The Sedona Conference® Publishes International Principles on Discovery, Disclosure & Data Protection

The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring the most experienced attorneys, judges, privacy and compliance officers, technology-thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).


Data Protection in Social Networks

In a statement published on December 8, 2011, the Association of German Data Protection Agencies, known as the “Duesseldorfer Kreis” (“DK”), issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:

  • Transparent privacy policy and informed consent are essential for protecting the right to data privacy
  • Opt-out solutions are insufficient; all privacy settings must be on the basis of opt-in selections
  • Users must have simple access to their stored personal data
  • Facial recognition features require express, confirmed consent
  • No tracking profiles without the informed consent of the user
  • Obligation to delete data after the termination of the membership
  • Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
  • Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
  • Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
  • Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs

The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.


Will Facebook soon be privacy-friendly?

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement which will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted limited access only. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps in order to return to their accustomed privacy settings.


What's next in EU data protection?

The Article 29 Working Party outlined its agenda for 2012 at a recent plenary meeting in Brussels. Not surprisingly, the top priority is a new legal framework for data protection. But other topics, some of interest for US data protection developments, were discussed as well.

  1. Revision of the EU data protection framework: To ensure that EU data protection authorities can consistently apply the EU data protection rules, the revisions to the current Data Privacy Directive will emphasize harmonization efforts to advance the cooperation and coordination between the various authorities.
  2. WADA: The EU has ongoing concerns related to the current legal framework and the protection of athletes’ personal information. The EU Commission, supported by the Working Party, will provide comments to the proposed revision of WADA’s World Anti-Doping Code, which is planned for 2013.
  3. Cooperation with the European Network and Information Security Agency (ENISA): The Working Party and ENISA share common interests with regard to data breach notifications and will intensify their cooperation.
  4. EU Agency for Fundamental Rights (FRA): While the discussion addressed projects of the near future, such as redress mechanisms and the publication of a Handbook on European data protection case law, FRA has long been critical of Passenger Name Record (PNR) data transmissions, and cooperation with the Working Party may suggest that the use of PNR will come under scrutiny again.

Whether the newly harmonized EU data protection rules will be a curse or a blessing for US companies doing business in the EU remains to be seen. Frustration by certain EU member states over a lack of cooperation between the national data protection authorities is undoubtedly a driving force behind this recent development and, as a result, the current practice of concentrating business operations in the jurisdiction with the least onerous data protection laws may soon come to an end. But if the closing of national loopholes is mitigated by a uniform application of data protection principles, it may be a worthwhile sacrifice.

Still think consent is easy?

In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. As if to prove my point, and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (das “Unabhängige Landeszentrum für Datenschutz” in Schleswig-Holstein, or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to €50,000 in fines.[1]


Basic Principles of European Union Consent and Data Protection

Any US company that receives data about individuals living in the European Union must be familiar with the basic principles of consent and data protection within the EU to avoid costly mistakes that are easily made in obtaining consent, should the validity of such consent be challenged by the EU data protection agencies. While certain exemptions may apply that allow receipt of data into the US without consent, companies need to analyze their receipt of such data in light of the new consent opinion discussed below.


Identity Fraud down 28% in 2010; Consumer Costs Up!

According to Javelin Strategy & Research's 2011 Identity Fraud Survey Report, there was a 28% drop in the number of victims of identity fraud in 2010. Additionally, the number of reported data breaches dropped significantly (404 reported breaches in 2010, down from 604 in 2009). Finally, the report states that "only" 26 million records were reportedly exposed in 2010, compared to a whopping 221 million exposed in 2009. James Van Dyke, president and founder of Javelin Strategy & Research, cited (i) increased educational efforts by business, the financial services industry, and government agencies and (ii) "[e]conomic conditions" as contributing factors in the reduction in identity fraud over the past year.

