
NCC Internet Policies for Audio Conference Information ... · Fenwick & West LLP Silicon Valley...

Date post: 20-Apr-2018
Fenwick & West LLP
Silicon Valley Center
801 California Street
Mountain View, CA 94041
Phone: 650.988.8500
www.fenwick.com

Robert D. Brownstone

NCC Audio Conference
April 22, 2010

Internet Policies for Information-Security and Data Privacy
Legal Compliance and IT Best-Practices

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES. THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE. THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

EIM GROUP

Agenda/Outline

Introduction

I. Key Duties of Every Organization

A. Protecting its Own Proprietary and Sensitive Information

B. Protecting Clients’/Customers’ & Related Entities’ Confidential Info.

C. Protecting Individuals’ Personal Info.

D. Risk-Management as to Liability to Employees and/or to Third-parties

Agenda/Overview

II. Liability Risks & Data Leakage

A. Intentionally Harmful Intentional Disclosures

B. Inadvertently Harmful Intentional Disclosures

C. Unintentional Losses of Sensitive Information

III. Compliance Overview

A. Big Picture – Three E’s

B. Top 10 InfoSec Tips

Conclusion/Questions

I. INTRO – Basics of Legal Defensibility

Internet Security Policy is a piece of a Technology-Acceptable-Use Policy (TAUP) = No-Expectation-of-Privacy Policy (NoEPP)

Many SAMPLES linked off Appendix A

TWO KEYS TO DEFENSIBLE POLICIES:

POLICY CONTENTS

CONSISTENT ENFORCEMENT

I. INTRO – Our Digital World

Modern additional concerns: MANY more ways information can be posted or shared

E-mail volume, persistence, “forwardability,” etc.

Now, MANY other forums; everyone can be a publisher

INTRO – Today’s Heightened Concerns

“37 percent of workers say they could be bought”

Tim Wilson, Many Users Say They'd Sell Company Data For The Right Price, Dark Reading (4/24/09) <www.darkreading.com/shared/printableArticle.jhtml?articleID=217100330>

“41% of workers have already taken sensitive data with them to their new position”

Help Net Security, Workers stealing data for competitive edge (11/23/09) <www.net-security.org/secworld.php?id=8534>

INTRO – Heightened Concerns (c’t’d)

Many company failures and dissolutions of service-providers such as law firms ...

lot more places information (electronic and/or hardcopy) can be left unattended

more info. potentially susceptible to theft and/or loss while in transit or at rest


I. Key Duties – A. Protecting Own Sensitive Info.

IP, incl. Trade Secrets, Work Product, etc.

Proprietary information:

strategic plans

Customer/client lists

Other Sensitive Information


I. Key Duties – B. Other Entities’ Confidential Info.

Friendly entities . . . .

Obligations to a Client Based on:

Obligations Travelling with Transferred Information (regulatory and contractual)

Professional-Responsibility Duties. Exs:

Lawyers

Attorney-Client Privilege

Ethical Duty of Confidentiality

Accountants

Broker-dealers & other financial service pros.

Consultants, etc.


I(B). Other Entities’ Confidential Info. (c’t’d)

Obligations to a Customer (c’t’d):

Some matters even more confidential than others

M&A activity

contemplated or threatened lawsuits

criminal investigations

administrative agency inquiries

information subject to protective order


I(B). Other Entities’ Confidential Info. (c’t’d)

Friendly entities . . . .

As to entity customers and those customers’ entity-customers, parents, subsidiary/ies and joint venturers

All same categories as on prior slides

I(B). Other Entities’ Confidential Info. (c’t’d)

Adverse Entities, under NDA and/or Protective Order

entities on other sides of transactions

litigation opponents

third-party subpoena recipients

I. Key Duties (c’t’d) – C. Individuals’ Info.

WHO? Employees and individual customers of:

own organization

affiliates

adverse parties

WHAT?

all sorts of documents posted on, or transmitted via, web

Exs.: databases’ and spreadsheets’ contents


I(C). Key Duties – Individuals’ PII (c’t’d)

