USLFG Corporate & Securities Presentation

Armstrong Teasdale Welcomes the

USLFG Corporate &
Securities Committee
October 11, 2013

© 2013 Armstrong Teasdale Teasdale
© 2013 Armstrong
LLP
LLP

HOT RIGHT NOW
Burning Issues in Privacy &
Information Security
October 11, 2013
Daniel Nelson, CIPP/US

© 2013 Armstrong
LLP
LLP

Agenda
 Social Media meets Social Engineering
 HIPAA Hits the Masses
 COPPA: An FTC Hot Spot
 Stored Communications Act, Part VII:
 CalOPPA: …But You Can Never Leave

 Snowden and Angry Dwarves: Europe’s Response to

the NSA leaks
 The Growing Emphasis on Encryption

3
© 2013 Armstrong Teasdale
LLP

# 1 Information Security Threat

HACKERS?
SPIES?

4
LLP

Cyber
terrorists?

INFORMATION SECURITY ENEMY #1

5
LLP

Social Engineering
 Significant majority of external intrusions contain

social engineering element
 Phishing attacks becoming increasingly

sophisticated.
 Use of email/web based attacks
 Personalized emails: information gleaned from

Facebook or Linked In
 Fake Internal Company Emails
6
LLP

Social Engineering Victims
 RSA (the Security Token Company)
 Oak Ridge National Labs
 Google

7
LLP

The Problems:
 Lack of Training

• Employees just don’t know the importance
• Employees don’t know of likely problems
 No Security Culture
• Employee’s don’t think about security implications
 Ineffective Internal Controls
• Too much access to information
8
LLP

HIPAA Hits the Masses
 New HIPAA Omnibus Rule: Effective September 23,

2013.
 Biggest Change: HIPAA Rule Now Covers “Business
Associates”
• Prior Rule only directly regulated much narrower
definition of “Covered Entities”: Providers, Health
Plans, Clearinghouses
• “Covered Entities” now include “Business Associates,”
i.e. those who, at any contracting level, process or
transmit Protected Health Information
9
LLP

HIPAA Changes
 Revised definition of data breach:
• Old standard: risk of harm
• New standard: risk of compromise, irrespective of

harm
 Blanket prohibition on sale of information without
individual authorization
 Increased limits on PHI use/disclosure for marketing
& fundraising
 Expanded patient rights of access to, and right to
restrict disclosure of, PHI
10
LLP

Children’s Online Privacy Protection Act
(“COPPA”)
 Act’s primary focus is to safeguard the children’s PII
• PII includes a large array of information
− The obvious: name, address, etc.
− But also:
• Geolocation data
• Photos and Videos
• Computerized Persistent Identifiers

 If you operate a website, online service, or mobile

app directed towards kids, you must pay attention to
COPPA
11
LLP

COPPA
 The problem: The FTC has stated that the operator’s

intent is not determinative of whether a site, service
or app is primarily or secondarily directed to kids.
Modified scope definition: sites “directed to children”
• Problematic, in that new definition looks not to

operator’s intent, but to “totality of the circumstances”
test.” The FTC intends to look at the “attributes, look
and feel” of a site. COPPA may apply even if children
are deemed to be a secondary audience.
 Moreover, if you have actual knowledge that your are

gathering kids’ PII, you must comply with COPPA
12
LLP

COPPA
 COPPA is a minefield of stringent rules, including

specific rules on methods of parental notification and
obtaining parental opt-in consent
• If you didn’t know COPPA applied to your

site/service/app, the chances of accidental compliance
are virtually zero
 The FTC takes COPPA violations very seriously. A

COPPA violation may be your surest ticket to an FTC
enforcement action
13
LLP

COPPA Enforcement

14

 U.S. v. Path, Inc.: filed 1/31/13
• Path: social networking site operating through an iOS app
• App collected and stored information from user’s mobile
address book, even if user did not elect this option
• FTC challenged the practice is a Deceptive Trade Practice
because the collection violated Path’s published privacy
policy
• FTC also alleged that violations of the Children’s Online
Privacy Protection Act because, among other things, the
App allowed for the knowing collection of personal data of
children under age 13, and allowed children to post text,
photos, and the child’s precise location
• Settlement with the FTC that included $800,000 payment,
as well as audited monitoring for next 20 years
LLP

COPPA
 I should be thinking about COPPA when:
• I operate a website/service/mobile app that would be

attractive to kids
 Big Picture:
• FTC’s “Look and Feel” test creates uncertainty
• High-value target for FTC enforcement combined with
very low probability of accidental compliance
 Keys to avoiding trouble:
• Take a hard look at your website/service/mobile app
offerings
• Don’t ignore evidence that you are acquiring kid’s data
15
LLP

