Oklahoma and Louisiana join Wisconsin and Tennessee in recent laws restricting access to applicants’ and employees’ personal online content by prospective and current employers. Adoption of Social Media platforms continues to grow as do new legal and business risks arise as well as state legislatures provide new rules, regulations and guidance. As state by state compliance requirements develop, businesses need to review frequently overlooked elements of key social media guidance, such as how to approach specific areas like Monitoring, Content Approval, Training and Information Security.

This latest round of bandwagon-jumping follows efforts by most other states that have addressed the issue. The key take-away is that business need to take a state-by-state approach to social media legal compliance.

Generally, most of these types of laws prohibit employers from requesting or requiring that applicants or employees disclose a username, password, or other means of authentication for their online accounts.

Employers should be on the lookout for laws that address whether an applicant or employee must accept a “friend” request, change privacy settings to permit access by the employer, or otherwise divulge personal online content.

Another area of concern is the definition of “personal,” “social media” and “account. ” these definitions vary and often cover far more than common notions of social media.

Some laws apply to any online account, including e-mail, instant messaging and media-sharing accounts. Some laws address the scope of use such as “exclusively for personal communications” as opposed to “business purposes of the employer” or “business-related communications.” This carve-out further narrows the scope of the Oklahoma and Louisiana laws.

While these laws generally prohibit adverse actions based based on a refusal to provide user name, password or other authentication information, each law should be scrutinized for broader prohibitions, such as those against penalizing or threatening to penalize an employee or applicant for refusing such requests.

Technology continues to evolve and so does the legal and regulatory environment. Businesses need to continually assess and address the risks created by new laws and new uses of tech in the workplace.

Contact us for a free consultation to learn what we can do to help your business navigate the ever-changing regulatory minefield. What you don’t know can hurt you. We are here to help you avoid getting hurt.

Privacy Law Update: California “Do Not Track” 

Two California laws went into effect at the beginning of the year that  require additional notifications to consumers.  The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents (in reality anyone with a web site that may be accessed by a CA resident) post a privacy policy that gives notice to consumers regarding behavioral or interest-based advertising practices (“OBA”).

Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business.

If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

Are you  concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.

Please contact us for a no-fee consultation.

At the end of August, the California passed an amendment to the California Online Privacy Protection Act that will require commercial websites and services that collect personal data to disclose how they respond to Do Not Track signals from Web browsers.

AB 370, as introduced by California Assemblyman Al Muratsuchi, requires a business that discloses a customer’s personal information to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.

This bill, available here, would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.


Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path) to handset manufacturers failures to properly inculcate privacy in the design and manufacturing process (HTC) to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.

Recent developments highlight the trend in Privacy

In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching, mandate, legislators and regulators are stepping into fill at perceived need.

GPS, Location & Privacy

The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever it seeks “location information.” Unfortunately, the term “location information” is very broadly defined, does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.

Proposed Federal Privacy Standards

Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.

FTC Protects Privacy Under Mantle of Consumer Protection

As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.

Wyndham’s web site privacy policy claimed that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.

The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.

Privacy Remains Top Concern

Many companies across many industries, financial services, higher education and healthcare, just to name a few, are facing a wide range of security and privacy concerns, scrambling to implement A defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.

Organizations can lose contracts, customers and their reputation. That could put some out of business.

Compliance Preparation & Best Practices

Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.

Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.

Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.

Standardize. Set standards of acceptable information security for networks, facilities, and information systems.

Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.

Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.

Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.

THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.

Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.

Canadian Tech Startups More Focused on Revenue than a Big Exit

Techvibes (blog)
According to a PwC report released last week, fewer Canadian tech startups are looking for buyers in order to exit the market, choosing instead to find ways to reach their next growth stage and generate revenue in Canada.

Ben Franklin Technology Partners helps startups arrive.

Lehigh Valley Business
CyOptics, once a startup that received funding and help from Ben Franklin, is just one success story, according to Laura S. Eppler, director of marketing for Ben Franklin Northeastern Pennsylvania.

7 startup lessons from the film industry

Ventureburn
At first glance you might not think there is much in common between the film industry and tech startups. I’m here to tell you differently. Both industries have their own set of challenges, whether you’re starting out, or refining your craft/company.

Database Startup Clustrix Builds Up its Bankroll

Wall Street Journal (blog)
Tech watchers once considered the database market pretty stagnant, at least in terms of new technology and new entrants. Suddenly it is anything but that, with Clustrix a prime example.

1871 anniversary spotlights Chicago startup growth

Techli
Leaders of the Chicago startup community released figures Friday regarding the city’s start-up growth coinciding with the first anniversary of 1871, one of the city’s start-up incubators. “Over the last year, the tech community has really come together.