Wrongful acquisition of Personally Identifiable Information (PII) can lead to identity theft

PII legal protections include:

Miscellaneous information:

State constitutional right of privacy

Common-law invasion torts

European Union (EU) Privacy Directive


I(C). Individuals’ PII – Legal Protections (c’t’d)

Personal financial information:

> 40 States’ notice-of-breach and other anti-identity-theft (credit-freeze) statutes <www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx>

Pending federal legislation

H.R. 2221 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111 cong bills&docid=f:h2221rh.txt.pdf

S. 1490 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111 cong bills&docid=f:s1490rs.txt.pdf

I(C). Key Duties – Individuals’ PII (c’t’d)

Personal Health/Medical Information (PHI):

Federal: HIPAA (& HI-TECH)

State Ex.: Cal. AB 1298

Personally identifying information:

FRCP 5.2 (redaction)

Consumer credit report information:

FTC’s Disposal Rule (FACTA; FCRA)


I(C). PII (& PHI) Loss/Theft – Scope of Problem

Statistics on Breaches

See “Chronology of Data Breaches” for 2005-2010 (350M+ records) <www.privacyrights.org/ar/ChronDataBreaches.htm#CP>

85% of large orgs. have had major network security incident

Solera/Trusted-Strategies Study (10/1/09) <www.soleranetworks.com/news/survey-despite-expected-attacks-most-networks-are-unprepared-for-quick-response/>

Each missing record can cost $200+ . . . .

Angela Moscaritolo, Data breaches cost organizations $204 per record in 2009, SC Magazine (1/25/09) (36% of situations from loss of laptop or mobile device) <scmagazineus.com/data-breaches-cost-organizations-204-per-record-in-2009/printarticle/162259/> (linking to <www.encryptionreports.com/2009cdb.html>)

I. D. Risk-Management

© Native Intelligence 2001

Direct claims based on breaches and/or leaks

Third parties’ claims based on bad employee conduct, e.g., postings, copyright infringement via downloads, etc.

Harassment claims by employees or by clients

II. Liability Risks & Data Leakage

A. Intentionally Harmful Disclosures

Direct misuse of IP, trade secrets and/or customer lists to compete with ex-employer

“Whistleblower” leaks, i.e. “Wikileaks”

If content violates a site-use policy or infringes copyright, ask for takedown . . .

If neither but if it harms organization and (ex-) employee will not take it down, . . . then what?

Cf. Fred von Lohmann, Improving DMCA Takedowns at Blogger, Flickr, EFF Commentary (9/29/09) <eff.org/deeplinks/2009/09/improving-dmca-takedowns-blogger-flickr>

II. B. Inadvertently Harmful Intentional Disclosures

Strange Things People Memorialize

E-mail communications generally less formal and thoughtful than other correspondence

"Candid comments" can have significant impact

Can’t go back in time and “terminate” an e-mail

So use best efforts to refrain from writing and from over-saving . . .

"Quick, delete that e-mail before Eliot Spitzer sees it!" (Corante NY 7/29/05)

II(B). Intentional Conduct (c’t’d) –

Now . . . bigger universe of miscellaneous web activities

II(B). Social-Media/Web 2.0 (c’t’d)

Search-ability keeps increasing:

Google Launches Social Search, Info. Week (10/27/09) (“ . . . more likely to find what friends and associates have to say . . .”) <www.informationweek.com/shared/printableArticle.jhtml;jsessionid=X2SFWWL1CJBP3QE1GHOSKH4ATMY32JVN?articleID=220900747>

Twitter in Google, Microsoft licensing talks: report, Reuters (10/8/09) <www.reuters.com/articlePrint?articleId=USTRE5974C420091008>

Scoopler.com – New Real Time Search Engine Aggregates Web 2.0 Content (beSpacific 5/10/09) <www.bespacific.com/mt/archives/021321.html#021321>

II(B). Web 2.0 (c’t’d) – Risk Management

Wonderful for networking/transparency . . . BUT:

“76 percent of companies . . . block employees' use of social networking – up 20 percent from February . . .

