Articles | Publications | Popular Blog Posts

Privacy Infographic: Blueprint for GDPR & CCPA Compliance, 2022.
Infographic describing our best-practices approach involving data mapping, risk assessment, and gap analysis. We team with IT specialists to guide organizations through their privacy compliance journey. Whatever your current privacy law compliance, you can safely start here with a completely confidential consultation. Download our free one-page infographic, GDPR / CCPA Privacy Compliance Blueprint.

CCPA / CPRA Privacy White Paper: CALIFORNIA DREAMIN' - A Blueprint for Compliance, 2022
A review of the actual and potential impact of large states like California and New York adopting GDPR-like legislation. GDPR principles such as Privacy by Design (PbD) are becoming the law in the U.S. "Foreign" laws like California's CCPA are actually enforceable against organizations here in the Northeast. Fortunately, it is possible to build compliance solutions that can meet both existing and anticipated requirements. The white paper outlines a series of actionable best practices that can be adapted to nearly any organizational structure. Read about our approach to compliance in California Dreamin’ – A Blueprint for CCPA/CPRA Compliance.

Data Protection & Privacy Article: RISKY BUSINESS - Familiar Technologies that Require a Data Protection Impact Statement (DPIA) under the GDPR, 2021
Some everyday technologies are considered so inherently risky to privacy rights that organizations using them are required to analyze and report on the risks, at least in the EU so far. The risky technology list is long and surprising: AI, Covid-19 contact tracing, online exam proctoring, IoT, genetic data, social media, etc. Any organization handling Personal Information (PI, PII or PHI) using these technologies, and not already GDPR compliant, must prepare to comply with similar U.S. laws. Learn which technologies are considered inherently risky in RISKY BUSINESS: Technologies Requiring a Data Protection Impact Assessment (DPIA) under the GDPR.

GDPR Privacy White Paper: The Top 10 Things to Know About GDPR, 2018.
A concise description of the European Union General Data Protection Regulation (GDPR) as applied to U.S. based organizations. GDPR establishes and enforces a set of seven data protection principles designed to protect the privacy rights of EU citizens. While it may not directly impact U.S. enterprises not doing business in the EU, any organization with a website that may reach EU citizens should review its procedures. Learn what is important about GDPR by reading and downloading our white paper, The Top 10 Things to Know About GDPR.

Information Governance White Paper: C-Level Guide to Covering Your Information Assets, 2015.
How the revised FRCP 37(e) sanctions rule adopted in December 2015 provides a game-changing “green light” to organizations wanting to automate the deletion / destruction of unneeded legacy and other data in a legally defensible way. Contact us for a privileged and confidential consultation or evaluation. Read more here...

Legally Defensible Data Remediation  (Blog Post) Read here...

Information & Data Governance: Why Boards and C-Level Executives Are Sailing in Dangerous Waters  (Blog Post)  Read here...

Information Governance: A Principled Approach  (Blog Post) Read here...

Legal Hold 101: Data Retention and Destruction  (Blog Post) Read here...

The Top 10 Things to Know About the EPA RRP (Lead Paint) Rule  Read more...

Legal Aspects of Managing Construction Projects in Massachusetts (© 2009, 120 pg.) A legal and practical guide to risk management in construction.  Focused on Massachusetts law with free mechanic's lien forms.  Also contains useful information on AIA and ConsensusDocs contracts applicable to any state.  Read Chapter 5 excerpt on best practices for construction recordkeeping and documenting a claim.

The Top 10 Things to Know About Electronic Discovery (eDiscovery) Free Download Top 10 Things to Know About eDiscovery

The Top 10 Reasons to Have a Document Retention Policy  Read more...

The Top 10 Things to Know About Information Security Programs (rev. September 2009) Read more... (note - compliance deadline for 201 CMR 17.00 began March 1, 2010)

Unintended Consequences of the Adoption of New Building Technologies: Galvanic Corrosion and Pressure Treated Wood  Read full article...

