W. Scott Blackmer

W. Scott Blackmer has practiced information technology law since 1982. Scott has been listed in several peer-reviewed directories of prominent IT lawyers, including the Legal Media Group’s Guide to the World’s Leading Technology, Media & Telecommunications Lawyers.

Formerly a partner in the Washington, DC and Brussels offices of the firm now known as WilmerHale, Scott is a founding partner of InformationLawGroup and serves on the executive management team of the First Law International legal network (Brussels). He also consults on privacy, data protection, and security issues in association with HR Privacy Solutions (New York) and Jeitosa Group International (San Francisco). Scott now works from a mountaintop home overlooking Salt Lake City (or from a laptop just about anywhere).

A frequent speaker and writer on IT law and information privacy and security issues, Scott has made presentations or taught seminars on these subjects at numerous industry and professional conferences and at the University of Chicago, Johns Hopkins University, Carnegie-Mellon University, George Washington University, the University of London, the University of Toulouse, the Catholic University of Buenos Aires, the US State Department (Washington, Berlin, Brussels, and Shanghai), the European Commission, the Council of Europe, the International Monetary Fund, the Multilateral Investment Fund, and the Electronic Commerce Promotion Council of Japan.

Scott acts as general counsel to the Trusted Computing Group, XDI.org, and OpenID Foundation, and he counsels other industry associations as well as corporations and individual entrepreneurs. He has advised US federal and state agencies and the European Commission on privacy and security issues, and he currently serves as a privacy advisor to the US Social Security Administration. Scott also arbitrates Internet domain name disputes brought before the World Intellectual Property Organization (WIPO) in Geneva.

Scott has worked on transactions and licensing, compliance issues, litigation, and arbitration matters in over 100 countries. He speaks English and French and has a working knowledge of written Spanish, German, Dutch, Italian, and Portuguese.

Practice Areas
  • Intellectual property (with a focus on software patent and copyright licensing, technology transfers, trademark and domain names)
  • Privacy and information security
  • International transactions and multijurisdictional compliance with laws protecting consumers, employees, distributors, franchisees, or investors
  • E-commerce, outsourcing, cloud computing, software as a service
  • IT standards
Professional Associations
  • American Bar Association: Information Security Committee; Privacy and Computer Crime Committee
  • International Security, Trust & Privacy Alliance (ISTPA) (director and officer)
  • International Association of Privacy Professionals (IAPP)
  • Identity Workshop of the Berkman Center for Internet and Society (Harvard Law School)
Education
  • University of California at Berkeley (Boalt Hall School of Law), JD with honors 1981 (Editor-in-chief, California Law Review)
  • University of Nevada, Las Vegas, BA with honors 1975
  • Brigham Young University, Provo, Utah (1970-73)
  • Université de Grenoble, France (1972)
Bar Admissions
  • District of Columbia
  • Maryland
  • Utah
  • Formerly a registered foreign lawyer in the Law Society of England and Wales and the French Order of the Brussels Bar


Articles By This Author

EU Adopts New Standard Contract Clauses for Foreign Processors

Last Friday, the European Commission adopted new "controller-processor" standard contractual clauses ("SCCs" or "model contract") to protect personal data transferred from Europe to a data processor located outside the EU/EEA. Existing contractual arrangements are grandfathered, but any new contracts with data processors must include the new version of the SCCs.

The principal change from the 2002 controller-processor SCCs is that processing contractors are now obliged to obtain prior written consent from the customer before subcontracting any of the processing, and the subcontractor must be contractually bound to the same obligations that apply to the contractor.

Data Integrity and Evidence in the Cloud

How does cloud computing affect the risks of lost, incomplete, or altered data? Often, the discussion of this question focuses on the security risks in transmitting data over public networks and storing it in dispersed facilities, sometimes in the control of diverse entities. Less often recognized is the fact that cloud computing, if not properly implemented, may jeopardize data integrity simply in the way that transactions are entered and recorded.  Questionable data integrity has legal as well as operational consequences, and it should be taken into account in due diligence, contracting, and reference to standards in cloud computing solutions.

Information Security Clauses and Certifications - Part 1

Outsourcing business and IT functions often means outsourcing compliance and liability risks as well. When a service contract involves protected categories of personal information, both parties need to understand the security requirements and risks. The contract should allocate responsibilities to prevent and respond to security breaches. The contract may also set expectations more precisely by incorporating a written security policy or referring to a widely accepted information security standard, sometimes accompanied by a requirement for a third-party security audit or assessment.

What contractual information security provisions should you consider, as a customer or as a vendor or business partner, when the contract contemplates the exchange of protected information? What do security standards and audits entail for a vendor, and what do they offer for a customer?

NDAs: Worth the Effort?

Confidentiality or nondisclosure agreements ("NDAs") are widely used but often poorly reasoned or inadequately implemented.  When are they worth the effort?  How can they be made more effective in protecting a company's secrets or the secrets of others for which it is responsible?

Merchant Liability for "Time and Effort" Following Security Breach?

The Hannaford saga continues, with possible civil liability implications for retailers.

Earlier this year, a federal judge in Maine dismissed almost all claims in the consolidated class action lawsuit against Hannaford Brothers Co. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, MDL No. 2:08-MD-1954, USDC Maine). Hannaford had millions of payment card records hacked in 2007 and 2008. Judge Hornby ruled that the common law in Maine allows consumers to seek restitution only for unreimbursed fraudulent charges on their credit or debit cards. Since the card issuers reversed the fraudulent charges under their “zero-liability” policies, the cardholders suffered only “collateral consequences” such as the time and effort involved in changing cards and accounts, monitoring for fraud, and dealing with banks, merchants, and others following notice of the breach. Judge Hornby did not believe such collateral harms were cognizable injuries under state law. 

This week the judge reversed that decision and certified to the Maine Law Court (the highest court in the state) the following question: 

“Do time and effort alone, spent in a reasonable effort to avert reasonably foreseeable harm, constitute a cognizable injury under Maine common law?”

Code or Clear? Encryption Requirements (Part 4)

In other posts, I talked about the trend toward more prescriptive encryption requirements in laws and regulations governing certain categories of personal data and other protected information. Here’s an overview of the standards and related products available for safe (and legally defensible) handling of protected data.

Code or Clear? Encryption Requirements (Part 3)

In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters – especially Social Security Numbers, driver’s license numbers, and bank account or payment card details – as well as for medical information, which individuals tend to consider especially sensitive.  These concerns are not, of course, limited to the United States.

Data Protection Laws

Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain “reasonable” or “appropriate” or “proportional” security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.

Code or Clear? Encryption Requirements (Part 2)

In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

“Exactly what data do we have to encrypt, and how?”

That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.

But changes in technology and law are making enterprises rethink that decision. Processing is faster and encryption software is cheaper and more reliable. There are now several efficient options for encrypting data in communications and on laptops and mobile storage devices, where historically data is most vulnerable. And at the same time, new compliance obligations and heightened litigation risks are pushing companies, government agencies, and nonprofits to explore these options and adopt a defensible policy toward data encryption.