Legal issues of domain names & trademarks

Legal issues of domain names and trademarks - Pubcon Vegas 2011 - with David Mink

Published in: Education, Technology, Business

1. PRIVACY DEVELOPMENTS 2011
   David Mink, CLO
   [email_address]
   @dmmink

2. Security Breach Legislation 2011
   "Information security experts are calling 2011 one of the worst years for data security breaches in the last decade."

3. Hypothetical: Ecommerce Store
   - A database of more than 100,000 customers is hacked, and that database contained sensitive personal information about the customers (e.g., name + credit card number)
     - What do you do?
     - What are you responsible for?
     - What liabilities do you face?
     - What obligations do you have?
4. Security Breach Notification Statutes
   - Require organizations to give notification of security breaches involving personal information
   - Require organizations to use security measures that are "reasonable" and "adequate" to prevent breaches
   - 46 states have passed these laws. The holdouts are Alabama, Kentucky, New Mexico, and South Dakota
5. TX, CA, IL
   - These three states now require more specific disclosure in the event of a breach, including the following examples:
     - Name and contact info of the reporting business
     - List of the types of personal info reasonably believed to have been the subject of the breach
     - Date or estimated date range of the breach
     - General description of the breach incident
     - Toll-free telephone numbers of the major credit reporting agencies
     - Notify persons affected in other states even if their state has no notification law (TX)
6. State Movements: Encryption Laws & Payment Card Laws
   - States like Massachusetts and Nevada have enacted encryption laws, providing a clear standard for "reasonable and adequate"
   - States like Washington and Minnesota have enacted payment card laws
     - The Minnesota law states that any company that is breached and is found to have been storing data that the PCI DSS (Payment Card Industry Data Security Standard) prohibits retaining after authorization (e.g., full magnetic stripe/track data, CVV codes) is required to reimburse banks and other entities for the costs of blocking and reissuing cards. This law also opens up these companies to private lawsuits
7. Encryption Law Ex.: Massachusetts
   - Massachusetts was the first state to adopt enhanced encryption standards for organizations that own, license, store, or maintain "sensitive personal information" about its residents
   - This law "added teeth" that many security breach notification laws lack by specifically stating the security requirements (i.e., encryption) organizations must meet for their security measures to count as "reasonable and adequate"
8. Case Study: Belmont Savings Bank
   - Belmont Savings Bank had a security breach in May 2011, when a surveillance camera showed that a backup tape had been inadvertently discarded by the evening cleaning crew
   - No evidence that any customer SPI has been leaked
   - The bank has agreed to pay a civil penalty of $7,500
   - The bank has agreed to institute new security training procedures
   - This is the first settlement related to a violation of the relatively new data security regulation since it went into effect on Mar 1, 2010
9. Public Companies Take Notice: SEC Guidance
   - How many of you consult for or work for a publicly traded company?
   - The SEC has issued guidance on the disclosure of cybersecurity risks and incidents by publicly traded companies to investors
   - Not an SEC rule, regulation, or statement
   - It is guidance on cybersecurity disclosures for public companies issuing quarterly and annual reports and other mandatory disclosures

10. SEC Guidance: Specific Disclosures
   - Management Discussion & Analysis: "Registrants should address cyber-security risks and cyber-incidents in their MD&A if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition."
   - Description of Business: "If one or more cyber-incidents materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure in the registrant's 'Description of Business.'"
   - Legal Proceedings: "If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber-incident, the registrant may need to disclose information regarding this litigation in its 'Legal Proceedings' disclosure."
   - Financial Statement Disclosures: "Cyber-security risks and cyber-incidents may have a broad impact on a registrant's financial statements, depending on the nature and severity of the potential or actual incident."
   - Disclosure Controls and Procedures: "Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures."
11. SEC Guidance: Reputation Management Suggestion
   - Companies "should consider" customer incentives to maintain relationships after a cyber-attack, such as enhanced credit monitoring (e.g., after the PlayStation Network outage*, Sony offered identity theft insurance policies in the amount of $1 million USD per user through AllClear ID)
   - *77 million accounts were compromised
12. Mobile Marketing Association: Privacy Policy Guidelines
   - "More than 58% of U.S. mobile users worried that their data can be easily accessed by others" - Alan Chapell, Co-chair of the MMA Privacy Committee
   - Why?
     - Recent FTC actions
     - Congressional hearings
     - Proposed legislation
     - Class action lawsuits
     - etc.

13. Enter MMA Mobile Application Privacy Policy Guidelines
   - The goal is to encourage self-regulation of mobile app data processing and privacy
   - The privacy policy "should" cover:
     - What information is obtained
     - What information is automatically collected
       - Including real-time "check in" data
     - Do 3rd parties have access to the information?
     - Does the app work with 3rd parties to deliver targeted ads?
     - Opt-out rights
     - How long information is retained
     - Rights of children
     - Security procedures
   - MMA is seeking public comment on the guidance through Nov. 18, 2011
14. Privacy Chatter & Legislation Is Rampant
   - 46 states have passed a security breach notification statute (starting with CA in 2003)
   - This year 3 states (TX, CA, IL) have amended their security breach notification statutes to require more specific disclosure
   - Several states have passed laws requiring heightened security safeguards like encryption (e.g., Mass., Nev.)

15. Privacy Chatter & Legislation Is Rampant, Continued
   - The SEC just issued new guidance on the disclosure of cybersecurity risks and cyber incidents (for publicly traded companies)
   - The White House has published a Cybersecurity Legislative Proposal
   - The Mobile Marketing Association ("MMA") has issued the MMA Privacy Policy Guidelines
   - This is not an exhaustive list!
16. Best Privacy Practices
   1. Review the SPI of the individuals you are collecting information from and the residencies of those individuals. Determine which state laws apply.
   2. Is it necessary to collect and store the SPI? Or to electronically transfer the information?
   3. If so, where and how do you store the SPI? Do you send the SPI to any third parties?
   4. Review your Privacy Policy to make sure it is consistent with your business practice of collecting and storing data.
   5. Take inventory of how customer and employee data is being protected. Should it be encrypted?
   6. Do you have a "comprehensive information security plan"? How about third parties with access to the SPI?
   7. If you are a public company, how are you presenting your cybersecurity history and practices to investors?
   8. If you have a mobile app, do you also have a privacy policy that informs users adequately?
   9. If you have a mobile app, have you taken security precautions to protect the information you collect from being easily intercepted?
17. David Mink, CLO
   dmink@dreamsystemsmedia.com
   @dmmink
   THANK YOU!