
InfoLawGroup

privacy. security. technology. media. advertising. intellectual property.

NIST to Launch Big Data Working Group

Posted in Big Data

The National Institute of Standards and Technology (“NIST”), which we’ve written about at length in the past in connection with its ongoing data security and cloud computing related work, announced the formation of a Big Data Working Group today, with a “kick-off” conference call this Wed., June 19, from 1-3pm EDT. The group is spearheaded by co-chairs Bob Marcus and Wo Chang and will meet weekly online and via phone conference on the road to producing draft deliverables by Sept. 2013.

NIST’s announcement highlights:

“Despite the widespread agreement on the opportunities and current limitations of Big Data, a lack of consensus on some important, fundamental questions is confusing potential users and holding back progress. What are the attributes that define Big Data solutions? How is Big Data different from the traditional data environments and related applications that we have encountered thus far? What are the essential characteristics of Big Data environments? How do these environments integrate with currently deployed architectures? What are the central scientific, technological, and standardization challenges that need to be addressed to accelerate the deployment of robust Big Data solutions?”

Among the announced deliverables are the development of Big Data Definitions, Big Data Taxonomies, Big Data Reference Architectures and a Big Data Technology Roadmap. General questions to the NIST Big Data Working Group can be sent to BigDataInfo@nist.gov.

See you on the kick-off call on Wednesday.

Damien Wint Joins InfoLawGroup as Counsel in the New York City Office

Posted in Announcements

New York attorney Damien Wint has joined InfoLawGroup LLP as Counsel. Mr. Wint comes to InfoLawGroup by way of Weil, Gotshal & Manges LLP and Manatt, Phelps & Phillips, LLP with significant experience related to digital advertising, data security, privacy, new media licensing, and intellectual property. He is a member of the International Association of Privacy Professionals and has earned the organization’s Certified Information Privacy Professional designation. Mr. Wint has both an A.B. and J.D. from Harvard University, and was Senior Editor of the Harvard Negotiation Law Review.

InfoLawGroup Thanks Clients, Attorneys and Staff for Chambers Recognition

Posted in InfoLawGroup

InfoLawGroup is honored to be named by Chambers and Partners as one of the nation’s leading Privacy & Data Security law firms.

This recognition comes ahead of the firm celebrating its fourth birthday this fall. In 2009, partners Scott Blackmer, Tanya Forsheit and David Navetta launched InfoLawGroup with the goal of offering clients a broad range and depth of “information law” advice. In the founders’ vision, the firm would bring together an experienced bench that would compete head to head with information management, privacy and data security law practices at the nation’s largest law firms. Intrigued by InfoLawGroup’s vision and the ground-level opportunity, partner Boris Segalis became part of the firm in 2010. Two nationally recognized privacy and advertising partners, Justine Gottshall and Jamie Rubin, joined the firm in 2011.

From the three partners in 2009, the firm has grown to an integrated national boutique practice of fifteen attorneys and staff, including partners Scott Blackmer, Tanya Forsheit, Justine Gottshall, David Navetta, Heather Nolan, Paul Paray, Alexis Payne, Jamie Rubin and Boris Segalis, senior counsel Evan Brown and Richard Santalesa, counsel Shannon Harell, Andrew Hoffman and Benjamin Stein, and firm administrator Kristin Tucker. The firm’s attorneys practice in New York, Chicago, Los Angeles, Denver and Salt Lake City.

Over the past four years, we all have worked to establish InfoLawGroup as the go-to firm for data, security and technology law, writing our in-depth blog, and speaking, writing and teaching about information law. While the primary recognition for which we strive is that from our clients and colleagues, we are delighted to receive public acknowledgment from Chambers in their national ranking.

We are grateful to our clients for recommending us, and thank all of our attorneys and staff whose hard work has made InfoLawGroup a success.

Court Refuses to Enter Injunction Requiring Tortious Content to be Taken Off Website

Posted in Damages

Plaintiff obtained a jury verdict and almost $200,000 in damages over an article in a trade association publication that cast him in a false light. When the publication kept the offending article on its website, plaintiff sought relief for the alleged “continued tortious conduct.”

Defendant moved to dismiss, arguing, among other things, that the question was barred by res judicata, and that the plaintiff sought an impermissible remedy. The court granted the motion and dismissed the case.

On the res judicata question, the parties were the same, the legal claim was the same and pertained to the same article. The jury had made a final determination and the court denied post-trial relief. So dismissal on res judicata was warranted.

As for the sought-after relief being impermissible, the court considered whether the case should be subject to an exception of the equitable maxim providing that a court will not enjoin a libel. In this case, the court found no basis for applying that exception, especially given that plaintiff had received a remedy at law and six figures in damages.

