Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the "Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards" Act (a.k.a. "BEST PRACTICES Act" or "Act").We have put together a summary of the Act in "FAQ" format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two will focus on the "Safe Harbor" outlined in the Act, various exemptions for deidentified information, and provisions concerning the application and enforcement of the Act.
This post is Part Two of my FAQ on the proposed modifications to the HIPAA Rules issued by HHS last week. Part Two focuses on the proposed modifications to the Privacy Rule.
As reported last week, on Thursday the Department of Health and Human Services ("HHS") issued its long-anticipated Notice of Proposed Rulemaking ("NPRM") on Modifications to the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act (the "HITECH" Act). For those of us who subscribe to numerous technology and law listservs, this meant emailboxes flooded with opinions, criticism, speculation, and flat-out fear mongering. We thought people might like to know what the proposed modifications actually say, and what they mean. So, this post provides Part One of a FAQ on the 234 page NPRM. This post, Part One, addresses general issues (including significant changes involving subcontractors) and proposed modifications to the HIPAA Security and Enforcement Rules. Part Two, later this week, will address the proposed modifications to the HIPAA Privacy Rule.
Dave and I recently spoke with Nymity regarding privacy and data security issues in cloud computing deals. You can read the interview here.
In opening the door to holding credit card processors potentially contributorily liable as a result of the infringing actions of clients selling counterfeit goods online, Judge Baer, Jr.'s decision issues a shot across the bow of companies providing services to online commerce sites that their actions could be construed as providing material support to counterfeiters.
My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. This post extends Tanya's discussion of the intersection between electronic discovery and the cloud.
Back in February 2010, we reported on an online banking lawsuit filed by by Experi-Metal Inc. ("EMI") against Comerica (the "EMI Lawsuit"). As you might recall this case involved a successful phishing attack that allowed the bad guys to get the EMI's online banking login credentials and wire transfer about $560,000 from EMI's account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two factor token-based authentication with a man in the middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment in order to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties
This blogpost is the third (and final) in our series analyzing the terms of Google's and Computer Science Corporation's ("CSC") cloud contracts with the City of Los Angeles. In Part One, we looked at the information security, privacy and confidentiality obligations Google and CSC agreed to. In Part Two, the focus was on terms related to compliance with privacy and security laws, audit and enforcement of security obligations, incident response, and geographic processing limitations, and termination rights under the contracts. In Part Three, we analyze what might be the most important data security/privacy-related terms of a Cloud contract (or any contract for that matter), the risk of loss terms. This is a very long post looking at very complex and interrelated contract terms. If you have any questions feel free to email me at dnavetta@infolawgroup.com
Yesterday, the Utah Supreme Court, interpreting Utah's version of the Uniform Electronic Transactions Act (UETA) held that electronic "signatures" gathered through the website of an independent candidate for Utah state governor are valid to put the candidate's name on Utah's November ballot. The court's decision is a huge step forward in recognizing the legal efficacy of electronic signatures that may reverberate around the nation.
In the end eSignatures provided a tantalizing glimpse of a potential esigning future, but one that remains firmly in the distance at this time. Certainly eSignatures is in fact useful at the moment - for a limited range of actions and signings. But unless its more notable shortcomings are timely and completely addressed this will remain a beta that doesn't reach the other shore.
Institutions of higher learning are often breeding grounds for experimentation and creative approaches to old problems. Thus, it is far from surprising that universities have represented some of the earliest adopters of enterprise cloud computing solutions. Cloud computing is enormously attractive to universities, for a number of reasons, especially when it comes to email. My article, "The Ivory Tower in the Cloud," recently published in Information Security and Privacy News, a publication of the Information Security Committee, ABA Section of Science & Technology Law, briefly explores some of the information security and privacy legal implications for higher education moving into the cloud, and then discusses some recent developments with respect to highly publicized trials of cloud computing services by universities and colleges. You can read the full article here.
The United States Supreme Court issued its decision today in City of Ontario, California v. Quon, ruling that a public employer's examination of an employee's personal text messages on a government-issued pager did not violate the Fourth Amendment. Justice Kennedy's opinion for the Court remarked that a review of messages on an employer-provided device would similarly be regarded as "reasonable and normal in the private-employer context."
At first glance, the seemingly Grand Canyon-wide gap between a verified signature and eSignature's practice is troubling. However, upon reflection, the lack of individual party verification is less worrying than it appears - at least in corporate scenarios.
This post is Part Two in my review and discussion of some of the comments submitted in the response to the Boucher Bill privacy and data security legislation discussion draft. As in Part One, Part Two will describe and summarize at a high level some (but not all) of the issues identified by the commenters. Part Two covers comments submitted by American Business Media (ABM), which focuses on the Business-to-Business online information market; the Association of National Advertisers (ANA); the Marketing Research Association (MRA), an association of the survey and opinion research profession; the National Retail Federation and Shop.org (collectively, NRF); and the U.S. Chamber of Commerce.