Privacy Issues in Civil Litigation and Government Investigations

1. This chapter examines privacy issues that arise when a company is responding to civil litigation and government investigations.

2. Before trial, a company may receive civil “discovery” requests (requests for information by each party in a lawsuit)

3. Disclosures in investigations and litigation are more likely to be made through cooperative efforts of lawyers with a company’s privacy and information technology professionals.

4. Covers how disclosures may be required, permitted or forbidden by law.

5. Organizations sometimes are required by law either to disclose or not to disclose personal information.

12.1 Disclosures Required, Permitted or Forbidden by Law

1. For investigations and litigation

   1. The law can be complex about when information must be disclosed

      1. When the organization has a choice about whether to disclose

      2. When the organization is prohibited from disclosing.

2. Disclosures Required by Law

   1. Certain U.S. laws require disclosure of personal information held by an organization.

      1. As discussed by the Bank Secrecy Act and related reporting requirements designed to reduce money laundering.

      2. Other disclosures:

         1. U.S. Food and Drug Administration (FDA) requires health professionals and drug manufacturers to report serious adverse events, product problems or medication errors.

         2. U.S. Department of Labor’s Occupational Health and Safety Administration (OSHA) requires compilation and reporting of information about certain workplace injuries and illnesses.

         3. Health Insurance Portability and Accountability Act (HIPAA) permits disclosure of protected health information where disclosure is required by law.

         4. Companies with information relevant to a government investigation or in civil litigation may receive a subpoena, which is an instruction to produce a witness or records.

3. Disclosures Permitted by Law

   1. For some categories of information, an organization is permitted, but not required, to disclose personal information.

      1. HIPAA requires very few disclosures.

         1. Privacy Rule requires covered entities to disclose protected health information (PHI) only to

            1. the individual to whom it pertains

            2. the U.S. Department of Health and Human Services (HHS) in the course of an enforcement action

      2. Computer trespasser” exception (sometimes called the “hacker trespasser” exception)

         1. USA PATRIOT Act

         2. Law enforcement officer needs to have a court order or some other lawful basis to intercept wire or electronic communications

4. Disclosures Forbidden by Law

   1. Many of the privacy laws discussed in this book forbid disclosures

      1. These laws often use either an opt- in or an opt-out requirement to help accomplish their restrictions.

         1. Gramm-Leach-Bliley Act (GLBA) forbids disclosures to third parties if the individual has opted out.

         2. HIPAA and the Children’s Online Privacy Protection Rule (COPPA) forbid disclosures of covered information to third parties, unless there is opt-in consent

12.2 Privacy and Civil Litigation

1. A large amount of personal information may be disclosed to parties in the course of civil litigation.

2. Although the United States has a strong tradition of public access to court records, privacy concerns are also recognized.

3. Courts can issue protective orders to prohibit disclosure of personal information revealed in litigation

4. Attorneys increasingly are required to redact Social Security numbers and other sensitive information (FPI, ESI) when filing documents with the courts (P 308)

   1. Trademark, Trade Secrets, other sensitive information can b reddacted

5. Public Access to Court Records, Protective Orders and Required Redaction

   1. The U.S. has a strong tradition of public access to government records, including under the federal Freedom of Information Act (FOIA) and state open records laws.

   2. Placing court records on the Internet, however, also raised privacy issues

   3. One response to public access to court records has been

      1. Litigants to seek protective orders for personal information.

      2. With a protective order, a judge determines what information should not be made public and what conditions apply to those who may access the protected information.

6. Electronic Discovery

   1. Prior to trial, the parties usually engage in discovery.

   2. In discovery, the information typically is exchanged with the other party or parties and their attorneys.

   3. Managing e-discovery and privacy begins with a well-managed data retention program.

      1. Designing a retention policy, it should be remembered that ESI takes not only obvious forms such as email or word processing documents, but can also manifest itself as databases, web pages, server logs, and others.

