Recent Court Decisions Provide Some Clarity in Ever-changing Techlaw Landscape

As every CIO knows, today all business is digital business.  From the corner mom and pop bodega using Square to process credit cards up to Cisco Systems global network of devices supporting Zetabytes of data over an increasing number of devices.

What began as largely static website e-commerce at the turn of the millennium is now every day operations across multiple devices and the many different brands of platform and content delivery network.  In case you missed it, two recent cases will have a wide impact regardless of industry period

Law Enforcement Access To Cell Phone Location Data Requires Warrant

In the case of Carpenter v. United States, the Supreme Court ruled that law enforcement must obtain a warrant to have access to location and other data contained on a suspect’s cell phone.  In case you’re not familiar with the case, the facts in the Carpenter case are worth mentioning. In 2011, the government, conducting a criminal investigation in Detroit, obtained months’ worth of time-stamped records known as cell-site location information (CSLI) for suspects.  Wireless carriers produced CSLI for petitioner Timothy Carpenter’s phone, and the Government was able to obtain 12,898 location points cataloging Carpenter’s movements over 127 days—an average of 101 data points per day.  Carpenter moved to suppress the data, arguing that the Government’s seizure of the records without obtaining a warrant supported by probable cause violated the Fourth Amendment.  The District Court denied the motion, and prosecutors used the records at trial.  Carpenter was convicted, based in part on the cell-site records, and he appealed. holding that the government’s acquisition of historic cell-site location information (HCSLI) – at least to the extent it includes 7 days or more of cell-site records – was a search and thereby required a warrant.

In reversing the conviction, a majority of the Court has recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements and a warrant is required only in the rare case where the suspect has a legitimate privacy interest in records held by a third party.  The Court downplayed the significance of its ruling, calling its decision “a narrow one” that “does not express views on “real-time CSLI” or question the application to … a range of other information-gathering tools, such as security cameras.”

What this means for business.  While pundits are wisely praising the decision as a victory for privacy, I for one, do not believe it applies that broadly. Even so, there is a tangible benefit for corporate counsel at technology companies, especially those that maintain location information about their customers. Lawyers and compliance pros will feel some relief knowing that they do not have to scramble, prevaricate or litigate with law enforcement when a company receives a subpoena or other demand for location data without a warrant attached.

For additional views on this decision, please see an article from the International Association of Privacy Professionals here, and another from the Electronic Frontier Foundation here.

States Can Now Require That Internet Retailers Collect Sales Tax

The other notable decision to come down from the Supreme Court involves the long-simmering issue of state taxation on internet sales.

The decision, in South Dakota v. Wayfair Inc., was a victory for brick-and-mortar businesses that have long complained they are put at a disadvantage by having to charge sales taxes while many online competitors do not. And it was also a victory for states that have said that they are missing out on tens of billions of dollars in annual revenue.

The South Dakota Legislature enacted a law requiring out-of-state sellers to collect and remit sales tax “as if the seller had a physical presence in the State” to address the erosion of its sales tax base causing a corresponding loss of critical funding for state and local services (“Act”).  The Act covers only sellers that, on an annual basis, deliver more than $100,000 of goods or services into the State or engage in 200 or more separate transactions for the delivery of goods or services into the State.  Top online retailers with no employees or real estate in South Dakota who met the Act’s minimum sales or transactions requirement, but do not collect the State’s sales tax opposed the Act. South Dakota filed suit in state court, seeking a declaration that the Act’s requirements are valid and applicable to respondents and an injunction requiring respondents to register for licenses to collect and remit the sales tax. At trial and on appeal, courts held that the Act is unconstitutional.

The ruling effectively overturned a system that it created.  In 1992, the Supreme Court held that the Constitution bars states from requiring businesses to collect sales tax unless they have a substantial connection to the state. That case was Quill Corporation v. North Dakota.  The Quill decision helped pave the way for the growth of online retail by letting companies sell nationwide without navigating the complex patchwork of state and local tax codes.

South Dakota’s attorney general, called the ruling “a big win for South Dakota and Main Streets across America.”  The case should benefit both rural businesses where local businesses have been hit hard by competition from online retailers and municipal coffers as well, because in some states local sales taxes are collected at the state level.  Owners of brick-and-mortar stores like the decision as a means of leveling the playing field because they feel they often missed out on sales of big-ticket items since sales tax could have had an amplified effect on the price.  For consumers, this could mean paying more for products bought online.  Although most have a “use tax” that works like a state sales tax for online purchases, few if any consumers actually pay it.

