SECURITY AND CONFIDENTIALITY IN THE WORLD OF E-MAIL AND THE INTERNET
A legal analysis of How to Keep a Business' Secrets Secret in the World of Electronic Communications or, How E-mail Never Dies...
Introduction:
There seems to be something
about the Internet and e-mail that causes people to believe that they are somehow
in a more private arena than when drafting a letter or memo, or engaging in
a telephone call or a public discussion. Somehow the intimate and silent connection
between a person and the computer screen leads people to think and act in ways
that they would never consider in any other forum.
One writer likened it to
the way a person alters his or her conduct when behind the wheel of a car. Polite,
docile individuals who would never barge into a line will cheerfully and aggressively
honk and maneuver in traffic with the maturity of a teenager. The closed windows
of a car seem to create an aura of isolation that allows one to demonstrate
aggression yet remain in a seemingly private setting.
In front of a computer screen,
mature and sophisticated business people often seem to lose their usual conservative
caution and create documents and communications which often return to haunt
them...and are easily obtained by competitors, governmental agencies and other
assorted miscreants. Nor are experts or large corporate executives immune. Both
Microsoft and the cigarette companies were ultimately impeached by various e-mails
and electronic memos that they were careless enough to create.
Once one clicks a mouse
and either stores or sends data, it does not "disappear" into a different
dimension: it is retrieved, often by thousands of computers, and automatically
stored in dozens, perhaps hundreds, of locations, many unknown to the user. Each
and every electronic transaction is not only stored by the vendor, but also
analyzed and forwarded to various other entities that peruse it for their own
purposes, usually building a database of who you are as a consumer, as a business
person and as a user of the Internet. The simple fact is that one does not know
the ultimate location of such information and the forum is more public and more
accessible to your competitors or adversaries than any telephone conversation
or public discussion. While laws are being considered to attempt to limit such
use of information, the laws are not yet effective and, as discussed below,
may never be effective.
Even when one "erases"
a document on one's own drive, it often is not truly erased but merely
stored in another location, and your erasure usually has no effect on other persons
who may have had access to the information. Erasing information on your own
computer is rather like burning one copy of a document that has a thousand copies.
You simply make it harder for yourself to know what other people are reading.
Put even more simply, if
one is willing to spend some money, one can quickly discover everything you
have ever bought on the Internet, every Website you have visited and, if lucky,
each person who sent you or received an e-mail from you and the contents of
the e-mail. The Internet is a powerful and convenient tool...but not only for
you. It is an excellent way for vendors, governments...and your competitors
to learn nearly everything you have ever bought, said, read, or stored in that
medium...provided you do not take appropriate countermeasures.
It should be emphasized
that it is not using a computer that is the issue, but using a computer that
is connected to a telephone line, whether using a service provider such as AOL
or Yahoo, or not. Once you leave the security of keeping your computer offline,
you open your data to the perusal of the world.
In June of 2000, effective
October of 2000, the Federal government recognized the power and durability
of electronic documentation by allowing the formation, execution and even notarization
of documents into legally binding agreements solely by means of electronic notation:
thus, e-mail can make a contract that can bind you to a million dollar obligation.
The government was careful to seek to protect consumers by various safeguards,
but businesses are expected to protect themselves; a whole array of technological
methods are being devised to allow the formation, execution and enforcement
of agreements and obligations, all electronically.
In short, touch the mouse
at the wrong time and you are bound as much as if you signed a fifty-page contract
in a dignified conference room surrounded by attorneys and before a notary using
a golden pen. In short, the world of electronic commerce...and electronic invasion
of your private and business secrets... has fully arrived and the business person
who does not learn the intricacies of how to use e-mail and the Internet will
soon find him or herself in remarkably unfortunate situations. It is incumbent
upon any person engaged in commercial transactions to master the requirements
and learn the dangers and advantages of this new method of business.
This article discusses
the basics of how to protect your privacy and confidentiality in e-mail
and Internet communications and record keeping, and explains the paucity of protection
available to those who rely only on the seeming isolation of the e-mail forum
to protect their secrets and their assets.