“[N]ow a more popular category of sites to block than those involving shopping, weapons, sports or alcohol.”

Tresa Baldas, Companies Say No to Friending or Tweeting, Nat’l. L. J. (10/8/09) (citing recent survey and another survey showing 54% . . . .) <www.law.com/jsp/cc/PubArticleCC.jsp?id=1202434373430>

II(B). Web 2.0 Risks (c’t’d) – Intentional Conduct

One key issue = (ostensible) authority to speak on behalf of city re: work-related matter

Also: Direct misuse of confidential information to harm (ex-)employer

II(B). Web 2.0 (c’t’d) – Twittering . . .

From <http://twitter.com/petehoekstra/statuses/1182334669>:

Rafe Needleman, Congressman twitters secret trip to Iraq (CNET news 2/6/09) <http://news.cnet.com/8301-17939 109-10159054-2.html>

See also <http://GovTwit.com> and President Obama’s New Twitter Feed (NYT 5/1/09)


II(B). Web 2.0 (c’t’d) – “Off-Duty” Posts

Codes of Conduct and Current Employees’ Personal Postings

Public Sector Exs.: – Teachers and Police

Ian Shapira, When Young Teachers Go Wild on the Web; Public Profiles Raise Questions of Propriety and Privacy, Wash. Post (4/28/08) <http://www.washingtonpost.com/wp-dyn/content/article/2008/04/27/AR2008042702213 pf.html>

Michelle Yoffee-Beard, Oviedo officer resigns after online sex ads, photos uncovered, Seminole Chronicle (8/6/08) <www.seminolechronicle.com/vnews/display.v/ART/2008/08/06/489a38bf11c0e>

TO LEARN MORE about a variety of related issues, see Ken Strutin, Criminal Law Resources: Social Networking Online and Criminal Justice, LLRX (2/28/09) <http://www.llrx.com/node/2150/print>

II(B). Damaging Posts (c’t’d) – Confidential Docs.

Web 2.0 posting of link to wrong document in June ‘09:

City check registry posted on web by mayor of Battle Creek, Michigan

Contained personally identifiable information on 65 city employees, including Soc. Sec. No. for 6 of them

Claimed an employee had mistakenly given him the wrong item

Taken down quickly (within a day)

But employees offered free identity protection for 1 year

II(B). Damaging Posts (c’t’d) – Online References

Tresa Baldas, Lawyers warn employers against giving glowing reviews on LinkedIn, Nat’l L. J. (7/6/09) <www.law.com/jsp/nlj/PubArticleNLJ.jsp?id=1202432039774>

II(B). Damaging Posts (c’t’d) – Anonymous Praise

“[Wild] OATS [Markets] has lost their way and no longer has a sense of mission or even a well-thought-out theory of the business. They lack a viable business model . . . .”

“Perhaps the OATS Board will wake up and dump [C.E.O. Perry] Odak and bring in a visionary and highly competent C.E.O.”

“I like [OATS rival Whole Foods Markets Chair and C.E.O. John P.] Mackey’s haircut. I think he looks cute!”

Some of 7 years of postings by Whole Foods co-founder Mackey himself on Yahoo Finance’s bulletin board

II(B). Damaging Posts (c’t’d) – Anonymous Praise

Whole Foods did change its Code of Conduct

Chelsea Peters, Whole Foods, Unwholesome Practices: Will Sock Puppeteers be Held Accountable for Pseudonymous Web Postings?, 5 Shidler J.L. Com. & Tech. 4 (9/23/08) <www.lctjournal.washington.edu/Vol5/A04Peters.html>

Compare this VERY recently adjudicated one

Full decision: SEC v. Curshen, No. 09-1196 (10th Cir. 4/13/10) <www.ca10.uscourts.gov/opinions/09/09-1196.pdf>

Also discussed in Amy E. Bivens, Anonymity of Golf Company Promoter's Online Praise May Have Destroyed Haven for Puffery, BNA Elec. Comm. & L. Rep. (4/13/10)

II. C. Unintentional Losses of Sensitive Information

Unencrypted portable devices and/or removable media lost or stolen: laptops; smartphones; DVD’s & CD’s; and USB sticks, thumb-drives, etc.

