Oklahoma and Louisiana join Wisconsin and Tennessee in recent laws restricting access to applicants’ and employees’ personal online content by prospective and current employers. Adoption of social media platforms continues to grow, new legal and business risks arise, and state legislatures provide new rules, regulations and guidance. As state-by-state compliance requirements develop, businesses need to review frequently overlooked elements of key social media guidance, such as how to approach specific areas like Monitoring, Content Approval, Training and Information Security.
This latest round of bandwagon-jumping follows efforts by most other states that have addressed the issue. The key take-away is that businesses need to take a state-by-state approach to social media legal compliance.
Generally, most of these types of laws prohibit employers from requesting or requiring that applicants or employees disclose a username, password, or other means of authentication for their online accounts.
Employers should be on the lookout for laws that address whether an applicant or employee must accept a “friend” request, change privacy settings to permit access by the employer, or otherwise divulge personal online content.
Another area of concern is the definition of “personal,” “social media” and “account.” These definitions vary and often cover far more than common notions of social media.
Some laws apply to any online account, including e-mail, instant messaging and media-sharing accounts. Some laws address the scope of use such as “exclusively for personal communications” as opposed to “business purposes of the employer” or “business-related communications.” This carve-out further narrows the scope of the Oklahoma and Louisiana laws.
While these laws generally prohibit adverse actions based on a refusal to provide user name, password or other authentication information, each law should be scrutinized for broader prohibitions, such as those against penalizing or threatening to penalize an employee or applicant for refusing such requests.
Technology continues to evolve and so does the legal and regulatory environment. Businesses need to continually assess and address the risks created by new laws and new uses of tech in the workplace.
Contact us for a free consultation to learn what we can do to help your business navigate the ever-changing regulatory minefield. What you don’t know can hurt you. We are here to help you avoid getting hurt.
Privacy Law Update: California “Do Not Track”
Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services
In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with fewer than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed, the names and addresses of the recipients of that data, and a description of the recipients’ business.
If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.
Are you concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.
Please contact us for a no-fee consultation.
Amended California Do Not Track Disclosure Law Requires Websites Disclose Do Not Track Signal Response
October 8, 2013
At the end of August, California passed an amendment to the California Online Privacy Protection Act that will require commercial websites and services that collect personal data to disclose how they respond to Do Not Track signals from Web browsers.
AB 370, as introduced by California Assemblyman Al Muratsuchi, requires a business that discloses a customer’s personal information to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.
This bill, available here, would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.
June 4, 2013
Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path), to handset manufacturers’ failures to properly inculcate privacy in the design and manufacturing process (HTC), to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.
Recent developments highlight the trend in Privacy
In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching mandate, legislators and regulators are stepping in to fill a perceived need.
GPS, Location & Privacy
The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever they seek “location information.” Unfortunately, the term “location information” is very broadly defined and does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.
Proposed Federal Privacy Standards
Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.
FTC Protects Privacy Under Mantle of Consumer Protection
As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.
The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.
The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.
Privacy Remains Top Concern
Many companies across many industries (financial services, higher education and healthcare, just to name a few) are facing a wide range of security and privacy concerns, scrambling to implement a defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.
Organizations can lose contracts, customers and their reputation. That could put some out of business.
Compliance Preparation & Best Practices
Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.
Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.
Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.
Standardize. Set standards of acceptable information security for networks, facilities, and information systems.
Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.
Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.
Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.
THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.
Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.
May 7, 2013
According to a PwC report released last week, fewer Canadian tech startups are looking for buyers in order to exit the market, choosing instead to find ways to reach their next growth stage and generate revenue in Canada.
Lehigh Valley Business
CyOptics, once a startup that received funding and help from Ben Franklin, is just one success story, according to Laura S. Eppler, director of marketing for Ben Franklin Northeastern Pennsylvania.
At first glance you might not think there is much in common between the film industry and tech startups. I’m here to tell you differently. Both industries have their own set of challenges, whether you’re starting out, or refining your craft/company.
Wall Street Journal (blog)
Tech watchers once considered the database market pretty stagnant, at least in terms of new technology and new entrants. Suddenly it is anything but that, with Clustrix a prime example.
Leaders of the Chicago startup community released figures Friday regarding the city’s start-up growth coinciding with the first anniversary of 1871, one of the city’s start-up incubators. “Over the last year, the tech community has really come together.
The Next Web
Rumors about the move have been circulating since late last month and follows the announcement that Ben Finkel is also involved at Jelly as Christopher Isaac “Biz” Stone’s fellow co-founder and Chief Technology Officer.
Business Times (subscription)
Thermal management solutions for lithium-ion batteries are also exactly what Gcorelab, a local clean tech startup, specialises in. Gcorelab is developing what it calls a “small liquid-based thermal management system” for electric vehicles.
Tech in Asia
Gai When you’ve been co-founder and CEO of Snapture Labs, held the same titles at CardMunch, Inc. and are currently founder and chief ambassador at World Startup Report, you tend to attract attention when you enter the tech and startup community.
Tech Startup Develops Two-Click Checkout. – Yahoo! Finance
Finance: ALBUQUERQUE, N.M., May 2, 2013 /PRNewswire/ — Tech start-up @ Pay released its first public Application Programming Interface (API) today.
Silicon Valley based high tech start up in the Golf business, developing a cool product, is looking to expand its team in different disciplines including R&D.
AUSTIN, Texas — A divided House vote provides momentum for Texas employees who wish to shield personal text messages and email passwords under a bill backed by Democratic State Rep. Helen Giddings and given preliminary approval Thursday.
Proponents say Texas workers need the same social media protections provided in several other states. The bill prohibits employers from asking job applicants or employees for passwords to access their Facebook, Twitter or other personal accounts. Opponents argue it will provide “safe harbor” for employees to steal proprietary information at the workplace through their personal accounts.
No specific penalties are spelled out for employers who would violate the law.
The Texas law is another reminder of the ongoing evolution of Social Media law and regulation as legislators and private businesses struggle to understand how these technologies affect everyone’s rights, obligations and remedies.
If you or your business is concerned about social media legal and regulatory compliance, contact David Adler at Leavens, Strand, Glover & Adler. 866-734-2568 email@example.com.
On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach to mobile app security.
Please comment, tweet and forward!