Graboff v. American Ass’n of Orthopaedic Surgeons, 2013 WL 1875819 (E.D.Pa. May 3, 2013)

NIST Releases Cloud Computing “Security Reference Architecture” (SP 500-299) for Public Comment

Posted in Cloud Computing

The National Institute of Standards and Technology (“NIST”) loves its “Special Publications” the way IRS agents love new tax forms. NIST’s SP’s, however, are much more useful, and its latest Special Publication release in draft form for public comment, SP 500-299 “Cloud Computing Security Reference Architecture” introduces NIST’s Cloud Computing Security Reference Architecture (“SRA”) as the latest piece in NIST’s broader cloud computing review.

The SRA provides a “comprehensive formal model to serve as security overlay” to NIST’s earlier cloud “reference” architecture, detailed in yet another NIST SP, namely, 500-292: Cloud Computing Reference Architecture. NIST is seeking public comments on the draft SRA, due July 12, 2013 per instructions at NIST’s Cloud Security Twiki page.

Concerns regarding “GRC” matters – governance, risk management and compliance issues – have dogged the cloud landscape since the phrase first hit the common lexicon. As one response, NIST is tasked, pursuant to FISMA, with producing and promulgating federal guidance and standards regarding cloud definitions, security and reference architectures to be adopted by Federal agencies. For the past several years NIST cloud-related working groups, in cooperation with various public and private stakeholders, have done yeoman’s work in developing a reference library of special publications addressing cloud operations, management and security as guidance for federal agencies. (Full disclosure: I’ve taken part in various NIST cloud-related work groups.)


InfoLawGroup to address Connecticut Association of Paralegals

Posted in Events

Senior Counsel Richard Santalesa will address the Connecticut Association of Paralegals at its June 12, 2013 member event on how technological developments have affected the practice of law, from the way we now conduct legal research and present evidence at trial to the way law firms are managed, with links to the changing expectations attorneys have of paralegals in today’s digital world.

Lessons From When Cyber Security Meets Physical Security

Posted in Cybersecurity, Reasonable Security

Data security and what qualifies as “reasonable” security is on everyone’s mind these days – at least if you’re involved in IT, or responsible for addressing any aspect of the “GRC” troika of governance, risk management and compliance issues.

Sometimes overlooked on the cyber side, however, is the interaction of cyber with real world, physical security and how the two can mutually reinforce and benefit each other and security overall.

This fact was brought home as I attended in New York City this week ASIS International’s Security Conference and Expo, which was co-located with the Computer Forensics Show and CyBit (Cyber security and IT security) Expo.

The frequently beefy, bull-necked attendees at the NYC ASIS conference, where you couldn’t turn around without running into someone wearing the dress uniform of a federal, state or municipal law enforcement agency, were a far cry from the populace that generally patrols and sits on panels at cyber security events. But we should rub elbows with our colleagues manning the physical security wall more, for a variety of reasons, not the least of which is that many physical “security” solutions have already embraced, or soon will embrace, the digital, and digital security controls and contracts increasingly address – or should be addressing – physical security specifics with more particularity than in days past.

California’s Right to Know Law Put on Hold

Posted in Advertising Law, California, Data Privacy Law or Regulation

As reported by the LA Times, “a powerful coalition of technology companies and business lobbies, the California Chamber of Commerce, insurers, bankers and cable television companies as well as direct marketers and data brokers” were able to stop a California bill aimed at giving consumers greater insight as to the use of their personal data.

First introduced in February by Assemblywoman Bonnie Lowenthal (D-Long Beach), the proposed Right to Know Law (AB 1291) would have implemented major revisions to existing law and created new rights for consumers. Specifically, the proposed law would require

any business that has a customer’s personal information, as defined, to provide at no charge, within 30 days of the customer’s specified request, a copy of that information to the customer as well as the names and contact information for all 3rd parties with which the business has shared the information during the previous 12 months, regardless of any business relationship with the customer.

This new level of transparency might have helped soothe consumer concerns. According to a 2012 USC Dornsife/Los Angeles Times poll, “82 percent of Californians said they are ‘very concerned’ or ‘somewhat concerned’ about Internet and smartphone companies collecting their personal information.” On the other hand, providing a full and accurate accounting of who had access to a consumer’s data – even to only the small percentage of consumers who would actually take the time to request it – would have generated a major undertaking for a wide range of companies. It is not surprising that the companies who fought so hard to pull the plug on this bill represent a very diverse coalition of businesses.

Even if this bill does not get revived in a new form sometime in the future, the prospect of what it might have brought to the table should serve as a wake-up call to those businesses deep into online behavioral advertising. It may be time to better understand just who has access to what information – and it may not eventually matter whether that information belongs to a current client or consumer or whether it was anonymized. As usual, staying in front of the regulatory curve remains a sound business practice.

