Last week, we joined privacy regulators, practitioners and industry representatives from around the world in Jerusalem for the 32nd International Conference of Data Protection and Privacy Commissioners. On numerous panels, conference participants engaged in lively discussions about privacy compliance and enforcement as well as the future of privacy in light of evolving consumer expectations and advances in technology that tracks and identifies individuals.
One issue still bobbing below the social networking surface is disclosure of trade secrets, such as a client/customer list, through use of social networking. With seemingly everyone, including us here at the Info Law Group, connecting to business associates and potential and actual clients, the question is not academic.
Scott Blackmer provides a "discovery" checklist for global enterprises handling personal data from multiple jurisdictions, as well as advice on a global approach to privacy compliance and risk management.
As of late there has been a great deal of news and discussion concerning "web scraping." Web scraping is the practice of using computer software to extract information from a website. In short, a wealth of information exists on the Internet and companies of all stripes are interested in collecting it from websites, compiling and combining it, and using it to further their business.Scraping raises a multitude of legal issues, including issues related to privacy and security intellectual property, and laws concerning unauthorized access to computers and trespass to chattels (in fact, the overlapping issues raised by scraping represent a very good example of what we call "information law"). Many companies attempt to stop scraping of their websites from occurring in the first instance. This can be achieved by implementing technologies such as CAPTCHA (which are becoming ubiquitous) that are intended to ensure that a human is entering the website rather than a computer software program or bot. If technologies like CAPTCHA are evaded by scrapers, some websites might pursue an action under the anti-circumvention provisions of the Digital Millennium Copyright Act (the "DMCA"). The DMCA provides for potential statutory penalties and even criminal sanctions for violations of its anti-circumvention provisions. This post explores how the DMCA might be used in this context and looks at some cases addressing whether circumvention of CAPTCHA (and similar protocols) might result in violation of, and liability under, the DMCA.
So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.
Boiled down, S.3898 essentially modifies FDIC Regulation E implementing portions of the EFTA to extend the $50 limitation of loss from ACH/wire fraud currently covering individual consumers to school districts and municipalities.
Needless to say, due in part to our numerous writings on the legal ramifications of Cloud computing, the InfoLawGroup lawyers have been involved in much Cloud computing contract drafting and negotiating, on both the customer and service provider side. As a result, we have seen a lot in terms of negotiating tactics, difficult contract terms and parties taking a hard line on certain provisions. During the course of our work, especially on the customer side, we have seen certain "roadblocks" consistently appear which make it very difficult for organizations to analyze and understand the legal risks associated with Cloud computing, and in some instances can result in a willing customer walking away from a deal. Talking through some of these issues, InfoLawGroup thought it might be a good idea to create a very basic "Bill of Rights" to serve as the foundation of a cloud relationship, and allow for more transparency and enable a better understanding of potential legal risks associated with the cloud.
Under New York law it's settled doctrine that "contractual provisions that 'clearly, directly and absolutely' limit liability for 'any act or omission' are enforceable, 'especially when entered into at arm's length by sophisticated contracting parties.'" And that New York courts "generally enforce contractual waivers or limitations of liability."
The Maine Supreme Court has rendered its opinion on the "damages" issue in the Hannaford Bros. consumer security breach lawsuit. Again, the plaintiffs have been unable to establish that they suffered any harm as a result of the Hannaford security breach. Specifically, the Court ruled that "time and effort" alone spent to avoid or remediate reasonably foreseeable harm do not constitute "a cognizable injury for which damages may be recovered." In this blogpost we take a closer look at the Court's rationale.
Think there's nothing new in the world of state breach notification laws and regulations? Think again. On a Wednesday in August, the State of Connecticut Insurance Department issued Bulletin IC-25 to all regulated entities in Connecticut, including insurance producers, public adjusters, bail bond agents, appraisers, certified insurance consultants, casualty claim adjusters, property and casualty insurers, life and health insurers, health care centers, fraternal benefit societies, captive insurers, utilization review companies, risk retention groups, surplus line companies, life settlement companies, preferred provider networks, pharmacy benefit managers, and medical discount plans, requiring that ALL licensees and registrants notify the Department of any information security incident which affects any Connecticut residents. This is in addition to, and goes beyond, the existing breach notification requirements under Conn. Gen Stat. 36a-701(b). The procedural requirements set forth in the Bulletin are extensive, detailed, and will require covered organizations to act VERY quickly when they learn of a potential incident. Here are the basics.
Dave and I recently spoke with BNA's Daily Report for Executives about the importance of due diligence and planning for organizations entering into (or considering) enterprise cloud computing arrangements. You can find the article, "'Cloud' Customers Facing Contracts With Huge Liability Risks, Attorneys Say," here.
Manufacturers that fail to comply with the data security notification requirements may receive a civil penalty of up to $1,000 for a first violation; up to $2,500 for a second violation; and up to $5,000 for the third and any following violations within a 12-month period.
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
Individuals or their representatives may inquire directly with the Attorney General's office to learn if any abandoned records containing their PI are being held by downloading an Abandoned Records Request Form," or by calling the Attorney General's Consumer Protection Division at (800) 382-5516 to request a form be mailed.
Many of us have watched over the past few years as dozens of proposed federal data security and breach notification bills have been introduced, often with bipartisan support, but have failed to become law. This year has seen many of the usual proposals. For those of you keeping track, this year's bills include: Rep. Rush's Data Accountability and Trust Act -- HR 2221; Sen. Leahy's Personal Data Privacy and Security Act - S. 1490; Sen. Feinstein's Data Breach Notification Act - S. 139; and Sens. Carper's and Bennett's "Data Security Act of 2010" - S. 3579. However, 2010 has also seen new and expansive proposals for broad and far-reaching data privacy legislation, including Rep. Boucher's "discussion draft" and Rep. Rush's "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (or "BEST PRACTICES Act"). Most recently, on August 5, Sens. Pryor and Rockefeller introduced the "Data Security and Breach Notification Act of 2010" - S. 3742 (hereinafter "S. 3742" or the "Act"). S. 3742 is much more akin to the more traditional proposed breach notification and data security legislation mentioned above, and not nearly as ambitious as the draft Boucher Bill or the BEST PRACTICES Act. This post summarizes the key provisions in S. 3742.
An odd result -- we know. We previously reported on the lawsuit filed by Experi-Metal, Inc. ("EMI") and the subsequent motion for summary judgment (and briefs) filed by Comerica Bank to have the case dismissed. As reported in July, the U.S. District Court for the Eastern District of Michigan has issued a ruling on Comerica's motion for summary judgment. To make a long story short, the Court denied Comerica's motion and this case appears headed toward trial (or potentially settlement). In the course of its ruling the Court found that Comerica had utilized commercially reasonable security procedures. However, that ruling had more to do with the language in Comerica's contracts than an actual substantive analysis of the reasonableness of Comerica's security. In this blogpost, we take a look at the Court's ruling.