USLFG Corporate & Securities Presentation

  1. Armstrong Teasdale Welcomes the USLFG Corporate & Securities Committee
     October 11, 2013
     © 2013 Armstrong Teasdale LLP
  2. HOT RIGHT NOW: Burning Issues in Privacy & Information Security
     October 11, 2013
     Daniel Nelson, CIPP/US
  3. Agenda
      Social Media meets Social Engineering
      HIPAA Hits the Masses
      COPPA: An FTC Hot Spot
      Stored Communications Act, Part VII
      CalOPPA: …But You Can Never Leave
      Snowden and Angry Dwarves: Europe’s Response to the NSA leaks
      The Growing Emphasis on Encryption
  4. #1 Information Security Threat: Hackers? Spies? Cyber terrorists?
  5. Information Security Enemy #1
  6. Social Engineering
      A significant majority of external intrusions contain a social engineering element
      Phishing attacks are becoming increasingly sophisticated
      Use of email- and web-based attacks
      Personalized emails built from information gleaned from Facebook or LinkedIn
      Fake internal company emails
  7. Social Engineering Victims
      RSA (the security token company)
      Oak Ridge National Labs
      Google
  8. The Problems
      Lack of training
       • Employees just don’t know the importance
       • Employees don’t know the likely problems
      No security culture
       • Employees don’t think about security implications
      Ineffective internal controls
       • Too much access to information
  9. HIPAA Hits the Masses
      New HIPAA Omnibus Rule: effective September 23, 2013
      Biggest change: the HIPAA rules now directly regulate “Business Associates”
       • The prior rule directly regulated only the much narrower set of “Covered Entities”: providers, health plans, clearinghouses
       • “Business Associates,” i.e. those who, at any contracting level (including subcontractors), create, receive, maintain or transmit Protected Health Information (PHI) on a covered entity’s behalf, are now directly liable for compliance
  10. HIPAA Changes
      Revised definition of data breach:
       • Old standard: significant risk of harm to the individual
       • New standard: probability that the PHI was compromised, irrespective of harm; an impermissible use or disclosure is presumed to be a breach unless a documented risk assessment shows a low probability of compromise
      Blanket prohibition on sale of PHI without individual authorization
      Increased limits on PHI use/disclosure for marketing and fundraising
      Expanded patient rights of access to, and right to restrict disclosure of, PHI
  11. Children’s Online Privacy Protection Act (“COPPA”)
      The Act’s primary focus is to safeguard children’s PII
       • PII includes a large array of information
         − The obvious: name, address, etc.
         − But also:
           • Geolocation data
           • Photos and videos
           • Persistent identifiers (e.g. cookies, device IDs)
      If you operate a website, online service, or mobile app directed towards kids, you must pay attention to COPPA
  12. COPPA
      The problem: the FTC has stated that the operator’s intent is not determinative of whether a site, service or app is primarily or secondarily directed to kids
       • The revised “directed to children” definition looks not to the operator’s intent but to a “totality of the circumstances” test; the FTC intends to look at the “attributes, look and feel” of a site
       • COPPA may apply even if children are deemed to be a secondary audience
      Moreover, if you have actual knowledge that you are gathering kids’ PII, you must comply with COPPA
  13. COPPA
      COPPA is a minefield of stringent rules, including specific rules on methods of parental notification and obtaining parental opt-in consent
       • If you didn’t know COPPA applied to your site/service/app, the chances of accidental compliance are virtually zero
      The FTC takes COPPA violations very seriously. A COPPA violation may be your surest ticket to an FTC enforcement action
  14. COPPA Enforcement
      U.S. v. Path, Inc.: filed 1/31/13
       • Path: social networking site operating through an iOS app
       • The app collected and stored information from the user’s mobile address book, even if the user did not elect this option
       • The FTC charged that this was a deceptive trade practice because the collection violated Path’s published privacy policy
       • The FTC also alleged violations of COPPA because, among other things, the app allowed the knowing collection of personal data of children under age 13, and allowed children to post text, photos, and the child’s precise location
       • Settlement with the FTC included an $800,000 payment, as well as audited privacy assessments for the next 20 years
  15. COPPA
      I should be thinking about COPPA when:
       • I operate a website/service/mobile app that would be attractive to kids
      Big picture:
       • The FTC’s “look and feel” test creates uncertainty
       • High-value target for FTC enforcement combined with very low probability of accidental compliance
      Keys to avoiding trouble:
       • Take a hard look at your website/service/mobile app offerings
       • Don’t ignore evidence that you are acquiring kids’ data