THE NEW JURISDICTION OF THE INTERNET AND ETHER SPACE
Go back fifteen years. If
someone wanted to steal a business asset, be it a customer list, formula of
your best product, your trade name, or your best marketing plan, the thief would
usually have to come into your particular locale to achieve the theft. Someone
would have to go into your files or desk, someone would have to pull a formula
from your safe, someone would have to rifle through your correspondence file...all
of those things normally occurring in your home state.
This is vital to note for
two reasons. First, by locking your door or your safe, you could achieve some
security. Second, assuming you caught the wrongdoer, you could have him or
her arrested...or sue him or her...in your local courts, subject to your
local laws.
Why is that significant?
It means that the place of the "wrongful act," a legal term meaning
the place where the evil deed was done and jurisdiction allowed, was within the
local state, be it California or Iowa, or wherever you were engaged in business.
And that meant that your local law would apply, that you could enforce those
laws in your local courts, and while you might have to chase the defendant into
another jurisdiction, most jurisdictions, by law or treaty, were required to
enforce the judgment of a sister state or country. You might be a victim, but
at least you knew that the law courts were available to enforce the law that
your legislators passed that would presumably protect you.
Now come to the present.
By means of clever entry into your computer (called "hacking" in
the trade), your best formula or trade secret can easily be stolen late at night
by a fifteen-year-old student in Bolivia, Xian, Rostov or Bombay. They never
entered your locale, indeed, never came within the boundaries of your state
or country. Often the theft occurs and you will never even know it happened...and
even if you do, you face a truly frightening fact: there is no agreed upon law
to protect you and no agreed upon courts to hear your case. A clever programmer
or "hacker" can break into your computer despite the usual passwords
that the typical business person uses and quickly retrieve and download all
your files...including all e-mails you have sent or received whether you have
erased or deleted them or not.
Assuming your thief resides
in Russia, China, Iraq, Israel, Libya, North Korea, Cuba, Greece, any of the
former Soviet Republics, Pakistan, India, Burma or Iran, not to mention three
dozen other nations in Asia, Africa or South America, you will soon discover
that the courts there simply do not work or protect you, that often no laws
have been passed to even consider the matter, and that even if by some miracle
you achieved a judgment, there is no way to enforce it. Some countries are so
corrupt that one simply buys justice. Some countries are so inept in their legal
systems that a typical trial takes over a decade. And some countries are so
hostile that you cannot even appear to argue much less win the case.
And the central fact
is this: the moment you are on the Internet or use e-mail available outside
of your local in-office network, you are open to the entire world...if you are
on the Internet you are automatically connected to each and every nation on
earth...including those hostile to the United States and our courts. You say
you would never elect to do business in Bosnia or Burma? If you are on the net,
you already are!
Nations are just beginning
to react to that startling fact of the new market place. Assume you have a Website.
Instantly your information is available to anyone in any nation, including nations
that could consider your information as subversive, pornographic or a violation
of their moral code. Just as you have little practical relief available if they
steal your ideas, they have few practical methods to stop you from invading
their borders with whatever information you wish to develop.
But it is not the Website
by itself that opens you up to hackers (at least so far) but your use of the
Internet for e-mail, whether it is taking orders, answering inquiries, or sending
your own e-mail. Assuming you use your website to actually exchange information
with the Internet, then hackers can enter your computer system via your Website.
There are some technological
protections available ("firewalls" they are called) by which your
communication with the outside world is achieved via servers separated from
the computers that handle your own internal files and e-mails. But, as discussed
below, such systems are not only quite expensive, but are easily voided by careless
procedures or employees and must be carefully monitored and adjusted as the
hackers improve their methods.
WHEN MAY YOU BE CONSIDERED AS CONSENTING TO A FOREIGN JURISDICTION?
One of our clients recently
received an irate complaint from a European company stating that our clients
were violating German law by underselling their services to German citizens.
We replied truthfully that no one from our client's entity had ever stepped
inside of Germany or even advertised in Germany...we simply had a Website and
German citizens ordered services from our clients who engaged in business solely
in the United States. The German company was outraged, accused our client of
hypocrisy, and threatened to file suit.
