Legal issues of domain names & trademarks

PRIVACY DEVELOPMENTS 2011 David Mink, CLO [email_address] @dmmink

“ Information security experts are calling 2011 one of the worst years for data security breaches in the last decade.” Security Breach Legislation 2011

Hypothetical: Ecommerce Store
Database of more than 100,000 customers is hacked and that database contained sensitive personal information for the customers (e.g., name + credit card)
What do you do?
What are you responsible for?
What liabilities do you face?
What obligations do you have?

Security Breach Notification Statutes
Require organizations to give notification of security breaches involving personal information
Require organizations use security measurements to prevent breaches that are “ reasonable ” and “ adequate ”
* 46 states have passed these laws. The hold outs are Alabama, Kentucky, New Mexico, and South Dakota

TX, CA, IL
These three states are requiring more specific disclosure in the event of a breach including the following examples:
Name and contact info of the reporting business
List of the types of personal info reasonably believed to have been the subject of the breach
Date or estimated date range of the breach
General description of the breach incident
Toll free tel. numbers of the major credit reporting agencies
Notify persons affected in other states even if their state has no notification law (TX)

State Movements: Encryption Laws & Payment Card Laws
States like Massachusetts and Nevada have enacted encryption laws, providing a clear standard for “reasonable and adequate”
States like Washington and Minnesota have enacted payment card laws
Minn. law states any company that is breached and is found to have been storing “prohibited” PCI (Payment Card Industry Data Security Standard) data (e.g., magnetic stripe , CVV codes, track data, etc.) is required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also opens up these companies to private lawsuits

Encryption Law Ex.: Massachussetts
Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store or maintain “sensitive personal information” about its residents
This law “added teeth” that many security notification breach laws lack by specifically stating security requirements (i.e., encryption) to be met by organizations to ensure their security measures are “reasonable and adequate”

Case Study: Belmont Savings Bank
Belmont Savings Bank had a security breach in May 2011 when a surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew
No evidence that any customer SPI has been leaked
Bank has agreed to pay a civil penalty of $7,500
Bank has agreed to institute new security training procedures
*This is the first settlement related to a violation of the relatively new data security regulation since it went into effect on Mar 1, 2010.

Public Companies Take Notice: SEC Guidance
How many of you consult or work for a publicly traded company?
SEC has issued guidance on the disclosure of cybersecurity risks and incidents by publicly traded companies to investors
Not an SEC rule, regulation, or statement
It is guidance on cyber-security disclosures for public companies issuing quarterly and annual reports and other mandatory disclosures

SEC Guidance: Specific Disclosures
Management Discussion & Analysis: "Registrants should address cyber-security risks and cyber-incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition."
Description of Business: "If one or more cyber-incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's 'Description of Business.'"
Legal Proceedings: "If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber-incident, the registrant may need to disclose information regarding this litigation in its "Legal Proceedings" disclosure."
Financial Statement Disclosures: "Cyber-security risks and cyber-incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident."
Disclosure Controls and Procedures: "Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures."

SEC Guidance: Reputation Management Suggestion
Companies "should consider" customer incentives to maintain relationships after a cyber-attack (like enhanced credit monitoring. e.g., After the Play Station Network outage* Sony issued Identity Theft insurance polices in the amount of $1 million USD per user through Clear ID)
*77 million accounts were stolen

Mobile Marketing Association: Privacy Policy Guidelines
“ More than 58% of U.S. mobile users worried that their data can be easily accessed by others” - Alan Chapell, Co-chair of the MMA Privacy Committee
Why?
Recent FTC actions
Congressional hearings
Proposed legislation
Class action law suits
etc.

Enter MMA Mobile Application Privacy Policy Guidelines
Goal is to encourage self regulation of mobile app data processing and privacy
Privacy policy “should” cover
What information is obtained
What information is automatically collected
Including real time “check in” data
Do 3 rd parties have access to the information
Does the app work with 3 rd parties to deliver targeted ads
Opt out rights
How long is information retained
Rights of children
Security procedures
*MMA is seeking public comment on the guidance through Nov. 18, 2011

Privacy Chatter & Legislation is Rampant
46 states have passed a security breach notification statute (starting with CA in 2003)
This year 3 states (TX, CA, IL) have amended their security breach notification statutes to require more specific disclosure
Several states have passed laws requiring heightened security safeguards like encryption (i.e. Mass., Nev., etc.)

Privacy Chatter & Legislation is Rampant Continued
The SEC just issued new guidelines on the disclosure of cyber security risks and cyber incidents (for publicly traded companies)
The Whitehouse has published a Cyber Security Legislative Proposal
Mobile Marketing Association (“MMA”) has issued the MMA Privacy Policy Guidelines
This is not an exhaustive list!

Best Privacy Practices
Review the SPI of individuals that you are collecting information from and the residencies of those individuals. Determine which state laws apply.
Is it necessary to collect and store the SPI? Or, to electronically transfer the information?
3. If so, where and how do you store the SPI? Do you send the SPI to any third parties?
4. Review your Privacy Policy to make sure it is consistent with your business practice of collecting and storing data.
5. Take inventory of how customer and employee data is being protected. Should it be encrypted?
Do you have a “comprehensive information security plan?” How about third parties with access to the SPI?
If you are a public company, how are you presenting cyber security history and practices to investors?
If you have a mobile app., do you also have a privacy policy which informs users adequately?
If you have a mobile app., have you taken security precautions to protect the information you collect from being easily intercepted?

David Mink, CLO dreamsystemsmedia.com dmink @ dreamsystemsmedia .com @dmmink THANK YOU! Download: http://www.SlideShare.net/MattSiltala

http://www.dreamsystemsmedia.com	1573
http://dreamsystemsmedia.com	31
http://feeds.feedburner.com	30
http://a0.twimg.com	5
http://paper.li	4
http://ioweb.timersys.com	4
http://tweetedtimes.com	2
http://us-w1.rockmelt.com	1

Legal issues of domain names & trademarks

by Dream Systems Media on Nov 10, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

8 Embeds 1,650

Statistics

Legal issues of domain names & trademarks — Presentation Transcript