Header graphic for print


privacy. security. technology. media. advertising. intellectual property.

Record Number of Data Breaches for New Yorkers in 2013

Posted in Privacy Law

Over the past eight years, the New York Attorney General’s office has been compiling statistics on data breaches pursuant to the state’s breach notification law.  Earlier this week, Attorney General Eric Schneiderman published a report titled, “Information Exposed: Historical Examination of Data Breaches in New York State,” which provides analysis and insight into how those breaches have affected New York residents.

It should come as no surprise that data breaches are on the rise, increasing both in size and frequency.  Between 2006 and 2013, more than 3,000 businesses, nonprofits and government entities reported data breaches involving New York residents.  In 2013 alone, New York experienced more than 900 data breaches which exposed the personal information of a record setting 7.3 million New Yorkers.  If we include data for the past eight years, that number balloons to 22.8 million.  By way of comparison, New York’s population last year was only 19 million.  If you live in New York, it is a good chance that at some point, your personal information potentially compromised.

The report also revealed that the leading cause of data breaches was hacking, accounting for over 40% of the number of breaches, with lost or stolen equipment in a distance second with only 23% of breaches. This figure is significant because, as noted in the report, not all breaches are created equal.   Hacking tend to compromise more personal records since they are often performed with the explicit goal of stealing information.

And yet, for most consumers, data breaches are merely a nuisance. However, for affected businesses, data breaches can be very costly.  The Attorney General’s office estimates that data breaches cost organizations doing business in New York State over $1.37 billion in 2013 alone.  This figure includes the cost of investigating the breach, notifying the affected individuals, and in some cases, providing free credit monitoring services for the affected individuals.  There, there are the indirect costs such lost sales and decreased stock price.  Any way you slice it, data breaches can be very expensive.  “What’s truly shocking about this report, beyond the fact that hacking is now the greatest threat to our personal information and costs us billions of dollars, is that many of these breaches could have been prevented,” said Attorney General Schneiderman.  “If millions of New Yorkers were exposed, one can only imagine how many have been compromised across the nation.”

The report goes beyond the historical analysis and provides a few simple steps organizations can take to help protect themselves.  These steps include identifying and minimizing data collection practices, as well as the creation and implementation of an information security plan.  The Attorney General also encourages entities to implement technical safeguarding, including:

  • Requiring encryption of all stored sensitive personal information;
  • Minimizing the storage of sensitive personal information on devices connected to the Internet;
  • Implementing hashing and salting of stored user passwords;
  • Incorporation of firewalls and up-to-date security software to protect corporate networks; and
  • Ensuring that all devices issued to employees require secure authentication to access encrypted sensitive personal information. 

There is nothing earth shattering about these recommendations.  However, as the figures in the report suggest, there remain a significant number of organizations that have failed to take these straightforward steps.

The full text of the Attorney General’s report is available on their website at

New COPPA Options for Verifiable Consent

Posted in Children's Privacy

Yesterday, the FTC gave its blessing to some new ways that covered organizations can obtain verifiable parental consent before collecting personal information from children under 13. The updated COPPA Rule FAQs offer expanded options to get consent using payment card information and for developers using a third party such as an app store to get consent.

If you want to collect payment card information to obtain parental consent, you may now have additional ways to get sufficient consent other than having to conduct a monetary transaction. In its updates to the FAQs, the FTC departed from its position that a financial transaction must occur for a parent’s payment card number to be used for consent. Collecting a 16-digit credit or debit card number alone is still insufficient to satisfy the standard, however, the FTC explained that a card number used in conjunction with another safeguard could be sufficient. For example, it may be enough to also ask questions that only the parents would know the answers. The revised FAQ answer suggests that other options could also be sufficient and depend on the available technology and circumstances.

If you are an app developer, the recent FAQ updates offer additional options for using a third party to get consent on your behalf. Formerly, the FAQs generally prohibited covered organizations from relying solely on a third party for consent. Now, app developers can have third parties obtain consent as long as the developers ensure that the COPPA requirements are met, including, for example, that the third party is using a method that is reasonably calculated based on available technology to ensure that the person providing consent is the parent. As one illustration, the third party may not simply require an app store account number or password, but must also require other indicia of reliability, such as knowledge-based authentication questions or verification of government identification. The FTC’s updated FAQ answer also reminds developers to provide direct notice outlining your information collection practices before the parent provides consent.

