Invasions of Computer Privacy
By Michael K. McChrystal, William C. Gleisner III, and
Michael J. Kuborn
In the Information Age, the issue of privacy is being discussed with
more passion than ever before. Americans have always cherished their
privacy, perhaps because we also have respected the power of
information. What the Information Age has changed is the ease with which
information can be gathered and stored and then used to threaten
privacy. As collectors, purveyors, and repositories of information,
lawyers need to know the general lay of the land concerning computer
privacy law. Just as importantly, we need to advise our clients about
the law as it relates to protecting and gathering information.
Possessors vs. subjects of information
The law provides one set of
protections for possessors of computerized information and a different
set for the subjects of the information and ne'er the twain shall
meet. |
One crucial point must be recognized at the outset: The law provides
one set of protections for possessors of computerized information and a
different set of protections for the subjects of the information. This
distinction is important because much of the information about ourselves
that we rightly regard as most private is stored in the computers of
others, such as lawyers, doctors, employers, insurers, financial
institutions, government agencies, friends, and coworkers.
With respect to possessors, computer information receives expansive
statutory protection in Wisconsin. It is a crime knowingly to access,
modify, or destroy computer data, programs, or supporting documentation
without authorization.1 In a sense, this
provides a wildly expansive form of privacy protection specific to the
computer as a medium. Imagine similar privacy protection being afforded
paper documents such that it would be a crime "willfully, knowingly, and
without authorization" to "access" a piece of paper containing data of
any kind.2 One would have to be very careful
in picking up someone else's newspaper.
Notwithstanding the sweep of Wisconsin's computer
crimes statute, the extent of computer privacy remains very much in
doubt. Although the statutory language is sweeping, it may be so
sweeping as to be unenforceable and, in some respects, unreliable as a
method of protecting privacy. Moreover, while the statute creates
computer privacy rights, it is unclear whether it provides a private
remedy when those rights are violated. The statute does not, in its own
terms, establish a private cause of action for a violation, and no
reported Wisconsin decision directly addresses the issue. On the other
hand, the statute does define data as property, and tort law typically
provides a remedy for intentional, nonconsensual, and harmful
interference with another's property.3
The statute is most limited, however, in that its protection seems to
run only to the owner or possessor of the data, computer, or program.
While data may be property and protectible as such, data about
me often will not be my property. This is because the computer
crimes statute appears to protect the possessors of data, and
not necessarily the subjects of the data.
It should be emphasized that the subjects of computer information do
receive protection in varied branches of the law. Duties of
confidentiality can arise by statute or contractual agreement or by
virtue of a professional relationship, so that some possessors of
information owe a duty to some subjects of the information they possess.
In many circumstances, tort remedies may be available in addition to any
breach of contract remedy.
A recent federal district court decision in Missouri4 provides a good compendium of the issues that can
arise. In that case, two lawyers left a law firm in which they had
participated in the defense of Chrysler Corp. against class actions
alleging certain defects in Chrysler vehicles. Before leaving the firm,
the lawyers copied various computer files relating to the actions
against Chrysler, allegedly in violation of a state computer crimes
statute similar to the one in Wisconsin.5
The lawyers thereafter were involved in a class action against Chrysler
alleging defects different from those alleged in the cases that they had
helped defend. Chrysler brought suit against the lawyers for breach of
the fiduciary duties of loyalty and confidentiality, violation of the
computer "tampering" statute (which specifically allowed a private
action for damages),6 and breach of written
confidentiality agreements. The court found that triable issues existed
as to all such claims.
Persons who provide professional services and who elicit private
information to do so usually have a duty to protect the confidentiality
of the information they receive. In fields such as health care and
financial services, state and federal statutes and regulations elaborate
these duties. Privacy duties also may arise by contract. For example,
many Web sites announce privacy policies that may contractually bind the
site's sponsor if a transaction is entered into and the protections
promised by the policy aren't delivered.
If someone intentionally steals corporate or business secrets over
the Internet, a host of federal criminal and civil laws also come into
play. These remedies are rather comprehensively cataloged in a recent
article.7 Assuming the culprits can be
identified, criminal remedial responses might include prosecution
pursuant to:
a) the Economic
Espionage Act of 1996, 18
U.S.C. § 670;
b) the National Stolen
Property Act, 18 U.S.C. § 2311, et seq.;
c) the Wire
Fraud Act, 18 U.S.C. § 1343, et seq.;
d) the Intercepted Wire
& Electronic Communications Act, 18 U.S.C. § 2510-1521;
e) the Stored Wire &
Electronic Communications Act, 18 U.S.C. § 2701-2711; or
f) the Computer Fraud
and Abuse Act, 18 U.S.C. § 1030.8
Civil remedies might include an action:
a) for the intentional and wrongful copying or control of trade
secrets;
b) for Civil RICO,
18 U.S.C. § 1964 (a); and
c) under theIntercepted Wire
& Electronic Communications Act, the Stored Wire &
Electronic Communications Act, and the Computer Fraud
and Abuse Act.9
Michael McChrystal, top, Marquette 1975, is a professor of law at the
Marquette University Law School.
William Gleisner, middle, Marquette 1974, both a practicing attorney
and computer consultant, maintains a law firm-based litigation support
service bureau in Milwaukee.
Michael Kuborn, bottom, Marquette 1998, is with Olsen, Kloet,
Gundersen & Conway, and is trained in computer recovery and computer
search and seizure techniques. Products and services mentioned in this
article should not be construed as an endorsement.
|
As you can see, computer privacy can be thought of as involving two
separate spheres. The first sphere is the protection afforded to one's
own computer, programs, and data. The other sphere is the subject's
protection from wrongful transfer of private computer information by a
possessor of that information, usually a service provider.
