The Recording Industry Association of America is taking dramatic steps to protect its copyrights against free file sharing, and it hasn't ruled out serving subpoenas on companies and universities that offer E-mail and Internet access to employees and students if it suspects that they use those systems to pirate material. So what do you do if worse comes to worst and the RIAA knocks?
Check your privacy policies. What do you say is done with data collected from users at your sites? What do they say you do with the data? Do you have a legal-process exception, and does the exception state that you comply with court orders? Have your privacy lawyers review the language. Are you subject to confidentiality agreements that might be affected by a demand for user information?
Call your data-management contractor. What protections do you have if it's served with a subpoena? Review the contract, and make sure it provides for legal-process exceptions and for sufficient advance notice to you if it's served before your contractor complies.
If you're managing others' data, make sure you're indemnified for complying with a 512(h) subpoena, which can be used to obtain the identities of everyone sharing music online. If you belong to a privacy program like Trust-e, make sure that complying with a 512(h) subpoena doesn't violate its policies. Check with counsel in advance about what information you maintain and how it's collected, stored, and accessed. You don't have to give up data you don't have. Don't collect what you don't have to. If there isn't a valid business purpose for it, the risks will always exceed the benefits of keeping it.
If you are subject to the Children's Online Privacy Protection Act, don't respond to a subpoena unless you get knowledgeable advice. Any response to the 512(h) subpoena in connection with a child under the age of 13 may violate the act, which carries legal consequences.
Talk to your privacy professionals to see if health, securities, or financial-privacy regulations are relevant when complying with a subpoena and make sure your human-resources team knows these issues.
Make sure your data- or Internet-related insurance cover good-faith compliance with a 512(h) subpoena.
Pull together a privacy assault team that includes your legal, data-security, privacy, HR, operations, marketing, and public-relations teams. Working together in the event of a serious privacy-implicated event is key to being able to handle it successfully and with minimal adverse impact.
Warn the applicable departments about the process, and make sure you're informed quickly if a subpoena is served. Response should be done under the watchful eye and informed advice of your privacy professionals, not by a clerk.
Review your acceptable Internet-use policy and make sure you prohibit the misuse of peer-to-peer apps.
Consider offering educational and awareness programs for your employees. Helping your employees talk to their children about the implications of downloading music online is helpful as well.
Run frequent audits to make sure P-to-P apps haven't been installed and, if possible, block access to peer-to-peer services. Remember that you don't want to be served, but if you are served, you don't want to be unprepared.
http://www.informationweek.com/showArticle.jhtml?articleID=15201212