  16. COPPA Amendments
      Broadened categories of protected PII:
       • Geolocation data
       • Persistent identifiers
       • Photos/videos
      Revised retention requirements: retain children’s PII only as long as reasonably necessary, then delete it securely
      Restrictions on data collection by third parties through plug-ins
  17. COPPA Amendments (continued)
      Modified scope definition: sites “directed to children”
       • Problematic, in that the new definition looks not to the operator’s intent but to a “totality of the circumstances” test; the FTC intends to look at the “attributes, look and feel” of a site. COPPA may apply even if children are deemed to be a secondary audience
      COPPA safe harbor for mixed-audience sites through age-screening
  18. Stored Communications Act (“SCA”)
      Passed in 1986: AOL was 1 year old; Microsoft Windows 1.0 (1985); no Yahoo! (1994); no Microsoft Outlook (1997)
  19. Stored Communications Act (“SCA”) Basics
      Passed in 1986
      Generally prohibits unauthorized access to electronically stored communications
      Differs from the federal Wiretap Act, which prohibits interception of communications in transit
  20. Recent Decisions
      Ehling v. Monmouth-Ocean Hosp. Serv. Corp., Civ. No. 2:11-cv-03305 (D.N.J. Aug. 20, 2013):
       • SCA applies to non-public Facebook wall posts
      Lazette v. Kulmatycki, No. 3:12CV2416 (N.D. Ohio June 5, 2013):
       • SCA protected a former employee’s personal emails on a Blackberry turned back in to the employer; the employer’s reading of them after the return was unauthorized access
  21. California Online Privacy Protection Act (CalOPPA)
      Applies to website/online service/mobile app providers who collect California residents’ PII
      Requires a conspicuously posted privacy policy
      The policy must, at a minimum:
       • Tell the data subject the categories of PII being collected
       • Describe any available means by which the data subject can review or request changes to retained PII
       • Identify the means by which policy changes will be made known to users
       • Specify an effective date
  22. California Online Privacy Protection Act
      I should be thinking about CalOPPA when:
       • I operate a website/online service/application that collects or stores consumers’ PII
      Big picture:
       • Must have a privacy policy
      Keys to avoiding trouble:
       • Post a meaningful privacy policy that reflects the organization’s actual practices
  23. California v. Delta Air Lines, Inc.
      Filed 12/06/12
      The complaint alleges that Delta violated California’s Online Privacy Protection Act (“CalOPPA”) and California’s Unfair Competition Law:
      The “Fly Delta” mobile app collected users’ PII, including name, contact information, passport information, photographs and geolocation data
      Delta did not conspicuously post a privacy policy, thus depriving users of:
       • Knowledge of what PII Delta collected
       • What Delta did with the PII
       • To whom Delta may have disclosed or sold the PII
      While Delta’s website does contain a posted privacy policy, that policy did not mention the Fly Delta app, and the Fly Delta app did not point users to this privacy policy. Moreover, the app collected certain types of PII that the website did not
  24. Recent CalOPPA Amendments
      California SB 568
       • Adds a new provision regarding minors’ privacy rights
       • Prohibits online marketing or advertising of certain products to anyone under 18
       • Site/app operators must allow minors to remove content or information they posted, and must provide instructions on how to do so
      California AB 370
       • Requires privacy policies to disclose how the website operator responds to Do Not Track signals
  25. European Data Protection Authorities React to Snowden Leaks
      In Wake of PRISM, German DPAs Threaten To Halt Data Transfers to Non-EU Countries
      “In the wake of revelations about the U.S. National Security Agency's PRISM internet surveillance program, German data protection authorities July 24 announced a crackdown on privacy violations involving countries outside the European Union and called for the German government to suspend participation in the U.S.-EU Safe Harbor Program.”
      − Bloomberg BNA, 7.29.13
  26. Proposed General Data Protection Regulation (GDPR)
      Potentially broadens the reach of EU data protection law to companies that “envisage” doing business with EU residents
      Calls for stricter privacy regulation in the wake of the PRISM et al. revelations
       • Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, is leading the charge
  27. Growing Digital Privacy Divide
      Possible ramifications:
       • Nothing
       • Modified (i.e. less user-friendly) data transfer regulations
       • Net loss of data processing and data storage business to other countries
  28. Encryption
      Growing body of regulations and enforcement actions requiring some form of encryption
      Encryption may come in many forms:
       • Encryption in transmission (e.g. PCI rules, TLS/SSL, PGP email)
       • File-level encryption
       • Full-disk encryption
  29. Recent FTC Enforcement Actions
      Cbr Systems, Inc.
