Tag: privacy

Nothing to See in This Story about the Electronic Communications Privacy Act

Check out this story.  In it, we learn this:electronic privacy act

Andrew Ceresney, director of the Division of Enforcement at the Securities and Exchange Commission, [told] the Senate’s Committee on the Judiciary at a hearing on Wednesday morning that the pending Electronic Communications Privacy Act Amendments Act would impede the ability of the SEC and other civil law enforcement agencies to investigate and uncover financial fraud and other unlawful conduct. Ceresney testified that the bill, intended to modernize portions of the Electronic Communications Privacy Act which became law in 1986, would frustrate the SEC’s efforts to gather evidence, including communications such as emails, directly from an Internet services provider.

So.  Let’s talk about what’s really at issue here.  We’re not talking about emails collected from companies with their own domain names and servers.  If a company maintains its own emails for its own purposes, the company is not a “provider of electronic communication service” under the ECPA and those emails are subject to SEC subpoenas just like its other documents.

But take, say, Google and Yahoo, among many others.  They are providers of electronic communication services.  Here’s what 18 U.S.C. § 2703(a) says about them:

A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in electronic storage in an electronic communications system for more than one hundred and eighty days by the means available under subsection (b) of this section.

In plainer English, the SEC may require Google to disclose the contents of its customer’s emails if the emails have been in storage for 181 days.  For newer emails, the government must have a search warrant, which the SEC can’t get as a civil enforcement authority.

For the SEC, the ECPA typically comes up when it is investigating people who are not using corporate email addresses.  For example, Ponzi schemes and prime bank frauds are often going to be run on hotmail.com, not citigroup.com.  The problem for the SEC is, people running Ponzi schemes tend to have few issues with deleting incriminating emails.  And Google isn’t obligated to keep those deleted emails for any particular time period.  So if some guy defrauds a bunch of people and then quickly deletes the emails explaining how the fraud happened, there’s not a lot the SEC can do about it.  So it is very, very rare when the SEC is successful in using the ECPA to get emails from “providers of electronic communication service.”  And so . . . when Andrew Ceresney tells the Senate Judiciary Committee that amendments to the ECPA could impede civil law enforcement’s ability to uncover financial fraud and other unlawful conduct, he’s sort of right.  I might make the same argument if I were in his shoes.  But he’s also saying something that is almost inconsequential.  If the ECPA is not amended, the SEC will have a very hard time getting a hold of useful gmails.  If the ECPA is amended, it will have a very hard time getting a hold of useful gmails.  Just about every other issue in data privacy and securities enforcement is more significant than this one.

Article By David Smyth of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP

Copyright © 2015, Brooks, Pierce, McLendon, Humphrey & Leonard LLP

Part II: Legal Insights on Ashley Madison Hack

As more names emerge from the dark web data dump of Ashley Madison customers, lawyers around the globe have found a very willing group of would-be plaintiffs. Interestingly, all of these plaintiffs are named “Doe,” which must only be a coincidence, and certainly has nothing to do with the backlash that certain well-known ALM clients have experienced. All kidding aside, the size of the claims against ALM is staggering with one suit alleging more than $500 million in damages. How these plaintiffs will prove their damages is a question for another day, but the fact that ALM — which reported earnings of $115 million in 2014 — may soon face financial ruin must give any spectator pause.

The plaintiffs’ bar is certainly not the lone specter haunting ALM’s corridors these days. Although the company touts its cooperation with government officials in attempting to bring criminal charges against the Impact Team, that cooperation will be punctuated by the all-but-certain FTC enforcement action to come — assuming that the FTC’s data breach enforcement team were not among the 15,000 email addresses registered to a .mil or .gov account.

How will that enforcement action proceed? In many cases, the FTC initiates its investigation with a letter, sometimes called an “Access Letter” or an “Informal Inquiry Letter.” Although there is no enforceable authority behind such a letter, companies typically conclude that cooperation is the best course. For more formal investigations (or when the access letter is ignored), the FTC will issue “Civil Investigative Demands,” which are virtually the same as a subpoena, and are enforceable by court order. After collecting materials, the investigators will – in order from best case scenario to worst – drop the matter altogether, negotiate a consent decree, or begin a formal enforcement action via a complaint.

