Four Legal Land Mines for CIOs

CIOs struggling with the technical implications of the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act may be wondering what other ticking bombs are hidden under the IT landscape. We asked lawyers who specialize in technology to identify some of the more explosive risks and mitigation strategies. Here's what they said:


In the realm of IT security, there are new legal risks every day. California Senate Bill 1386, which took effect July 1, requires that companies conducting business in that state notify California residents if they know or reasonably believe there has been a breach in security that might have put their personal information at risk. The purpose of the law is to enable customers to take protective measures, such as informing their credit card companies, to minimize any damage.

Why you should care

Your company doesn't need to be based in California or even have an office there to be affected, says Maureen Dorney, an attorney at Gray Cary Ware & Freidenrich LLP in Palo Alto, Calif. If you have customers in California, own or license data containing personal information on such residents, or even maintain such data on behalf of another company, this law affects you. If your company suspects a breach and fails to quickly notify customers who suffer as a result, the law authorizes them to institute civil actions against your company to recover damages.

From a legal standpoint, Dorney says, your company is better off notifying customers even if you're not certain their data has been compromised, because the customers are expected under law to take action upon notification, and your liability is lessened.

"But most companies would consider that to be a very unpleasant and damaging disclosure," she says. Notification could lead to bad publicity, a dip in stock price and even shareholder suits over ineffective security. As a result, Dorney says, "historically, companies have bent over backward" to keep security breaches secret.

"Two things are going on that the business has to balance: the potential legal liability and the business realities," she concludes.

What you can do

• Make sure your board of directors understands security risks and approves the appropriate level of funding to address them properly.

• Work with your legal department to determine whether the law affects your company.

• Develop or amend information security policies to guide company employees on how to handle security breaches under the new law, and train employees on the new requirements.

• See that security policies and procedures are followed.

• Consider encrypting the personal information you hold; the law's disclosure requirement applies to unencrypted data, so encryption eliminates the need to comply with it.

• Develop a system for coordinating with law enforcement authorities in the event of a security breach.

Data Retention

Electronic document retention poses problems never dreamed of in the days of paper and file cabinets, says Cliff Greene, an attorney at Greene Espel PLLP in Minneapolis. "We're all concerned about the lack of uniform standards governing preservation issues," he says. The policy question facing every business, he says, is "whether to keep information a long time for protection or for the most minimal term because you don't want to have to be litigating ancient history."

Why you should care

If your company becomes involved in a lawsuit, your electronic document-retention policy suddenly becomes an issue. "A standard part of litigation wars now is to request all data and e-mail regarding the transaction," says Doug Ey, an attorney at Helms Mulliss & Wicker PLLC in Charlotte, N.C. If the CIO can't explain the company's document-retention policy, or if the policy is administered haphazardly or inconsistently, innocent deletions can seem sinister.

Not only do you need a policy about how long data will be retained, Greene says, but you also need to know how to effectively suspend that policy when your company needs to preserve data relevant to litigation. "This can be very difficult," he says, "because you're not just dealing with main systems, but also with all the different ways in which data can be stored."

If relevant data is inadvertently destroyed, the company can be charged with "spoliation of evidence," and consequences can be as severe as if your company had defied a court order, says Greene. Even knowing when you need to preserve data can be complicated, he says. In some states, you're notified to do so; in others, just the threat of a lawsuit requires you to preserve data. And since you're not always sued in your own state, you need to know the rules in other states as well.

What you can do

• Consult the guidelines of the Sarbanes-Oxley Act and search the Web for additional document-retention protocols.

• Work with your legal department and business colleagues to develop a policy that makes sense.

• Make sure the policy is applied consistently regardless of a particular document's content or location.

• Develop a standard plan for how to effectively suspend the policy to preserve documents in the face of lawsuits.


On June 18, the Federal Trade Commission announced an enforcement action against Guess Inc. involving online security. According to the FTC complaint, Guess's online privacy policy assured customers that their information was safe, but in reality, its databases were vulnerable to common hacking strategies and the company had failed to take "reasonable and appropriate measures to secure and protect the databases."

The FTC concluded that Los Angeles-based Guess hadn't lived up to its privacy assurances and had therefore violated FTC regulations. It required that Guess establish a "comprehensive information security program" and specified the components of that program (see below). If Guess fails to comply, each violation is punishable by a civil penalty of up to $11,000 per day for as long as the violation lasts.

Why you should care

What happened to Guess could happen to your company. "When you make a public statement on what kind of security and privacy protection you have, you've created a contract with the public," Dorney explains. "It can be bad for a company if it makes promises it can't keep." Private lawsuits and class-action suits are also possible, she says, adding, "Potentially, there's even fraud if the company made statements it knew were not true."

What you can do

The steps the FTC required for Guess can serve as guidelines for any prudent company. Here are some of them:

• Designate an employee to head the online security program.

• Conduct a comprehensive assessment of the risks to personal information security.

• Design safeguards to control the risks identified in the assessment.

• Monitor the safeguards' effectiveness and adjust them as needed.

• Obtain periodic audits by independent, qualified professionals attesting that the safeguards adequately protect consumer information.

Software License Violations

"People expect problems with sexy things like security and privacy, but based on my experience in lawsuits involving CIOs, the biggest litigation risk is still the nuts and bolts" such as software piracy or violating a software license, says Ey. "Too many users using software in too many locations -- that's ground zero for lawsuits."

Despite the publicity this issue has received, wherever there's a software license, there's still ample opportunity for a copyright infringement, attorneys say. "It's an issue of asset management and failure to manage," says Brian Balow, an attorney at Dickinson Wright PLLC in Detroit. "That is a real and significant risk all CIOs face."

It can happen easily, Balow says. For example, a bare-bones departmental budget can lead a manager to copy software. "If the company doesn't have a standard procedure in place to monitor what they have installed, the CIO has no idea," he explains. Then a disgruntled employee calls the vendor or the Business Software Alliance (BSA) and reports the infringement.

Why you should care

The softening economy may be hardening vendors. "I've seen an increase in activity," Balow says, adding that companies he knows have recently been approached directly by Oracle Corp., Microsoft Corp., SAS Institute Inc. and the BSA.

If they come calling, don't expect a slap on the wrist. "I've never seen them say, 'Stop and we'll let you go,'" Balow says. And your liability can be huge. "We're talking literally millions of dollars," he adds.

What you can do

• Understand your license agreements.

• Educate upper management about the importance of keeping the company honest, and enlist their support in the effort.

• Keep a good inventory of software and hardware.

• Ask your big vendors to provide resources for an annual accounting of your software use, and buy additional licenses as needed. "They're getting what they want and you're not getting sued," Balow says.

Melymuka is a Computerworld contributing writer. You can contact her at

Copyright © 2003 IDG Communications, Inc.
