As close observers of the implications of privacy law on companies’ data collection, usage and disclosure practices, we at Socially Aware were among the many tech-law enthusiasts anticipating the U.S. Supreme Court’s recent decision in Carpenter v. United States, in which the Court held that the government must obtain a warrant to acquire customer location information maintained by cellular service providers, at least where that information covers a period of a week or more.

Authored by Chief Justice John Roberts, the 5-4 opinion immediately enshrines greater protections for certain forms of location data assembled by third parties. It also represents the Court’s growing discomfort with the so-called “third-party doctrine”—a line of cases holding that a person does not have a reasonable expectation of privacy in records that he or she voluntarily discloses to a third party. In the longer run, there will likely be further litigation over whether the same logic should extend Fourth Amendment protections to other types of sensitive information in the hands of third parties as courts grapple with applying these principles in the digital age.

Background

Anytime a cell phone uses its network, it must connect to the network through a “cell site.” Whenever cell sites make a connection, they create and record Cell Site Location Information (CSLI). Cell phones may create hundreds of data points in a normal day, and providers collect and store CSLI to spot weak coverage areas and perform other business functions.

Companies that offer services, whether online or offline, to consumers on a subscription or other automatic renewal basis should be aware that such offers are heavily regulated at both the federal and state levels. A recent amendment to Section 17602 of California’s Business and Professions Code provides a good opportunity for businesses that make subscription offers to review their practices. As of July 1, 2018, the obligations under California law will expand in two ways that may require businesses to update those practices.

The first change relates to the information that businesses must provide to consumers regarding the terms of a subscription offer. The current law already requires a business to provide certain information about the renewal process—such as the amount of the recurring charges, the length of the renewal period, and the cancellation policy—both before the consumer accepts the agreement, and afterwards in an acknowledgement. The amendment provides that, as of July 1, 2018, if the offer includes any free trial or gift component, the information provided to consumers must also include a “clear and conspicuous explanation of the price that will be charged after the trial ends or the manner in which the subscription or purchasing agreement pricing will change upon conclusion of the trial.”

After British police unsuccessfully tried to get the blogging platform WordPress.com to remove offensive and threatening posts, the deputy leader of the UK’s Labour Party vowed to urge changes that would make the country’s laws less tolerant of online abuse.

As bipartisan U.S. legislation to prevent the appearance of foreign-entity-funded political ads on social media gains traction, Twitter announced that it will impose a “promoted by political account” label on election ads and allow everyone to see all ads currently running on the platform regardless of whom those ads target. These efforts will not prevent automated accounts known as “bots” from influencing voters or spreading fake news on Twitter, but an op-ed in The Guardian suggests the technology to overcome the bots problem exists.

While we’re on the subject of potential solutions for the problems that plague social media, one industry observer suggests that blockchain technology, which records digital events on a public ledger and requires consensus among users, could cure social networks’ fake-news and trolling problems, and prevent brands from purchasing fake followers.

Legislation is another way of discouraging undesirable online behavior. In Texas, “David’s Law” now requires school districts to create cyberbullying policies and to investigate bullying reports that involve students but take place off-campus or after school hours. And legislation that cleared a committee in Tallahassee would make threatening someone on social media in Florida a felony punishable by up to 15 years in prison.

Should artificial intelligence be regulated? Some experts believe that the time is now, on the cusp of the AI revolution.

Facebook acquired a nine-week-old startup whose app encourages teens to anonymously exchange positive feedback.

This piece quoting Socially Aware contributor Julie O’Neill explains how cross-device tracking can cause employees to expose their organizations to significant data security risks—especially if the employees use their personal devices to perform work-related tasks.

The online marketplace eBay launched a service for sellers of certain luxury wallets and handbags that relies on experts to verify the authenticity of the goods being sold, backed by a 200% money-back guarantee.

Instagram has become such an integral part of promoting restaurants that the Culinary Institute of America will begin offering electives in food photography and food styling.

Tips for becoming a social media influencer from a pair of fashion bloggers who made it big.

With much fanfare, the Federal Trade Commission (FTC) continues to take actions relating to so-called “social media influencers” who allegedly fail to disclose material connections to the products or brands they endorse. Recurring enforcement actions and guidance—and the FTC’s ongoing promotion of its own efforts, such as through Twitter chats—make it clear that the FTC believes that its message has still not been heard by all of the players in this advertising ecosystem, including influencers themselves.