Not all metrics improved, however. The report stated that consumer out-of-pocket costs rose significantly, from $387 in 2009 to $631 in 2010. The increase may be attributable to more "focused" attacks on individuals and to an increase in what the report refers to as "friendly fraud." What we don't know is whether fewer victims facing greater damages is solely the result of more effective, if less widespread, attacks, or whether other factors are at play. Also unknown is what caused the almost 10-fold drop in the number of records reportedly exposed in 2010. Could this be due to improved data security tools and practices, or to an increased reluctance by businesses to report breach events, especially where conclusively determining that a reportable breach occurred is not possible?

The report also provides six "Safety Tips" to protect consumers:

1. Keep personal data private
2. Don't overshare on social networks
3. Use debit cards wisely
4. Be vigilant in monitoring credit and financial accounts
5. Learn about identity protection services
6. Report problems immediately

Although the Javelin report brings us good news, it will be interesting to see if these trends continue.

Porter Wright Information Privacy and Data Security Workshop Series

Please join us for this informative series focused on the technical, enforcement, and practical aspects of experiencing and responding to a data security incident. For the complete invitation and details on registration please click here.

IDENTITY THEFT, CORPORATE DATA SECURITY BREACHES AND LAW ENFORCEMENT: SHOULD I CALL THE COPS?

Learn How to Effectively Utilize Law Enforcement and Private Security Resources to Protect Yourself and Your Business From Computer Criminals

January 20, 2011
11:30 a.m. - 1:30 p.m.
Lunch will be provided
Capital Club - 41 South High Street, 7th Floor
Columbus, Ohio

Focus issues:

  • Trends in Identity Theft
  • What Can Lead to a Data Breach
  • Law Enforcement
  • Identity Theft Investigations

U.S., European Regulators Do Not Share Google Street View Concerns

As recently reported by the Washington Post and others, the FTC has ended an inquiry into privacy concerns over Google's Street View service after Google pledged to stop gathering email, passwords, and other information from residential WiFi networks as its Street View cars creep through neighborhoods with computers on and cameras rolling. For some background on the issue, here is a timeline of related events and announcements:

  • 4/27/2010: Peter Fleischer, Google’s global privacy counsel, states in an entry on Google’s European Public Policy blog that while its Street View cars do collect publicly broadcast SSID information (the WiFi network name) and MAC addresses (the unique number given to a device like a WiFi router), Google does not collect payload data (information sent over the network).
  • 5/5/2010: The data protection authority (DPA) in Hamburg, Germany asks Google to audit the WiFi data that Google's Street View cars collect for use in location-based products like Google Maps for mobile, which enables people to find local restaurants or get directions.
  • 5/14/2010: Google states in a blog entry that it has discovered that its statements in the 4/27 blog entry were inaccurate; specifically, Google had been mistakenly collecting samples of payload data from open (i.e., non-password-protected) WiFi networks, even though Google "never used that data in any Google products".
  • 9/2010: The Czech Office for Personal Data Protection bans Street View in the Czech Republic after more than half a year of unsuccessful negotiation between the Czech Republic and Google.
  • 10/19/2010: Canadian Privacy Commissioner’s investigation reveals “that Google did capture personal information–and, in some cases, highly sensitive personal information such as complete emails.”
  • 10/22/2010: Google states that it is "mortified" over the unintended data collection and admits, "We work hard at Google to earn your trust, and we’re acutely aware that we failed badly here." Google outlines changes and steps it is taking to strengthen privacy controls.
  • 10/27/2010: As explained in a letter from the FTC to Google's attorney, the FTC ends its inquiry into the Google Street View data collection.
  • 10/28/2010: IDG News Service reports that Italian prosecutors have opened an investigation into Google for allegedly violating the country's privacy laws through the data collected for the Internet company's Street View service.

