In case you missed this year’s ForenSecure Conference on Cyber Security and Data Forensics, there is a link below to my presentation. To give you an idea how fast the law is changing in these areas, you need look no further than the state of New Mexico. New Mexico joined 47 other states when it passed its own state data breach notification law in April 2017.
Other notable and recent observations:
- On March 7, 2017, the CIA got doxed by the anti-secrecy organization WikiLeaks. Nearly 9,000 documents appeared online.
- In 2016, 106 major healthcare data breaches were attributed to hackers.
- Financial Services – Third in overall security incidents, but first in number of incidents with confirmed loss.
- University of Central Florida announced a data breach affected approximately 63,000 current and former students, faculty, and staff.
- Yahoo – general counsel resigned and the CEO lost 2016 cash payout as well as 2017 equity award.
See the full presentation with notes here:
Forensecure 2017 Data At Risk
This article first appeared in THE LEGAL SIDE OF TECH on CIO.com here.
Recent high-profile data breaches highlight the challenges in understanding how laws apply to a wide variety of information management scenarios and a host of other regulatory, compliance and legal issues.
Cybersecurity and privacy continue to make headlines. Experts have more questions than answers addressing risk management concerns in the evolving cybersecurity market.
High-profile data breach incidents
On March 7, 2017, the CIA got doxed by the anti-secrecy organization WikiLeaks. Nearly 9,000 documents appeared online showing the CIA sought to observe conversations, online browsing habits and other activities by infiltrating the systems that contained them, such as Apple and Android smartphones, laptops, TVs and even cars. The government is not alone.
Nearly every industry that handles sensitive data has been breached recently:
- Healthcare: ransomware attacks are projected to rise 250%, and hackers were responsible for 106 major healthcare data breaches in 2016.
- Financial services: Despite ranking only third in volume of security incidents, the financial services industry came in first in number of incidents leading to confirmed data losses.
- Insurance: Risk is twofold in this market, because insurers are not only targets of hackers, they’re also providers of coverage to victims.
- Education: At the beginning of February 2016, the University of Central Florida announced a data breach had affected approximately 63,000 current and former students, faculty and staff.
Third-party vendor risk
Third-party vendors remain a growing source of concern. Companies are well-advised to look beyond their own cybersecurity policies and standards to the potentially bigger risk that arises from giving third-party vendors direct access into their systems. Indeed, low-tech threats like errors by vendors’ employees represent an often-overlooked danger to company data security. Newer technology trends such as enterprise-level SaaS provisioning and cloud data storage and processing offer new possibilities and perils alike.
Given the inevitability of cybersecurity breaches, companies are increasingly looking to insurers to offset the losses they are likely to face after suffering an attack. However, because the cyber insurance market is young and growing rapidly, the scope and availability of policies is still fluid. Companies should carefully review the specifics and limits of coverage. According to one source, most questions right now are focused on coverage for business interruptions and losses related to fraudulent transactions.
Smaller companies may face even bigger challenges. Few small companies have the staff or the resources to actively manage cybersecurity risk, and many assume that their business risks are small. Despite their smaller size, these businesses will incur the same level of breach-related costs as larger companies.
By now it’s hard to say anything new about the U.S. Supreme Court victory of Varsity Brands in the STAR ATHLETICA, L.L.C. v. VARSITY BRANDS, INC. copyright infringement lawsuit.
If you don’t know the case, it’s fairly straightforward: Varsity Brands has over 200 copyright registrations for two-dimensional designs (lines, chevrons, and colorful shapes) used on the surface of the cheerleading uniforms that they design, make, and sell. Varsity sued Star Athletica, which also markets cheerleading uniforms, for copyright infringement. Star won in District Court on the theory that the designs were ineligible for copyright protection. Varsity won on appeal to the Sixth Circuit, which held that the graphics could be “identified separately” and were “capable of existing independently” of the uniforms, qualifying for protection under the U.S. Copyright Act.
