Lessors and lenders involved in equipment leasing and financing need to be mindful of the new paradigm developing around privacy and data security as this area of the law continues to develop.
In recent years, there has been an explosion of laws addressing privacy and data security, creating a complex patchwork of federal and state laws and regulations. Additionally, state common law claims, such as negligence and invasion of privacy, have been used by plaintiffs in privacy litigation.
As such laws and regulations expand, so does the universe of data that is potentially protected and businesses that may be subject to liability. At the same time, as technology becomes more sophisticated, more products have become able to collect and store data. Equipment lessors should be aware that the equipment they are leasing may automatically collect data that could be subject to one of these laws, and such companies need to examine company forms and procedures in order to protect themselves from liability.
In some ways, the proliferation of privacy and data security laws are driven by rapid improvements in technology and the evolution of equipment from “dumb” to “smart.” (The cell phone in your pocket is vastly different than your grandfather’s rotary model.) Many types of equipment now have the ability to collect and store data, and lessors should ensure that they understand what, if any, capabilities their equipment has to do so.
In addition to the obvious abilities of computers to store data, less obvious examples include equipment such as the following:
It is clear that lessors who obtain equipment (whether at the end of a true lease or otherwise under any form of lease as a result of repossessing equipment during the term) could be subject to liability if data is not properly wiped from equipment before it is sold or re-leased to third parties. Note that “deleting” the information is not sufficient. Deleting a file does not remove the file, but only changes the way that it is retrieved, and the data may still be recoverable. Instead, the files should be overwritten, which actually changes the values of the bits that make up the file, and the more times a file is overwritten, the harder it is to reconstruct. The U.S. Department of Defense recommends triple data overwriting for the destruction of sensitive data. Although lease forms used by prudent lessors often require the lessee to wipe the data at the end of the term, it is a good idea for the lessor to independently overwrite hard drives before the equipment is sold or re-leased. If lessors use a third party provider to sanitize data, the lessors should ensure that the firm is reputable, certified by a third-party organization that ensures best practices are used for data destruction, and provides documentation that the service was performed for each individual piece of equipment.
Similarly, there is some concern that lessors could be liable during the term of the lease for collecting data or disclosing data without authorization. A growing number of products connected to the internet, sometimes referred to as the “internet of things,” collect and transmit data to third parties concerning the usage of the products, such as locational data. Given the rapidly changing legal landscape, lessors should remain vigilant to ensure that they are compliant with applicable laws in the states in which they operate.
A discussion of the specific state laws and regulations governing these issues is beyond the scope of this article, especially given that the application of various laws depends upon the nature of the transactions, the parties and the equipment. However, the key concern is clear: Lessors and lenders involved in equipment leasing and financing need to be mindful of the new paradigm developing around privacy and data security as this area of the law continues to develop.