There is, of course, a lot more to an action than what I’ve listed above, which deserves a series of posts of their own. For today, the pressing question is – what’s going to happen to ALM when the FTC calls? Under the circumstances, it would make sense for ALM to push as hard as it can for a consent order, given that the likelihood of succeeding in litigation against the Commission is vanishingly low – there is little doubt that ALM failed to comply with its own promised standards for protecting customer data. And, in light of recent revelations about what really happened when customers paid to “delete” their Ashley Madison accounts, ALM will want to forestall the threat of a separate, non-data breach related unfair business practices suit any way it can.

Every consent order looks different, but the FTC has made a few requirements staples of its agreements with offending businesses over the last two decades. These include:

  • Establishing and maintaining a comprehensive information security program to protect consumers’ sensitive personal data, including credit card, social security, and bank account numbers.

  • Establishing and reporting on yearly data security protocol updates and continuing education for decision makers and data security personnel.

  • Working to improve the transparency of data, so that consumers can access their PII without excessive burdens.

  • Guaranteeing that all public statements and advertisements about the nature and extent of a company’s privacy and data security protocols are accurate.

 ALM will undoubtedly offer to take all of these steps, and more, in negotiations with the Commission. But as I mentioned above, the torrent of lawsuits ALM faces in the next year or so may moot any consent decree with the FTC. If ALM liquidates in the face of ruinous lawsuits and legal bills, the FTC’s demands will be meaningless. ALM, then, is likely an example of a company that would have benefited from a more minor security breach and subsequent FTC imposition of the kind of remedial measures that may have stopped this summer’s catastrophic data breach. An ounce of prevention is worth a pound of cure, they say, and ALM may learn that lesson at the cost of its business.

Article By James J. Ward of Bilzin Sumberg Baena Price & Axelrod LLP

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Legal Insights on the Ashley Madison Hack: Part I

Internet commenters and legal analysts alike are buzzing about the Ashley Madison hack. The website — which billed itself as a networking site for anyone who wanted to discretely arrange an extramarital affair — has already been named in several class action lawsuits, with claims ranging from breach of contract to negligence. As more names are unearthed (and more personal data divulged), additional lawsuits are sure to follow. For those lucky enough to be watching this spectacle from the sidelines, there are some important questions to ask. In the next few posts, I’ll consider some of these issues.

It seems clear that the Impact Team (the group responsible for breaking into Ashley Madison’s servers) were singularly focused on exposing embarrassing personal information as well as sensitive financial data. What is less clear is why they chose Ashley Madison’s parent company Avid Life Media (“ALM”) as the target. Certainly, the general public’s reaction to the data breach was muted if not downright amused, likely because the “victims” here were about as unsympathetic as they come. Still, the choice of Ashley Madison, and the way the hack was announced, demonstrates an important point about data security: self-described “hacktivists” may target secure information for reasons other than financial gain.

The Impact Team appears to be more motivated by shaming than any identifiable monetary benefit, although it is entirely possible that money was a factor. Interestingly, the intended damage from the leak was designed to flow in two directions. The first, and most obvious, was to Ashley Madison users, who clearly faced embarrassment and worse if their behavior were made public. The second direction was to ALM itself, for “fraud, deceit, and stupidity.” In particular, the Impact Team referred to ALM’s promises to customers that it would delete their data permanently, and keep their private information safe. Obviously, that didn’t happen. ALM made matters far worse for itself when it scrambled to provide a response to Impact Team’s threat, and made promises of security it could not keep. Now, in addition to a class action lawsuit alleging half a billion dollars in damages, ALM faces the wrath of a recently emboldened FTC.