       • Cbr’s privacy policy promised to handle personal information securely and in accordance with its Privacy Policy and Terms of Service
       • After unencrypted data on storage media and a laptop were stolen from a Cbr employee’s car, the FTC charged Cbr with deceptive trade practices because Cbr failed to meet its own security promises. In particular, the FTC focused on Cbr’s failure to employ secure data transport practices, failure to encrypt data, and retention of data for which Cbr no longer had a business need
  30. Enforcement Actions
      TRENDnet
       • SecurView cameras for home monitoring
       • A software flaw allowed anyone with a camera’s web address to view the live feed, bypassing the owner’s login
      The FTC charged:
       • Failure to use reasonable measures to test security
       • Unencrypted transmission of user credentials, and unencrypted storage of login information in the mobile app
  31. HIPAA
      Encryption is an “addressable” implementation specification under both the Access Control and Transmission Security standards
      Encryption is required where “reasonable and appropriate”
      A decision not to encrypt must be documented in writing, together with the equivalent alternative measure adopted, for later Office for Civil Rights review
  32. Massachusetts Data Security Laws
      Require a “comprehensive” data security program that includes:
       • Designated responsible employee(s)
       • Identification and assessment of risks
       • Employee security policies
       • Oversight of service providers (including requiring such providers, by contract, to maintain appropriate security measures)
       • Encryption of personal information that will “travel across public networks” or be “transmitted wirelessly,” and of personal information stored on laptops and other portable devices
  33. “We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in. The universe believes in encryption. It is easier to encrypt information than it is to decrypt it.”
      — Julian Assange, in the introduction to Cypherpunks: Freedom and the Future of the Internet
  34. Why Encrypt?
      May be required by existing law
      Best protection against data breach notification obligations: most state breach notification statutes, and the HIPAA breach rule, exempt data that was encrypted at the time of the loss
      Fast becoming a “reasonable” or “industry standard” security measure
       • Most privacy policies assure users that the company employs “reasonable” security measures or the like
       • A growing body of law and regulatory decisions gives plaintiffs’ experts a basis to claim that encryption is required
  35. Questions?
      Dan Nelson, CIPP/US, Partner, Armstrong Teasdale LLP
      314.552.6650
      dnelson@armstrongteasdale.com
      http://twitter.com/DanNelsonEsq
      www.linkedin.com/in/danielcnelson
  36. The Interactive Web and the Law: Emerging Technologies’ Impact on Your Practice
      October 11, 2013
      Jeff Schultz, Armstrong Teasdale LLP
  37. The Challenge
      “If I'm applying the First Amendment, I have to apply it to a world where there's an Internet, and there's Facebook, and there are movies like ... The Social Network, which I couldn't even understand.”
      — Justice Stephen Breyer
      Justice Roberts: “I thought, you know, you push a button; it goes right to the other thing.”
      Justice Scalia: “You mean it doesn't go right to the other thing?”
      — Justice John Roberts to Justice Antonin Scalia regarding how a text-messaging service works
  38. What is the Interactive Web
      Web 2.0
      Includes social media, blogs, interactive websites, and more
      A tool for communicating
      Information is shared globally
      Web 3.0?
  39. It’s Unavoidable
      Pinterest overtook LinkedIn to become No. 3
      Almost 1 billion Facebook users
       • 54% access via mobile
       • 23% check Facebook 5 times or more daily
       • 1 million websites have integrated with Facebook
      Over 40 million photos are uploaded to Instagram every day
      More apps using location data to connect users
      Fastest-growing segment for use: 45-54 year olds
      Political campaigns using social media
      56% of customer tweets are being ignored
  40. Zuckerberg’s Law of Information Sharing
      “I would expect that next year, people will share twice as much information as they share this year, and the next year, they will be sharing twice as much as they did the year before.”
  41. Is the Interactive Web Changing Our Definition of “Privacy”?
      Courts allowing access to user accounts
      Questions arising about who owns the data you share
      Courts dealing with issues concerning GPS tracking, phone location records, and other location data collected by social media applications
      Do privacy settings actually make your data private?
