Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals. You can read the interview here.
In opening the door to holding credit card processors potentially contributorily liable as a result of the infringing actions of clients selling counterfeit goods online, Judge Baer, Jr.'s decision issues a shot across the bow of companies providing services to online commerce sites that their actions could be construed as providing material support to counterfeiters.
My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. This post extends Tanya's discussion of the intersection between electronic discovery and the cloud.
Back in February 2010, we reported on an online banking lawsuit filed by by Experi-Metal Inc. ("EMI") against Comerica (the "EMI Lawsuit"). As you might recall this case involved a successful phishing attack that allowed the bad guys to get the EMI's online banking login credentials and wire transfer about $560,000 from EMI's account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two factor token-based authentication with a man in the middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
Yesterday, the Utah Supreme Court, interpreting Utah's version of the Uniform Electronic Transactions Act (UETA) held that electronic "signatures" gathered through the website of an independent candidate for Utah state governor are valid to put the candidate's name on Utah's November ballot. The court's decision is a huge step forward in recognizing the legal efficacy of electronic signatures that may reverberate around the nation.
In the end eSignatures provided a tantalizing glimpse of a potential esigning future, but one that remains firmly in the distance at this time. Certainly eSignatures is in fact useful at the moment - for a limited range of actions and signings. But unless its more notable shortcomings are timely and completely addressed this will remain a beta that doesn't reach the other shore.
Institutions of higher learning are often breeding grounds for experimentation and creative approaches to old problems. Thus, it is far from surprising that universities have represented some of the earliest adopters of enterprise cloud computing solutions. Cloud computing is enormously attractive to universities, for a number of reasons, especially when it comes to email. My article, "The Ivory Tower in the Cloud," recently published in Information Security and Privacy News, a publication of the Information Security Committee, ABA Section of Science & Technology Law, briefly explores some of the information security and privacy legal implications for higher education moving into the cloud, and then discusses some recent developments with respect to highly publicized trials of cloud computing services by universities and colleges. You can read the full article here.
The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as "reasonable and normal in the private-employer context."
At first glance, the seemingly Grand Canyon-wide gap between a verified signature and eSignature's practice is troubling. However, upon reflection, the lack of individual party verification is less worrying than it appears - at least in corporate scenarios.
This post is Part Two in my review and discussion of some of the comments submitted in the response to the Boucher Bill privacy and data security legislation discussion draft. As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters. Part Two covers comments submitted by American Business Media (ABM), which focuses on the Business-to-Business online information market; the Association of National Advertisers (ANA); the Marketing Research Association (MRA), an association of the survey and opinion research profession; the National Retail Federation and Shop.org (collectively, NRF); and the U.S. Chamber of Commerce.
It was recently reported that an insurance carrier (Colorado Casualty Insurance Co.) denied coverage (and filed a lawsuit) for the $3.3 million in costs the University of Utah incurred to provide notice of a security breach involving the records of 1.7 million patients from the University's hospitals. You can find a copy of Colorado Casualty's declaratory judgment action complaint here. The University also filed its own counter claim, cross-claim and third party claim. As discussed further below, the University's cross-claim is against Perpetual Storage (the service provider that allegedly lost the data) and its third party claim is against Perpetual Storage's insurance broker (the broker that placed the insurance coverage with Colorado Casualty).
A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
We are very pleased to announce that David K. Isom and Richard L. Santalesa have joined the firm as Senior Counsel. David, an e-discovery authority and 30-year trial lawyer, was formerly co-chair of Greenberg Traurig's Electronic Discovery Practice Group. Rich, based in New York City and Fairfield, Connecticut, has had a career of representing clients in electronic commerce and Internet and privacy issues and other commercial arrangements involving intellectual property and technology-savvy companies.
As previously reported, in early May Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a discussion draft of proposed federal privacy and data security legislation. Reps. Boucher and Stearns sought comments on the discussion draft, setting a deadline of last Friday, June 4, 2010. Numerous organizations have submitted comments. This multi-part post will describe and summarize, at a high level, some (but not all) of the issues identified by the commenters.
Does "segregation" of records from another organization's records in a cloud that prevents "intermingling" preserve an organization's reasonable expectation of privacy vis-a-vis the government under the Fourth Amendment? One recent case, although not about a cloud of any shape or form, suggests that it might. In In re SK Foods Inc., No. 2:09-cv-02938, the United States District Court for the Eastern District of California stayed the Bankruptcy Court's order that would have allowed the Trustee to continue to possess and review information relating to third party non-debtors pending appeal. Why? There was evidence suggesting that, despite residing on shared computer servers, the data of the third parties had not been "intermingled" with the debtor's data, the servers belonged to a third party, the debtor could not access the third party records without authorization, and the third parties demanded return of their records once the Trustee intervened. Read on for a detailed review of the District Court's order and consideration of its implications for the cloud.
Social networking entails some risks and responsibilities. It may implicate privacy and labor law, confidentiality and nondisclosure agreements, advertising regulations, defamation, and other legal regimes, across borders in a global medium. Users, and their employers, need to be aware of these risks and responsibilities in deciding how to make best use of social media.