Biz Stone’s new mystery startup Jelly nabs ex-Twitter veteran Kevin Thau

The Next Web
Rumors about the move have been circulating since late last month and follows the announcement that Ben Finkel is also involved at Jelly as Christopher Isaac “Biz” Stone’s fellow co-founder and Chief Technology Officer.

A start-up’s cool solution to manage heat – The Business Times

Business Times (subscription)
Thermal management solutions for lithium-ion batteries are also exactly what Gcorelab, a local clean tech startup, specialises in. Gcorelab is developing what it calls a “small liquid-based thermal management system” for electric vehicles.

Bowei Gai: A Worldwide Crusade to Connect the Global Startup Community

Tech in Asia
Gai When you’ve been co-founder and CEO of Snapture Labs, held the same titles at CardMunch, Inc. and are currently founder and chief ambassador at World Startup Report, you tend to attract attention when you enter the tech and startup community.

Tech Startup Develops Two-Click Checkout. – Yahoo! Finance

Finance: ALBUQUERQUE, N.M., May 2, 2013 /PRNewswire/ — Tech start-up @ Pay released its first public Application Programming Interface (API) today.

Silicon Valley based high tech start up in the Golf business, developing a cool product, is looking to expand its team in different disciplines including R&D.

AUSTIN, Texas — A divided House vote provides momentum for Texas employees who wish to shield personal text messages, email passwords under a bill backed by Democratic State Rep. Hellen Giddings and given preliminary approval Thursday.

Proponents say Texas workers need the same social media protections provided in several other states. The bill prohibits employers from asking job applicants or employees for passwords to access their Facebook, Twitter or other personal accounts. Opponents argue it will provide “safe harbor” for employees to steal proprietary information at the workplace through their personal accounts.

No specific penalties are spelled out for employers who would violate the law.

The Texas law is another reminder of the ongoing evolution of Social Media law and regulation as legislators and private businesses struggle to understand how these technologies affect everyone’s rights, obligations and remedies.

If you or your business is concerned about social media legal and regulatory compliance, contact David Adler at Leavens, Strand, Glover & Adler. 866-734-2568 dadler@lsglegal.com.

Intel Mobile Device

Intel Mobile Device (Photo credit: Frank Gruber)

On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.

The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.

Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:

  1. provide your engineering (programming) staff with security training
  2. review or test your software on mobile devices for potential security vulnerabilities
  3. follow well-known and commonly accepted secure coding practices
  4. establish a process for receiving and addressing vulnerability reports from third parties

Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.

Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach mobile app security.

Please comment, tweet and forward!

Image representing CloudFlare as depicted in C...

Image via CrunchBase

I just returned from RSAConference 2013 where I had the privilege and honor of giving a presentation of the legal risks caused by social media in the workplace. As a speaker-attendee, I had the priceless benefit of access to all the other speakers and programs held during the conference.

One such program I attended was “We Were Hacked: Here’s What You Should Know”. The speakers, Matthew Prince (@eastdakota) CEO of CloudFlare, and Mat Honan (@mat) writer for Wired Magazine, shared their common experience as targets of high profile hacks. Hearing the details from them first hand, including information from interviews with the hackers themselves, I learned how easy it is to be the victim of hacking and how it’s the little things that create exploitable seams in our information security barriers.

Rather than rewrite their stories, I thought I would share three simple lessons I learned that I’ve already implemented and you should too. Besides, Matt does a better job telling his own story which can be found here.

Here are the three things I learned about how you can protect yourself and others in your organization.

First, security attacks go after the “low hanging fruit” and that often means figuring out a way to exploit your personal email address. With so many web-based services and so much login information to remember, many of us use our personal email as our username for everything from the web sites on which we comment, to our online photo gallery, to our online banking service. Unfortunately, this is probably the address we use for password recovery if we forget. Given that our digital lives are easily mapped, hackers already have one piece of the two-piece login puzzle: they know your user name.

TIP NO. 1: Use a private, obscure email address for your more sensitive information.

Second, once a hacker has accessed your accounts, your computer and your files, the fun has just begun for them. As Matt Honan described, these often adolescent script kiddies simply don’t understand the value of your stored memories and other information. In his case, all the photos of his children were permanently deleted. Regardless of a hacker attack, stuff happens and you don’t want to lose everything because you we’re too lazy to back up.

TIP NO. 2: Back Up your digital life, early and often.

