Friday, November 30, 2012

Risk Highlight: Syrian Government Turns Off Internet

In the latest salvo between the Syrian government and opposition forces, the government has reportedly used its control over Syria's telecommunications infrastructure to cut off the nation's Internet access entirely. The shutoff is visible in Renesys' Internet traffic graph for Syria, which shows all globally reachable Syrian networks disappearing between 10:20 and 10:30 UTC on November 29th:

Renesys Internet Traffic Graph for Syria

In response, other nations and companies have stepped in to try to provide at least limited connectivity to Syrians. Google has reactivated its Speak2Tweet service, although the limited telephone service in Syria may reduce its usefulness, and the U.S. State Department announced that it had previously provided 2,000 communications kits, with computers, telephones and cameras, that are "designed to be independent from and able to circumvent the Syrian domestic network precisely for the reason of keeping them safe, keeping them secure from regime tampering, regime listening, regime interruption."

Beyond the clear local and geopolitical aspects, this latest governmental cutoff of Internet access, as with the outages caused by recent storms in the United States, highlights that the telecommunications infrastructure on which businesses depend is largely out of their control. Effective risk management, involving backup systems, contracts, insurance and other means, must take that reality (and its potential implications) into account.

Wednesday, November 28, 2012

Mobile App Privacy: A Slowly Expanding Area

Consumer privacy is a broad area that has been discussed, analyzed and addressed in guidance by both the Federal Trade Commission and the White House. Mobile application privacy, an important subset of consumer privacy, has received significant attention over the past year as the importance of the mobile platform has increased.

The push for protection in mobile app privacy most clearly began with a Joint Statement of Principles laid out by the California Attorney General in February 2012. The California Joint Principles represent an agreement by several top companies in the mobile industry. The agreement, which includes Apple, Google, Research In Motion, HP, and Microsoft (in addition to Facebook, which signed on in June), states what these companies promise to do in their mobile app stores. The agreement provides that the California Online Privacy Protection Act applies to any application that collects personal data from a consumer, and that such an app requires a “conspicuously posted” privacy policy. When a developer submits an app to a mobile app store, the submission should include either a hyperlink to the privacy policy or the actual privacy policy for that particular app, and the policy, whether a hyperlink or the full text, should be available in the app store before the app is downloaded. The major mobile companies must also provide a method for users to report apps that lack such a policy or whose policy does not comply with applicable law.

In addition to the Joint Principles, the FTC released a new report on marketing mobile applications in September 2012 that contains suggestions on how to limit privacy concerns in a mobile app. The FTC suggests that mobile app creators:

Build privacy considerations in from the start.  The FTC calls this “privacy by design.”… Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need.  Apply these principles in selecting the default settings for your app and make the default settings consistent with what people would expect based on the kind of app you’re selling.  For any collection or sharing of information that’s not apparent, get users’ express agreement.  That way your customers aren’t unwittingly disclosing information they didn’t mean to share.
Be transparent about your data practices….Offer choices that are easy to find and easy to use…Honor your privacy promises…The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises in the day-to-day operation of their business.  The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers…Protect kids’ privacy…
Collect sensitive information only with consent.  Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.  It’s a mistake to assume they won’t mind.
Keep user data secure…The wisest policy is to:
  • collect only the data you need;
  • secure the data you keep by taking reasonable precautions against well-known security risks;
  • limit access to a need-to-know basis; and
  • safely dispose of data you no longer need.
As mobile app privacy is a new and growing area, its actual implications for businesses are not yet clear. The California Joint Principles only require that mobile app store providers provide a location for each individual app’s privacy policy; this only implicitly requires that mobile app creators have a privacy policy. The FTC guidelines are less stringent. As stated in its report on consumer privacy, the FTC does not believe that it currently has the power to broadly regulate the area of privacy. However, the FTC’s suggestions show what the Commission might enforce if given that power by Congress.

(Written by Brett Alazraki, Fall 2012 IBLT Entrepreneurship Assistance Fellow)

Tuesday, November 27, 2012

HIPAA De-Identification Guidance from HHS OCR

The Office of Civil Rights ("OCR") of the U.S. Department of Health and Human Services recently issued guidance on appropriate ways to de-identify (remove personally identifiable information from) electronically stored health records. De-identification is required by the Privacy Rule issued under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") in order to permit scientific analyses and other publicly beneficial uses of health records without violating the privacy of the patients whose health information is being shared for analysis. Section 164.514(b) of the HIPAA Privacy Rule provides two methods for de-identification: Expert Determination and the so-called "Safe Harbor."

