Tanya Forsheit


Tanya L. Forsheit is one of the Founding Partners of the InformationLawGroup, based in Los Angeles, California. Tanya founded the InformationLawGroup after 12 years as a litigator and privacy/data security counselor at Proskauer Rose LLP, where, most recently, she was Co-Chair of the firm’s international Privacy and Data Security practice group. In 2009, Tanya was named one of the Los Angeles Daily Journal’s Top 100 women litigators in California.

Certified as an information privacy professional by the International Association of Privacy Professionals (IAPP), Tanya works with clients to address legal requirements and best practices for protection of customer and employee information. She regularly advises clients regarding legal restrictions on information-sharing and data retention, and provides guidance regarding state laws requiring notification in the event of data security breaches. Tanya frequently speaks and writes on recent developments in federal and state privacy laws, and launched Proskauer’s popular Privacy Law Blog in early 2007.

Tanya also has extensive experience handling complex commercial and appellate litigation for corporate and individual clients before federal and state courts at all levels. Tanya’s commercial litigation experience includes defense of a wide variety of commercial disputes including breach of contract, business tort, trademark infringement, fraud, employment, and antitrust claims, as well as the prosecution of claims for cybersquatting, copyright infringement, unfair competition, and misappropriation of trade secrets. In June 2008, Tanya obtained summary judgment on behalf of online entertainment company GoPets Ltd. in a trademark infringement and cybersquatting case, resulting in an award of statutory damages and transfer of www.gopets.com and 18 other domain names to GoPets. Tanya was part of the Los Angeles-based Proskauer team that successfully petitioned the United States Supreme Court to grant certiorari, and obtained a landmark decision, in Johnson v. California, 125 S. Ct. 1141 (2005), resulting in a historic settlement with the California Department of Corrections and Rehabilitation calling for the desegregation of California's prison system.

Tanya is a member of the Bar of the State of California, and is admitted to practice before the Supreme Court of the United States, the United States Courts of Appeals for the Ninth and Fourth Circuits, and the United States District Courts for the Central, Northern, and Southern Districts of California. She is an Officer and Board Member of the Women Lawyers Association of Los Angeles, sits on the Executive Committee of the Entertainment Law and Intellectual Property Section of the Los Angeles County Bar Association, and co-chairs the Cloud Computing Working Group of the Information Security Committee, ABA Section of Science & Technology Law.

Practice Areas
  • Privacy and data security counseling, compliance, and policies
  • Security breach notice, incident response, and litigation
  • Marketing counseling and compliance
  • Commercial litigation, including intellectual property (copyright and trademark)
  • E-commerce, outsourcing, cloud computing, software as a service
Professional Associations
  • American Bar Association, Science & Technology Law, Intellectual Property, and Litigation Sections: active member of the Information Security Committee and the Special Committee On Promotions and Marketing Law
  • International Association of Privacy Professionals (IAPP)
  • First Vice President, Women Lawyers Association of Los Angeles
  • Executive Committee, Los Angeles County Bar Association, Entertainment and Intellectual Property Committee
Education
  • University of Pennsylvania Law School, J.D.
  • Duke University, AB Political Science and English, cum laude
Bar Admissions
  • California


Articles By This Author

Privacy's Trajectory

As many of our readers know, the International Association of Privacy Professionals (IAPP) will celebrate 10 years this Tuesday, March 16.  In connection with that anniversary, the IAPP is releasing a whitepaper, "A Call For Agility: The Next-Generation Privacy Professional," tomorrow, March 15.  Monday morning you can find the whitepaper here.  I am honored that the IAPP has given me the opportunity to read and blog about the whitepaper in advance of its official release.  Where exactly is privacy going in today's environment?  What is the role of the privacy professional over the next 10 years?  And, a lot of people I know and love (you know who you are) would ask, what in the world is a privacy professional anyway?

Of late, I have found myself reiterating, and getting a lot of positive feedback for, the following proposition:  with data (massive amounts of it) as the new currency, the explosion in outsourcing to "trusted partners," and the growth of legal risks associated with an ever-expanding body of privacy and data security regulation, the role for professionals who understand privacy is becoming increasingly important.  Further, such professionals are uniquely positioned to bring together various key stakeholders in an organization, including Information Security, Legal, IT, and various business units.  Why?  Because privacy professionals are, by virtue of what they do, multidisciplinary.  And the growing opportunities for such professionals are inextricably intertwined with that quality.  The IAPP has summed this up succinctly, and eloquently in its whitepaper, as follows:


Thoughts from the RSA Conference

As the partners of InfoLawGroup make our way through the sensory overload of the RSA Conference this week, I am reminded (and feel guilty) that it has been a while since I posted here.  I have good excuses - have simply been too busy with work - but after spending several days in the thought-provoking environment that is RSA, I had to break down and write something.  A few observations, from a lawyer's perspective, based on some pervasive themes:

  1. We all need to work together, and we can.  Legal, Information Security, Privacy, Compliance, IT, and the affected business units.  Now more than ever, it is essential that ALL the stakeholders join forces, as early as possible, to address security and privacy risks, assess and vet business deals, and put in place appropriate procedures - RFPs, due diligence, contract negotiation - to address the risks.
     
