Posts in Encryption

20/20, ABA, client confidentiality, COPRAC, encrypt, encryption, ethics, Formal Opinion Interim No- 08-0002, lawyers, New York State Bar Association, online storage, Opinion 842, professional responsibility, State Bar of California, technology, wifi

Legal Implications of Cloud Computing -- Part Five (Ethics or Why All Lawyers-Not Just Technogeek Lawyers Like Me-Should Care About Data Security)

By InfoLawGroup LLP on October 19, 2010

So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.

AICPA, best practices, BITS, cloud computing, COBIT, contracts, FIPS, information security, ISO 27001, ISO 27002, NIST, outsourcing, PCI DSS, SAS 70, SP 800-53, standards

Information Security Standards and Certifications in Contracting

By W. Scott Blackmer on May 26, 2010

It often makes sense to refer to an information security management framework or standard in an outsourcing contract, but this is usually not very meaningful unless the customer also understands what particular security measures the vendor will apply to protect the customer's data.

Alberta, breach notice, British Columbia, Canada, Ontario, Quebec

Security Breach Notices for Canadian Data

By W. Scott Blackmer on March 19, 2010

Notice of significant security breaches involving personal information is recommended under federal Privacy Commissioner guidelines and legally required for custodians of personal health information in Ontario. Albert's new Bill 54, not yet in force, sets a new standard for mandatory notification to the provincial Privacy Commissioner, who can determine whether and how individuals must be notified.

201 CMR 17-00, AES, anonymity, behavioral advertising, breach notification, California, cloud computing, contracts, DPA, Eavesdropping, encryption, EU Data Protection Directive, GLBA, HIPAA, HITECH, IAPP, Kearney, Massachusetts, personally identifiable information, pii, RFID, social networking, spam, SSN, TCPA, telemarketing, text messages, UK ICO, VPPA

Celebrating Data Privacy from A to Z

By InfoLawGroup LLP on January 28, 2010

In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!

agreements, breach notice, certification, compliance, confidentiality, contracts, incident response, indemnification, information security, insurance, liability, risk management, standards

Information Security Clauses and Certifications - Part 1

By W. Scott Blackmer on January 17, 2010

Service contracts that involve protected personal information should include provisions allocating responsibility for protecting that information and responding to security breaches. Increasingly, this means incorporating specific references to applicable laws and information security standards, and often certifications of conformance.

256-bit key, AES, assymetric cryptography, data at rest, DES, file encryption, FIPS 197, FIPS 200, hardward-based encryption, mobile encryption, NIST, NIST 800-53, OMB, OMB M-07-16, PKI, RSA Security, software disk encryption

Code or Clear? Encryption Requirements (Part 4)

By W. Scott Blackmer on October 04, 2009

In other posts, I talked about the trend toward more prescriptive encryption requirements in laws and regulations governing certain categories of personal data and other protected information. Here's an overview of the standards and related products available for safe (and legally defensible) handling of protected data.

appropriate, EU, EU Data Protection Directive, international, reasonable, security measures

Code or Clear? Encryption Requirements (Part 3)

By W. Scott Blackmer on October 01, 2009

In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters - especially Social Security Numbers, driver's license numbers, and bank account or payment card details - as well as for medical information, which individuals tend to consider especially sensitive. These concerns are not, of course, limited to the United States. Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain "reasonable" or "appropriate" or "proportional" security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.

appropriate, civil litigation, compliance, FTC, legal requirements, negligence, portable devices, public networks, reasonable, security measures, unfair practices, wireless

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

By W. Scott Blackmer on October 01, 2009

"Exactly what data do we have to encrypt, and how?" That's a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.