USLFG Corporate & Securities Presentation

1. Armstrong Teasdale Welcomes the USLFG Corporate & Securities Committee
October 11, 2013
© 2013 Armstrong Teasdale LLP
2. HOT RIGHT NOW
Burning Issues in Privacy & Information Security
October 11, 2013
Daniel Nelson, CIPP/US
3. Agenda
Social Media meets Social Engineering
HIPAA Hits the Masses
COPPA: An FTC Hot Spot
Stored Communications Act, Part VII
CalOPPA: …But You Can Never Leave
Snowden and Angry Dwarves: Europe's Response to the NSA leaks
The Growing Emphasis on Encryption
4. # 1 Information Security Threat
HACKERS?
SPIES?
Cyber terrorists?
6. Social Engineering
A significant majority of external intrusions contain a social engineering element
Phishing attacks are becoming increasingly sophisticated:
• Email- and web-based attacks
• Personalized emails built from information gleaned from Facebook or LinkedIn
• Fake internal company emails
8. The Problems:
Lack of Training
• Employees just don't know the importance
• Employees don't know of likely problems
No Security Culture
• Employees don't think about security implications
Ineffective Internal Controls
• Too much access to information
9. HIPAA Hits the Masses
New HIPAA Omnibus Rule: effective September 23, 2013.
Biggest Change: HIPAA Rules now directly cover "Business Associates"
• Prior Rule only directly regulated the much narrower class of "Covered Entities": Providers, Health Plans, Clearinghouses
• The Rules now apply directly to "Business Associates," i.e. those who, at any contracting level (including subcontractors), create, receive, maintain or transmit Protected Health Information on a Covered Entity's behalf
10. HIPAA Changes
Revised definition of data breach:
• Old standard: significant risk of harm to the individual
• New standard: an impermissible use or disclosure is presumed to be a breach unless a risk assessment shows a low probability that the PHI has been compromised, irrespective of harm
Blanket prohibition on sale of PHI without individual authorization
Increased limits on PHI use/disclosure for marketing & fundraising
Expanded patient rights of access to, and right to restrict disclosure of, PHI
11. Children's Online Privacy Protection Act ("COPPA")
The Act's primary focus is to safeguard children's PII
• PII includes a large array of information
− The obvious: name, address, etc.
− But also:
• Geolocation data
• Photos and videos
• Persistent identifiers (e.g. cookies, IP addresses, device IDs)
If you operate a website, online service, or mobile app directed towards kids, you must pay attention to COPPA
12. COPPA
The problem: the FTC has stated that the operator's intent is not determinative of whether a site, service or app is primarily or secondarily directed to kids.
Modified scope definition: sites "directed to children"
• Problematic, in that the new definition looks not to the operator's intent, but to a "totality of the circumstances" test. The FTC intends to look at the "attributes, look and feel" of a site. COPPA may apply even if children are deemed to be a secondary audience.
Moreover, if you have actual knowledge that you are gathering kids' PII, you must comply with COPPA
13. COPPA
COPPA is a minefield of stringent rules, including specific rules on methods of parental notification and obtaining parental opt-in consent
• If you didn't know COPPA applied to your site/service/app, the chances of accidental compliance are virtually zero
The FTC takes COPPA violations very seriously. A COPPA violation may be your surest ticket to an FTC enforcement action
14. COPPA Enforcement
U.S. v. Path, Inc.: filed 1/31/13
• Path: social networking service operating through an iOS app
• App collected and stored information from the user's mobile address book, even if the user did not elect this option
• FTC charged the practice as a deceptive trade practice because the collection violated Path's published privacy policy
• FTC also alleged violations of the Children's Online Privacy Protection Act because, among other things, the app allowed for the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child's precise location
• Settlement with the FTC included an $800,000 payment, as well as audited monitoring for the next 20 years
15. COPPA
I should be thinking about COPPA when:
• I operate a website/service/mobile app that would be attractive to kids
Big Picture:
• FTC's "look and feel" test creates uncertainty
• High-value target for FTC enforcement combined with very low probability of accidental compliance
Keys to avoiding trouble:
• Take a hard look at your website/service/mobile app offerings
• Don't ignore evidence that you are acquiring kids' data
16. COPPA Amendments
Broadened categories of protected PII:
• Geolocation data
• Persistent identifiers
• Photos/videos
Revised retention requirements
Restrictions on use of data collection by third parties through plug-ins
17. COPPA Amendments (continued)
Modified scope definition: sites "directed to children"
• Problematic, in that the new definition looks not to the operator's intent, but to a "totality of the circumstances" test. The FTC intends to look at the "attributes, look and feel" of a site. COPPA may apply even if children are deemed to be a secondary audience.
