In U.S. Regulators, Legislators Fill Privacy Void

Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path) to handset manufacturers failures to properly inculcate privacy in the design and manufacturing process (HTC) to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.

Recent developments highlight the trend in Privacy

In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching, mandate, legislators and regulators are stepping into fill at perceived need.

GPS, Location & Privacy

The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever it seeks “location information.” Unfortunately, the term “location information” is very broadly defined, does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.

Proposed Federal Privacy Standards

Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.

FTC Protects Privacy Under Mantle of Consumer Protection

As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.

Wyndham’s web site privacy policy claimed that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.

The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.

Privacy Remains Top Concern

Many companies across many industries, financial services, higher education and healthcare, just to name a few, are facing a wide range of security and privacy concerns, scrambling to implement A defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.

Organizations can lose contracts, customers and their reputation. That could put some out of business.

Compliance Preparation & Best Practices

Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.

Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.

Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.

Standardize. Set standards of acceptable information security for networks, facilities, and information systems.

Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.

Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.

Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.

THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.

Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.

#Bank Information #Security: The Evolving Threat From Insiders

VIDEO: The Evolving Insider Threat– Dawn Cappelli, Randy Trzeciak of CMU’s Insider Threat Center

This video from RSA Conference 2013 discusses:

  • Who typically commits insider crimes – and how;
  • How employees are being victimized from outside;
  • Why our critical infrastructure is at heightened risk.

Even if you are an employer using standard commercial verification measures, you should be cautious about misuse of any information by employees, managers and contractors. Accordingly, you should be careful with training and education and not on only newly-hired employees. Further, plan on how login credential and access to sensitive information will be handled and/or turned over when training or when terminating, suspending, withholding pay, lowering pay, or taking any other adverse action against an employee.

Three Things I Learned About Personal Cybersecurity At RSAConference That You Should Be Doing Right Now

Image representing CloudFlare as depicted in C...
Image via CrunchBase

I just returned from RSAConference 2013 where I had the privilege and honor of giving a presentation of the legal risks caused by social media in the workplace. As a speaker-attendee, I had the priceless benefit of access to all the other speakers and programs held during the conference.

One such program I attended was “We Were Hacked: Here’s What You Should Know”. The speakers, Matthew Prince (@eastdakota) CEO of CloudFlare, and Mat Honan (@mat) writer for Wired Magazine, shared their common experience as targets of high profile hacks. Hearing the details from them first hand, including information from interviews with the hackers themselves, I learned how easy it is to be the victim of hacking and how it’s the little things that create exploitable seams in our information security barriers.

Rather than rewrite their stories, I thought I would share three simple lessons I learned that I’ve already implemented and you should too. Besides, Matt does a better job telling his own story which can be found here.

Here are the three things I learned about how you can protect yourself and others in your organization.

First, security attacks go after the “low hanging fruit” and that often means figuring out a way to exploit your personal email address. With so many web-based services and so much login information to remember, many of us use our personal email as our username for everything from the web sites on which we comment, to our online photo gallery, to our online banking service. Unfortunately, this is probably the address we use for password recovery if we forget. Given that our digital lives are easily mapped, hackers already have one piece of the two-piece login puzzle: they know your user name.

TIP NO. 1: Use a private, obscure email address for your more sensitive information.

Second, once a hacker has accessed your accounts, your computer and your files, the fun has just begun for them. As Matt Honan described, these often adolescent script kiddies simply don’t understand the value of your stored memories and other information. In his case, all the photos of his children were permanently deleted. Regardless of a hacker attack, stuff happens and you don’t want to lose everything because you we’re too lazy to back up.

TIP NO. 2: Back Up your digital life, early and often.

