Archive for the ‘Business Law’ Category

Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information of about 7,400 special education students. Information contained within the files not only included date of birth, school assignment, and grade, but it also included student identification numbers, special education assignments, disability categories and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?

When it comes to data governance, the unauthorized release of mission-critical data, more-often-than-not, involves the conduct of a third-party. Organizations, like SPS, are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did the SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like for them to have in place, but the real question should be what safeguards do they have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.


Read Full Post »

In response to the thousands of mobile applications hitting the market that often rely on consumer data (i.e. contact information, location, photos, etc.), the Federal Trade Commission (“FTC”) released a suggested list of security guidelines for mobile app developers to follow when designing a program. While a no one-size-fits-all checklist can exist, the FTC views these security tips as a way to help protect the developers, consumers, and reputation of the app. The following are 12 suggested security guidelines for mobile application developers to consider:

1. Make someone responsible for security;
2. Take stock of the data you collect and retain;
3. Understand the differences between mobile platforms;
4. Don’t rely on a platform alone to protect your users;
5. Generate credentials securely;
6. Use transit encryption for usernames, passwords, and other important data;
7. Use due diligence on libraries and other third-party code;
8. Consider protecting data you store on a user’s device;
9. Protect your servers, too;
10. Don’t store passwords in plaintext;
11. You’re not done once you release your app. Stay aware and communicate with your users;
12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations

Before getting into the core aspects of this security guideline, make sure to evaluate the ecosystem upon which the app will reside. The FTC comments that while it is important to get the mobile app working and accepted by an app store, a critical third step, the anticipation and prevention of security glitches, is vital to the apps long-term viability.

Read Full Post »

A bipartisan group of House and Senate members introduced the USA FREEDOM Act last month in an attempt to restore Americans’  privacy rights by ending the bulk collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance programs.  The Sensenbrenner-Rokita NSA Reform Bill (another name for the USA FREEDOM Act) includes significant privacy and oversight provisions, detailed reporting on the number and types of FISA (Foreign Intelligence Surveillance Act) orders issued, and the creation of a Special Advocate post, whose purpose is to advocate for the civil liberties and privacy rights before the FISA (Foreign Intelligence Surveillance Act) Court.

Sen. Patrick Leahy (D-VT) and Rep. Jim Sensenbrenner (R-WI) co-authored an op-ed article published in the Politico whereby they highlighted the need to ensure the protection of Americans’ civil liberties, while preserving the intelligence communities ability “to gather information in a more focused way, as was the intent of the PATRIOT Act.”  Both Messrs. Leahy and Sensenbrenner agree that Congress must provide our intelligence community with the necessary tools to keep our country safe, but to date, acknowledge that the intelligence community has failed to adequately justify their expansive use of current laws.

If passed and signed into law, the Bill would require that the Applicant (i.e. Government) establish “reasonable grounds” that the tangible things sought are “relevant” and “material” to an ongoing investigation.  The Applicant would be required to create a statement of proposed “minimization procedures” to ensure that the search would be as narrowly tailored as possible.  The Applicant would also have to submit a statement of facts showing reasonable grounds that disclosure of the Government’s interest in collecting data would result in (a) endangering the life or physical safety of any person; (b) flight from investigation; (c) destruction or tampering with evidence; (d) intimidation of potential witness; (e) interference with diplomatic relations; (f) altering a target that the government has an interest; (g) seriously endangering the national security of the U.S.; and (h) an explanation of how the nondisclosure requirement is narrowly tailored to address a specific harm.

Are these parameters sufficient enough to balance the civil liberties of Americans’ versus protecting our national security?  What type of “minimization procedures” would put your mind at rest to ensure that the intelligence community has not overstepped their bounds?  Does the legislation go far enough, if at all, in reclaiming what we lost as a result of 9/11, in regards to our privacy rights, business interests, and standing in the international community?

Read Full Post »

Thank god for the world of make-believe.  We know pigs cannot talk or drive cars, but in a poorly imagined metaphor, GEICO, Inc., released a commercial a few weeks back whereby a pig (meant to be us “insureds,” as they are called in the industry) was pulled over for an apparent traffic violation.  The pig downloads his insurance verification documents (a requirement in the State of WA, as well as most other States) through the “GEICO” app on his smartphone.  The pig, very willingly, hands the entire phone over to the citing police officer. 

Obviously, or hopefully,  the legal department at GEICO was not approached by the Technology or Marketing Department at GEICO.  If they were, one would hope they would help those departments understand why such a business venture was not advisable.  By handing over the entire smartphone to the citing police officer, has the pig unintentionally consented to a warrantless search of his smartphone?  This may seem like a benign thought on the part of this Cyber Lawyer (fair enough), but just wait, coming soon to a courthouse near you…Plaintiff gives smartphone to police officer at traffic stop, and winds up in jail on “sexting” charges.  Such salacious facts, makes for fun case law.  Plaintiff will undoubtedly like to thank his/her insurance company for creating such a legal mess.

