Beagle Research Group, LLC

Insight + Advice + Results


Cameron Shilling


Thought Leader on Data Privacy

 

Cameron G. Shilling is a partner at McLane, Graf, Raulerson & Middleton and leads McLane’s Privacy and Data Security Group.

Shilling comes from a background of handling technology, business litigation, and employment matters.  His expertise in data security includes managing security audits, preparing and implementing written data security policies, addressing day-to-day security issues, and investigating and remediating data security breaches.   Shilling’s expertise in data privacy matters includes creating and implementing information security policies, advising employers with respect to workplace privacy, advising clients with respect to social media, advising companies with respect to customer and consumer privacy, and handling claims against companies for invasion of data privacy.

When Shilling offered to tell us about data privacy at a breakfast seminar, we were all ears. This interview was a follow-up to that meeting. His direct dial is 603-628-1351.

 

Denis Pombriant: Is everything on the Internet fair game for corporations to search through? I thought it was. What's the issue?

Cameron Shilling: No, definitely not. I know just from being in this business that there's been a huge explosion of data on the Internet, particularly the last five years. Not just email, which has been big for over a decade, but social media and other forms of two-way communications.

So, there's been an explosion of data, but there has not been a corresponding explosion of rules and regulations on what you can do with data, what type of data is private, and how to deal with the security of data. So, we as lawyers, and businesses too, are dealing with a relative shortage of guidelines that tell us how businesses can behave.    

But, there are a couple of very significant guideposts in the area. One of which is the Stored Communications Act. I'll give you a little bit of background here. The federal legislature in the mid '80s decided that this electronic world that we're entering into needed to have some regulation. So, the Congress passed a bill that extended the Wiretap Statute to electronic communications, and that's called the Electronic Communication Privacy Act.

In doing so, Congress realized that, if they protected only electronic communications, there'd be this huge gap of privacy accorded to data that's not in transit; in other words, stored data. So, in addition to extending the Wiretap Statute to electronic communications, they created this other law called the Stored Communications Act, which protects data that is stored in certain types of computer systems.

That law applies to the Internet. For example, a place like Facebook, a blog database, and other types of repositories of information out there on the Internet are protected computer facilities under the Stored Communications Act. For instance, data maintained by Gmail, Yahoo, and any of those types of web mail providers is considered a protected computer facility.

So, there are huge amounts of data out there on the Internet that can't be appropriately accessed or disclosed “without authorization.” Those are the key words under the Stored Communications Act – a person cannot, without authorization, access data in a protected computer facility.

Does that make sense so far?

DP: So far it does.

CS: That is deep background. So, how do we know when something on the Internet is okay to look at and when it's not? Largely, anything that any search engine – Google, Yahoo, MSN, any other search engine – can hit is in the public domain. Search engines have access to things that are not access restricted. So, if Google can get it, it's public information, and there's no privacy that is afforded to that information, whether under the Stored Communications Act or any other law.

But, there's a lot of data on the Internet that is subject to privacy restrictions or conditions. For instance, on Facebook you can allow certain people to be your friends and only those people have access to certain information on your Facebook page. You might set different levels of privacy for your friends, and different people may have access to different types of information. The same thing holds true for other media, like blogs, Flickr. However, that doesn't hold true for certain other types of social media. For example, there is very little privacy for anything on LinkedIn, Twitter, and YouTube. So, the short answer to your question is yes, there is information available on the Internet that is privacy protected.

DP: Interesting. Let me ask you this. Are you familiar with products like Chatter or Yammer? Chatter from Salesforce.com and Yammer from a company called "Yammer."

CS: I am not.

DP: Okay. This is squirrely because each of these products positions themselves as a social network for the Enterprise, so, it's like Facebook, but it's primarily used within the Enterprise. And recently, one of the companies, Salesforce, decided it would open it up to customers of the Enterprise, too, so you could have this back and forth dialogue, if you will, between the Enterprise and its customers.

Okay. So, there's that level. Now, each of these products is a software as a service product, meaning that a third party vendor — in this one case, Salesforce — would actually store and control the data used in this Facebook-like intramural conversation.

