Cyber Insurance: An Efficient Way to Manage Security and Privacy Risk in the Cloud?

As organizations of all stripes increasingly rely on cloud computing services to conduct their business (with many organizations entering into cloud computing arrangements with multiple cloud providers), the need to balance the benefits and risks of cloud computing is more important than ever. This is especially true when it comes to data security and privacy risks. Cloud providers are sitting on reams of data from thousands of customers, including sensitive information such as personal information, trade secrets, and confidential and proprietary information. To criminals, cloud providers are prime targets. At the same time, based in large part on the amount of risk aggregated by cloud providers, most cloud customers are unable to secure favorable contract terms when it comes to data security and privacy. While customers may enjoy some short-term cost benefits by going into the cloud, they may be retaining more risk than they want (especially where cloud providers refuse to accept that risk contractually). In short, the players in this industry are at an impasse. Cyber insurance may be a solution to help solve the problem.

NLRB Issues Second Report Reviewing Social Media Enforcement Actions

On January 25, 2012 the National Labor Relations Board (“NLRB”) Office of the General Counsel released a report summarizing fourteen cases that were before the NLRB concerning the “protected and/or concerted nature of employees’ social media postings and the lawfulness of employers’ social media policies and rules” (“Report”). The Report followed up on an earlier report issued by the NLRB Office of the General Counsel on August 18, 2011 and reiterated two main principles set forth in that earlier report:

  • Employer policies should not be so broad that they prohibit, discourage or chill activity that is protected by Section 7 of the National Labor Relations Act (“NLRA”) (e.g., discussion of wages or working conditions). Specifically, the Report made clear that:
    • Specific examples of the type of conduct prohibited should be included in any social media policy (i.e., do not disclose “trade secrets”, as opposed to do not post “sensitive information” about the company).
    • The policy should carefully carve out and protect employees’ specific rights under the NLRA; a general savings clause is insufficient.
    • The policy should not use vague terms like “appropriate” or “professional” without providing clear definitions for those terms.
  • Employee comments on social media networks generally are not protected if those comments are mere complaints about or general dissatisfaction with the job (e.g., “I hate my job!” or “My boss is mean!”). The comments will be protected if they are associated with an expression of shared concern, such as a dialogue about how bad the work environment is and what employees can do to fix it in response to a single employee’s wall post about the job.

NIST Issues Finalized Guidelines for Managing Security & Privacy in Public Cloud Computing

Say what you will about the federal government, the Nat'l Institute of Standards & Technology ("NIST"), part of the Department of Commerce, has certainly been busy over the past year releasing numerous special drafts and reports addressing cloud computing recommendations, security and issues. [Full disclosure: I'm a member of several NIST working groups, including one currently working on the NIST draft of Challenging Security Requirements for US Government Cloud Computing Adoption.]

Carrying on with its cloud mission, NIST last week released the finalized 80-page version of its special publication Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144) (the "Guidelines"). The Guidelines provide, in NIST's description: "an overview of the security and privacy challenges facing public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. The document provides insights on threats, technology risks and safeguards related to public cloud environments to help organizations make informed decisions about this use of this technology."

The Legal Implications of Social Networking Part Three: Data Security

In 2011, InfoLawGroup began its “Legal Implications” series for social media by posting Part One (The Basics) and Part Two (Privacy). Well, after fourth-quarter year-end madness and a few holidays, Part Three is ready to go. In this post, we explore how security concerns and legal risk arise and interact in the social media environment. Again, the intended audience for this blog post is organizations seeking to leverage social media and to understand and address the risks associated with its use.

As might be expected, criminals view social media networks as fertile ground for committing fraud. There are three main security-related issues that pose potential legal risk. First, to the extent that employees are accessing and using social media sites from company computers (or, increasingly, from personal devices connected to company networks or storing sensitive company data), malware, phishing and social engineering attacks could result in security breaches and legal liability. Second, spoofing and impersonation attacks on social networks could pose legal risks; here the risk includes fake fan pages or fraudulent social media personas that appear to be legitimately operated. Third, information leakage is a risk in the social media context that could result in an adverse business and legal impact when confidential information is compromised.

Twitter Followers = Trade Secrets?

Phonedog v. Kravitz, currently pending in the Northern District of California, raises unprecedented issues regarding social media. Is a list of Twitter followers protected as a trade secret under California law? What is the value of a Twitter follower? $2.50 per month? I discussed these questions today with Fox News.

Privacy Hot Topics for 2012

As 2011 has come to a close, many of us are thinking about what 2012 will bring. With regard to privacy, there are numerous key issues to choose from (and I am sure many privacy professionals would add to this list) – but from a corporate compliance standpoint, here are my top five picks for hot topics to address in 2012:

A Handful of 2012 Privacy & Security Predictions

Even though 2011 was an extremely active year on the information security and privacy fronts – with a blizzard of proposed legislation, near-weekly front-page data breaches and the continued full leap into the cloud with its security issues – I predict that 2012 events across the privacy and data security landscape will make 2011 look like a walk in the park. A handful of thoughts on what 2012 may hold:

FTC Seeks Public Comments on Facial Recognition Technology

Although Christmas, the holiday season and the end-of-year break are on most people's minds, the FTC soldiers on. Right before Christmas it announced that it is seeking public comments on facial recognition technology, the latest bête noire to hit the privacy stage in some circles. The deadline for filing a public comment is January 31, 2012. Directions for electronic filing of comments are available at https://ftcpublic.commentworks.com/ftc/facialrecognition, while those favoring paper-based comments can find directions at the bottom of the press release at http://www.ftc.gov/opa/2011/12/facefacts.shtm.

