The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included social security numbers and birth dates, etc. Very different than having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com.

DATA PRIVACY DAY 

Do You Understand Your Data Privacy Rights?

Data Privacy Day was started in 2007 in response to widespread lack of understanding about how personal data was being protected. Today, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies, according to a recent Pew Research Center Survey.

Data is one of the natural resources of the 21st century. It should be treated like all other precious resources. Understanding, responsibility, and accountability are key. Ubiquitous Internet connections, unprecedented processing power and speed combined with staggeringly large databases have the ability to help both the private and public sectors. However, there is a growing split between the benefits of data-driven activities and perceptions of decreased privacy rights needs to be addressed. There is a balance that needs to be found between the responsibility of governments and that of businesses in ensuring an adequate level of protection to citizens and consumers, while supporting technological innovation.

The purpose of Data Privacy Day is raise awareness among digital citizens and empower them with understanding how their data is being collected, stored and consumed. Often, that starts with being educated about the privacy policies of online companies and web properties.

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government.

Whether you are a consumer, an application developer, a technology platform provider, consultant, or enterprise that relies on the collection, analysis and commercialization of data (who doesn’t these days) Adler Law Group can help you navigate this emerging area by 1) assessing and prioritizing privacy risks, 2) creating a baseline understanding of data assets, data flows and contractual commitments, 3) developing internal Privacy Polciies and processes, and 4) creating and delivering training programs for executives and employees that increases awareness and mitigate risk.

GEAR UP FOR FALL! Now Is A Good Time To Take A Look At Those Contracts

Contracts

One of the most important tools to protect your business – your ideas, customer relationships and talent pool – is your written contract. A solid contract is the foundation for a reliable relationship for you, your customers and your employees. More importantly, it helps to prevent misunderstandings and false expectations that can lead to a breakdown in your customer relationship, jeopardize the project and result in litigation.

Many companies start with a model or “form” contract adapted from forms available online or drafted when the business first started. As businesses develop over time, you may have revised your contracts, adding a little here, removing a little there. Maybe you read an article about an important case in your industry and decided to add some text from the contract discussed in the court’s legal opinion. In many cases, over time, the agreements become “Franken-contracts” an odd amalgamation of trade lingo, inconsistent terms and even contradictory conditions. At best these are ambiguous and confusing to read. At worst, they become unenforceable.

At some point, you should review, revise and generally “tighten” existing contracts. You should have your lawyer review them to make sure that there are no mistakes, ambiguities or omissions that could cost you or your customers. I urge clients to have their contract forms reviewed on an annual basis. Depending on changes in the law, changes in the industry or changes in your own business, this process should only take a few hours.

The following are six things to consider as you review your existing contract forms and business practices.

First, are you using a written contract? Simply having a written agreement in place will help prevent the often difficult, time-consuming and expensive dispute that comes down to a “he said / she said” situation.

Second, make sure that the key terms of your contract are consistent and understandable. Pricing and payment terms, clear descriptions of the services to be performed or the goods to be delivered, as well as due dates and acceptance criteria will go a long way toward preventing breach of contract claims. More importantly, ambiguous and internally-contradictory terms may expose you to fraud claims or claims under an unfair business practices act. These types of claims are typically much more difficult and more expensive to defend against.

Third, create a mechanism for changes in your contract. Circumstances change. When they do, make sure that you document them and that your customer initials and dates any additions or changes to the contract after it is signed.

Fourth, don’t overlook intellectual property (“IP”) rights, Many business relationships involve collaborative sharing or development of knowledge, skills and protectable IP assets such as copyrights, trademarks, patents and trade secrets. Intangible assets are often the most important drivers of revenue creation and value. Overlooking creation, ownership and control of IP rights may result in the loss of these assets.

Fifth, ensure that your contracts are up-to-date with respect to local laws and industry regulations. Recent developments in technology, e.g., BYOD, Social Media, Mobile commerce, and online privacy had produced a raft of state, federal and industry specific laws, rules and regulations. Do you regularly update your forms to make sure they comply with changes to local laws?

Sixth, understand your “escape” options. Not every relationship is meant to last forever. Your contracts should have clear and concise terms for ending the relationship such as failure to perform, failure to pay or adverse business conditions.