In the United States, the general rule is that there is no reasonable expectation of privacy in a public place, and there is therefore no right of privacy that would prohibit Google or anyone else from taking photographs or videos of public places and the people who happen to be in those locations. Some European countries, however, have laws prohibiting the filming without consent of an individual on public property for the purpose of public display. Further, while many European nations have laws that serve to proactively protect individual privacy and regulate the collection and sharing of personal information, the United States generally addresses such issues with a sector-by-sector approach, and then allows companies and other data collectors to do with the information what they please so long as the individuals are properly informed of, and agree to, the use in advance. Given these different approaches, it is not surprising that European governments would respond more forcefully to Google's data collection.

The reasons behind the differences between the U.S. and European approaches to privacy are many, with some potential historical and cultural factors including: European distrust of corporations compared to American distrust of government, European firsthand experience with Nazi use of public and church records to identify Jews and others during the Holocaust, the American state-based structure of government with limitations on federal powers, the preference in American law to honor individual contracts, the EU pro-consumer approach compared to the American pro-market approach, and the right of privacy having been "read into" the U.S. Constitution as compared to the EU Convention on Human Rights, which expressly addresses and sets forth a right to privacy (in Article 8). With information collection and sharing growing increasingly global in reach, the differences between the U.S. and European approaches to privacy will undoubtedly continue to result in criminal and civil investigations into the collection, storage, and distribution of private information.

Glass Houses and an Unwanted 15 Minutes of Fame

While nothing new by now, the practice of recording images or video of others without their knowledge and then disseminating the content on a worldwide basis has come under particular scrutiny over the past week.  The tragic story of the Rutgers University student (as reported by ABC News here, where I first learned of it) has become the basis of a worldwide conversation regarding privacy and civility.   Also in the news this week was the story reported by Jon Yates of the Chicago Tribune of a Chicago woman who discovered a photo of herself on a website called People of Public Transit and the woman's efforts (and Jon Yates' efforts) to get the photo removed from the site. 

While videotaping someone in their own living quarters behind locked doors may seem a clear invasion of privacy, the capturing of someone's image while that person is in a public space is generally not an invasion of privacy, as someone on a sidewalk or on a public transit bus would not have an expectation of privacy.  Given the modern day implications of that lack of a right to privacy--witness the People of Public Transit website and many others like it--one could argue that there is something missing in the law.

This issue was well framed by the Chicago woman in that story noted above when she said,  "Most people walking around just want to be left alone. That's the nature of living in cities. It seems kind of peculiar to hold people up for ridicule." 

In other words, while we might expect to wind up in the background of someone else's vacation video of a tourist site, some might argue that it seems improper if the video winds up going viral because it happened to catch us tripping and injuring ourselves.  While those who knowingly post their own foolish exploits for the world to see may garner less sympathy, any list of the most viral videos of all time (such as MSNBC's, here) seems to have a Star Wars Kid for every Numa Numa Guy. 

Another element of this discussion is the right of publicity and the potential for a new federal law.  Traditionally, the right of publicity--which varies from state to state--addresses an individual's right to control the exploitation of their image, name, and identity.  In some states the right of publicity is limited to situations in which the misappropriation of the individual's identity has value--meaning that the individual (usually a celebrity of some kind) has previously commercially exploited his/her identity.  Given the public's apparent thirst for People of Public Transit, People of Walmart, FAILBlog, and similar sites, perhaps the time is right for a discussion about the expansion of privacy rights, through a federal law or expanded state laws, to address unintentional and unwanted celebrity. 

HHS Withdrawing Breach Notification Final Rule - Temporarily

The Department of Health and Human Services (HHS) announced yesterday that it was temporarily withdrawing the breach notification final rule from review by the Office of Management and Budget (OMB) to allow HHS further time to consider these regulations. The breach notification rule, among other things, requires covered entities to notify individuals whose protected health information (as defined by HIPAA) has been compromised or breached. HHS's explanation for the withdrawal was that breach notification was "a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur." HHS stated that it intends to publish a final rule in the coming months.

