Privacy Law – How Do You Verify the Identity of a Data Requestor?

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 and will go into effect in 2020. Among many concerns about the ability of small businesses to comply with obligations imposed by the CCPA is the requirement that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted. Whether or not your practice involves regular questions of Privacy Law, your clients may be asking you about the CCPA. By keeping data minimization objectives in mind and not over-thinking compliance obligations, verifying the identity of a data requestor may be straightforward.

The ability to control how one’s data is used is a cornerstone of the CCPA. However, this puts a burden on a business to ensure that only a “verified” consumer accesses the requested data and to avoid fraudulent requests. To access or delete information, a consumer must submit a “verifiable consumer request.” While the term implies that a business must take steps to “verify” the individual making the request, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.

With little to go on, a business might be tempted to act over-cautiously and require more information than is actually necessary to verify identity. With data minimization principles in mind, it is important to recognize privacy risks to avoid. Don’t over-reach; avoid obtaining more sensitive or potentially harmful information than is necessary to complete the request. Also, avoid asking for sensitive documents such as a passport.

A good rule of thumb is to try to use the same method that was used to gather the data in the first place. For example, suppose your client operates a consumer website featuring information, and users are required to provide a username and password to register with the site. Ask the requestor to provide a username and password to verify. If two-factor authentication was used, then challenge that requestor using the same method. Don’t ask for a driver’s license.

If a client is asking for additional resources on how to implement policies and procedures, it is useful to look to industry-standard references, such as NIST. A good (but technical) explanation is NIST’s Guidelines on verifying identity. If this is too technical, a client should work with a consultant who can explain the framework. One valuable upside is that if a business is required to respond to a regulator or litigant, the business can point to use of the industry standard as a reasonable basis for compliance efforts.

Are you tasked with advising a client how to craft a CCPA policy or procedure? There is no requirement that companies create a written policy for processing requests. If a company chooses to create an internal policy or procedure for handling data access and deletion requests, the following four topics are relevant:

  1. Data subject verification. Before taking any action, a company should verify that the individual who submitted the request is the individual to whom the data belongs. Verifying identity depends upon the type of data maintained. Remember, if the requestor signed up with a username and password, use this to verify.

  2. Communications. A business must respond to a requestor, even if the response is a denial. To streamline a timely response, a company may choose to create template communications and procedures.

  3. Evaluating the request. The right to be forgotten is not an absolute right. Some companies choose to include a discussion of when the right does, and does not, have to be granted within their internal policy or procedure. If a request is refused, reply with a reason and provide options (regulator, court?).

  4. Completing a request. Upon verification of the identity of a requestor and a determination that a deletion request should be granted, a business can include instructions for technical steps that should be taken in order to erase a requestor’s information.

For clients implementing processes and procedures to respond to individuals who invoke their rights under the CCPA, meeting the requirement to verify the requestor’s identity (and reduce the risk of complying with a fraudulent request) can present a risk. However, with data minimization objectives in mind, using verification methods that make sense in the context of the requestor’s data may reduce some of the burden of verifying the identity of a data requestor.

FOR EDUCATIONAL PURPOSES ONLY. NOT LEGAL ADVICE.

Declaratory Judgment Action for Copyright Infringement

At a time when #media creation & consumption is traveling across a growing number of devices, at increasing speeds, and without care for borders, whether physical, digital, or geographic, the licensing, distribution and use of digital content can cause problems.

The case of Fastcase, Inc. v. Lawriter, LLC, Case No. 17-14110 (11th Cir. Oct. 29, 2018) (Tjoflat, J), involved a dispute between two legal publication service companies over the right to re-publish the Georgia Regulations.

The Declaratory Judgment defendant and presumptive rights owner had no enforceable copyright or contract rights in the Regulations. Defendant updated the terms so that unauthorized re-publication of the Regulations would result in liquidated damages of $20,000 per instance, which was relevant to the jurisdictional issues of whether § 411(a) is a jurisdictional bar.

From The National Law Review, source for this story: “Practice Note: A demand letter alleging infringement under the Copyright Act—or even alleging state law claims that would arguably be preempted by the Copyright Act—confers jurisdiction on a federal court to hear the recipient’s declaratory judgment action.”

