Invasions of Computer Privacy

By Michael K. McChrystal, William C. Gleisner III, and Michael J. Kuborn

In the Information Age, the issue of privacy is being discussed with more passion than ever before. Americans have always cherished their privacy, perhaps because we also have respected the power of information. What the Information Age has changed is the ease with which information can be gathered and stored and then used to threaten privacy. As collectors, purveyors, and repositories of information, lawyers need to know the general lay of the land concerning computer privacy law. Just as importantly, we need to advise our clients about the law as it relates to protecting and gathering information.

Possessors vs. subjects of information

One crucial point must be recognized at the outset: The law provides one set of protections for possessors of computerized information and a different set of protections for the subjects of the information. This distinction is important because much of the information about ourselves that we rightly regard as most private is stored in the computers of others, such as lawyers, doctors, employers, insurers, financial institutions, government agencies, friends, and coworkers.

With respect to possessors, computer information receives expansive statutory protection in Wisconsin. It is a crime knowingly to access, modify, or destroy computer data, programs, or supporting documentation without authorization.¹ In a sense, this provides a wildly expansive form of privacy protection specific to the computer as a medium. Imagine similar privacy protection being afforded paper documents such that it would be a crime "willfully, knowingly, and without authorization" to "access" a piece of paper containing data of any kind.² One would have to be very careful in picking up someone else's newspaper.

Notwithstanding the sweep of Wisconsin's computer crimes statute, the extent of computer privacy remains very much in doubt. Although the statutory language is sweeping, it may be so sweeping as to be unenforceable and, in some respects, unreliable as a method of protecting privacy. Moreover, while the statute creates computer privacy rights, it is unclear whether it provides a private remedy when those rights are violated. The statute does not, in its own terms, establish a private cause of action for a violation, and no reported Wisconsin decision directly addresses the issue. On the other hand, the statute does define data as property, and tort law typically provides a remedy for intentional, nonconsensual, and harmful interference with another's property.³

The statute is most limited, however, in that its protection seems to run only to the owner or possessor of the data, computer, or program. While data may be property and protectible as such, data about me often will not be my property. This is because the computer crimes statute appears to protect the possessors of data, and not necessarily the subjects of the data.

It should be emphasized that the subjects of computer information do receive protection in varied branches of the law. Duties of confidentiality can arise by statute or contractual agreement or by virtue of a professional relationship, so that some possessors of information owe a duty to some subjects of the information they possess. In many circumstances, tort remedies may be available in addition to any breach of contract remedy.

A recent federal district court decision in Missouri⁴ provides a good compendium of the issues that can arise. In that case, two lawyers left a law firm in which they had participated in the defense of Chrysler Corp. against class actions alleging certain defects in Chrysler vehicles. Before leaving the firm, the lawyers copied various computer files relating to the actions against Chrysler, allegedly in violation of a state computer crimes statute similar to the one in Wisconsin.⁵ The lawyers thereafter were involved in a class action against Chrysler alleging defects different from those alleged in the cases that they had helped defend. Chrysler brought suit against the lawyers for breach of the fiduciary duties of loyalty and confidentiality, violation of the computer "tampering" statute (which specifically allowed a private action for damages),⁶ and breach of written confidentiality agreements. The court found that triable issues existed as to all such claims.

Persons who provide professional services and who elicit private information to do so usually have a duty to protect the confidentiality of the information they receive. In fields such as health care and financial services, state and federal statutes and regulations elaborate these duties. Privacy duties also may arise by contract. For example, many Web sites announce privacy policies that may contractually bind the site's sponsor if a transaction is entered into and the protections promised by the policy aren't delivered.

If someone intentionally steals corporate or business secrets over the Internet, a host of federal criminal and civil laws also come into play. These remedies are rather comprehensively cataloged in a recent article.⁷ Assuming the culprits can be identified, criminal remedial responses might include prosecution pursuant to:

a) the Economic Espionage Act of 1996, 18 U.S.C. § 670;

b) the National Stolen Property Act, 18 U.S.C. § 2311, et seq.;

c) the Wire Fraud Act, 18 U.S.C. § 1343, et seq.;

d) the Intercepted Wire & Electronic Communications Act, 18 U.S.C. § 2510-1521;

e) the Stored Wire & Electronic Communications Act, 18 U.S.C. § 2701-2711; or

f) the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.⁸

Civil remedies might include an action:

a) for the intentional and wrongful copying or control of trade secrets;

b) for Civil RICO, 18 U.S.C. § 1964 (a); and

c) under theIntercepted Wire & Electronic Communications Act, the Stored Wire & Electronic Communications Act, and the Computer Fraud and Abuse Act.⁹

As you can see, computer privacy can be thought of as involving two separate spheres. The first sphere is the protection afforded to one's own computer, programs, and data. The other sphere is the subject's protection from wrongful transfer of private computer information by a possessor of that information, usually a service provider.

It is clear that wrongful disclosure of private information may be actionable by the subject of that information (for example, a client, a patient, or in some cases, a customer). It is less clear that the subject of private information has an action against one who wrongly acquires the information from a third party. Suppose, for example, that a hacker unlawfully accesses my file on my lawyer's computer system. If my lawyer failed to use reasonable care to protect the information, I may have a claim against the lawyer. But do I have rights against the hacker?

