USLFG Corporate & Securities Presentation

© 2013 Armstrong Teasdale LLP

Transcript of USLFG Corporate & Securities Presentation

Page 1: USLFG Corporate & Securities Presentation

Armstrong Teasdale Welcomes the USLFG Corporate & Securities Committee

October 11, 2013

Page 2: USLFG Corporate & Securities Presentation


HOT RIGHT NOW: Burning Issues in Privacy & Information Security

Daniel Nelson, CIPP/US

October 11, 2013

Page 3: USLFG Corporate & Securities Presentation


Agenda

• Social Media meets Social Engineering

• HIPAA Hits the Masses

• COPPA: An FTC Hot Spot

• Stored Communications Act, Part VII

• CalOPPA: …But You Can Never Leave

• Snowden and Angry Dwarves: Europe’s Response to the NSA leaks

• The Growing Emphasis on Encryption

Page 4: USLFG Corporate & Securities Presentation


#1 Information Security Threat

HACKERS?

SPIES?

Cyber terrorists?

Page 5: USLFG Corporate & Securities Presentation


INFORMATION SECURITY ENEMY #1

Page 6: USLFG Corporate & Securities Presentation


Social Engineering

A significant majority of external intrusions contain a social engineering element

Phishing attacks becoming increasingly sophisticated.

Use of email- and web-based attacks

Personalized emails: information gleaned from Facebook or LinkedIn

Fake Internal Company Emails

Page 7: USLFG Corporate & Securities Presentation


Social Engineering Victims

RSA (the Security Token Company)

Oak Ridge National Labs

Google

Page 8: USLFG Corporate & Securities Presentation


The Problems:

Lack of Training

• Employees just don’t know the importance

• Employees don’t know of likely problems

No Security Culture

• Employees don’t think about security implications

Ineffective Internal Controls

• Too much access to information

Page 9: USLFG Corporate & Securities Presentation


HIPAA Hits the Masses

New HIPAA Omnibus Rule: Effective September 23, 2013.

Biggest Change: HIPAA Rule Now Covers “Business Associates”

• Prior Rule only directly regulated a much narrower definition of “Covered Entities”: Providers, Health Plans, Clearinghouses

• “Covered Entities” now include “Business Associates,” i.e. those who, at any contracting level, process or transmit Protected Health Information

Page 10: USLFG Corporate & Securities Presentation


HIPAA Changes

Revised definition of data breach:

• Old standard: risk of harm

• New standard: risk of compromise, irrespective of harm

Blanket prohibition on sale of information without individual authorization

Increased limits on PHI use/disclosure for marketing & fundraising

Expanded patient rights of access to, and right to restrict disclosure of, PHI

Page 11: USLFG Corporate & Securities Presentation


Children’s Online Privacy Protection Act (“COPPA”)

The Act’s primary focus is to safeguard children’s PII

• PII includes a large array of information

−The obvious: name, address, etc.

−But also:

• Geolocation data

• Photos and videos

• Computerized persistent identifiers

If you operate a website, online service, or mobile app directed towards kids, you must pay attention to COPPA

Page 12: USLFG Corporate & Securities Presentation


COPPA

The problem: The FTC has stated that the operator’s intent is not determinative of whether a site, service or app is primarily or secondarily directed to kids.

Modified scope definition: sites “directed to children”

• Problematic, in that the new definition looks not to the operator’s intent, but to a “totality of the circumstances” test. The FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience.

Moreover, if you have actual knowledge that you are gathering kids’ PII, you must comply with COPPA

Page 13: USLFG Corporate & Securities Presentation


COPPA

COPPA is a minefield of stringent rules, including specific rules on methods of parental notification and obtaining parental opt-in consent

• If you didn’t know COPPA applied to your site/service/app, the chances of accidental compliance are virtually zero

The FTC takes COPPA violations very seriously. A COPPA violation may be your surest ticket to an FTC enforcement action

Page 14: USLFG Corporate & Securities Presentation


COPPA Enforcement

U.S. v. Path, Inc.: filed 1/31/13

• Path: social networking site operating through an iOS app

• App collected and stored information from user’s mobile address book, even if user did not elect this option

• FTC challenged the practice as a Deceptive Trade Practice because the collection violated Path’s published privacy policy

• FTC also alleged violations of the Children’s Online Privacy Protection Act because, among other things, the App allowed for the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child’s precise location

• Settlement with the FTC that included $800,000 payment, as well as audited monitoring for next 20 years

Page 15: USLFG Corporate & Securities Presentation


COPPA

I should be thinking about COPPA when:

• I operate a website/service/mobile app that would be attractive to kids

Big Picture:

