A joint project of Law Technology News and Law.com Legal Technology


November 03, 2009

Lawyers Can Ignore Red Flags, But What About Vendors?

U.S. District Court Judge Reggie Walton recently dealt what many in the legal profession hope is the death blow to the Federal Trade Commission’s most recent efforts to extend consumer-protection regulations to attorneys engaged in the practice of law.

In an Oct. 29 decision in which he promised to provide a more detailed memorandum opinion by the end of November, Judge Walton stated he did not accept the FTC’s argument that law firms were “creditors” within the meaning of the Fair and Accurate Credit Transactions Act of 2003. As a result, he ruled that law firms aren't required to comply with the FTC’s so-called Red Flags Rule.

The FTC may appeal.

At stake in the lawsuit brought by the American Bar Association was the FTC’s authority to broadly define a creditor as “any entity that regularly extends, renews, or continues credit.” The FTC further interprets a creditor to mean just about any business that first renders a service and then accepts payment. If you offer professional services, and are paid after the services are rendered, you are a “creditor” in the eyes of the FTC.

Like Sarbanes-Oxley’s emphasis on internal controls at financial institutions, Credit Payment Industry data security rules and other recent consumer laws and regulations, the FTC’s Red Flags Rule is an effort to protect against fraud and abuse by addressing the most obvious and emergent concerns. The Red Flags Rule is specifically focused on preventing identity theft.

The Red Flags Rule requires affected organizations to define and implement processes to identify obvious “red flags” of identity theft. It also requires that compliance programs be put into place for affected entities’ vendors – just as, for example, privately held suppliers to the Boeing Co. are effectively required to comply with elements of Sarbanes-Oxley.

This is round two of the FTC’s efforts to apply consumer-protection rules to law firms. Round one, resolved in the ABA’s favor in 2003, attempted to include certain law firms within the Gramm-Leach-Bliley Act’s definition of a “financial institution.”

You may recall that, for years following its enactment in 1999 – before the courts rejected the FTC’s definition – large law firms’ email messages contained signature blocks that included the financial institutions’ privacy warnings mandated by Gramm-Leach-Bliley.

What does this mean for e-discovery vendors?

Well, to begin with, according to the FTC (unless, at present, you are a law firm), e-discovery vendors that provide services prior to payment must comply with the Red Flags Rule. The good news: The FTC just extended the deadline for compliance from Nov. 1 to June 1, 2010.

The bad news is that the level of effort that needs to go into Red Flags compliance depends, again according to the FTC, on how complex a business is. Exactly how this test is administered remains bogged down in FTC administrative processes. However, it’s generally agreed that the more “personally identifying information” a business holds, the more “complex” it is for the purposes of the Red Flags Rule.

This is where the situation is problematic for the e-discovery industry. It’s not uncommon for an e-discovery or computer forensics vendor to have control of terabytes of data including personally identifying information such as social security numbers, birthdates, addresses, credit card numbers, bank account numbers and so forth.

For example, in wage and hour class actions alleging underpayment of plaintiffs, e-discovery vendors commonly extract, process and host payroll information – containing all of the personal data described above except for credit cards – for hundreds of thousands of current and former employees. For the purposes of the Red Flags Rule, this would certainly qualify as a “complex” company and require elaborate consumer protection safeguards.

Now, don’t get me wrong. Responsible e-discovery vendors already have many protections in place, including those anticipated by the Red Flags Rule: secure data hosting, physical security, logged access to data and the like. However, I doubt many e-discovery firms have processes in place to alert individuals whose data is hosted in the event of a password compromise or data loss incident. It’s also apparent from first-hand experience that chains of custody are not always managed carefully.

It may not help that e-discovery vendors are not in the consumer business, and therefore have little exposure to identity-theft attempts. The FTC makes it clear that such a test is unimportant in its imposition of consumer-protection regulations.
 
The point is this: As e-discovery matures, vendors and manufacturers will need to do more than structure their products and services to comply with computer and network security best practices. They’ll also have to ensure their products comply with much more esoteric rules and regulations governing organizations that handle private data. Especially private consumer data. The ABA may have bought some time, but the FTC and other organizations are steadfast in their determination to cast as wide a net as possible.

Be on the lookout for Judge Walton’s memorandum opinion sometime this month. The grounds for his decision, which may range from lawyer-specific reasoning to an indictment of the FTC’s entire approach to the definition of a creditor, may shed light on how soon these issues may affect the e-discovery industry.

Eric P. Blank is the founder and managing attorney of Blank Law + Technology PS. His practice focuses on electronic discovery counseling, e-security response planning and implementation, investigations and computer forensics. Mr. Blank has conducted more than 300 investigations into computer and software-related torts and employee misconduct since 2001 and has frequently been a court-appointed special master or neutral in e-discovery matters.