Read Full Post »

Last Week, State of Washington Governor Jay Inslee signed SB 5211 into law, which prohibits employers from requiring or requesting that prospective or current employees disclose their username and password to their personal social media accounts.  Washington State now joins a growing list of states (Maryland, California, Illinois, Michigan, Utah, New Mexico, Arkansas, and Colorado) who have enacted similar laws.  In general, laws that prohibit disclosure of social media passwords to employers are designed to protect the privacy of the individual and prevent potential retaliatory action based on the individual’s social media use.

Additionally, SB 5211, known as, Washington’s Employer Social Networking Law,  prohibits the employer from compelling or coercing an employee or applicant to (1) add the employer to their social networking network; (2) accessing, in the presence of an employer, their personal social networking account in a manner that allows the employer to observe the content of the account; or (3) alter the settings of the account to enable third party’s to view the content of the account.  

Exceptions to SB 5211 allow employers to retrieve content from an employee’s social networking account when trying (1) to ascertain factual information over the course of an investigation; (2) undertake an investigation in response to information about an employee’s social media activity; or (3) to ensure compliance with (i) applicable laws, regulatory requirements, and work-related employee misconduct, or (ii) an investigation into the unauthorized transfer of company mission-critical information (i.e. proprietary information, confidential information, financial data, etc.).  Moreover, the law allows for employers to enforce existing personnel policies; comply with federal statutes, regulations, and rules; nor does it apply to technology that is intended for work-related information exchange, collaboration, or communication by virtue of the employee’s relationship with the employer.

Damages for violation of SB 5211 include injunctive relief, actual damages, a penalty in the amount of $500, and reasonable attorneys’ fees and costs

Read Full Post »

Verizon recently released its 2013 Data Breach Investigations Report, and the outlook for organizations trying to protect their intellectual property is dire.  Cyber-based corporate and industrial espionage has risen so dramatically in the last year that intelligence officials are asking boardrooms across the U.S. to be more vigilant against cyber-criminals who are motivated by financial gain to steal intellectual property and trade secrets.  Former U.S. intelligence chief, John “Mike” McConnell stated that “unless urgent action is taken, the U.S. faces a ‘cyber’ equivalent of the World Trade Center attack.”

The Chinese and U.S. economies are so inextricably linked that China naturally is the main culprit for targeted theft of confidential business information and proprietary technologies.  However, there are many other state-sponsored and political “hacktivist” groups that are actively stealing corporate digital assets.  The proliferation of employee-owned mobile devices in the workplace, along with antiquated network systems, has allowed cyber-criminals to access corporate databases at unprecedented levels.  Saudi Arabian oil producer, Aramco, was recently a victim of a massive cyber-attack where 30,000 desktop PCs were wiped in what some can only presume was designed to disrupt oil production.  Additionally, JP Morgan Chase, Wells Fargo, and Bank of America were victims of a sustained distributed denial of service (DDoS) attack that appears to have been commenced overseas.

What frustrates investigators most when a breach of corporate data occurs is the lack of internal and external controls within the organization.  While readily available technology allows organizations to address security issues, it is often a failure to properly train and educate employees that makes theft of intellectual property so easy for cyber-criminals to obtain.  Technology alone will not prevent the theft of intellectual property.  Organizations must have a tone at the top mentality when it comes to awareness training and policy creation around cyber-security.

Read Full Post »

As reported in The Wall Street Journal today, Netflix, Inc., has filed documents with the Securities and Exchange Commission (“SEC”) stating its intent to disclose “material information” on its corporate Twitter feed, Facebook page, and blog, as well as the Facebook page of its CEO.  The Los Gatos-based company will continue to file traditional disclosures, regarding important company information, but the filing is a first for any publicly-traded company and will likely not be the last.

How quickly other organizations adopt Netflix’s example will be dependent upon an internal assessment of risk for potentially running afoul against decades-old rules that are designed to protect consumers and investors from fraudulent activities.  The SEC has signaled an unwillingness to update years of regulatory legislation, in response to new technology, out of fear that doing so would create a slippery slope of deceptive or “puffed” disclosures/activities.  Frustrated by this unwillingness, many financial industry and Wall Street firms are trying to seek guidance on how to apply social-media disclosures to antiquated regulatory requirements.

An example of this frustration is whether a third-party’s use of the “like” button on a financial services company Facebook page, or endorsing an advisor’s skills on LinkedIn, could be viewed as an improper testimonial defined under applicable regulations.  Such an act, could potentially subject the company, and/or individual, to penalties and jail time.  Financial services firms seek relief from these regulatory bans that prohibit testimonials in advertisements, but the SEC considers them to be “inherently misleading,” and suggests they get pre-clearance before posting on social media sites.

Therefore, while the SEC seems to have acknowledged the presence of social media in our daily routines, it still remains skeptical on how it is going to be applied in our everyday world and will leave it up to the organizations to police themselves.  In this regard, a proper assessment of social-media use within an organization is an emerging talking point across most boardrooms in America.

Read Full Post »

Older Posts »