Contractual Obligations to Destroy Consumer Information

Consumers and businesses are expressing increasing concern over data privacy and security risks. The increasing frequency of data breach headlines shows these concerns are not trivial. Recent breaches involving Target and Neiman-Marcus, for example, are just the latest high-profile incidents that underscore the need to know that financial transactions are secure. When there is a Target- or Neiman-Marcus-sized breach involving personally identifiable information (PII), resulting in PII landing in the hands of unscrupulous third parties, there are significant consequences: our own information can be used against us (identity theft) and also to harm retailers and credit card companies. Financial and transactional security and cyber-privacy concern everyone.

Many businesses find themselves covered by a patchwork of state and federal laws governing consumer protection, privacy and data security. A client recently asked us to research the new Delaware law on data destruction (DE Code §50C-101). Specifically at issue was the definition of “consumer” under the Act.

A company in the financial services industry may have several different subsidiaries incorporated in Delaware. Most of them are likely covered by the Gramm-Leach-Bliley Act (“GLBA”) exception for regulated financial institutions with respect to the obligation to protect a consumer’s information. However, a subsidiary may function as a service provider to regulated and unregulated businesses, providing administration, accounting and other services, and may not itself be regulated. This entity will probably have contractual agreements with these other business entities but probably not with the end “consumer.” As such, the service provider may still have an obligation to protect consumer information via these contracts.

When drafting such contracts, the question arises regarding the scope of the information to be protected since the GLBA defines consumer differently than the Delaware Act. GLBA mentions “financial products or services” where Delaware talks about “entering into a transaction.”

Delaware statute: “A commercial entity shall take all reasonable steps to destroy or arrange for the destruction of a consumer’s personal identifying information within its custody and control that is no longer to be retained by the commercial entity by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means …”

Delaware Definition of Consumer: “an individual who enters into a transaction primarily for personal, family, or household purposes.”

GLBA Definition of Consumer: “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes.”

The Delaware definition of consumer appears to require a service provider to destroy the “consumer” information irrespective of any contractual agreement. This would appear to place responsibility for data destruction with the service provider rather than the entities it serves, i.e., those that have the true relationship with the consumers according to GLBA.

The Delaware definition of consumer is fairly standard and is used by most states in their “Unfair Trade Practices and Consumer Protection” type laws. The definition can be reasonably understood as intended to exclude businesses from the protection of such laws. It appears that a “consumer” under Delaware law is broader and more inclusive than under the GLBA. Since state courts may have more expansive powers to protect a consumer under state law than would be permitted under the GLBA (a law primarily intended to regulate financial institutions), and since the Delaware Act is a consumer protection statute, it is wise to presume that Delaware courts would interpret and apply the law as expansively as possible to protect consumers.

From a contractual relationship standpoint, it is incumbent on service providers to clearly address these issues in their contract and balance compliance risks and burdens among the parties best situated to ensure compliance.

NOTE: THIS IS NOT LEGAL ADVICE. If you have questions regarding application and interpretation of any laws, rules or regulations, you should consult a qualified attorney regarding your specific situation.

You may contact the Adler Law Group to schedule a free consultation by calling (866) 734-2568.

Originally posted on TechCrunch:

The good folks at the new Beijing and San Francisco-based startup Landscape Mobile have launched Sight today, an app that makes it easier to organize articles on mobile devices.

Copying and pasting on mobile devices is a huge pain in the caboose, and Sight solves that problem by allowing users to take a screen shot of whatever they’re reading through the Sight app (available on iOS and Android), which then scours the web for the story and saves it to the app’s own clipboard.

The technology and talent behind Sight was persuasive enough for IDG Capital to sign on for a $1.85 million seed round.

“An image is the new URL on the mobile web,” says Landscape Mobile’s co-founder and chief executive Yue Zhuge. Yue, a former executive at Yahoo and Microsoft in Beijing and Silicon Valley, has a lot of experience with mobile advertising.