Third, today’s’ Internet is an interdependent ecosystem. Just because you or your organization takes security seriously, doesn’t mean that other do as well. Your internal systems are not enough. Like it or not, the seams of your security perimeter are intertwined and permeated by the services and systems of customers and vendors. For most consumers, the there is a Hobbesian choice of Security v. Convenience. Multiple login usernames and super long passwords are difficult to remember and tedious to use. As a result, most people choose the least secure means of authentication on the assumption that using astringent password is enough. Unfortunately, some people don’t even bothers with that. A recent ZoneAlarm study found that “password” was the fourth most commonly used password by consumers.

Google, Facebook and others have started using two-factor authentication. Two-factor authentication requires that one enter a code after entering the username/password combo. The code is sent via, text message, voice call or email. This greatly reduces the chances of unauthorized access because hackers would need to have your phone, in addition to your username/password combo.

TIP NO. 3: Whenever possible enable two-factor authentication.

Please understand that there is no “magic bullet” when it comes to Cybersecurity. Taking these precautions does not guarantee that you won’t be attached or that your account information won’t be accessed. However, these are important and easy steps that you can take to improve your personal data security.

Please comment and follow!

 

Whose Social Media Account Is It Anyway?

As a result of the rapid shift in marketing from unilateral one-to-many communications, to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.

This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customers engagement and the ability to stay on top of the most current grands and business issues. For employers, it presents opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.

First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. in addition, they contain contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. For both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal versus work-related information.

Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, , Prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.

Lastly, recent cases such as the Cristou v. Beatport litigation, highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post termination risks that arise from the absence of appropriate policies.

As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.

Three Key Factors That Small Business Owners Must Consider To Enhance Their Cybersecurity

Awareness
Awareness (Photo credit: Emilie Ogez)

By now most small business owners are aware that Cybersecurity is an issue. But, how much time and capital should be spent on cybersecurity protection? This article discusses three key factors that should play into that decision.

Factor #1 Awareness.

According to some experts, the biggest problem that small business owners face is simply awareness of the risk. This includes awareness by employees as well.

Most data leaks and other security incidents are caused by employees who are either unaware of security protocols or indifferent to them. Regardless of the level of security in your data center  or the strength of encrypted communications, the weakest link will almost always be the human beings interacting with the network.

To address this risk, small business owners need to focus on training and awareness for employees. However, company management is usually focused on sales and customer service. Further, owners often lack the time and expertise needed to properly assess security risks. Companies in any industry should look to partner with a third-party security firm to asses risks and develop appropriate training.

Factor #2 Employee Training.

Training is the first line of defense against cyber threats. This training needs to include the entire company, and should cover three key areas: (a) proper password management on all company services and devices, including clear procedures for new and departing employees, as well as day-to-day usage; (b) clear guidelines for the sharing of information with remote employees, partners and third parties; and (c) a plan for monitoring usage and privileges to the company’s digital assets.

Employee training needs to account for how the public will access your company’s products or services. For example, what if a hacker got into a system by pretending to be another user? By rolling out new features slowly, its easier to identify and fix security loopholes.

All stakeholders need awareness of: (a) the type of information you’re transmitting (e.g. payment information), (b) the visibility of information you’re transmitting (e.g. highly-publicized public launch vs. a quiet rollout of some new software), and (c) the level of security inherent in the transmission (e.g. encrypted emails and documents shared via a secure server or data shared publicly through public networks and via social media sites.

Factor #3 Vigilance (Monitoring).

For some companies everything is available and accessed online. Since online relationships are built upon trust, it is critical that the company actively monitor the security and transparency of this relationship. Many tools are available to measure and respond to risk factors and gauge likelihood of an impact to help determine the level of investment required. Resources can be assigned to anything with high likelihood and high impact.

For example, monitoring potentially fraudulent user accounts has an immediate commercial benefit as well as reducing risk.

Unfortunately, a common misconception is that putting up basic defenses like firewalls will protect security vulnerabilities. However, after reinforcing your Cybersecurity defense, the focus should shift to monitoring and alerting. In many cases, this may require up-front investments to enable tracking and alerting to irregularities in network and data activity. Fortunately, in the event of a breach or a loss of data, this monitoring information will be the key factor in addressing the problem and pinpointing the issue. Managers, employees and business partners need to understand that Cybersecurity is an ongoing process. Awareness, training and monitoring will go a long way toward enhancing a small business’ Cybersecurity preparedness.