Finally, the FTC added a new FAQ that considers a platform’s liability if it takes advantage of the new options for helping developers obtain consent by providing a verifiable parental consent mechanism. The FAQ makes clear that app stores will not be liable as “operators” under COPPA for failing to investigate the privacy practices of the operators for whom they obtain consent, but points out that the platform may have liability under other laws such as Section 5 of the FTC Act.

Congratulations to Evan Brown

Posted in Announcements

InfoLawGroup congratulates our colleague Evan Brown on being named  by fastcase as one of the fastcase 50 for 2014.  The fastcase 50  honors entrepreneurs who are innovating in the area of legal services.  fastcase has recognized Evan as a “go-to expert for tech law in the media, from Wired to CNN and BBC.” Evan is also recognized for his extensive writing on emerging trends in law nd technology and as co-host for the netcast This Week in Law (TWIL).

Is the Supreme Court’s Aereo Decision a Setback for Cloud Innovation?

Posted in Copyright

One of the big questions preceding the Supreme Court’s decision in the Aereo case earlier this week was whether a holding against Aereo would put cloud services into such a legally precarious position that the innovation and investment climate would chill. While the decision clearly makes Aereo’s use of its technology illegal, one should not be too quick to foretell a drastic impact on all hosted services. Here are some reasons why.

What cloud?

Let’s be clear about what we mean by “the cloud” in this context. Aereo’s technical model – which the court found to infringe copyright – captured over-the-air television content using one tiny antenna per customer, transcoded that content into one copy per customer, which Aereo stored and then streamed on-demand to the customer. The court found that model bore an “overwhelming likeness to the cable companies targeted by the [1976 Copyright Act]” to an extent that Aereo was “for all practical purposes a traditional cable system.” Aereo’s technological attempts such as the one-copy-per-customer method that it used to distinguish itself from traditional cable services were immaterial to the court. Aereo looked like a cable company, so the court treated it as one, with all the copyright consequences that go along with that status.

Aereo was a cloud service inasmuch as it stored the TV content and served it to its users when those users initiated the performances. It was the cable-like functions that got it into trouble, not necessarily the cloud-provider functions. That arguably leaves the rest of what we consider cloud services – online collaboration tools, centralized communications systems, most hosted applications, and the like – outside the scope of the court’s decision. Most software-as-a-service models, whether to the consumer or at the enterprise level, are unlike cable systems and thus likely stand clear of the sweep of the Aereo sickle.

The technology could live on.

One must also be sure to recognize that the court’s decision did not kill the technology altogether, but instead killed the use of the technology in the hands of one who does not have ownership or license to the content being delivered. Since the court found that Aereo’s service was “substantially similar” to cable systems, Aereo, its successors, or other players in the space could look to monetize the technology while paying the compulsory licenses that Section 111 of the Copyright Act spells out in dizzying complexity. Or the broadcasters and other content stakeholders could acquire Aereo-like technology and use it to supplement the other means of content delivery currently at play. In either scenario, the needs for investment and innovation in providing infrastructure (as well as the need for clarity on network neutrality) remain firmly intact.

The real likely effect.

This is not to say that Aereo will have no effect on development of technology in areas outside the particular facts of the case. The court’s decision expands the class of online intermediaries who may be liable for direct copyright infringement. In that respect, the case differs from other important technology-provider copyright cases like the Betamax case, Grokster and the Cablevision case. In those cases, the main question before the courts was whether the providers were secondarily liable for the infringement committed by their users. In Aereo, however, the question was whether Aereo itself was liable for infringement committed by providing the technology to others. The Supreme Court held that Aereo was a direct infringer because its functionality so closely resembled a cable company.

