Guest post written by Thomas Barnett
Thomas Barnett is the e-Discovery practice leader at Stroz Friedberg, a global digital risk management and investigations firm.
New privacy legislation could cause a seismic shift in how U.S. businesses manage their data and what they pay to do it. Legislation pending in Congress would prevent employers from requiring current or prospective employees to disclose user names and passwords to social networking sites, personal email and messaging applications. That sounds straight forward enough. But creating a new protected class of information in an environment of virtually unfettered access to data for litigation discovery and regulatory compliance will challenge businesses already overwhelmed with a tidal wave of information.
Beginning at the state level with a law recently passed in Maryland, protecting employees’ social networking passwords has gone viral with at least 10 other states considering similar legislation. Joining the fray, Congress is seeking to extend protection to smartphones, personal email and personal computers.
Expanding workplace privacy has an intuitive and understandable appeal. Seriously questioning possible side effects for U.S. businesses, especially in an election year, is probably not on most politicians to-do list. In fact, there hasn’t been much opposition. A few assert that such laws are unnecessary because asking for employees’ passwords isn’t widespread. Others raise security concerns - the original Maryland case involved prison officials investigating possible gang affiliations of employees.
The backdrop to all this is a dramatic shift in how we communicate - and really, how we live and work. The sophistication and versatility of portable devices like smartphones, tablets and ultra-mobile computers has forever altered the notion of work within specific time and location boundaries. Seeing people walking along busy streets talking on cell phones or texting furiously in restaurants is now commonplace.
But there is more to it than 24-7 accessibility. Accessibility goes both ways. Communicating with friends and family during work hours is just as commonplace. The distinction between personal devices and work equipment is fast becoming obsolete. Accessing work email on personal smart phones has become routine. So has communicating with friends and family on social networking sites from work provided devices. Few would voluntarily opt to carry two separate devices for reasons of economy and convenience.
Now add to the mix an unprecedented information explosion. The trendy phrase "Big Data" doesn’t do it justice. A 2012 study by International Data Corporation estimates that the total amount of digital data worldwide will reach 2.7 zettabytes - almost tripling since 2010. When new words need to be invented to describe how much data we have you should worry. A zettabyte is one trillion (1,000,000,000,000) gigabytes. To try to grasp that, a gigabyte is estimated to be 50,000 to 100,000 printed pages of email and documents. Most alarming for businesses, IDC estimates that 85% of that data passes through or is controlled by a corporate enterprise during its lifecycle.
A significant amount of this information explosion is attributable to the rising use of social networking and messaging platforms. For example, Facebook has about 900 million members as of March 2012 and it’s expected to grow to one billion by year end — that’s about 1 in 7 people on earth. When you add in texting and messaging platforms like Twitter, the numbers start to make sense.
Not only is the volume of data exploding, the variety of formats such as video files, pictures and text is increasing as well. Many businesses are deciding that storing and managing all of this data inside the corporate network with the required investment in infrastructure and maintenance is too great and the risk of liability for mishandling it is too high.
Enter the cloud: a trendy buzzword for outsourcing data management. Amazon is gaining great traction providing large scale IT infrastructure for companies looking to outsource database management, data storage, networking and processing. Others, like Google, are following suit.
Dealing with this data deluge has not included worrying about personal communication privacy. The approach - until now - for U.S. businesses has been self-regulating and laissez faire. This fits well with the extremely broad and liberal approach to accessing and exchanging information generally. Monitoring employees’ communications on company equipment such as keystrokes, email and messaging is allowed and practiced with regularity. So, when a company gets hit by litigation in the U.S., all that data is potentially fair game if it is relevant to the lawsuit and not privileged.
The European approach, on the other hand, is highly protective of privacy. Limiting access and disclosure has been a core value for decades. Strict rules are imposed both by individual countries and, since 1995, by the European Union itself. This approach is believed to have evolved in reaction to the use of information in identifying, persecuting and often killing individuals by fascist and totalitarian regimes before and during World War II.
But along with this highly protective attitude is a streamlined and stripped down approach to access and sharing of data generally. Unlike litigating in the U.S., a business litigating in the EU is not required to comb through and review masses of information in response to a litigation discovery request. Their approach is more akin to U.S. arbitration - the only documents exchanged are those that the parties and the judge determine are essential to resolving the matter.
The proposed legislation echoing European privacy values combined with our broad unfettered discovery is a data management disaster waiting to happen. Just ask someone who has responded to a U.S. discovery demand in a matter involving business in the EU. It’s not pretty. In some cases, a government official is required to oversee an email-by-email review by an employee deciding whether or not each communication is personal. There are strict penalties for improperly accessing, viewing or transferring personal information even if it’s intermingled with business communications. Litigants in the U.S. are used to getting most of what they think is coming to them and busy judges are not generally interested in foreign blocking statutes, EU Privacy Directives or the nuances of the Hague Convention.
No one would argue against a person’s right to privacy. But in the U.S. the workplace it doesn’t exist in a vacuum. There are ripple effects for U.S. businesses that need to be considered - whether it’s reexamining our open-ended approach to discovery or our regulatory data preservation requirements. The cost of turning a blind eye and not seeing the bigger picture could be staggering.