      2. Federal Rules of Civil Procedure

         1. Discusses electronically stored information (ESI)

         2. Discovery of ESI, generally known as e-discovery

      3. When a court finds conflict between a corporate retention policy and a discovery request, the court will likely apply a three-factor test:

         1. The retention policy should be reasonable considering the facts of the situation

         2. Courts may consider similar complaints against the organization

         3. Courts may evaluate whether the organization instituted the policy in bad faith.

   4. Issue of transborder data flows creates a more complicated situation.

      1. When engaged in pretrial discovery in U.S. courts, parties can be caught between conflicting demands.

      2. On the one hand, they must comply with U.S. discovery rules that expressly recognize the importance of broad preservation, collection and production.

      3. Aerospaciale v. S.D. of Iowa outlines the factors that an American court may use to reconcile the conflict.

         1. These factors include:

            1. The importance of the documents or data to the litigation at hand

            2. The specificity of the request

            3. Whether the information originated in the United States

            4. The availability of alternative means of securing the information

            5. The extent to which the important interests of the U.S. and the foreign state would be undermined by an adverse ruling

12.3 Law Enforcement and the Role of Privacy Professionals

1. With civil litigation, a company can face requests to provide personal information in connection with criminal investigations and litigation.

2. Fourth Amendment Limits on Law Enforcement Searches

   1. The Fourth Amendment to the Constitution provides:

      1. “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched.

   2. Limits on government power stem in part from objections to “general warrants” used by the British king’s customs inspectors before the American Revolution.

   3. Evidence gathered by the government in violation of the Fourth Amendment is generally subject to what is called the “exclusionary rule,” meaning that the evidence can be excluded from the criminal trial.

   4. Telephone wiretap law

      1. has been important to the last century of Fourth Amendment jurisprudence.

      2. 1928 case of Olmstead v. United States, a majority of the Supreme Court held that no warrant was required for wiretaps conducted on telephone company wires outside of the suspect’s building

      3. Supreme Court overruled Olmstead in the 1967 case of Katz v. United States. (warrantless wiretapping is not okay, Olmstead was on a telephone wire, not protected by 4th amendment) not allowed right now except for exception - Unless suspected of terrorism hard to get info

         1. The majority stated: “What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection.

         2. What he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected

   5. Statutes That Go Beyond Fourth Amendment Protections

      1. A number of federal statutes affect law enforcement access to personal information.

      2. Some of the statutes placed additional requirements on law enforcement after the Supreme Court held that the Constitution did not require search warrants in the relevant circumstances.

      3. The Wiretap Act, Electronic Communications Privacy Act, and Stored Communications Act

         1. From strictest to most permissive, federal law has different rules for

            1. Telephone monitoring and other tracking of oral communications

            2. Privacy of electronic communications

            3. Video surveillance, for which there is little applicable law.

         2. Intercepting Communications

            1. Federal law is generally strict in prohibiting wiretaps of telephone calls.

            2. applies to “wire communications,” which includes a phone call or other aural communication made through a network.

            3. The Electronic Communications Privacy Act ("ECPA") was passed in 1986 to expand and revise federal wiretapping and electronic eavesdropping provisions.

            4. It was enacted to create and promote " the privacy expectations of citizens and the legitimate needs of law enforcement.

         3. Stored Communications

            1. The SCA was enacted as part of ECPA in 1986.

            2. Creates a general prohibition against the unauthorized acquisition, alteration or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.

            3. ECPA included amendments to the Wiretap Act, created the Stored Communications Act, and created the Pen Register Act.

            4. As for interceptions, violations can lead to criminal penalties or a civil lawsuit.

            5. United States itself cannot be sued under ECPA, but evidence that is gathered illegally cannot be introduced in court.

