I am attending what turns out to be a wonderful conference so far, "Emerging Trends in Information Security and the Law: Plausible Deniability is Dead" organized by Georgetown CLE. The opening by Paul Kurtz of the Cyber Security Alliance was interesting and set the table for the conference - what information security legal frameworks are out there and what should companies do to protect themselves.
Thomas Smedinghoff of Wildman Harrold went through a great overview of the new developments and trends in the law of Information Security. It was interesting to see how the playing field is shifting from approaching information security and security breaches reactively to adopting security measures and proactively seeking to protect an organization from liability in case of a breach. Also, the balance between the increased push by law enforcement for more data retention (for counter-terrorism, preventing online child abuse, etc.) on one hand and the security issues on the other hand is becoming very tricky. Many organizations find themselves under an affirmative duty to protect a piece of sensitive information they have, and at the same time there are requirements to preserve more.
Evidentiary Issues
An interesting case related to affirmative duties to properly protect information (especially within the litigation context) is American Express v. Vinhnee, 9th Cir. (2005). In this case, American Express sought to prevent the cancellation of Vinhnee’s debts in a bankruptcy proceeding. During a hearing in front of the Bankruptcy Court, American Express brought an expert witness who introduced American Express computer records, collected within the regular course of business, about Vinhnee’s financial affairs. Vinhnee did not attend the proceeding, and the court, after hearing AmEx’s witness, declined to admit the records under the business records exception to the hearsay rule because AmEx’s lawyers could not prove that the information was properly secured.
Although this is one of the rare cases where a party goes to court, unopposed, and still manages to lose, the holding is important in another way - it shows that you need to show not only that business records were collected and kept in the regular course of business, but also that they were properly secured. Granted, a corporation such as AmEx would most likely (we all hope) have proper security mechanisms, and as long as its lawyers are on notice that they need to present evidence of this to the court, things should be ok. However, litigants who know that their records are not properly secured may need to do more if they want to prevail in court.