One takeaway from this situation from a legal perspective is how ALM was targeted. Black hat groups often solicit suggestions for whom to attack, but typically in a secure fashion that would prevent early warning. LulzSec, responsible for the data breach at Sony Pictures in 2011, made a habit of seeking input as to what government entity or business to target, but kept those suggestions, and the contributors, secret. The Impact Team broke from that pattern, and announced before the breach, that they would release private information unless ALM shut down Ashley Madison and sister site “Established Men.” Other than a similar demand made to Sony Pictures Studios regarding the film The Interview, I can think of no other instances where hackers/hacktivists telegraphed that a cyber attack was coming.

Realizing this, a few questions immediately sprang to mind:

  • What do you do if your company gets a warning from a web group?
  • How many businesses have received such warnings and silently complied, just to avoid loss of sensitive information or damage to their reputation?
  • What happens to officers and directors who receive these warnings and do nothing? Is that a breach of fiduciary duties? Negligence? A civil conspiracy?

Ultimately, all of these questions merge into the two ongoing themes of data security: How do you protect critical information, and what do you do if you can’t?

In my upcoming articles I will get into the particulars of how some companies respond to cyberattacks, but for now, it makes sense to highlight the importance of planning ahead for your business. Even a basic cyber security protocol is better than a haphazard, post hoc response, and there are many resources that provide guidance about best practices. Longer-term planning requires expertise and commitment, but education can begin any time.

I’ll paraphrase Ashley Madison — Life is short: make a plan.

Article By James J. Ward of Bilzin Sumberg Baena Price & Axelrod LLP

© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Reasonable Expectation of Privacy: Are You Free To Eavesdrop on Pocket Dials?

Most people have experienced a “pocket dial” – be it as the sender or receiver – and some have found themselves in embarrassing situations as a consequence.  But should people reasonably expect that conversations overhead during a “pocket dial” call are private and protected? Should the recipient feel obligated to end the call?  The Sixth Circuit says no.

Yesterday, the Sixth Circuit decided whether a reasonable expectation of privacy exists with respect to “pocket dialed” communications.  Carol Spaw, assistant to the CEO of Cincinnati/Northern Kentucky International Airport, received a call from James Huff, chairman of the airport board.  It didn’t take long for Spaw to figure out that she had received a pocket dial, and that the conversation in the background was not intended for her ears.  Spaw stayed on the line for an hour and a half – taking notes and recording the audio as Huff discussed private business matters with another board member, and later with his wife. Spaw sent the recording to a third party company to enhance the quality, and shared the recording with other board members. Huff and his wife sued Spaw for intentionally intercepting their private conversation in violation of Title III of the Omnibus Crime Control and Safe Street Act of 1968. The district court granted summary judgement in favor of Spaw, finding no “reasonable expectation” that the conversation would not be heard.  On appeal, the Sixth Circuit affirmed in part, reversed in part, and remanded.

Title III only protects communication when the expectation of privacy is subjectively and objectively reasonable.  The Sixth Circuit agreed with the district court that James Huff did not have a reasonable expectation that his conversation was private. Although Mr. Huff did not deliberatelydial the call, he knew that “pocket dials” were possible, and did not take any precautions to prevent them.  The court analogized Huff’s situation to a homeowner who neglects to cover his windows with drapes; under the plain view doctrine, the homeowner has no expectation of privacy in his home when the windows are uncovered. Huff could have easily utilized protective settings on his phone to prevent pocket dials.

The Sixth Circuit reversed with respect to Bertha Huff’s claim.  Bertha Huff was communicating with her husband in the privacy of a hotel room. She had a reasonable expectation of privacy in that context, and she was not responsible for her husband’s pocket dial. The Sixth Circuit feared that affirming the district court’s decision with respect to Bertha’s claim would undermine what we currently consider a reasonable expectation of privacy in face-to-face conversations. The court remanded the case back to the district court to decide whether Spaw’s actions made her liable for “intentionally” intercepting oral communications.