“Because of mobile devices, the…


Technology Continues to Test The Bounds of Copyright Law

The Internet is an unprecedented source of disruption. From retail services (e.g. Amazon) to media and entertainment, almost every industry has been forced to rethink its business model due to the accessibility, ubiquity and democratizing force of the Internet. Aereo was positioned to disrupt the traditional media distribution model by giving consumers greater control over what were otherwise “free” over-the-air transmissions.

The Aereo service was premised on the idea that consumers should be able to watch and record over-the-air broadcast television programming via the Internet. Major broadcast networks that owned the content made accessible through Aereo challenged the model on the grounds that Aereo was violating the exclusive “public performance” right guaranteed by the Copyright Act.

Copyright law provides copyright owners six exclusive rights. One of those rights is the exclusive right to publicly perform the copyrighted work. Because this right is a statutory construct, one must look to the statute to determine its meaning. To perform a work “publicly” means, among other things, “to transmit or otherwise communicate a performance or display of the work to a place … or to the public, by means of any device or process, whether the members of the public capable of receiving the performance or display receive it in the same place or in separate places and at the same time or at different times.”

While many reacted by asking whether the case would stifle innovation and have a chilling effect on start-ups, this case does highlight the increasing tension between technological advances and copyright law.

From a practical standpoint, one need not be alarmed about the impact of the decision on most types of innovation. For one thing, the Court went to some lengths to craft a reasonably narrow decision, which applies only to broadcast TV retransmitted over the Internet.

As with any type of innovation, there are different types of risk. On the one hand, there is technology risk: the risk that whatever technology is necessary for some business plan simply won’t work. On the other hand, there is legal risk, highlighted by the Aereo decision: the risk that the entrepreneur’s interpretation of some act or case law won’t ultimately prevail. That’s what happened to Aereo.

As an IP lawyer, I am somewhat perplexed. It is hard for me to understand why Aereo made such a bold move. However, at least the district court agreed with Aereo’s interpretation.

Oklahoma and Louisiana join Wisconsin and Tennessee in recent laws restricting access to applicants’ and employees’ personal online content by prospective and current employers. Adoption of social media platforms continues to grow, new legal and business risks arise with it, and state legislatures keep providing new rules, regulations and guidance. As state-by-state compliance requirements develop, businesses need to review frequently overlooked elements of key social media guidance, such as how to approach specific areas like Monitoring, Content Approval, Training and Information Security.

This latest round of bandwagon-jumping follows efforts by most other states that have addressed the issue. The key take-away is that businesses need to take a state-by-state approach to social media legal compliance.

Generally, most of these types of laws prohibit employers from requesting or requiring that applicants or employees disclose a username, password, or other means of authentication for their online accounts.

Employers should be on the lookout for laws that address whether an applicant or employee must accept a “friend” request, change privacy settings to permit access by the employer, or otherwise divulge personal online content.

Another area of concern is the definition of “personal,” “social media” and “account.” These definitions vary and often cover far more than common notions of social media.

Some laws apply to any online account, including e-mail, instant messaging and media-sharing accounts. Some laws address the scope of use such as “exclusively for personal communications” as opposed to “business purposes of the employer” or “business-related communications.” This carve-out further narrows the scope of the Oklahoma and Louisiana laws.

While these laws generally prohibit adverse actions based on a refusal to provide a user name, password or other authentication information, each law should be scrutinized for broader prohibitions, such as those against penalizing or threatening to penalize an employee or applicant for refusing such requests.

Technology continues to evolve and so does the legal and regulatory environment. Businesses need to continually assess and address the risks created by new laws and new uses of tech in the workplace.

Contact us for a free consultation to learn what we can do to help your business navigate the ever-changing regulatory minefield. What you don’t know can hurt you. We are here to help you avoid getting hurt.