COPPA safe harbor through age-screening
18. Stored Communications Act ("SCA")
Passed in 1986:
• AOL was 1 year old
• Microsoft Windows 1.0 (1985)
• No Yahoo! (1994)
• No Microsoft Outlook (1997)
19. Stored Communications Act ("SCA") Basics
Passed in 1986
Generally prohibits unauthorized access to electronically stored communications
Differs from the Federal Wiretap statute, which prohibits interception of communications in transit
20. Recent Decisions
Ehling v. Monmouth-Ocean Hosp. Serv. Corp., Civ. No. 2:11-cv-03305 (U.S.D.C., D. NJ, Aug. 20, 2013):
• SCA applies to non-public Facebook wall posts
Lazette v. Kulmatycki, 3:12CV2416 (U.S.D.C., N.D. Ohio, June 5, 2013):
• SCA protected former employee's personal emails on a Blackberry turned back in to the employer
21. California Online Privacy Protection Act (CalOPPA)
Applies to website/online service/mobile app providers who collect California residents' PII
Requires a conspicuous privacy policy
Policy must, at a minimum:
• Tell the data subject the categories of PII being collected
• Describe any available means by which the data subject can review or request changes to retained PII
• Identify the means by which policy changes will be made known to users
• Specify an effective date
22. California Online Privacy Protection Act
I should be thinking about CalOPPA when:
• I operate a website/online service/application that collects or stores consumers' PII.
Big Picture:
• Must have a privacy policy
Keys to avoiding trouble:
• Post a meaningful privacy policy that reflects the organization's actual practices
23. California v. Delta Air Lines, Inc.
Filed 12/06/12
Complaint alleges that Delta violated California's Online Privacy Protection Act ("CalOPPA") and California's Unfair Competition Law:
The "Fly Delta" mobile app collected users' PII, including name, contact information, passport information, photographs and geolocation data.
Delta did not conspicuously post a privacy policy, thus depriving users of:
• Knowledge of what PII Delta collected
• What Delta did with the PII
• To whom Delta may have disclosed or sold the PII
While Delta's website does contain a posted privacy policy, that policy did not mention the Fly Delta app, and the Fly Delta app did not point users to this privacy policy. Moreover, the app collected certain types of PII that the website did not.
24. Recent CalOPPA Amendments
California SB 568
• Adds a new provision regarding minors' privacy rights
• Prohibits online marketing or advertising of certain products to anyone under 18
• Site/app operators must allow minors to remove content or information they posted, and must provide instructions on how to do so
California AB 370
• Requires privacy policies to disclose how the website operator responds to Do Not Track
25. European Data Protection Authorities React to Snowden leaks
In Wake of PRISM, German DPAs Threaten To Halt Data Transfers to Non-EU Countries
"In the wake of revelations about the U.S. National Security Agency's PRISM internet surveillance program, German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program."
− Bloomberg BNA, 7.29.13
26. Proposed General Data Protection Regulation (GDPR)
Potentially broadens the purported reach of EU data protection law: companies that "envisage" doing business with EU residents
Calls for stricter privacy regulation in the wake of PRISM, et al. revelations
• Viviane Reding, V.P. of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, is leading the charge
27. Growing Digital Privacy Divide
Possible ramifications:
• Nothing
• Modified (i.e. less user-friendly) data transfer regulations
• Net loss of data processing & data storage business to other countries
28. Encryption
Growing body of regulations and enforcement actions requiring some form of encryption
Encryption may come in many forms:
• Encryption in transmission (e.g. PCI Rules, TLS/SSL, PGP email)
• File-level encryption
• Full-disk encryption
29. Recent FTC Enforcement Actions
Cbr Systems, Inc.