COPPA Amendments
 Broadened categories of protected PII:
• Geolocation data
• Persistent identifiers
• Photos/videos
 Revised retention requirements
 Restrictions on use of data collection by third-parties

through plug-ins

16
LLP

COPPA Amendments (continued)
 Modified scope definition: sites “directed to children”
• Problematic, in that new definition looks not to

operator’s intent, but to “totality of the circumstances”
test.” The FTC intends to look at the “attributes, look
and feel” of a site. COPPA may apply even if children
are deemed to be a secondary audience.
 COPPA safe-harbor through age-screening

17
LLP

Stored Communications Act (“SCA”)
 Passed in 1986:

AOL was 1 year old

Microsoft Windows 1.0
(1985)
No Yahoo! (1994)
No Microsoft Outlook
(1997)
18
LLP

Stored Communication Act (“SCA”)
Basics
 Passed in 1986

 Generally prohibits unauthorized access to

electronically stored communications
 Differs from Federal Wiretap statute, which prohibits

interception of communications in transit

19
LLP

Recent Decisions
 Ehling v. Monmouth-Ocean Hosp. Serv. Corp., Civ.

No. 2:11-cv-03305 (U.S.D.C., D. NJ, Aug. 20, 2013):
• SCA applies to Non-Public Facebook Wall Posts
 Lazette v. Kulmatycki: 3:12CV2416 (U.S.D.C., N.D.

Ohio, June 5, 2013):
• SCA protected former employee’s personal emails on

Blackberry turned back in to employer

20
LLP

California Online Privacy Protection Act
(CalOPPA)
 Applies to website/online service/mobile app

providers who collect California resident’s PII
 Requires conspicuous privacy policy
 Policy must, at a minimum:
• Tell data subject categories of PII being collected
• Describe any available means by which data subject
can review or request changes to retained PII
• Identifies means by which policy changes will be
made known to users
• Specifies an effective date
21
LLP

California Online Privacy Protection
Act
 I should be thinking about CalOPPA when:
• I operate a website/online service/application that

collects or stores consumer’s PII.
 Big Picture:
• Must have a privacy policy
 Keys to avoiding trouble:
• Post a meaningful privacy policy that reflects the
organization’s actual practices

22
LLP

California v. Delta Air Lines, Inc.
 Filed 12/06/12
 Complaint alleges that Delta violated California’s Online Privacy

Protection Act (“CalOPPA”) and California’s Unfair Competition
Law:
 The “Fly Delta” mobile app collected user’s PII, including

name, contact information, passport information, photographs
and geo-location data.
 Delta did not conspicuously post a privacy policy, thus

depriving users of:
• Knowledge of what PII Delta collected
• What Delta did with the PII
• To whom Delta may have disclosed or sold the PII

 While Delta’s website does contain a posted privacy policy, that
23

policy did not mention the Fly Delta app, and the Fly Delta app
did not point users to this privacy policy. Moreover, the app
LLP
collected certain types of PII that the website did not.

Recent CalOPPA Amendments
 California SB 568
• Adds a new provision regarding Minors’ privacy rights

• prohibits online marketing or advertising certain

products to anyone under 18
• Site/App operators must allow minors to remove
content or information they posted, and requires that
the operator provide instructions on how to do so
 California AB 370
• Requires privacy policies to disclose how the website
operator responds to Do Not Track
24
LLP

European Data Protection Authorities
React to Snowden leaks
In Wake of PRISM, German DPAs Threaten To Halt Data
Transfers to Non-EU Countries
“In the wake of revelations about the U.S. National
Security Agency's PRISM internet surveillance
program, German data protection authorities July 24
announced a crackdown on privacy violations involving
countries outside the European Union and called for the
German government to suspend participation in the
U.S.-EU Safe Harbor Program.”
− Bloomberg BNA, 7.29.13
25
LLP

Proposed General Data Protection
Regulation (GDPR)
 Potentially broadens purported reach of EU data

protection law: Companies that “envisage” doing
business with EU residents
 Calls for stricter privacy regulation in the wake of

PRISM, et al. revelations
• Viviane Reding, V.P. of the European Commission and
Commissioner for Justice, Fundamental Rights and
Citizenship is leading the charge

26
LLP

Growing Digital Privacy Divide
 Possible ramifications:

• Nothing
• Modified (i.e. less user-friendly) data transfer

regulations
• Net loss of data processing & data storage business

to other countries

27
LLP

Encryption
 Growing body of regulations and enforcement

actions requiring some form of encryption
 Encryption may come in many forms:
• Encryption in transmission (e.g. PCI