  2. Cloud, cloud, cloud, yada, yada, yada.  Hold up - the technology is not new - but usage and the business model have changed dramatically.  I have been having this argument with my information security and technology friends for months.  OK, I get it.  "Cloud" technology in some form or another has been around for 30 or 40 years.  What is new is the massive scale, availability and changes in usage and the business model - in part driven by the economics.  Guess what?  Those business model changes make the legal risks even more pervasive.  Going back to (1) above, all of the stakeholders need to be in the room (or on the phone or videoconference) discussing the issues BEFORE the decision is made to enter into a cloud arrangement.  ANY cloud arrangement.  Not after the RFP is issued.  Not after IS does its due diligence.  Not after the contract negotiations have begun.  And not after the contract is inked.  The same due diligence and attention to risks that would apply in a traditional outsourcing/offshoring relationship must be applied here, too.  The cost savings are illusory if the short-term and/or long-term risks are significant.  Think about the kind of data at issue.  What are the risks?  Evidence preservation, data security, breach response, enforcement rights, indemnification.  And before we even get to those - can the data be transferred across borders in the first place?  Think about it early.  And then talk about it before decisions are made. 

More after the jump.


Celebrating Data Privacy from A to Z

In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy.  Would love to see your contributions, too!

A is for Advanced Encryption Standard or AES, approved by NIST.  Are you encrypting transmissions of sensitive data and portable storage devices?  See more below.

B is for Breach Notification Laws, including the 45 state laws, District of Columbia, Puerto Rico, Virgin Islands, HITECH Act, and international regulations.  (Also Behavioral Advertising.)

C is for . . . what to Choose? -- Contracts? Cloud Computing?  How about California - the first state to enact a breach notification law, California Civil Code sections 1798.29, 1798.82 et seq. (SB 1386), and the first state Office of Privacy Protection.

D is for Data Protection Authorities in the European Union

E is for the EU Data Protection Directive.  Oh, and Encryption, of course.  See above and below.

F is for Financial Institutions, regulated by (wait for it . . . after the jump . . .)


Is Your Organization's Red Flags Rule Identity Theft Prevention Program Ready for Primetime?

As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008).  Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors."  Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1.  For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports – Risk & Compliance, reproduced here with the permission of Bloomberg.  Read on . . .

Are We Living in a Post-Disclosure, Opt-In World?

Today's New York Times Media Decoder Blog features an "on-the-record" discussion with Federal Trade Commission chairman Jon Leibowitz and Bureau of Consumer Protection chief David Vladeck.  The question presented:  "Has Internet Gone Beyond Privacy Policies?"  The FTC (and Congress, for that matter) continue to signal that change may be imminent in the world of online privacy policies and traditional notions of opt-out consent. 

The dilemma remains - if consumers don't want to read privacy policies, what would constitute true notice and consent?  And, in the Web 2.0 world with consumers' insatiable appetite for on-demand, customized and interactive content, how can that process be handled in a manner that is both meaningful and consumer-friendly?  What do consumers really want?  And are their expectations regarding privacy simply inconsistent with the modern realities of social networking?  Just yesterday, the blogosphere was abuzz with news of the Facebook CEO's comments at the Crunchies Awards that "[p]eople have really gotten comfortable sharing more information and different kinds but more openly and with more people." 

At the end of the day, the real question (and answer) may have more to do with what constitutes "personal information," what consumers "reasonably" expect in today's world, and whether the sharing and use of certain kinds of information should be regulated.


More on the Cloud, Discovery, and the Stored Communications Act

My former colleague and friend Nolan Goldberg has published this nice piece on "Securing Communications in the Cloud" regarding the Central District of Illinois decision in US v. Weaver (yet another child pornography case contributing to the development of information law).  Nolan points out the Weaver court's focus on the unique nature of web (or cloud)-based email services.  With webmail, a copy stored by the host in the cloud, in this case Microsoft Hotmail, might be the only copy, not just a backup.  Therefore, the logic goes under the Stored Communications Act, the emails sought by the government in Weaver were not in electronic storage and the government only needed a trial subpoena, not a warrant. 

