The U.S. District Court for the Southern District of California recently granted class certification in a Song-Beverly Credit Card Act case, refusing to exclude from the class individuals who joined the retailer's rewards program months after the alleged Song-Beverly violation. See Yeoman v. IKEA U.S. West, Inc., No. 11CV701, 2012 WL 1598051 (S.D. Cal. May 4, 2012). The Court's discussion suggests that a retailer may also face Song-Beverly liability even if it requests personal information at the register that it already holds by virtue of the customer's membership in its rewards program.
So, you thought our cloud series was over? Wishful thinking. It is time to talk about ethics. Yes, ethics. Historically, lawyers and technologists lived in different worlds. The lawyers were over here, and IT was over there. Here's the reality: Technology - whether we are talking cloud computing, ediscovery or data security generally - IS very much the business of lawyers. This post focuses on three recent documents, ranging from formal opinions to draft issue papers, issued by three very prominent Bar associations -- the American Bar Association (ABA), the New York State Bar Association (NYSBA), and the State Bar of California (CA Bar). These opinions and papers all drive home the following points: as succinctly stated by the ABA, "[l]awyers must take reasonable precautions to ensure that their clients' confidential information remains secure"; AND lawyers must keep themselves educated on changes in technology and in the law relating to technology. The question, as always, is what is "reasonable"? Also, what role should Bar associations play in providing guidelines/best practices and/or mandating compliance with particular data security rules? Technology, and lawyer use of technology, is evolving at a pace that no Bar association can hope to meet. At the end of the day, do the realities of the modern business world render moot any effort by the Bar(s) to provide guidance or impose restrictions? Read on and tell us - and the ABA - what you think.
This post is Part Two in my review and discussion of some of the comments submitted in the response to the Boucher Bill privacy and data security legislation discussion draft. As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters. Part Two covers comments submitted by American Business Media (ABM), which focuses on the Business-to-Business online information market; the Association of National Advertisers (ANA); the Marketing Research Association (MRA), an association of the survey and opinion research profession; the National Retail Federation and Shop.org (collectively, NRF); and the U.S. Chamber of Commerce.
A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
As previously reported, in early May Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a discussion draft of proposed federal privacy and data security legislation. Reps. Boucher and Stearns sought comments on the discussion draft, setting a deadline of last Friday, June 4, 2010. Numerous organizations have submitted comments. This multi-part post will describe and summarize, at a high level, some (but not all) of the issues identified by the commenters.