The Sixth Circuit’s decision leaves us with this: if you receive a pocket-dialed call, feel free to listen, record, and share (but be wary of the privacy interest of the other participants in the conversation); if you are a pocket dialer, lock your phone.

ARTICLE BY Pierre H. Bergeron of Squire Patton Boggs (US) LLP
Lauren Maynard contributed to this article.

© Copyright 2015 Squire Patton Boggs (US) LLP

U.S., U.K. Governments Seek Cyber Innovations from Private Sector

The private sector is likely to produce critical cyber innovations—at least, that is what the U.S. Defense Advanced Research Projects Agency (“DARPA”) and the U.K. Centre for Defence Enterprise (“CDE”) would like to see.

In the United States, although the internet may have been invented at DARPA, DARPA is turning to a private sector competition to protect it.  In March 2014, DARPA solicited a “Cyber Security Grand Challenge”: an open competition to devise automated security systems that can defend against cyberattacks as fast as they are launched.  DARPA pitched the Grand Challenge as a “first of its kind,” “capture the flag”-style competition for computer security experts in academia, industry, and the broader security community.  Over 100 teams registered to compete.  Some likely saw the cash prizes—$2 million for first place, $1 million for second, and $750,000 for third—as nominal incentives compared to the value of shaping future cybersecurity efforts.  On July 8, 2015, DARPA announced its selection of seven finalists for the final round of the competition.  The finalists include computer security experts from industry, start-up incubators, and academia.

Not one of DARPA’s Grand Challenge finalists?  Take heart: DARPA is said to be developing technology that would allow spectators to watch the final contest in real time.  Or better yet, look to the United Kingdom, where the CDE has an open competition seeking “novel approaches to human interaction with cyberspace to increase military situational awareness.”  CDE is asking for “revolutionary approaches” to “rapidly convey” cyberspace information, events, and courses of action to military commanders, analysts, and decision-makers.  Just as DARPA officials acknowledged the limitations of existing cybersecurity strategy and technology, CDE officials have recognized that “the traditional human-computer interface” is inadequate for “current military information processing and sense-making in the cyber domain.”  Up to £500,000 in research funding will be awarded.  A July 9, 2015 presentation given by CDE is available online; slides from a July 16, 2015 webinar soon could be available, as well.  The competition closes on September 3, 2015.  Proposals must be submitted through CDE’s online portal.

ARTICLE BY Jade C. Totman & Alan A. Pemberton of Covington & Burling LLP

© 2015 Covington & Burling LLP

Federal Trade Commission: Start with Security

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses”(the Guide).

The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons:

FTC_FederalTradeCommission-Seal

  1. Start with security;

  2. Control access to data sensibly;

  3. Require secure passwords and authentication;

  4. Store sensitive personal information securely and protect it during transmission;

  5. Segment networks and monitor anyone trying to get in and out of them;

  6. Secure remote network access;

  7. Apply sound security practices when developing new products that collect personal information;

  8. Ensure that service providers implement reasonable security measures;

  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and

  10. Secure paper, physical media and devices that contain personal information.

The FTC also offers an online tutorial titled “Protecting Personal Information.”

We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.

ARTICLE BY Julia Jacobson & Jennifer S. Geetter of McDermott Will & Emery
© 2015 McDermott Will & Emery

June 24th – Healthcare Quarterly Update: Cybersecurity and Health Data Privacy by Bloomberg BNA

Washington, DC

Join Bloomberg BNA for this essential event that explores concerns relating to cyber-security and health data privacy. Healthcare industry experts Kirk Nahra and David Holtzman will join HHS’s Iliana Peters for a comprehensive examination of:
• Big data in the healthcare sector and how to protect information
• Protecting patient and organization information
• Federal enforcement of HIPAA Privacy, Security, Data Breach rules
• Practical up to date information on current issues
• And so much more.

Click here to register today!

Identify actionable issues, secure your organization, and earn CLE credits.