Encryption is protective AND typically exempts an incident from the reach of notice-of-breach statutes

Remedial efforts are COSTLY

See Tech//404® Data Loss Cost Calculator <http://www.tech-404.com/calculator.html>

Sites/Networks Attacked/Hacked

Extranets – misuse of access control/rights settings

II(C). Unintentional Losses (c’t’d)

Improper disposal of paper or digital data – enabling “dumpster-diving”

Human error, e.g.: NELI conference hotel PC incident

Commuter Indiscretions, typed and spoken

David Lat, A Funny Thing Happened on the Way to New York (Or: Pillsbury associates, brace yourselves.), Above The Law (2/19/09) <http://abovethelaw.com/2009/02/pillsbury winthrop partner indiscretion.php>

Bob Lewis, Computer security when travelling by train – an expert’s observation, Computer Weekly (10/21/08) <www.computerweekly.com/Articles/ArticlePage.aspx?ArticleID=232765&PrinterFriendly=true>

<http://www.newsfactor.com/story.xhtml?story id=52124>

II(C). Unintentional Losses (c’t’d)

Incoming – Viruses, Worms & Malware, Oh My

Attachments not only potential culprits.

So are:

P2P file-sharing software

malicious links to suspect websites

“phishing” and “whaling” (latter a/k/a “spear-phishing”)


II(C). Unintentional Losses (c’t’d)

Outgoing

“Reply All” OR “suggest name”/“auto-complete”

Dan Slater, Lawyer’s Email Slip-up Leads to Zyprexa Leak, WSJ Law Blog (2/2/08) <http://blogs.wsj.com/law/2008/02/05/report-lawyers-email-slip-up-leads-to-zyprexa-leak/>

E-mailing an attachment to B if attachment contains metadata exposing confidential information about A

Computer unattended and unlocked

IV. Compliance Basics

A. Big Picture of Defensible Policies -- KUMBAYA?!

Clear, well-thought-out language on which multiple constituencies have weighed in . . .

Compliance’s “3 E’s” = Establish/Educate/Enforce

© TOSHIBA


IV(A). Implementing Defensible Policies

See Samples links in Appendix A

NEVER blindly follow a sample

DON’T GO TOO FAR

Right to monitor vs. taking on duty to monitor

Examples: harassing language filter; IM logs

BE REASONABLE/REALISTIC

Incidental/limited personal use exception

Dep’t Of Education v. Choudhri, OATH Index No. 722/06 (N.Y.C. Office Of Admin. T & H 3/9/06) <files.findlaw.com/news.findlaw.com/hdocs/docs/nyc/doechoudri30906opn.pdf>

IV(A). Implementing Defensible Policies

BE CAREFUL WITH:

Attorney-Client Privilege

For split in case law, see Appendix B, §§ I - II

Avoid unauthorized intrusions into employees’ personal Web 2.0 pages, passwords and/or e-mail

Can violate ECPA Title I (Wiretap) or Title II (SCA)

For 3 recent decisions, see Appendix B, § III(A)

IV. B. Top Ten Info-Sec Tips

10. Strong Passwords

Ex. of flawed basic security measure: login and password = e-mail-address + last-name

Andrew Clevenger, Lawyer admits computer breach; [s]pying on firm may cost license, Charleston Gazette (3/2/08) <http://seclists.org/isn/2008/Mar/6>

Lawyers Disciplinary Bd. v. Markins, No. 33256 (W. Va. Sup. Ct. App. 5/23/08) <http://www.state.wv.us/WVSCA/docs/Spring08/33256.pdf>

9. Warn as to “Reply All”

(but see PDA’s and OWA) <www.sperrysoftware.com/outlook/Reply-To-All-Monitor.asp>

IV(B). Top Ten Info-Sec Tips (c’t’d)

8. “Pseudonymised data”

Use apps that replace live Social Security numbers and credit card numbers with “dummy figures”?