So the court has given copyright plaintiffs some new, additional angles to consider when pursuing infringement litigation against technology providers. Does the technology so resemble the technical model of a cable delivery system, particularly from the perspective of the end user, such that it de facto publicly performs the works delivered by the system? If so, then the Aereo test forbids it. Moreover, the case fuzzies the relatively bright line that began to be drawn almost 20 years ago with Religious Technology Center v. Netcom, requiring that for an internet intermediary to be liable for direct infringement, it need undertake some volitional conduct in furtherance of the infringement. That fuzziness will no doubt embolden some plaintiffs who otherwise would not have seen the potential for a cause of action against future defendant-innovators.

In reality, few platforms are likely to actually get “Aereoed” in litigation. The ones at greatest risk will be those that facilitate access to streaming content provided by others. But the fact that ultimate liability may not lie against a provider will likely do little to stop aggressive copyright plaintiffs from trying out the theory against all forms of remote storage providers. That’s the problem Justice Scalia identified in his dissent when he said the decision “will sow confusion for years to come.” Let’s hope that’s mostly an overstatement.

Alert: The NAD Rejects Use of Aggregated Online Consumer Reviews As Substantiation for “Most Recommended” Claim

Posted in Advertising Law

In a case of first impression, the National Advertising Division (NAD) recently issued a decision concerning substantiation for consumer preference claims that should put advertisers on alert.

In, Euro-Pro Operating, LLC, Shark-brand Vacuum Cleaners, NAD Case Reports #5717 (May 29, 2014), the NAD reviewed an advertising claim Euro-Pro made for its Shark-branded vacuum cleaners in various media, including television commercials, infomercials, online advertising, and on product packaging. Euro-Pro’s competitor, Dyson, Inc., brought the claim to the NAD’s attention.

Continue Reading

Approaching the CASL: The Compliance Date for Canada’s Anti-Spam Legislation Draws Near

Posted in Uncategorized

The first phase of Canada’s Anti-Spam Legislation (CASL) goes into effect on July 1, 2014.  Accordingly, all businesses engaged in the transmission of Commercial Electronic Messages (CEMs) in Canada should assess their business practices and take steps to adhere to any applicable provisions of the law.  To that end, my February blog post summarizing several key elements of CASL is presented below.

Continue Reading

Are Data Breach Investigations Privileged?

Posted in Privacy Law

Over the past year, the number of data breaches has skyrocketed and, as a result, companies are facing increased risk of litigation for any perceived failure to protect their customer data.  In the context of data breach litigation, organizations routinely withheld from production documents related to internal compliance investigations on the grounds of the attorney-client or work product privilege.  A recent decision from a U.S. District Court in the District of Columbia calls into question the privileged status of those documents.

In U.S. ex rel Barko v Halliburton Co., a former contract administrator for Kellogg, Brown and Root (“KBR”) alleged that Halliburton and other KBR contractors inflated the costs of construction services on military bases in Iraq.  In connection with a qui tam suit, the administrator Harry Barko sought documents relating to possible violations of the corporate code of conduct.  KBR withheld documents related to internal compliance investigations on the grounds that they were privileged and Barko moved to compel production.  After an in camera review, a District Court Judge for the District of Columbia held that the documents were not protected by the attorney-client or work product privilege, but the reasoning behind that decision may surprise you.

In concluding that the documents were not privileged, the court highlighted the involvement of non-attorneys in the investigation process, the timing of the investigation in relation to the litigation, and the representations made to those involved, specifically that those being interviewed were not told about the legal nature of the inquiry.  However, the lynchpin of the court’s logic was that the investigations were taken pursuant to regulatory law rather than for purpose of obtaining legal advice.  Here, the court cited Department of Defense regulations that require contractors to have internal controls for compliance, including a mechanism, such as a hotline, by which employees may report suspected instances of improper conduct.  The court reasoned that an investigation would have been conducted regardless of whether legal advice was sought because compliance investigations were required by regulatory law and corporate policy.