A breakfast panel with accomplished scholars and an HHS representative. This conversation will address practical considerations for ensuring that patient’s data is being properly handled in full compliance with all regulations and ethical responsibilities. Healthcare practitioners are increasingly required to address concerns of Data privacy and Cyber-security; attending this panel will assist you in identifying actionable points in the law common to many legal practices.

Home Depot Moves to Dismiss Consumer Data Breach Claims for Lack of Standing

Home Depot has staked its defense of consumer claims arising from the 2014 theft of payment card data from the home improvement retailer on the asserted absence of injuries sufficient to confer standing to sue.  Because consumers rarely sustain out-of-pocket losses when their payment card numbers are stolen, lack of standing is typically the primary ground for seeking dismissal of consumer data breach claims. While many courts have been receptive to arguments seeking dismissal of consumer data breach claims for lack of standing, decisions in recent cases – including, most significantly, the Target data breach case – have found that non-pecuniary harms constitute sufficient injury to confer standing.  The survival of the consumer claims will depend on which line of precedent the Home Depot court follows.

Arguments as to standing are grounded in Article III, Section 2 of the United States Constitution, which limits the jurisdiction of federal courts to “cases” or “controversies.”   To constitute a case or controversy, a claim cannot arise from a speculative or potential harm, but rather must concern an actual or imminent injury.  Thus, in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), the Supreme Court ruled that mere interception of private data – in that case, by the National Security Agency, through its wiretaps of telephone and email communications – did not confer standing to sue.  Clapper held that speculation that intercepted data might be misused did not confer Article III standing; actual use or misuse of the intercepted information was required.  Defendants in privacy cases, citing Clapper, have succeeded in dismissing data breach claims for lack of standing where data breach plaintiffs have not alleged actual misuse of their data.  See, e.g., Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sep. 3, 2013); Yunker v. Pandora Media, Inc., No. 11-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013).

Home Depot’s brief in support of its motion to dismiss relies heavily on Clapper to support its argument that none of the named plaintiffs have suffered actionable injuries.  Home Depot contends that consumers could not have been injured when card issuers hold consumers harmless for fraudulent charges and Home Depot offered free credit monitoring to affected customers.  The Home Depot brief dismisses plaintiffs’ attempts to plead non-monetary harms, alleging that none of the alleged harms constitute injuries that are cognizable under Article III.  For example, some plaintiffs alleged that they suffered inconvenience and embarrassment as a result of temporarily frozen bank accounts.  According to Home Depot, in the absence of any out-of-pocket losses such alleged harms are not actionable injuries.  Some plaintiffs incurred out-of-pocket credit monitoring costs, but Home Depot takes the position that doing so was gratuitous in light of the free services offered by Home Depot.  Some plaintiffs also alleged out-of-pocket costs associated with fraudulent charges on their payment cards, but Home Depot contends that such injuries are not fairly traceable to Home Depot because such charges should have been covered by the card issuers.

There are also plaintiffs who alleged that they suffered identity theft.  Home Depot argues that such allegations should be rejected as implausible because, based on plaintiffs’ own allegations, the data theft did not result in the theft of social security numbers or date of birth information, both of which would be required to successfully steal an identity was not compromised in the HD data breach.

Although Home Depot makes strong arguments why plaintiffs lack standing, it is constrained to admit in its brief that the court hearing the Target data breach cases rejected an identical standing argument that and been advanced by Target.  In the opinion denying Target’s motion to dismiss, the court gave Target’s standing arguments cursory treatment, finding that “Plaintiffs have alleged injury” in the form of “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”  Although Target, like Home Depot, contended that such alleged injuries are insufficient to confer standing because “Plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts . . . ,” the court rejected this argument, stating that Target had “set a too-high standard for Plaintiffs to meet at the motion-to-dismiss stage.”

Home Depot characterizes the Target decision as an outlier that offers no support for its rejection of Target’s standing arguments.  Further, the Target decision did not rule out the possibility injuries alleged would not be fairly traceable to Target’s conduct, stating that, “[s]hould discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”  Although the settlement of Target’s consumer claims means that the proposition will not be tested in that case, the Target court’s recognition that injury matters for standing purposes provides some support for Home Depot’s position that the Target decision should be disregarded if it is apparent at the pleading stage that no injury has occurred.