HealthCare & IT: mHealth, Telehealth and Telemedicine Developments

Global and China mHealth App Market Size and Forecast up to 2014: Acute Market Reports

The report introduced MHealth App basic information about international market analysis, China domestic market analysis, Macroeconomic environment and economic situation analysis, MHealth App industry policy and plan, MHealth App product specification, manufacturing process, cost structure and statistics in China.

‘meHealth’ for HIV in Africa

Combination of mHealth and e-health technologies and services to give personalized health support to anyone in the health system.

M-health: Set to Grow Its Clout

On the back of growing awareness about information and communications technology (ICT)-led healthcare services among users, m-health saw healthcare become a buzzing and interesting space in India.

Diabetes tools progressing from monitoring to proactive disease management

Developing diabetes care management strategies that extend beyond the clinic environment, reports mHealth Intelligence.

App, portal help spina bifida patients with self-care tasks

“The objective of this research is to develop an innovative mHealth system to support self-skincare tasks, skin condition monitoring, adherence to self-care regimens, etc…

Digital healthcare services in 2016 (and beyond)

Solving the complex problem of medication adherence could have a huge impact on lowering cost of care; It’s no surprise that millions of dollars have already been invested in digital health software to guide the process. In 2016, expect the basics of digital adherence — self-reporting, tracking refills and chronic disease outcomes, etc. — will receive a boost from the use of sensors to collect confirming data, whether it’s via breath analysis, urine sampling, or another non-invasive method.

DATA PRIVACY DAY 

Do You Understand Your Data Privacy Rights?

Data Privacy Day was started in 2007 in response to widespread lack of understanding about how personal data was being protected. Today, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies, according to a recent Pew Research Center Survey.

Data is one of the natural resources of the 21st century. It should be treated like all other precious resources. Understanding, responsibility, and accountability are key. Ubiquitous Internet connections, unprecedented processing power and speed combined with staggeringly large databases have the ability to help both the private and public sectors. However, the growing split between the benefits of data-driven activities and perceptions of decreased privacy rights needs to be addressed. There is a balance that needs to be found between the responsibility of governments and that of businesses in ensuring an adequate level of protection to citizens and consumers, while supporting technological innovation.

The purpose of Data Privacy Day is to raise awareness among digital citizens and empower them with an understanding of how their data is being collected, stored and consumed. Often, that starts with being educated about the privacy policies of online companies and web properties.

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government.

Whether you are a consumer, an application developer, a technology platform provider, consultant, or enterprise that relies on the collection, analysis and commercialization of data (who doesn’t these days), Adler Law Group can help you navigate this emerging area by 1) assessing and prioritizing privacy risks, 2) creating a baseline understanding of data assets, data flows and contractual commitments, 3) developing internal Privacy Policies and processes, and 4) creating and delivering training programs for executives and employees that increase awareness and mitigate risk.

Failure to Mind Corporate Details Leads to Loss of Copyright, Infringement Lawsuit

The case of Clarity Software, LLC v. Financial Independence Group, LLC is a great example of the serious, negative consequences to intellectual property ownership when business owners and legal counsel fail to ensure that tasks are completed.

The short version is that the creator of computer software, Vincent Heck, sold the copyright in his software to settle a debt to a creditor, Eric Wallace, who intended to form Clarity Software, LLC to own and distribute the software. The lawsuit was for infringement of the copyright in the software.

As they say, “the devil is in the details.” In this case, the detail that became a devil, and ultimately prevented Wallace from enforcing a copyright in the software, was the fact that Clarity Software, LLC was never properly formed and therefore lacked standing to sue for infringement.

Forgive me for employing yet another trite phrase, but “truth is often stranger than fiction.” The Defendant proved that a veritable comedy of errors had occurred resulting in no record of the formation, including 1) the Department of State of Pennsylvania losing the certificate of organization, along with all records of the submission and filing of the certificate of organization, 2) the Plaintiff’s bank (PNC Bank) losing its copy of the certificate of organization provided when Wallace opened a bank account (even though PNC Bank still had the signature card completed when the account was opened), and 3) Wallace, himself a former President of the Pennsylvania Institute of Certified Public Accountants, losing his copy of the certificate of organization and all records of his communications with his attorney.

