Recent Court Decisions Provide Some Clarity in Ever-changing Techlaw Landscape

As every CIO knows, today all business is digital business.  From the corner mom and pop bodega using Square to process credit cards up to Cisco Systems global network of devices supporting Zetabytes of data over an increasing number of devices.

What began as largely static website e-commerce at the turn of the millennium is now every day operations across multiple devices and the many different brands of platform and content delivery network.  In case you missed it, two recent cases will have a wide impact regardless of industry period

Law Enforcement Access To Cell Phone Location Data Requires Warrant

In the case of Carpenter v. United States, the Supreme Court ruled that law enforcement must obtain a warrant to have access to location and other data contained on a suspect’s cell phone.  In case you’re not familiar with the case, the facts in the Carpenter case are worth mentioning. In 2011, the government, conducting a criminal investigation in Detroit, obtained months’ worth of time-stamped records known as cell-site location information (CSLI) for suspects.  Wireless carriers produced CSLI for petitioner Timothy Carpenter’s phone, and the Government was able to obtain 12,898 location points cataloging Carpenter’s movements over 127 days—an average of 101 data points per day.  Carpenter moved to suppress the data, arguing that the Government’s seizure of the records without obtaining a warrant supported by probable cause violated the Fourth Amendment.  The District Court denied the motion, and prosecutors used the records at trial.  Carpenter was convicted, based in part on the cell-site records, and he appealed. holding that the government’s acquisition of historic cell-site location information (HCSLI) – at least to the extent it includes 7 days or more of cell-site records – was a search and thereby required a warrant.

In reversing the conviction, a majority of the Court has recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements and a warrant is required only in the rare case where the suspect has a legitimate privacy interest in records held by a third party.  The Court downplayed the significance of its ruling, calling its decision “a narrow one” that “does not express views on “real-time CSLI” or question the application to … a range of other information-gathering tools, such as security cameras.”

What this means for business.  While pundits are wisely praising the decision as a victory for privacy, I for one, do not believe it applies that broadly. Even so, there is a tangible benefit for corporate counsel at technology companies, especially those that maintain location information about their customers. Lawyers and compliance pros will feel some relief knowing that they do not have to scramble, prevaricate or litigate with law enforcement when a company receives a subpoena or other demand for location data without a warrant attached.

For additional views on this decision, please see an article from the International Association of Privacy Professionals here, and another from the Electronic Frontier Foundation here.

States Can Now Require That Internet Retailers Collect Sales Tax

The other notable decision to come down from the Supreme Court involves the long-simmering issue of state taxation on internet sales.

The decision, in South Dakota v. Wayfair Inc., was a victory for brick-and-mortar businesses that have long complained they are put at a disadvantage by having to charge sales taxes while many online competitors do not. And it was also a victory for states that have said that they are missing out on tens of billions of dollars in annual revenue.

The South Dakota Legislature enacted a law requiring out-of-state sellers to collect and remit sales tax “as if the seller had a physical presence in the State” to address the erosion of its sales tax base causing a corresponding loss of critical funding for state and local services (“Act”).  The Act covers only sellers that, on an annual basis, deliver more than $100,000 of goods or services into the State or engage in 200 or more separate transactions for the delivery of goods or services into the State.  Top online retailers with no employees or real estate in South Dakota who met the Act’s minimum sales or transactions requirement, but do not collect the State’s sales tax opposed the Act. South Dakota filed suit in state court, seeking a declaration that the Act’s requirements are valid and applicable to respondents and an injunction requiring respondents to register for licenses to collect and remit the sales tax. At trial and on appeal, courts held that the Act is unconstitutional.

The ruling effectively overturned a system that it created.  In 1992, the Supreme Court held that the Constitution bars states from requiring businesses to collect sales tax unless they have a substantial connection to the state. That case was Quill Corporation v. North Dakota.  The Quill decision helped pave the way for the growth of online retail by letting companies sell nationwide without navigating the complex patchwork of state and local tax codes.

South Dakota’s attorney general, called the ruling “a big win for South Dakota and Main Streets across America.”  The case should benefit both rural businesses where local businesses have been hit hard by competition from online retailers and municipal coffers as well, because in some states local sales taxes are collected at the state level.  Owners of brick-and-mortar stores like the decision as a means of leveling the playing field because they feel they often missed out on sales of big-ticket items since sales tax could have had an amplified effect on the price.  For consumers, this could mean paying more for products bought online.  Although most have a “use tax” that works like a state sales tax for online purchases, few if any consumers actually pay it.

Since the beginning of my practice in 1999, I suggested businesses take a state-by-state approach when it comes to issues like sales tax, since it can vary widely by jurisdiction.  No business is entirely virtual. All businesses will need to examine their ecommerce strategy to see whether and to what extent this case affects the business model.

Advertisements

David Adler continues focus on Cyber Security Conferences

Soem prior conferences:

Data at Risk: Regulatory and Privacy Concerns in a Data Breach. – Enfuse Conference 2018, Las Vegas, NV, May 23, 2018.

Trends in Cyber-Law 2017– ISACA CSX North America 2017, Washington, DC October 2-4, 2017

The Human Side of IT Acquisitions– Assoc. of Technology Acquisition Professionals CAUCUS IT Procurement Summit, New Orleans, LA, November 7-8, 2017

My topic, Assessing and Responding to Cyber Legal Risk,was chosen for presentation at the 2018 New York State Cyber Security Conference. 

#nyscyber 

8 ideas for Lawyers on Cyber Risk, Privacy & Data Protection

While already on many people’s minds after the recent presidential debate, Cyber Risk, Privacy and Data Protection are growing concerns for businesses and consumers alike.

Here are eight (8) suggestions for building a stronger Cyber Risk, Privacy and Data Protection foundation.

The challenge with cyber security and data privacy has always been their breadth of reach. The most pressing IT security and legal issues facing lawyers and businesses continue to come from these areas. Mindful of information overload, lawyers, law firms, and businesses should develop specific cyber security measures from an IT perspective that you can use to be more secure.

Such strategies might include

1) ensuring familiarity with U.S. privacy legislation such as HIPAA, CAN-SPAM, COPPA, FCRA, GLBA, stated privacy laws, state data breach laws,

2) ensuring familiarity with international privacy legislation including the EU, Asia, Australia, and Canada,

3) knowledge of industry standard risk assessment processes, procedures and reporting (e.g., ISO 27001 , NIST 800-53, COBIT, ISO 27001/02),

4) performing privacy and/or security gap assessments,

5) conducting due diligence with or on third parties,

6) knowledge of technologies used to collect, share, access and use personal data,

7) training employees on best practices and techniques and empowering employees to seek CIPP or equivalent certification, and

8) regular evaluation of cyber insurance policies and coverages.

A recent study published in the Journal of Cybersecurity, found that security breaches were on the upswing, and sectors with the highest number of reported hacks were finance and insurance, health care and government entities. Ccosts include investigating the causes of a breach, notifying consumers, increasing customer support, paying for identity theft insurance or credit monitoring, and dealing with legal actions. Following these 8 steps is a good place to start strengthening a Cyber Risk, Privacy and Data Protection foundation

DISCLAIMER. This is not nor is it intended to be legal advice. Each situation is unique. You should direct any questions you have about your specific situation to competent counsel.

CyberRisk Privacy Data Protection