Data Breach Incidents on the Rise

This week, the Identity Theft Resource Center released its 2010 data breach statistics report for data breaches through June 22, 2010. According to this weekly report, 2010 has already seen 325 reported data breaches exposing approximately 8.3 million records. Considering that the 2009 report shows 498 reported data breaches for all of last year, it looks like 2010 will see an increase in overall data breaches.

Companies collecting personal information should take proactive measures to avoid data breaches. Proactive measures include maintaining an up-to-date security policy, safeguarding sensitive data, encrypting data, turning on and monitoring system logs, and restricting access to only those who need it. (See our previous post for an example of why security implementations should be kept up to date.)

It is also important to have a preemptive response plan in place to deal with a data breach should one occur. A response plan should include means of investigating the data breach, notifying those whose records or information are potentially affected, addressing legal concerns, addressing public relations concerns, making other required notifications (such as those described here), and ensuring the data breach is not ongoing or recurring.

FBI Issues Warning Regarding Denial of Service Attacks

Is your phone ringing off the hook? Then you’d better check your bank account. According to the Federal Bureau of Investigation, a new “telephone denial-of-service” attack is combining high-tech and low-tech fraud techniques to steal money from the bank accounts of unsuspecting victims.

As reported in the alert issued by the FBI, the scam begins with the suspect obtaining a victim’s personal and banking information, perhaps including bank account numbers, PINs, and passwords. Scammers can obtain a victim’s personal and banking information in a variety of ways, such as through phishing emails, social engineering tactics, or malware surreptitiously installed on a person’s computer.

Once the scammers have the victim’s personal information, they begin tying up the victim’s telephone line by using automated resources to place hundreds or thousands of calls to the victim’s telephone, not unlike a Distributed Denial of Service attack aimed at a computer network that overwhelms a computer with requests for information resulting in a slowing or failure of the network.

While the victim is busy dealing with the onslaught of telephone calls, the scammers quickly drain the victim’s bank account, using the previously obtained personal and banking information to gain access to the account. If the banking institution calls its customer to verify the transactions, it finds the victim’s telephone line busy. In some cases, scammers are brazen enough to change a victim’s contact information listed with the bank. As a result, calls from a bank to verify fraudulent transactions are redirected to the scammers. According to the FBI, “[b]y the time the victim or the financial institution realize what happens, it’s too late.”

Although the FBI did not disclose how much money it believes to have been stolen in this matter, it highlighted the case of a Florida dentist who lost $400,000 from his retirement account through such a scam. Based on the Bureau’s alert, it appears that such crimes will continue to increase in frequency.

Ultimately, the telephone calls serve as a diversion to occupy the victim and a barrier to prevent a bank from verifying the authenticity of fraudulent transactions. If you believe you have been targeted in such a scam, or if you believe you have been the victim of any other online fraud, visit the Internet Crime Complaint Center for resources and guidance.

New Privacy Bill Could Have Big Impact on Online Commerce

On Tuesday, May 4, a new privacy bill, known as the Boucher-Stearns Bill, was released by Representative Rick Boucher, Democrat of Virginia, and Representative Cliff Stearns, Republican of Florida. If the bill were to become law, it would represent a dramatic shift in U.S. privacy governance. To date, privacy regulation in the U.S. has generally fallen along industry lines, such as (i) HIPAA's regulation of a hospital's use of medical information or (ii) Gramm-Leach-Bliley's regulation of a bank's use of an individual's financial information. The Boucher-Stearns Bill represents the first non-industry-specific federal privacy law, moving American regulation of personal information closer to that of the European Union and other countries. The impact on businesses and online commerce would be significant, adding broad-based constraints on how businesses collect, use, and disclose information related to individuals.

In general the Boucher-Stearns Bill, among other things, (i) requires businesses to provide notice and receive consent from individuals prior to the collection of various pieces of information from such individuals, (ii) obligates businesses to establish reasonable procedures to assure the accuracy, privacy, and security of information collected, and (iii) empowers the Federal Trade Commission to implement regulations to enforce the bill's provisions. 