ARTICLE BY Kevin M. McGinty of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
©1994-2015 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Think Your Cellphone Usage is Private? Think Again

In a closely-watched case out of Miami, the Eleventh Circuit Court of Appeals redefined the zone of privacy for cell phone users. As the Tech World was focused on Miami for the second annual eMerge conference, the court issued an opinion permitting prosecutors to obtain records from mobile carriers—without a search warrant—allowing the tracking of an individual’s movements through his or her cell phone’s interaction with cell towers.

In U.S. v. Davis, the Eleventh Circuit, sitting en banc, considered the appeal of Quartavious Davis who was convicted by a Miami jury of participating in seven armed robberies. At trial, the prosecution presented accomplice and eye witness testimony that Davis was involved in seven separate armed robberies in a two-month period. The prosecutors also introduced historical cell tower records obtained from Davis’ mobile carrier for the time period spanning the robberies. The records contained a history of numbers dialed by Davis and the cell tower that connected each call. The prosecutors called a police officer that was able to pinpoint on a map the exact location of each robbery and—using the data obtained from Davis’ mobile carrier—the location of the cell tower that connected Davis’ calls around the time of each robbery. While Davis’ location was not precise, the evidence gave the government a basis to argue that the calls to and from Davis’ cell phone were connected through cell tower locations near the robbery locations. Several witnesses testified that Davis used his cell phone around the time of the robberies. These facts allowed the prosecutors to assert that Davis was necessarily near the locations of the robberies at the times they occurred.

The government acquired Davis’ mobile carrier’s records pursuant to the Stored Communications Act (the “SCA”), under which a governmental entity may require a telephone service provider to disclose “a record … pertaining to a subscriber to or a customer of such service (not including the contents of communications) … if a court of competent jurisdiction” finds “specific and articulable fact showing that there are reasonable grounds to believe” that the records sought are “relevant and material to an ongoing investigation.” Importantly, the government is not required to show probable cause—as it would to obtain a search warrant—before a court will issue an order mandating the release of the records.

Following the guilty jury verdict, Davis appealed on the grounds that that the government violated his Fourth Amendment rights by obtaining his mobile carrier’s records without a search warrant and a showing of probable cause.

The Eleventh Circuit rejected Davis’ arguments on two independent grounds. First, the court held that the government’s acquisition of Davis’ mobile carrier’s records did not constitute a search for purposes of the Fourth Amendment. The court reasoned that Davis did not have ownership or possession of the records, and, moreover, Davis did not have a reasonable expectation of privacy in records of the transmissions between his cell phone and his mobile carrier’s cell phone towers—particularly given that it was information captured in the mobile carrier’s records. Second, the court found that even if the government’s acquisition of the mobile carrier’s records did constitute a search under the Fourth Amendment, the government’s acquisition of the information was nonetheless reasonable because the government relied upon and adhered to the strictures of the SCA.

The full implications of the Davis case still remain to be seen, but the case raises important questions about privacy interests in respect of information transmitted over the airwaves and through the internet. For example—and as several judges concurring with the court’s opinion pointed out—what differentiates a third-party internet site’s tracking of a user’s movements on its site through the use of cookies from a mobile carrier’s tracking of a user’s location? One thing that we can say for certain is that as Miami continues to develop as an incubator for technology, start-ups and innovation, the Davis case certainly will not be the last word from our courts on the intersection of privacy and technology.