Contracts for Interior Design Professionals

This crash course on legal contracts is designed for interior designers who are drafting a contract for the first time or wanting to make an existing one airtight.

There’s a reason you became a designer, and it probably didn’t have anything to do with lawyers and contracts.

You’re the expert in color, fabric, floor plans, and furniture schemes, not intellectual property and arbitration provisions. If you’re already confused, don’t fret. This crash course is designed for those drafting a contract for the first time or wanting to make an existing one airtight. Led by David Adler, an actual lawyer who understands the ins and outs of the design industry, this workshop will cover the clauses you need to protect yourself in the unfortunate event that something doesn’t work out as planned. Clients can be difficult enough. Don’t let legal trouble slow you down.

In this class, you will learn how to:

  • Define what you are doing for your client, as well as NOT doing for them
  • Make sure you get paid on time and in full
  • Protect yourself against outside factors that may affect cost and ability to complete a project
  • Give yourself a way to get out of your contract if things aren’t working

By the end of class, you will have:

  • A basic understanding of key contract terms and the reasons as to why they are there
  • A basic client agreement that you can use or customize

The Instructor, David Adler, is an attorney, nationally-recognized speaker, and founder of a boutique law practice focused on serving the needs of creative professionals in the areas of intellectual property, media, and entertainment law. He provides advice on choosing business structures, protecting creative concepts and ideas through copyright, trademark, related intellectual property laws and contracts, and structuring professional relationships. He has 17 years experience practicing law, including drafting and negotiating complex contracts and licenses with Fortune 500 companies, advising on securities laws (fundraising) and corporate governance, prosecuting and defending trademark applications, registrations, oppositions, and cancellations before the US Patent & Trademark Office (USPTO), and managing outside counsel. Currently recognized as an Illinois SuperLawyer® in the areas of Media and Entertainment Law, he was also a “Rising Star” for three years prior. He received his law degree from DePaul University College of Law in 1997 and a double BA in English and History from Indiana University in Bloomington, Indiana. Outside the practice of law, David is an Adjunct Professor of Music Law at DePaul College of Law, formerly chaired the Chicago Bar Association’s Media and Entertainment Law Committee, and is currently a member of the Illinois State Bar Association Intellectual Property Committee.

A recent case involving a Spanish lawyer and his lawsuit to remove information about decade-old yet repaid debts from a widely-circulated Spanish newspaper and Google Internet search engine results was a case of first impression for the European Court of Justice (ECJ), requiring the examination of the EU Privacy Directive in the context of internet search engines.

Of note to U.S. companies are the ECJ’s discussions relating to the legal position of an Internet search engine service provider and the so-called “right to be forgotten,” i.e., the right to request that some or all search results related to the individual be removed. More specifically, the classification of Google’s search engine activity as “data processing” has broad implications for digital business applications such as cloud services and web-based information.

By statute, the European Union (EU) protects the personal data of individuals and regulates both the processing and free movement of such data. Generally known as the EU Privacy Directive, this law applies to defined players called “Data Processors” and “Data Controllers.” A Data Controller is a legal person or any other entity that determines the purposes and means of the processing of “personal data.” A Data Processor is one who processes data on behalf of a Controller.

For companies doing business on the Internet, the ECJ’s decision has four key take-aways: 1) certain automated processes conducted over the Internet are inherently “data processing” subject to the Directive; 2) it is almost axiomatic that a service operator will also be a “controller” because the operator determines the purpose and method of processing the data; 3) a territorial nexus to an EU member state exists where the data processing is in relation other commercial activities that occur within or are directed at the member state; and 4) an individual has the right to request removal of links to information related to his name because the additional information has the potential to create a broader data profile affecting the subject’s privacy rights.