2002 Connecticut Construction Law Section Review: Bonds  Read more...

Blogs

Design and construction law topics from the perspective of an attorney with a background in the construction industry 

Technology nearly always outpaces the development of the law. This blog looks at a variety impactful developments in tech.

Goldfish in a Concrete Aquarium

Most of my pre-law school building experience was in New England. Besides the ever changing weather, differing subsurface site conditions presented a variety of challenges. Ledge is commonplace, but it is very hard to predict whether a nearby outcropping will interfere with excavation. Water well depth was typically difficult to predict, even by drillers with local experience. And most challenging was dealing with groundwater, especially flooded basements. Even with perc test holes, the distance from the septic field to the foundation increased the odds that the groundwater level in the excavation was different, or that a spring was found upon digging. In Seattle, as a construction lawyer in the 1990s, I was called on frequently by owners to help diagnose and remedy wet or flooded foundations. One memorable project was a dream house being constructed by a tech millionaire. Soon after the foundation and then the slab were poured, the basement filled up …

Read more

California Dreamin’ – A Blueprint for CCPA/CPRA Compliance

New U.S. Privacy Laws Follow GDPR Trend

With the approval of the CPRA citizen’s initiative (Consumer Privacy Reform Act amending the CCPA – Proposition 24) and the introduction of new privacy legislation in New York and elsewhere all moving toward a U.S. equivalent of GDPR, it is time to face the fact that U.S. privacy compliance obligations are here to stay. When GDPR enforcement began in 2018, many U.S. businesses that were not operating in the EU considered it something that was happening “over there.” Enforcement of the California CCPA (California Consumer Privacy Act) began in January 2020. Now, …

Read more

RISKY BUSINESS: Technologies Requiring a Data Protection Impact Assessment (DPIA) under the GDPR

Under the European Union GDPR privacy compliance obligations, Data Protection Impact Assessments (DPIA) are mandatory for data processing “likely to result in a high risk to the rights and freedoms of data subjects.” Failure to conduct such a risk assessment is a breach of the GDPR that is subject to significant fines. Whether an organization is required to comply with the GDPR is beyond the scope of this article but if your organization processes any of the following types of “risky” Personal Data of EU or UK citizens listed in the table below, now is the time to find out. …

Read more

Solar Winds Supply Chain Hack Wins Password Contest

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management. The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery …

Read more

US-EU Privacy Shield Perforated – GDPR after Schrems II

On July 16, 2020, the European Court of Justice (ECJ – the European Union’s high court) invalidated the EU-US Privacy Shield Framework as a potential mechanism for meeting the GDPR’s cross-border personal data transfer restrictions. Effective immediately, U.S. companies that process EU “personal data” can no longer rely on registration under the Privacy Shield and must establish an alternative legal basis for any continued EU-US transfers. Previously, cross-border transfers to the US were permitted under three mechanisms: 1) the Privacy Shield (http://privacyshield.gov), 2) Standard Contractual Clauses (SCC), and 3) Binding Corporate Rules (BCR). The Privacy Shield was originally developed in …

Read more

Death Trap Buildings

On July 9, 2020, the World Health Organization (WHO) bowed to pressure from scientists to concede that the novel coronavirus (SARS-CoV-2) could cause infection via aerosols. (See https://bit.ly/39EHerk.) Aerosols are simply small droplets (generally described as under 5 microns) containing the virus that can linger in the air for hours. The author of the linked New York Times opinion article, engineering professor Linsey Marr, writes that a 5 micron droplet takes about a half-hour to drop from the mouth of an average height adult to the floor – longer if there are air currents. Link to article, https://nyti.ms/3ggetDM. This is not rocket science, even the Aztecs knew that smallpox was airborne. The implications of this fact are enormous, for the legal liability of design professionals responsible for maintaining healthy buildings, for employers responsible for employee safety under the general duty clause of OSHA, and for people with a statistically higher …