Arkansas Becomes Seventh State to Enact Employer Social Media Law; Questions Arise Regarding Supervisor-Employee Connections

Posted in Employment Law, Privacy Law, Social Networking, Workplace Privacy

Last week, Arkansas enacted H.B. 1901, joining California, Illinois, Maryland, Michigan, New Mexico, and Utah in restricting employer access to social media or personal accounts. A total of seven states now have such laws. New Jersey’s harsh bill, which we have covered, has cleared the Assembly and is awaiting the Governor’s signature. The Arkansas law provides in pertinent part:

An employer shall not require, request, suggest, or cause a current or prospective employee to:

(A) Disclose his or her username and password to the current or prospective employee’s social media account;

(B) Add an employee, supervisor, or administrator to the list of contacts associated with his or her social media account; or

(C) Change the privacy settings associated with his or her social media account.

Although the Arkansas law closes potential loopholes created by some other similar state laws that did not prohibit employers from requiring employees or job applicants to become a “friend” or “connection” with the employer or its employees, this provision may also raise potential new concerns that could be tested in a future case. For instance:

  • Is a supervisor prohibited from sending a friend request to an employee he or she supervises? One could argue that the act of sending a request constitutes a ‘request’ or ‘suggestion’ that is prohibited by the statute. If so, potential First Amendment problems may arise. Is this particular act of the supervisor imputed to the employer if the employer otherwise has no hand in causing the friend request to be sent?
  • From whose perspective is it determined whether a connection request is a statutory “request?” Employers and employees or job applicants may have different perspectives on this question.

Even those employers that do not maintain a policy of requiring access to employee social media accounts may wish to keep an eye on the development of these laws, based on possible issues noted above. As more states will likely enact similar laws in the future and tinker with the restrictions on employer conduct, the waters could get murkier still. Proactive employers may wish to begin considering potential revisions to their social media policies.

FTC Updated FAQs for Amended COPPA Rule: Key Points

Posted in Apps, Children's Privacy, Marketing, Privacy Law

For operators of web sites, apps and other online services, change is definitely coming – and quickly. On April 25, 2013, the Federal Trade Commission (“FTC”) issued updated Frequently Asked Questions (the “FAQs”) for its amended implementing rule (the “Rule”) for the Children’s Online Privacy Protection Act (“COPPA”). The FAQs give some additional insight regarding the changes and updates to the Rule (for a summary of those changes, see our earlier coverage). Key takeaways of the FAQs include:

  • The Rule will take effect on July 1, 2013 – the FTC has not granted an extension.

Anticipate that the FTC may act quickly to enforce the new Rule. All web sites and other online services should evaluate whether they are in full compliance with COPPA and the amended Rule and, if applicable, take immediate steps toward compliance in order to meet the July 1 deadline.

  • The FTC clarified the extent to which the new Rule will apply to previously collected data:

Geolocation Data: The Rule only covers geolocation information precise enough to identify street name and city or town. The FTC considers its specific delineation of this type of data a mere clarification of existing regulation. Accordingly, if prior to July 1 an online service collected precise geolocation data without parental consent, the online service must immediately obtain parental consent. Note that this data may be collected passively and unintentionally, as geolocation information is sometimes automatically associated with uploaded files (such as pictures and video).

Photos, Videos and Audio Files: Online services may retain previously collected files containing a child’s image or voice without obtaining parental consent. However, the FTC recommends ceasing use or disclosure of this type of information without parental consent as a “best practice.” Thus, businesses should consider carefully whether they will continue to use, disclose or retain photographs, videos and audio files after the Rule takes effect July 1. Note, too, that the FTC states it is acceptable to post photos where the child’s face is blurred and not recognizable.

User Names and Screen Names: The amended Rule is broader in its definition of user and screen names as personal information, such that as of July 1, these types of identifiers are “personal information” if they permit direct online contact with a person. Similar to photos, videos and audio files, organizations may retain, without parental consent, previously collected user and screen names (and similar identifiers) that are newly subject to the Rule. However, the Rule will apply to these identifiers if an organization associates any new information with the identifier after the Rule takes effect July 1. In addition, the FTC recommends obtaining parental consent as a “best practice.” Thus, online services should fully analyze their use of screen names and similar identifiers to determine if they will trigger the new Rule and consider obtaining parental consent.

Persistent Identifiers: Starting July 1, a persistent identifier (such as an IP address) is “personal information” subject to the Rule if it can be used to recognize a user over time and across different web sites or online services (whether or not combined with individually identifiable information). Here, too, organizations may retain, without parental consent, persistent identifiers that are now covered by the Rule but were not previously subject to it. However, the Rule applies to any collection on or after July 1 of that persistent identifier or any association of information with that persistent identifier (e.g., association of an IP address with browsing activity on a web site). Accordingly, beginning July 1, online services will need prior parental consent to collect data using persistent identifiers unless the information is used solely for support of internal operations or falls within another exception under the Rule.