It can be challenging, though, to completely de-identify any health information, since those with other sources of information may be able to combine their own databases with the de-identified data to "re-identify" individual patients. (In a non-health context, this was demonstrated in 2006 after AOL released a supposedly anonymized search query database of its users, and reporters were able to positively identify at least one user by her particular searches.) With its latest guidance, OCR answers questions about the use and limitations of its approved de-identification methods.

(via IAPP)

Facebook “Hoax” Shows Privacy A Serious Matter for Users

In recent days, numerous Facebook users have posted a legal-sounding statement as an update to their pages containing some version of the following:

“In response to the new Facebook guidelines I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, professional photos and videos, etc. (as a result of the Berner Convention). For any commercial use of the above my written consent is needed at all times! Anyone reading this can copy this text and paste it on their Facebook Wall. This will place you under protection of copyright laws. By the present communiqué, I notify Facebook that it is strictly forbidden to disclose, copy, distribute, disseminate, or take any other action against me on the basis of this profile and/or its contents.

The aforementioned prohibited actions also apply to employees, students, agents and/or any staff of Facebook or under their direction or control. The content of this profile is private and confidential information. A violation of my privacy is punishable by law (UCC 1 1-308-308 1-103 and the Rome Statute).

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version. If you do not publish a statement at least once, you will be tacitly allowing the use of elements such as your photos as well as the information contained in your profile status updates.”

This is not the first time Facebook users have felt the need to add a legal disclaimer to their statuses in an effort to protect their rights. A similar statement made the rounds a few months ago, with a greater focus on privacy:

Facebook is now a publicly traded entity. Unless you state otherwise, anyone can infringe on your right to privacy once you post to this site. It is recommended that you and other members post a similar notice as this, or you may copy and paste this version. If you do not post such a statement once, then you are indirectly allowing public use of items such as your photos and the information contained in your status updates.

PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile.

You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee, agent, student or any personnel under your direction or control.

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law. UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE

These two statements have a few elements in common. First, there was no new policy (or change to a policy) at Facebook to trigger these notices. Next, even had there been such a policy, the notices themselves were ineffectual and inaccurate from a legal perspective (e.g. profile notices do not modify contracts; there is a Berne Convention regarding copyright but no “Berner Convention”; the U.C.C., or Uniform Commercial Code, is a state law regarding the sale of goods, having nothing to do with Facebook profiles or privacy). Additionally, both notices went viral very quickly, spreading to tens of thousands or more Facebook users, even as others posted rebuttals and links to sites such as Snopes.com, and news sites covered and further debunked the warnings about “new Facebook guidelines.”

The main factor that these viral postings share, though, is the lesson that they can provide to Facebook and numerous other organizations: namely, that users care deeply about their privacy and do whatever they think they can to ensure it. This is not a new idea, nor is this the first time a rumored (though inaccurate) threat to privacy generated a vast consumer and even legislative response. In late 1996, e-mails spread warning about the supposed revelation by Lexis/Nexis of Social Security numbers and mothers’ maiden names (two important pieces of data that could be misused by identity thieves to steal account access) in its new P-Trak consumer information database. In reality, P-Trak had originally included Social Security numbers but had been quickly revised to allow searching by such numbers only if the searcher already knew them, and the database had never contained mothers’ maiden names. Nonetheless, consumers jammed Lexis/Nexis’ customer service lines demanding to be removed, and the incident sparked a letter from three senators to the FTC and a resulting FTC public workshop and report to Congress on the privacy of Social Security numbers and other information.

The overall idea of consumers and other users being able to know and manage the information being collected about them has long been a significant part of privacy best practices. The FTC and numerous other bodies in the U.S. and throughout the world have promulgated some version of Fair Information Practice Principles (“FIPP”), which generally include sections on notice, choice and participation. More recently, in February 2012, the Obama Administration published a report entitled Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy, which included a Consumer Privacy Bill of Rights incorporating individual control, transparency, and access and accuracy among its elements. The whole concept of a Web site’s “privacy policy” is that it serves as a disclosure document, informing and empowering consumers with regard to the collection and use of personal information by the site’s owner. Even absent general federal mandates for privacy policies in the United States, the vast majority of sites offer them, largely because consumers might otherwise suspect a site without a privacy policy of misusing their personal data.

