By Eric D. Morton
Data is in the news this year. New data privacy laws are coming into effect in California and other states. More companies are doing business overseas and must contend with foreign data laws. However, a more practical and immediate concern for businesses is where is their data?
What is data and why is it important?
For the purposes of this article, data is information. It can be emails, trade secrets, customer lists, minutes of the board of directors meetings, consumer information, etc. Any information that can be useful to a company or that would be harmful to a company if it were obtained by unauthorized persons. The harm to the business can be damage to its bottom line or it can be legal damage for due to a leak of consumer information, commonly known as a data breach.
Knowing where your information is located is important for a few reasons. Your data may contain consumer information. Consumer information that is covered by the California Consumer Protection Act (“CCPA”), which will go into effect in January 2020, must be protected. Consumer information must also be produced in certain circumstances under the CCPA.
Speaking of production, if you are involved in litigation (and we hope not!), you will be required to produce all written information regarding the subject of the lawsuit. Such a production will include all electronically stored communications and data. If you don’t know where your information is stored, then you might be subject to court ordered sanctions for failing to produce. Furthermore, you might also fail to find documents and data useful to your case, or you might be surprised by documents, emails and texts that the other side found but you didn’t.
Types of information
The types of information that may be important to a business can take many forms. Electronically stored information includes, audio recordings, databases, voicemails, word processing documents, .pdf and .xps files, chats, blogs, geolocation data, social media posts, internet activity, logs, software code, email, video, presentations, telephone records, text messages, images, etc. All of these may contain sensitive information such a consumer information, documents relevant to litigation, or proprietary information and trade secrets.
Where can information be stored
Sensitive information can be stored in numerous places. Computer hard drives, local backup, network drives, cloud backups, cloud computing sites, cameras, printers, digital cameras, tablets, thumb drives, discs, etc. A major problem is information on personal devices such as laptops and smart phones. Those can’t be controlled by a company or its officers.
What to do?
- Inventory. Start by asking: What sensitive information does our company have? What proprietary information do we want to protect? What consumer information are we obligated to protect? Where do we store information about our business transactions?
- Where is the information. Once a company understands what sensitive information is has and generates, it needs to discover where the information is stored. In addition to computers and servers, information may be stored in personal laptops, smart phones and other unofficial places. Companies are sometimes surprised to find that sensitive information is sometimes scattered in a variety of places. The only effective way to find out is to ask. Ask employees and contractors how and where do they work on company matters and in what way.
- Information policies. Develop policies that ensure that information can be found and is adequately protected. Discourage or prohibit the use of personal devices. We recommend that companies insist that written communications regarding company business be done in email on an official company email account. Discourage extensive use of text messaging. If employees balk, point out to them that their smart phones will be subject to subpoena and all their texts might be reviewed by a forensic analyst. Enforce policies that ensure that really sensitive information and data is only stored in certain, secure places under the company’s control.
- Security. Among a company’s policies must include strict rules for the storage and use of sensitive information. Trade secrets and other company confidential information must be carefully handled. Storage and use of consumer information must comply with the law.
Data is becoming more important and more regulated. Businesses must be aware of the data that they have, how it is used, and where it is stored. Business owners will want to consult with an attorney regarding compliance with the CCPA and guidance in safeguarding trade secrets and other confidential information.
Eric D. Morton, is the principal attorney of Clear Sky Law Group. He can be reached concerning data, privacy, business, and intellectual property matters at firstname.lastname@example.org, 760-722-6582, or 510-556-0367.