Post on 13-May-2015
© 2013 Armstrong Teasdale LLP
Armstrong Teasdale Welcomes the USLFG Corporate & Securities Committee
October 11, 2013
HOT RIGHT NOW: Burning Issues in Privacy & Information Security
Daniel Nelson, CIPP/US
October 11, 2013
Agenda
• Social Media meets Social Engineering
• HIPAA Hits the Masses
• COPPA: An FTC Hot Spot
• Stored Communications Act, Part VII
• CalOPPA: …But You Can Never Leave
• Snowden and Angry Dwarves: Europe’s Response to the NSA leaks
• The Growing Emphasis on Encryption
#1 Information Security Threat
HACKERS?
SPIES?
Cyber terrorists?
INFORMATION SECURITY ENEMY #1
Social Engineering
A significant majority of external intrusions contain a social engineering element
Phishing attacks are becoming increasingly sophisticated:
• Use of email- and web-based attacks
• Personalized emails, built from information gleaned from Facebook or LinkedIn
• Fake internal company emails
Social Engineering Victims
RSA (the Security Token Company)
Oak Ridge National Labs
The Problems:
Lack of Training
• Employees just don’t know the importance
• Employees don’t know of likely problems
No Security Culture
• Employees don’t think about security implications
Ineffective Internal Controls
• Too much access to information
HIPAA Hits the Masses
New HIPAA Omnibus Rule: Effective September 23, 2013.
Biggest Change: HIPAA Rule Now Covers “Business Associates”
• Prior Rule only directly regulated a much narrower definition of “Covered Entities”: Providers, Health Plans, Clearinghouses
• “Covered Entities” now include “Business Associates,” i.e. those who, at any contracting level, process or transmit Protected Health Information
HIPAA Changes
Revised definition of data breach:
• Old standard: risk of harm
• New standard: risk of compromise, irrespective of harm
Blanket prohibition on sale of information without individual authorization
Increased limits on PHI use/disclosure for marketing & fundraising
Expanded patient rights of access to, and right to restrict disclosure of, PHI
Children’s Online Privacy Protection Act (“COPPA”)
The Act’s primary focus is to safeguard children’s PII
• PII includes a large array of information
−The obvious: name, address, etc.
−But also:
• Geolocation data
• Photos and Videos
• Computerized Persistent Identifiers
If you operate a website, online service, or mobile app directed towards kids, you must pay attention to COPPA
COPPA
The problem: The FTC has stated that the operator’s intent is not determinative of whether a site, service or app is primarily or secondarily directed to kids.
Modified scope definition: sites “directed to children”
• Problematic, in that the new definition looks not to the operator’s intent, but to a “totality of the circumstances” test. The FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience.
Moreover, if you have actual knowledge that you are gathering kids’ PII, you must comply with COPPA
COPPA
COPPA is a minefield of stringent rules, including specific rules on methods of parental notification and obtaining parental opt-in consent
• If you didn’t know COPPA applied to your site/service/app, the chances of accidental compliance are virtually zero
The FTC takes COPPA violations very seriously. A COPPA violation may be your surest ticket to an FTC enforcement action
COPPA Enforcement
U.S. v. Path, Inc.: filed 1/31/13
• Path: social networking site operating through an iOS app
• App collected and stored information from the user’s mobile address book, even if the user did not elect this option
• FTC charged that the practice was a Deceptive Trade Practice because the collection violated Path’s published privacy policy
• FTC also alleged violations of the Children’s Online Privacy Protection Act because, among other things, the App allowed for the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child’s precise location
• Settlement with the FTC that included an $800,000 payment, as well as audited monitoring for the next 20 years
COPPA
I should be thinking about COPPA when:
• I operate a website/service/mobile app that would be attractive to kids
Big Picture:
• FTC’s “Look and Feel” test creates uncertainty
• High-value target for FTC enforcement, combined with very low probability of accidental compliance
Keys to avoiding trouble:
• Take a hard look at your website/service/mobile app offerings
• Don’t ignore evidence that you are acquiring kids’ data
COPPA Amendments
Broadened categories of protected PII:
• Geolocation data
• Persistent identifiers
• Photos/videos
Revised retention requirements
Restrictions on use of data collection by third-parties through plug-ins
COPPA Amendments (continued)
Modified scope definition: sites “directed to children”
• Problematic, in that the new definition looks not to the operator’s intent, but to a “totality of the circumstances” test. The FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience.
COPPA safe-harbor through age-screening
Stored Communications Act (“SCA”)
Passed in 1986:
No Yahoo! (1994)
No Microsoft Outlook (1997)
AOL was 1 year old
Microsoft Windows 1.0 (1985)
Stored Communications Act (“SCA”) Basics
Passed in 1986
Generally prohibits unauthorized access to electronically stored communications
Differs from Federal Wiretap statute, which prohibits interception of communications in transit
Recent Decisions
Ehling v. Monmouth-Ocean Hosp. Serv. Corp., Civ. No. 2:11-cv-03305 (U.S.D.C., D. NJ, Aug. 20, 2013):
• SCA applies to Non-Public Facebook Wall Posts
Lazette v. Kulmatycki: 3:12CV2416 (U.S.D.C., N.D. Ohio, June 5, 2013):
• SCA protected former employee’s personal emails on a BlackBerry turned back in to the employer
California Online Privacy Protection Act (CalOPPA)
Applies to website/online service/mobile app providers who collect California residents’ PII
Requires a conspicuous privacy policy. Policy must, at a minimum:
• Tell the data subject the categories of PII being collected
• Describe any available means by which the data subject can review or request changes to retained PII
• Identify the means by which policy changes will be made known to users
• Specify an effective date
California Online Privacy Protection Act
I should be thinking about CalOPPA when:
• I operate a website/online service/application that collects or stores consumers’ PII.
Big Picture:
• Must have a privacy policy
Keys to avoiding trouble:
• Post a meaningful privacy policy that reflects the organization’s actual practices
California v. Delta Air Lines, Inc.
Filed 12/06/12
Complaint alleges that Delta violated California’s Online Privacy Protection Act (“CalOPPA”) and California’s Unfair Competition Law:
The “Fly Delta” mobile app collected user’s PII, including name, contact information, passport information, photographs and geo-location data.
Delta did not conspicuously post a privacy policy, thus depriving users of:
• Knowledge of what PII Delta collected
• What Delta did with the PII
• To whom Delta may have disclosed or sold the PII
While Delta’s website does contain a posted privacy policy, that policy did not mention the Fly Delta app, and the Fly Delta app did not point users to this privacy policy. Moreover, the app collected certain types of PII that the website did not.
Recent CalOPPA Amendments
California SB 568
• Adds a new provision regarding Minors’ privacy rights
• Prohibits online marketing or advertising of certain products to anyone under 18
• Site/App operators must allow minors to remove content or information they posted, and requires that the operator provide instructions on how to do so
California AB 370
• Requires privacy policies to disclose how the website operator responds to Do Not Track
European Data Protection Authorities React to Snowden leaks
In Wake of PRISM, German DPAs Threaten To Halt Data Transfers to Non-EU Countries
“In the wake of revelations about the U.S. National Security Agency's PRISM internet surveillance program, German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program.”
- Bloomberg BNA, 7.29.13
Proposed General Data Protection Regulation (GDPR)
Potentially broadens the purported reach of EU data protection law: Companies that “envisage” doing business with EU residents
Calls for stricter privacy regulation in the wake of PRISM, et al. revelations
• Viviane Reding, V.P. of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, is leading the charge
Growing Digital Privacy Divide
Possible ramifications:
• Nothing
• Modified (i.e. less user-friendly) data transfer regulations
• Net loss of data processing & data storage business to other countries
Encryption
Growing body of regulations and enforcement actions requiring some form of encryption
Encryption may come in many forms:
• Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP Email)
• File-level Encryption
• Full-disk Encryption
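File-level encryption at rest, as an added example that is not part of the presentation: sealing one data record with AES-256-GCM using Go’s standard library. The 32-byte key, the file name used as associated data and the record contents are all constructed for the demo; the assumption that a real deployment fetches the key from a key-management service held apart from the laptop or media carrying the data is what turns a stolen device into a non-event rather than a reportable breach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 32-byte demo key (AES-256). Assumption for the example only:
// a real deployment pulls the key from a KMS/HSM and never stores it with the data.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptRecord seals plaintext with AES-256-GCM. A fresh random nonce is
// generated per call and prepended to the ciphertext so the stored record is
// self-describing. aad (e.g. the file name) is authenticated but not hidden,
// which binds the ciphertext to its location and blocks swapping records.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag or aad makes gcm.Open return an error instead of silently wrong plaintext.
func DecryptRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	record := []byte("name=Jane Doe;dob=1970-01-01;dx=example") // constructed PHI-like row
	fileName := []byte("patient-export.csv")                    // constructed associated data

	sealed, err := EncryptRecord(demoKey, record, fileName)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes (nonce+ciphertext+tag)\n",
		len(record), len(sealed))

	// Flip one byte of the stored file: decryption must fail loudly.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := DecryptRecord(demoKey, sealed, fileName); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

GCM is chosen over a bare block mode because the authentication tag lets the reader prove integrity as well as confidentiality: a modified, truncated or relocated record is rejected rather than decrypted into plausible-looking garbage.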
Recent FTC Enforcement Actions
Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to keep its security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need
Enforcement Actions
TRENDnet
• SecurView cameras for home monitoring
• Software issue allowed anyone with camera's web address to view the live feed
FTC charged:
• Failure to utilize reasonable measures to test security;
• Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.
HIPAA
Encryption is an “addressable” Implementation Specification under both the Access Control and Transmission Security Standards
Encryption required where “reasonable and appropriate”
Decision not to encrypt must be documented in writing for later Office of Civil Rights review
Massachusetts Data Security Laws
Requires a “Comprehensive” data security program that includes:
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
• Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”
We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in.
The universe believes in encryption.
It is easier to encrypt information than it is to decrypt it.
— Julian Assange, in the introduction of Cypherpunks: Freedom and the Future of the Internet
Why Encrypt?
May be required by existing law
Best protection against data breach notification requirements
Fast becoming a “reasonable” or “industry standard” security measure
• Most privacy policies assure users that the company employs “reasonable” security measures or the like
• Growing body of law and regulatory decisions provides bases for plaintiff’s experts to claim encryption is required
Questions?
Dan Nelson, CIPP/US, Partner, Armstrong Teasdale LLP
314.552.6650
dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson
The Interactive Web and the Law: Emerging Technologies’ Impact on Your Practice
Jeff Schultz, Armstrong Teasdale LLP
October 11, 2013
The Challenge
“If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand.”
— Justice Stephen Breyer
Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”
Justice Scalia: “You mean it doesn't go right to the other thing?”
— Justice John Roberts to Justice Antonin Scalia Regarding How a Text-Messaging Service Works
What is the Interactive Web
Web 2.0
Includes social media, blogs, interactive websites, and more
A tool for communicating
Information is shared globally
Web 3.0?
It’s Unavoidable
Pinterest overtook LinkedIn to become No. 3
Almost 1 billion Facebook users
• 54% access via mobile
• 23% check Facebook 5 times or more daily
• 1 Million websites have integrated with Facebook
Over 40 million photos are uploaded to Instagram every day
More apps using location data to connect users
Fastest growing segment for use: 45-54 year olds
Political campaigns using social media
56% of customer tweets are being ignored
Zuckerberg’s Law of Information Sharing
“I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before.”
Is the Interactive Web Changing Our Definition of “Privacy”?
Courts allowing access to user accounts
Questions arising about who owns the data you share
Courts dealing with issues concerning GPS tracking, phone location records, and other location data collected by social media applications
Do privacy settings actually make your data private?
What Data Does Facebook Really Collect (and Keep)?
The obvious: what you see on the screen
“Europe v. Facebook” Group Information Request:
• All friend requests and your responses;
• All Event invitations and your responses;
• IP address used for each Facebook login;
• Camera metadata, even for photos where you untagged yourself;
• Credit card information;
• Geo-location information, including latitude, longitude, and time/date.
- See europe-v-facebook.org/fb_cat1.pdf
Many areas of the law are impacted
• Corporate
• Securities
• Labor and Employment
• Litigation
• Intellectual Property
• Discovery
• Ethics
Legislation Regarding Individuals’ Use of the Interactive Web
California: illegal to impersonate others online
Missouri: briefly made it illegal for teachers to “friend” students
Potential liability under state computer tampering statutes for accessing, using, disclosing, receiving or retaining data without authorization
Legislation (continued)
California, Illinois, Maryland, and Michigan: illegal for employers to ask job applicants or workers for social media passwords
California, Delaware, Michigan, and New Jersey: illegal to ask students to disclose social media passwords
At least 14 states (including Missouri) introduced legislation in 2012 that would restrict employers from requesting access to social networking usernames and passwords of applicants, students or employees
SNOPA (Social Network Online Protection Act): Congress wants to make it illegal for employers and schools to ask for social media passwords of employees, students, and applicants
Regulations Regarding Social Media
FTC:
• Employees/contractors who endorse their employer’s products must clearly and conspicuously disclose their relationship
SEC:
• Risk Alert issued January 4, 2012 by the Office of Compliance Inspections and Examinations (Investment Adviser Use of Social Media)
• Threatened action against Netflix CEO for alleged violation of Reg FD (CEO congratulated Netflix team on Facebook for surpassing 1 billion hours in monthly viewing)
Regulation (continued)
NLRB:
• Closely reviewing policies for compliance with section 7 rights
• Problems created by confidentiality provisions
FDA (regulations not final; long delayed):
• Only addresses responses to requests re off-label uses. Does not address how to utilize space-limited sites like Twitter to convey risk and safety information for a fair balance
• Does not provide clear guidance on the dos and don’ts of social media marketing
Location Data
[Figure: Patterns of Movement; Awareness of Location]
Social Media and Discovery: Many Different Approaches
Considered social media under Stored Communications Act and denied production
One side ordered to turn over its passwords
Parties ordered to friend the judge for review of photos and comments in camera
Review of accounts in camera to identify potentially relevant and discoverable information
Where Will the Balance be Found?
Social Media is not “privileged” or entitled to special protections (i.e. no “expectation of privacy”)
But, not “open season” on everything in one’s Social Media space
• No “generalized right to rummage” through private posts
• Application of established rules regarding “Relevant or reasonably calculated to lead to the discovery of relevant information”
Turnover of username/password: courts have not yet addressed the conflict this creates with a site’s Terms of Use
Authentication
Rule 901: To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that item is what the proponent claims.
Consensus among many courts and legal commentators that the rules of evidence already in place for determining authenticity are at least generally “adequate to the task” with respect to electronically generated, transmitted and/or stored information (including social networking sites). See Tienda v. State, 358 S.W.3d 633 (Tx. Ct. App. 2012).
There is no single approach to authentication that will work in all instances. The best approach will depend upon the nature of the evidence and the circumstances of the particular case.
The Aspiring Firefighter
Employee had back surgery in October
• Employee claimed leave ran until December 30, 2009
• Employer claimed leave ran until December 2, 2009
Employee terminated when he didn’t return to work
Claim: disability discrimination and violation of FMLA rights
The Double-Sting
The Sting:
• Ex-Wife sets up a fake Facebook account for “Jessica” (a 17 year old girl) to get info for child custody battle
• Ex-Husband asks “Jessica” to find a hit man to kill Ex-Wife: “you should find someone at your school…that would put a cap in her ass for $10,000.”
• Ex-Husband is arrested
The Double-Sting:
• Ex-Husband freed after proving he knew all along that Ex-Wife was “Jessica”
• Ex-Husband played along with Ex-Wife’s ruse to use it against her in their custody case.
Contact Information
Jeff Schultz, Partner, Armstrong Teasdale LLP
314.259.4732
jschultz@armstrongteasdale.com
www.armstrongteasdale.com
http://twitter.com/JeffSchultzEsq
http://twitter.com/AT_Law
http://twitter.com/AT_Live
http://twitter.com/AT_Innovate
Recent Delaware Corporate Law Developments
Greg Williams, Richards, Layton & Finger
October 11, 2013
Open Discussion
October 11, 2013
Business Meeting of the Committee
October 11, 2013