Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.

Ah, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.

Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes.  Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.

These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.

Some weeks ago I experienced that sinking feeling that comes with locking your keys in the car. Fortunately, I was only a phone call and a 20-minute wait away from rescue. But how can that happen, you ask, given all the modern safeguards built into automotive key technology? Don’t cars these days alert you or automatically unlock the doors when you leave the key inside?

Admit it – it feels strange, in an e-discovery world, to include “tangible things” in a legal hold notice. Litigation has always been document-intensive, and preserving ESI has been the crux of compliant legal hold practice ever since Judge Scheindlin took us to school in Zubulake. But as Starbucks recently learned the hard way, we forget “things” at our peril.

Starbucks not only sells lots of coffee – it provides the ambiance to enjoy it, such as by hanging out on a Starbucks deck in a patio chair, sipping an Americano while perusing the blogosphere. With thousands of such chairs and ensconced customers, something was bound to go awry.

It’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.

In 2012, the Federal Trade Commission filed suit in federal court against hotelier Wyndham and its various subsidiaries (“Wyndham”), claiming that Wyndham’s allegedly unreasonable data security practices allowed hackers to steal personal information and payment data of Wyndham’s customers. The FTC’s claims were not unusual – by 2012 the FTC had spent a decade pursuing companies for unreasonable data security in administrative actions under Section 5 of the FTC Act, which forbids unfair or deceptive acts or practices in or affecting commerce.  In each of these prior enforcement actions the company settled with the FTC, agreeing to comprehensive data security controls, program monitoring, and reporting, usually extending for 20 years.

But Wyndham’s response was highly unusual – it pushed back, and continues to do so, challenging the FTC’s authority to enforce “reasonable” data security under the FTC Act.

In its motion to dismiss, Wyndham argued that the unfairness prong of FTC Act Section 5 does not empower the FTC to regulate cybersecurity, and also that the FTC has not provided constitutionally adequate notice of what cybersecurity practices are required to satisfy a “reasonableness” standard.

The federal district court denied Wyndham’s motion to dismiss, but later allowed an interlocutory appeal on Wyndham’s arguments. The stage is now set for the Third Circuit Court of Appeals, in a case of first impression, to decide whether the FTC has authority under the unfairness prong of FTC Act Section 5 to enforce reasonable data security. Will the Third Circuit resolve this issue, or will it dodge the question?

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.

I write this post on the three-year anniversary (Cheers!) of Judge Andrew Peck’s Da Silva Moore v. Publicis Groupe et al, S.D. New York, 11-1279, 2-24-2012 opinion, widely cited as the first case ruling to endorse the use of predictive coding or “technology-assisted review” (TAR) as a discovery tool.

TAR is the process of training a computer system to make decisions about the responsiveness of a document that would otherwise be reviewed and coded by a manual reviewer. With TAR, human effort is not eliminated, but rather used throughout the review process to train the system on what is responsive and what is not. The documents used to train the system are called the “training set” or “seed set.”   Once the system is trained, the computer reviews and codes the documents.

Since Da Silva Moore, the use of TAR in cases has gained some traction with litigants and courts. Commentary on the cost-savings and increased accuracy of TAR versus human review is relatively old news, and it seems well-established in case law that, as a general matter, TAR is an appropriate method for reviewing electronic data. But the defensibility of the particular TAR process used in a specific case is not yet predictable (pun intended). For example:

The Target data breach disrupted the 2013 holiday shopping season, shook the retail industry, and shocked many who assumed that a nationwide retailer would have the security controls in place to prevent such an attack. The breach exposed credit card data of 40 million individuals and personal data of approximately 70 million consumers. A quarter billion dollars and a slew of lawsuits later, lessons have emerged and questions remain.