ARTICLE BY Naomi R. Alzate & Scott N. Wagner of Bilzin Sumberg Baena Price & Axelrod LLP
© 2015 Bilzin Sumberg Baena Price & Axelrod LLP

Data Privacy and Data Security; Two Sides of the Same Coin A Conversation with Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc

The National Law Review - Legal Analysis Expertly Written Quickly Found

Cybersecurity is an important issue facing companies and legal departments across the country.  With high profile, and sometimes embarrassing, data breaches dominating news coverage, data security and privacy have become major concerns.  Patrick Manzo, Executive Vice President, Global Customer Service and Chief Privacy Officer of Monster Worldwide, Inc. will be speaking at the Inside Counsel SuperConference on May 12th, 2015 to give insight into these very important issues.  He will speak on a panel entitled: Cybersecurity Regulations: What you Need to Know.

Manzo says, “There is a drumbeat of data security issues permeating both the mainstream and legal press, and while individuals may have different levels of understanding and engagement, I’m sure that awareness of these issues is high.” There are differing perspectives and approaches on the issue– risk management and policy on one end of the spectrum, technical issues on the other–but importantly, the conversation is underway and there is cognizance at companies, at all levels, of the important of these issues.

Manzo believes a discussion of cybersecurity must consider both data security and data privacy.  He defines data security as, simply, knowing where your data is located, and who may access the data. Data privacy is predicated on data security and requires further understanding how personal data is being collected, processed (and by whom), and transferred, and the consistency of these practices with applicable laws, regulations, and the reasonable expectations of the relevant consumers.   Manzo says, “Data security and data privacy are two sides of the same coin, and we trade that coin for consumer trust.”

Since our modern world is so dominated by data, by its collection, its use, and its analysis, both companies and consumers realize that who we share information with and what they do with it is an important issue.  Manzo uses the term “good data hygiene” to describe what consumers and companies should work towards, and how it is both a company and a consumer’s responsibility to be aware of these issues.  Consumers would do well to acquire a basic understanding of what data they’re sharing and with whom, while companies, Manzo says, “need to be responsible stewards of consumers’ personal information.”

Manzo says, “Data security and privacy should be part of the DNA of a company.”

Data security and privacy are clearly not just IT issues anymore, but instead, Manzo says, “extend into all areas of an organization.”  From a company perspective, good data hygiene requires a strong command of data security and a robust privacy program.  Manzo also advocates that companies be transparent with consumers and customers about their data security and privacy practices.  Transparency requires a company to be aware of what data is being collected and from whom, and what is done with that data–who processes the information, if it is not done in house, and where the information is stored or transferred.  Beyond that, a company should have rules and policies in place to protect the information, and should incorporate data security and privacy into employee training, so that all employees are aware of the issues and concerns.

Manzo says, “Transparency allows you to be upfront and clear with consumers.  You can say, here’s what data I collect, here’s how I use and protect your data, and here’s what might happen to that data.”  Consumers, in turn, need to understand the data they are sharing and reasonably evaluate the attendant risks and benefits, and thereby make an informed decision about sharing their information.

However, it is not just between consumers and companies.  Legislation and regulation have a role to play as well.  “The Federal Trade Commission has a significant role to play in data privacy and security issues, and they have raised consumer and industry awareness of the responsibilities that go hand in hand with using personal information,” Manzo says.  Looking forward, legislation and regulation will play a major role in how companies manage data privacy and security. A clearer, more unified set of rules and laws governing data security and privacy practices, as well as breach notifications, likely enacted on the federal level, would be helpful for consumers and companies.

Right now, companies struggle with a patchwork of laws and regulations.  For example, Manzo says, “to respond to a breach, a company must first pull out a matrix of laws and regulations and determine which apply to the situation.  The patchwork of rules creates unnecessary complexity and slows breach response and notification efforts.”  Moving forward, Manzo says, “more unification of breach response and breach notification laws will be a benefit to consumers and industry.”

Our data soaked society is here to stay, and most have accepted that the risks of having our information available is outweighed by the benefits and the convenience it affords.  That said, more understanding, transparency, awareness and clarification can help consumers and companies move forward in this brave, new, information-saturated world.

You can find more information about the Inside Counsel Super Conference here.

ARTICLE BY

Eilene Spear
The National Law Review / The National Law Forum LLC