• Cbr's privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
• After unencrypted data contained on storage media and a laptop were stolen from a Cbr employee's car, the FTC charged Cbr with deceptive trade practices because Cbr failed to live up to its security promises. In particular, the FTC focused on Cbr's failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need
30. Enforcement Actions
TRENDnet
• SecurView cameras for home monitoring
• Software flaw allowed anyone with a camera's web address to view the live feed
FTC charged:
• Failure to use reasonable measures to test security;
• Unencrypted transmission of user credentials, and unencrypted storage of login information on the mobile app.
31. HIPAA
Encryption is an "addressable" Implementation Specification under both the Access Control and Transmission Security Standards
Encryption required where "reasonable and appropriate"
A decision not to encrypt must be documented in writing for later review by the HHS Office for Civil Rights
32. Massachusetts Data Security Laws
Requires a "comprehensive" data security program that includes:
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
• Encryption of data that will "travel across public networks" or that will be "transmitted wirelessly"
33. We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in.
The universe believes in encryption.
It is easier to encrypt information than it is to decrypt it.
— Julian Assange, in the introduction of Cypherpunks: Freedom and the Future of the Internet
34. Why Encrypt?
May be required by existing law
Best protection against data breach notification requirements (most state breach laws exempt properly encrypted data)
Fast becoming a "reasonable" or "industry standard" security measure
• Most privacy policies assure users that the company employs "reasonable" security measures or the like
• Growing body of law and regulatory decisions provides a basis for plaintiffs' experts to claim encryption is required
35. Questions?
Dan Nelson, CIPP/US, Partner, Armstrong Teasdale LLP
314.552.6650 dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson
36. The Interactive Web and the Law: Emerging Technologies' Impact on Your Practice
October 11, 2013
Jeff Schultz, Armstrong Teasdale LLP
37. The Challenge
"If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand."
— Justice Stephen Breyer

Justice Roberts: "I thought, you know, you push a button; it goes right to the other thing."
Justice Scalia: "You mean it doesn't go right to the other thing?"
— Justice John Roberts to Justice Antonin Scalia, regarding how a text messaging service works
38. What is the Interactive Web
Web 2.0
Includes social media, blogs, interactive websites, and more
A tool for communicating
Information is shared globally
Web 3.0?
39. It's Unavoidable
Pinterest overtook LinkedIn to become No. 3
Almost 1 billion Facebook users
• 54% access via mobile
• 23% check Facebook 5 times or more daily
• 1 million websites have integrated with Facebook
Over 40 million photos are uploaded to Instagram every day
More apps using location data to connect users
Fastest growing segment for use: 45-54 year olds
Political campaigns using social media
56% of customer tweets are being ignored
40. Zuckerberg's Law of Information Sharing
"I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before."
41. Is the Interactive Web Changing Our Definition of "Privacy"?
Courts allowing access to user accounts
Questions arising about who owns the data you share
Courts dealing with issues concerning GPS tracking, phone location records, and other location data collected by social media applications
Do privacy settings actually make your data private?
42. What Data Does Facebook Really Collect (and Keep)?
The obvious: what you see on the screen
"Europe v. Facebook" Group Information Request:
• All friend requests and your responses;
• All event invitations and your responses;
• IP address used for each Facebook login;
• Camera metadata, even for photos where you untagged yourself;
• Credit card information;
• Geolocation information, including latitude, longitude, and time/date.