About the Author:

David M. Adler, Esq. is a partner in the Chicago office of Leavens, Strand, Glover & Adler, LLC, a boutique intellectual property and entertainment law firm in Chicago, Illinois whose mission is providing businesses with a competitive advantage by enabling them to leverage their intangible assets and creative content in order to drive innovation and increase overall business value. The practice is organized around five major substantive areas of law: Intellectual Property Law, Commercial & Finance Law, Entertainment & Media Law, Corporate Law and Contract Law.

Contact us for a free consultation today. Dadler @ lsglegal (dot) com or (866) 734 2568

Outrageous! Seven Rent To Own Firms Used Nefarious Software to Spy on Customers in Their Homes

On September 25, 2012, the Federal Trade Commission announced a settlement with seven rent-to-own companies that secretly installed software on rented computers, clandestinely collected information, took pictures of consumers in their homes (WTF?!) and tracked these consumers’ locations.

If you haven’t vomited on your computer from the sickening outrage, you can read the FTC press release here.

Software design firm DesignerWare, LLC licensed software to rent-to-own stores ostensibly to help them track and recover rented computers. The software collected the data that enabled rent-to-own stores, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase, to track the location of rented computers without consumers’ knowledge

According to the FTC, the software enabled remote computer disabling if it was stolen, or if the renter failed to make payments. It included an add-on purportedly to help stores locate rented computers and collect late payments. Alarmingly, the software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.

When activated, the nefarious feature logged key strokes, captured screen shots and took photographs using a computer’s webcam, according to the FTC. It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC. “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers. These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Lisa Madigan.

World Social Media Legal News Roundup

Law professor says social media can pose legal problems in Courtroom
Winnipeg Free Press
SASKATOON – The dean of law at the University of Saskatchewan says using social media can have negative consequences in the Courtroom – Business – Winnipeg Free Press.

Eight Ways Your Employee Social-Media Policy May Violate Federal law
AdAge.com (blog)
All employees have certain rights under federal law that social-media policies can’t restrict.

New Law to Force Identification of Trolls Set to be Unveiled
Technorati
Home / Social Media / Articles / New Law to Force Identification of Troll. … is behind the attacks on them online without having to resort to expensive legal action.

A blue wave of change Cleveland County law enforcers join move toward social media alerts
Norman Transcript
Lauri Stevens, a social media strategist at LAwS Communications, a Boston-area company, said law enforcement agencies nationwide are beginning to embrace social media.

Social media helped, hurt in hunt for suspect in triple shooting
Washington Post
Social media at times was a help, other times a hindrance in the search and eventual arrest of a suspect in the triple fatal shooting at an Alabama apartment complex.

Use social media, but use it responsibly, UAE conference hears
gulfnews.com
He said, “We do not monitor social media networks. People have the freedom to speak within the legal framework. There is no law specifically for twitter, but …

Police: Street gangs embrace social media, too
Kansas.com
Beard gave a presentation on gangs, the Internet and social media at last week’s Midwest Law Enforcement Conference on Gangs and Drugs, held in Wichita.

And…don’t forget to check out my presentation on the Law & Social Data panel at #TechWeek Chicago 2012.

The past few years have witnessed an explosion of legal and regulatory activity involving social and other new media. This session will examine several key areas, including copyright, trademark and related intellectual property concerns; defamation, obscenity and related liability; false advertising and marketing restrictions; gaming; data privacy issues presented by social media; and impacts of social media on employees and the workplace. Attendees will learn how to identify legal risks and issues before they become full-scale emergencies and how to develop appropriate policies and guidelines covering social media activity.

If you can’t make it, check out the Slideshare presentation here.