A few of the bill's key provisions are highlighted below:


Security Breach Results in Fine Despite Prior Security Measures

In January 2008, the Davidson Companies, a financial services holding company, announced that a database containing current and past customer records had been hacked during a SQL injection attack. On April 14, 2010—more than two years after the network intrusion—the Financial Industry Regulatory Authority (FINRA) fined the company $375,000 for the breach.


Massachusetts Data Security Requirements Go Into Effect

A new Massachusetts data security regulation — the "Standards for the Protection of Personal Information of Residents of the Commonwealth" — has gone into effect as of March 1, 2010. The new regulation is intended to apply to any business that collects or retains personal information of Massachusetts residents.

Personal information, as defined under the regulation, includes a first name or first initial and last name in combination with any one of the following: (i) a Social Security number; (ii) a driver’s license number or state identification card number; or (iii) a financial account or credit card number together with its access codes.


Identity Theft Protection Company to Pay $12 Million to Settle FTC Claims, State AG Actions

According to an FTC press release on March 3, 2010 and as reported in various media outlet reports, like this one from The New York Times, LifeLock, Inc., an identity theft protection company, has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services.

The FTC claims and state attorneys general actions appear to have been centered around LifeLock's representations that its protections against identity theft were complete, absolute, and guaranteed.  FTC Chairman Jon Leibowitz noted in the FTC’s press release,

"While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it."


What Border Officials Can Do with Your Laptop And Cellular Phone

Having your laptop or smartphone searched or detained by Customs on your way back from a business trip would be a nightmare for most travelers, including bankers and other finance professionals. However, this scenario is quite possible under new governmental policies.

In 2009, U.S. Customs and Border Protection (“CBP”) and U.S. Immigration and Customs Enforcement (“ICE”) both issued their respective new policies on border searches of electronic devices. This was a coordinated effort of CBP and ICE to update and harmonize their border policies to detect an array of illegal activities, including terrorism, cash smuggling, contraband, child pornography, and copyright and export control violations.

With all the technology innovations that allow business travelers to carry massive amounts of information in small electronic devices, CBP and ICE are facing an enormous challenge. On the one hand, travelers have a legitimate right to carry information on electronic devices. In that respect, there are serious concerns regarding the traveler’s expectation of privacy. On the other hand, the government has a duty to combat illegal activities and to enforce U.S. law at the border. The difficulty is finding the right balance between the government’s duty to enforce the law and the rights of travelers.

The legal basis for ICE and CBP policies is the border search exception to the Fourth Amendment requirement that officers obtain a warrant before searching someone’s property. But, assuming that they have this power, another key issue is exactly what CBP and ICE are allowed to do with one’s laptop. In short, they have authority to search and share information on laptops, disks, drives, tapes, mobile phones, Blackberries, cameras, music players, and any other electronic or digital devices — with or without “reasonable suspicion”[1] of illegality. Detention of the devices and/or information requires probable cause that an illegal activity is underway or is about to occur.

Searches
CBP searches may be conducted with or without suspicion of an unlawful activity. To the extent practicable, CBP searches should be conducted in the presence of a supervisor. ICE searches should be conducted by an ICE Special Agent, CBP Officer, or Border Patrol Agent. The searches should be conducted in the presence of, or with the knowledge of, the traveler.

Naturally, the guidelines provide for exceptions to the traveler’s presence under certain circumstances where national security or operational considerations are an issue. ICE guidelines specifically state that the traveler’s consent for the search is not needed.

Detention
CBP detention of a device should not exceed five days, but that period can be extended. ICE detention periods may be longer — up to 30 calendar days or longer — if circumstances warrant. CBP is required to issue a Custody Receipt to the owner of the device (CBP Form 6051D) at the time of detention. ICE will also give the owner of the device documentation regarding its custody.

Detention of electronic devices requires probable cause to believe that the device, or its contents, contains evidence of illegality that CBP and ICE are authorized to enforce.