Rules, TSL/SSL, PGP Email)
• File level Encryption
• Full disk Encryption

28
LLP

Recent FTC Enforcement Actions
 Cbr Systems, Inc.
• Cbr’s privacy policy promised to handle personal

information securely and in accordance with its
Privacy Policy and Terms of Service
• After unencrypted data contained on storage media
and a laptop were stolen from a Cbr employee’s car,
the FTC charged Cbr with deceptive trade practices
because Cbr failed to meet its promised security
promises. In particular, the FTC focused on Cbr’s
failure to employ secure data transport practices,
failure to encrypt data, and retention of data for
which Cbr no longer had a business need
29
LLP

Enforcement Actions
 TRENDnet

• SecurView cameras for home monitoring
• Software issue allowed anyone with camera's web

address to view the live feed
 FTC charged:
• Failure to utilize reasonable measures to test security;
• Unencrypted transmission of user credentials, and

unencrypted mobile storage of login information.
30
LLP

HIPAA
 Encryption is an “addressable” Implementation

Specification under both the Access Control and
Transmission Security Standards
 Encryption required where “reasonable and

appropriate”
 Decision not to encrypt must be documented in

writing for later Office of Civil Rights review

31
LLP

Massachusetts Data Security Laws
 Requires “Comprehensive” data security program

that includes:
• Designated responsible employee(s)
• Identification & assessment of risks
• Employee security policies
• Oversight of service providers (including requiring
such providers, by contract, to maintain appropriate
security measures)
• Encryption of data that will “travel across public
networks” or that will be “transmitted wirelessly”
32
LLP

We discovered something. Our one hope against
total domination. A hope that with courage,
insight and solidarity we could use to resist. A
strange property of the physical universe that we
live in.

The universe believes in encryption.
It is easier to encrypt information than it is to
decrypt it.

33

— Julian Assange, in the introduction of
Cypherpunks: Freedom and the Future of the
Internet
LLP

Why Encrypt?
 May be required by existing law
 Best protection against data breach notification

requirements
 Fast becoming a “reasonable” or “industry standard”

security measure
• Most privacy policies assure users that the company

employs “reasonable” security measures or the like
• Growing body of law and regulatory decisions

provides bases for plaintiff’s experts to claim
encryption is required
34
LLP

Questions?
Dan Nelson, CIPP/US, Partner Armstrong Teasdale LLP
314.552.6650 dnelson@armstrongteasdale.com
http://twitter.com/DanNelsonEsq
www.linkedin.com/in/danielcnelson
35
LLP

The Interactive Web and the
Law: Emerging Technologies’ Impact on
Your Practice
October 11, 2013
Jeff Schultz, Armstrong Teasdale
LLP

© 2013 Armstrong
LLP
LLP

The Challenge
“If I'm applying the First Amendment, I have to apply it to a
world where there's an Internet, and there's Facebook, and
there are movies like ... The Social Network, which I
couldn't even understand.”
— Justice Stephen Breyer

37

Justice Roberts: “I thought, you know, you push a button;
it goes right to the other thing.”
Justice Scalia: “You mean it doesn't go right to the other
thing?”
— Justice John Roberts to
Justice
Antonin Scalia
Regarding How a
TextMessaging Service Works
LLP

What is the Interactive Web
 Web 2.0

 Includes social media, blogs,

interactive websites, and more
 A tool for communicating
 Information is shared

globally
 Web 3.0?

38
LLP

It’s Unavoidable
 Pinterest overtook LinkedIn to become No. 3
 Almost 1 billion Facebook users
• 54% access via mobile
• 23% check Facebook 5 times or more daily
• 1 Million websites have integrated with Facebook
 Over 40 million photos are uploaded to Instagram every





day
More apps using location data to connect users
Fastest growing segment for use: 45-54 year olds
Political campaigns using social media
56% of customer tweets are being ignored

39
LLP

Zuckerberg’s Law of Information
Sharing
 “I would expect that next year, people will share twice

as much information as they share this year, and the
next year, they will be sharing twice as much as they
did the year before.”

40
LLP

Is the Interactive WebChanging Our
Definition of “Privacy”?
 Courts allowing access to user

accounts
 Questions arising about who owns
the data you share?
 Courts dealing with issues concerning
GPS tracking, phone location records,
and other location data collected by
social media applications
 Do privacy settings actually make
your data private?
41
LLP

What Data Does Facebook Really Collect
(and Keep)?
 The obvious: what you see on the screen
 “Europe v. Facebook” Group Information Request:
• All friend requests and your responses;
• All Event invitations and your responses;
• IP address used for each Facebook login;
• Camera metadata, even for photos where you untagged yourself;
• Credit card information;
• Geo-location information, including latitude, longitude, and

time/date.
- See europe-v-facebook.org/fb_cat1.pdf

42
LLP

Many areas of the law are impacted
• Corporate
• Securities
• Labor and
•

•
•
•

43
LLP

Employment
Litigation
Intellectual Property
Discovery
Ethics

Legislation Regarding Individuals’ Use of
the Interactive Web
 California: illegal to impersonate

others online
 Missouri: briefly made it illegal for teacher to

“friend” students

 Potential liability under state

computer tampering statutes
for accessing, using, disclosing,
receiving or retaining data
without authorization
44
LLP

