How drones made it easy for Americans to kill a particular person anywhere on the planet.
July 1, 2013
Enacted by Congress in 1986, the Computer Fraud and Abuse Act (CFAA) builds upon existing computer fraud law (18 U.S.C. § 1030). Initially, the CFAA was intended to limit federal jurisdiction to cases “with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.” Notably, the CFAA criminalized certain computer-related acts such as distribution of malicious software code, propagating denial of service attacks as well as trafficking in passwords and similar items. Recently, the CFAA has gained prominence as a bludgeon used to prosecute a wide-range of activities, some broadly labelled “hacking” and other stretching the boundaries of “unauthorized” computer access.
Two recently introduced bills, one by Representative Zoe Lofgren (D-CA) in the House and one by Senator Ron Wyden (D-OR) in the Senate aim to amend the CFAA in hopes of ameliorating application of the CFAA to claims of breach of terms of service, employment agreements. Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.
In short the bills would amend the meaning of “exceeds authorized access,” changing it to “access without authorization,” which is defined to mean:
“to obtain information on a protected computer”;
“that the accesser lacks authorization to obtain”; and
“by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.”
For a well-documented discussion of the application and boundaries of the CFAA, check out the Electronic Frontier Foundations Legal Treatise on civil and criminal cases involving the Computer Fraud and Abuse Act here.
As businesses become ever more dependent on digital assets and systems, a working knowledge of the legal and regulatory framework that defines and protects those assets is paramount.
If you or your executive teams has questions about securing and protecting digital assets, please feel free to contact David M. Adler for a free consultation. LSGA advises a wide range of businesses on creating, protecting and leveraging digital assets as well as computer, data and information security and privacy.
Please tweet, comment on, and forward is article!
David M. Adler | Leavens, Strand, Glover & Adler, LLC
203 North LaSalle Street, Suite 2550
Chicago, Illinois 60601
Direct: (866) 734-2568
Direct Fax: (312) 275-7534
*2012 Illinois Super Lawyer http://bit.ly/gFfpAt
The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.
Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.
FTC Privacy Enforcement Actions
Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
Congressional Privacy Laws, Bills & Initiatives
Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.
The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.
App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
Learn more David M. Adler here.
HHS Office of Civil Rights (OCR) releases guidance for de-identification under the HIPAA Privacy Rule.
December 13, 2012
HHS has provided guidance about methods and approaches to achieve de- identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions regarding the two methods that can be used to satisfy the Privacy Rule‘s de-identification standard: Expert Determination and Safe Harbor1. This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de- identified information is created, and the options available for performing de- identification.