Data Integrity and Evidence in the Cloud
How does cloud computing affect the risks of lost, incomplete, or altered data? Often, the discussion of this question focuses on the security risks in transmitting data over public networks and storing it in dispersed facilities, sometimes in the control of diverse entities. Less often recognized is the fact that cloud computing, if not properly implemented, may jeopardize data integrity simply in the way that transactions are entered and recorded. Questionable data integrity has legal as well as operational consequences, and it should be taken into account in due diligence, contracting, and reference to standards in cloud computing solutions.
Continue Reading...Celebrating Data Privacy from A to Z
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
A is for Advance Encryption Standard or AES, approved by NIST. Are you encrypting transmissions of sensitive data and portable storage devices? See more below.
B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations. (Also Behavioral Advertising.)
C is for . . . what to Choose? -- Contracts? Cloud Computing? How about California - the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection
D is for Data Protection Authorities in the European Union
E is for the EU Data Protection Directive. Oh, and Encryption, of course. See above and below.
F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)
Continue Reading...California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes
On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California's Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer's name to obtain even MORE personal identification information, the customer's address, through the use of a "reverse search" database. Second, the court held that a retailer's use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer's privacy under California law.
Continue Reading...Johnson, et al. v Microsoft: Court Docs on Motion Ruling IP Address Does Not Equal PII
For those interested in digging deeper into the recent ruling in the UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON, SEATTLE DIVISION that IP addresses do not constitute "personally identifiable information," I have complied all of the relevant pleadings, motions, and response/reply/surreply briefs for your viewing pleasure....
Continue Reading...