• FTC’s “Look and Feel” test creates uncertainty

• High-value target for FTC enforcement combined with very low probability of accidental compliance

Keys to avoiding trouble:

• Take a hard look at your website/service/mobile app offerings

• Don’t ignore evidence that you are acquiring kids’ data

Page 16: USLFG Corporate & Securities Presentation


COPPA Amendments

Broadened categories of protected PII:

• Geolocation data

• Persistent identifiers

• Photos/videos

Revised retention requirements

Restrictions on data collection by third parties through plug-ins

Page 17: USLFG Corporate & Securities Presentation


COPPA Amendments (continued)

Modified scope definition: sites “directed to children”

• Problematic, in that the new definition looks not to the operator’s intent, but to a “totality of the circumstances” test. The FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience.

COPPA safe-harbor through age-screening

Page 18: USLFG Corporate & Securities Presentation


Stored Communications Act (“SCA”)

Passed in 1986:

No Yahoo! (1994)

No Microsoft Outlook (1997)

AOL was 1 year old

Microsoft Windows 1.0 (1985)

Page 19: USLFG Corporate & Securities Presentation


Stored Communications Act (“SCA”) Basics

Passed in 1986

Generally prohibits unauthorized access to electronically stored communications

Differs from Federal Wiretap statute, which prohibits interception of communications in transit

Page 20: USLFG Corporate & Securities Presentation


Recent Decisions

Ehling v. Monmouth-Ocean Hosp. Serv. Corp., Civ. No. 2:11-cv-03305 (U.S.D.C., D. NJ, Aug. 20, 2013):

• SCA applies to Non-Public Facebook Wall Posts

Lazette v. Kulmatycki: 3:12CV2416 (U.S.D.C., N.D. Ohio, June 5, 2013):

• SCA protected former employee’s personal emails on Blackberry turned back in to employer

Page 21: USLFG Corporate & Securities Presentation


California Online Privacy Protection Act (CalOPPA)

Applies to website/online service/mobile app providers who collect California residents’ PII

Requires conspicuous privacy policy

Policy must, at a minimum:

• Tell data subject categories of PII being collected

• Describe any available means by which data subject can review or request changes to retained PII

• Identify means by which policy changes will be made known to users

• Specify an effective date

Page 22: USLFG Corporate & Securities Presentation


California Online Privacy Protection Act

I should be thinking about CalOPPA when:

• I operate a website/online service/application that collects or stores consumers’ PII.

Big Picture:

• Must have a privacy policy

Keys to avoiding trouble:

• Post a meaningful privacy policy that reflects the organization’s actual practices

Page 23: USLFG Corporate & Securities Presentation


California v. Delta Air Lines, Inc.

Filed 12/06/12

Complaint alleges that Delta violated California’s Online Privacy Protection Act (“CalOPPA”) and California’s Unfair Competition Law:

The “Fly Delta” mobile app collected user’s PII, including name, contact information, passport information, photographs and geo-location data.

Delta did not conspicuously post a privacy policy, thus depriving users of:

• Knowledge of what PII Delta collected

• What Delta did with the PII

• To whom Delta may have disclosed or sold the PII

While Delta’s website does contain a posted privacy policy, that policy did not mention the Fly Delta app, and the Fly Delta app did not point users to this privacy policy. Moreover, the app collected certain types of PII that the website did not.


Page 24: USLFG Corporate & Securities Presentation


Recent CalOPPA Amendments

California SB 568

• Adds a new provision regarding minors’ privacy rights

• Prohibits online marketing or advertising of certain products to anyone under 18

• Site/app operators must allow minors to remove content or information they posted, and requires that the operator provide instructions on how to do so

California AB 370

• Requires privacy policies to disclose how the website operator responds to Do Not Track

Page 25: USLFG Corporate & Securities Presentation


European Data Protection Authorities React to Snowden leaks

In Wake of PRISM, German DPAs Threaten To Halt Data Transfers to Non-EU Countries

“In the wake of revelations about the U.S. National Security Agency's PRISM internet surveillance program, German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program.”

— Bloomberg BNA, 7.29.13

Page 26: USLFG Corporate & Securities Presentation


Proposed General Data Protection Regulation (GDPR)

Potentially broadens purported reach of EU data protection law: companies that “envisage” doing business with EU residents

Calls for stricter privacy regulation in the wake of PRISM, et al. revelations

• Viviane Reding, V.P. of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, is leading the charge

Page 27: USLFG Corporate & Securities Presentation


Growing Digital Privacy Divide

Possible ramifications:

• Nothing

• Modified (i.e. less user-friendly) data transfer regulations

• Net loss of data processing & data storage business to other countries

Page 28: USLFG Corporate & Securities Presentation


Encryption

Growing body of regulations and enforcement actions requiring some form of encryption

Encryption may come in many forms:

• Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP email)

• File-level encryption

• Full-disk encryption

Page 29: USLFG Corporate & Securities Presentation


Recent FTC Enforcement Actions

Cbr Systems, Inc.

• Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service

• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to meet its security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need

Page 30: USLFG Corporate & Securities Presentation


Enforcement Actions

TRENDnet

• SecurView cameras for home monitoring

• Software issue allowed anyone with camera's web address to view the live feed

FTC charged:

• Failure to utilize reasonable measures to test security;

• Unencrypted transmission of user credentials, and unencrypted mobile storage of login information.

Page 31: USLFG Corporate & Securities Presentation


HIPAA

Encryption is an “addressable” Implementation Specification under both the Access Control and Transmission Security Standards

Encryption required where “reasonable and appropriate”

Decision not to encrypt must be documented in writing for later Office of Civil Rights review

Page 32: USLFG Corporate & Securities Presentation


Massachusetts Data Security Laws

Requires “Comprehensive” data security program that includes:

• Designated responsible employee(s)

• Identification & assessment of risks

• Employee security policies

• Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)

• Encryption of data that will “travel across public networks” or that will be “transmitted wirelessly”

Page 33: USLFG Corporate & Securities Presentation


We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in.

The universe believes in encryption.

It is easier to encrypt information than it is to decrypt it.

— Julian Assange, in the introduction of Cypherpunks: Freedom and the Future of the Internet

Page 34: USLFG Corporate & Securities Presentation


Why Encrypt?

May be required by existing law

Best protection against data breach notification requirements

Fast becoming a “reasonable” or “industry standard” security measure

• Most privacy policies assure users that the company employs “reasonable” security measures or the like

• Growing body of law and regulatory decisions provides bases for plaintiff’s experts to claim encryption is required

Page 35: USLFG Corporate & Securities Presentation


Questions?

Dan Nelson, CIPP/US, Partner, Armstrong Teasdale LLP

314.552.6650

[email protected]

http://twitter.com/DanNelsonEsq

www.linkedin.com/in/danielcnelson

Page 36: USLFG Corporate & Securities Presentation


The Interactive Web and the Law: Emerging Technologies’ Impact on Your Practice

Jeff Schultz, Armstrong Teasdale LLP

October 11, 2013

Page 37: USLFG Corporate & Securities Presentation


The Challenge

“If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand.”

— Justice Stephen Breyer

Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”

Justice Scalia: “You mean it doesn't go right to the other thing?”

— Justice John Roberts to Justice Antonin Scalia Regarding How a Text-Messaging Service Works

Page 38: USLFG Corporate & Securities Presentation


What is the Interactive Web

Web 2.0

Includes social media, blogs, interactive websites, and more

A tool for communicating

Information is shared globally

Web 3.0?


Page 39: USLFG Corporate & Securities Presentation


It’s Unavoidable

Pinterest overtook LinkedIn to become No. 3

Almost 1 billion Facebook users

• 54% access via mobile

• 23% check Facebook 5 times or more daily

• 1 million websites have integrated with Facebook

Over 40 million photos are uploaded to Instagram every day

More apps using location data to connect users

Fastest growing segment for use: 45-54 year olds

Political campaigns using social media

56% of customer tweets are being ignored


Page 40: USLFG Corporate & Securities Presentation


Zuckerberg’s Law of Information Sharing

“I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before.”


Page 41: USLFG Corporate & Securities Presentation


Is the Interactive Web Changing Our Definition of “Privacy”?

Courts allowing access to user accounts

Questions arising about who owns the data you share

Courts dealing with issues concerning GPS tracking, phone location records, and other location data collected by social media applications

Do privacy settings actually make your data private?


Page 42: USLFG Corporate & Securities Presentation


What Data Does Facebook Really Collect (and Keep)?

The obvious: what you see on the screen

“Europe v. Facebook” Group Information Request:

• All friend requests and your responses;

• All Event invitations and your responses;

• IP address used for each Facebook login;

• Camera metadata, even for photos where you untagged yourself;

• Credit card information;

• Geo-location information, including latitude, longitude, and time/date.