Unfortunately, the theory of privacy policies and fair information practices does not always translate into reality. The double wave of Facebook viral postings, which were frequently made by people who were neither privacy advocates nor lawyers, shows both that accurate information about Facebook’s practices was not being effectively communicated to its millions of users, and that users did not know how to find and use Facebook’s actual privacy controls. As confusing as Facebook’s controls may be, those of search/software/service giant Google are substantially more challenging, given how many different products Google offers, the numerous platforms on which they run, and the sheer volume of information being collected and used by Google.

If Facebook is paying attention to its users, it can do a huge service to them and the overall Internet community by taking this latest viral reaction to heart. Facebook should use this incident as a spark to substantially improve user access to, and understanding of, its information collection practices. Other sites, including the many news sites that covered the story, should likewise reexamine and improve their own user privacy experiences. Otherwise, they may face not only unhappy and confused users, but regulatory and legislative actions that have a much more severe and long-lasting impact on their businesses and their ability to properly (and transparently) use what they learn about their customers.

Friday, November 23, 2012

ABA Adopts New Cybersecurity Policy

The Board of Governors of the American Bar Association ("ABA"), the largest legal professional organization in the U.S., has recently adopted a cybersecurity policy recommended by the association's Cybersecurity Legal Task Force. The ABA hopes that its new effort will guide "the executive and legislative branches" of the government in "making policy determinations for improving cybersecurity for the U.S. public and private sectors."

The ABA's policy consists of five principles:
  • Principle 1: Public–private frameworks are essential to successfully protect U.S. assets, infrastructure, and economic interests from cybersecurity attacks.
  • Principle 2: Robust information sharing and collaboration between government agencies and private industry are necessary to manage global cyber risks.
  • Principle 3: Legal and policy environments must be modernized to stay ahead of or, at a minimum, keep pace with technological advancements.
  • Principle 4: Privacy and civil liberties must remain a priority when developing cybersecurity law and policy.
  • Principle 5: Training, education, and workforce development of government and corporate senior leadership, technical operators, and lawyers require adequate investment and resourcing in cybersecurity to be successful.
Beyond their stated goal of governmental guidance, the ABA's principles also form a useful roadmap for every organization, public and private, considering and implementing cybersecurity efforts. Further, even if an organization is not itself managing network security (for example, if it outsources its IT functions), the new guidelines will assist it in understanding and specifying the level of service it receives from the entity that is responsible for cybersecurity.

The new policy is one of many recent initiatives by the ABA seeking to raise both the awareness and diligence of attorneys and lawmakers about technology's impact on law and legal ethics. While the ABA has no formal enforcement authority, its recommendations can be very influential on state and federal governments as well as courts.

Friday, November 9, 2012

Hurricane Sandy and Force Majeure Provisions

Large numbers of individuals and companies (and those firms with which they do business) have been seriously impacted over the past week by Hurricane Sandy. Power failures, gasoline shortages, flood and wind damage and other factors may make it difficult or impossible to conduct business normally, and may raise the possibility of potentially breaching contracts.

Fortunately, many agreements contain a so-called “force majeure” clause, which can temporarily excuse a failure to perform under a contract caused by circumstances outside the party’s control, as with this example:
Neither party shall be deemed in default of this Agreement to the extent that performance of its obligations or attempts to cure any breach are delayed or prevented by reason of any act of God, fire, natural disaster, accident, riots, acts of government, shortage of materials or supplies, or any other cause beyond the reasonable control of such party; provided, that the party interfered gives the other party written notice thereof within ten (10) working days of any such event or occurrence.

Some clauses specify the types of circumstances that trigger the right not to perform, while others are more general. A force majeure clause may also carve out certain obligations that are not excused, such as a requirement to make payments.

Even where a contract does provide for a force majeure excuse, it may require certain actions by a party in order to take advantage of the clause. One possible requirement is notice; in the sample provision above, the party that couldn’t perform must provide the other party with written notice “within ten (10) working days of any such event or occurrence.” If this notice is not given (or given late), the failure to perform may be deemed a breach of the contract. In other agreements, the party seeking to take advantage of a force majeure right may be obligated to do what it can to mitigate (or reduce) the damages caused by its non-performance in order to be generally excused, whether after the fact or in anticipation of a possible force majeure event.

However you may have been affected by Hurricane Sandy or other major situations out of your control, we would advise you to review all of your relevant contracts, particularly any force majeure sections. Whether you need to take advantage of such a right, or you anticipate that others with which you have contracts will do so, it’s crucial that you are aware of any restrictions and requirements contained in the language of the provision, and particularly that you meet any deadlines to notify other parties of your business’s problems.