We live in a world where data systems are increasingly complex and interrelated, not only within organizations but, more and more, between organizations. The degree of interdependency varies widely, ranging from purely passive data hosted by a third party – think Box or Alfresco – to very complex arrangements in which a third-party provider collects, aggregates and analyzes data on behalf of the nominal custodian.
Often, these relationships are invisible to users of the systems, such as consumers. You want, for example, to apply for a mortgage, so you find a lender and enter your information online. Insofar as you are aware, you’re sending your information to the lender. Except that in many cases, you’re not. You’re sending it to an unknown third party acting on behalf of the mortgage lender. And therein lies the rub. You know – or at least, you think you know – what sort of relationship you have with the lender. But what relationship do you have with the third party? Indeed, do you have any relationship with them at all? Maybe, maybe not. You certainly don’t have a contractual relationship with them, and the contract between the lender and the third party may or may not address these sorts of things. You might be able to argue that they’re responsible to you under a theory of agency – they’re acting as the agent of the lender – but courts have given mixed results on this one. So when a problem arises, as it often does, the situation is muddled and uncertain, resulting in protracted litigation with speculative outcomes.
This example is but one of an increasingly large number of scenarios in which third parties collect and manage data on behalf of other organizations. And it is not limited to consumer financial data. Increasingly, it includes significant health data such as medical files, and other types of information that are both valuable and sensitive. Any time you enter data into an online form, the possibility exists that it’s being collected and managed by someone other than the party you’re trying to transact business with.
Health data is illustrative of the complexities of this landscape. Diagnostic and treatment information is governed by a large and complex body of law. In the U.S., this law is found on both the federal and state level, resulting in many dozens of unharmonized requirements potentially applicable to any record. In the European Union, a similar relationship between Union and national law exists. Questions abound: Who owns it? Who is responsible for complying with the many data retention, privacy and other laws that govern it? Who is liable to whom in the event of a data breach or other significant adverse event?
The answers to these and many other relevant questions are uncertain and evolving. Contracts involving these arrangements are often vague or silent on these points; consumers are rarely informed in any meaningful way about the arrangement; and it is only recently that the law has recognized the issue and begun to respond with legal requirements – resulting, of course, in even more complexity, since every state responds differently and so imposes different legal requirements.
We’re at the beginning of a long road here. As technology and information systems grow more complex, this situation will only become more complicated. If you find yourself as any of the parties in such a situation, you’d be well advised to take whatever steps you can to protect the position of yourself and your organization. Even in the absence of clear legal guidance, there are things you can do to protect yourself and your organization – clear disclosures, strong contractual terms and protections, and of course, robust and secure information technology. You can’t resolve this quagmire alone, but you can help yourself a great deal with prudent and proactive thinking.
John C. Montaña J.D., FIIM, FAI
LexiTimes December 2018