AUSTIN, Texas — A divided House vote provides momentum for Texas employees who wish to shield personal text messages, email passwords under a bill backed by Democratic State Rep. Hellen Giddings and given preliminary approval Thursday.
Proponents say Texas workers need the same social media protections provided in several other states. The bill prohibits employers from asking job applicants or employees for passwords to access their Facebook, Twitter or other personal accounts. Opponents argue it will provide “safe harbor” for employees to steal proprietary information at the workplace through their personal accounts.
No specific penalties are spelled out for employers who would violate the law.
The Texas law is another reminder of the ongoing evolution of Social Media law and regulation as legislators and private businesses struggle to understand how these technologies affect everyone’s rights, obligations and remedies.
If you or your business is concerned about social media legal and regulatory compliance, contact David Adler at Leavens, Strand, Glover & Adler. 866-734-2568 dadler@lsglegal.com.
Three Things I Learned About Personal Cybersecurity At RSAConference That You Should Be Doing Right Now
February 28, 2013
Image via CrunchBase
I just returned from RSAConference 2013 where I had the privilege and honor of giving a presentation of the legal risks caused by social media in the workplace. As a speaker-attendee, I had the priceless benefit of access to all the other speakers and programs held during the conference.
One such program I attended was “We Were Hacked: Here’s What You Should Know”. The speakers, Matthew Prince (@eastdakota) CEO of CloudFlare, and Mat Honan (@mat) writer for Wired Magazine, shared their common experience as targets of high profile hacks. Hearing the details from them first hand, including information from interviews with the hackers themselves, I learned how easy it is to be the victim of hacking and how it’s the little things that create exploitable seams in our information security barriers.
Rather than rewrite their stories, I thought I would share three simple lessons I learned that I’ve already implemented and you should too. Besides, Matt does a better job telling his own story which can be found here.
Here are the three things I learned about how you can protect yourself and others in your organization.
First, security attacks go after the “low hanging fruit” and that often means figuring out a way to exploit your personal email address. With so many web-based services and so much login information to remember, many of us use our personal email as our username for everything from the web sites on which we comment, to our online photo gallery, to our online banking service. Unfortunately, this is probably the address we use for password recovery if we forget. Given that our digital lives are easily mapped, hackers already have one piece of the two-piece login puzzle: they know your user name.
TIP NO. 1: Use a private, obscure email address for your more sensitive information.
Second, once a hacker has accessed your accounts, your computer and your files, the fun has just begun for them. As Matt Honan described, these often adolescent script kiddies simply don’t understand the value of your stored memories and other information. In his case, all the photos of his children were permanently deleted. Regardless of a hacker attack, stuff happens and you don’t want to lose everything because you we’re too lazy to back up.
TIP NO. 2: Back Up your digital life, early and often.
Third, today’s’ Internet is an interdependent ecosystem. Just because you or your organization takes security seriously, doesn’t mean that other do as well. Your internal systems are not enough. Like it or not, the seams of your security perimeter are intertwined and permeated by the services and systems of customers and vendors. For most consumers, the there is a Hobbesian choice of Security v. Convenience. Multiple login usernames and super long passwords are difficult to remember and tedious to use. As a result, most people choose the least secure means of authentication on the assumption that using astringent password is enough. Unfortunately, some people don’t even bothers with that. A recent ZoneAlarm study found that “password” was the fourth most commonly used password by consumers.
Google, Facebook and others have started using two-factor authentication. Two-factor authentication requires that one enter a code after entering the username/password combo. The code is sent via, text message, voice call or email. This greatly reduces the chances of unauthorized access because hackers would need to have your phone, in addition to your username/password combo.
TIP NO. 3: Whenever possible enable two-factor authentication.
Please understand that there is no “magic bullet” when it comes to Cybersecurity. Taking these precautions does not guarantee that you won’t be attached or that your account information won’t be accessed. However, these are important and easy steps that you can take to improve your personal data security.
Please comment and follow!
Related articles
- Twitter looks to add two-factor authentication to stop password hacks (arstechnica.com)
Whose Social Media Account Is It Anyway?
December 23, 2012
As a result of the rapid shift in marketing from unilateral one-to-many communications, to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.
This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customers engagement and the ability to stay on top of the most current grands and business issues. For employers, it presents opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.
First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. in addition, they contain contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. For both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal versus work-related information.
Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, , Prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.
Lastly, recent cases such as the Cristou v. Beatport litigation, highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post termination risks that arise from the absence of appropriate policies.
As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.
