I will be speaking on various aspects of cloud computing at two upcoming webinars in May:* Cloud Computing: Emerging E-Discovery Trends, Strafford webinar, May 4, 2010 (1:00 pm Eastern) * Negotiating and Preparing Cloud Contracts, IAPP web conference, May 13, 2010 (1:00 pm Eastern)
As some of you know, I tweeted my notes from the IAPP Global Privacy Summit 2010 yesterday and today (@Forsheit for those of you on Twitter). Since many of our readers are not on Twitter, I thought I would provide you with those notes here (minus the usual Twitter hashtags and abbreviations). Please note that there were multiple sessions, and this reflects only those I was able to attend, and only the information I could quickly record, putting virtual pen to paper. These are not direct quotes, unless specifically designated as such. Overall, I think it was a great conference, a wonderful opportunity to reconnect with other lawyers and privacy professionals, and to meet students, lawyers, and others looking to learn more about this constantly evolving legal and compliance space. For me, the conference highlight was Viktor Mayer-Schonberger's keynote this morning on The Virtue of Forgetting in the Digital Age. Without further ado, here are my notes. Would love to hear your thoughts/reactions.
This week, I will be providing short updates from the IAPP Global Privacy Summit in Washington, DC. The conference will be in full swing tomorrow, and I will report on various panels and topics of interest. In the meantime, as I prepare to see old and new friends at the Welcome Reception this evening, a few thoughts on what I expect to see and hear a lot over the next few days.
Yesterday, Mississippi Governor Haley Barbour approved Mississippi's first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota). Here are the most important basics of the Mississippi law.
What does workplace privacy have to do with the cloud? Everything. On Tuesday, the New Jersey Supreme Court issued its opinion in Stengart v. LovingCare Agency, Inc., --- A.2d ----, 2010 WL 1189458 (N.J. March 30, 2010), and came out on the side of protecting employee privacy and the attorney-client privilege in personal Yahoo! webmail (a cloud service) even though the employee used a company computer. While everyone has been busy writing about the implications of LovingCare for company policies governing employee expectations of privacy (and for good reason), few have stopped to note that LovingCare is a cloud case. LovingCare is one of only a few published opinions addressing the difficult issues surrounding employee use of webmail and other cloud services on company computers where the attorney-client privilege is at stake, and the impact of the LovingCare decision will undoubtedly be felt for years to come by nearly every employer across the country, both in crafting policies for employee use of company computer systems and in conducting discovery in nearly every employment-related litigation. The machine may be the employer's, but, in the post-LovingCare world, the data may be the employee's - at least where the cloud and the attorney-client privilege are involved. You can read my detailed case analysis in this post.
We are seeing more and more private litigation and regulatory enforcement actions around the issue of what constitutes "reasonable security." This week we see another. Once again the FTC asserts that a company has failed to take "reasonable and appropriate security measures" to protect personal information. Yesterday, in its 27th case challenging inadequate data security practices by organizations that handle sensitive consumer information, the FTC announced settlement of its complaint against Dave & Buster's, the restaurant chain. The FTC alleged in its complaint that, from April 30, 2007 to August 28, 2007, a hacker exploited vulnerabilities in Dave & Buster's systems to install unauthorized software and access approximately 130,000 credit and debit cards.
The European Court of Justice rules that Google is not liable for automated keyword advertising based on brand names. Advertisers, however, may be liable under trademark and fair competition laws if the ads misleadingly suggest that they link to the trademark owner.
Notice of significant security breaches involving personal information is recommended under federal Privacy Commissioner guidelines and legally required for custodians of personal health information in Ontario. Albert's new Bill 54, not yet in force, sets a new standard for mandatory notification to the provincial Privacy Commissioner, who can determine whether and how individuals must be notified.
As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.
As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here. I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something. A few observations, from a lawyer's perspective, based on some pervasive themes.