Companies urged to maintain privacy, security or face legal trouble

Computerworld - Companies face many snares, some of which are hidden, when protecting sensitive information and maintaining security, said lawyers addressing the Massachusetts Software and Internet Council today.

Security and privacy issues are mixed together, and companies must understand that their security and ability to maintain privacy are only as good as those of others who have access to their systems.

"I was amused to read in the paper that the Harvard Medical School was giving PalmPilots out to all its medical students," said David S. Szabo, a lawyer at Nutter, McClennen & Fish LLP in Boston. "This is a radioactive device filled with medical data."

Szabo said that it's impossible to guessthe school's liability if one of the devices were lost or stolen. Privacy rules laid out in the Health Insurance Portability and Accountability Act say such data has to be protected. A question, he said, then arises: What would constitute protection in such a case?

Donna Sherry, a lawyer at Boston-based Goodwin Procter LLP, said companies need to keep liability in mind when they send private information via e-mail.

All the lawyers at the conference said they consider e-mail open to privacy and security risks, which points to the need for clear policies for e-mail and Internet usage.

"When you send an e-mail, it goes 20 different places and it is stored forever," said Nicholas M. Gess, a lawyer at Boston-based Bingham Dana LLP.

Szabo advised users to consider who will read the e-mail before sending one containing sensitive information.

Sherry cited a case in which an information services manager at a small, privately held company was reading incoming e-mail from a larger, publicly held company that was looking into buying it. The manager found the details of the sale and other confidential business information and told his colleagues what he had learned. If the information had gone public, there could have been wider consequences, including problems with the Securities and Exchange Commission, Sherry said.

Companies should draft clear policies for Internet and e-mail usage and make sure that employees get copies of these policies at least twice a year, said Neil McKittrick, a lawyer at Hill & Barlow of Boston.

He said every new employee should be given a copy of the policy when he starts, adding that the company should follow up with updated versions of the policy at least every six months.

When one member of the audience asked if there is an authority or anyone who can define the "industry standard" for dealing with these issues,