FTC Privacy Update: Recent Guidance and Settlements
December 11, 2012
Company Sanctioned for ” History Sniffing”
FTC Settlement Puts an End to “History Sniffing” by Online Advertising Network Charged With Deceptively Gathering Data on Consumers
You know the old adage, the Internet is forever. Well, so is your browsing history, apparently. On December 5, 2012, the FTC announced that an online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.
“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”
The defendant, Epic Marketplace shared information with a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.
Mobile Applications (Apps) Continue to Threaten Childrens’ Privacy
Kids’ Data Still Collected, Shared without Parents’ Knowledge, Consent
The Federal Trade Commission issued a new staff report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” [PDF here ] examining the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores. The report details the results of the FTC’s second survey of kids’ mobile apps.
The FTC first surveyed kids’ mobile apps in 2011. Since then there has been little progress toward giving parents the information they need to determine what data is being collected from their children, how it is being shared, or who will have access to it. Many any of the apps examined included interactive features, such as connecting to social media, and sent information from the mobile device to ad networks, analytics companies, or other third parties, without disclosing these practices to parents.
Disturbingly, the shared information included login information across multiple sites, GPs location information and device ID information.
Adlerlaw’s International Cyber Security Legal News
November 12, 2012
Experts: State Needs Long-Term Cyber Security Plan
WLTX.com
By TIM SMITH — The Greenville News. A month after state officials learned of a massive data breach at the Department of Revenue, officials are still discussing what security measures to take to protect all of the state’s computer systems.
How Obama’s reelection may spur work on cybersecurity in the United States
The Next Web (blog)
Now that the President’s electoral and popular vote victories are in the books, their various ramifications are still being felt. One key element of the addition of four more years to the President’s legacy is the issue of cybersecurity.
Israel’s HLS 2012 Event Highlights Cyber Security Innovations
Defense Update
The Cyber Security panel taking place in Tel-Aviv this week at the HLS 2012 event is attracting considerable interest on the backdrop of the recent revelations of massive Iranian cyber attacks crippling the networks of Aramco Oil Company in Saudi Arabia.
Cyber security facility launched
Alpena News
YPSILANTI, Mich. (AP) — Michigan Gov. Rick Snyder has announced the opening of a facility designed to help electronic security professionals detect and prevent cyber threats and attacks.
Evolving Cyber Crooks Waiting For That Click
The Borneo Post
On the final day of the three-day Cyber Security Awareness campaign, Mohd Izuddin bin Hj Md Hussin, Learning Solution Specialist from Tech One Global, who delivered a public talk on ‘Protect your Computer, Your Family and Yourself’ at Times Square.
Is Obama’s Cybersecurity Executive Order Imminent?
Of course, there remains the chance that Congress will pass some version of a cybersecurity bill before the president can issue his edict.
Outrageous! Seven Rent To Own Firms Used Nefarious Software to Spy on Customers in Their Homes
October 19, 2012
On September 25, 2012, the Federal Trade Commission announced a settlement with seven rent-to-own companies that secretly installed software on rented computers, clandestinely collected information, took pictures of consumers in their homes (WTF?!) and tracked these consumers’ locations.
If you haven’t vomited on your computer from the sickening outrage, you can read the FTC press release here.
Software design firm DesignerWare, LLC licensed software to rent-to-own stores ostensibly to help them track and recover rented computers. The software collected the data that enabled rent-to-own stores, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase, to track the location of rented computers without consumers’ knowledge
According to the FTC, the software enabled remote computer disabling if it was stolen, or if the renter failed to make payments. It included an add-on purportedly to help stores locate rented computers and collect late payments. Alarmingly, the software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.
When activated, the nefarious feature logged key strokes, captured screen shots and took photographs using a computer’s webcam, according to the FTC. It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.
“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”
“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.
A complete collection of the 38 federal acts governing U.S. information privacy law.
October 4, 2012
A complete collection of the 38 federal acts governing U.S. information privacy law.
