PRIVACY AND CONFIDENTIALITY ISSUES
REGINALD A. HIRSCH
1980 Post Oak Boulevard
Suite 2210
Houston, Texas 77056
(713) 961-7800
State Bar of Texas
eDISCOVERY IN YOUR CASE
February 7, 2014
Austin
CHAPTER 9
REGINALD A. HIRSCH Law Office of Reginald A. Hirsch
1980 Post Oak Boulevard, Suite 2210, Houston, Texas 77056 (713) 961-7800 FAX: (713) 961-3453 E-Mail:[email protected]
BIOGRAPHICAL INFORMATION
DATE OF BIRTH: February 24, 1947, Houston, Texas
MARRIED: Patricia Wicoff, Attorney at Law
Child: Sarah Lauren Hirsch, Age 26, Law Student STCL
EDUCATION:
Lamar High School, Houston, Texas, 1965
B.S., University of Houston, 1970
J.D., University of Houston, 1973
Chief Justice Student Court, University of Houston Student Court, 1972-1973
Student Regent to the University of Houston Board of Regents, 1972-1973
PROFESSIONAL EMPLOYMENT:
Assistant Attorney General for State Bar of Texas, Environmental Division, 1973-1974
Balasco, Clark, Hirsch and Stern, 1974 - 1979
Lipstet & Hirsch, 1979 - 2008
Law Office of Reginald A. Hirsch, 2008 to present
PROFESSIONAL LICENSES:
State Bar of Texas, 1973
U.S. District Court, Southern District of Texas, 1974
U.S. Court of Appeals, Fifth Circuit, 1974
PROFESSIONAL ACTIVITIES:
Board Certified in Family Law, 1979-2014
President, Harris County Young Family Lawyers Association, 1977
President, Family Law Section, Houston Bar Association, 1980-1981
Member, State Bar of Texas, Family Law Counsel, 1985-1989
Chairman, Houston Volunteer Lawyers Association, 1983-1984
Director, The Association of Trial Lawyers of America, 1985
President, Family Law Forum, 1983-1985
Director, Association of Gulf Coast Family Law Specialists, 1989-1990
President, Gulf Coast Legal Foundation, 1986
Texas Association of Family Law Specialists
International Society of Family Law
National Association of Counsel for Children
American Academy of Matrimonial Lawyers
Adjunct Professor, South Texas College of Law, Environmental Law, 1975-1977
Guest Lecturer at Baylor College of Medicine
Guest Lecturer at University of Houston Law School, South Texas College of Law, TSU Marshall School of Law
Master, American Inns of Court
Chairperson, Family Law Task Force 2000
Treasurer, American Inns of Court, Burta Raborn Chapter 2005-2009
President, American Inns of Court, Burta Raborn Chapter, 2010-2011
Council Member, State Bar of Texas, Computer and Technology Section, 2013-2016
Recent Article and Speeches
Recipient, David Gibson Award, Gulf Coast Family Law Specialist, Houston, Tx, May 11, 2006 http://www.youtube.com/watch?v=Y1TjcxaAZ3U&feature=relmfu
Recipient, Texas Super Lawyer, 2007-2013, Family Law, Texas Monthly Magazine
Author, Speaker, University of Texas, The Definitive Short Course on Parent Child Relationships, “The World of Court Appointees: Amicus Attorneys, Attorney Ad Litems, Guardian Ad Litems and Social Studies,” Austin, Tx, November 8, 2007
Author, Speaker, State of Texas Judicial College, “Electronic Evidence Issues,” Richardson, Tx, April 17, 2008
Author, Speaker, Co-Panelist, 8th Annual Family Law on the Front Line, “Electronic Evidence – Fighting the War of the Roses in the Electronic Age,” Galveston, Tx, June 20, 2008
Recipient, Judge Judy Warne’s Weekly Acknowledgment of Contribution to the Bench and Bar, June 9, 2008
Author, Speaker, Advanced Family Law Course, “When Technology and Family Law Collide”, San Antonio, August 11, 2008
Speaker, HAL-PC Legal Sig, Electronic Evidence, January 21, 2009 Houston, Tx
Author, Speaker, The Impact of Technology on the Parent-Child Relationships: Critical Thinking For Critical Issues, University of Texas, Austin, Tx January 29, 2009
Author, Speaker, Using Electronic Evidence, 23rd Annual Family Law Conference, South Texas College of Law, March 5, 2009
Author, Speaker, What every CPA should know about Electronic Evidence, Houston CPA Society, April 24, 2009
Author, Co-Speaker, Using the Latest Technology in the Courtroom and Electronic Evidence Workshop, Advanced Family Law, Dallas, Tx, August 3-6, 2009
Speaker, Judges and Social Media, Bar to Bench: So You Want to Be a Judge?, Web Cast, State Bar of Texas, Austin, Tx, November 4, 2009
Author, Speaker, Electronic Evidence-How to Avoid Getting Shocked, Ultimate Trial Notebook, San Antonio, Tx, December 3-4, 2009
Speaker, Windows 7 and Office 2010, HAL-PC, Houston, Tx, January 20, 2010
Co-Speaker, Author, Electronic Evidence and Discovery, South Texas School of Law, 24th Annual Family Law Conference, Houston, Tx, March 10, 2010
Presiding, Parent Child Relationships: Advanced, UT, Houston, TX, January 27, 2011
Author, Co-Speaker, 30 Hot Tips in 30 Minutes, Advanced Family Law Conference, San Antonio, Tx, August 1, 2011
Author, Co-Speaker, Cutting Edge Apps and High Tech Tools for Family Lawyers, Advanced Family Law Conference, San Antonio, Tx, August 4, 2011
Author, Speaker, Electronic Evidence, Texas College of Judicial Studies, Austin, Tx, April 10, 2012
Author, Co-Speaker, Inventories and Internet Resources, Advanced Family Law Conference, August 8, 2012, Houston, Tx
Author, Speaker, Family Law Technology Course, Latest Tech Tools for Your Office, Austin, Tx, December 13-14, 2012 http://www.youtube.com/watch?v=k9vukNBfM80
Author, Co-Speaker, Family Law Technology Course, Looking Beyond the Horizon, Austin, Tx, December 13-14, 2012
Author, Co-Speaker, Enhancing Your Case Through Technology, Innovations-Breaking Boundaries in Custody Litigation, UTCLE/AMML, January 24-25, 2013
Author, Co-Speaker, Discovery and Electronic Evidence, 27th Annual Family Law Conference, South Texas College of Law, March 8, 2013 Houston, Tx
Speaker, 12th Annual Biennial Sampson and Tindall, Family Law Update, June 2013 Houston and Dallas, Tx
Speaker, Author, Forensic Examination of Cell Phones, American Academy of Matrimonial Lawyers, Video, June 2013, http://www.aaml.org/member-resources/launch-learn
Speaker, Author, iPads for Lawyers, A Marriage Made in Heaven, Advanced Family Law Conference, San Antonio, Tx, August 6, 2013
Speaker, Author, Gulf Coast Family Law Specialist, Interesting Apps for Family Lawyers, September 12, 2013, Houston, Tx
Speaker, Author, AAML, Top Ten Tech Tools for Family Lawyers, Chicago, Illinois, November 7, 2013
Recipient, Houstonia Magazine, List of Best Houston Family Lawyer, Dec., 2013
Co-Author, Texas Perspective on E-discovery, Chapter 23, Practical E-Discovery Advice in Family Law Cases, TexasBarCle.
Author, Speaker, E-Discovery In Your Case, Chapter 9, Confidentiality and Privacy Issues, February 7, 2014, Austin, Tx, TexasBarCLE
TABLE OF CONTENTS
I. INTRODUCTION
II. PRIVACY
  A. A Short History of Privacy
  B. Privacy and the Constitutions
  C. Right to Privacy in Common Law
  D. Causes of Action in Tort
    1. Statutory
    2. Texas Case Law
  E. Practical Analysis of an Invasion of Privacy Claim
III. INTERCEPTION OF COMMUNICATION
  A. Communications Act (“Stored Communications Act”)
    1. Conflicting Definitions of “Electronic Storage”
    2. Social Media and the Stored Communications Act
  B. The Electronic Communications Privacy Act (ECPA)
    1. Criticisms of ECPA
    2. Digital Due Process – the Movement
  C. The Federal Wiretap Act
    1. Exceptions to the Federal Wiretap Act
  D. Texas Wiretap Statutes – the Federal Counterpart
    1. Texas Civil Practice and Remedies Code
    2. Texas Penal Code
    3. Exception to the Texas Wiretap Act
  E. Computer Breach – the Penal Code
    1. Caveat Emptor – vehicle ownership required
    2. Exception: Law enforcement
  F. Spyware
    1. Spyware on the Mobile Phone
    2. Spyware on your computer – key logger programs
IV. CONFIDENTIALITY
  A. Texas Rules of Professional Conduct
  B. ABA Model Rule
  C. Texas Business & Commerce Code
V. HELPFUL LINKS TO FEDERAL LAWS, ACTS AND POLICIES ON PRIVACY AND CONFIDENTIALITY
VI. CONCLUSION
PRIVACY AND CONFIDENTIALITY ISSUES
By Reginald A. Hirsch
I. INTRODUCTION
Our first introduction to issues regarding privacy
and confidentiality was probably the school yard,
where we were introduced to “shh” and “secrets” and
realized that there was another world of
communication. As most practitioners are aware,
technology is advancing at a break-neck pace. Almost
every day we are presented with a new electronic
device or app that records or intercepts information.
With the touch of a few keys on a computer or mobile
device, and often at a nominal cost, telephone
conversations can be intercepted, the key strokes you
make on your home computer can be transmitted to
another location, and the act of carrying a cellular
telephone can mean that your every move is being
tracked and recorded. As a result of this evolution in
technology, the once seemingly sacred right of privacy
has been battered and pummeled, and our lawmakers
struggle to keep pace with this ever-changing, often
hostile environment. With the revelations of the
programs being used by the NSA, we may reasonably
ask what is left regarding privacy and privacy rights.
On October 31, 2013, in an article entitled “No U.S.
Action, So States Move on Privacy Law”, the New
York Times pointed out that with the lack of federal
oversight and laws, individual states are now moving
into the area of protecting privacy rights. See:
http://nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html
This rush of 21st Century technology impacts us as
lawyers as we are confronted weekly with substantive
issues concerning technology that is being used by or
against our clients. The guidance available to assist in
determining what is proper or, more importantly, what
is improper is often conflicting and dated when
compared with the technology in question. It is a
caveat emptor environment: being forewarned is being
forearmed.
The goal of this paper is to reduce fear, supplant it
with knowledge and remind everyone that the struggle
to protect your client and yourself requires constant
vigilance.
Finally, I would like to thank Lacy LaFour of the
LaFour Law Firm, P.C. in Houston, Texas who
assisted me in the accumulation of materials, writing
and editing of this paper. After reviewing the materials
in this article, she announced that she is terminating
her cell and internet services and moving to Sri Lanka.
The following portions of this paper were adapted
from Reginald A. Hirsch’s paper, “Spy vs. Spy – The
Legality of using Wiretaps, Spyware, GPS and Other
Eavesdropping Technologies,” which was presented
during the State Bar of Texas Soaking up Some CLE
course in May 2010, and the excellent paper written by
Reginald A. Hirsch, Rick Robertson and Cindy V.
Tisdale entitled, “Electronic Evidence: How to Avoid
Getting Shocked”, State Bar of Texas Best of 2009
Part Two, February 2010.
II. PRIVACY
A. A Short History of Privacy
In order to understand how technology may impact
or invade privacy, it is important to understand the
right to privacy and the related causes of action.
The idea of a legal right to privacy was first
addressed in the United States in an 1890 Harvard Law
Review article entitled “The Right to Privacy” by Louis
Brandeis (later a Supreme Court Justice) and Samuel
D. Warren.1 Brandeis and Warren argued that the
Constitution and the common law allowed for the
deduction of a general “right to privacy”. Their article
was the result of a late 1800s outbreak of what we now
call “sensational journalism” and their attempt to
provide a legal framework for protecting intrusions
into privacy.
Later, the renowned tort expert, Dean Prosser,
argued that “privacy was composed of four separate
torts, the only unifying element of which was a (vague)
‘right to be left alone’.” The four torts addressed by
Dean Prosser were:
1. Intrusion upon the plaintiff’s seclusion or
solitude or into his private affairs;
2. Public disclosure of embarrassing private
facts about the plaintiff;
3. Publicity which places the plaintiff in a false
light in the public eye; and
4. Appropriation, for the defendant's advantage,
of the plaintiff’s name or likeness.2
In 1967, the United States Supreme Court was
confronted with a case in which the Defendant walked
into a telephone booth, closed the door and made a
call. The FBI had previously placed a recording device
on the outside of the glass telephone booth and the
Defendant’s telephone call was recorded. The issue
addressed by the court was whether this action by the
FBI violated the Defendant’s Fourth Amendment
rights. Ultimately, the Court concluded that the
Defendant’s constitutional protections were violated
because the Defendant, when making a call with the
telephone booth door closed, had a “reasonable
expectation of privacy.”3
1 Harvard Law Review, Volume VI, 12-15-1890, No. 5.
2 See, Prosser’s Privacy Law; A Mixed Legacy, California Law Review, Vol. 98, Issue 6, Article No. 5, 2010. Ultimately, Prosser’s writings and thoughts were codified in the 2nd Restatement of Torts, Section 652(B-D) in 1997.
B. Privacy and the Constitutions
The word "privacy" is never actually used in the
text of the United States Constitution or any of its
amendments, but certain provisions have been
recognized in case law as implicitly creating protected
“zones of privacy”.4
Similarly, the Texas Constitution does not
expressly guarantee a right to privacy, but the Supreme
Court in Texas State Employees Union, et al., v. Texas
Department of Mental Health and Mental Retardation,
et al.,5 recognized implicit privacy protections:
While the Texas Constitution contains no
express guarantee of a right to privacy, it
contains several provisions similar to those in
the United States Constitution that have been
recognized as implicitly creating protected
"zones of privacy."6 Section 19 of the Texas
Bill of Rights protects against arbitrary
deprivation of life and liberty.7 Section 8
provides the freedom to "speak, write or
publish". Section 10 protects the right of an
accused not to be compelled to give evidence
against himself.8 Sections 9 and 25 guarantee
the sanctity of the individual's home and
person against unreasonable intrusion.9
Finally, the Texas Constitution protects the
rights of conscience in matters of religion.10
Each of these provisions gives rise to a
concomitant zone of privacy.11 We do not
doubt, therefore, that a right of individual
privacy is implicit among those "general, great,
and essential principles of liberty and free
government" established by the Texas Bill of
Rights.12 We hold that the Texas Constitution
protects personal privacy from unreasonable
intrusion. This right to privacy should yield
only when the government can demonstrate
that an intrusion is reasonably warranted for
the achievement of a compelling governmental
objective that can be achieved by no less
intrusive, more reasonable means.”
Based upon these implicit protections, one may assert
that a cause of action for invasion of privacy exists
under Texas law even if a federal or state criminal
statute has not been violated.
3 See Katz v. U.S., 389 U.S. 349 (1967).
4 See Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).
5 Texas State Employees Union, et al., Petitioners, v. Texas Department of Mental Health and Mental Retardation, et al., Respondents, 746 S.W.2d 203 (Tex. 1987).
6 Cf. Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed.2d 147 (1972).
7 TEX.CONST., art. 1, § 19.
8 TEX.CONST., art. 1, § 8, 10.
9 TEX.CONST., art. 1, § 9, 25.
10 TEX.CONST., art. 1, § 6.
11 Cf. Griswold v. Connecticut, 381 U.S. 479, 484, 85 S. Ct. 1678, 1681, 14 L.Ed.2d 510 (1965).
12 TEX.CONST., art. I, Introduction to the Bill of Rights.
C. Right to Privacy in Common Law
Most states have recognized a tort right to privacy
in common law. The common law privacy intrusion
tort is violated if someone intentionally intrudes upon
the private affairs, seclusion or solitude of another
person by means that would be highly offensive to a
person of ordinary sensibilities. In cases where wiretap
acts are not violated, the common law invasion of
privacy tort may apply to the various forms of
surveillance that will be discussed later in this paper.
A violation of the invasion of privacy tort might result
in an award for compensatory damages, but it may not
be a basis for excluding evidence in some court
proceedings.
D. Causes of Action in Tort
1. Statutory
Section 625B of the Restatement (Second) of Torts
(1977) provides a cause of action and liability against:
One who intentionally intrudes, physically or
otherwise, upon the solitude or seclusion of
another or in his private affairs or concerns, is
subject to liability to the other for invasion of
his privacy, if the intrusion would be highly
offensive to a reasonable person.
To recover on the tort of invasion of privacy, the
complainant must show:
• conduct in the nature of an intrusion;
• the private nature of the thing or place intruded upon; and
• the intrusion was substantial and the conduct highly offensive or objectionable to the reasonable person.
In the Handbook of the Law of Torts, Professor
William L. Prosser catalogued four distinct injuries
under the tort of invasion of privacy:
• intrusion upon a person’s right to be left alone in his or her own affairs;
• publicity given to private information about a person;
• appropriation of some element of the person’s personality for commercial use; and
• false light.13 14
2. Texas Case Law
• Texas recognizes a cause of action for willful invasion of privacy.15
• The Texas Constitution guarantees the sanctity of the home and person against unreasonable intrusion.16
• The concept of invasion of privacy covers intrusion on a party’s seclusion, solitude, or private affairs.17
• Texas has also recognized the following claims for intrusion on seclusion:
  - Wiretapping18
  - Videotaping (defendant liable for videotaping plaintiff’s bedroom without plaintiff’s consent)19; (invasion of privacy when defendant videotaped himself and plaintiff engaging in sexual intercourse and later aired the tape to third parties)20
  - Privacy at home (telephone company liable when employee entered home without customer’s permission and no one present)21
  - Surveillance (defendant who continuously stalked, followed and spied on plaintiff invaded plaintiff’s right to privacy)22
  - Privacy at work (searching through an employee’s locked personal locker constituted an intrusion of privacy)23
  - Privacy in public (conversation in public place was private where the parties to the conversation used hushed voices, stood away from other people and close to each other)24
• Liability for invasion of privacy does not depend on any publicity given to the person whose interest is invaded or to his affairs.25
• Punitive damage award of $1,000,000 (21% of defendant chiropractor husband’s net worth) where the defendant had bugged telephones of wife’s attorneys and engaged in other outrageous conduct.26
13 TEX.CONST., art. I, Introduction to the Bill of Rights.
14 These four variations of the tort were adopted by the Second Restatement of Torts. See Restatement (Second) of Torts § 652A (1977).
15 Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).
16 Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex. 1987).
17 See Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993); Texas State Employees Union v. Texas Dep’t of Mental Health and Mental Retardation, 746 S.W.2d 203 (Tex. 1987).
18 Billings v. Atkinson, 489 S.W.2d 858 (Tex. 1973).
19 Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).
20 Boyles v. Kerr, 855 S.W.2d 593 (Tex. 1993).
21 Gonzales v. Southwestern Bell Tel. Co., 555 S.W.2d 219, 222 (Tex. App. – Corpus Christi 1977, no writ).
22 Kramer v. Downey, 680 S.W.2d 524, 525 (Tex. App. – Dallas 1984, writ ref’d n.r.e.).
23 K-Mart Corp. v. Trotti, 677 S.W.2d 632, 637 (Tex. App. – Houston [1st Dist.] 1984, writ ref’d n.r.e., 686 S.W.2d 593 (Tex. 1985)).
E. Practical Analysis of an Invasion of Privacy
Claim
The key to understanding if an invasion of privacy
has occurred is to determine a person’s expectation of
privacy related to the object of the potential intrusion.
The litmus test for claims of invasion of privacy
depends on the answer to the following question:
“Was the material or data preserved in a
manner to give rise to a reasonable
expectation of privacy?”
The following is a typical scenario that a practitioner
might face:
My client has accessed a computer located in
her home, and during this access she observed
her spouse engaged in “x” activity.
In this situation, the practitioner should immediately
contemplate the following: Was the client’s access to
the computer in her residence legal? If it was not, what
kind of trouble am I in, if any, just by looking at the
material my client obtained from the computer?
In order to answer these questions, all relevant
criteria should be examined and weighed:
1. Where in the home was the computer located?
2. Was it in the spouse’s private office, or was it
in a main area of the house?
3. Was the computer or the document that was
viewed password protected? If so, was the
password kept secret by the spouse and not
disclosed to others, or did other members of
the household have access to the password?
4. Was the computer used by other family
members or 3rd parties?
5. Was the computer a personal or business
computer?
6. Was it used by the accessing spouse regularly
or infrequently, or not at all?
24 Stephens v. Dolcefino, 126 S.W.3d 120 (Tex. App. – Houston [1st Dist.] 2003).
25 Clayton v. Richards, 47 S.W.3d 149 (Tex. App. – Texarkana 2001, no pet.); Restatement (Second) of Torts 752B, cmt. A (1987).
26 Parker v. Parker, 897 S.W.2d 918, 930 (Tex. App. – Fort Worth 1995, writ denied) overruled on other grounds by Formosa Plastics Corp. USA v. Presidio Engineers & Contractors, Inc., 960 S.W.2d 41
If the answers to the above questions indicate the
computer was located in a common area of the home,
that it was not password protected and it was often
used by the accessing spouse as well as other family
members, it is unlikely the spouse had a reasonable
expectation of privacy to the computer.
Conversely, if the analysis indicates that the
computer in question was housed in the other spouse’s
home office, that it was never used by third parties, and
that it was password protected, it is likely the spouse
had a reasonable expectation of privacy in relation to
the computer, and a claim for invasion of privacy may
exist. In this event, the practitioner would not want to
take possession of or view any of the material accessed
by the client. In addition to advising the client of the
possible impropriety of her actions, the client should
immediately be instructed not to deliver any of the
material to the lawyer or the lawyer’s staff, and the
lawyer’s staff should be instructed accordingly.
There are many components to consider when
analyzing an invasion of privacy claim; in the event of
a close call, a practitioner should always err on the side
of caution.
III. INTERCEPTION OF COMMUNICATION
A. Communications Act (“Stored Communications
Act”)
The primary purpose of the Stored
Communications Act is to protect the privacy interests
in personal information that is stored on the Internet,
and to limit the government’s ability to compel
disclosure of an Internet user’s information contained
on the Internet and held by a third party.
More specifically, the Act prohibits: (1) the
intentional accessing of a facility through which an
electronic communication service is provided without
authorization; or (2) the intentional exceeding of an
authorization to access a facility; and thus obtaining,
altering, or preventing authorized access to a wire or
electronic communication (such as, e-mail or
voicemail) while it is in electronic storage.27 The
Act defines “electronic communication service” as
any service that provides users the ability to send or
receive wire or electronic communications.28 The Act
defines “electronic storage” as: (1) “any temporary,
immediate storage of a wire or electronic
communication incidental to the electronic
transmission thereof;” and (2) “any storage of such
communication by an electronic communication
service for purposes of backup protection of such
communication.”29 Possible penalties include a fine,
imprisonment, or both.30
27 (71) 18 U.S.C. Sec. 2701(a)
1. Conflicting Definitions of “Electronic Storage”
Although the Act defines “electronic storage”,
several courts have interpreted the definition of
“electronic storage” in slightly different ways. At the
time of this writing, what is in “electronic storage”, and
thus regulated by the Act, depends on where the storage
is located, e.g., on a person’s hard drive or saved onto a
remote server such as Hotmail. To wit:
In Fraser v. Nationwide Mutual Insurance Co.31
the Eastern District Court of Pennsylvania held that
access to e-mail on a hard drive was not subject to
the Stored Communications Act. The court reasoned
that the “post-transmission storage [on a hard drive]”
is not commensurate with “electronic storage” as
contemplated by the Act.
A New Jersey court in White v. White tested the
holding of Fraser.32 The state court evaluated the
applicability of the Act, as well as state statutes, to
interspousal access to email stored on a computer in
the family home. After Wife discovered a letter from
Husband to his girlfriend, allegedly in plain view,
Wife hired a computer detective. The detective, at
Wife’s discretion and without using Husband’s
password, copied his e-mails that were stored on the
hard drive.33 The New Jersey Court held that Wife
did not violate the Act because: (1) the email was
not in “electronic storage” when it was accessed
because the family computer’s hard drive was not
“electronic storage” and (2) the access was not
“without authorization” as contemplated by the Act.34
In partial contrast, the Western District Court of
Wisconsin in Fischer v. Mt. Olive Lutheran Church
held that the Act does apply to stored email – at least
in some situations.35 The court found that emails
from a Hotmail account that were accessed without
authorization were stored by an electronic
communication service because the e-mails were saved
on Hotmail’s servers.36
28 (72) 18 U.S.C. Sec. 2510 (15)
29 (73) 18 U.S.C. Sec. 2510(17) (2000)
30 (74) 18 U.S.C. Sec. 2701(b)
31 (75) 135 F. Supp.2d 623 (E.D. Pa. 2001)
32 (76) 781 A.2d 85 (N.J. Super Ct. Ch. Div. 2001)
33 (77) Id. at 87
34 (78) See id.
35 (79) 207 F. Supp.2d 914 (W.D. Wis. 2002)
2. Social Media and the Stored Communications Act
Currently, it is an unsettled question as to whether
postings on Facebook and MySpace are protected
under the Act. At least one Court has provided
protection to social media sites from producing
information in response to a subpoena. In Crispin v.
Christian Audigier, Inc., the Central District of
California held that Facebook and MySpace were
protected under the Stored Communications Act.37
B. The Electronic Communications Privacy Act
(ECPA)
The Electronic Communications Privacy Act of
1986 (ECPA Pub. L. 99-508, Oct. 21, 1986, 100 Stat.
1848,18 U.S.C. § 2510[2]) was enacted by the United
States Congress to extend government restrictions on
wiretaps from only telephone calls to include
transmissions of electronic data by computer.
Specifically, the ECPA was an amendment to Title
III of the Omnibus Crime Control and Safe Streets Act
of 1968 (the Wiretap Statute), which was primarily
designed to prevent unauthorized government access to
private, electronic communications. The ECPA also
added new provisions prohibiting access to stored
electronic communications, i.e., the Stored
Communications Act,18 U.S.C. §§2701-2712, and also
included so-called pen/trap provisions that permit the
tracing of telephone communications. §§ 3121-3127.
Later, the ECPA was amended, and weakened to
some extent, by provisions of the USA PATRIOT Act.
Additionally, Section 2709 of the Act, which allowed
the FBI to issue National Security Letters (NSLs) to
Internet service providers (ISPs) ordering them to
disclose records about their customers, was ruled
unconstitutional under the First (and possibly Fourth)
Amendments in ACLU v. Ashcroft (2004).
1. Criticisms of ECPA
Since the enactment of the ECPA in 1986, there
have been sweeping advancements in communication
technology and the way in which people use it. Some
of these changes include:
Email: Most Americans have embraced email
in their professional and personal lives and use
it daily for confidential communications of a
personal or business nature. Because of the
importance of email and unlimited storage
capabilities available today, most people save
their email indefinitely, just as they previously
saved letters and other correspondence. The
difference, of course, is that it is easier to save,
search and retrieve digital communications.
Many of us now have many years’ worth of
stored email; for many people, much of that
email is stored on the computers of service
providers.
36 (80) Id. at 925
37 Buckley H. Crispin v. Christian Audigier, Inc., et al., CV 09-09509-MMM-JEMx (C.D. Cal.) (May 26, 2010)
Mobile location: Cell phones and mobile
Internet devices constantly generate location
data that supports both the underlying service
and a growing range of location-based services
of great convenience and value. This location
data can be intercepted in real-time, and is
often stored in easily accessible log files.
Location data can reveal a person’s
movements, from which inferences can be
drawn about activities and associations.
Location data is augmented by very precise
GPS data being installed in a growing number
of devices.
Cloud computing: Increasingly, businesses
and individuals are storing data "in the cloud,"
with potentially huge benefits in terms of cost,
security, flexibility and the ability to share and
collaborate.
Social networking: One of the most striking
developments of the past few years has been
the remarkable growth of social networking.
Hundreds of millions of people now use these
social media services to share information with
friends and as an alternative platform for
private communications.
Because the ECPA has been significantly outpaced by
technology, there are wide scale issues associated with
the interpretation and application of the Act, and the
ECPA does not provide protection suited to the way
technology is used today. For example:
a. Conflicting Standards
The ECPA sets rules for governmental access to
email and stored documents that are not consistent. A
single email is subject to multiple different legal
standards in its lifecycle, from the moment it is being
typed to the moment it is opened by the recipient to the
time it is stored with the email service provider. The
Act does not clearly state the standard for
governmental access to local information.
b. Illogical Distinctions
A document stored on a desktop computer is
protected by the warrant requirement of the Fourth
Amendment, but the ECPA says that the same
document stored with a service provider may not be
subject to the warrant requirement.
c. Judicial Criticism
The courts have repeatedly criticized ECPA for
being confusing and difficult to apply. The Ninth
Circuit in 2002 said that Internet surveillance was "a
confusing and uncertain area of the law." In the past
five years, no fewer than 30 federal opinions have been
published on government access to cell phone location
information, reaching a variety of conclusions.
d. Constitutional Uncertainty
The courts are equally conflicted about the
application of the Fourth Amendment to new services
and information. A district court in Oregon recently
opined that email is not covered by the constitutional
protections, while the Ninth Circuit has held precisely
the opposite. Last year, a panel of the Sixth Circuit
first ruled that email was protected by the Constitution,
and then a larger panel of the court vacated the
opinion.
This murky legal landscape does not serve the
government, customers or service providers well.
Customers are, at best, confused about the security of
their data in response to an access request from law
enforcement. Companies are uncertain of their
responsibilities and unable to assure their customers
that subscriber data will be uniformly protected. The
current state of the law does not well serve law
enforcement interests, either. Resources are wasted on
litigation over applicable standards, and prosecutions
are in jeopardy should the courts ultimately rule on the
Constitutional questions.
2. Digital Due Process – the Movement
In response to these issues, a recently formed
group aims to revise the ECPA. Information about this
group’s work and relevant resources associated with
the Act can be found at http://digitaldueprocess.org.
C. The Federal Wiretap Act
The Federal Wiretap Act specifically prohibits
“any person” from intercepting a wire, oral, or
electronic communication without a court order or the
consent of one of the parties to the conversation.38
The Act defines “intercept” as the “aural or other
acquisition of the contents of any wire, electronic, or
oral communication through the use of any electronic,
mechanical, or other device.”39 The interception
must be intentional.40 The penalty for violations may
be a fine, imprisonment for up to five years, or both.
38 (81) 18 U.S.C. Sec. 2510-2520
39 (82) 18 U.S.C. Sec. 2510(4)
40 (83) 18 U.S.C. Sec. 2511(1)
1. Exceptions to the Federal Wiretap Act
a. Exception: Consent of a Party
It is not unlawful for a person to intercept an oral
or wire communication if the person is a party to the
communication or if a party to the communication has
given prior consent to the interception.41
b. Exception: Spousal Consent
Though most federal circuits have not recognized
an interspousal exception to the wiretapping statute,
the Second and Fifth circuit courts of appeals have held
that there is such an exception to the statute.42
In Simpson v. Simpson, the Fifth Circuit Court of
Appeals held that the recording of telephone
conversations in the marital home by Husband who
suspected Wife of infidelity did not violate the
Federal Wiretap Act.43 The Court reasoned that
because federal courts have typically left family
matters to state courts, Congress did not intend to
counteract this tradition through the Federal Wiretap
Act. This opinion has been widely criticized.
For Texas state law holding differently than
Simpson, see Collins v. Collins, 904 S.W.2d 792
(Tex.App.–Houston [1st Dist.] 1995, writ denied)
discussed below.
Similarly, the Second Circuit Court of Appeals in
Anonymous v. Anonymous found that interspousal
wiretaps involve marital disputes, which are an area
generally left to the discretion of states.44 These
opinions have been widely criticized and rejected by
other federal courts which have found no
Congressional intent to except willful, intercepted
spousal communications.45
c. Exception: Vicarious Consent for Minors
With respect to parents who tape record the phone
conversations of their minor children within the home,
some courts have recognized a limited “vicarious
consent” exception, whereby parents and guardians of
minors have the authority to consent for their minor
child when it is perceived by the parent or guardian to
be in the best interests of the child.46 The Federal
Wiretap Act may not be violated if a party to the
intercepted conversation has “vicariously” consented
to the recording.
In Pollock v. Pollock, the Sixth Circuit Court of
Appeals articulated a “good faith” test.47 If the parent
has a “good faith, reasonable basis for believing such
consent was necessary for the welfare of the child,”48
then a recording of a child’s conversation would be
admissible. The Court also found that the parent
doing the recording on behalf of the minor child
must demonstrate a reasonable belief “…that the minor
child is being abused, threatened, or intimidated by the
other parent.”49
The exception does not apply to every situation.
The West Virginia Supreme Court of Appeals in West
Virginia Dep’t of Health and Human Resources v.
David L., found that a parent did not have a right to
record conversations with the other parent while the
children were in the other parent’s house.50
41 (84) 18 U.S.C. Sec. 2511(d)(d)
42 (85) Simpson v. Simpson, 490 F.2d 803 (5th Cir. 1974); Anonymous v. Anonymous, 558 F.2d 677 (2d Cir. 1977).
43 (86) 490 F.2d 803 (5th Cir. 1974)
44 (87) 558 F.2d 677 (2d Cir. 1977)
45 (88) See United States v. Jones, 542 F.2d 661, 669 (6th Cir. 1976). See also Pritchard v. Pritchard, 732 F.2d 372 (4th Cir. 1984); Kempf v. Kempf, F.2d 1537, 1539 (10th Cir. 1991); Platt v. Platt, 951 F.2d 159 (8th Cir. 1989)
46 (89) See e.g., Wagner v. Wagner, 64 F. Supp. 895, 896 (D. Minn. 1999); March v. Levine, 136 F. Supp.2d 831, 849 (M.D. Tenn. 2000), aff’d, 248 F.3d 462 (6th Cir. 2001); Allen v. Mancini, 170 S.W.3d 167 (Tex. App. – Eastland 2005, pet. filed)
47 (90) 154 F.3d 601 (6th Cir. 1998)
48 (91) See id at 610
49 (92) See id; Silas v. Silas, 680 So.2d 368, 371 (Ala. Civ. App. 1996).
50 (93) 453 S.E.2d 646, 654 (1994).
D. Texas Wiretap Statutes – the Federal
Counterpart
1. Texas Civil Practice and Remedies Code
A party to a communication may sue a
person who:
1) intercepts, attempts to intercept or employs or
obtains another to intercept or attempt to
intercept a communication;
2) uses or divulges information that the person
knows or reasonably should know was
obtained by interception of the
communication; or
3) as a landlord, building operator, or
communication common carrier, either
personally or through an agent or employee,
aids or knowingly permits interception or
attempted interception of the communication.
For purposes of the statute, “interception” means
“the aural acquisition of the contents of a
communication through the use of an electronic,
mechanical, or other device that is made without the
consent of a party to the communication.”
TEX. CIV. PRAC. & REM. CODE §123.001(2).
A person who establishes a cause of action
under the statute is entitled to:
1) an injunction prohibiting further interception
or divulgence or use of the information
obtained by an interception;
2) statutory damages of $10,000 for each
occurrence;
3) all actual damages in excess of $10,000;
4) punitive damages in an amount to be
determined by the court or jury; and
5) reasonable attorney’s fees and costs. TEX. CIV.
PRAC. & REM. CODE §123.004.
2. Texas Penal Code
Section 16.02 of the Texas Penal Code provides
that a person commits the offense of unlawful
interception, use, or disclosure of wire, oral, or
electronic communications “if the person
intentionally intercepts, endeavors to intercept, or
procures another person to intercept or endeavor to
intercept a wire, oral or electronic communication.”51
An offense under this section is a second degree
felony.52
3. Exception to the Texas Wiretap Act
a. Exception: Express or Implied Consent
Texas law allows one party to a conversation to
tape or intercept the conversation.53
b. Non-exception: Spousal Consent
Unlike the Federal counterpart, Texas does not
recognize the interspousal exception to
wiretapping.54 55 Texas courts generally have
declined to follow the Simpson case to attach a
spousal immunity exception to applicable federal or state
wiretap statutes.
E. Computer Breach – the Penal Code
Section 33.02 of the Texas Penal Code provides
that “a person commits an offense if the person
knowingly accesses a computer, computer network, or
computer system without the effective consent of the
owner.” An offense under this section is a class B
misdemeanor. If the person who commits the offense
knowingly obtains a benefit, defrauds or harms
another, or alters, damages or deletes property, the
offense is based on the value of the harm done.56
51 Texas Penal Code 16.02 (b)(1)
52 Texas Penal Code 16.02(f)
53 Kotria v. Kotria, 718 S.W.2d 853, 855 (Tex.App.–Corpus Christi 1986, writ ref’d n.r.e.).
54 Collins v. Collins, 904 S.W.2d 792 (Tex.App.–Houston [1st Dist.] 1995, writ denied)
55 See Kent v. State, 809 S.W.2d 664 (Tex.App.–Amarillo 1992, writ ref’d).
Tracking Devices and Vehicles
Section 16.06 of the Texas Penal Code provides
that a person commits the offense of unlawful
installation of a tracking device “if the person
knowingly installs an electronic or mechanical tracking
device on a motor vehicle owned or leased by another
person.” Such an offense is a Class A misdemeanor.57
1. Caveat Emptor – vehicle ownership required
Occasionally, a client will inquire about hiring a
Private Investigator to place a GPS device on the
spouse’s car. Be advised that it is a violation of Texas
law to install a tracking device on a vehicle unless the
vehicle is registered in the client’s name.58
2. Exception: Law enforcement
Note that the same rules may not apply to law
enforcement. In United States of America v. Bernardo
Garcia,59 the police attached a GPS device to a suspect
and the court held that the suspect’s constitutional
rights had not been violated.
F. Spyware
Spyware equipment can range from simple
(Maxwell Smart) to highly complex. A tape recorder,
a mobile phone, an EZ tag, a webcamera and a
computer can all be used to find information.
1. Spyware on the Mobile Phone
For a nominal fee beginning as low as $40.00,
spyware can be purchased and installed on an
unsuspecting party’s mobile phone to record
information such as call and SMS contact history,
appointments, Internet browsing, bookmark and email
history, location tracking and location history, sound
recording of phone calls, picture and video history, and
text messages. It can remotely activate the cell phone’s
microphone and record every call made.
2. Spyware on your computer – key logger programs
Most key logger programs are available for less
than $100.00 and can readily be purchased in computer
stores and via the internet. What the programs share in
common is the ability to capture email, text messages,
websites visited, and keystrokes, including names and
passwords; they can also take screenshots of program
activity and capture photographs.
56 TEX. PEN. CODE 33.02(2)
57 TEX. PEN. CODE § 16.06(c).
58 See United States of America, Plaintiff-Appellee, v. Bernardo Garcia, Defendant-Appellant. United States of Appeals for the Seventh Circuit, No. 06-2741, January 10, 2007, Argued- February 2, 2007, Decided 474 F.3d 994e Occupations Code Chapter 1702, Section 17.02.332.
59 United States v. Ropp 347 F.Supp.2d 831 (C.D.Cal.2004)
The key logger programs also run in stealth mode,
and some now provide web access to the captured
content instead of emailing it to you, so access to the
actual computer where the spyware was installed is no
longer required.
In United States v. Ropp, because a key logger
recorded keystroke information in transit between the
keyboard and the CPU, the court found that the system
transmitting the information did not affect interstate
commerce, and the keystroke signals, therefore, were
not “electronic communication” under the Wiretap
Act.60
In Potter v. Havlicek, Mr. Havlicek admitted to
installing monitoring software on the family computer.
He also admitted to downloading e-mail from his
wife’s web-based email account, but claimed it was
authorized because she had chosen to save her
username and password through the browser’s
“remember me” feature. The District Court for the
Southern District of Ohio ruled that evidence obtained
in a divorce case through the use of spyware could be
admitted, noting that the ECPA does not permit courts
to disallow such evidence. The Court did say that
“disclosure of the information in state court by Jeffery
Havlicek or his attorney might be actionable civilly or
criminally”, and it was suggested that the “remember
me” option probably did not give Mr. Havlicek an
implied right to view his wife’s e-mail messages.61
Additionally, the Havlicek Court questioned
whether Ropp’s construction of “affecting interstate
commerce” is correct. It suggested that Ropp reads the
statute as requiring that the communication must be
traveling in interstate commerce as opposed to merely
“affecting interstate commerce.” The keystrokes,
while not traveling in interstate commerce, do “affect
interstate commerce.”
The following portions of this paper are adapted
from the article entitled “Tips for Safeguarding
Confidentiality & Privacy of Client Information in
Compliance with Professional Rules, HIPPA & other
Statutory Requirements,” written by Al Harrison and
Randy Claridge, and presented at the State Bar of
Texas 2010 Annual Meeting in Fort Worth, Texas, and
“A Lawyer’s Work is Never Done” written by Esther
Chaves and moderated by Caren K. Lock, Esther
Chaves and W. Reid Wittliff at the State Bar of Texas
9th Annual Advanced Consumer & Commercial Law
Course in August of 2013 in Houston, Texas. The
author would like to thank all of the authors for their
excellent contributions.
60 Ropp, 347 F.Supp.2d 837-38
61 The case may be found on Westlaw at 2007 WL 539534 (S.D.Ohio) Potter v. Havlicek
IV. CONFIDENTIALITY
Gone are the days where adding an additional lock
to the client file room door would almost guarantee
client information was protected. Today, law firms
transfer confidential information via email almost
daily. An entire client file can be placed on a flash
drive the size of a stick of gum. In the “paperless
office”, all of a client’s information is stored
electronically on servers, on hard drives or in the
cloud. Whether through the loss of a laptop or a flash
drive, or data breaches due to lack of proper
protections or due to hacking, lawyers face new
challenges in protecting client information. In addition
to the disciplinary rules historically imposed upon
lawyers, emerging and evolving federal and state laws
may be applicable to certain client information.
A. Texas Rules of Professional Conduct
The Texas Disciplinary Rules of Professional
Conduct provide that except as otherwise permitted
or required, a lawyer shall not knowingly “reveal
confidential information of a client or a former client
to: (i) a person that the client has instructed is not to
receive the information; or (ii) anyone else, other
than the client, the client’s representatives, or the
members, associates, or employees of the lawyer’s
law firm.” Confidential information includes both
privileged information and unprivileged client
information. Unprivileged client information means
all information relating to a client, other than
privileged information, acquired by the lawyer
during the course of or by reason of the
representation of the client. Comment 4 related to
Rule 1.05 notes that the rule generally extends
ethical protection to unprivileged information
relating to the client or furnished by the client during
the course of or by reason of the representation of
the client. See, Tex. Disciplinary R. Prof’l Conduct
1.05(a) and (b), reprinted in Tex. Gov’t Code Ann.,
tit. 2, subtit. G, app. A (West 2005 & Supp. 2009).
B. ABA Model Rule
In August 2012, the American Bar Association
added a new Model Rule 1.6(c) which provides: “A
lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or
unauthorized access to, information relating to the
representation of a client.” New language in the
comment to this rule identifies factors that lawyers
should take into account in determining whether their
efforts are reasonable, including the cost of the
safeguards and the sensitivity of the information.
See, August 2012 Amendments to ABA Model Rules
of Professional Conduct.
In addition to the duties imposed upon lawyers by
the disciplinary rules, there are many federal and
state rules and regulations that impose additional
requirements of confidentiality on certain classes of
personal information, including requirements
associated with the destruction of personal
information.
C. Texas Business & Commerce Code
Texas is among the many states that have enacted
legislation that creates a duty for businesses to protect
personal information provided in the regular course of
business. Law firms are included among those
businesses that have a duty to protect the information
and to notify clients in the event of a breach of
security. The following is a sampling of duties created
by the Texas Business & Commerce Code.
1. The Texas Identity Theft Enforcement and
Protection Act (ITEPA): Requires businesses to (i)
implement and maintain reasonable procedures to
protect from unlawful use or disclosure any sensitive
personal information (SPI) collected or maintained by
the business in the regular course of business; (ii)
destroy or arrange for the destruction of customer
records containing SPI (that are not to be retained)
by shredding, erasing or otherwise making the
information unreadable or undecipherable. Tex. Bus.
& Com. Code Ann. § 521.052 (West 2009). Section
521.053 requires businesses that operate in Texas,
and own or license computerized data that includes
sensitive personal information, to disclose any breach
of its system security (which means unauthorized
acquisition of computerized data that compromises the
security, confidentiality, or integrity of sensitive
personal information maintained by a person,
including data that is encrypted if the person accessing
the data has the key required to decrypt the data) to
any person whose information was, or is reasonably
believed to have been, acquired by an unauthorized
person. Tex. Bus. & Com. Code Ann. §521.053 (West
2009).
There are monetary penalties for violations of the
Act. Fines of up to $500.00 for each record that could
potentially be exposed to unintended or unauthorized
review can be imposed. Additional penalties of up to
$20,000.00 per violation can be assessed against
businesses that give customers specific assurances
about protection of confidential information and then
fail to provide that protection.
2. Privacy Policy Necessary to Require
Disclosure of Social Security Number: A person
may not require an individual to disclose the
individual’s social security number (SSN) to obtain
goods or services from or enter into a business
transaction with the person unless the person (i) adopts
a privacy policy; (ii) makes the privacy policy
available to the individual; and (iii) maintains under the
privacy policy the confidentiality and security of the
SSN disclosed to the person. Tex. Bus. & Com.
Code Ann. § 501.052 (West 2009). The privacy
policy must include: (i) how personal information is
collected; (ii) how and when the personal information
is used; (iii) how the personal information is
protected; (iv) who has access to the personal
information; and (v) method of disposal of the
personal information. Id. Certain entities are exempt,
including those required to maintain privacy policies
under the federal Gramm-Leach-Bliley Act, the
federal Family Educational Rights and Privacy Act of
1974, and the Health Insurance Portability and
Accountability Act of 1996. Tex. Bus. & Com. Code
Ann. § 501.051 (West 2009).
3. Disposal of Business Records Containing
Personal Identifying Information: When a business
disposes of a business record that contains personal
identifying information of a customer of the business,
the business shall modify, by shredding, erasing, or
other means, the personal identifying information so
as to make the information unreadable or
undecipherable. Tex. Bus. & Com. Code Ann. §
72.004 (West 2009). Exceptions include financial
institutions as defined by 15 U.S.C. 6809 and entities
defined by 601.001 of the Texas Insurance Code. Id.
Violators are subject to a civil penalty of up to $500
for each business record. Id. A business is considered
to be in compliance if it contracts with a person
engaged in the business of disposing of records for the
modification of PII on behalf of the business. Id.
D. HIPAA/HiTECH
Most practitioners are familiar with the Health
Insurance Portability and Accountability Act
of 1996 (HIPAA). It requires releases for obtaining
medical records and information frequently sought
during family law disputes. It was updated in 2010 by
the Health Information Technology for Economic and
Clinical Health Act (HiTECH). The purpose of the
update was to require any business that handles
personal health information to comply with HIPAA
regulations.
E. Texas Health Privacy Law
A recent law was enacted to specifically target
patient data privacy: HB 300 amended Chapter
181, Health and Safety Code, and became effective on
September 1, 2012. According to health care
providers, the law mandates patient privacy protections
and harsher penalties for privacy violations related to
electronic health records (EHR). The requirements of
the Texas law are more stringent than those of its
federal counterpart, the Health Insurance
Portability and Accountability Act (“HIPAA”). It
expands the definition of the term “covered entity” in
the existing health privacy law and requires all
employees of covered businesses to undergo training
on HIPAA and Texas’ health privacy law within sixty
(60) days of hiring and once every two (2) years
thereafter. Additionally, the Texas Attorney General,
Texas Health Services Authority, or Texas Department
of Insurance is authorized to conduct compliance
audits of covered entities that have consistently
violated the Texas law. Fines for violations range from
$5,000.00 up to $1,500,000.00 per year.
For a more detailed discussion see: Updates to the
Texas Medical Privacy Act: How Texas Covered
Entities Should Prepare, by George R. Gooch, J.D.,
http://www.law.uh.edu/healthlaw/perspectives/2012/HLPGoochHIPrivacy.pdf
F. Protecting Your Clients’ Confidentiality
Practicing law in today’s high-tech environment
while being faced with constantly evolving rules and
regulations associated with privacy concerns requires
practitioners to take proactive steps to protect their
clients and themselves. The following are relatively
easy-to-implement steps that may go a long way in
protecting client information while protecting yourself
from liability.
1. Encryption
Encryption refers to a process of converting
information into a form which is unusable, unreadable,
and indecipherable to parties not possessing the
requisite decryption algorithm. There currently exist
several popular encryption paradigms including: file or
folder encryption, full-disk encryption, and encrypted
communications to and from networked computers.
Regardless of the approach taken, encryption is quickly
becoming a standard requirement of the contemporary
law office because the loss of an encrypted computer
or encrypted data file often does not trigger notification
rules, thereby potentially protecting attorneys and
clients from the expenses and other ramifications
associated with a breach of client confidentiality.
a. Individual File Encryption
Individual file or folder encryption is perhaps the
first form of encryption adopted by many attorneys
using software programs such as Adobe Acrobat
Professional (Acrobat). Using Acrobat, a Portable
Document Format (PDF) file, or set of PDF files, can
be converted to a form that renders the file unreadable
to anyone lacking a corresponding password or digital
certificate. An encrypted file may then be stored on a
computer network or e-mailed to a client without fear
of inadvertent disclosure of confidential information.
Although easily implemented, individual file
encryption poses a significant challenge when dealing
with numerous clients and client matters that implicate
multiple passwords. If the password required for a
particular file were destroyed or otherwise were to
become unavailable, the contents of the encrypted file
would be in all likelihood lost and thus effectively
digitally “shredded.”
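The password dependence described above, shown as an added example that is not part of the original paper: it uses the OpenSSL command-line tool rather than Acrobat, and the function names, file names, passwords and iteration count are all constructed for illustration.

```shell
# Added example: password-based encryption of a single file with OpenSSL.
# All names and values below are constructed for illustration.

ITER=200000   # PBKDF2 iteration count (assumed value); must match on decrypt

# encrypt_file <plaintext> <ciphertext> <password-file>
# The AES-256 key is derived from the password plus a random salt that is
# stored in the ciphertext header, so the password is the only secret.
encrypt_file() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file <ciphertext> <output> <password-file>
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "file:$3" 2>/dev/null
}

# recovers <ciphertext> <password-file> <original>
# True only if this password reproduces the original bytes. CBC mode carries
# no integrity tag: a wrong password normally fails the padding check, but it
# can occasionally "succeed" and emit garbage, so the content is compared too.
recovers() (
    out=$(mktemp) || exit 2
    if decrypt_file "$1" "$out" "$2" && cmp -s "$out" "$3"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$out"
    exit "$rc"
)

# demo: encrypt a constructed memo, then try the right and a wrong password.
demo() (
    work=$(mktemp -d) || exit 2
    printf 'Constructed sample: privileged client memo\n' > "$work/memo.txt"
    printf 'correct horse battery staple\n' > "$work/password.txt"
    printf 'not the password\n' > "$work/guess.txt"
    status=0
    encrypt_file "$work/memo.txt" "$work/memo.enc" "$work/password.txt" || status=2
    if recovers "$work/memo.enc" "$work/password.txt" "$work/memo.txt"; then
        echo "right password: memo recovered"
    else
        status=1
    fi
    if recovers "$work/memo.enc" "$work/guess.txt" "$work/memo.txt"; then
        status=1   # a wrong password must never reproduce the memo
    else
        echo "wrong password: memo unrecoverable"
    fi
    rm -rf "$work"
    exit "$status"
)

demo
```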
b. Full Disk Encryption (FDE)
Another encryption approach, typically
implemented on business-class laptops, is full-disk
encryption (FDE), either hardware-based or software-
based. With FDE, the contents of the entire hard drive
are stored in an encrypted state. In a hardware-based
implementation of FDE, a decryption key is stored
within the circuitry of the hard drive and data is
seamlessly decoded following initial entry of a
password by the user. In a software-based
implementation of FDE, pre-installed software such as
the open-source program TrueCrypt serves as a boot-time
gatekeeper requiring password entry prior to decoding
of user data. The ease of FDE is readily apparent;
however, care should be taken following initial
password entry because data is automatically decoded
until the system is turned off or rebooted.62 Unlike
individual file encryption, FDE does not require
password entry beyond a single boot-time entry. A
single password can be used for each computer which
stores confidential client information thereby rendering
the information unreadable should the computer be
stolen or otherwise misplaced.
c. Encryption of client communications
In addition to secure storage of client information
on internal office computers, electronic
communications with clients should also be encrypted.
Fortunately, most Internet services, including e-mail,
e-commerce, and document storage, incorporate the
Secure Sockets Layer (SSL) protocol, which is specified
within the settings of an e-mail software application or
identifiable by “https://” preceding a website address.
If “https://” does not precede a website address, then
the communications to and from that website are not
encrypted and are potentially readable by unknown
third parties.
2. Procedural Tips for Protecting Client Information
a. Security Prerequisites for Laptops and
Handhelds
Recommended security prerequisites for laptops
and handhelds: (1) password protected with an
inherently strong password; (2) relatively short laptop
or handheld inactivity or the placement of handheld in
holster causes timeout that blanks screen, or shuts
down hard drive, deactivates keys or touch screen, and
requires password for reactivation; (3) email should
preferably be encrypted in transit to and from user; (4)
stored files encrypted - text, images; (5) all data should
preferably be remotely purged if laptop or handheld
has gone missing.
62 Information on TrueCrypt can be found at (http://truecrypt.com), PGP Whole Disk Encryption (http://pgp.com), and Windows proprietary BitLocker (http://microsoft.com/windows/windows-7/features/bitlocker.aspx).
b. Password Logistics
The propriety of passwords must be assured and
sustained or else the integrity of the safeguarding
protocol is undermined. This is a very serious and
crucial aspect of safeguarding client data. While
inconvenient and introducing another level of
complexity to the law firm environment, password
protocol must be carefully established and rigorously
practiced and enforced. Use common sense with
password protocol. For example, do not keep
passwords in plain view near computers and do not
generously share core or private passwords and be
discriminating when determining which personnel have
access to core passwords.
c. Secure the laptops, mobile and memory devices
Be vigilant about properly caring for each and
every storage device containing proprietary and
confidential client information ― both in the office
and contained on a portable electronic device or
storage medium. According to the FBI’s National
Crime Information Center, the number of reported
laptop and mobile device thefts is rising exponentially
from year to year.
One of the most prevalent venues for laptop losses
is U.S. airports: as many as 12,000 laptops are
lost or stolen weekly at domestic airports, as estimated
by the Ponemon Institute. This Institute has also
guesstimated that as many as 800,000 memory devices,
laptops, smartphones and thumb drive memory sticks
are lost or stolen annually; and that major corporations
suffer annual robberies amounting to about
600 laptops, 2000 USB thumb drive memory sticks,
1000 smartphones, and 1,500 other portable electronic
data storage devices.
Caution should be exercised in virtually every
venue the attorneys visit or travel, not just airports and
train stations, but also coffee shops, government
buildings and offices, clients' offices and sites. It
appears that contemporary criminals have adopted the
protocol for stealing or demanding popular, easily
liquidated electronic devices besides cash money.
Laptops and netbooks should be held securely to
prevent thieves from engaging in a snatch-and-run
maneuver at an attorney's expense.
d. Remote Laptop Security
A recent fail-safe application to be considered by
law firms is Remote Laptop Security ("RLS"), a
procedure that enables users to control access to files
on a laptop even if the laptop has gone missing.
Proprietary files to be safeguarded are selected in
advance and are tied to a protocol for either restoring
or terminating the account that owns the data files.
The designated administrator selects which files are to
be safeguarded using the RLS application. Safeguarded
files are then converted and encrypted to permit only
authorized access. For a laptop which has gone missing,
access to secured files is unequivocally denied. There
are RLS tools dependent upon Internet or WiFi
connections, and even cellular access. In an abundance
of caution, RLS applications should periodically
authenticate user identity. Of course, under
circumstances in which access to proprietary files on a
particular laptop has been deactivated, that laptop
ceases to be authenticated.
e. Client Confidentiality and Third Parties
The Supreme Court of Texas Professional Ethics
Committee Opinion Number 572, June 2006,
addresses the use of an independent contractor, such as
a copy service, hired by the lawyer to perform services
in connection with the lawyer’s representation of the
client. The Committee concluded:
A lawyer's delivery of materials containing
privileged information to an independent
contractor providing a service, such as
copying, to facilitate the lawyer's
representation of a client (and not for the
purpose of disclosing information to others)
does not constitute "revealing" such privileged
information within the meaning of Rule 1.05,
provided that the lawyer reasonably expects
that the independent contractor will not
disclose or use such items or their contents
except as directed by the lawyer and will
otherwise respect the confidential character of
the information. In these circumstances, the
independent contractor owes a duty of
confidentiality both to the lawyer and to the
lawyer's client.
Although not explicitly addressed by the Committee,
use of independent contractors in the form of Internet-
based services would not necessarily constitute
revealing of privileged client information. However,
attaining a reasonable expectation that Internet-based
service providers will neither disclose nor use such
privileged information, except as directed by the
lawyer, may prove problematic.
3. Maintaining Client Confidentiality 101
In its article, Preventing Law Firm Data Breaches,
the Texas Bar Journal discussed security basics that
every lawyer should know, including:
• Have a strong password of at least 12 characters.
  A strong 12-character password takes roughly 17
  years to crack.
• Don’t use the same password everywhere.
• Change your passwords regularly.
• Do not have a file named “passwords” on your
  computer.
• Change the defaults. Whether you are configuring
  a wireless router or installing a server operating
  system, make sure you change any default
  values.
• Laptops should be protected with whole disk
  encryption—no exceptions.
• Backup media should be encrypted. If you use an
  online backup service, make sure the data is
  encrypted in transit and while being stored. Also,
  be sure that employees of the backup vendor do
  not have access to decrypt keys.
• Thumb drives should be encrypted.
• Keep your server in a locked rack in a locked
  closet or room. Physical security is essential.
• Most smartphones write some amount of data to
  the phone. Opening a client document may
  write it to the smartphone. The iPhone is data
  rich. Make sure you have a PIN for your phone.
  This is a fundamental protection. Don’t use
  “swiping” to protect your phone as thieves can
  discern the swipe the vast majority of the time due
  to the oils from your fingers. Also make sure that
  you can wipe the data remotely if you lose your
  phone.
• Solos and small firms should use a single
  integrated product to deal with spam, viruses
  and malware.
• Wireless networks should be set up with the
  proper security. First and foremost, encryption
  should be enabled on the wireless device.
  Whether using Wired Equivalent Privacy
  (WEP) 128-bit or WPA encryption, make sure
  that all communications are secure. WEP is
  weaker and can be cracked. The only wireless
  encryption standards that have not been cracked
  (yet) are WPA with the AES (Advanced
  Encryption Standard) or WPA2.
• Make sure all critical patches are applied. This
  may be the job of your IT provider, but too often
  this is not done.
• If software is no longer being supported, its
  security may be in jeopardy. Upgrade to a
  supported version to ensure that it is secure.
• Control access.
• Using cloud providers for software applications is
  fine, provided that you made reasonable inquiry
  into their security. Read the terms of service
  carefully and check your state for current ethics
  opinions on this subject.
• Be wary of social media applications, as they are
  now frequently invaded by cybercriminals.
  Giving another application access to your
  credentials for Facebook, as an example, could
  result in your account being hijacked. And even
  though Facebook now sends all hyperlinks
  through Websense first (a vast improvement), be
  wary of clicking on them.
• Consider whether you need cyber insurance to
  protect against the possible consequences of a
  breach. Most insurance policies do not cover the
  cost of investigating a breach, taking remedial
  steps or notifying those who are affected.
• Dispose of anything that holds data, including a
  digital copier, securely. For computers, you can
  use a free product like DBAN to securely wipe the
  data.
• Use wireless hot spots with great care. Do not
  enter any credit card information or login
  credentials prior to seeing the https: in the URL.
• For remote access, use a VPN or other encrypted
  connection.
See, Sharon D. Nelson and John W. Simek,
Preventing Law Firm Data Breaches, Texas Bar
Journal, May 2012, p 364.
V. HELPFUL LINKS TO FEDERAL LAWS,
ACTS AND POLICIES ON PRIVACY AND
CONFIDENTIALITY
1. The Patient Safety and Quality Improvement
Act of 2005 (PSQIA) Patient Safety Rule:
Confidentiality protections to encourage the
reporting and analysis of medical errors.
http://ahrq.gov/qual/psoact.htm
2. The Confidential Information and Statistical
Efficiency Act of 2002 (CIPSEA): This act
ensures that information provided to statistical
agencies for statistical purposes under a
pledge of confidentiality can be used only for
statistical purposes, and that individuals' or
organizations' confidential data should be
kept confidential.
http://bls.gov/opub/mlr/cwc/confidentiality-information-protection-and-statistical-efficiency-act-of-2002.pdf
3. Freedom of Information Act: This website
provides guidelines as to which data may and
may not be disclosed under the terms of the
Freedom of Information Act. http://foia.gov
4. The American Bar Association’s Legal
Technology Resource Center provides
information regarding the latest legal
technology and an extensive resource list on
technology related ethics matters.
http://americanbar.org/groups/departments_offices/legal_technology_resources.html.
5. The Federal Trade Commission is responsible
for many business related privacy laws, and
its website provides an extensive listing of
legal resource statutes relating to consumer
protection, including The Children’s Online
Privacy Protection Act, Health Information
Technology Provisions of American Recovery
and Reinvestment Act of 2009, Title XIII,
Subtitle D, the Gramm-Leach-Bliley Act, and
the Fair Credit Reporting Act. http://ftc.gov.
6. TRUSTe operates a privacy seal program
which certifies how businesses collect and
manage personally identifiable information.
http://truste.com/about-TRUSTe/.
7. The Better Business Bureau offers a data
security guide which includes checklists for
small businesses to secure sensitive data,
safely transmit data, properly dispose of paper
and electronic records and includes steps to
take in the event of a data breach.
http://bbb.org/us/bbb-online-business/.
8. Privacy Act of 1974: Provides an overview of
the Privacy Act, which safeguards personal
information held by government agencies
from queries by others.
http://justice.gov/opcl/privstat.htm
9. Family Educational Rights and Privacy Act
(FERPA): Protects privacy of educational
data.
http://ed.gov/policy/gen/guid/fpco/ferpa/index.html
10. Library of Congress' Thomas Search Engine
for U.S. Federal Legislation: A search engine
for the text of bills. You can search by exact
bill number, if known, or by a topic such as
"HIPAA," "Confidentiality," "Patriot Act," or
"E-Government Act of 2002" which will
produce a list of direct links to the legislation.
http://thomas.loc.gov/home/thomas.php
11. Legal Information Institute at the Cornell Law
School: This website has materials to make
law more accessible to students, teachers, and
the general public. http://law.cornell.edu/
12. The Code of (U.S.) Federal Regulations
(CFR): This website allows users to access
all the Federal regulations issued by any
agency. The CFR is a codification of the
general and permanent rules published in the
Federal Register by the Executive
departments and agencies of the Federal
Government.
http://gpo.gov/fdsys/browse/collectionCfr.action?collectionCode=CFR
13. Several statistical agencies have their own
confidentiality statutes, e.g., the Census
Bureau, the National Center for Education
Statistics and the National Science
Foundation. Search their web sites for specific
details.
VI. CONCLUSION
It is often said that the best defense is a good
offense. The smart practitioner will heed this advice
and take proactive steps to remain abreast of the
evolution of privacy laws and requirements for the
protection of confidential client information. It may
never be possible to fully insulate client information in
today’s environment, but self-educating and taking
precautionary measures may prevent you from having
to phone your malpractice carrier in the event of a data
breach.