Future-Proof Your Data Governance for Changing Privacy Laws

Matthew Campbell filed a class-action lawsuit in 2013 against Facebook.

He did so on behalf of US users who sent or received private messages containing website links. The suit alleges that Facebook unlawfully read these messages to collect data about user behavior it would later use for targeted advertisements. 

The Electronic Communications Privacy Act (ECPA) of 1986 governs how businesses can monitor user data. The law states that business may be exempt if they monitor communications in “the ordinary course of business.” US District Judge Phyllis Hamilton argued that Facebook “had not offered a sufficient explanation of how the challenged practice falls within the ordinary course of its business.” 

Laws Play Catch Up to Technology

Regardless of the suit’s outcome, the anecdote suggests that, while technology has evolved into new forms of communication like Facebook, the law governing the user information this technology creates has remained stagnant.

This year, the US House of Representatives voted to pass the Email Privacy Act. The act updates the ECPA, and it will require government entities to obtain a warrant before accessing citizens’ emails, photos, texts and other forms of electronic communications, regardless of how old they are. If the act becomes a law, it will be part of the legislation patchwork that governs how service providers address data privacy.

The sheer volume and variety of communications data, coupled with heightened concern for privacy, ensure the patchwork that governs electronic information will continue to add new pieces and evolve. Service providers like Google, Facebook and Dropbox must change their thinking and policies with this evolution in mind. They must proactively address data-privacy concerns or risk losing their customers’ trust.

The Email Privacy Act makes it more difficult for the government to obtain customer data from third-party service providers and e-discovery firms representing those service providers. 

The Email Privacy Act would require government agencies to obtain a warrant before searching “any wire or electronic communication that is stored, held, or maintained by the provider” or “person or entity that provides an electronic communication service to the officers, directors, employees, or agents of the person or entity.” This fact does not mean these organizations can relax their e-discovery and data governance strategies — it means the opposite.

Organizations must establish a process whereby the correct people are notified of an impending government information request. The people responsible for e-discovery and communications compliance should be able to provide evidence they’ve made a reasonable effort to preserve electronically stored information (ESI) in the event the government requires access. 

Establishing an effective process requires taking the time to train employees and enforcing e-discovery and information-retention policies. Give employees the power to proactively take action in the case of impending warrants.

While a strong information governance strategy requires human oversight to implement, organizations need to support their personnel with the appropriate technologies. 

The act is called the Email Privacy Act, but its guidelines pertain to all ESI a service provider produces from a number of sources, including texts and social media. Service providers that must disclose information to government agencies have to disclose the pertinent information by the date listed on the warrant or, in the absence of a date, they must “promptly respond to the warrant.” Technology exists to ensure organizations can respond quickly and with only the information that pertains to the warrant.

Tools must empower compliance and legal teams to manage, preserve, search and act in a timely manner. 

As the variety of communications data continues to grow at a rapid rate, capturing that information in context will become paramount for lowering e-discovery costs and mitigating compliance risks. A tool that captures data in context retains an entire email thread, rather than the single email in question. It can provide an entire tweet stream, rather than the single tweet. 

To make e-discovery an efficient process, tools must archive data in context, integrate with existing applications and help facilitate regulatory compliance. Implementing the right tools to support legal and compliance teams will lower legal costs and help the service provider in question avoid further scrutiny from the investigating government agency.

Service providers’ information-governance strategies must be flexible. The Email Privacy Act modernizes a decades-old piece of legislation. 

Other laws have also recently undergone change. The Federal Rules of Civil Procedure (FRCP) saw amendments late in 2015, that altered the scope of what constitutes “reasonable efforts” to preserve ESI. 

Privacy topics continue to crop up frequently in the news. Undoubtedly we will see changes to existing privacy laws or additional new laws. With the emergence of new types of corporate communication channels, compliance strategies cannot remain rigid. They must be built to adapt to a constantly changing environment.

Preserving the vast amount of data that is transferred on a daily basis is no easy task. Service providers simply cannot retain each and every piece of customer-generated communication data. Information-governance strategies should help service providers delineate between valueless and necessary information — information that customers will continue to create in massive volumes and new varieties.

The Email Security Act focuses on how service providers make customer information available to government entities during e-discovery. Customers will want to know their information is safe at all times. As a result, information security professionals need to take part in any organization’s information-governance strategy to ensure privacy, no matter how regulations change.

The Email Privacy Act reshapes an old law to fit modern communications practices. Service providers must understand that these changes are not the last amendments to alter communications regulation. 

Privacy law exists as a patchwork. From healthcare regulations to e-discovery practices, existing compliance standards are changing and new standards are cropping up to govern new types of information and information usage. In order to simultaneously fulfill privacy demands and compliance ordinances, organizations must implement technologies that support flexible information-governance strategies. 

Efficient data-governance strategies will enable organizations to maintain privacy compliance even as the patchwork legislature changes. Those that do not adapt their strategies to prepare for future changes will incur high costs during e-discovery processes, risk future sanctions and lose customer trust — a recipe for disaster in today’s customer-obsessed business world. 

Title image by Janus Y