- See europe-v-facebook.org/fb_cat1.pdf
43. Many areas of the law are impacted
• Corporate
• Securities
• Labor and Employment
• Litigation
• Intellectual Property
• Discovery
• Ethics
44. Legislation Regarding Individuals' Use of the Interactive Web
California: illegal to impersonate others online
Missouri: briefly made it illegal for teachers to "friend" students
Potential liability under state computer tampering statutes for accessing, using, disclosing, receiving or retaining data without authorization
45. Legislation (continued)
California, Illinois, Maryland, and Michigan: illegal for employers to ask job applicants or workers for social media passwords
California, Delaware, Michigan, and New Jersey: illegal to ask students to disclose social media passwords
At least 14 states (including Missouri) introduced legislation in 2012 that would restrict employers from requesting access to social networking usernames and passwords of applicants, students or employees
SNOPA (Social Network Online Protection Act): Congress wants to make it illegal for employers and schools to ask for social media passwords of employees, students, and applicants
46. Regulations Regarding Social Media
FTC:
• Employees/contractors who endorse their employer's products must clearly and conspicuously disclose their relationship
SEC:
• Risk Alert issued January 4, 2012 by the Office of Compliance Inspections and Examinations (Investment Adviser Use of Social Media)
• Threatened action against Netflix CEO for alleged violation of Reg FD (CEO congratulated Netflix team on Facebook for surpassing 1 billion hours in monthly viewing)
47. Regulation (continued)
NLRB:
• Closely reviewing policies for compliance with Section 7 rights
• Problems created by confidentiality provisions
FDA (regulations not final; long delayed):
• Only addresses responses to requests re off-label uses. Does not address how to utilize space-limited sites like Twitter to convey risk and safety information for a fair balance
• Does not provide clear guidance on the dos and don'ts of social media marketing
50. Social Media and Discovery: Many Different Approaches
Considered social media under the Stored Communications Act and denied production
One side ordered to turn over its passwords
Parties ordered to friend the judge for review of photos and comments in camera
Review of accounts in camera to identify potentially relevant and discoverable information
51. Where Will the Balance be Found?
Social media is not "privileged" or entitled to special protections (i.e. no "expectation of privacy")
But, not "open season" on everything in one's social media space
• No "generalized right to rummage" through private posts
• Application of established rules regarding "relevant or reasonably calculated to lead to the discovery of relevant information"
Turnover of username/password: courts have not yet addressed the conflict this creates with a site's Terms of Use
52. Authentication
Rule 901: To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims.
Consensus among many courts and legal commentators that the rules of evidence already in place for determining authenticity are at least generally "adequate to the task" with respect to electronically generated, transmitted and/or stored information (including social networking sites). See Tienda v. State, 358 S.W.3d 633 (Tex. Crim. App. 2012).
There is no single approach to authentication that will work in all instances. The best approach will depend upon the nature of the evidence and the circumstances of the particular case.
53. The Aspiring Firefighter
Employee had back surgery in October
• Employee claimed leave ran until December 30, 2009
• Employer claimed leave ran until December 2, 2009
Employee terminated when he didn't return to work
Claim: disability discrimination and violation of FMLA rights
55. The Double-Sting
The Sting:
• Ex-wife sets up a fake Facebook account for "Jessica" (a 17 year old girl) to get info for a child custody battle
• Ex-husband asks "Jessica" to find a hit man to kill ex-wife: "you should find someone at your school…that would put a cap in her ass for $10,000."
• Ex-husband is arrested
The Double-Sting:
• Ex-husband freed after proving he knew all along that ex-wife was "Jessica"
• Ex-husband played along with ex-wife's ruse to use it against her in their custody case.
56. Contact Information
Jeff Schultz
Partner, Armstrong Teasdale LLP
314.259.4732
jschultz@armstrongteasdale.com
www.armstrongteasdale.com
http://twitter.com/JeffSchultzEsq
http://twitter.com/AT_Law
http://twitter.com/AT_Live
http://twitter.com/AT_Innovate
59. Business Meeting of the Committee
October 11, 2013
Editor's Notes
• § 162.069 RSMo.
• Maryland: has made it illegal for employers to ask job applicants or workers for social media passwords (California, Illinois, Minnesota, New Jersey and Washington also considering legislation).
• U.S.: considering privacy legislation that would prohibit tracking children online. Europe already has "do not track" privacy laws, and many privacy laws that impact Google Street View.