See europe-v-facebook.org/fb_cat1.pdf


Page 43: USLFG Corporate & Securities Presentation


Many areas of the law are impacted

• Corporate

• Securities

• Labor and Employment

• Litigation

• Intellectual Property

• Discovery

• Ethics

Page 44: USLFG Corporate & Securities Presentation


Legislation Regarding Individuals’ Use of the Interactive Web

California: illegal to impersonate others online

Missouri: briefly made it illegal for teacher to “friend” students

Potential liability under state computer tampering statutes for accessing, using, disclosing, receiving or retaining data without authorization


Page 45: USLFG Corporate & Securities Presentation


Legislation (continued)

California, Illinois, Maryland, and Michigan: illegal for employers to ask job applicants or workers for social media passwords

California, Delaware, Michigan, and New Jersey: illegal to ask students to disclose social media passwords

At least 14 states (including Missouri) introduced legislation in 2012 that would restrict employers from requesting access to social networking usernames and passwords of applicants, students or employees

SNOPA (Social Network Online Protection Act): Congress wants to make it illegal for employers and schools to ask for social media passwords of employees, students, and applicants


Page 46: USLFG Corporate & Securities Presentation


Regulations Regarding Social Media

FTC:

• Employees/contractors who endorse their employer’s products must clearly and conspicuously disclose their relationship

SEC:

• Risk Alert issued January 4, 2012 by the Office of Compliance Inspections and Examinations (Investment Adviser Use of Social Media)

• Threatened action against Netflix CEO for alleged violation of Reg FD (CEO congratulated Netflix team on Facebook for surpassing 1 billion hours in monthly viewing)

Page 47: USLFG Corporate & Securities Presentation


Regulation (continued)

NLRB:

• Closely reviewing policies for compliance with section 7 rights

• Problems created by confidentiality provisions

FDA (regulations not final; long delayed):

• Only addresses responses to requests re off-label uses. Does not address how to utilize space-limited sites like Twitter to convey risk and safety information for a fair balance

• Does not provide clear guidance on the dos and don’ts of social media marketing


Page 48: USLFG Corporate & Securities Presentation


Location Data


Patterns of Movement

Awareness of Location

Page 49: USLFG Corporate & Securities Presentation


Location Data


Page 50: USLFG Corporate & Securities Presentation


Social Media and Discovery: Many Different Approaches

Considered social media under Stored Communications Act and denied production

One side ordered to turn over its passwords

Parties ordered to friend the judge for review of photos and comments in camera

Review of accounts in camera to identify potentially relevant and discoverable information


Page 51: USLFG Corporate & Securities Presentation


Where Will the Balance be Found?

Social Media is not “privileged” or entitled to special protections (i.e. no “expectation of privacy”)

But, not “open season” on everything in one’s Social Media space

• No “generalized right to rummage” through private posts

• Application of established rules regarding “Relevant or reasonably calculated to lead to the discovery of relevant information”

Turnover of username/password: courts have not yet addressed the conflict this creates with a site’s Terms of Use


Page 52: USLFG Corporate & Securities Presentation


Authentication

Rule 901: To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims.

Consensus among many courts and legal commentators that the rules of evidence already in place for determining authenticity are at least generally “adequate to the task” with respect to electronically generated, transmitted and/or stored information (including social networking sites). See Tienda v. State, 358 S.W.3d 633 (Tx. Ct. App. 2012).

There is no single approach to authentication that will work in all instances. The best approach will depend upon the nature of the evidence and the circumstances of the particular case.

Page 53: USLFG Corporate & Securities Presentation


The Aspiring Firefighter

Employee had back surgery in October

• Employee claimed leave ran until December 30, 2009

• Employer claimed leave ran until December 2, 2009.

Employee terminated when he didn’t return to work

Claim: disability discrimination and violation of FMLA rights


Page 54: USLFG Corporate & Securities Presentation


Page 55: USLFG Corporate & Securities Presentation


The Double-Sting

The Sting:

• Ex-Wife sets up a fake Facebook account for “Jessica” (a 17 year old girl) to get info for child custody battle

• Ex-Husband asks “Jessica” to find a hit man to kill Ex-Wife: “you should find someone at your school…that would put a cap in her ass for $10,000.”

• Ex-Husband is arrested

The Double-Sting:

• Ex-Husband freed after proving he knew all along that Ex-Wife was “Jessica”

• Ex-Husband played along with Ex-Wife’s ruse to use it against her in their custody case.

Page 56: USLFG Corporate & Securities Presentation


Contact Information

Jeff Schultz, Partner, Armstrong Teasdale LLP

314.259.4732

[email protected]

http://twitter.com/JeffSchultzEsq

http://twitter.com/AT_Law

http://twitter.com/AT_Live

http://twitter.com/AT_Innovate

Page 57: USLFG Corporate & Securities Presentation


Recent Delaware Corporate Law Developments

Greg Williams, Richards, Layton & Finger

October 11, 2013

Page 58: USLFG Corporate & Securities Presentation


Open Discussion

October 11, 2013

Page 59: USLFG Corporate & Securities Presentation


Business Meeting of the Committee

October 11, 2013