InfoLawGroup privacy. security. technology. media. advertising. intellectual property.

Tag Archives: compliance

Alcohol Ads In the Digisphere – New-ish Guides In Town

Posted in Advertising Law, Apps, E-Commerce, Marketing, Mobile Apps, Privacy, Social Media, Standards

At the end of September, thirteen leading beer, wine and spirits producers published the Digital Guiding Principles (DGPs) as part of their global commitment to reducing harmful drinking.  These are self-regulatory guidelines — they are not law, although some of the principles track legal requirements in the U.S.  Moreover, these principles do not replace any other guidelines…

“Big Data” for Educational Institutions: A Framework for Addressing Privacy Compliance and Legal Considerations

Posted in Big Data

Educational institutions at all levels have begun to realize that they hold a treasure trove of student-related information, that if analyzed using “Big Data” techniques, could yield valuable insights to further their educational missions.  Educational institutions hold a broad variety of student-related information that may be analyzed, including grades, financial information, health information, location-related information…

Please Tune In Monday, January 31, 2011

Posted in Cloud Computing, Events

I hope you will tune in Monday, January 31, 2011, 8-9 am Pacific (11-12 Eastern), to Privacy Piracy, audio streaming on (or locally in Southern California on KUCI 88.9 FM in Irvine, CA). Mari Frank will interview me on hot topics in information law and compliance.

Appeals Court Considers Applicability of the Red Flags Rule to Attorneys

Posted in FCRA and FACTA

Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission’s Identity Theft Red Flags Rule.
The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule’s definition of “creditor” to the extent they allow clients to pay for legal services after the services are performed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.

FTC Launches Privacy Portal

Posted in Information Security, Recent News

Today, the Federal Trade Commission announced the launch of a business center portal to help businesses understand and comply with privacy and information security requirements that the FTC enforces. The new portal provides centralized access to the FTC’s privacy and information security regulations, enforcement actions and guides. The main portal also offers information about compliance with advertising, credit, telemarketing and myriad other requirements. A series of short videos explains what businesses need to know to comply, and the business center blog offers the latest compliance tips and information.

BREAKING NEWS: FTC Extends Compliance Deadline for Red Flags Rule AGAIN to December 31, 2010

Posted in Red Flags Identity Theft Rules, Red Flags Rule

In the last hour, the news broke that the FTC has again extended the compliance deadline for the FACTA Red Flags Rule, this time to December 31, 2010, “[a]t the request of several Members of Congress.” The FTC’s press release of this morning is here. This is the fifth time the FTC has extended the enforcement deadline. As usual, the FTC’s extension does not affect “other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight.”

Contracting for Cloud Computing Services

Posted in Breach Notice, Breach Notification, Breach of Contract, Cloud Computing, Cloud Computing Series, Damages, Data Destruction, Data Privacy Law or Regulation, Digital Evidence and E-Discovery, Information Security, Information security contracts, Reasonable Security, Service Provider Breach, Standards

Nearly every day, businesses are entering into arrangements to save the enterprise what appear to be significant sums on information technology infrastructure by placing corporate data “in the cloud.” Win-win, right? Not so fast. If it seems too good to be true, it probably is. Many of these deals are negotiated quickly, or not negotiated at all, due to the perceived cost savings. Indeed, many are closed not in a conference room with signature blocks, ceremony, and champagne, but in a basement office with the click of a mouse. Unfortunately, with that single click, organizations may be putting the security of their sensitive data (personal information, trade secrets, intellectual property, and more) at risk, and may be overlooking critical compliance requirements of privacy and data security law (not to mention additional regulations). My article “Contracting for Cloud Computing Services: Privacy and Data Security Considerations,” published this week in BNA’s Privacy & Security Law Report, explores a number of contractual provisions that organizations should consider in purchasing cloud services. You can read the full article here, reprinted with the permission of BNA.

Information Governance

Posted in Breach Notice, Breach Notification, Data Destruction, Data Privacy Law or Regulation, Enforcement, EU, FCRA and FACTA, Identity Theft, Information Security, Information security contracts, International, Massachusetts Data Security Regulations, PCI, PII, Privacy and Security Litigation, Privacy Law, Reasonable Security, Red Flags Rule, Regulations, Standards, Workplace Privacy

Security governance is often well established in large organizations, but privacy governance typically lags. It is time for a broader approach to “information governance” that focusses on the kinds of sensitive data handled by the enterprise and establishes policies to assure compliance and effective risk management, as well as better customer, employee, government, and business relations.

Privacy’s Trajectory

Posted in Breach Notice, Breach Notification, Cloud Computing, Data Privacy Law or Regulation, Digital Evidence and E-Discovery, Information Security, Massachusetts 210 CMR 17.00, Massachusetts Data Security Regulations, Nevada Security of Personal Information Law, PCI, Privacy Law, Regulations

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16. In connection with that anniversary, the IAPP is releasing a whitepaper, “A Call For Agility: The Next-Generation Privacy Professional,” tomorrow, March 15. I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.

Information Security Clauses and Certifications – Part 1

Posted in Breach Notice, Breach of Contract, Cloud Computing, Damages, Data Privacy Law or Regulation, Encryption, Enforcement, EU, Information Security, International, NDA / Confidentiality Agreement, Standards

Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance.

Legal Implications of Cloud Computing — Part Three (Relationships in the Cloud)

Posted in Cloud Computing, Cloud Computing Series, Special Series

While there is much debate on the IT side as to whether Cloud computing is revolutionary, evolutionary or “more of the same” with a snazzy marketing label, in the legal context, Cloud computing does have a potentially significant impact on legal risk. Part three of our ongoing Cloud legal series explores the relationships in the Cloud, and the potential legal implications and impacts suggested by them.

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

Posted in Encryption

“Exactly what data do we have to encrypt, and how?” That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.