Justice Thomas writing for the Court held: “an artistic feature of the design of a useful article is eligible for copyright protection if the feature (1) can be perceived as a two- or three-dimensional work of art separate from the useful article and (2) would qualify as a protectable pictorial, graphic, or sculptural work either on its own or in some other medium if imagined separately from the useful article.”
What seems plain and simple on its face may prove otherwise. The Star Athletica decision is simply the jumping-off point for future controversies regarding the existence and scope of protection for fashion designs and concepts. While the Court does note the commercial aspect of the situation, “two-dimensional designs—consisting of various lines, chevrons, and colorful shapes—appearing on the surface of the cheerleading uniforms that they design, make, and sell,” little is made of this fact elsewhere in the opinion. Given the $2.4 trillion global value of the fashion industry, I suspect the case will form the basis of many IP enforcement cases soon to come.
Ever had an interior design client refuse to pay, not give you credit for your work, or use your design without actually hiring you? As unfair as these situations sound, the truth is they happen often. Poor planning, client management or incomplete contracts account for most of these situations. Get expert legal advice from a Chicago-based lawyer who understands the ins and outs of the design industry and learn how to address some of the biggest risk factors designers face today and how your contract can (and more importantly, should) protect you. Follow the link for access to the free informational presentation about improving your interior design contracts.
From film to fashion, creative industries are taking steps to protect and promote original work. Designers and manufacturers need to know what steps they can take to protect their designs, their businesses, and their profits. As more interior designers develop signature styles and product lines, protecting original design is more important than ever. Many industry leaders have homed in on this idea, and are exploring the line between inspiration and replication.
In my recent CEU presentation “Contract Basics for Interior Designers,” I discussed reputational harm that comes from bad clients, bad projects and competitors. My lecture is part of the Business of Design Lecture Series curated by Design Center at The Merchandise Mart. This event was held February 23, 2017. The growth of sites like Yelp! and other unmoderated opinion sites creates an easy way to vent frustrations that may end up causing problems for design professionals later.
Curiously, few have studied the application of state rights of privacy or rights of publicity to interior design.
Right of publicity law is defined solely by reference to a patchwork of state statutes and common law decisions. Different states have widely divergent right of publicity laws. This creates risks and uncertainty for a wide range of content producers. At the same time, strong federal protection of free speech rights often colors these risks.
For example, take the State of Indiana. This state’s right of publicity statute is the most plaintiff-friendly in the nation, and it contains sweeping jurisdictional and choice of law provisions.
Comprised of connected devices such as thermostats, automobiles, electricity, televisions, fitness trackers, security/baby-monitoring cameras, medical devices, cell phones and tablets, IoT adoption is penetrating some of the world’s most regulated industries such as healthcare, energy, government, financial services, and retail. The potential size of the IoT market is staggering. Commercial-device-focused GE estimates the “Industrial Internet” market will reach $10-$15 trillion over the next 20 years. Consumer-focused Cisco estimates the “Internet of Everything” will be $19 trillion by 2020.
Several recent examples from researchers and manufacturers have shown just how easily privacy and security can be compromised by these devices. In April of 2014, research on Nest Smart Thermostats by Matthew Burrough and Jonathan Gill at U. of I. at Urbana-Champaign revealed two observations impacting privacy and security.
First, Nest appears to be “offline,” yet responds immediately to cloud-based (online) temperature control changes. Second, by interacting with the thermostat or triggering the motion sensors, persistent connections can be made. Taken together, the potential exists to exploit seemingly reasonable functional expectations (e.g., monitoring temp changes).
These technology and privacy legal issues are only likely to proliferate. Regardless of the outcome, the case highlights lessons for IT departments and others charged with safeguarding data on devices. As a precaution, it is useful to consult with outside technology counsel to better understand your rights, obligations, and any limitations to your responsibilities for disclosure.