Protect your business records on the Internet

Most readers of this online column conduct business extensively over the Internet. Customers are contacted, contracts are negotiated, transaction records are stored, and employees are hired, fired and promoted all via electronic communications on the web.

Brad Stoll
Brad Stoll

Order histories, credit card numbers, and employee records are private information that is being readily shared and, more importantly, stored, on the web with the click of a mouse. This widespread use of the Internet can inadvertently result in more private data being subject to government investigations. Businesses should take care to ensure that private information is not inadvertently released.

Even courts have started to recognize this trend. In a 2010 federal court case filed in Cincinnati, the judge noted that “the telephone call and the letter have waned in importance, and an explosion of Internet-based communications has taken place. People are now able to send sensitive and intimate information, instantaneously, to friends, family, and colleagues half a world away. By obtaining access to someone’s email, government agents gain the ability to peer deeply into his activities.”

As more and more business data is transmitted and stored in “the cloud,” companies should be aware that different types of data receive different types of protections from government requests. The more places a business’s data ends up, the more places it is susceptible to government review. Companies that are concerned about the privacy of their proprietary data may benefit from a review of their online practices and policies.

Generally speaking, there are three major categories of digital communications. Each receives a different level of protection from government requests:

  • 1. Emails, Facebook messages, and Twitter direct messages are all “protected” communications and require a court order before being disclosed. This protection includes the to-and-from portions of the message, not just the actual content of the email or message. By virtue of the federal statute that governs these types of communications, this standard applies to all communications that take place over the Internet.
  • 2. Text messages, however, are less protected. Cell phone companies like AT&T have stated that the sender and recipient of text messages can be disclosed with a mere subpoena, no court order is required. Courts have held that this sort of information is similar to pen registers, which allow the government to determine what numbers are being called on a particular phone line without listening to the phone conversations, and should therefore be governed by the same standard.
  • 3. Content stored in a cloud on services like Dropbox, Evernote or Google Docs is accessible only with a court order. However, the court order is not difficult to obtain. It does require notice to the content owner, so the government cannot examine your content without your knowledge.

The possibility that any sensitive data might be susceptible to government scrutiny should concern any business, not because businesses are doing anything wrong or illegal, but because there is no reason to subject your data or your customers’ data to unnecessary government review, and to subject the business to the time and expense of a government investigation.

To make it less likely that private information slips into the wrong hands, review the data security policies of all the Internet services your business uses.

  • 1. Do the policies clearly spell out the situations in which your data will be disclosed?
  •  2. Do the data policies provide you notice before data is disclosed?
  • 3. Are you able to remove or delete old information from the service to ensure it isn’t disclosed?
  • 4. What happens if there are changes in the law? Are you able to remove your data?

Compare the answers to these questions to the level of your data privacy to determine whether you are comfortable with the privacy protections your service providers offer, and consider whether other service providers might be better suited to your needs.

If services don’t provide the protections you need, consider taking steps to ensure that your business records aren’t transmitted on these services by your employees. It may also be necessary to update the contracts you sign with your clients to account for the possibility that their data might be subject to government review.

Considering these privacy matters now (before they become an emergency) helps to ensure that the data and communications you wish to keep private remain so. More importantly, it ensures that your clients and customers can have as much confidence as possible that the private information they give your businesses will be kept safe from unnecessary scrutiny.