In Wisconsin, the right of privacy statute,¹⁰ which generally comports with the invasion of privacy torts recognized in the Restatement (Second) of Torts,¹¹ provides the starting point for analysis. With respect to computer privacy, the statute raises at least two important (and quite separate) questions:

1) Does an invasion of computer privacy involve intrusion "in a place that a reasonable person would consider private" or "in a manner which is actionable for trespass"? It is not a great stretch to consider that computers are places that occupy physical space and so a computer is a "place that a reasonable person would consider private." It also seems plausible to conclude that unauthorized access to a computer is a trespass in the nature of trespass to chattel. While these views may not have formed part of the legislative intent behind the statute, the statute directs that it is to be "interpreted in accordance with the developing common law of privacy."¹²

2) Is dissemination of information by computer "publicity" for purposes of the statute? It seems clear that private facts may be publicized at a Web site that receives thousands of hits each day or even by an email that goes out one message at a time. What is less clear is whether "publicizing" a private fact to a small number of individuals gives rise to a cause of action.

These questions, however, await dispositive treatment by Wisconsin courts. Indeed, perhaps the answers will be forthcoming first from the United States Congress.¹³

Conclusion

Just as many of the technical aspects of protecting (and violating) the privacy of computer information rapidly change, the law is in a state of constant development. Much of that development is taking the form of targeted legislation addressing specific abuses. At the same time, the law continues to provide a broader structure to analyze the rights and liabilities involved, such as the Wisconsin computer and privacy statutes discussed above.

Endnotes

¹Wisconsin Statute section 943.70(2)(a)(2) provides:

"Offenses Against Computer Data and Programs: (a) Whoever willfully, knowingly and without authorization does any of the following may be penalized as provided in par. (b):

"1. Modifies data, computer programs, or supporting documentation.

"2. Destroys data, computer programs, or supporting documentation.

"3. Accesses data, computer programs, or supporting documentation.

"4. Takes possession of data, computer programs, or supporting documentation.

"5. Copies data, computer programs, or supporting documentation.

"6. Discloses restricted access codes or other restricted access information to unauthorized persons."

This statute establishes a form of privacy protection specific to the medium of computers. "Data" is statutorily defined as "a representation of information, knowledge, facts, concepts, or instructions that has been prepared or is being prepared in a formalized manner and has been processed, is being processed, or is intended to be processed in a computer system or computer network. Data may be in any form including computer printouts, magnetic storage media, punched cards and as stored in the memory of the computer. Data is property." Wis. Stat. § 943.70(1)(f) (1995-97).

²It may be that paper records receive loosely analogous protection in that they are typically stored in locations from which others can be effectively excluded.

³See, Restatement (Second) of Torts § 158 (liability for Intentional Intrusions on Land). See also, Restatement (Second) of Torts § 217 (Ways of Committing Trespass to Chattels).

⁴Chrysler Corp. v. Carey, 1998 U.S. Dist. LEXIS 7878 (E.D. Mo. May 26, 1998).

⁵Mo. Rev. Stat. § 569.095.

⁶Mo. Rev. Stat. § 537.525(1).

⁷See, Ian C. Ballon, Alternative Corporate Responses to Internet Data Theft, 471 PLI/P at 737 (1997).

⁸Id. at 746.

⁹Id. at 748.

¹⁰Wisconsin Statute section 895.50 provides in part:

"(2) In this section, 'invasion of privacy' means any of the following:

"(a) Intrusion upon the privacy of another of a nature highly offensive to a reasonable person, in a place that a reasonable person would consider private or in a manner which is actionable for trespass."

"(c) Publicity given to a matter concerning the private life of another, of a kind highly offensive to a reasonable person, if the defendant has acted either unreasonably or recklessly as to whether there was legitimate public interest in the matter involved, or with actual knowledge that none existed. It is not an invasion of privacy to communicate any information available to the public as a matter of public record."

¹¹See Restatement (Second) of Torts § 652B-652D.

¹²Wis. Stat. § 895.50(3) (1995-97).

¹³See, S. 1368, 105th Cong., 1st Sess. (1997) (Medical Information Privacy and Security Act); H.R. 1813, 105th Cong., 1st Sess. (1997) (Personal Information Privacy Act); S. 909, 105th Cong., 1st Sess. (1997) (Secure Public Networks Act); S. 771, 105th Cong., 1st Sess. (1997) (Unsolicited Commercial Electronic Mail Choice Act); H.R. 3785, 104th Cong., 2nd Sess. (1996) (Background Security Records Act); H.R. 1964, 105th Cong. 1st Sess. (1997) (Communications Privacy and Consumer Empowerment Act); H.R. 1367, 105th Cong., 1st Sess. (1997) (Federal Internet Privacy Protection Act); H.R. 2372, 105th Cong., 1st Sess. (1997) (Internet Protection Act); H.R. 695, 105th Cong., 2nd Sess. (1998) (Security and Freedom through Encryption Act).

Wisconsin Lawyer