Since the beginning of my practice in 1999, I suggested businesses take a state-by-state approach when it comes to issues like sales tax, since it can vary widely by jurisdiction.  No business is entirely virtual. All businesses will need to examine their ecommerce strategy to see whether and to what extent this case affects the business model.

Advertisements

David Adler continues focus on Cyber Security Conferences

Soem prior conferences:

Data at Risk: Regulatory and Privacy Concerns in a Data Breach. – Enfuse Conference 2018, Las Vegas, NV, May 23, 2018.

Trends in Cyber-Law 2017– ISACA CSX North America 2017, Washington, DC October 2-4, 2017

The Human Side of IT Acquisitions– Assoc. of Technology Acquisition Professionals CAUCUS IT Procurement Summit, New Orleans, LA, November 7-8, 2017

My topic, Assessing and Responding to Cyber Legal Risk,was chosen for presentation at the 2018 New York State Cyber Security Conference. 

#nyscyber 

Privacy & Security Issues In Smart Home and IoT Devices

Comprised of connected devices such as thermostats, automobiles, electricity, televisions, fitness trackers, security/baby-monitoring cameras, medical devices, cell phones and tablets, IoT adoption is penetrating some of the world’s most regulated industries such as healthcare, energy, government, financial services, and retail. The potential size of the IoT market is staggering. Commercial-device-focused GE estimates the “Industrial Internet” market will reach $10-$15 trillion over the next 20 years. Consumer-focused Cisco estimates the “Internet of Everything” will be $19 trillion by 2020.

Several recent examples from researchers and manufacturers have shown just how easily privacy and security can be comprised by these devices. In April of 2014, research on Nest Smart Thermostats by Matthew Burrough and Jonathan Gill at U. of I. at Urbana-Champaign revealed two observations impacting privacy and security.

First, Nest appears to be “offline,” yet responds immediately to cloud-based (online) temperature control changes. Second, by interacting with the thermostat or triggering the motion sensors, persistent connections can be made. Taken together, the potential exists to exploit seemingly reasonable functional expectations (e.g., monitoring temp changes).

These technology and privacy legal issues are only likely to proliferate. Regardless of the outcome, the case highlights lessons for IT departments and others charged with safeguarding data on devices. As a precaution, it is useful to consult with the outside technology counsel to better understand you’re rates, obligations, and any limitations to your responsibilities for disclosure.

Best Practices EU/US Privacy Shield

In case you missed it, Ken Dort at Drinker Biddle held a discussion covering high points of the EU/US Privacy Shield. Talking points covered:

1. Application Overview
2. Certification Issues
3. Privacy Shield Principles and Supplemental Principles
4. Implementation Timelines (Expected)
5. Best Practices Going Forward Pending Implementation

The draft EU-U.S. Privacy Shield “adequacy decision” includes the Privacy Shield Principles companies must follow. Suggested Best Practices for compliance with EU-U.S. Privacy Shield Principles include: evaluating disclosures about data collection and use to determine whether they are sufficiently clear and evident to consumers, and 2) giving strong consideration for implementation of a formal opt-in mechanism. European government trade regulators are concerned about whether consumers are being sufficiently informed about the nature and scale of data collection.

Ken graciously provided this great list of resources for the discussion:

* Full text of the Privacy Shield can be found here.

* European Commission draft adequacy decision can be found here.

* Department of Commerce Fact Sheet can be found here.

* European Commission Fact Sheet can be found here.

* European Commission FAQs can be found here.

* Statement from U.S. Secretary of Commerce Penny Pritzker on release of the Privacy Shield text can be found here.

* European Commission statement on the Privacy Shield text can be found here.

Article 29 Working Party statement on the Privacy Shield can be found here.

As part of Adler Law Group’s Privacy & Information Security Practice, we continue to follow the developments in this area. We can help you review, enhance and adopt standardized contracts and implement methodologies for approaching these challenges by setting objectives, determining scope, allocating resources, and developing agreements that will efficiently and effective manage risks.

Changes in Global Privacy Affect Small Business Too

Changes in Global Privacy Affect Small Business Too

In case you missed it, on October 6, 2015 the Court of Justice of the European Union (CJEU) issued a long-awaited privacy ruling in the case involving Maximilian Schrems, the Ireland Data Protection Authority (DPA) and Facebook. Back in 2000, the EU Commission decided that personal data sent to US organizations that sign up to the Safe Harbor scheme is adequately protected. Safe Harbor organizations self-certify compliance with certain privacy principles, and the scheme is enforced by the US FTC.