Read more

Pyrrhotite Contaminated Concrete – A Call for Collaboration

In Biblical fashion, more than 34,000 residential foundations in Connecticut and Massachusetts were built on sand between 1983 and 2016.  Not literally, but many if not most residential concrete foundations containing pyrrhotite aggregate from Becker’s Quarry in Willington, CT and mixed by JJ Mottes Concrete in Stafford Springs, CT will need to be repaired or replaced eventually. Those that contain pyrrhotite and have not (yet) shown evidence of failure will remain suspect and likely impact the value of the real estate.  This article focuses on the single-family residential sector but the problem may be wider. Connecticut DOT asserted that pyrrhotite concrete has not impacted its structures. However, there is visual evidence that some commercial and multi-family residential structures are showing telltale signs of pyrrhotite deterioration. What is known is that thousands of pyrrhotite foundations are crumbling in a slow-motion disaster.  The cost of correction currently ranges from $150,000 to $350,000, for lifting and fully replacing foundations. The economic impact on the region is immense. Connecticut officials have already identified approximately 50 towns affected by pyrrhotite foundations.  Only about 700 buildings have been officially reported to date in Connecticut. However, Governor Malloy estimates that over 34,000 homes might be affected. Massachusetts …

Read more

Constructuring

Associated General Contractors (AGC) and FMI recently published a survey of contractors’ perceptions of risk together with an analysis of factors expected to drive change in the U.S. engineering & construction (E&C) industry in the coming years. See Managing Risk in the Digital Age. The survey (completed late 2017 and published in 2018) yielded four key findings: the “people factor” remains one of the biggest risks for E&C firms in today’s business environment; industry stakeholders expect to see more change in the built environment within the next five years than there has been in the last 50 years; most survey respondents are innovating “around the edges” and adopting technology in a piecemeal fashion (or not at all) but not fundamentally transforming their business approaches; and, for years, contractors have tackled risk by purchasing insurance programs and managing claims, but today that is no longer enough. The survey notes that business is …

Read more

California Consumer Privacy Act – GDPR Principles Arrive in the U.S.

In the wake of the Cambridge Analytica scandal, restrictions on monetization of personal information (aka PI or PII) are coming to California in 2020. The California legislature unanimously passed a historic bill to adopt many of the core privacy principles of the EU General Data Protection Initiative (GDPR) for California consumers. The bill was fast-tracked into law in order to avoid the likely passage of a more rigorous ballot initiative in the November election. The key difference between the ballot initiative and the adopted law is that the legislative version can be more easily amended to avoid unintended consequences. Indeed, …

Read more

Eureka – Privacy Discovered in California?

The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents. California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US …

Read more

Reality Bites – Caught “Lead Handed” on TV

Do TV contractors poison their real world customers? According to an EPA press release dated June 5, 2018: “The U.S. Environmental Protection Agency (EPA) and Magnolia Waco Properties, LLC, which does business as Magnolia Homes, have reached a settlement to resolve alleged violations of the Toxic Substances Control Act (TSCA) Lead Renovation, Repair and Painting Rule (RRP Rule), related to home renovations conducted without adequate lead paint protections as depicted on the television program Fixer Upper. Under the terms of the settlement, Magnolia will take steps to ensure compliance with lead-based paint regulations in future renovation projects, address lead-based paint hazards at high-risk homes in Waco, Texas, and educate the public to lead-based paint hazards and appropriate renovation procedures.” Allegedly, according to a November 29, 2017 administrative complaint, Chip and Joanna Gaines, stars of HGTV’s “Fixer Upper” and owners of Magnolia Waco Properties, LLC (d/b/a Magnolia Homes), “did not comply with all of the requirements of the RRP Rule in renovations it performed in 33 properties in the Waco, Texas.” Getting caught “lead handed” on national TV is sort of the opposite of demonstrating competence in the building industry. Who would have thought that the RRP applied on television or …

Read more

GDPR Privacy by Default – Will the US Senate Follow Europe?