What does the Stored Communications Act, do you think, have to say about that kind of storage and access?

CS: Data stored by a third party service provider is covered by the Stored Communications Act. So, there would absolutely be a prohibition against someone hacking into that data or, for instance, an employee of Yammer or Chatter [Salesforce], making unauthorized disclosure of that data. There probably is a right on behalf of whatever company is operating this CRM module to gather that data, but not necessarily.

For instance, if an employee of a company using Salesforce.com is having conversations with another employee or a customer or prospective customer, and that data gets stored on a third party server, it's not entirely clear to me that the employer has the unfettered ability to get at that data.

There was a U.S. Supreme Court case recently called City of Ontario v. Quon in which the judges debated and came to different conclusions about whether or not an employer, which happened to be a city in that case, had the right under the Stored Communications Act to obtain text messages from the third party service provider that were communicated on city-owned pagers by employees during work hours. So, it's certain that data in Chatter or Yammer — whether it's held by the third party service provider or the employer — is covered by the Stored Communications Act. It's going to be protected from hacking and otherwise.

The companies that store this data, whether it's a third party service provider or the employer, have data security or should have data security measures that prevent hacking or otherwise unauthorized disclosure of that information. That also may be incorporated into those platforms.

DP: Right. Exactly. And, the employers, the enterprises, that employ these technologies, do it to give everybody in the organization access to the latest thinking or inventions or whatever of their employees so that they can share all of that.

CS: It's never the legitimate use that you really worry about, because by and large, no one cares about the privacy of business related communications. It's always the stuff that shouldn't have been communicated in the medium that gets you into trouble.

DP: Okay. Let me ask you a related question. Do users of these collaboration solutions have any responsibility to preserve records?

CS: The answer is they might. There are a variety of different reasons why an entity would be obligated to preserve electronic data. A couple of the biggies are, if someone is a financial investment company, or a financial advisor, and these communications have anything to do with their trading activity, then, SEC regulations require that all sorts of communications be preserved for a certain period of time. There are other regulatory schemes that require preservation of these types of communications.

There are other reasons why you would just want to do that as well. For instance, if a medical provider ever used this type of program, there may be reasons why you either have to or want to preserve.

Then the other biggie on preservation is for litigation. If litigation is reasonably foreseeable — and those are the legal words — if businesses can reasonably see that litigation may occur and that the data that is sitting on the system might be discoverable in the litigation, then you've got to preserve it.

DP: So, I'm not asking you to endorse any product or strategy, but it would seem to me that an organization that can offload the responsibility for that storage and preservation would have a far easier time than trying to take care of that all in-house.

CS: Perhaps. There could be reasons to offload it, and there could be reasons to keep it in-house. I can see for some companies that are small particularly, and don't have an established IT structure, then outsourcing might be a really good option. I'd say anybody who outsources — big or small company — needs to ensure a couple of things about the person they hire to do that. They need to ensure, number one, that the person has appropriate data security measures in place. And, I'm cognizant that if you're in Massachusetts and I practice in Massachusetts, then you probably are aware that Massachusetts has some of the strictest regulations on data security measures.

One of those requirements is that, if third party service providers are holding covered data, you must ensure that they have adequate data security measures in place. The company hiring the third party service provider has a legal obligation to conduct due diligence and obtain contractual assurances that the third party service provider has appropriate data security measures in place. So, that's the number one thing you want to ensure.

The other thing is you want to ensure that if you're going to outsource this, that you have some ability to control the way the third party service provider holds your data, preserves your data, gives you access to the data, that type of stuff.

On the other hand, there are companies — some of them big; some of them medium-sized; some of them small — that have the capability in-house to manage their own data, from a security perspective and from a preservation perspective. If you can do it, and you know you're going to need routine access to the data, managing it in-house might be a better solution. I think you could go either way, just depending on what your business's needs are.

DP: That's very interesting. I'm out of questions. Thanks for taking the time to enlighten us.

CS: My pleasure.

 

Last Updated on Monday, 10 October 2011 10:37  