  • Mobile phone numbers are not “online contact information” as defined by the Rule.

Accordingly, operators of online services must not collect mobile phone numbers from children as part of the process to obtain parental consent. Instead, operators should collect an email address, IM user identifier, VOIP identifier, video chat user identifier or other substantially similar identifier. However, once in contact with the parent, the parent may provide his or her mobile phone number for further communications.

  • The FTC provided App-specific guidance:

Parental Notice and Consent: All operators of online services (whether App, website or other online service) may collect from the child the parent’s online contact information for the sole purpose of providing direct notice to the parent. The FTC also recognizes that other acceptable means are available through Apps, and operators may use those other means, such as through the mobile device, so long as the mechanism used provides notice and obtains the parent’s consent prior to collection of personal information from the child and is reasonably designed to ensure that it is the parent who receives the notice and gives consent. Note, however, that an App may not rely on collection of an app store account number or password to fulfill the Rule’s notice and consent requirements without other indicia of reliability, which may include knowledge-based authentication questions, because it cannot be assumed that the app store account information (user name or account number and password) was provided by the parent and not the child.

Locally Stored Content: An app is not “collecting” personal information and does not trigger compliance obligations merely because it includes features that allow a user to upload photos or otherwise interact with personal information stored on the device, so long as that information remains locally stored and is never transmitted from the device.

Privacy Policies: All operators of online services, including apps, must post a clear and prominent link to the applicable privacy policy on the home or landing page or screen and any place where personal information is collected from children (e.g., on a registration form). The Rule does not require a privacy policy at point of purchase for apps, but note that operators must provide direct notice and obtain verifiable parental consent prior to collecting personal information from children. Thus, if an app subject to COPPA collects personal information as soon as it is downloaded, the operator must provide notice and obtain consent at the point of purchase or through a landing page prior to the completion of the download. In addition, the FTC encourages all apps to provide the privacy policy link at the point of purchase as a “best practice.”

  • The FTC provided specific guidance regarding online advertising:

Key points from the FAQs with regard to how the Rule impacts online advertising include:

  • Behavioral advertising triggers the Rule; it does not fall within the term “support for internal operations,” and thus there is no exception for collecting persistent identifiers if they are used for behavioral advertising.
  • A child-directed content provider will be strictly liable for any collection of personal information (including persistent identifiers such as IP address) by a third party.
  • A child-directed content provider must provide notice and obtain prior parental consent before allowing any third party to collect personal information from visitors.
  • It is acceptable for a child-directed content provider to allow for contextual advertising on the site – but it must ensure that doing so does not otherwise violate COPPA or the Rule.
  • A company (for example, an online advertising service) that collects information through a third party web site or other online service will have “actual knowledge” that it has collected personal information from users of a child-directed site or service if: (1) the content provider directly provides that information; or (2) a representative of the company recognizes that the nature of the content on the third party site or service is child-directed.
  • Online services partially directed to children may age-screen but may not block users who are younger than age 13.

The Rule allows a web site, app or other online service that falls under the definition of being directed toward children, but where children are not the primary audience, to use an age screen to differentiate between child and non-child users. Businesses must then either obtain parental consent or not allow children to participate in features and activities that collect personal information as defined by the Rule. However, the FTC makes clear repeatedly in the FAQs that businesses must not altogether prohibit children from participating in a site or service that is “child-directed” as determined by a preponderance of factors as set forth in the Rule and FAQs. Organizations should take care in determining whether their online service is “directed to children” and, if so, whether it is directed to children as the “primary audience.” Any age-screening mechanism should comply with FTC guidance (including with regard to not blocking child users for at least certain types of sites and taking care not to encourage children to falsify their information).

  • Reasonable security measures include contract provisions and periodic monitoring.

Organizations must determine that third parties have reasonable practices in place to maintain the confidentiality and security of data prior to sharing personal information of children with those third parties. The FAQs state that contracts with service providers should specifically address this issue and that the entity sharing the data must use reasonable means, such as periodic monitoring, to confirm that the third party is, in fact, maintaining the confidentiality and security of the information.

  • Operators of online services may need to update their privacy policies and online practices.

All businesses operating websites, apps and other online services, particularly those targeting children and teenagers, should evaluate whether their business practices trigger the Rule and take appropriate compliance steps, including updating the privacy policy as needed. For example, an online operator may need to update the description of personal information it collects from children to reflect the updated definition of “personal information” in the Rule and may need to address third parties (such as those providing plug-ins or online advertising services).