On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.

Since the government’s respective plans became public, the new bill has drawn widespread criticism in Germany. First, the content of the new provisions is highly controversial:

  • Compared to most other countries (including the U.S.), where such measures are not permitted, the measures to be introduced by the new law would significantly lower the German standard of protection of individuals’ privacy against governmental access.
  • In 2008, the German Federal Constitutional Court introduced a new fundamental right aimed at protecting end user devices against access and tampering by the authorities. In its decision, the court also set a high level of safeguards that were meant to prevent intrusion into an individual’s private life. Even though the new law also generally contains such safeguards, it is likely that it will be found to violate privacy rights and thus be declared void if brought before the Court.
  • To covertly install the interception software, authorities have to rely on unpatched security vulnerabilities or deliberately built-in backdoors in end user devices – which is diametrically opposed to tech companies’ aim of making their products as secure as possible.

Second, the way the bill was rushed through Parliament was subject to heavy criticism. Ultimately, the governing parties managed to push wide-ranging surveillance powers through Parliament in just a few days by burying these new provisions under seemingly insignificant procedural amendments on short notice. Former Federal Data Protection Commissioner Peter Schaar issued a statement labeling this procedure “reckless” given the grave implications the new law would have for the individual freedoms of the people.

The issue of governmental access to end user devices remains a very hot topic globally, creating complicated (legal) issues between technology companies and law enforcement.

The new law will come into force immediately once it passes the Federal Council (Bundesrat) and after its publication in the Federal Gazette.

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially Aware contributors and Morrison Foerster privacy & data security attorneys Lokke Moerel and Marian A. Waldmann Agarwal for a complimentary, practical webinar explaining where you should be in your efforts to meet the May 2018 compliance deadline, where you need to be in a year, and how to get there.

Lokke and Marian will pay particularly close attention to the aspects of the GDPR that will have the greatest impact on your company’s operations:

  • How to best implement the GDPR’s extensive documentation requirements;
  • How the right to data portability and the individual’s right to be forgotten (RTBF) will impact your business; and
  • How vendors are implementing their new obligations under the GDPR and how vendor contracts will need to evolve to comply with GDPR requirements.

Register for the Data Protection Masterclass here.

In the most recent edition of his CyberSide Chat series, Socially Aware contributor Andy Serwin discusses ransomware attacks, including:

  • the reasons why ransomware attacks are becoming more common;
  • the types of ransomware attacks companies should prepare to address; and
  • the strategies that companies can employ to help guard against, and to help mitigate the damage arising from, these types of cybersecurity breaches.

Andy explains not only the defenses that companies can implement to protect themselves against a ransomware attack, but also the issues a ransomware-attack-response plan must address—a topic that another Socially Aware contributor, Nate Taylor, tackled in his Sept. 26, 2016 blog post 5 Questions to Help Prepare For a Ransomware Attack.

Check out Andy’s insightful presentation:

With corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those “Cybersecurity Requirements for Financial Services Companies” (the “Cybersecurity Rule” or “Rule”) finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks toward the first of the Rule’s phased compliance deadlines, less than six months away, it is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information (“Nonpublic Information”) from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule’s requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule’s reporting, recordkeeping and certification requirements. Continue Reading N.Y.’s New Cybersecurity Regulations: What Financial Services Companies Need to Know

In the most recent edition of his CyberSide Chat series, Socially Aware contributor Andy Serwin discusses emerging cybersecurity issues including:

  • The need to strike a balance between the efficiencies of the Internet of Things and the increased cyberattack vulnerability that usually goes along with using extra devices;
  • The pre- and post-cyber-breach steps a company can take to mitigate the damage that could be caused by a theft of the company’s data or an attempt to shut down its systems;
  • The factors companies should consider when determining how much of their resources to dedicate to preventing a cyberattack.

Check out Andy’s insightful presentation:

If your company collects information regarding consumers through Internet-connected devices, you will want to take note of the Federal Trade Commission’s (FTC) recent privacy-related settlement (brought in conjunction with the New Jersey Attorney General) with smart TV manufacturer Vizio, Inc. The settlement is significant for four reasons:

  • The FTC reinforces the position it has taken in other actions that the collection and use of information in a way that would surprise the consumer requires just-in-time notice and choice in order to avoid a charge of deception and/or unfairness under Section 5 of the FTC Act.
  • The FTC takes the position that television viewing activity constitutes sensitive data. This marks a departure from its approach of limiting sensitive data to information that, for example, can facilitate identity theft, precisely locate an individual, is collected online from young children or relates to matters generally considered delicate (such as health information).
  • The settlement includes a payment of $1.5 million to the FTC (as well as payment of civil penalties to New Jersey), but the legal basis for the FTC payment is not stated. This could suggest that the FTC will more aggressively seek to obtain injunctive monetary relief in Section 5 cases.
  • Acting Chairwoman Maureen Ohlhausen explicitly noted in a concurring statement her skepticism regarding both the allegation that TV viewing data is “sensitive” and that the FTC’s complaint adequately established that the practices at issue constitute “substantial injury” under the unfairness prong of Section 5.