Background

Simply put, Schrems sued to prohibit transfer of his personal data from Facebook Ireland to Facebook in the U.S. due to widely perceived flaws in U.S. data protection following the Edward Snowden NSA revelations.

Why it Matters

Over 5,000 U.S. companies “self-certify” under Safe Harbor, and their European partners and customers rely on Safe Harbor for data transfers into the U.S. The decision may impact many small to medium sized business who use social media for marketing and business development, as well as businesses that use cloud-based services for gathering, processing and sharing data. Transfers of Personally Identifiable Information (PII) from the EU to the U.S must either be authorized by national data protection authorities, or be able to rely on one of the legal exceptions.

Although the Safe Harbor companies publicly committed to apply the Safe Harbor Privacy Principles to the personal data they brought into the U.S. (and some companies passed these commitments on to other entities under Onward Transfer agreements), companies that disregard those commitments, with regard to either stored data or new data transfers, could expose itself to FTC enforcement against “unfair or deceptive practices” or judicial complaints based on U.S. contract, fraud, or tort law, as well as to enforcement in the EU – such as complaints before labor tribunals, courts, and data protection authorities.

Don’t Panic, Yet

While the decision is likely to have a significant impact on the transfer of personal data from the EU to U.S. recipients, EU leaders say it’s not time to panic yet. Experts have pointed out the alternative legal bases for transatlantic data transfers that exist, such as contracts, Binding Corporate Rules or actual, express consent. Many businesses may be able to use these methods and continue their transatlantic data transfers.

Domestic Developments

At the same time, California leads the U.S. in enacting new privacy legislation. Last week California passed legislation that may equate to what the EU wants to see on the federal level. According to §1546.1 b) of CalECPA any government entity must have a warrant, wiretap order, order of electronic reader or a subpoena if they want to compel any individual or a service provider to disclose information stored on their devices (mobile phones, computer, tablets, tv, servers you name it). §1546.1 c) states that government agencies cannot access, either physically or remotely, a device unless they have a warrant, wiretap order, consent of the authorized possessor of the device, if the government in good faith, believes there is an emergency that could jeopardize someone’s life or physical integrity (in which case they’ll have to get a warrant within 3 days later) or in case the devices are confiscated from inmates in state prisons.

Concerned about whether your business is at risk for violating EU data protection rules? Don’t be. We offer a FREE, no-obligation one (1) hour consultation to identify potential issues. The professionals at the Adler Law Group can help you review, enhance and adopt standardized contracts and implement methodologies for approaching these challenges by setting objectives, determining scope, allocating resources, and developing agreements that will efficiently and effective manage risks, while keeping pace with the business.

Please call: (866) 734-2568, click: http://www.adler-law.com, or write: David @ adler-law.com.

Illinois Updates Eavesdropping Law, Ambiguities Remain

Illinois has recently enacted a revised version of the Eavesdropping Act. (720 ILCS 5/14, et. seq.) Prior to 2015, Illinois was a “two-party consent” state. The Act prohibited recording police and other public officials without their consent. There were several prosecutions under the old version of the law. The new law makes it legal to make such recordings in public without consent.

Under the old law, the statute had the effect of barring the recording of loud arguments on the street, political debates in the park, or even public interactions between citizens and police officers. While the new law attempts to create a balance between privacy and the need to preserve the details of conversations with authorities, it is being criticized for creating a new set of problems.

Chief among the concerns from both criminal defense attorneys and prosecutors are the definitions of “surreptitious” and “reasonable expectation” of privacy.

For example. although the statute protects one right o secretly record one’s conversations, the reality is that with today’s ubiquity of cell phones, even if someone has a cell phone out on the table or is checking a cell phone during the conversation, it may be unclear whether that person is also using the cell phone to record a conversation.

Furthermore, the concept of a “reasonable expectation of privacy” is problematic. Critics say that ultimately this opens the door for a debate about whether one’s expectation of privacy was a reasonable or not.

Lastly, some have criticized the Act for creating a fast track for police to conduct surveillance on citizens private communications without a warrant. The law allows police to get a approval from a local states attorney under a broad set of circumstances as opposed to having to go in front of a judge and show probable cause.

Given these ambiguities in the law, many believe that it will take time and lawsuits in order to clarify some of the boundaries of these issues.

The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included social security numbers and birth dates, etc. Very different than having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effective manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send and email to info@ecommerceattorney.com or visit our web site www.adler-law.com.