In this regard, the court’s holding appears to be flawed because regulations are of course enforced by criminal investigations and civil actions, such as the one brought by the plaintiff.  While the regulations may require an investigation, the goal is not to force companies to conduct investigations for the sake of investigations, but instead to detect and respond to violations of those regulations.  Even without a mandate, a corporation must undertake an investigation before it can assess its potential liability and determine next steps.   Granted, some aspects of regulatory compliance will not involve rendering legal advice, such as employee training.  Nevertheless, Barko involved allegations of false claims and overbilling the federal government.  It seems counter-intuitive that an investigation into such allegations would not be in anticipation of litigation or, at a minimum, for the purpose of rendering legal advice to the corporation on how to proceed.

The court also appears to have overreached when concluding that the investigation would have been conducted regardless of whether legal advice was sought.  The idea, the court reasoned, was that the Department of Defense regulations require contractors to have internal control systems, such as KBR’s Code of Business Conduct, to facilitate the timely discovery and disclosure of improper conduct in connection with government contracts.  However, simply being required to investigate potential violations does not supplant nor override the ultimate purpose of the investigation, which is to determine whether there has been a violation of the law.

The facts in Barko are similar to those often encountered in the data breach context.  Consider a typical data breach under the Health Insurance Portability and Accountability Act (“HIPAA”).  As with Barko, the initial investigation may be handled by non-attorney personnel such as a member of the IT department, and may be guided by corporate policy and Department of Health and Human Services (“DHHS”) regulations.  Additional similarities can be seen in the Department of Defense regulations cited in Barko which required contractors to 1) have a written code of business ethics, 2) implement internal controls for compliance, 3) conduct internal and/or external audits, 4) enact disciplinary action for improper conduct, 5) timely report to appropriate government offices, and 6) fully cooperate with any government agencies.   Similarly, HIPAA requires covered entities to have 1) written policies and procedures regarding the protection of personal health information, 2) appropriate safeguards for protecting that information, 3) regular risk assessments, 4) sanctions against members who fail to comply with HIPAA rules, and 5) notification to the DHHS within 60 days for breaches, and imposes a duty on covered entities to provide records and cooperate with the DHHS in compliance reviews and investigations.


DOD Regs cited by Barko

HIPAA Requirements

Have a written code of ethics. Have written policies and procedures for protecting personal health information (“PHI”).
Implement internal controls for compliance. Implement appropriate safeguards for safeguarding PHI.
Conduct internal and/or external audits. Conduct regular risk assessments.
Enact disciplinary action for improper conduct. Enact sanctions against employees who fail to comply with the HIPAA rules.
Timely reporting to appropriate government offices. Notification to DHHS is required within 60 days for certain breaches.
Full cooperation with any government agencies is required. Imposes a duty to cooperate with DHHS in compliance reviews and investigations.


Given these parallels, it is likely only a matter of time before Barko is cited in the context of data breach litigation.  Nearly every U.S. state and several federal agencies have regulations that effectively require an organization to conduct an investigation any time there is security incident.  If the court’s reasoning in Barko is adopted by other districts, it may hinder an organization’s ability to assert the attorney-client or work product privilege over documents related to the investigation and response.

That being said, it is important to note that the precedential value of the Barko decision is currently limited to the D.C. District.  In addition, most significantly, the opinion does not purport to overturn, challenge or reinterpret existing jurisprudence, but instead relies entirely on existing case law as applied to the facts of the case.  As a result, organizations can and should take steps to avoid some of the same pitfalls that plagued KBR.  Specifically, organizations should clearly identify (from the outset and throughout) those investigations that are intended to be legally privileged – i.e., for the purpose of obtaining legal advice and at the direction of counsel – both in written documents and in communications with employees.  Further, internal and external counsel should lead or be heavily involved in any investigation where the organization may want to assert the attorney-client or work product privilege.