            6. Under § 2703, an administrative subpoena, a National Security Letter ("NSL"), can be served on a company to compel it to disclose basic subscriber information

3. The Communications Assistance to Law Enforcement Act

   1. The U.S. Communications Assistance to Law Enforcement Act of 1994 (CALEA) (sometimes referred to as the Digital Telephony Bill) lays out the duties of defined actors in the telecommunications industry to cooperate in the interception of communications for law enforcement and other needs relating to the security and safety of the public

4. Cybersecurity Information Sharing Act

   1. The Cybersecurity Information Sharing Act (CISA) became law in 2015.

   2. The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out.

   3. Specific provisions of CISA include:

      1. Authorization for a company to share or receive “cyber threat indicators” or “defensive measures.”

      2. Requirement for company to remove personal information before sharing.

      3. Sharing information with federal government does not waive privileges.

      4. Shared information exempt from federal and state FOIA laws.

      5. Prohibition on government using shared information to regulate or take enforcement actions against lawful activities

      6. Authorization for company’s monitoring and operating defensive measures.

      7. Protection from liability for monitoring activities.

5. Right to Financial Privacy Act

   1. The special requirements of the Right to Financial Privacy Act (RFPA) of 1978 apply to disclosures by a variety of financial institutions, including banks, credit card companies and consumer finance companies.

   2. RFPA states that “no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least one of these conditions:

      1. The customer authorizes access

      2. There is an appropriate administrative subpoena or summons

      3. There is a qualified search warrant

      4. There is an appropriate judicial subpoena

      5. There is an appropriate formal written request from an authorized government authority

6. Media Records and the Privacy Protection Act

   1. The Privacy Protection Act (PPA) of 1980 provides an extra layer of protection for members of the media and media organizations from government searches or seizures in the course of a criminal investigation.

   2. Newspapers/Journalists - benefit of this act and protection unreasonable turnover.

7. Evidence Stored in a Different Country

   1. With the growth of cloud storage of records, including by web email and social network providers, evidence for a criminal case is more frequently held in a different country, a phenomenon that has been called “the globalization of criminal evidence.”

   2. other governments have had to meet the requirements of U.S. law, such as ECPA, to gain access to email, social network, or other electronic evidence held by these companies.

12.4. National Security and the Role of Privacy Professionals

1. Compared with the law enforcement issues discussed in the previous section, somewhat different rules and issues arise when the government seeks personal information for national security purposes.

2. Introduction to Debates About National Security Surveillance

   1. National security wiretaps and other national security searches create a fundamental constitutional question

   2. USA PATRIOT Act

      1. Supporters of broader surveillance argued that foreign intelligence wiretaps should be used more often and with more flexible legal limits.

   3. FISA

      1. Congress accessed FISA once again, notably in the FISA Amendment Act of 2008.

      2. This statute gave legal authorization to some of the new surveillance practices, especially where one party to the communication is reasonably believed to be outside of the United States.

      3. Overview of The Foreign Intelligence Surveillance Act

         1. FISA establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the United States

         2. FISA orders can issue when foreign intelligence gathering is “a significant purpose” of the investigation.

         3. Section 702 applies to collection of electronic communications that take place within the United States and only authorizes access to the communications of targeted individuals for listed foreign intelligence purposes.

3. Section 702

   1. Section 702 refers to a provision in the Foreign Intelligence Surveillance Act Amendments Act of 2008, which revised FISA

   2. Section 702 can provide access to the full contents of communications, and not just metadata such as to/from information.

4. Section 215 Orders

   1. Section 215 of the USA PATRIOT Act stated that the National Security Agency (NSA) had created a database containing a substantial fraction of call detail information for domestic U.S. telephone calls.

5. National Security Letters

   1. An NSL is a category of subpoena that, prior to the PATRIOT Act in 2001, was used narrowly, only for certain financial and communication records of an agent of a foreign power, and only with approval of FBI headquarters.

   2. Separate and sometimes differing statutory provisions now govern access, without a court order, to communication providers, financial institutions, consumer credit agencies and travel agencies

   3. NSLs can be issued by authorized officials, often the special agent in charge of an FBI field office.

   4. The precise language in the statutes varies, but NSLs generally can seek records relevant to protect against international terrorism or clandestine intelligence activities.

   5. NSLs can be issued without any judicial involvement.

12.5 Conclusion

1. Many privacy issues can arise in the course of investigations and litigation.

2. Companies can face complex legal rules about when they are required to or forbidden from disclosing personal information, and when they have a choice about whether to do so.