1. Bank Secrecy Act
2. Cable Communications Policy Act
3. CAN-SPAM Act
4. Children’s Online Privacy Protection Act
5. Computer Fraud and Abuse Act
6. Communication’s Assistance for Law Enforcement Act
7. Computer Security Act
8. DNA Identification Act
9. Dodd-Frank Wall Street Reform and Consumer Protection Act
10. Drivers Privacy Protection Act
11. Economic Espionage and Protection of Proprietary Information Act
12. Electronic Communications Privacy Act
13. Electronic Signatures in Global National Commerce Act (ESIGN)
14. Employee Polygraph Protection Act
15. Fair and Accurate Credit Transactions Act of 2003 (FACTA)
16. Fair Credit Reporting Act
17. Family Educational Rights and Privacy Act
18. Federal Computer Crime Act
19. Federal Privacy Act
20. Federal Trade Commission Act
21. Foreign Intelligence Surveillance Act
22. Freedom of Information Act
23. Gramm-Leach-Bliley Act
24. HIPAA Regulations
25. Identity Theft Assumption and Deterrence Act
26. Medical Computer Crime Act
27. OECD Privacy Guidelines
28. PATRIOT Act
29. PIPEDA Privacy Act
30. Privacy Protection Act
31. Real ID Act
32. Right to Financial Privacy Act
33. Safe Harbor Privacy Principles
34. Telecommunications Act
35. Telephone Consumer Protection Act
36. Uniform Computer Information Transactions Act (UCITA)
37. Veteran’s Affairs Information Security Act
38. Video Privacy Protection Act
World Information, Data & Cyber Security News & Legal Roundup
September 20, 2012
German cybersecurity agency prods users to ditch IE
Computerworld – Germany’s cybersecurity agency on Monday urged users to drop Internet Explorer (IE) and switch to a rival, like Chrome or Firefox, until Microsoft patches a new critical bug in its browser.
Democratic senators call for ‘cybersecurity’ executive order
CNET
Senators call for ‘cybersecurity’ executive order. This summer’s partisan sparring that derailed a federal cybersecurity law has resumed, with Democrats proposing an executive order and Republicans saying it would levy “more mandates.”
Cybersecurity scholarships to be offered
UPI.com
“The nation is in dire need of people who are capable of handling the cybersecurity challenges we face,” professor of computing and information sciences Xinming “Simon” Ou said. “We are lagging behind in the number of experts we have versus the threats.
Cybersecurity: Kay Bailey Hutchison condemns Obama’s ‘heavy handed …
Houston Chronicle (blog)
Amid escalating partisan rhetoric over the bipartisan goal of protecting U.S. computer systems from terrorist attacks, Texas Kay Bailey Hutchison criticized President Obama for a “heavy handed, regulatory regime” that would be created.
National Cyber Security Alliance Announces Theme for Data Privacy Day
The Herald | HeraldOnline.com
18, 2012 /PRNewswire-USNewswire/ — The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online and official coordinator of Data Privacy Day (DPD), today …
When it comes to cybersecurity law, where do we draw the line?
ZDNet
Over the past few years, the Obama administration and Congress have taken a variety of legislative runs at creating comprehensive cybersecurity law. See Also: How cybersecurity is like Star Trek’s transporter.
Cyber security biggest challenge for universal credit, says David Freud
ComputerWeekly.com
Cyber security is the biggest challenge for the government’s universal credit roll-out, welfare reform minister David Freud has told a select committee. Speaking to a select committee, pensions minister Ian Duncan Smith said government had consulted …
NetLib teams with CIS to fight cyber security
Mass High Tech
Neil Weicher wants to win the battle in cyber security. NetLib, a Stamford, Conn.-based provider of encryption software founded by Weicher, has partnered with the Center for Internet Security, a non-profit focused on cyber security readiness.
UK spy agency tests Britons’ cyber skills
Reuters
The Government Communications Headquarters (GCHQ) said those aged 16 or over and not already working in cyber security could apply to test their ability to guard a computer network but only 150 contestants at most would be eventually allowed.
Former FBI Cybersecurity Official Steven Chabinsky Thinks FBI is Doing Great …
ticklethewire.com
The FBI’s former top attorney for cybersecurity, Steven Chabinsky, who stepped down this month, thinks the FBI is doing a great job battling the problem, but told the Washington Post that the “federal government” has taken a “failed approach”.
FTC Publishes Guide to Help Mobile App Developers Observe Truth-in-Advertising, Privacy Principles
September 7, 2012
Sept. 5 2012:
From the FTc web site:
The Federal Trade Commission has published a guide to help mobile application developers observe truth-in-advertising and basic privacy principles when marketing new mobile apps. The FTC’s new publication, “Marketing Your Mobile App: Get It Right from the Start,” notes that there are general guidelines that all app developers should consider. They include:
Tell the Truth About What Your App Can Do. – “Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth,” the publication advises;
Disclose Key Information Clearly and Conspicuously. – “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
Build Privacy Considerations in From the Start. – Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need. “For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
Offer Choices that are Easy to Find and Easy to Use. – “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
Honor Your Privacy Promises. – “Chances are you make assurances to users about the security standards you apply or what you do with their personal information. App developers – like all other marketers – have to live up to those promises.”