Brian Bergstein, Why would sensitive data ever need to be on portable computers? AP (7/7/06) <www.usatoday.com/tech/news/computersecurity/infotheft/2006-07-09-stolen-laptop-data x.htm?csp=34>

7. Central vs. Local Storage

Firewall and password protection for:

Document Management System (DMS)

Shared network drives

Illustration by Keith Simmons

IV(B). Top Ten Info-Sec Tips (c’t’d)

6. Screen Saver Settings:

IV(B). Top Ten Info-Sec Tips (c’t’d)

5. Mobile/Portable Devices/Media

Laptops

Encrypt

Ex: <www.guardianedge.com/shared/Case Study Fenwick West.pdf>

Impose some responsibility on individuals

http://web.archive.org/web/20061016130614/http://www.pcguardian.com/pdfs/computertheftpolicy 082003.rtf (sample “computer theft” policy)

USB sticks, et al.

Great for transferring data quickly

Many legitimate uses

But, unless use DRM . . .

IV(B). Top Ten Info-Sec Tips (c’t’d)

4. Proper Disposal

Remember it’s an administrative issue, too

Manage entire data life cycle, including recycling, donating and throwing away

Securely shred hard-drives & back-up tapes

Periodic auditing needed, too . . . .

IV(B). Top Ten Info-Sec Tips (c’t’d)

3. Internet Access

Location, Location, Location

public computer (in a hotel lobby or a café)

PC at your friend’s or relative’s house

Don’ts:

save file to Desktop or My Documents

leave computer with logged-in browser session open to:

work e-mail or personal webmail e-mail Inbox

a secure extranet site

allow browser to save login/password

IV(B). Top Ten Info-Sec Tips (c’t’d)

2. Outsourcing

Reasonable care . . . careful contract drafting . . . synch protocols . . .

Especially important given emergence of:

“Cloud”

Electronic PHR era

1. Metadata Scrubbing & Electronic Redaction

Let’s be careful out there . . .

Conclusion/Questions

Q+A

Robert D. Brownstone <fenwick.com/attorneys/4.2.1.asp?aid=544>

650.335.7912 or <[email protected]>

Please visit F&W EIM & Privacy Groups

<www.fenwick.com/services/2.23.0.asp?s=1055>

<www.fenwick.com/services/2.14.0.asp?s=1045>

APPENDIX A -- Brownstone – Materials & Resources – SAMPLE TECHNOLOGY-ACCEPTABLE-USE POLICIES (“TAUP’s”) – @ 3/21/10

• Generic TAUP’s – Samples appended to 8/28/09 NELI White Paper:

o Pages D-1 through D-17 (.pdf pp. 142-58) (blogging policy should be expanded to cover all Web 2.0 sites)

<http://fenwick.com/docstore/publications/EIM/eWorkplace Policies Materials Public Sector EEO 8-28-09.pdf#page=142>

• Web-2.0/Social-Media Policies – Non-Fenwick-Drafted Generic Samples:

o <http://op.bna.com/pl.nsf/id/dapn-7vak72/$File/AP.pdf>

o <http://socialmediagovernance.com/policies.php>

o <http://mashable.com/2009/04/28/facebook-privacy-settings>

o <www.records.ncdcr.gov/guides/best practices socialmedia usage 20091217.pdf>

o <http://Utah-Guidelines-10-12-09.notlong.com>

o <www.law.com/jsp/ca/PubArticleFriendlyCA.jsp?id=1202431342723>, linking to sample:

▪ <www.jaffeassociates.com/pages/articles/view.php?article id=330>; OR

▪ <http://jaffeassociates.com/uploads/userfiles/file/Social.pdf>

o <http://www.lehrmiddlebrooks.com/SocialMedia.html>

o <www.epolicyinstitute.com/bin/loadpage.cgi?1254863981+forms/index.asp> ($99)

o <www.messagelabs.com/white papers/epolicy form> (free registration)