In short, any endorsements in any medium where the endorser has a material connection of any kind to the endorsed advertiser must be disclosed.

The most recent developments include an enforcement action against a company—and two of its officers—in connection with endorsements of the company made by the officers in YouTube videos and in social media. Before turning to this case, however, we provide a brief overview of how the FTC has gotten here.

Recent challenges to the Federal Trade Commission’s (FTC) authority to police data security practices have criticized the agency’s failure to provide adequate guidance to companies.

In other words, the criticism goes, businesses do not know what they need to do to avoid a charge that their data security programs fall short of the law’s requirements.

A series of blog posts that the FTC began on July 21, 2017, titled “Stick with Security,” follows promises from acting Chair Maureen Ohlhausen to provide more transparency about practices that contribute to reasonable data security. Some of the posts provide insight into specific data security practices that businesses should take, while others merely suggest what, in general, the FTC sees as essential to a comprehensive data security program.

As Socially Aware readers know, privacy and data security issues are among the most critical legal issues confronting companies that do business online. With ransomware attacks and hacking incidents on the rise, and with privacy and data security laws becoming increasingly burdensome, companies are spending more time and resources than ever before addressing privacy and data security issues. Indeed, Morrison & Foerster recently collaborated with ALM Intelligence to take an in-depth look at the types of privacy and data security issues with which in-house legal departments are wrestling, and how such departments are dealing with these issues. The resulting report is interesting and informative, and can be found here.

On June 22, 2017, the German Parliament passed a bill that, among other things, awards extensive surveillance powers to law enforcement authorities. The new law, once in force, will allow law enforcement to covertly install software on end user devices allowing the interception of ongoing communications via Internet services such as WhatsApp or Skype. These new measures may be used for investigating a wide array of crimes (the “Catalog Crimes”), which are classified as “severe” but range from murder to sports betting fraud to everything in between.

Today, the German Federal Criminal Police Office (BKA) is only allowed to engage in similar activities to prevent international terrorism. All other law enforcement authorities are only allowed to intercept regular text messages and listen to phone conversations in cases of Catalog Crimes. However, these investigators are currently fighting a losing battle against end-to-end encrypted Internet services. With respect to such services, the current legal framework only allows for access via the respective telecom operators. These operators, however, can only provide law enforcement with the encrypted communications streams. By introducing the new law, the German government now aims to prevent “legal vacuums” allegedly resulting from this surveillance gap.

Live Webinar: June 6, 2017 at 12:00 PM (ET) / 9:00 AM (PT)

The May 2018 compliance deadline for the EU’s new General Data Protection Regulation (GDPR) is fast approaching and—with non-compliance penalties of up to €20 million or 4% of annual global turnover at stake—you cannot afford to miss the deadline.

Please join Socially Aware contributors and Morrison Foerster privacy & data security attorneys Lokke Moerel and Marian A. Waldmann Agarwal for a complimentary, practical webinar explaining where you should be in your efforts to meet the May 2018 compliance deadline, where you need to be in a year, and how to get there.

Lokke and Marian will pay particularly close attention to the aspects of the GDPR that will have the greatest impact on your company’s operations:

  • How to best implement the GDPR’s extensive documentation requirements;
  • How the right to data portability and the individual’s right to be forgotten (RTBF) will impact your business; and
  • How vendors are implementing their new obligations under the GDPR and how vendor contracts will need to evolve to comply with GDPR requirements.

Register for the Data Protection Masterclass here.

In the most recent edition of his CyberSide Chat series, Socially Aware contributor Andy Serwin discusses ransomware attacks, including:

  • the reasons why ransomware attacks are becoming more common;
  • the types of ransomware attacks companies should prepare to address; and
  • the strategies that companies can employ to help guard against, and to help mitigate the damage arising from, these types of cybersecurity breaches.

Andy explains not only the defenses that companies can implement to protect themselves against a ransomware attack, but also the issues a ransomware-attack-response plan must address—a topic that another Socially Aware contributor, Nate Taylor, tackled in his Sept. 26, 2016 blog post 5 Questions to Help Prepare For a Ransomware Attack.

Check out Andy’s insightful presentation:

With corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those “Cybersecurity Requirements for Financial Services Companies” (the “Cybersecurity Rule” or “Rule”) finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule, in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks towards the first of the Rule’s phased compliance deadlines less than six months away, the guidance is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information (“Nonpublic Information”) from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule’s requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule’s reporting, recordkeeping and certification requirements.