Court Opinion: US ex rel Barko v Halliburton Co

FTC Report on Data Brokers: An Analysis of the Call for Stronger Controls and Legislation

Posted in Big Data, FTC

Earlier this week, the Federal Trade Commission released its long awaited report on the data brokerage industry – Data Brokers:  A Call for Transparency and Accountability.  This report is the culmination of approximately two years of information collection, public workshops, and analysis by the FTC staff.  Notably, the Report recommends that Congress enact legislation to address several areas of concern.  The Report also discusses best practices that the data broker industry may adopt on its own.  Following up on issues raised in previous FTC Staff Reports, such as Protecting Consumer Privacy in an Era of Rapid Change published in March 2012, the FTC expresses significant concern about the growing data broker industry and its impact on consumers.  The Report acknowledges that the data broker industry provides substantial benefits to the U.S. economy as a whole and efficiencies that improve the lives of consumers.  However, the FTC expressed concerns that the industry operates in a manner that is largely unseen and unrecognized by consumers, creating a potential for substantial harm.

While the report focuses on the practices of the companies that provide data broker services, it should be noted that the recommendations would impact all participants in the data broker marketplace.  This would include the businesses that acquire information from data brokers for marketing, risk mitigation, people search, and other purposes.  This also includes the organizations that share information about consumers with data brokers.  It also bears notice that the Report defines data broker broadly – including “companies that collect consumers’ personal information and resell or share that information with others”.  In practice, this definition could sweep in a wide array of businesses involved in Internet publishing and advertising.  Accordingly, data broker customers, data sources, and service providers to all of these entities should proceed with caution as the regulatory and legislative landscape evolves, including the concerns and proposals presented by the Report discussed in detail below.

Continue Reading

InfoLawGroup Thanks Clients, Attorneys and Staff for 2014 Chambers Recognition

Posted in InfoLawGroup

InfoLawGroup is again honored to be named by Chambers and Partners as one of the nation’s leading law firms in Media & Entertainment and Privacy & Data Security. Of special note, three of our leading attorneys Justine Gottshall (click here for firm profile), Jamie Rubin (click here for firm profile), and Boris Segalis (click here for firm profile) were also recognized as leaders in their field in this year’s guide.

This recognition comes just ahead of the firm celebrating its fifth birthday this fall. From the three founding partners in 2009 (David Navetta (click here for firm profile), Tanya Forsheit (click here for firm profile)  and Scott Blackmer), the firm has grown to an integrated national boutique practice of fourteen attorneys and staff. The firm’s attorneys practice in New York, Chicago, Los Angeles, Denver,  Salt Lake City, Palo Alto and Washington D.C.

We are a go-to firm for privacy, data security, technology, media, advertising and intellectual property legal matters and continue to focus on our in-depth blog, and speaking, writing and teaching about all things information law. We are delighted to receive public acknowledgment from Chambers in their national ranking.  And we are grateful to our clients for recommending us, and thank all of our attorneys and staff whose hard work continues to make InfoLawGroup a success.

Say What You Do and Do What You Say: Guidance for Privacy Policies, and for Life

Posted in California, Data Privacy Law or Regulation, FTC, Massachusetts 210 CMR 17.00, PII, Privacy Law

Last Wednesday, California Attorney General Kamala Harris issued much anticipated guidance on public-facing privacy statements – “Making Your Privacy Practices Public” (the “Guidance”). The result of months of discussions with stakeholders, the recommendations are largely common sense.  They are “intended to encourage companies to craft privacy policy statements that address significant data collection and use practices, use plain language, and are presented in a readable format.” Many of the recommendations are nothing new – and our readers are likely to find that their privacy policies already incorporate many of the suggested approaches. But some of the recommendations are new and/or might not be appropriate for certain kinds of organizations. In that respect, it is important to point out that the AG’s recommendations “are not regulations, mandates or legal opinions. Rather, they are part of an effort to encourage the development of privacy best practices.” Further, with respect to the significant portion of the Guidance focused on the new Do Not Track disclosure requirements, the AG is quick to note that “[t]here is no legal requirement for how operators of web sites or online services must respond to a browser’s DNT signal.”

Like so many things in privacy, the best approach is the one you would teach your kids. To quote the AG: the California Online Privacy Protection Act (“CalOPPA”) requires operators of commercial web sites and online services that collect personally identifiable information (PII) about Californians to “say what they do and do what they say.” Following is a brief overview of the highlights of the Guidance itself, and (perhaps more interestingly) more insight on some of the telling language in the AG’s Introduction.

Continue Reading