• Related Helpful Resources

o <http://www.records.ncdcr.gov/>

o <www.pbpexecutivereports.com/er.asp?O=13P&L=NetH> ($99)

o <www.law.com/jsp/cc/PubArticleCC.jsp?id=1202428377614>

o <www.delawareemploymentlawblog.com/technology/the internet as a hiring tool/>


APPENDIX B -- Brownstone <[email protected]> eWorkplace Privacy – Decisions and Articles re: Attorney-Client Privilege, etc. (4/1/10)


I. Attorney-Client Privilege Decisions

• Stengart v. Loving Care Agency, Inc., ___ A.2d ___, 2010 WL 1189458 (N.J. 3/30/10) <http://www.judiciary.state.nj.us/opinions/supreme/A1609StengartvLovingCareAgency.pdf>

o affirming and modifying 408 N. J. Super. 54, 973 A.2d 390, 393, 106 Fair Empl. Prac. Cas. (BNA) 1177, 158 Lab. Cas. ¶ 60,829, 29 IER Cases 588 (N.J. App. Div. 6/26/09) (“[f]inding that the policies undergirding the attorney-client privilege substantially outweigh the employer's interest in enforcement of its unilaterally imposed regulation, we reject the employer's claimed right to rummage through and retain the employee's emails to her attorney”) <lawlibrary.rutgers.edu/decisions/appellate/a3506-08.opn.html>

reversing 2009 WL 798044 (N.J. Super. L. Div. 2/5/09), available at <privacyblog.littler.com/uploads/file/Stengart%20v%20Loving%20Care.pdf>

• Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866, 2009 WL 3669741 (D. Idaho 11/2/09) (pro-employer/subpoena recipient; e-mails to and from lawyer as opposed to cc’s to lawyer; FHA case) <http://www.steptoe.com/assets/attachments/3958.pdf>

• Fiber Materials, Inc. v. Subilia, 974 A.2d 918 (Me. 7/16/09) (split between pro-employee majority and pro-employer concurring opinions) <courts.state.me.us/court info/opinions/2009%20documents/09me71fi.pdf>

• Scott v. Beth Israel Medical Ctr., 17 N.Y. Misc. 3d 934, 2007 N.Y. Slip Op. 27429 (N.Y. Sup. N.Y. 10/17/07) (distinguishing Jiang, in employment breach of contract action; finding Plaintiff's communications with attorney regarding litigation, transmitted over Defendant's email system, not protected by attorney-client privilege or work-product, in light of "no personal use" e-mail policy combined with stated policy allowing for employer monitoring) <http://www.nycourts.gov/reporter/3dseries/2007/2007 27429.htm>

• Sims v. Lakeside School, 2007 WL 2745367, 2007 U.S. Dist. LEXIS 69568 (W.D. Wash. 9/20/07) (“unequivocally clear [contents of] policy on computer networks” partially trumped by “public policy” such that employer “not permitted to review any web-based [sic] generated e-mails, or materials created by plaintiff . . . to communicate with his counsel or his wife”) <jenner.com/files/tbl s69NewsDocumentOrder/FileUpload500/3492/Sims%20v.%20Lakeside%20School.pdf>

• Long v. Marubeni America Corp., 2006 WL 2998671, at *1, *3 (S.D.N.Y. 10/19/06) (where temporary internet files contained “residual images of e-mail messages” sent by employees to their attorney via private e-mail accounts, policy’s “admonishment to . . . employees that they would not enjoy privacy when using [their employer]'s computers or automated systems is clear and unambiguous[; P]laintiffs disregarded the admonishment voluntarily and, as a consequence, have stripped from the e-mail messages . . . the confidential cloak”) <http://wolfs2cents.files.wordpress.com/2007/03/usdc-sdny long v marubeni2006usdistlex76594 19oct.pdf>

