Tracking Tech Case Provides Guidance on Customer Opt Outs

From healthcare apps, to mobile devices, to utilities, services are collecting and aggregating customer data across many different types of connected devices. Many mobile apps and services rely on a consumer’s location information. As more mobile apps connect to the Internet to send and receive location data, the FTC, legislators, privacy advocates, and others have identified location information as a particularly sensitive category of data. A recent study conducted by Carnegie Mellon University contained shocking revelations about the frequency with which location information is gathered and transmitted to companies through their mobile apps. At the same time, the recent settlement with in-store retail customer tracking provider Nomi highlights the FTC’s increased scrutiny of data gathering practices and disclosures of mobile application developers.

It is no secret that retailers could derive significant business intelligence from the real-time moments through stores. This is one of the areas around which companies innovate around customers’ private information. For example, Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores, made headlines when it agreed to settle Federal Trade Commission charges that it misled consumers about opting out of their tracking services. This is not why you want to have your company’s innovations in the news.

Business counsel both inside and outside of companies developing applications that leverage mobile geolocation data of consumers and employees should be aware of the many issues that are developing around this area such as: How is geolocation information gathered and how does data flow from device, to app to, third party? How is it shared and used in mobile advertising? When is consent required and how should stakeholders obtain such consent?

 

The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included social security numbers and birth dates, etc. Very different than having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com.

DATA PRIVACY DAY 

Do You Understand Your Data Privacy Rights?

Data Privacy Day was started in 2007 in response to widespread lack of understanding about how personal data was being protected. Today, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies, according to a recent Pew Research Center Survey.

Data is one of the natural resources of the 21st century. It should be treated like all other precious resources. Understanding, responsibility, and accountability are key. Ubiquitous Internet connections, unprecedented processing power and speed combined with staggeringly large databases have the ability to help both the private and public sectors. However, there is a growing split between the benefits of data-driven activities and perceptions of decreased privacy rights needs to be addressed. There is a balance that needs to be found between the responsibility of governments and that of businesses in ensuring an adequate level of protection to citizens and consumers, while supporting technological innovation.

The purpose of Data Privacy Day is raise awareness among digital citizens and empower them with understanding how their data is being collected, stored and consumed. Often, that starts with being educated about the privacy policies of online companies and web properties.

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government.

Whether you are a consumer, an application developer, a technology platform provider, consultant, or enterprise that relies on the collection, analysis and commercialization of data (who doesn’t these days) Adler Law Group can help you navigate this emerging area by 1) assessing and prioritizing privacy risks, 2) creating a baseline understanding of data assets, data flows and contractual commitments, 3) developing internal Privacy Polciies and processes, and 4) creating and delivering training programs for executives and employees that increases awareness and mitigate risk.

Contracts & Copyright: Issues for Authors, Writers & Creative Professionals

To find out more about how the Adler Law Group can help your business identify risk and issues related to intellectual property ownership, corporation or LLC formation, or just assess risk associated with your business, contact us for a freeno-obligation consultation by emailing David @ adler-law.com, visiting our web site www.adler-law.com, or calling toll free to (866) 734-2568.

Failure to Mind Corporate Details Leads to Loss of Copyright, Infringement Lawsuit

The case of Clarity Software, LLC v. Financial Independence Group, LLC is a great example the serious, negative consequences to intellectual property ownership when business owners and legal counsel fail to ensure that tasks are completed.

The short version is that the creator of computer software, Vincent Heck, sold the copyright in his software to settle a debt to a creditor, Eric Wallace, who intended to form Clarity Software, LLC to own and distribute the software. The lawsuit was for infringement of the copyright in the software.

As they say, “the devil is in the details.” In this case, the detail that became a devil, and ultimately prevented Wallace from enforcing a copyright in the software, was the fact that Clarity Software, LLC was never properly formed and therefore lacked standing to sue for infringement.

Forgive me for employing yet another trite phrase, but “truth is often stranger than fiction.” The Defendant proved that a veritable comedy of errors had occurred resulting in no record of the formation, including 1) the Department of State of Pennsylvania losing the certificate of organization, along with all records of the submission and filing of the certificate of organization, 2) the Plaintiff’s bank (PNC Bank) losing its copy certificate of organization provided when Wallace opened a bank account (even though PNC Bank still had the signature card completed when the account was opened), and 3) Wallace, himself a former President of the Pennsylvania Institute of Certified Public Accountants, losing his copy of the certificate of organization and all records of his communications with his attorney.