I must confess -- civil not criminal litigator (and geek) that I am -- the thing I find most interesting about Weaver is the court's finding that Microsoft, in providing Hotmail, is both an "electronic communications service" and a provider of a "remote computing service."  That means that an organization/employer that subscribes to such a web-based or cloud service for use by its employees/contractors (as opposed to the actual sender(s) and/or recipient(s) of such messages alone) may have the ability to consent to disclosures of emails, texts, tweets, etc. in civil discovery . . .  or may not.  That was the real issue underlying the Ninth Circuit's decision -- the part the Supreme Court is not going to review -- in the now ubiquitous and much hyped Quon decision (aptly described by another former colleague and friend Cliff Davidson, here).  I predict many more Stored Communications Act encounters for the cloud in courtrooms -- and not just in child pornography cases. 

Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence)

Back by popular demand, this is Part Four in our ongoing series, Legal Implications of Cloud Computing.  This installment will focus on digital evidence and e-discovery, and follows up on Part One (the Basics), Part Two (Privacy), and Part Three (Relationships).  After all, what better topic than the cloud to tackle on the day after Thanksgiving, recovering from tryptophan and wine?  As with many other areas previously discussed in this series, the cloud does not necessarily change the legal analysis, it just highlights the need to think through and anticipate the many areas of legal concern that could/are likely to arise when using the cloud.  As a litigator, when I think about the challenges posed by the cloud, the one that seems most intuitive is e-discovery/digital evidence.  It is always difficult to fully appreciate and digest the scope and volume of information that may be called for in litigation or in an investigation.  The presence of corporate data in the cloud multiplies those considerations. 

Some, but by no means all, of the digital evidence issues that should be considered in negotiating cloud arrangements and contracts (whether you are putting data in the cloud or designing and marketing a cloud offering), are as follows: 

  1. preservation/retention/disposal;
  2. control/access/collection;
  3. metadata;
  4. admissibility; and, cutting across all of the foregoing
  5. cost.

As I will discuss below, like other forms of electronically stored information (ESI), one of the best ways for addressing data in the cloud in the discovery and evidentiary context is to plan ahead and discuss treatment of cloud data (a) in records retention policies well in advance of litigation; and (b) at the Rule 26 conference once litigation has commenced.  And, if you read to the end, I will comment on the paucity of case law referencing the cloud (and describe the few references that have appeared in federal and state case law to date).


More Than Two Years Later, Federal Agencies Issue GLBA Final Model Privacy Form

On Tuesday, the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA), the Federal Trade Commission (FTC), the Commodity Futures Trading Commission (CFTC), and the Securities and Exchange Commission (SEC) (the "Joint Agencies") issued the Final Model Privacy Form under the Gramm-Leach-Bliley Act (GLBA).  Financial institutions may rely on the model privacy form as a safe harbor to provide disclosures under the GLBA privacy rule (12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); 12 CFR part 716 (NCUA); 16 CFR part 313 (FTC); 17 CFR part 160 (CFTC); and 17 CFR part 248 (SEC)).  Among other things, the Final Model Privacy Form is designed to be more consumer-friendly.  The Final Rule can be found here.  The opt-out model form can be found here.  The no opt-out model form is here.  For more on the history, read on.


Massachusetts Data Security Regulations Final Amendments Released

As we noted earlier this week, Massachusetts indicated late last week it would issue its last round of amendments to its data security regulations scheduled to take effect March 1, 2010, 201 CMR 17.00.  The last round of amendments are not particularly significant, although it is worth noting that, contrary to the amendments made in August, this round clarifies that the regulations cover any entity that stores personal information of Massachusetts residents, in addition to those that receive, maintain, process, or otherwise have access to personal information.  Here is the press release from the Office of Consumer Affairs and Business Regulation.  Here is the final version of the Regulations.  Doug Cornelius has a great analysis here.  The effective date of the regulations is still March 1, 2010.

Final Amendments to Massachusetts Data Security Regulations to Be Announced Shortly

Friday was a busy day for identity theft and data security regulations.  Not long after the Federal Trade Commission announced it was extending the enforcement deadline for the Red Flags Rule for the fourth time, word came from BNA's Privacy & Security Law Report that the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) had filed with the Massachusetts Secretary of State its final amendments to 201 CMR 17.00, the state's data security regulations.  BNA reported that OCABR plans to make the amendments public sometime this week.  BNA further reported that there are no major changes, but that there will be some clarification with respect to contracts between persons who own or license personal information and third-party service providers (201 CMR17.03(2)(f)(2)).  You can check out Dave's post on the last round of significant revisions to the regulations in August, complete with redline.  We have seen a lot of activity in the blogosphere about the new changes, but nothing official yet.  And so far, no announcements of further delays in the effective date, currently set for March 1, 2010.  We will report as soon as we hear more information.