It is clear that wrongful disclosure of private information may be
actionable by the subject of that information (for example, a client, a
patient, or in some cases, a customer). It is less clear that the
subject of private information has an action against one who wrongly
acquires the information from a third party. Suppose, for example, that
a hacker unlawfully accesses my file on my lawyer's computer system. If
my lawyer failed to use reasonable care to protect the information, I
may have a claim against the lawyer. But do I have rights against the
hacker?
In Wisconsin, the right of privacy statute,10 which generally comports with the invasion of
privacy torts recognized in the Restatement (Second) of Torts,11 provides the starting point for analysis. With
respect to computer privacy, the statute raises at least two important
(and quite separate) questions:
1) Does an invasion of computer privacy involve intrusion "in a place
that a reasonable person would consider private" or "in a manner which
is actionable for trespass"? It is not a great stretch to consider that
computers are places that occupy physical space and so a computer is a
"place that a reasonable person would consider private." It also seems
plausible to conclude that unauthorized access to a computer is a
trespass in the nature of trespass to chattel. While these views may not
have formed part of the legislative intent behind the statute, the
statute directs that it is to be "interpreted in accordance with the
developing common law of privacy."12
2) Is dissemination of information by computer "publicity" for
purposes of the statute? It seems clear that private facts may be
publicized at a Web site that receives thousands of hits each day or
even by an email that goes out one message at a time. What is less clear
is whether "publicizing" a private fact to a small number of individuals
gives rise to a cause of action.
These questions, however, await dispositive treatment by Wisconsin
courts. Indeed, perhaps the answers will be forthcoming first from the
United States Congress.13
Conclusion
Just as many of the technical aspects of protecting (and violating)
the privacy of computer information rapidly change, the law is in a
state of constant development. Much of that development is taking the
form of targeted legislation addressing specific abuses. At the same
time, the law continues to provide a broader structure to analyze the
rights and liabilities involved, such as the Wisconsin computer and
privacy statutes discussed above.
Endnotes
1Wisconsin
Statute section 943.70(2)(a)(2) provides:
"Offenses Against Computer Data and Programs: (a) Whoever willfully,
knowingly and without authorization does any of the following may be
penalized as provided in par. (b):
"1. Modifies data, computer programs, or supporting
documentation.
"2. Destroys data, computer programs, or supporting
documentation.
"3. Accesses data, computer programs, or supporting
documentation.
"4. Takes possession of data, computer programs, or supporting
documentation.
"5. Copies data, computer programs, or supporting documentation.
"6. Discloses restricted access codes or other restricted access
information to unauthorized persons."
This statute establishes a form of privacy protection specific to the
medium of computers. "Data" is statutorily defined as "a representation
of information, knowledge, facts, concepts, or instructions that has
been prepared or is being prepared in a formalized manner and has been
processed, is being processed, or is intended to be processed in a
computer system or computer network. Data may be in any form including
computer printouts, magnetic storage media, punched cards and as stored
in the memory of the computer. Data is property." Wis. Stat.
§ 943.70(1)(f) (1995-97).
2It may be that paper records
receive loosely analogous protection in that they are typically stored
in locations from which others can be effectively excluded.
3See, Restatement (Second)
of Torts § 158 (liability for Intentional Intrusions on Land).
See also, Restatement (Second) of Torts § 217 (Ways of
Committing Trespass to Chattels).
4Chrysler Corp. v. Carey,
1998 U.S. Dist. LEXIS 7878 (E.D. Mo. May 26, 1998).
5Mo. Rev. Stat. § 569.095.
6Mo. Rev. Stat. §
537.525(1).
7See, Ian C. Ballon,
Alternative Corporate Responses to Internet Data Theft, 471
PLI/P at 737 (1997).
8Id. at 746.
9Id. at 748.
10Wisconsin
Statute section 895.50 provides in part:
"(2) In this section, 'invasion of privacy' means any of the
following:
"(a) Intrusion upon the privacy of another of a nature highly
offensive to a reasonable person, in a place that a reasonable person
would consider private or in a manner which is actionable for
trespass."
"(c) Publicity given to a matter concerning the private life of
another, of a kind highly offensive to a reasonable person, if the
defendant has acted either unreasonably or recklessly as to whether
there was legitimate public interest in the matter involved, or with
actual knowledge that none existed. It is not an invasion of privacy to
communicate any information available to the public as a matter of
public record."
11See Restatement
(Second) of Torts § 652B-652D.
12Wis. Stat.
§ 895.50(3) (1995-97).
13See, S. 1368, 105th
Cong., 1st Sess. (1997) (Medical
Information Privacy and Security Act); H.R. 1813, 105th Cong., 1st
Sess. (1997) (Personal
Information Privacy Act); S. 909, 105th Cong., 1st Sess. (1997) (Secure
Public Networks Act); S. 771, 105th Cong., 1st Sess. (1997) (Unsolicited Commercial Electronic Mail Choice
Act); H.R. 3785, 104th Cong., 2nd Sess. (1996) (Background
Security Records Act); H.R. 1964, 105th Cong. 1st Sess. (1997) (Communications
Privacy and Consumer Empowerment Act); H.R. 1367, 105th Cong., 1st
Sess. (1997) (Federal
Internet Privacy Protection Act); H.R. 2372, 105th Cong., 1st Sess.
(1997) (Internet
Protection Act); H.R. 695, 105th Cong., 2nd Sess. (1998) (Security
and Freedom through Encryption Act).
Wisconsin
Lawyer