Defendant successfully moved for summary judgment based on its argument that Plaintiff did not own the copyright at issue in the litigation since it was not properly organized as a Pennsylvania limited liability company and never acquired valid ownership of the copyright.

Hat tip to Pamela Chestek and her blog, Property Intangible, where she first wrote about this case October 13, 2014. The opinion and order can be found here: Clarity Software, LLC v. Financial Independence Group, LLC, No. 2:12-cv-1609-MRH (W.D. Pa. Sept. 30, 2014).

To find out more about how the Adler Law Group can help your business identify risk and issues related to intellectual property ownership, corporation or LLC formation, or just assess risk associated with your business, contact us for a free, no-obligation consultation by emailing David @ adler-law.com, visiting out web site www.adler-law.com, or calling toll free to (866) 734-2568..

AEREO LOSES COPYRIGHT CASE

Technology Continues to Test The Bounds of Copyright Law

The Internet is an unprecedented source of disruption. From retail services (e.g. Amazon) to media and entertainment, almost every industry has been forced to rethink its business model due to the accessibility, ubiquity and democratizing force of the Internet. Aereo was positioned to disrupt the traditional media distribution model by giving consumers greater control over what were otherwise “free” over-the-air transmissions.

The Aereo service was premised on the idea that consumers should be able to watch and record over-the-air broadcast television programming via the Internet. Major broadcast networks that owned the content made accessible through Aereo challenged the model on the grounds that Aereo was violating the exclusive “public performance” right guaranteed by the Copyright Act.

Copyright law provides copyright owners six exclusive rights. One of those rights is the exclusive right to publicly perform the copyrighted work. Because this right is a statutory construct, one must look to the statute to determine its meaning. To “perform” and to perform “publicly” means “to transmit or otherwise communicate a performance or display the work to a place … or to the public, by means of any device or process, whether the members of the public capable of receiving the performance or display receive it in the same place or in separate places and at the same time or at different times.”

While many reacted by asking whether the case would stifle innovation and have a chilling effect on start-ups, this case does highlight the increasing tension between technological advances and copyright law.

From a practical standpoint, one need not be alarmed about the impact of the decision on most types of innovation. For one thing, the Court went to some lengths to craft a reasonably narrow decision, which applies only to broadcast TV retransmitted over the Internet.

As with any type of innovation, there are different types of risk. On the one hand, there is technology risk: the risk that whatever technology is necessary for some business plan simply won’t work. On the other hand, there is legal risk, highlighted by the Aereo decision: the risk that the entrepreneur’s interpretation of some act or case law won’t ultimately prevail. That’s what happened to Aereo.

As an IP lawyer, I am somewhat perplexed. It is hard for me to understand why Aereo made such a bold move. However, at least the district court agreed with Aereo’s interpretation.

Oklahoma, Louisiana, join growing list of States with Social Media Laws

Oklahoma and Louisiana join Wisconsin and Tennessee in recent laws restricting access to applicants’ and employees’ personal online content by prospective and current employers. Adoption of Social Media platforms continues to grow as do new legal and business risks arise as well as state legislatures provide new rules, regulations and guidance. As state by state compliance requirements develop, businesses need to review frequently overlooked elements of key social media guidance, such as how to approach specific areas like Monitoring, Content Approval, Training and Information Security.

This latest round of bandwagon-jumping follows efforts by most other states that have addressed the issue. The key take-away is that business need to take a state-by-state approach to social media legal compliance.

Generally, most of these types of laws prohibit employers from requesting or requiring that applicants or employees disclose a username, password, or other means of authentication for their online accounts.

Employers should be on the lookout for laws that address whether an applicant or employee must accept a “friend” request, change privacy settings to permit access by the employer, or otherwise divulge personal online content.

Another area of concern is the definition of “personal,” “social media” and “account. ” these definitions vary and often cover far more than common notions of social media.

Some laws apply to any online account, including e-mail, instant messaging and media-sharing accounts. Some laws address the scope of use such as “exclusively for personal communications” as opposed to “business purposes of the employer” or “business-related communications.” This carve-out further narrows the scope of the Oklahoma and Louisiana laws.

While these laws generally prohibit adverse actions based based on a refusal to provide user name, password or other authentication information, each law should be scrutinized for broader prohibitions, such as those against penalizing or threatening to penalize an employee or applicant for refusing such requests.

Technology continues to evolve and so does the legal and regulatory environment. Businesses need to continually assess and address the risks created by new laws and new uses of tech in the workplace.

Contact us for a free consultation to learn what we can do to help your business navigate the ever-changing regulatory minefield. What you don’t know can hurt you. We are here to help you avoid getting hurt.