Third, today’s’ Internet is an interdependent ecosystem. Just because you or your organization takes security seriously, doesn’t mean that other do as well. Your internal systems are not enough. Like it or not, the seams of your security perimeter are intertwined and permeated by the services and systems of customers and vendors. For most consumers, the there is a Hobbesian choice of Security v. Convenience. Multiple login usernames and super long passwords are difficult to remember and tedious to use. As a result, most people choose the least secure means of authentication on the assumption that using astringent password is enough. Unfortunately, some people don’t even bothers with that. A recent ZoneAlarm study found that “password” was the fourth most commonly used password by consumers.

Google, Facebook and others have started using two-factor authentication. Two-factor authentication requires that one enter a code after entering the username/password combo. The code is sent via, text message, voice call or email. This greatly reduces the chances of unauthorized access because hackers would need to have your phone, in addition to your username/password combo.

TIP NO. 3: Whenever possible enable two-factor authentication.

Please understand that there is no “magic bullet” when it comes to Cybersecurity. Taking these precautions does not guarantee that you won’t be attached or that your account information won’t be accessed. However, these are important and easy steps that you can take to improve your personal data security.

Please comment and follow!

 

I will be speaking at Affiliate Management Days SF 2013 (April 16-17, 2013) on the topic of “Managing Risk: Legal Issues for Merchants & Affiliate Managers.”

 

Affiliate marketing is one of the most cost-effective techniques for monetizing web site traffic and driving sales. Unfortunately, it has a reputation for high risk. While the industry is unlikely to ever be risk-free, it is possible to manage risk by: (1) understanding how techniques like behavioral and contextual targeting affect consumers, affiliates and merchants, (2) understanding the legal and regulatory environment, (3) understating risks involved with prospective marketing partners, (4) using and maintaining proper contracts that allocate risk and provide appropriate indemnifications, and (5) keeping informed about the changes in technology, marketing practices and the regulatory environment. Attendees will learn how to identify these issues and develop policies and procedures to keep informed about the current technology, marketing strategies and regulatory compliance.

 

Topics covered include:

 

  • Behavioral/Contextual Advertising
  • Regulatory/Industry Compliance : FTC Guides & Enforcement Actions
  • CAN-SPAM compliance
  • IP Law: Rules governing use of others™ Trademarks/Keywords, Right of Publicity/Endorsement Issues.
  • Identifying, protecting against, and disputing accusations of Click-Fraud

 

Geno Prussakov, the Founder & Chair of Affiliate Management Days and the CEO & founder of AM Navigator LLC did a pre-interview with me on Small Business Trends that can be found here.

 

 

 

Entertainment Law News & Events

Entertainment Law Initiative Luncheon Set For Feb. 8 | GRAMMY.com
The GRAMMY Foundation announced today that the keynote discussion at the 15th Annual Entertainment Law Initiative Luncheon & Scholarship Presentation

Colorado IP and entertainment lawyer David Ratner forms ‘Creative …
‘Creative Law Network,’ a Denver-based law firm, will focus on small to mid-size businesses and artists.

Florida Bar Hosts Entertainment Law Event | Billboard
NEW YORK–The Florida Bar Assn.’s Entertainment Arts and Sports Law Section will host its sixth annual legal symposium on music, film and TV on March 26.

UNH Law to debut sports and entertainment law institute
Concord Monitor
The University of New Hampshire’s School of Law will open a Sports and Entertainment Law Institute next fall, giving students the opportunity to focus their studies for a law career in either field.

Entertainment lawyer Mike Novak dies
The Macomb Daily
For nearly three decades, Mike Novak’s name was synonymous with entertainment in the Detroit area. During his career the Troy-based attorney, a resident of Grosse Pointe Shores, represented the likes of artists such as Bob Seger and Kid Rock.

Use a Law Degree to Enter Environmental or Entertainment Fields
U.S. News & World Report (blog)
If you have a question about law school, E-mail me for a chance to be featured next month. This week, I will address questions from readers about pursuing environmental and entertainment law.

Fashion Law News

Minnetonka’s Trademark Suit Against Target Tip-Toes Away http://t.co/sF6vtszP via @FemmeLegale

VIDEO: First Ever Northern California Fashion Law Panel Produced …
First Ever Northern California Fashion Law Panel

Following the Dress Code: Fundamentals of Fashion Law with BK
February 13th – 6:00-8:00pm 2 MCLE Credits (Professional Practice) 123 Remsen Street, BrooklyModerator: Allegra Selvaggio, Esq.

About The Author

David M. Adler, Esq. is a 2012 Illinois SuperLawyer, author, educator, entrepreneur and partner with Leavens, Strand, Glover & Adler, LLC, a boutique law firm in Chicago, Illinois created with a specific mission: provide businesses with a competitive advantage by enabling them to leverage their intangible assets and creative content in order to drive innovation and increase overall business value.

Follow

Get every new post delivered to your Inbox.

Join 3,111 other followers

%d bloggers like this: