Privacy & Security Issues In Smart Home and IoT Devices

Comprised of connected devices such as thermostats, automobiles, electricity, televisions, fitness trackers, security/baby-monitoring cameras, medical devices, cell phones and tablets, IoT adoption is penetrating some of the world’s most regulated industries such as healthcare, energy, government, financial services, and retail. The potential size of the IoT market is staggering. Commercial-device-focused GE estimates the “Industrial Internet” market will reach $10-$15 trillion over the next 20 years. Consumer-focused Cisco estimates the “Internet of Everything” will be $19 trillion by 2020.

Several recent examples from researchers and manufacturers have shown just how easily privacy and security can be comprised by these devices. In April of 2014, research on Nest Smart Thermostats by Matthew Burrough and Jonathan Gill at U. of I. at Urbana-Champaign revealed two observations impacting privacy and security.

First, Nest appears to be “offline,” yet responds immediately to cloud-based (online) temperature control changes. Second, by interacting with the thermostat or triggering the motion sensors, persistent connections can be made. Taken together, the potential exists to exploit seemingly reasonable functional expectations (e.g., monitoring temp changes).

These technology and privacy legal issues are only likely to proliferate. Regardless of the outcome, the case highlights lessons for IT departments and others charged with safeguarding data on devices. As a precaution, it is useful to consult with the outside technology counsel to better understand you’re rates, obligations, and any limitations to your responsibilities for disclosure.

The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included social security numbers and birth dates, etc. Very different than having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com.

DATA PRIVACY DAY 

Do You Understand Your Data Privacy Rights?

Data Privacy Day was started in 2007 in response to widespread lack of understanding about how personal data was being protected. Today, 91% of adults “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies, according to a recent Pew Research Center Survey.

Data is one of the natural resources of the 21st century. It should be treated like all other precious resources. Understanding, responsibility, and accountability are key. Ubiquitous Internet connections, unprecedented processing power and speed combined with staggeringly large databases have the ability to help both the private and public sectors. However, there is a growing split between the benefits of data-driven activities and perceptions of decreased privacy rights needs to be addressed. There is a balance that needs to be found between the responsibility of governments and that of businesses in ensuring an adequate level of protection to citizens and consumers, while supporting technological innovation.

The purpose of Data Privacy Day is raise awareness among digital citizens and empower them with understanding how their data is being collected, stored and consumed. Often, that starts with being educated about the privacy policies of online companies and web properties.

The National Cyber Security Alliance (NCSA) officially kicked off today’s Data Privacy Day events with a broadcast from George Washington University Law School featuring Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government.

Whether you are a consumer, an application developer, a technology platform provider, consultant, or enterprise that relies on the collection, analysis and commercialization of data (who doesn’t these days) Adler Law Group can help you navigate this emerging area by 1) assessing and prioritizing privacy risks, 2) creating a baseline understanding of data assets, data flows and contractual commitments, 3) developing internal Privacy Polciies and processes, and 4) creating and delivering training programs for executives and employees that increases awareness and mitigate risk.

GEAR UP FOR FALL! Now Is A Good Time To Take A Look At Those Contracts

One of the most important tools to protect your business – your ideas, customer relationships and talent pool – is your written contract. A solid contract is the foundation for a reliable relationship for you, your customers and your employees. More importantly, it helps to prevent misunderstandings and false expectations that can lead to a breakdown in your customer relationship, jeopardize the project and result in litigation.

Many companies start with a model or “form” contract adapted from forms available online or drafted when the business first started. As businesses develop over time, you may have revised your contracts, adding a little here, removing a little there. Maybe you read an article about an important case in your industry and decided to add some text from the contract discussed in the court’s legal opinion. In many cases, over time, the agreements become “Franken-contracts” an odd amalgamation of trade lingo, inconsistent terms and even contradictory conditions. At best these are ambiguous and confusing to read. At worst, they become unenforceable.

At some point, you should review, revise and generally “tighten” existing contracts. You should have your lawyer review them to make sure that there are no mistakes, ambiguities or omissions that could cost you or your customers. I urge clients to have their contract forms reviewed on an annual basis. Depending on changes in the law, changes in the industry or changes in your own business, this process should only take a few hours.

The following are six things to consider as you review your existing contract forms and business practices.

First, are you using a written contract? Simply having a written agreement in place will help prevent the often difficult, time-consuming and expensive dispute that comes down to a “he said / she said” situation.

Second, make sure that the key terms of your contract are consistent and understandable. Pricing and payment terms, clear descriptions of the services to be performed or the goods to be delivered, as well as due dates and acceptance criteria will go a long way toward preventing breach of contract claims. More importantly, ambiguous and internally-contradictory terms may expose you to fraud claims or claims under an unfair business practices act. These types of claims are typically much more difficult and more expensive to defend against.

Third, create a mechanism for changes in your contract. Circumstances change. When they do, make sure that you document them and that your customer initials and dates any additions or changes to the contract after it is signed.

Fourth, don’t overlook intellectual property (“IP”) rights, Many business relationships involve collaborative sharing or development of knowledge, skills and protectable IP assets such as copyrights, trademarks, patents and trade secrets. Intangible assets are often the most important drivers of revenue creation and value. Overlooking creation, ownership and control of IP rights may result in the loss of these assets.

Fifth, ensure that your contracts are up-to-date with respect to local laws and industry regulations. Recent developments in technology, e.g., BYOD, Social Media, Mobile commerce, and online privacy had produced a raft of state, federal and industry specific laws, rules and regulations. Do you regularly update your forms to make sure they comply with changes to local laws?

Sixth, understand your “escape” options. Not every relationship is meant to last forever. Your contracts should have clear and concise terms for ending the relationship such as failure to perform, failure to pay or adverse business conditions.

To find out more about how the Adler Law Group can help you tighten your contracts, or even draft new ones, contact us for a free, no-obligation consultation.

Identifying Intellectual Property Issues in Start-Ups – Live Webcast!

Do you work with start-up companies and need a basic understanding of the various intellectual property issues that can arise?

I will be co-presenting in this online seminar that will help you:

  • understand the trademark and copyright problems your client may encounter with branding;
  • learn how to protect your client’s branding once established;
  • familiarize your practice with patents, including what they protect, timing, and strategies to prevent inadvertent loss of patent rights before filing the application;
  • understand trade secrets and the importance of non-disclosure and confidentiality agreements;
  • recognize intellectual property issues relating to technology, including open source code and the cloud;
  • establish a proactive approach toward intellectual property ownership between cofounders, employees, and vendors; understand business names, domain names, promotional issues, and website content concerns.

The program qualifies for 1.5 hours MCLE credit.

I would like to personally invite you to attend the upcoming Law Ed program titled, “Identifying Intellectual Property Issues in Start-Ups,” which I will be co-presenting via live webcast on Tuesday, May 27th.

Presented by the ISBA Business Advice and Financial Planning Section

Co-Sponsored by the ISBA Intellectual Property Section

Is Your Company’s Web Site Privacy Policy Compliant With New California Law?

Privacy Law Update: California “Do Not Track” 

Two California laws went into effect at the beginning of the year that  require additional notifications to consumers.  The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents (in reality anyone with a web site that may be accessed by a CA resident) post a privacy policy that gives notice to consumers regarding behavioral or interest-based advertising practices (“OBA”).

Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business.

If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

Are you  concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.

Please contact us for a no-fee consultation.

Amended California Do Not Track Disclosure Law Requires Websites Disclose Do Not Track Signal Response

At the end of August, the California passed an amendment to the California Online Privacy Protection Act that will require commercial websites and services that collect personal data to disclose how they respond to Do Not Track signals from Web browsers.

AB 370, as introduced by California Assemblyman Al Muratsuchi, requires a business that discloses a customer’s personal information to a third party for direct marketing purposes to provide the customer, within 30 days after the customer’s request, as specified, in writing or by e-mail the names and addresses of the recipients of that information and specified details regarding the information disclosed.

This bill, available here, would declare the intent of the Legislature to enact legislation that would regulate online behavioral tracking of consumers.