To find out more about how the Adler Law Group can help you tighten your contracts, or even draft new ones, contact us for a free, no-obligation consultation.

Identifying Intellectual Property Issues in Start-Ups – Live Webcast!

Do you work with start-up companies and need a basic understanding of the various intellectual property issues that can arise?

I will be co-presenting in this online seminar that will help you:

  • understand the trademark and copyright problems your client may encounter with branding;
  • learn how to protect your client’s branding once established;
  • familiarize your practice with patents, including what they protect, timing, and strategies to prevent inadvertent loss of patent rights before filing the application;
  • understand trade secrets and the importance of non-disclosure and confidentiality agreements;
  • recognize intellectual property issues relating to technology, including open source code and the cloud;
  • establish a proactive approach toward intellectual property ownership between cofounders, employees, and vendors; understand business names, domain names, promotional issues, and website content concerns.

The program qualifies for 1.5 hours MCLE credit.

I would like to personally invite you to attend the upcoming Law Ed program titled, “Identifying Intellectual Property Issues in Start-Ups,” which I will be co-presenting via live webcast on Tuesday, May 27th.

Presented by the ISBA Business Advice and Financial Planning Section

Co-Sponsored by the ISBA Intellectual Property Section

Is Your Company’s Web Site Privacy Policy Compliant With New California Law?

Privacy Law Update: California “Do Not Track” 

Two California laws went into effect at the beginning of the year that  require additional notifications to consumers.  The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents (in reality anyone with a web site that may be accessed by a CA resident) post a privacy policy that gives notice to consumers regarding behavioral or interest-based advertising practices (“OBA”).

Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business.

If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

Are you  concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.

Please contact us for a no-fee consultation.

Amended California Do Not Track Disclosure Law Requires Websites Disclose Do Not Track Signal Response

At the end of August, the California passed an amendment to the California Online Privacy Protection Act that will require commercial websites and services that collect personal data to disclose how they respond to Do Not Track signals from Web browsers.

AB 370, as introduced by California Assemblyman Al Muratsuchi, requires a business that discloses a customer’s personal information to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.

This bill, available here, would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.


Proposed Amedments To Computer Fraud & Abuse Act

Enacted by Congress in 1986, the Computer Fraud and Abuse Act (CFAA) builds upon existing computer fraud law (18 U.S.C. § 1030). Initially, the CFAA was intended to limit federal jurisdiction to cases “with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.” Notably, the CFAA criminalized certain computer-related acts such as distribution of malicious software code, propagating denial of service attacks as well as trafficking in passwords and similar items. Recently, the CFAA has gained prominence as a bludgeon used to prosecute a wide-range of activities, some broadly labelled “hacking” and other stretching the boundaries of “unauthorized” computer access.

Two recently introduced bills, one by Representative Zoe Lofgren (D-CA) in the House and one by Senator Ron Wyden (D-OR) in the Senate aim to amend the CFAA in hopes of ameliorating application of the CFAA to claims of breach of terms of service, employment agreements. Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.

In short the bills would amend the meaning of “exceeds authorized access,” changing it to “access without authorization,” which is defined to mean:

“to obtain information on a protected computer”;
“that the accesser lacks authorization to obtain”; and
“by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.”

For a well-documented discussion of the application and boundaries of the CFAA, check out the Electronic Frontier Foundations Legal Treatise on civil and criminal cases involving the Computer Fraud and Abuse Act here.

As businesses become ever more dependent on digital assets and systems, a working knowledge of the legal and regulatory framework that defines and protects those assets is paramount.

If you or your executive teams has questions about securing and protecting digital assets, please feel free to contact David M. Adler for a free consultation. LSGA advises a wide range of businesses on creating, protecting and leveraging digital assets as well as computer, data and information security and privacy.

Please tweet, comment on, and forward is article!

David M. Adler | Leavens, Strand, Glover & Adler, LLC
203 North LaSalle Street, Suite 2550
Chicago, Illinois 60601
Direct: (866) 734-2568
Direct Fax: (312) 275-7534
http://www.lsglegal.com
http://www.ecommerceattorney.com

*2012 Illinois Super Lawyer http://bit.ly/gFfpAt

Twitter: http://twitter.com/#!/adlerlaw
LinkedIn: http://linkedin.com/in/adlerlaw