Protect Kids’ Privacy. – “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
Collect Sensitive Information Only with Consent. – Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
Keep User Data Secure. – Statutes like the Graham-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information.
The Impact of Social Media on Privacy is Unsettled
August 28, 2012
Illustration of Facebook mobile interface (Photo credit: Wikipedia)
A recent New Jersey District Court case underscores the rise in tensions between employers and employees when it comes to Social Media Accounts. In Ehling v. Monmouth-Ocean Hospital Service Corp., the Court denied an employer’s motion to dismiss a former employee’s invasion of privacy claim that alleged a supervisor accessed the employee’s Facebook account. Ehling worked for Monmouth-Ocean Hospital Service Corporation (“MONOC”) and became Acting President of the local union for Professional Emergency Medical Services. Ehling alleged that MONOC began engaging in a pattern of retaliatory conduct against her eventually leading to termination of her employment.
Posting Limited to “Friends”
Ehling maintained an account on Facebook, but kept access to her wall post limited to Facebook “friends,” many of whom were coworkers, but none of whom were members of MONOC’s management. Ehling alleged that MONOC surreptitiously gained access to her Facebook account when a supervisor summoned a MONOC employee, who was a Facebook friend, and coerced, strong-armed, and/or threatened the employee to access his Facebook account in the supervisor’s presence for the purpose of viewing and copying Ehling’s posts.
Ehling alleged that MONOC then sent letters regarding a certain posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Ehling alleged the letters were malicious and meant to damage her professionally.
Accessing Wall Postings Alleged to be Common Law Invasion of Privacy
Ehling’s claim for common law invasion of privacy was premised on Defendants’ alleged unauthorized “access of her private Facebook postings” The Court denied MONOC’s motion to dismiss which argued that Ehliong did not have a reasonable expectation of privacy in her Facebook posting. The Court stated that Under New Jersey law, to state a claim for intrusion upon one’s seclusion or private affairs, a plaintiff must allege sufficient facts to demonstrate that (1) her solitude, seclusion, or private affairs were intentionally infringed upon, and that (2) this infringement would highly offend a reasonable person. See Bisbee v. John C. Conover Agency Inc., 186 N.J. Super. 335, 339 (App. Div. 1982). “[E]xpectations of privacy are established by general social norms” and must be objectively reasonable – a plaintiff’s subjective belief that something is private is irrelevant. White, 344 N.J. Super. 211, 223 (Ch. Div. 2001).
The Impact of Social Media on Privacy is Unsettled
The Court went on to make further observations on the impact of Social Media on Privacy:
“Privacy in social networking is an emerging, but underdeveloped, area of case law. See Robert Sprague, Invasion of the Social Networks: Blurring the Line between Personal Life and the Employment Relationship, 50 U. Louisville L. Rev. 1, 13 (2011) (discussing the undefined legal boundary between public and private communications on social networking websites).
No Reasonable Expectation of Privacy
There appears to be some consistency in the case law on the two ends of the privacy spectrum. On one end of the spectrum, there are cases holding that there is no reasonable expectation of privacy for material posted to an unprotected website that anyone can view. See, e.g., United States v. Gines-Perez, 214 F.Supp.2d 205, 225 (D.P.R. 2002), rev’d on other grounds, 90 F. App’x 3 (1st Cir. 2004) (“[I]t it strikes the Court as obvious that a claim to privacy is unavailable to someone who places information on an indisputably, public medium, such as the Internet, without taking any measures to protect the information”); Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 44(Minn. Ct. App. 2009) (holding that privacy was lost when private information was posted on a publicly accessible Internet website and “[a]ccess to the publication was not restricted”).
Some Reasonable Expectation of Privacy
On the other end of the spectrum, there are cases holding that there is a reasonable expectation of privacy for individual, password-protected online communications. See, e.g., Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (N.J. 2010) (employee could have reasonably expected that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (employee had a reasonable expectation of privacy in personal, password-protected e-mail messages stored on a third party’s server, although the employee had accessed that outside server while at work).
Legal Approaches Continue to Develop
The Court note that a consistent approach hasn’t yet developed. While most courts hold that a communication is not necessarily public just because it is accessible there is disagreement as to how far that theory extends. Some courts have adopted the rule that when one shares private information to one or more persons, there may still be a reasonable expectation that the recipients of the information will not disseminate it further. What is clear is that privacy determinations are made on a case-by-case basis, in light of all the facts presented.