"Under which law?"
we asked. For our client had never entered Germany, had not subjected itself
to its jurisdiction, nor used any of the public services, airwaves, or private
entities located in that country. After three weeks, the German company slunk
away, realizing that no United States court would uphold such a German law and
that Germany had no jurisdiction over our client.
The Courts are beginning
to grasp the enormity of the problem and have begun to develop guidelines as
to what constitutes "doing business" in a jurisdiction sufficient
to vest the right to be pulled into the court. Most of the cases relate to consumer
protection, but it can be expected that the same rationale will ultimately
be extended to commercial and business transactions as well.
Essentially, the courts
are requiring more than merely having a Website which is opened in a foreign
jurisdiction. Most jurisdictions require the company to both seek to and succeed
in engaging in a series of transactions within the jurisdiction on a regular
basis and simply having a Website which is opened in a jurisdiction has not
been held to vest jurisdiction within that region.
However, by providing in
your Website a method for the consumer or business to purchase something directly
from the web page, many jurisdictions have stated that you are using their locale
sufficient to be subject to their laws. On the other hand, merely advertising
your qualities on your web page without giving a methodology to order your products
from your web page does not usually result in you "doing business"
in that locale.
While that may be reassuring
to American companies who do not wish to find themselves pulled into foreign
and possibly hostile jurisdiction, it also means that wrongful attacks on one's
Internet connection from that foreign jurisdiction do NOT vest local jurisdiction
for relief in the United States. It means that an attack from Iran may be considered
by Iran as allowing one to sue...but only in Iran.
And, for the purposes of
this article, it may very well mean that if I, as your competitor, obtain your
trade secrets using a means located in Burma, Israel, Russia, Yemen, or any
one of three dozen other distant locales, your effective legal remedy is nil.
SOLUTIONS
International law will eventually
catch up with the new technology and one can expect, in five to ten years, a
whole series of statutes being passed regulating and protecting not only the
Internet, but the secrecy of data in computers. How and if these statutes will
be enforceable in various "pirate" countries, such as Libya, Iraq,
Burma, and the like, is quite another matter. It is probably safe to say that
the protection that must be achieved for data on computers connected by modem
to the outside world will have to derive from internal policies and procedures
created by the individual and the companies holding the data.
The following procedures
should be carefully considered for implementation by companies seeking protection
for their sensitive materials.
1. LEARN THE DANGERS AND KEEP UP TO DATE
Most people think deletion
of data on one's computer deletes it.
-It does not.
Most people think that putting
a password on the data protects it.
-Not much.
Most people think that encryption
codes offer foolproof protection of data.
-At times, but not often.
Most people simply don't
think about the contents of their computer at all and somehow feel that the
data stored inside is privileged from the scrutiny of the courts and opposing
parties in the event of litigation and that there is some "right to privacy"
which makes data in computers sacrosanct.
-Only if the attorney-client, or equivalent privilege applies. Most data is entirely
discoverable by both the government and parties in any litigation or court proceeding.
While one can shred written
documents and destroy all copies, to do the same with computers is much more
difficult and if one has sent the data via modem to any other party, nearly
impossible. Further, even in-house e-mails within a single company are often
stored on other computers, servers, or laptops or palm tops. All these computers
may be accessed both by competitors and opposing parties in litigation. (An
increasingly common practice when one commences a lawsuit is to serve a demand
to inspect all such computers before the other side even realizes that critical
evidence may be stored on such discs...even when the author thought they were
all erased.)
One should hire excellent
computer professionals to both advise and accomplish any destruction or protection
of data one wishes on computers (provided no effort at discovery has already
commenced, for if it has, one cannot destroy such evidence legally). Further,
one should adopt rigid rules as to what may be placed on a database, who has
access to same, who has access to modems and the Internet, and who decides what
is deleted and how it is to be accomplished. Do not just send copies of e-mails
about the office freely or to other parties over modem...unless one is content
to have the documents surface years later in litigation.
2. CLASSIFY WHAT DATA IS SENSITIVE AND ISOLATE IT FROM MODEMS AND TRANSFER
It is unrealistic to operate
a business without access to e-mail or the Internet any more, but one can select
which data is not to be sent by e-mail or stored on equipment connected via
modem to the outside world. Any truly sensitive material must never be sent
by e-mail and one should have a list of each and every computer which stores
such data and ensure that such data is protected by an appropriate firewall.