1. Certain Automated Processes Are Inherently “Data Processing”

The ECJ began its analysis by discussing the services offered by Google. The ECJ held that by searching automatically, constantly and systematically for information published on the Internet, by indexing, storing and retrieving those information records, by organizing the data in question, and storing it on servers and, ultimately, disclosing and making it available in the form of structured lists of results, Google is expressly and unconditionally a “Processor” of data, regardless of the fact that it conducts these activities without distinguishing personal data from other types of information, even under circumstances that exclusively concern material that has already been published as it stands in the media.

For U.S. companies the implication is clear. Whether providing or utilizing most, if not all, of today’s cloud-based digital business services, the acts of automatically searching, indexing, storing, organizing, retrieving, disclosing or otherwise making data available, makes such companies data processors subject to the Directive.

2. A Service Operator Will Almost Always Be A “Controller”

After determining that Google was a data processor, it was nearly a foregone conclusion that Google was also a “Controller” of data. According to the ECJ, Google is the controller since it determines the purposes and means of the processing. Without saying as much, the ECJ concluded that Google’s activity of locating, indexing, storing and retrieving information published by third parties (e.g. original source web sites such as the newspaper) was in addition to that of publishers of web sites and, therefore, liable to affect the fundamental rights to privacy and to the protection of personal data. Google’s liability was derivative of the original publisher’s, with the same responsibilities, powers and capabilities to ensure compliance with the Directive.

3. Commercial Activities Directed At A Member State Create A Territorial Nexus

U.S.-based companies would do well to note the territorial scope of the Directive, since a U.S.-based company could be subject to the ECJ’s jurisdiction on questions of compliance with the Directive. With respect to the territorial scope, the ECJ stated that Google Spain – a subsidiary of Google Inc. – was located on Spanish territory and, therefore, an ‘establishment’ within the meaning of the Directive. Importantly, the ECJ explicitly rejected the argument that processing of personal data by Google Search is not carried out as part of the business activities conducted in Spain. According to the ECJ, “data processed for the purposes of a search engine operated by an entity that has an establishment in a Member State [has] a nexus if [it conducts] other commercial activities within the Member State.” For example, Google search engine results were connected to Google’s commercial activity of selling advertising to users located in Spain.

4. An Individual Has The Right To Request Removal Of Personally-identifiable Links

One aspect of the judgment has gotten the most media coverage: “the right to be forgotten.” This stems largely from the fact that there is no U.S. equivalent. Given our broad freedom of speech and press, enshrined in the nation’s Constitution, the idea that one’s past can be ‘scrubbed’ is anathema to most U.S. citizens. Nevertheless, given the broad EU focus on protecting the privacy of the individual, the ECJ upheld an individual’s right to request removal of links to information related to the individual’s name on the theory that the additional information has the potential to create a broader data profile affecting the subject’s privacy rights. According to the Court, the real risk is that an Internet user who searches an individual’s name can obtain other information concerning “a vast number of aspects” of his private life, enabling Internet users to establish a detailed profile of the person. This “profiling effect” is heightened since the Internet and search engines now make access to such information ubiquitous. Hence, Google is, in certain circumstances, obliged to remove links to web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person’s name. The ECJ underscored that the obligation may also exist in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even when its publication on those pages is lawful.

A Murky Future

Recognizing that the information sought may affect a legitimate interest in having access to that information, the ECJ cautioned in its holding that “a fair balance should be sought in particular between [that] interest and the data subject’s fundamental rights, in particular the right to privacy and the right to protection of personal data.” Unfortunately, the ECJ’s framework for achieving that balance was anything but clear: “the balance may … depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life.” The touchstone inquiry appears to be an examination of whether “even initially lawful processing of accurate data may, over time, become incompatible … where the data appear to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed and in the light of the time that has elapsed.” The ECJ gave no insight as to how or under what circumstances that would occur.

If you find this content useful, or if you believe that your colleagues or other members of your network might find it useful, please feel free to share it. Thank you.

As more devices are connected, there is a real opportunity to enhance security. The DropCam Tab is a “connected device” that isn’t creepy.
