Company computer policies risk becoming obsolete — Policies must reflect new laws and court decisions on data theft, social networking and cloud computing.

BY NICK AKERMAN
Have your client companies’ policies kept
pace with changes in the law affecting
computer technology? New statutes and court
decisions relating to computer technology
affect every business.

Many companies
overlook opportunities to respond to these
new laws by adopting robust policies to
take advantage of the protections they
afford and to minimize the risks they pose.
This article will review three critical areas
of computer technology that should be
addressed by company policies: theft of data,
social networking and cloud computing.

Theft of data. Federal and state laws
obligate companies to take steps to prevent
data theft and to notify consumers of the theft
of their personal data, and they create new
remedies for companies to sue data thieves.
Policies are a critical complement to these laws.

The most comprehensive of the
prevention laws is the Massachusetts
regulation that requires companies
maintaining personal data belonging to
Massachusetts residents, whether or not the
company does business in Massachusetts,
to institute a data-compliance program
that includes, among other things, security
policies that must be enforced through
technology such as encryption. 201 Mass.
Code Regs. 201, 17.03-17.05. The personal
data at issue—Social Security numbers,
credit card and banking information—are
data that can be used to perpetrate identity
theft. The obligation to protect data is not
limited to personal information. In 2004,
the Sarbanes-Oxley Act caused the New
York Stock Exchange to require its member
companies to promulgate policies as part
of a comprehensive compliance program
to protect both personal and competitively
sensitive data. NYSE’s Listed Company
Manual, § 303A, ¶ 10.

Also, since 2003, 45 states have enacted
statutes requiring businesses to notify
consumers of a breach of their personal data.
Although these notification laws do not
require companies to establish policies, they
do require a company to determine whether
there is a basis to trigger notification
under the statutes and determine how to
comply with the patchwork of 45 state
laws. Performing these tasks without
response policies will inevitably contribute
to an uncoordinated response and delay
when some states like California require
notification in the “most expedient time
possible and without unreasonable delay,”
while other states, such as Wisconsin, define
a more precise time period. Calif. Civ. Code
§ 1789.82(a); Wis. Stat. § 134.98.

A company cannot investigate data
theft unless it has policies that adequately
define an employee’s expectation of
privacy. In Stengart v. Loving Care Agency,
201 N.J. 300, 314 (2010), the New Jersey
Supreme Court, based on an ambiguity in
a company policy that allowed occasional
personal use of the company computer,
concluded that personal e-mails were
private. Also, with many employees now
using personally owned computing devices
to work outside of the office, a policy
permitting the employer to retrieve work-related
data from these devices reinforces
the employer’s rights to its data.

The Computer Fraud and Abuse Act
(CFAA), 18 U.S.C. 1030, the federal
computer crime statute, provides for a civil
remedy for a company that “suffers damage
or loss” by reason of a violation of the statute.
18 U.S.C. 1030(g). Liability for data theft is
based on whether the access to the company
computers was unauthorized or exceeded
authorized access. The “CFAA…is primarily
a statute imposing limits on access and
enhancing control by information providers.”
EF Cultural Travel B.V. v. Zefer Corp., 318 F.3d
58, 63 (1st Cir. 2003). Thus, a company “can
easily spell out explicitly what is forbidden”
through its policies. Id. The violation of the
policy in turn is the predicate for proving the
critical element of the statute that the access
was unauthorized.

Social networking. Social media pose a
number of legal challenges to companies,
including ownership of social-media
accounts, labor and employment risks,
and the protection of the company’s
confidential information.

Businesses commonly market themselves
on major social-networking sites including
Facebook, LinkedIn and Twitter. As
demonstrated by two recent cases,
ownership of this marketing tool is not
always clear. Just last July, PhoneDog.com,
a popular mobile phone site, sued a former
employee who had amassed approximately
17,000 followers on Twitter, claiming that
the followers constituted a company-owned
customer list entitling it to $2.50 per month
per follower or $350,000 in total damages.

In December, an employer and former
employee sued each other, claiming
ownership to the former employee’s
LinkedIn account, the popular social-networking
site for business professionals.
Eagle v. Morgan, 2011 WL 6739448 (E.D.
Pa. Dec. 22, 2011). The only way to avoid
the inevitable lawsuits over the ownership
of these accounts is for businesses to be
proactive in establishing up-front policies on
ownership rights prior to adopting employee
social-media accounts as a marketing tool.

Labor and Employment Risks

Social networking is fraught with a
multitude of labor and employment risks.
Indiscriminately using social-networking
sites to conduct background checks of new
hires or current employees can lead to
discrimination or invasion-of-privacy suits
based on protected information discovered
during searches. For example, in Pietrylo
v. Hillstone Restaurant Group, No. 2:06-cv-05754
(D.N.J. 2009), management learned
of a password-protected MySpace site used
by its employees, obtained the password
from an employee, viewed the site and then
fired two other employees based on what
they saw. The fired employees sued, and
the employer was found liable for violating
the federal Stored Communications Act,
18 U.S.C. 2701-11. A company policy
defining the circumstances under which
such Internet investigations can properly be
conducted could have avoided this lawsuit.

What an employee can communicate
about the workplace on a social-networking
site should also be addressed in a policy. The
company has a clear interest in preventing
an employee from disparaging it or releasing
to the public its confidential information,
but it cannot deny an employee the
protected right to labor organizing. In
October 2010, the National Labor Relations
Board filed a complaint on behalf of a
Connecticut ambulance company employee
fired after using vulgarities to ridicule
her supervisor on Facebook. The NLRB
claimed the company maintained overly
broad rules in its employee handbook
regarding blogging, Internet posting and
communications among employees. The
case settled in February 2011 with the
company agreeing not to prohibit discussion
of hours, wages and working conditions on
social-networking sites.

Cloud computing. Cloud computing
outsources the maintenance of company data
to a third party. The potential cost savings
in having data maintained by a third-party
provider can be quickly dissipated if company
policies do not anticipate the potential legal
traps created by entrusting data for safekeeping
to someone else. All of the company’s current
policies on security, record retention, incident
response to a data breach and the obligation to
provide e-discovery in the event of a lawsuit
or government investigation must apply on
the cloud and be reflected in the company’s
contract with its cloud provider.

Although the cloud service is typically the
party in possession of the data, the owner’s
overall policy must be to maintain control
of its data so that the data can be destroyed
in the regular course of the company’s
retention policies and preserved in response
to a litigation hold. For multinational
corporations, this also means policies
to ensure compliance with local laws
governing cross-border data transfers. For
example, in November 2009, the European
Network and Information Security Agency
issued a report on cloud computing warning
that companies remain responsible under
U.K. law for safeguarding their customers’
information even if those data are stored by
a service provider in the cloud.

Policies that worked yesterday will not
necessarily work today or tomorrow. Every
company should review its policies to
ensure that they adequately:
• Protect data and respond properly to
data breaches.
• Minimize the risks posed by social
media.
• Apply established policies and
appropriate foreign laws to data maintained
on the cloud.