• Nat'l Econ. Research Assocs. (NERA) v. Evans, 21 Mass. L. Rep. 337, 2006 WL 2440008, 2006 Mass. Super. LEXIS 371 (Mass. Super. Ct. 8/3/06) (“if an employer wishes to read an employee's attorney-client communications unintentionally stored in a temporary file on a company-owned computer that were made via a private, password-protected e-mail account accessed through the Internet, not the company's Intranet, the employer must plainly communicate to the employee that: (1) all such e-mails are stored on the hard disk of the company's computer in a "screen shot" temporary file; and (2) the company expressly reserves the right to retrieve those temporary files and read them.”) <http://www.gesmer.com/upload/download.php?id files=65>


I. Attorney-Client Privilege Decisions (c’t’d)

• Curto v. Medical World Communics., Inc., 2006 WL 1318387, 99 Fair Empl. Prac. Cas. (BNA) 298 (E.D.N.Y. 5/15/06) (ex-employee had not waived privilege or work product immunity as to information recovered forensically from work-at-home laptop provided by employer) <www.internetlibrary.com/pdf/curto.pdf> (distinguishing U.S. v. Simons, 206 F.3d 392 (4th Cir. 2000))

• Jiang, People v., 31 Cal. Rptr. 3d 227 (Cal App. 6 Dist. 7/14/05) (unpublished decision holding that attorney-client privilege covered documents on employer-issued laptop where employee had “made substantial efforts to protect the documents from disclosure by password-protecting them and segregating them in a clearly marked and designated folder”) <http://caselaw.lp.findlaw.com/data2/californiastatecases/H026546.PDF>

• Asia Global Crossing, Ltd., In re, 322 B.R. 247, 251, 259 (Bankr. S.D.N.Y. 3/21/05) (“[a]ssuming a communication is otherwise privileged, the use of the company’s e-mail system does not, without more, destroy the privilege; however, no waiver of attorney-client privilege because “evidence [wa]s equivocal regarding the existence or notice of corporate policies”) <http://www.internetlibrary.com/pdf/In-re-Asia-Global-Crossing-SD-NY-Bankruptcy.pdf>

II. Attorney-Client Privilege Articles

• Michael Booth, Privilege Trumps Company E-Mail Surveillance, N.J.L.J. (4/1/10) <http://www.law.com/jsp/nj/PubArticleNJ.jsp?id=1202447264728>

• Anthony E. Davis, Attorney-Client Privilege in Work E-Mails, N.Y.L.J. (11/5/09) <http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202435191463>

• Fernando M. Pinguelo and Andrew K. Taylor, New Jersey Court Finds Waiver of Privilege in ‘Loving’ Way, Fios (4/14/09) <http://Fios-Stengart.notlong.com>

• Philip L. Gordon and Kate H. Bally, Web-Based E-mail Accounts Accessed At Work: Private Or Not? Look To The Handbook, Littler Workplace Privacy Counsel (3/24/09) <http://Gordon-Bally-Littler.notlong.com>

• Mary Pat Gallagher, E-Mail Sent on Company Laptop Waives Privilege, N.J.L.J. (3/10/09) <http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202428912956&rss=ltn>

• Michael F. Urbanski and Timothy E. Kirtner, Employee Use of Company Computers – A Privilege Waiver Mine Field, 57 Va. Lawyer 40 (2/1/09) <http://www.vsb.org/docs/valawyermagazine/vl0209 computers.pdf>

• Cecil Lynn, Public ESI or Privileged? Enforcement of Workplace Computer Privacy Policies, BNA Privacy & Security Law Report (11/17/08) (as does Robert Brownstone, this author calls them “ ‘No Expectation of Privacy’ – ‘NEoP’ – policies,” too) (subscription needed) <http://news.bna.com/pvln/PVLNWB/split display.adp?fedfid=11020416&vname=pvlrnotallissues&fn=11020416&jd=A0B7H5F8A2&split=0>

• Herrington, Matthew J. and Gordon, William T., Are You at Risk of Waiving the Attorney-Client Privilege by Using Your Employer's Computer Systems to Communicate With a Personal Attorney?, 7 BNA Privacy & Security Law Report No. 18, at 685 (5/5/08) <http://pubs.bna.com/ip/bna/pvl.nsf/eh/a0b6k4w6m5>