Leaving aside what the chairwoman’s concurrence may portend for future enforcement efforts, the FTC again seems to be using allegedly bad facts about privacy practices to push the envelope of its authority. Accordingly, with the Internet of Things boom fueling a dramatic increase in the number of Internet-connected devices, companies that either collect information via such devices or make use of such collected information should consider the implications of this enforcement action.

Continue Reading Watch Out: The Federal Trade Commission Continues to Watch the (Alleged) Watchers


In a major development for cloud and other data storage providers, and further complicating the legal landscape for the cross-border handling of data, a Federal Magistrate Judge in the Eastern District of Pennsylvania ruled for the Department of Justice and ordered Google, Inc., to comply with two search warrants for foreign-stored user data. The order was issued on February 3, 2017 pursuant to the Stored Communications Act, (SCA), and the reasoning of the Court rested heavily on the court’s statutory analysis of the SCA. The ruling is a marked departure from a recent, high-profile Second Circuit decision holding that Microsoft could refuse to comply with a similar court order for user data stored overseas.

The SCA regulates how service providers like Google and Microsoft who store user data can disclose user information. The Magistrate Judge issued two warrants under the SCA for emails sent from Google users in the United States to recipients in the United States. Google refused to fully comply, invoking Microsoft, and the Government moved to compel. In its briefing, Google argued that the SCA can only reach data stored in the United States and that, because Google constantly shuffles “shards” of incomplete user data between its servers across the world, Google could never know for certain what information is stored domestically and what is stored overseas. Therefore, Google argued, the data sought under the warrants was beyond the reach of the SCA. Continue Reading Google Ordered to Comply with Warrant for Foreign-Stored User Data


Is your company prepared to respond to a data security breach? For many companies, even reading this question causes some anxiety. However, being prepared for what seems like the inevitable—a security breach—can be the difference between successfully navigating the event or not. While we still hear some companies say, “That would never happen to our company!” a significant breach can happen to any company.

In light of this and the close scrutiny that the high-profile breaches reported over the past year have received, many companies have taken the opportunity to consider their preparedness and ability to respond quickly and decisively to such an incident. We have prepared for our readers who are in-house attorneys or privacy officers the following checklist highlighting some steps that companies may consider taking so that they can be better prepared in the event that a significant breach incident occurs.

  1. Make Friends With Your IT/IS Department.

It is important to be familiar with your company’s risk tolerance and approach to information security in order to develop an understanding of your company’s security posture. The time to explore these issues isn’t after a breach has happened, so ask your colleagues in your company’s information technology or information security departments the basic questions (e.g., What’s DLP?) and the tough questions (e.g., Why haven’t we addressed the data security concerns raised in last year’s audit?). You would rather learn, for example, that your company does not encrypt its laptops before one is stolen. Continue Reading Preparing for a Data Security Breach: Ten Important Steps to Take

The latest issue of our Socially Aware newsletter is now available here.

In this edition, we provide five tips for reducing potential liability exposure in seeking to exploit user-generated content; we examine a Ninth Circuit decision highlighting the control that social media platform operators have over the content and data that users post to those platforms; we discuss five questions that companies should ask themselves to help prepare for a ransomware attack; we explore a controversial California court decision that narrows an important liability safe harbor for website operators; we review a federal court decision that illustrates the importance of securing clear and affirmative assent to electronic contracts; we take a look at some recent enforcement actions that indicate a shift toward requiring clearer and potentially more burdensome disclosures from companies engaged in interest-based advertising; and we examine a recent Northern District of California decision holding that a mobile app developer was not liable under the Telephone Consumer Protection Act for a text initiated by one of the app’s users.

All this—plus an infographic illustrating the impact of incorporating user-generated content in marketing campaigns.

Read our newsletter.

The Internet of Things is apparently to blame for the Web outage that paralyzed the online world earlier this month.

Justin Timberlake took down his “ballot selfie” from Instagram after Tennessee authorities made clear that it was illegal.

Presumably in order to help facilitate compliance with guidance from regulators in the United States, United Kingdom and elsewhere, YouTube is making available to video creators an easy-to-use “sponsored content” notification that they can opt to have appear during the first few seconds of their videos.

Will blockchain technology be the next big wave of disruption for the music industry?

With Tinder’s new feature, online daters can be sure their profiles feature the photos most likely to get right-swipes.

When the chief digital officer at New York’s Metropolitan Museum of Art lost his job, he turned to social media for advice.

The NFL’s new social media policy promises to impose hefty fines on member teams that post videos or animated GIFs of games, or use Facebook Live or Periscope to stream anything in the stadium.

When a Russian tech entrepreneur’s friend died, she used artificial intelligence and his old text messages to create a futuristic memorial.

Employed but curious about new job opportunities? Now you can change your LinkedIn profile to secretly signal to recruiters that you’re in the market for a new gig.

Guess what percentage of Americans one researcher predicts will own a virtual reality headset in 2016?

Could Google Flights be the ticket to finding the best possible fare to your 2016 winter holiday destination?