  42. What Data Does Facebook Really Collect (and Keep)?
      The obvious: what you see on the screen
      “Europe v. Facebook” group information request revealed Facebook also retains:
       • All friend requests and your responses
       • All event invitations and your responses
       • IP address used for each Facebook login
       • Camera metadata, even for photos where you untagged yourself
       • Credit card information
       • Geolocation information, including latitude, longitude, and time/date
      − See europe-v-facebook.org/fb_cat1.pdf
  43. Many Areas of the Law Are Impacted
       • Corporate
       • Securities
       • Labor and Employment
       • Litigation
       • Intellectual Property
       • Discovery
       • Ethics
  44. Legislation Regarding Individuals’ Use of the Interactive Web
      California: illegal to impersonate others online
      Missouri: briefly made it illegal for a teacher to “friend” students
      Potential liability under state computer tampering statutes for accessing, using, disclosing, receiving or retaining data without authorization
  45. Legislation (continued)
      California, Illinois, Maryland, and Michigan: illegal for employers to ask job applicants or workers for social media passwords
      California, Delaware, Michigan, and New Jersey: illegal to ask students to disclose social media passwords
      At least 14 states (including Missouri) introduced legislation in 2012 that would restrict employers from requesting access to the social networking usernames and passwords of applicants, students or employees
      SNOPA (Social Networking Online Protection Act): proposed federal bill that would make it illegal for employers and schools to ask for the social media passwords of employees, students, and applicants
  46. Regulations Regarding Social Media
      FTC:
       • Employees/contractors who endorse their employer’s products must clearly and conspicuously disclose their relationship
      SEC:
       • Risk Alert issued January 4, 2012 by the Office of Compliance Inspections and Examinations (Investment Adviser Use of Social Media)
       • Threatened action against the Netflix CEO for an alleged violation of Regulation FD (the CEO congratulated the Netflix team on Facebook for surpassing 1 billion hours in monthly viewing)
  47. Regulation (continued)
      NLRB:
       • Closely reviewing social media policies for compliance with employees’ Section 7 rights
       • Problems created by confidentiality provisions
      FDA (regulations not final; long delayed):
       • Only addresses responses to requests regarding off-label uses. Does not address how to use space-limited sites like Twitter to convey risk and safety information for a fair balance
       • Does not provide clear guidance on the dos and don’ts of social media marketing
  48. Location Data (image): Patterns of Movement; Awareness of Location
  49. Location Data (image)
  50. Social Media and Discovery: Many Different Approaches
      Considered social media under the Stored Communications Act and denied production
      One side ordered to turn over its passwords
      Parties ordered to “friend” the judge for review of photos and comments in camera
      Review of accounts in camera to identify potentially relevant and discoverable information
  51. Where Will the Balance Be Found?
      Social media is not “privileged” or entitled to special protections (i.e. no “expectation of privacy”)
      But it is not “open season” on everything in one’s social media space
       • No “generalized right to rummage” through private posts
       • Application of the established rule: “relevant or reasonably calculated to lead to the discovery of relevant information”
      Turnover of username/password: courts have not yet addressed the conflict this creates with the site’s Terms of Use, which typically prohibit sharing credentials
  52. Authentication
      Federal Rule of Evidence 901: to satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims
      Consensus among many courts and legal commentators that the rules of evidence already in place for determining authenticity are at least generally “adequate to the task” with respect to electronically generated, transmitted and/or stored information (including social networking sites). See Tienda v. State, 358 S.W.3d 633 (Tex. Crim. App. 2012)
      There is no single approach to authentication that will work in all instances. The best approach will depend upon the nature of the evidence and the circumstances of the particular case
  53. The Aspiring Firefighter
      Employee had back surgery in October
       • Employee claimed leave ran until December 30, 2009
       • Employer claimed leave ran until December 2, 2009
      Employee terminated when he didn’t return to work
      Claim: disability discrimination and violation of FMLA rights
  55. The Double-Sting
      The sting:
       • Ex-wife sets up a fake Facebook account for “Jessica” (a 17-year-old girl) to get information for a child custody battle
       • Ex-husband asks “Jessica” to find a hit man to kill the ex-wife: “you should find someone at your school…that would put a cap in her ass for $10,000.”
       • Ex-husband is arrested
      The double-sting:
       • Ex-husband freed after proving he knew all along that the ex-wife was “Jessica”
       • Ex-husband played along with the ex-wife’s ruse to use it against her in their custody case
  56. Contact Information
      Jeff Schultz, Partner, Armstrong Teasdale LLP
      314.259.4732
      jschultz@armstrongteasdale.com
      www.armstrongteasdale.com
      http://twitter.com/JeffSchultzEsq
      http://twitter.com/AT_Law
      http://twitter.com/AT_Live
      http://twitter.com/AT_Innovate
  57. Recent Delaware Corporate Law Developments
      October 11, 2013
      Greg Williams, Richards, Layton & Finger
  58. Open Discussion
      October 11, 2013
  59. Business Meeting of the Committee
      October 11, 2013