Defendant successfully moved for summary judgment based on its argument that Plaintiff did not own the copyright at issue in the litigation since it was not properly organized as a Pennsylvania limited liability company and never acquired valid ownership of the copyright.

Hat tip to Pamela Chestek and her blog, Property Intangible, where she first wrote about this case October 13, 2014. The opinion and order can be found here: Clarity Software, LLC v. Financial Independence Group, LLC, No. 2:12-cv-1609-MRH (W.D. Pa. Sept. 30, 2014).

To find out more about how the Adler Law Group can help your business identify risk and issues related to intellectual property ownership, corporation or LLC formation, or just assess risk associated with your business, contact us for a free, no-obligation consultation by emailing David @ adler-law.com, visiting our web site www.adler-law.com, or calling toll free to (866) 734-2568.

AEREO LOSES COPYRIGHT CASE

Technology Continues to Test The Bounds of Copyright Law

The Internet is an unprecedented source of disruption. From retail services (e.g. Amazon) to media and entertainment, almost every industry has been forced to rethink its business model due to the accessibility, ubiquity and democratizing force of the Internet. Aereo was positioned to disrupt the traditional media distribution model by giving consumers greater control over what were otherwise “free” over-the-air transmissions.

The Aereo service was premised on the idea that consumers should be able to watch and record over-the-air broadcast television programming via the Internet. Major broadcast networks that owned the content made accessible through Aereo challenged the model on the grounds that Aereo was violating the exclusive “public performance” right guaranteed by the Copyright Act.

Copyright law provides copyright owners six exclusive rights. One of those rights is the exclusive right to publicly perform the copyrighted work. Because this right is a statutory construct, one must look to the statute to determine its meaning. To “perform” and to perform “publicly” means “to transmit or otherwise communicate a performance or display the work to a place … or to the public, by means of any device or process, whether the members of the public capable of receiving the performance or display receive it in the same place or in separate places and at the same time or at different times.”

While many reacted by asking whether the case would stifle innovation and have a chilling effect on start-ups, this case does highlight the increasing tension between technological advances and copyright law.

From a practical standpoint, one need not be alarmed about the impact of the decision on most types of innovation. For one thing, the Court went to some lengths to craft a reasonably narrow decision, which applies only to broadcast TV retransmitted over the Internet.

As with any type of innovation, there are different types of risk. On the one hand, there is technology risk: the risk that whatever technology is necessary for some business plan simply won’t work. On the other hand, there is legal risk, highlighted by the Aereo decision: the risk that the entrepreneur’s interpretation of some act or case law won’t ultimately prevail. That’s what happened to Aereo.

As an IP lawyer, I am somewhat perplexed. It is hard for me to understand why Aereo made such a bold move. However, at least the district court agreed with Aereo’s interpretation.

Identifying Intellectual Property Issues in Start-Ups – Live Webcast!

Do you work with start-up companies and need a basic understanding of the various intellectual property issues that can arise?

I will be co-presenting in this online seminar that will help you:

  • understand the trademark and copyright problems your client may encounter with branding;
  • learn how to protect your client’s branding once established;
  • familiarize your practice with patents, including what they protect, timing, and strategies to prevent inadvertent loss of patent rights before filing the application;
  • understand trade secrets and the importance of non-disclosure and confidentiality agreements;
  • recognize intellectual property issues relating to technology, including open source code and the cloud;
  • establish a proactive approach toward intellectual property ownership between cofounders, employees, and vendors;
  • understand business names, domain names, promotional issues, and website content concerns.

The program qualifies for 1.5 hours MCLE credit.

I would like to personally invite you to attend the upcoming Law Ed program titled, “Identifying Intellectual Property Issues in Start-Ups,” which I will be co-presenting via live webcast on Tuesday, May 27th.

Presented by the ISBA Business Advice and Financial Planning Section

Co-Sponsored by the ISBA Intellectual Property Section