Contracting for Cloud Computing Services

The Knowledge Group/The Knowledge Congress Live Webcast Series, a leading producer of regulatory focused webcasts, has announced that InfoLawGroup attorney, Richard Santalesa, will be speaking at the Knowledge Congress’ webcast entitled: “Contracting for Cloud Computing Services: What You Need to Know” scheduled for February 14, 2012 from 12:00 PM to 2:00 PM ET.

For more details and to register for this event, please visit the event homepage: http://www.knowledgecongress.org/event_2012_Cloud_Computing.html

InfoLawGroup and ACE USA Social Media Risk Podcast

InfoLawGroup attorneys recently joined risk management professionals from ACE USA, the U.S.-based retail operating division of the ACE Group, to record a companion podcast to our whitepaper “Social Media: The Business Benefits May be Enormous, But Can the Risks – Reputational, Legal, Operational – be Mitigated?”

The free podcast is available for download at http://infolawgroup.com/files/ACESocialMediaRisks.mp3 or through ACE at http://traffic.libsyn.com/lubetkin/ACESocialMediaRisks.mp3

The white paper was co-authored by Toby Merrill, VP, ACE Professional Risk, Kenneth Latham, VP, ACE Professional Risk, InfoLawGroup Partner David Navetta, Esq., CIPP, and InfoLawGroup Senior Counsel, Richard Santalesa, Esq.

InfoLawGroup Senior Counsel To Brief Risk Management Executives

Richard Santalesa will be briefing senior executives with responsibility for risk management this Wednesday, Dec 14th, at a Symantec & Conventus event in Minneapolis. Registration is still open, and additional registration information is available here.

The topic: 2011 has been heralded as the year of the security breach. But what does that mean for you and your organization?

Nitro, Duqu and Stuxnet are threats that made the headlines, but what is the potential impact on your organization? You have read about these threats, but what do you do about them?

  • What are the realities of these new threats?
  • What are the legal ramifications of being impacted by one of these threats?
  • How will this impact you and your organization?

Joining Attorney Santalesa is Tim Gallo, Senior Technical Product Manager, DeepSight & Security Intelligence Group (S*I*G) Symantec Corporation.

W3C Publishes Draft "Do-Not-Track" Standards

After a flurry of "Do-Not-Track" announcements and proposals early this year by the IETF, CDT, Microsoft and Mozilla, in response to the FTC's release of its December 2010 draft privacy framework, which we covered in detail, the W3C's Tracking Protection Working Group recently released the second draft of its Do-Not-Track standards in two parts: a Tracking Preference Expression (DNT) and a Tracking Compliance and Scope Specification.

Location, Location, Location

Tanya Forsheit recently appeared on Fox to discuss the Supreme Court’s evaluation of GPS surveillance under the Fourth Amendment in US v. Jones. The case raises important issues regarding technology, aggregation of data, and privacy expectations with respect to location information.

Google+ Pages Allow Linking, but Not Hosting Promotions

Google+ just opened itself up for businesses and now allows entities to set up company Google+ pages. With this launch, Google announced a number of policies dictating what page owners can and cannot do on their Google+ page, including its “Contest and Promotion Policies.” These new policies outright prohibit anyone from running “contests, sweepstakes, offers, coupons or other such promotions” ("Promotions") directly on their Google+ Page. The policies, however, specifically allow linking to Promotions hosted elsewhere - on a company's own site and, presumably, third-party social networking sites - but only as long as the Promotion does not conflict with other Google+ policies, including the Google+ Privacy Policy, the User Conduct and Content Policy and the Google+ Pages Additional Terms of Service. These policies prohibit various actions that a company may want to take in connection with a Promotion, including "aggressively" adding users to circles and displaying third-party advertising on a Google+ page. Also, any applications linked to on a Google+ page must comply with the Google+ Platform Development Policies. The Google+ Contest and Promotion Policies also contain a laundry list of indemnities in favor of Google for any claims associated with a Promotion linked to on your company's Google+ page, even though the Promotion cannot be hosted on the page.

33rd Annual PMA Marketing Law Conference

This week, Jamie Rubin and Heather Nolan from the InfoLawGroup will speak at the industry’s leading marketing law conference, hosted by the Promotion Marketing Association. The 33rd Annual Marketing Law Conference will take place this Tuesday and Wednesday, November 15-16, at the Downtown Chicago Marriott/Magnificent Mile in Chicago, Illinois. Jamie Rubin will speak on a panel discussing “Using Current Technologies to Jumpstart Legally Compliant Promotions” in a Wednesday afternoon session. Heather Nolan will present a roundtable discussion about “Best Practices for Virtual Marketing, Blogs and Testimonials” on Wednesday morning. Registration is still available here.