
Brian is an Associate in the firm’s San Diego office. His practice focuses on corporate law matters. He has extensive experience in patent litigation and intellectual property matters, as well as privacy and data protection matters, particularly as to data aggregation, network security, and technology transactions. He is a Certified Information Privacy Professional (US Specialization), and Certified Information Systems Security Professional (CISSP), endorsement pending.

We’ve discussed privacy compliance with regulations, legal requirements, etc. in the space since this blog’s inception. “Privacy by design” – while not a new concept – is certainly enjoying a new spot in the sunshine thanks to the European Union’s General Data Protection Regulation (“GDPR”) (93 days and counting…) and its codification of “privacy by design and default” in Article 25.

Privacy can also be a key differentiator and a competitive advantage.  Read on for some points that can help drive your data privacy/data management program. Continue Reading How to Leverage Privacy as a Key Competitive Advantage

The U.S. Supreme Court heard oral arguments in what may become one of the defining consumer privacy cases of our generation. The central question in Carpenter v. United States asks whether the government violates the Fourth Amendment by accessing an individual’s historical cell phone locations records without a warrant. The Court’s decision, expected by June 2018, could draw a more concrete legal line for what constitutes “reasonable search and seizure” when government agencies seek to gather potentially incriminating smartphone data from third-party communication providers. The outcome of the case may significantly reshape consumer expectations of electronic privacy, and even alter the disclosures companies across all sectors must make in their privacy policies.

Continue Reading Carpenter v. United States Privacy Case Pushes Supreme Court to Decide Fourth Amendment Protections of Cell Phone Metadata

Recently, there has been a lot of discussion regarding the Spectre and Meltdown vulnerabilities. This alert provides a simple overview of what these vulnerabilities are, what systems could be affected, as well as steps that companies can take to reduce the risks that these vulnerabilities create.

  • What Are The Spectre And Meltdown Vulnerabilities?

Spectre and Meltdown are the names of two flaws that can affect a computer’s central processing unit (“CPU”). Certain CPU chips made by Intel and other manufacturers are vulnerable to the Spectre and Meltdown flaws. The CPU allows the computer to carry out instructions provided by a computer program. Unfortunately, security flaws that affect the CPU permeate the functionality of the computer system. As the CPU is a core aspect of the computer system, most every aspect of system functionality is at risk.

Both the Spectre and Meltdown flaws work by causing issues with system memory, which computers use to store data. The way that system memory stores information and how it is accessed is crucial to system performance and security. Security researchers have created a page explaining the different aspects of Spectre and Meltdown in more detail. “Meltdown breaks the mechanism that keeps applications from accessing arbitrary system memory. Consequently, [potentially malicious] applications can access system memory.” Meanwhile, “Spectre tricks other applications into accessing arbitrary locations in their memory. Both attacks use side channels to obtain the information from the accessed memory location.”

  • Which Systems Are Impacted By The Spectre And Meltdown Vulnerabilities?

Any systems that use or rely upon CPU chips that are vulnerable to the Spectre and Meltdown flaws could be impacted. Unfortunately, this is a vast swath of potentially vulnerable systems. Most companies use some physical computers locally, such as laptops, desktops, tablets, smart phones and others, and also leverage certain remotely provided computing resources, maintained by another portion of the same entity or by an external vendor.

As such, every company that leverages computing resources will need to ascertain which systems are exposed to the Spectre and Meltdown vulnerabilities. This will involve:

  1. Identifying and understanding any local physical computing resources that the company allows employees, contractors or others to use on behalf of the company.
  2. Working with qualified personnel to identify which of these devices contain CPUs subject to the Spectre or Meltdown vulnerabilities.
  3. Identifying all externally provided computing resources, such as cloud computing resources leveraged by the company.
  4. Working with each identified provider of the externally provided computing resource to understand whether the provided computer resource leverages CPUs that are subject to the Spectre or Meltdown vulnerabilities.
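The identification steps above leave the question of how qualified personnel actually tell whether a given device carries an affected CPU. On Linux hosts running kernel 4.15 or later, the kernel reports its own view of each speculative-execution issue as one small file under /sys/devices/system/cpu/vulnerabilities/, which an inventory script can read on every host. The POSIX shell script below is an added example written for this page; it is not code from the Mintz Levin alert or from any vendor. The directory argument, the function name and the constructed sample statuses are this example’s own assumptions, and it covers Linux only (Windows hosts need a different check, such as Microsoft’s SpeculationControl PowerShell module).

```shell
#!/bin/sh
# Added example for this page (not from the Mintz Levin alert or any vendor).
# Linux 4.15+ exposes one file per speculative-execution issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
# and later additions). Each file reads "Not affected", "Vulnerable[: detail]"
# or "Mitigation: <detail>". The directory is a parameter (an assumption of this
# example) so the same check runs on a live host or on a tree copied from one.

VULN_DIR="${1:-/sys/devices/system/cpu/vulnerabilities}"

# check_speculation_status DIR
#   Prints one classified line per issue file.
#   Returns 0 if no issue is reported as Vulnerable,
#           1 if at least one issue is reported as Vulnerable,
#           2 if DIR does not exist (pre-4.15 kernel or not Linux; the host
#             cannot be assessed this way and needs vendor guidance instead).
check_speculation_status() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir; assess this host another way"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     echo "VULNERABLE  $name: $status"; rc=1 ;;
            Mitigation*)     echo "mitigated   $name: $status" ;;
            "Not affected"*) echo "n/a         $name: $status" ;;
            *)               echo "unknown     $name: $status" ;;
        esac
    done
    return "$rc"
}

# Entry point: report and summarise without aborting the shell on a non-zero result.
check_speculation_status "$VULN_DIR" || echo "overall: attention needed (exit status $?)"
```

Run it with no argument on a live host, or point it at a copy of the directory collected from another machine. A Vulnerable entry on any file means the vendor patch or microcode update has not yet taken effect on that host; Not affected and Mitigation entries are what a patched system shows. The set of files grows as new variants are disclosed, so the script reports whatever the kernel lists rather than a fixed set.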

  • What Steps Can Companies Take to Reduce Spectre and Meltdown Risk?

Given the widespread nature of the Spectre and Meltdown vulnerabilities, companies may wish to focus their limited resources on reducing their risk in the most effective manner possible, while understanding that completely eliminating all Spectre and Meltdown vulnerability risk may not be possible. After performing the steps above to identify which computing systems leveraged by the company are at risk, companies will want to consider taking the steps below:

  1. Run vendor-provided software management tools to identify and update applicable computer systems with the appropriate released vendor patches to reduce Spectre and Meltdown exploit risk. Ensure that appropriate personnel are aware that system testing should occur after this process runs, as the patches could create performance and stability issues.
  2. Review and update applicable security policies, incident response, and business continuity plans if these documents are not effectively providing guidance and empowering appropriate stakeholders to identify and remediate Spectre and Meltdown vulnerability risk.
  3. Identify any systems where particularly sensitive data is kept and engage with appropriate internal or external personnel to identify and implement appropriate compensating controls due to any increased risk of data exfiltration as a result of potentially latent Spectre or Meltdown vulnerability risk.
  4. Consider working with appropriate legal counsel to identify whether Spectre and Meltdown present legal risks to the company, as potentially informed by the data being stored, or any products or services being offered by the company to external entities. Companies will likely want to be particularly concerned as to any increased data breach risk, or the risk that products and services being offered to others are subject to known Spectre or Meltdown vulnerabilities that have not been effectively addressed and disclosed.

If you have any questions regarding these issues, please do not hesitate to contact the team at Mintz Levin.

The National Association of Insurance Commissioners (NAIC) has approved its draft of the Insurance Data Security Model Law (Model Law) via a meeting of its Executive and Plenary Committees. This important development follows the New York Department of Financial Services (“DFS”) Cybersecurity Requirements for Financial Services Companies regulation, which took effect on March 1, 2017 (the DFS Cybersecurity Regulation) and which we have covered previously.

NAIC likely recognizes that the numerous data breaches that have occurred over the past year have created an opportunity to build upon the momentum created by the DFS Cybersecurity Regulation, and to provide an environment of comprehensive compliance requirements to protect Licensees and Consumers. Indeed, the Model Law even contains a Drafting Note stating that:

The drafters of this Act intend that if a Licensee, as defined in Section 3, is in compliance with N.Y. Comp. Codes R. & Regs. tit.23, § 500, Cybersecurity Requirements for Financial Services Companies, effective March 1, 2017, such Licensee is also in compliance with this Act.

In many cases, model laws approved by NAIC, a U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories, are adopted within these jurisdictions as binding law. Below is a high-level overview of particularly salient points of the Model Law. Continue Reading Insurance Commissions Approve Data Security Model Law

Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.

Other states already require businesses to meet specific standards with regard to providing cybersecurity protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as Chief Information Security Officer, and implement an incident response plan, among additional imperatives. Similarly, states differ with regard to their requirements for businesses providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and the Office of Consumer Affairs and Business Regulation (OCABR).

Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether a business qualifies for the safe harbor provision will be for a judge to determine, based on whether the business has met its burden. Ultimately, the key takeaway is that this new legislation will make compliance available as an affirmative defense for businesses facing a lawsuit as a result of a data breach.

The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.

The Federal Trade Commission (FTC) clarified in recent guidance how the Children’s Online Privacy Protection Act (COPPA) applies to internet-connected device companies and other businesses that collect and use children’s voice recordings.

COPPA compliance is necessary for all commercial websites and online or mobile service operators that collect personal information of children under the age of 13. Previously, the FTC has released clarifying updates regarding requirements for companies obtaining verifiable parental consent and the applicability of the law to educational institutions and businesses that provide online services to educational institutions. More recently, it has become important for new business models, such as those involved with Internet of Things devices, to understand how they can remain in compliance with COPPA obligations. In light of COPPA enforcement actions in recent years, we have prepared a helpful guide to ensure businesses know how to avoid violations. Continue Reading FTC Provides Additional Guidance on COPPA Policy for Voice Recordings

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

–Acting Federal Trade Commission Chair Maureen K. Ohlhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.

Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.” The purpose of Store Sales Management is to allow for the matching of goods purchased in physical brick-and-mortar stores to the clicking of online ads, or, as we refer to the practice, “Bricks to Clicks.”

The significance of this is immense. No longer will advertisers have to wonder how much revenue can be tied to a specific campaign; instead, Store Sales Management will give them insight into whether actual consumers who viewed advertisements went on to purchase certain products. Continue Reading FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”

The Internet of Things (“IoT”) can be thought of as a group of different devices that can communicate with each other, perhaps over a network such as the internet. We have written extensively about many of the privacy challenges that IoT devices can create. Recently, the Federal Trade Commission (“FTC”) made clear that its Children’s Online Privacy Protection Rule (the “COPPA Rule”) would continue to be applicable to new business models, including “the growing list of connected devices that make up the Internet of Things. That includes connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data.”

To assist companies in complying with their COPPA obligations, the FTC has released an updated Six Step Compliance Plan. These steps are:

Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.

Step 2: Post a Privacy Policy that Complies with COPPA.

Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.

Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.

Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.

Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.

Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

Notably, per Step 1, the FTC has made it clear that COPPA defines “Website or Online Service” broadly, to include “mobile apps that send or receive information online (like network-connected games, social networking apps, or apps that deliver behaviorally-targeted ads), internet-enabled gaming platforms, plug-ins, advertising networks, internet-enabled location-based services, voice-over internet protocol services, connected toys or other Internet of Things devices.” A key takeaway for companies everywhere is that, if your service collects personal information from kids under 13, it is unlikely that the FTC will be swayed by an argument that your service is not subject to the COPPA Rule. Instead, entities would be wise either to limit their data collection activities such that personal information is not collected, or to take the time to understand and comply with their COPPA obligations from the outset.

If your IoT device or app does collect personal information from kids under 13, “verifiable parental consent” is the most important compliance concept, and also tricky to implement. There are exceptions to this “verifiable parental consent” requirement in the COPPA Rule, but those exceptions are limited and reliance on any exception should only be done with careful consideration of your collection practices and the COPPA Rule.

Similarly, the FBI has warned consumers that Internet-connected toys present privacy concerns for children. Companies may wish to pay particular attention to the recommendations that the FBI has for consumers, as many of them involve the consumer researching whether the company has used basic measures to protect the privacy of children that use these toys, including using authentication and encryption as well as providing security patches at the device level. Companies may wish to consider whether these suggestions could form part of the basis for a reasonable standard of care, and whether, given their IoT device’s “use case,” a failure to support one or more of these measures could subject them to additional liability.

If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz Levin.