordingly.

There are many components to consider when analyzing an invasion of privacy claim; in the event of a close call, a practitioner should always err on the side of caution.

III. INTERCEPTION OF COMMUNICATION

A. Communications Act (“Stored Communications Act”)

The primary purpose of the Stored Communications Act is to protect the privacy interests in personal information that is stored on the Internet, and to limit the government’s ability to compel disclosure of an Internet user’s information contained on the Internet and held by a third party.

More specifically, the Act prohibits: (1) the intentional accessing of a facility through which an electronic communication service is provided without authorization; or (2) the intentional exceeding of an authorization to access a facility; and thus obtaining, altering, or preventing authorized access to a wire or electronic communication (such as e-mail or voicemail) while it is in electronic storage.27 The Act defines “electronic communication service” as any service that provides users the ability to send or receive wire or electronic communications.28 The Act defines “electronic storage” as: (1) “any temporary, immediate storage of a wire or electronic communication incidental to the electronic transmission thereof;” and (2) “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”29 Possible penalties include a fine, imprisonment, or both.30

27 (71) 18 U.S.C. Sec. 2701(a)

28 (72) 18 U.S.C. Sec. 2510 (15)

29 (73) 18 U.S.C. Sec. 2510(17)(2000)

30 (74) 18 U.S.C. Sec. 2701(b)

1. Conflicting Definitions of “Electronic Storage”

Although the Act defines “electronic storage”, several courts have interpreted the definition of “electronic storage” in slightly different ways. At the time of this writing, what is in “electronic storage”, and thus regulated by the Act, depends on where the storage is located, e.g., on a person’s hard drive or saved onto a remote server such as Hotmail. To wit:

In Fraser v. Nationwide Mutual Insurance Co.31 the Eastern District Court of Pennsylvania held that access to e-mail on a hard drive was not subject to the Stored Communications Act. The court reasoned that the “post-transmission storage [on a hard drive]” is not commensurate with “electronic storage” as contemplated by the Act.

A New Jersey court in White v. White tested the holding of Fraser.32 The state court evaluated the applicability of the Act, as well as state statutes, to interspousal access to email stored on a computer in the family home. After Wife discovered a letter from Husband to his girlfriend, allegedly in plain view, Wife hired a computer detective. The detective, at Wife’s discretion and without using Husband’s password, copied his e-mails that were stored on the hard drive.33 The New Jersey Court held that Wife did not violate the Act because: (1) the email was not in “electronic storage” when it was accessed because the family computer’s hard drive was not “electronic storage” and (2) the access was not “without authorization” as contemplated by the Act.34

In partial contrast, the Western District Court of Wisconsin in Fischer v. Mt. Olive Lutheran Church held that the Act does apply to stored email – at least in some situations.35 The court found that emails from a Hotmail account that were accessed without authorization were stored by an electronic communication service because the e-mails were saved on Hotmail’s servers.36

31 (75) 135 F. Supp.2d 623 (E.D. Pa. 2001)

32 (76) 781 A.2d 85 (N.J. Super Ct. Ch. Div. 2001)

33 (77) Id. at 87

34 (78) See id.

35 (79) 207 F. Supp.2d 914 (W.D. Wis. 2002)

2. Social Media and the Stored Communications Act

Currently, it is an unsettled question as to whether postings on Facebook and MySpace are protected under the Act. At least one Court has provided protection to social media sites from producing information in response to a subpoena. In Crispin v. Christian Audigier, Inc., the Central District of California held that Facebook and MySpace were protected under the Stored Communications Act.37

B. The Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100 Stat. 1848, 18 U.S.C. § 2510) was enacted by the United States Congress to extend government restrictions on wiretaps from only telephone calls to include transmissions of electronic data by computer.

Specifically, the ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private, electronic communications. The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, 18 U.S.C. §§ 2701-2712, and also included so-called pen/trap provisions that permit the tracing of telephone communications. §§ 3121-3127.

Later, the ECPA was amended, and weakened to some extent, by provisions of the USA PATRIOT Act. Additionally, Section 2709 of the Act, which allowed the FBI to issue National Security Letters (NSLs) to Internet service providers (ISPs) ordering them to disclose records about their customers, was ruled unconstitutional under the First (and possibly Fourth) Amendments in ACLU v. Ashcroft (2004).

1. Criticisms of ECPA

Since the enactment of the ECPA in 1986, there

have been sweeping advancements in communication

technology and the way in which people use it. Some

of these changes include:

Email: Most Americans have embraced email in their professional and personal lives and use it daily for confidential communications of a personal or business nature. Because of the importance of email and unlimited storage capabilities available today, most people save their email indefinitely, just as they previously saved letters and other correspondence. The difference, of course, is that it is easier to save, search and retrieve digital communications. Many of us now have many years’ worth of stored email; for many people, much of that email is stored on the computers of service providers.

Mobile location: Cell phones and mobile Internet devices constantly generate location data that supports both the underlying service and a growing range of location-based services of great convenience and value. This location data can be intercepted in real-time, and is often stored in easily accessible log files. Location data can reveal a person’s movements, from which inferences can be drawn about activities and associations. Location data is augmented by very precise GPS data being installed in a growing number of devices.

Cloud computing: Increasingly, businesses and individuals are storing data "in the cloud," with potentially huge benefits in terms of cost, security, flexibility and the ability to share and collaborate.

Social networking: One of the most striking developments of the past few years has been the remarkable growth of social networking. Hundreds of millions of people now use these social media services to share information with friends and as an alternative platform for private communications.

36 Id. at 925

37 Buckley H. Crispin v. Christian Audigier, Inc., et al., CV 09-09509-MMM-JEMx (C.D. Cal.) (May 26, 2010)

Because the ECPA has been significantly outpaced by

technology, there are wide scale issues associated with

the interpretation and application of the Act, and the

ECPA does not provide protection suited to the way

technology is used today. For example:

a. Conflicting Standards

The ECPA sets rules for governmental access to

email and stored documents that are not consistent. A

single email is subject to multiple different legal

standards in its lifecycle, from the moment it is being

typed to the moment it is opened by the recipient to the

time it is stored with the email service provider. The

Act does not clearly state the standard for

governmental access to local information.

b. Illogical Distinctions

A document stored on a desktop computer is

protected by the warrant requirement of the Fourth

Amendment, but the ECPA says that the same

document stored with a service provider may not be

subject to the warrant requirement.

c. Judicial Criticism

The courts have repeatedly criticized ECPA for

being confusing and difficult to apply. The Ninth

Circuit in 2002 said that Internet surveillance was "a

confusing and uncertain area of the law." In the past

five years, no fewer than 30 federal opinions have been

published on government access to cell phone location

information, reaching a variety of conclusions.

d. Constitutional Uncertainty

The courts are equally conflicted about the

application of the Fourth Amendment to new services

and information. A district court in Oregon recently

opined that email is not covered by the constitutional

protections, while the Ninth Circuit has held precisely

the opposite. Last year, a panel of the Sixth Circuit

first ruled that email was protected by the Constitution,

and then a larger panel of the court vacated the

opinion.

This murky legal landscape does not serve the

government, customers or service providers well.

Customers are, at best, confused about the security of

their data in response to an access request from law

enforcement. Companies are uncertain of their

responsibilities and unable to assure their customers

that subscriber data will be uniformly protected. The

current state of the law does not well serve law

enforcement interests, either. Resources are wasted on

litigation over applicable standards, and prosecutions

are in jeopardy should the courts ultimately rule on the

Constitutional questions.

2. Digital Due Process – the Movement

In response to these issues, a recently formed

group aims to revise the ECPA. Information about this

group’s work and relevant resources associated with

the Act can be found at http://digitaldueprocess.org.

C. The Federal Wiretap Act

The Federal Wiretap Act specifically prohibits

“any person” from intercepting a wire, oral, or

electronic communication without a court order or the

consent of one of the parties to the conversation.38

The Act defines “intercept” as the “aural or other

acquisition of the contents of any wire, electronic, or

oral communication through the use of any electronic,

mechanical, or other device.”39

The interception

must be intentional.40

The penalty for violations may

be a fine, imprisonment for up to five years, or both.

38 18 U.S.C. Sec. 2510-2520

39 18 U.S.C. Sec. 2510(4)

40 18 U.S.C. Sec. 2511(1)

1. Exceptions to the Federal Wiretap Act

a. Exception: Consent of a Party

It is not unlawful for a person to intercept an oral

or wire communication if the person is a party to the

communication or if a party to the communication has

given prior consent to the interception.41

b. Exception: Spousal Consent

Though most federal circuits have not recognized

an interspousal exception to the wiretapping statute,

the Second and Fifth circuit courts of appeals have held

that there is such an exception to the statute.42

In Simpson v. Simpson, the Fifth Circuit Court of

Appeals held that the recording of telephone

conversations in the marital home by Husband who

suspected Wife of infidelity did not violate the

Federal Wiretap Act.43

The Court reasoned that

because federal courts have typically left family

matters to state courts, Congress did not intend to

counteract this tradition through the Federal Wiretap

Act. This opinion has been widely criticized.

For Texas state law holding differently than

Simpson, see Collins v. Collins, 904 S.W.2d 792

(Tex.App.–Houston [1st Dist.] 1995, writ denied)

discussed below.

Similarly, the Second Circuit Court of Appeals in

Anonymous v. Anonymous found that interspousal

wiretaps involve marital disputes, which are an area

generally left to the discretion of states.44

These

opinions have been widely criticized and rejected by

other federal courts which have found no

Congressional intent to except willful, intercepted

spousal communications.45

c. Exception: Vicarious Consent for Minors

With respect to parents who tape record the phone

conversations of their minor children within the home,

some courts have recognized a limited “vicarious

consent” exception, whereby parents and guardians of

minors have the authority to consent for their minor

child when it is perceived by the parent or guardian to

be in the best interests of the child.46

The Federal Wiretap Act may not be violated if a party to the intercepted conversation has “vicariously” consented to the recording.

41 18 U.S.C. Sec. 2511(2)(d)

42 Simpson v. Simpson, 490 F.2d 803 (5th Cir. 1974); Anonymous v. Anonymous, 558 F.2d 677 (2d Cir. 1977).

43 490 F.2d 803 (5th Cir. 1974)

44 558 F.2d 677 (2d Cir. 1977)

45 See United States v. Jones, 542 F.2d 661, 669 (6th Cir. 1976). See also Pritchard v. Pritchard, 732 F.2d 372 (4th Cir. 1984); Kempf v. Kempf, F.2d 1537, 1539 (10th Cir. 1991); Platt v. Platt, 951 F.2d 159 (8th Cir. 1989)

46 See e.g., Wagner v. Wagner, 64 F. Supp. 895, 896 (D. Minn. 1999); March v. Levine, 136 F. Supp.2d 831, 849 (M.D. Tenn. 2000), aff’d, 248 F.3d 462 (6th Cir. 2001); Allen v. Mancini, 170 S.W.3d 167 (Tex. App. – Eastland 2005, pet. filed)

In Pollock v. Pollock, the Sixth Circuit Court of Appeals articulated a “good faith” test.47 If the parent has a “good faith, reasonable basis for believing such consent was necessary for the welfare of the child,”48 then a recording of a child’s conversation would be admissible. The Court also found that the parent doing the recording on behalf of the minor child must demonstrate a reasonable belief “…that the minor child is being abused, threatened, or intimidated by the other parent.”49

The exception does not apply to every situation. The West Virginia Supreme Court of Appeals in West Virginia Dep’t of Health and Human Resources v. David L., found that a parent did not have a right to record conversations with the other parent while the children were in the other parent’s house.50

47 154 F.3d 601 (6th Cir. 1998)

48 See id at 610

49 See id; Silas v. Silas, 680 So.2d 368, 371 (Ala. Civ. App. 1996).

50 453 S.E.2d 646, 654 (1994).

D. Texas Wiretap Statutes – the Federal Counterpart

1. Texas Civil Practice and Remedies Code

A party to a communication may sue a person who:

1) intercepts, attempts to intercept or employs or obtains another to intercept or attempt to intercept a communication;

2) uses or divulges information that the person knows or reasonably should know was obtained by interception of the communication; or

3) as a landlord, building operator, or communication common carrier, either personally or through an agent or employee, aids or knowingly permits interception or attempted interception of the communication.

For purposes of the statute, “interception” means “the aural acquisition of the contents of a communication through the use of an electronic, mechanical, or other device that is made without the consent of a party to the communication.” TEX. CIV. PRAC. & REM. CODE § 123.001(2).

A person who establishes a cause of action under the statute is entitled to:

1) an injunction prohibiting further interception or divulgence or use of the information obtained by an interception;

2) statutory damages of $10,000 for each occurrence;

3) all actual damages in excess of $10,000;

4) punitive damages in an amount to be determined by the court or jury; and

5) reasonable attorney’s fees and costs. TEX. CIV. PRAC. & REM. CODE § 123.004.

2. Texas Penal Code

Section 16.02 of the Texas Penal Code provides

that a person commits the offense of unlawful

interception, use, or disclosure of wire, oral, or

electronic communications “if the person

intentionally intercepts, endeavors to intercept, or

procures another person to intercept or endeavor to

intercept a wire, oral or electronic communication.”51

An offense under this section is a second degree

felony.52

3. Exception to the Texas Wiretap Act

a. Exception: Express or Implied Consent

Texas law allows one party to a conversation to tape or intercept the conversation.53

b. Non-exception: Spousal Consent

Unlike the Federal counterpart, Texas does not recognize the interspousal exception to wiretapping.54, 55 Texas courts generally have declined to follow the Simpson case to attach a spousal immunity exception to applicable federal or state wiretap statutes.

E. Computer Breach – the Penal Code

Section 33.02 of the Texas Penal Code provides that “a person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.” An offense under this section is a class B misdemeanor. If the person who commits the offense knowingly obtains a benefit, defrauds or harms another, or alters, damages or deletes property, the offense is based on the value of the harm done.56

51 Texas Penal Code 16.02(b)(1)

52 Texas Penal Code 16.02(f)

53 Kotria v. Kotria, 718 S.W.2d 853, 855 (Tex.App.–Corpus Christi 1986, writ ref’d n.r.e.).

54 Collins v. Collins, 904 S.W.2d 792 (Tex.App.–Houston [1st Dist.] 1995, writ denied)

55 See Kent v. State, 809 S.W.2d 664 (Tex.App.–Amarillo 1992, writ ref’d).

Tracking Devices and Vehicles

Section 16.06 of the Texas Penal Code provides

that a person commits the offense of unlawful

installation of a tracking device “if the person

knowingly installs an electronic or mechanical tracking

device on a motor vehicle owned or leased by another

person.” Such an offense is a Class A misdemeanor.57

1. Caveat Emptor – vehicle ownership required

Occasionally, a client will inquire about hiring a Private Investigator to place a GPS device on the spouse’s car. Be advised that it is a violation of Texas law to install a tracking device on a vehicle unless the vehicle is registered in the client’s name.58

2. Exception: Law enforcement

Note that the same rules may not apply to law

enforcement. In United States of America v. Bernardo

Garcia,59

the police attached a GPS device to a suspect

and the court held that the suspect’s constitutional

rights had not been violated.

F. Spyware

Spyware equipment can range from simple (Maxwell Smart) to highly complex. A tape recorder, a mobile phone, an EZ tag, a web camera and a computer can all be used to find information.

1. Spyware on the Mobile Phone

For a nominal fee beginning as low as $40.00, spyware can be purchased and installed on an unsuspecting party’s mobile phone to record information such as call and SMS contact history, appointments, Internet browsing, bookmark and email history, location tracking and location history, sound recording of phone calls, picture and video history, and text messages. It can also remotely activate the cell phone’s microphone and record every call made.

2. Spyware on your computer – key logger programs

Most key logger programs are available for less than $100.00 and can readily be purchased in computer stores and via the internet. What the programs share in common is the ability to capture email, text messages, websites visited, and keystrokes, including names and passwords; they can also take screenshots of program activity and capture photographs.

The key logger programs also run in stealth mode, and some now provide web access, no longer requiring access to the actual computer where the spyware was installed, as an alternative to emailing you the content.

56 TEX. PEN. CODE 33.02(2)

57 TEX. PEN. CODE § 16.06(c).

58 See United States of America, Plaintiff-Appellee, v. Bernardo Garcia, Defendant-Appellant, United States Court of Appeals for the Seventh Circuit, No. 06-2741, Argued January 10, 2007, Decided February 2, 2007, 474 F.3d 994; Occupations Code Chapter 1702, Section 17.02.332.

59 United States v. Ropp, 347 F.Supp.2d 831 (C.D. Cal. 2004)

In United States v. Ropp, because a key logger

recorded keystroke information in transit between the

keyboard and the CPU, the court found that the system

transmitting the information did not affect interstate

commerce, and the keystroke signals, therefore, were

not “electronic communication” under the Wiretap

Act.60

In Potter v. Havlicek, Mr. Havlicek admitted to

installing monitoring software on the family computer.

He also admitted to downloading e-mail from his

wife’s web-based email account, but claimed it was

authorized because she had chosen to save her

username and password through the browser’s

“remember me” feature. The District Court for the

Southern District of Ohio ruled that evidence obtained

in a divorce case through the use of spyware could be

admitted, noting that the ECPA does not permit courts

to disallow such evidence. The Court did say that

“disclosure of the information in state court by Jeffery

Havlicek or his attorney might be actionable civilly or

criminally”, and it was suggested that the “remember

me” option probably did not give Mr. Havlicek an

implied right to view his wife’s e-mail messages.61

Additionally, the Havlicek Court questioned

whether Ropp’s construction of “affecting interstate

commerce” is correct. It suggested that Ropp reads the

statute as requiring that the communication must be

traveling in interstate commerce as opposed to merely

“affecting interstate commerce.” The keystrokes,

while not traveling in interstate commerce, do “affect

inter-state commerce.”

60 Ropp, 347 F.Supp.2d at 837-38

61 Potter v. Havlicek. The case may be found on Westlaw at 2007 WL 539534 (S.D. Ohio)

The following portions of this paper are adapted from the article entitled “Tips for Safeguarding Confidentiality & Privacy of Client Information in Compliance with Professional Rules, HIPPA & other Statutory Requirements,” written by Al Harrison and Randy Claridge, and presented at the State Bar of Texas 2010 Annual Meeting in Fort Worth, Texas, and “A Lawyer’s Work is Never Done” written by Esther Chaves and moderated by Caren K. Lock, Esther Chaves and W. Reid Wittliff at the State Bar of Texas 9th Annual Advanced Consumer & Commercial Law Course in August of 2013 in Houston, Texas. The author would like to thank all of the authors for their excellent contributions.

IV. CONFIDENTIALITY

Gone are the days where adding an additional lock

to the client file room door would almost guarantee

client information was protected. Today, law firms

transfer confidential information via email almost

daily. An entire client file can be placed on a flash

drive the size of a stick of gum. In the “paperless

office”, all of a client’s information is stored

electronically on servers, on hard drives or in the

cloud. Whether through the loss of a laptop or a flash

drive, or data breaches due to lack of proper

protections or due to hacking, lawyers face new

challenges in protecting client information. In addition

to the disciplinary rules historically imposed upon

lawyers, emerging and evolving federal and state laws

may be applicable to certain client information.

A. Texas Rules of Professional Conduct

The Texas Disciplinary Rules of Professional

Conduct provide that except as otherwise permitted

or required, a lawyer shall not knowingly “reveal

confidential information of a client or a former client

to: (i) a person that the client has instructed is not to

receive the information; or (ii) anyone else, other

than the client, the client’s representatives, or the

members, associates, or employees of the lawyer’s

law firm.” Confidential information includes both

privileged information and unprivileged client

information. Unprivileged client information means

all information relating to a client, other than

privileged information, acquired by the lawyer

during the course of or by reason of the

representation of the client. Comment 4 related to

Rule 1.05 notes that the rule generally extends

ethical protection to unprivileged information

relating to the client or furnished by the client during

the course of or by reason of the representation of

the client. See, Tex. Disciplinary R. Prof’l Conduct

1.05(a) and (b), reprinted in Tex. Gov’t Code Ann.,

tit. 2, subtit. G, app. A (West 2005 & Supp. 2009).

B. ABA Model Rule

In August 2012, the American Bar Association

added a new Model Rule 1.6(c) which provides: “A

lawyer shall make reasonable efforts to prevent the

inadvertent or unauthorized disclosure of, or

unauthorized access to, information relating to the

representation of a client.” New language in the

comment to this rule identifies factors that lawyers

should take into account in determining whether their

efforts are reasonable, including the cost of the

safeguards and the sensitivity of the information.

See, August 2012 Amendments to ABA Model Rules

of Professional Conduct.

In addition to the duties imposed upon lawyers by

the disciplinary rules, there are many federal and

state rules and regulations that impose additional

requirements of confidentiality on certain classes of

personal information, including requirements

associated with the destruction of personal

information.

C. Texas Business & Commerce Code

Texas is among the many states that have enacted

legislation that creates a duty for businesses to protect

personal information provided in the regular course of

business. Law firms are included among those

businesses that have a duty to protect the information

and to notify clients in the event of a breach of

security. The following is a sampling of duties created

by the Texas Business & Commerce Code.

1. The Texas Identity Theft Enforcement and

Protection Act (ITEPA): Requires businesses to (i)

implement and maintain reasonable procedures to

protect from unlawful use or disclosure any sensitive

personal information (SPI) collected or maintained by

the business in the regular course of business; (ii)

destroy or arrange for the destruction of customer

records containing SPI (that are not to be retained)

by shredding, erasing or otherwise making the

information unreadable or undecipherable. Tex. Bus.

& Com. Code Ann. § 521.052 (West 2009). Section

521.053 requires businesses that operate in Texas,

and own or license computerized data that includes

sensitive personal information, to disclose any breach

of its system security (which means unauthorized

acquisition of computerized data that compromises the

security, confidentiality, or integrity of sensitive

personal information maintained by a person,

including data that is encrypted if the person accessing

the data has the key required to decrypt the data) to

any person whose information was, or is reasonably

believed to have been, acquired by an unauthorized

person. Tex. Bus. & Com. Code Ann. §521.053 (West

2009).

There are monetary penalties for violations of the

Act. Fines of up to $500.00 for each record that could

potentially be exposed to unintended or unauthorized

review can be imposed. Additional penalties of up to

$20,000.00 per violation can be assessed against

businesses that give customers specific assurances

about protection of confidential information and then

fail to provide that protection.

2. Privacy Policy Necessary to Require

Disclosure of Social Security Number: A person

may not require an individual to disclose the

individual’s social security number (SSN) to obtain

goods or services from or enter into a business

transaction with the person unless the person (i) adopts

a privacy policy; (ii) makes the privacy policy

available to the individual; and (iii) maintains under the

privacy policy the confidentiality and security of the

SSN disclosed to the person. Tex. Bus. & Com.

Code Ann. § 501.052 (West 2009). The privacy

policy must include: (i) how personal information is

collected; (ii) how and when the personal information

is used; (iii) how the personal information is

protected; (iv) who has access to the personal

information; and (v) method of disposal of the

personal information. Id. Certain entities are exempt

including those required to maintain privacy policies

under the federal Gramm-Leach-Bliley Act, the

federal Family Educational Rights and Privacy Act of

1974, and the Health Insurance Portability and

Accountability Act of 1996. Tex. Bus. & Com. Code

Ann. § 501.051 (West 2009)

3. Disposal of Business Records Containing

Personal Identifying Information: When a business

disposes of a business record that contains personal

identifying information of a customer of the business,

the business shall modify, by shredding, erasing, or

other means, the personal identifying information so

as to make the information unreadable or

undecipherable. Tex. Bus. & Com. Code Ann. §

72.004 (West 2009). Exceptions include financial

institutions as defined by 15 U.S.C. 6809 and entities

defined by 601.001 of the Texas Insurance Code. Id.

Violators are subject to a civil penalty of up to $500

for each business record. Id. A business is considered

to be in compliance if it contracts with a person

engaged in the business of disposing of records for the

modification of PII on behalf of the business. Id.

D. HIPAA/HITECH

Most practitioners are familiar with the Health Insurance Privacy Portability and Accountability Act of 1996 (HIPAA). It requires releases for obtaining medical records and information frequently sought during family law disputes. It was updated in 2010 by the Health Information Technology for Economic and Clinical Health Act (HITECH). The purpose of the update was to require any business that handles personal health information to comply with HIPAA regulations.

E. Texas Health Privacy Law

A recent law was enacted to specifically target patient data privacy: HB 300 amended Chapter 181, Health and Safety Code, and became effective on September 1, 2012. According to health care providers, the law mandates patient privacy protections and harsher penalties for privacy violations related to electronic health records (EHR). The requirements of the Texas law are more stringent than those of its federal counterpart, the Health Insurance Privacy Portability and Accountability Act (“HIPAA”). It expands the definition of the term “covered entity” in the existing health privacy law and requires all employees of covered businesses to undergo training on HIPAA and Texas’ health privacy law within sixty (60) days of hiring and once every two (2) years thereafter. Additionally, the Texas Attorney General, Texas Health Services Authority, or Texas Department of Insurance is authorized to conduct compliance audits of covered entities that have consistently violated the Texas law. Fines for violations range from $5,000.00 up to $1,500,000.00 per year.

For a more detailed discussion see: Updates to the Texas Medical Privacy Act: How Texas Covered Entities Should Prepare, by George R. Gooch, J.D., http://www.law.uh.edu/healthlaw/perspectives/2012/HLPGoochHIPrivacy.pdf

F. Protecting Your Clients’ Confidentiality

Practicing law in today’s high-tech environment, while being faced with constantly evolving rules and regulations associated with privacy concerns, requires practitioners to take proactive steps to protect their clients and themselves. The following are relatively easy to implement steps that may go a long way in protecting client information while protecting yourself from liability.

1. Encryption

Encryption refers to a process of converting

information into a form which is unusable, unreadable,

and indecipherable to parties not possessing the

requisite decryption key. There currently exist

several popular encryption paradigms including: file or

folder encryption, full-disk encryption, and encrypted

communications to and from networked computers.

Regardless of the approach taken, encryption is quickly

becoming a standard requirement of the contemporary

law office because the loss of an encrypted computer

or encrypted data file often does not trigger notification

rules, thereby potentially protecting attorneys and

clients from the expenses and other ramifications

associated with a breach of client confidentiality.

a. Individual File Encryption

Individual file or folder encryption is perhaps the

first form of encryption adopted by many attorneys

using software programs such as Adobe Acrobat

Professional (Acrobat). Using Acrobat, a Portable

Document Format (PDF) file, or set of PDF files, can

be converted to a form that renders the file unreadable

to anyone lacking a corresponding password or digital

certificate. An encrypted file may then be stored on a

computer network or e-mailed to a client without fear

of inadvertent disclosure of confidential information.

Although easily implemented, individual file

encryption poses a significant challenge when dealing

with numerous clients and client matters that implicate

multiple passwords. If the password required for a

particular file were destroyed or otherwise were to

become unavailable, the contents of the encrypted file

would be in all likelihood lost and thus effectively

digitally “shredded.”
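The password-based file encryption described above, as an added example (not Adobe Acrobat's implementation and not code from the original paper): a key is derived from the password with scrypt and the file bytes are sealed with AES-256-GCM, so a wrong or lost password recovers nothing and any alteration of the stored file is detected. The function names and the container layout (salt, nonce, tag, ciphertext) are assumptions made for this illustration.

```javascript
// Added illustration of password-based file encryption (Node.js built-ins only).
// Names and the container layout below are assumptions, not any product's format.
const nodeCrypto = require('crypto');

const SALT_LEN = 16;   // random per file, stored in the clear
const NONCE_LEN = 12;  // AES-GCM nonce, random per encryption
const TAG_LEN = 16;    // GCM authentication tag
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the password into a 256-bit key. The salt makes every file's key
// different even when the same password is reused.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, SCRYPT);
}

// Returns a self-contained container: salt | nonce | tag | ciphertext.
function encryptFile(plaintext, password) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the password is wrong or any byte of the container was changed.
function decryptFile(container, password) {
  if (container.length < SALT_LEN + NONCE_LEN + TAG_LEN) {
    throw new Error('container too short');
  }
  const salt = container.subarray(0, SALT_LEN);
  const nonce = container.subarray(SALT_LEN, SALT_LEN + NONCE_LEN);
  const tag = container.subarray(SALT_LEN + NONCE_LEN, SALT_LEN + NONCE_LEN + TAG_LEN);
  const body = container.subarray(SALT_LEN + NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Returns the plaintext, or null when the file cannot be opened.
function tryOpen(container, password) {
  try {
    return decryptFile(container, password);
  } catch (err) {
    return null;
  }
}

// Constructed sample input: one short "client memo".
function demo() {
  const memo = Buffer.from('Constructed sample: privileged client memo', 'utf8');
  const sealed = encryptFile(memo, 'correct horse battery staple');
  const tampered = Buffer.from(sealed);          // copy, then flip one bit
  tampered[tampered.length - 1] ^= 0x01;
  return {
    leaksPlaintext: sealed.includes(memo),       // is the memo visible in the stored bytes?
    rightPassword: tryOpen(sealed, 'correct horse battery staple'),
    wrongPassword: tryOpen(sealed, 'Correct horse battery staple'),
    tampered: tryOpen(tampered, 'correct horse battery staple'),
  };
}
```

There is no recovery path in this design: the only way back to the plaintext is the exact password, which is why the password itself needs a managed, backed-up home.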

b. Full Disk Encryption (FDE)

Another encryption approach, typically

implemented on business-class laptops, is full-disk

encryption (FDE), either hardware-based or software-

based. With FDE, the contents of the entire hard drive

are stored in an encrypted state. In a hardware-based

implementation of FDE, a decryption key is stored

within the circuitry of the hard drive and data is

seamlessly decoded following initial entry of a

password by the user. In a software-based

implementation of FDE, pre-installed software such as

the open-source program TrueCrypt serves as a boot-time

gatekeeper requiring password entry prior to decoding

of user data. The ease of FDE is readily apparent;

however, care should be taken following initial

password entry because data is automatically decoded

until the system is turned off or rebooted.62

Unlike

individual file encryption, FDE does not require

password entry beyond a single boot-time entry. A

single password can be used for each computer which

stores confidential client information thereby rendering

the information unreadable should the computer be

stolen or otherwise misplaced.

c. Encryption of client communications

In addition to secure storage of client information

on internal office computers, electronic

communications with clients should also be encrypted.

Fortunately, most Internet services, including e-mail, e-

commerce, and document storage incorporate the

Secure Sockets Layer (SSL) protocol specified within

the settings of an e-mail software application or

identifiable by “https://” preceding a website address.

If “https://” does not precede a website address, then

the communications to and from that website are not

encrypted and are potentially readable by unknown

third parties.

2. Procedural Tips for Protecting Client Information

a. Security Prerequisites for Laptops and

Handhelds

Recommended security prerequisites for laptops and handhelds: (1) password protected with an inherently strong password; (2) relatively short laptop or handheld inactivity or the placement of handheld in holster causes timeout that blanks screen, or shuts down hard drive, deactivates keys or touch screen, and requires password for reactivation; (3) email should preferably be encrypted in transit to and from user; (4) stored files encrypted - text, images; (5) all data should preferably be remotely purged if laptop or handheld has gone missing.

62 Information on TrueCrypt can be found at (http://truecrypt.com), PGP Whole Disk Encryption (http://pgp.com), and Windows proprietary Bit Locker (http://microsoft.com/windows/windows-7/features/bitlocker.aspx).

b. Password Logistics

The propriety of passwords must be assured and sustained or else the integrity of the safeguarding protocol is undermined. This is a very serious and crucial aspect of safeguarding client data. While inconvenient and introducing another level of complexity to the law firm environment, password protocol must be carefully established and rigorously practiced and enforced. Use common sense with password protocol. For example, do not keep passwords in plain view near computers, do not generously share core or private passwords, and be discriminating when determining which personnel have access to core passwords.

c. Secure the laptops, mobile and memory devices

Be vigilant about properly caring for each and every storage device containing proprietary and confidential client information, both in the office and contained on a portable electronic device or storage medium. According to the FBI’s National Crime Information Center, the number of reported laptop and mobile device thefts is rising exponentially from year to year.

One of the most prevalent venues for laptop losses is U.S. airports: as many as 12,000 laptops are lost or stolen weekly at domestic airports, as estimated by the Ponemon Institute. This Institute has also guesstimated that as many as 800,000 memory devices, laptops, smartphones and thumb drive memory sticks are lost or stolen annually; and that major corporations are afflicted by annual robberies amounting to about 600 laptops, 2000 USB thumb drive memory sticks, 1000 smartphones, and 1,500 other portable electronic data storage devices.

Caution should be exercised in virtually every venue attorneys visit or travel through, not just airports and train stations, but also coffee shops, government buildings and offices, clients' offices and sites. It appears that contemporary criminals have adopted the protocol of stealing or demanding popular, easily liquidated electronic devices besides cash money. Laptops and netbooks should be held securely to prevent thieves from engaging in a snatch-and-run maneuver at an attorney's expense.


d. Remote Laptop Security

A recent fail-safe application to be considered by law firms is Remote Laptop Security ("RLS"), a procedure that enables users to control access to files on a laptop even if the laptop has gone missing. Proprietary files for safeguarding are selected a priori and are implicated in a protocol for either restoring or terminating the account that owns the data files. The designated administrator selects which files are to be safeguarded using the RLS application. Duly safeguarded files are then converted and encrypted to permit only authorized access. For a laptop which has gone missing, access to secured files is unequivocally denied. There are RLS tools dependent upon Internet or WiFi connections, and even cellular access. Out of an abundance of caution, RLS applications should periodically authenticate user identity. Of course, under circumstances in which access to proprietary files on a particular laptop has been deactivated, that laptop ceases to be authenticated.

e. Client Confidentiality and Third Parties

The Supreme Court of Texas Professional Ethics Committee Opinion Number 572, June 2006, addresses the use of an independent contractor, such as a copy service, hired by the lawyer to perform services in connection with the lawyer’s representation of the client. The Committee concluded:

A lawyer's delivery of materials containing privileged information to an independent contractor providing a service, such as copying, to facilitate the lawyer's representation of a client (and not for the purpose of disclosing information to others) does not constitute "revealing" such privileged information within the meaning of Rule 1.05, provided that the lawyer reasonably expects that the independent contractor will not disclose or use such items or their contents except as directed by the lawyer and will otherwise respect the confidential character of the information. In these circumstances, the independent contractor owes a duty of confidentiality both to the lawyer and to the lawyer's client.

Although not explicitly addressed by the Committee, use of independent contractors in the form of Internet-based services would not necessarily constitute revealing of privileged client information. However, attaining a reasonable expectation that Internet-based service providers will neither disclose nor use such privileged information, except as directed by the lawyer, may prove problematic.

3. Maintaining Client Confidentiality 101

In its article, Preventing Law Firm Data Breaches, the Texas Bar Journal discussed security basics that every lawyer should know, including:

Have a strong password of at least 12 characters. A strong 12-character password takes roughly 17 years to crack.

Don’t use the same password everywhere.

Change your passwords regularly.

Do not have a file named “passwords” on your computer.

Change the defaults. Whether you are configuring a wireless router or installing a server operating system, make sure you change any default values.

Laptops should be protected with whole disk encryption, no exceptions.

Backup media should be encrypted. If you use an online backup service, make sure the data is encrypted in transit and while being stored. Also, be sure that employees of the backup vendor do not have access to decrypt keys.

Thumb drives should be encrypted.

Keep your server in a locked rack in a locked closet or room. Physical security is essential.

Most smartphones write some amount of data to the phone. Opening a client document may write it to the smartphone. The iPhone is data rich. Make sure you have a PIN for your phone. This is a fundamental protection. Don’t use “swiping” to protect your phone as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also make sure that you can wipe the data remotely if you lose your phone.

Solos and small firms should use a single integrated product to deal with spam, viruses and malware.

Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, make sure that all communications are secure. WEP is weaker and can be cracked. The only wireless encryption standards that have not been cracked (yet) are WPA with the AES (Advanced Encryption Standard) or WPA2.

Make sure all critical patches are applied. This may be the job of your IT provider, but too often this is not done.

If software is no longer being supported, its security may be in jeopardy. Upgrade to a supported version to ensure that it is secure.

Control access.


Using cloud providers for software applications is fine, provided that you made reasonable inquiry into their security. Read the terms of service carefully and check your state for current ethics opinions on this subject.

Be wary of social media applications, as they are now frequently invaded by cybercriminals. Giving another application access to your credentials for Facebook, as an example, could result in your account being hijacked. And even though Facebook now sends all hyperlinks through Websense first (a vast improvement), be wary of clicking on them.

Consider whether you need cyber insurance to protect against the possible consequences of a breach. Most insurance policies do not cover the cost of investigating a breach, taking remedial steps or notifying those who are affected.

Dispose of anything that holds data, including a digital copier, securely. For computers, you can use a free product like DBAN to securely wipe the data.

Use wireless hot spots with great care. Do not enter any credit card information or login credentials prior to seeing the https: in the URL.

For remote access, use a VPN or other encrypted connection.

See, Sharon D. Nelson and John W. Simek, Preventing Law Firm Data Breaches, Texas Bar Journal, May 2012, p. 364.

V. HELPFUL LINKS TO FEDERAL LAWS, ACTS AND POLICIES ON PRIVACY AND CONFIDENTIALITY

1. The Patient Safety and Quality Improvement Act of 2005 (PSQIA) Patient Safety Rule: Confidentiality protections to encourage the reporting and analysis of medical errors. http://ahrq.gov/qual/psoact.htm

2. The Confidential Information and Statistical Efficiency Act of 2002 (CIPSEA): This act ensures that information provided to statistical agencies for statistical purposes under a pledge of confidentiality can be used only for statistical purposes, and that individuals' or organizations' confidential data should be kept confidential. http://bls.gov/opub/mlr/cwc/confidentiality-information-protection-and-statistical-efficiency-act-of-2002.pdf

3. Freedom of Information Act: This website provides guidelines as to which data may and may not be disclosed under the terms of the Freedom of Information Act. http://foia.gov

4. The American Bar Association’s Legal Technology Resource Center provides information regarding the latest legal technology and an extensive resource list on technology related ethics matters. http://americanbar.org/groups/departments_offices/legal_technology_resources.html.

5. The Federal Trade Commission is responsible for many business related privacy laws, and its website provides an extensive listing of legal resource statutes relating to consumer protection, including The Children’s Online Privacy Protection Act, Health Information Technology Provisions of American Recovery and Reinvestment Act of 2009, Title XIII, Subtitle D, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. http://ftc.gov.

6. TRUSTe operates a privacy seal program which certifies how businesses collect and manage personally identifiable information. http://truste.com/about-TRUSTe/.

7. The Better Business Bureau offers a data security guide which includes checklists for small businesses to secure sensitive data, safely transmit data, properly dispose of paper and electronic records and includes steps to take in the event of a data breach. http://bbb.org/us/bbb-online-business/.

8. Privacy Act of 1974: Provides an overview of the Privacy Act, which safeguards personal information held by government agencies from queries by others. http://justice.gov/opcl/privstat.htm

9. Family Educational Rights and Privacy Act (FERPA): Protects privacy of educational data. http://ed.gov/policy/gen/guid/fpco/ferpa/index.html

10. Library of Congress' Thomas Search Engine for U.S. Federal Legislation: A search engine for the text of bills. You can search by exact bill number, if known, or by a topic such as "HIPAA," "Confidentiality," "Patriot Act," or "E-Government Act of 2002" which will produce a list of direct links to the legislation. http://thomas.loc.gov/home/thomas.php

11. Legal Information Institute at the Cornell Law School: This website has materials to make law more accessible to students, teachers, and the general public. http://law.cornell.edu/

12. The Code of (U.S.) Federal Regulations (CFR): This website allows users to access all the Federal regulations issued by any agency. The CFR is a codification of the general and permanent rules published in the Federal Register by the Executive departments and agencies of the Federal Government. http://gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR

13. Several statistical agencies have their own confidentiality statutes, e.g., the Census Bureau, the National Center for Education Statistics and the National Science Foundation. Search their web sites for specific details.

VI. CONCLUSION

It is often said that the best defense is a good offense. The smart practitioner will heed this advice and take proactive steps to remain abreast of the evolution of privacy laws and requirements for the protection of confidential client information. It may never be possible to fully insulate client information in today’s environment, but self-educating and taking precautionary measures may prevent you from having to phone your malpractice carrier in the event of a data breach.