The attorneys of InfoLawGroup have been very busy this summer, and August is no exception. In addition to our regular day-to-day work, we will (somehow) find the time to attend some great events in August. If you will be in San Francisco and/or Seattle later this month, please join us, we would love to see you.
We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill known as "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (a.k.a. "BEST PRACTICES Act" or "Act"). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, various exemptions for de-identified information and application and enforcement.
Be forewarned: if you are going to challenge a forum selection clause used by a website named "CrankyApe.com" you may be the one that winds up looking like a monkey at the end of the day.
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the "Law") was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act").We have put together a summary of the Act in "FAQ" format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act.
This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week. Part Two focuses on the proposed modifications to the Privacy Rule.
As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant emailboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234 page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.
Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals. You can read the interview here.
In opening the door to holding credit card processors potentially contributorily liable as a result of the infringing actions of clients selling counterfeit goods online, Judge Baer, Jr.'s decision issues a shot across the bow of companies providing services to online commerce sites that their actions could be construed as providing material support to counterfeiters.
My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. This post extends Tanya's discussion of the intersection between electronic discovery and the cloud.
Back in February 2010, we reported on an online banking lawsuit filed by by Experi-Metal Inc. ("EMI") against Comerica (the "EMI Lawsuit"). As you might recall this case involved a successful phishing attack that allowed the bad guys to get the EMI's online banking login credentials and wire transfer about $560,000 from EMI's account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two factor token-based authentication with a man in the middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
Yesterday, the Utah Supreme Court, interpreting Utah's version of the Uniform Electronic Transactions Act (UETA) held that electronic "signatures" gathered through the website of an independent candidate for Utah state governor are valid to put the candidate's name on Utah's November ballot. The court's decision is a huge step forward in recognizing the legal efficacy of electronic signatures that may reverberate around the nation.
In the end eSignatures provided a tantalizing glimpse of a potential esigning future, but one that remains firmly in the distance at this time. Certainly eSignatures is in fact useful at the moment - for a limited range of actions and signings. But unless its more notable shortcomings are timely and completely addressed this will remain a beta that doesn't reach the other shore.