• Talcott, Kelly D., “Cutting Out Privacy in the Office,” N.Y.L.J. (12/19/07) <http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1198010085253>

• Bick, Jonathan, “E-Communications Policy: Getting It Right,” E-Commerce Law & Strategy (Oct. 12, 2006) <http://www.bicklaw.com/Publications/E-ComPol.htm>


III. More Privacy Decisions in Other Contexts re: Laptop or Desktop Contents:

• A. ECPA decisions re: employer obtaining password and accessing private webmail account or Web 2.0 page:

o Pietrylo v. Hillstone Rest. Group d/b/a Houston's, 2009 WL 3128420 (D. N.J. 9/25/09) (MySpace group page; SCA violation; punitive damages) <http://www.employerlawreport.com/uploads/file/Opinion%209-25-09.pdf>

o Brahmana v. Lembo, 2009 WL 1424438 (N.D. Cal. 5/20/09) (key-logging to obtain login/password to personal e-mail account; Wiretap Act claim survives motion to dismiss) <http://op.bna.com/pl.nsf/id/dapn-7sfhhx/$File/brahmana.pdf>

o Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (9th Cir. 3/18/09) (personal e-mail account accessed as part of defense of sexual harassment claim; SCA violation; punitive damages) <http://pacer.ca4.uscourts.gov/opinion.pdf/071892.P.pdf>

• B. Employee Laptop/Desktop Decisions in Other Contexts:

o 1. Various decisions compiled at these footnotes & accompanying text

Robert D. Brownstone, Workplace Privacy Policies, Nat’l Emp. L. Inst. (NELI) (Aug. 2009) <fenwick.com/docstore/publications/EIM/eWorkplace Policies Materials Public Sector EEO 8-28-09.pdf> (more recent, shorter version available from author on request):

footnote 60 @ .pdf p. 20 (White Paper p. 14); footnotes 305-09 @ .pdf pp. 75-77 (White Paper pp. 69-71); and footnote 325 @ .pdf p. 79 (White Paper p. 73)

o 2. Various decisions compiled at these pages

Robert D. Brownstone, Preserve or Perish; Destroy or Drown – eDiscovery Morphs Into EIM, 8 N.C.J. L. & Tech. (N.C. JOLT), No. 1, at 1 (Fall 2006) <http://jolt.unc.edu/sites/default/files/8 nc jl tech 1.pdf>

2006 L. Rev. article, at pp. 32-33 <http://jolt.unc.edu/sites/default/files/8 nc jl tech 1.pdf#page=32>

2007 Supp., at p. 8 <fenwick.com/docstore/publications/EIM/NC JOLT eDiscovery Supplement.pdf#page=8>

o 3. Overbreadth of discovery via forensics

Bennett v. Martin, 2009-Ohio-6195, 2009 WL 4048111 (10th App. Dist. 11/24/09) <http://www.supremecourt.ohio.gov/rod/docs/pdf/10/2009/2009-ohio-6195.pdf>

Cornwall v. Northern Ohio Surgical Ctr., Ltd., 2009-Ohio-6975, 2009 WL 5174172 (6th App. Dist. 12/31/09) <www.supremecourt.ohio.gov/rod/docs/pdf/6/2009/2009-ohio-6975.pdf>

In re Weekley Homes L.P., 295 S.W. 3d 309 (Tex. 8/28/09) (conclusory assertions as to hoped-for circumstantial evidence insufficient to warrant capture of four hard disc images) <www.supreme.courts.state.tx.us/historical/2009/aug/080836.pdf>

John B. v. Goetz, 2008 WL 2520487, 2008 U.S. App. LEXIS 13459 (6th Cir. 6/26/08) (vacating district court order that had required forensic captures of > 50 computers’ hard drives, based in part on privacy/confidentiality concerns) <www.ca6.uscourts.gov/opinions.pdf/08a0226p-06.pdf>

Full Brownstone Bibliography at <fenwick.com/attorneys/4.2.1.asp?aid=544>

