Here in the 21st century, we in-house lawyers work in a virtual business world made up of electronic data: e-commerce, electronic records, social media sites, hacking, file sharing, e-discovery, etc. Rows of storage racks in data centers and miles of fiber optic cable are our new frontiers, not the wide open plains of the Old West or the humming, smoke-stacked factories of post-World War II. At the same time that we have sailed into this unexplored ocean of electronic data, governments in America and abroad have submerged companies in regulations to a depth heretofore unfathomed.
Companies are generating and storing electronic data, transmitting data, or accessing and processing data from somewhere else, 24 hours a day. Data may be your company's business, or your company may outsource the management of its internal data to other companies. Or both. The electronic data that your company touches may contain many different types of information. Data may be proprietary to your company, or it may be deemed proprietary by someone else and accessed by your company for a fee. Data may be copyrighted. Even if it has no intellectual property value, data may nevertheless be protected by law. These laws are meant to protect the privacy of individuals by imposing duties on companies to safeguard data and not use it without authorization. Data protection laws can impose heavy monetary penalties, and some provide standing for private lawsuits. Your company cannot contractually waive its way out of liability under these laws. In fact, the laws often require your company's contracts to extend the law's reach to others, such as the vendors and subcontractors that handle the data on your behalf.
In my current job, I work for a company that provides information technology and professional services to hospitals and physician groups. Healthcare-related electronic data, specifically protected health information, is governed by the Health Insurance Portability and Accountability Act (HIPAA) and its Privacy and Security Rules. Within the HIPAA regulations, there is an often overlooked concept called "minimum necessary," which requires that uses, disclosures and requests of protected health information be limited to the minimum necessary to accomplish the intended purpose or carry out a function. In practice, that means asking not only whether someone is authorized to see data, but whether they need to see it at all.
I am required to take two opposing views of electronic data in my job. When my company is providing professional services, the consultants work on site at hospitals. For these transactions, I point out to customers during negotiation that our consultants will only be accessing data using the hospital’s own systems and that access is almost exclusively within the control of the hospital. For some consulting projects, after asking the right questions, I find out that the consultants can do their work using dummy data and don’t need to see real patient data.
When providing cloud computing services, on the other hand, my company is asking the hospital to entrust it with their electronic data. Still, I'm looking for ways to minimize our contact with that data. For one of our managed service products, I discovered that while we install the hospital's copy of a well-known hospital software product at our data center, the hospital is solely responsible for uploading patient and hospital administrative data to our data center, and we have no access to the data other than for backup. There is nothing wrong with me pointing out the limits of our service for the purpose of minimizing our exposure to data, as long as my point is in line with the service's standard terms.