Legislation (continued)
 California, Illinois, Maryland, and Michigan: illegal for

45

employers to ask job applicants or workers for social
media passwords
 California, Delaware, Michigan, and New Jersey:
illegal to ask students to disclose social media passwords
 At least 14 states (including
Missouri) introduced legislation in 2012 that would restrict
employers from requesting access to social networking
usernames and passwords of applicants, students or
employees
 SNOPA (Social Network Online Protection Act):
Congress wants to make it illegal for employers and
schools to ask for social media passwords of employees,
students, and applicants
LLP

Regulations Regarding Social Media
 FTC:
• Employees/contractors who endorse their employer’s

46

products must clearly and conspicuously disclose their
relationship
 SEC:
• Risk Alert issued January 4, 2012 by the Office of
Compliance Inspections and Examinations
(Investment Adviser Use of Social Media)
• Threatened action against Netflix CEO for alleged
violation of Reg FD (CEO congratulated Netflix team
on Facebook for surpassing 1 billion hours in monthly
viewing)
LLP

Regulation (continued)
 NLRB:
• Closely reviewing policies for compliance with section

47

7 rights
• Problems created by confidentiality provisions
 FDA (regulations not final; long delayed):
• Only addresses responses to requests re off label
uses. Does not address how to utilize space limited
sites like Twitter to convey risk and safety information
for a fair balance
• Does not provide clear guidance on the dos and
don’ts of social media marketing
LLP

Location Data
Patterns of Movement
Awareness of Location

48
LLP

Location Data

49
LLP

Social Media and Discovery:
Many Different Approaches
 Considered social media under Stored

Communications Act and denied production
 One side ordered to turn over its passwords

 Parties ordered to friend the judge for review of

photos and comments in camera
 Review of accounts in camera to identify potentially

relevant and discoverable information
50
LLP

Where Will the Balance be Found?
 Social Media is not “privileged” or

51

entitled to special protections
(i.e. no “expectation of privacy)
 But, not “open season” on everything
in one’s Social Media space
• No “generalized right to rummage” through private
posts
• Application of established rules regarding “Relevant or
reasonably calculated to lead to the discovery of
relevant information”
 Turnover of username/password: courts have not yet
addressed conflict this creates with site’s Terms of
Use
LLP

Authentication
 Rule 901: To satisfy the requirement of authenticating or

52

identifying an item of evidence, the proponent must produce
evidence sufficient to support a finding that item is what the
proponent claims.
 Consensus among many courts and legal commentators that
the rules of evidence already in place for determining
authenticity are at least generally “adequate to the task” with
respect to electronically generated, transmitted and/or stored
information (including social networking sites). See Tienda v.
State, 358 S.W.3d 633 (Tx. Ct. App. 2012).
 There is no single approach to authentication that will work
in all instances. The best approach will depend upon the
nature of the evidence and the circumstances of the
particular case.
LLP

The Aspiring Firefighter
 Employee had back surgery in

October
• Employee claimed leave ran
until December 30, 2009
• Employer claimed leave ran
until December 2, 2009.
 Employee terminated when he
didn’t return to work
 Claim: disability discrimination
and violation of FMLA rights
53
LLP

54
LLP

The Double-Sting
 The Sting:
• Ex-Wife sets up a fake Facebook account for

“Jessica” (a 17 year old girl) to get info for
child custody battle
• Ex-Husband asks “Jessica” to find a hit man
to kill Ex-Wife: “you should find someone at
your school…that would put a cap in her ass
for $10,000.”
• Ex-Husband is arrested
 The Double-Sting:
•
•

55

Ex-Husband freed after proving he knew all
along that Ex-Wife was “Jessica”
Ex-Husband played along with Ex-Wife’s
ruse to use itagainst her in their custody
case.

LLP

Contact Information
Jeff Schultz
Partner, Armstrong Teasdale LLP
314.259.4732
jschultz@armstrongteasdale.com
www.armstrongteasdale.com

http://twitter.com/JeffSchultzEsq
http://twitter.com/AT_Law
http://twitter.com/AT_Live
http://twitter.com/AT_Innovate

56
LLP

Recent Delaware
Corporate
Law Developments
October 11, 2013
Greg Williams, Richards, Layton & Finger

© 2013 Armstrong
LLP
LLP

USLFG Corporate & Securities Presentation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to USLFG Corporate & Securities Presentation

Similar to USLFG Corporate & Securities Presentation (20)

More from Armstrong Teasdale

More from Armstrong Teasdale (20)

Recently uploaded

Recently uploaded (20)

USLFG Corporate & Securities Presentation

Editor's Notes