Assign someone in your organization
to enforce these rules and update that person with the latest bulletins on new
technologies; ensure that all new employees and independent contractors are
aware of such procedures and adhere to them closely.
3. PLACE CHOICE OF LAW AND JURISDICTION CLAUSES IN ALL CONTRACTS AND TERMS AND CONDITIONS
While this will not act
to create effective enforcement of all judgments, it certainly can give one
more area of protection for business people. Assuming a party executes a contract
(including one on the Internet) one is bound by the law recited in the contract
or terms and conditions, as well as clauses awarding attorneys' fees to the prevailing
party or even imposing private arbitration on the parties. (See Articles in
this web site on Arbitration and Contracts.) This may force a hostile jurisdiction
to enforce local law or protect the web user from being exposed to hostile courts...IF
the other party agrees to the contract with those provisions.
4. USE TECHNOLOGY TO PROTECT TECHNOLOGY
Those who wish to compete
successfully can no longer avoid the use of the powerful technologies of the
Internet; but those who will survive the worldwide aspect of the new business
will be those who use technology to counter the dangers involved. That means
recognizing the need for a firewall (a server whose sole purpose is to stop
access to your net from the outside world); for encryption codes and truly effective
passwords; for training of personnel that "delete" does NOT mean delete
and should more accurately be termed "hide from the screen"; and truly
effective and updated anti-virus software.
Due to publicity, probably
the only aspect of the new technology well known by the average business user
is anti-virus software and this is indeed critical. (Our own office is hit by
an attempt to place a virus in the system on average once a month.) However,
the war between those who create viruses and those who stop them is continuing
to escalate and an anti-virus program that is six months old is useless. (Again,
remember that viruses are often not created in the United States and those creating
them seldom are caught or punished. It is not just vandalism but an entire subculture
that is being created, a type of mental chess game of the new era in which the
"winner" obtains publicity by damaging software around the world.)
Someone in the office must
be trained to update anti-virus software AND keep up to date on all aspects
of e-mail and modem security. That person should also plan on training users
in the new technology and defensive tools at least quarterly and more if international
e-mails are a common event in the office.
5. DO NOT USE E-MAIL FOR TRULY CRITICAL AND SENSITIVE INFORMATION
E-mail and its attachments
are convenient and cheap. E-mail is also like a party-line telephone call, subject to
abuse. If you truly are concerned about security, do not use it. Simple as that.
Mail may take longer, a
telephone call may require that both sender and receiver be there at the same
moment to communicate: but laws now exist and are enforced to protect both mail
and telephone calls from interception, while comparable laws regarding data security
or e-mails either do not exist in most countries or are in their infancy.
Another tremendous advantage
to mail and telephone is that you can determine by physical non-expert inspection
how many copies have been made and where they are: an impossibility with most
e-mail.
Keep in mind that if your
faxes are connected to a fax server or are themselves converted to e-mail and
sent to another computer, it is no different than sending e-mail.
And keep in mind that anything
scanned into a computer is equivalent to being sent by e-mail.
CONCLUSION
It took only a few months
after the telephone was invented to discover how to "tap" a line and
listen in to another's conversation. It was over five decades later that
the law finally developed statutes prohibiting such acts by private people and
seventy years after that the courts were still arguing about the right of the
police, even with a search warrant, to engage in such eavesdropping.
The newer technologies,
international in scope, thus subject to hundreds of jurisdictions about the
world, may be expected to require decades to develop protection by the various
laws and given the rapidly changing nature of the technology, it is quite possible
that the laws will never catch up with the changing requirements...until the
advance in technology finally slows down long enough to allow the legislatures
and courts to finally adapt.
In the meantime, the wise
businessperson will realize that when turning on a computer, one enters an area
largely outside of the protections of American law and will adjust methods and
protections accordingly. "Let the User Beware" may be the replacement
for the old adage, "Caveat Emptor" (Let the Buyer Beware.)
These Articles are to give the reader a general description of certain
areas of the law. Legal advice is necessary to apply these legal
concepts to your particular situation. The Reader should obtain
competent legal advice before relying on the Articles.