Attorneys deal with electronic information on a daily basis, presenting challenges to attorneys who practice in various fields. This often leads to “fitting” electronic information into existing legal principles, although new statutory or regulatory regimes may be created to address topics such as privacy and cybersecurity. It is critical for attorneys to understand how issues with electronic information fit into their legal practice in order to fulfill the basic duty of competency required by ABA Model Rule 1.6.
This post will address some key areas in which electronic information must be considered: defensible disposition of electronic records, the employer-employee relationship, trust and estate planning, and compliance with the GDPR.
Defensible disposition. Corporate and government organizations create, use, and store electronic information in large and increasing volumes and in different forms. This information must be managed so it will be available for organizational needs, presumably through, among other things, records retention policies. Retention policies should also dictate when electronic information might be disposed of subject to requirements to retain certain information imposed by statute or regulation or preservation obligations imposed when litigation is pending or reasonably foreseeable. Those policies may also require periodic reevaluation to incorporate information created by new sources (such as cell phones) or to address privacy and security requirements imposed by laws such as the GDPR and the California Consumer Privacy Act. All of this means that, whenever an organization disposes of electronic information it should do so in a manner that complies with records retention policies and legal obligations. That need suggests that organizations should have processes in place to enable disposition to be defensible.
Electronic information in the workplace. A major issue for lawyers as employees and employers as well as counselors is how the rights of employers may conflict with those of employees to engage in protected activities through social media. In order to understand the legality of employer policies, it is important to understand Sections 7 and 8(1) of the National Labor Relations Act and the three categories defined by the recent Boeing Co. decision of the NLRB. Category 1 rules are those that are those that are “Generally Lawful to Maintain” such as those addressing civility in the workplace. Category 3 rules are those that are “Unlawful to Maintain” such as those that prohibit conduct protected by the Act. Category 2 rules are those which are “not obviously lawful or unlawful, and must be evaluated on a case-by-case basis to determine whether the rule would interfere with rights guaranteed by the NLRA, and if so, whether any adverse impact on those rights is outweighed by legitimate justifications.”
Digital Assets and Estate Planning. The key questions in this arena are what constitutes a digital asset, how that asset might be valued, and who has ownership rights. These questions could arise with regard to, for example, the content of a decedent’s electronic communications. Basic contract law principles come into play, raising the question of whether the act of “clicking” or “browsing” an electronic document might be sufficient to bind someone to a contract that purports to allocate ownership to assets created by the contract. When it comes to allocating rights by testators, the Revised Fiduciary Access to Digital Assets Act, recently adopted by both New Jersey and New York, provides some guidance, and other states will likely pass similar legislation soon.
The General Data Protection Regulation. Promulgated by the European Union, the GDPR went into effect in May of 2018. The intent of the GDPR is to create a uniform approach to the creation, capture, and use of personal data of European residents. Since many American business organizations are doing business internationally, the GDPR will have effects here as well. At the same time, American businesses must consider the applicability of other laws that impose privacy obligations, including the newly-enacted but not yet in-effect California Consumer Privacy Act. Attorneys working with businesses must be helping them understand these new regulations and develop best practices to manage privacy and cybersecurity obligations.