Popular Internet Service Providers (ISPs) like Google, Dropbox and Yahoo regularly scan content that users upload to their servers. This content may include pictures, documents and even private emails. File encryption may not always prevent ISPs from scanning the information. While ISPs cannot scan encrypted files, unencrypted files later downloaded and stored on ISP may be scanned, effectively eliminating the private nature of the files.
Federal law addresses the use of ISP scanned information, specifically proscribing the circumstances under which this scanned information may be disclosed. For example, ISPs are required to report suspected child pornography to the National Center for Missing and Exploited Children.
State law, on the other hand, prescribes the consequences associated with online security breaches involving personal information. Connecticut General Statute Section 36a-701b defines a security breach as the unauthorized access to electronic files that contain personal information. State law requires certain business owners to report security breaches to the Connecticut Attorney General's Office. The failure to report such a breach may be deemed an unfair trade practice in violation of the Connecticut Unfair Trade Practices Act (CUPTA).
This law can create significant implications for Connecticut business owners and other professionals who store personal and confidential client information on ISPs. At present time, there is insufficient precedent to determine a company’s liability associated with such a breach. Business owners and other professionals need to be aware of the potential implications associated with using these ISPs for storing customer information and use best practices to guard against unauthorized access both inside and outside their organizations.