On May 25th, Senators Edward J. Markey (D-Mass.), Dick Durbin (D-Ill.), Richard Blumenthal (D-Conn.), and Bernie Sanders (I-Vt.) introduced a Senate resolution calling for U.S. companies and institutions covered by the European Union’s (EU) new privacy law, the General Data Protection Regulation (GDPR), to provide Americans with the privacy protections included in the European law. The 5-page Resolution summarizes the GDPR as requiring that data processors have a legal basis for processing the data of users, and that opt-in, freely given, specific, informed, and unambiguous consent from users is a primary legal basis. The Resolution is not a bill and …

Read more

The GDPR is Coming

Does GDPR Apply in the US?

Yes. GDPR (European Union General Data Protection Regulation) is a comprehensive new law protecting the data privacy of EU citizens. GDPR takes effect on May 25, 2018. It consists of 99 articles and will have sweeping impact on U.S. enterprises. It requires that all personal data be handled according to the GDPR Data Protection Principles. These include the famous “right to be forgotten,” as well as transparency, data portability, breach notification, information security, etc. If you have a public facing website that collects user data and operates in EU countries, it is not too late to …

Read more

The Top 10 Things to Know About GDPR

The GDPR protects “personal data” of EU citizens. So, if you are only doing business outside the European Union then you don’t have to consider it at all, right? Think again. What about any business with a website?

EPA Still Says Get the Lead Out

Through back channels only at the time of this writing, EPA announced the results of its “Section 610” review of the lead safe rules (RRP). One of the interesting findings is that since the RRP rules were first issued, the science behind lead contamination has changed. In the announcement of the EPA Office of Pollution Prevention and Toxics dated April 2018, the EPA recognizes that lead is even more toxic than previously understood. On first reading of the 67-page announcement, it appears that this fact is significant in EPA’s reasoning behind keeping the rule intact and not re-instituting the old opt-out waiver. The conclusion is that danger still exists, that the overall economic costs of lead poisoning outweigh the costs of compliance, and finally that the issue of high false positive lead test kits is not sufficient to weaken the lead protection. [Copy of EPA Section 610 Review here or see …

Read more

Risk Management – How to Avoid the Construction Wheel of Misfortune

Risk management is everywhere. The principles, definitions, and plans involving risk management can be applied to almost any industry or endeavor. Depending on the industry, the sources of risk and the consequences of a particular risk, the approach to risk management will vary. Some risk management is mandatory. For instance, the EPA requires facilities that use extremely hazardous substances to submit a risk management plan (RMP) every five years to be in compliance with Sec. 112(r) of the 1990 Clean Air Act Amendments. On the national level, the Department of Homeland Security developed a National Infrastructure Protection Plan outlining, “how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes.” Some risk management plans are recommended by government agencies as industry standards. The US DOT Federal Highway Administration published a guidebook, Risk Assessment and Allocation for Highway Construction Management, concluding that, “(t)he business case for including risk assessment and allocation as a standard project management component of major capital projects is unambiguous: The ability to better understand potential risks and how to manage them yields benefits far in excess of the costs of adopting risk management practices.” CalTrans has …

Read more

Green Light for Defensible Data Remediation

In December 2015, the electronic discovery provisions of the Federal Rules of Civil Procedure (FRCP) were amended to substantially expand the Safe Harbor against sanctions for destruction of electronic data.  In my November 2015 white paper, C-Level Guide to Covering Your Information Governance Assets, I predicted that the amended rules signaled a pivot away from one of the main sources of eDiscovery uncertainty – the inconsistent imposition of severe sanctions for the loss of electronically stored information (ESI) relevant to dispute resolution.  The prediction holds. The prior Safe Harbor under the 2006 FRCP provided modest protections against sanctions where ESI …

Read more

Information Governance Challenges in the Life Sciences, and Financial Services Industries

While many of the high-level principles of Information Governance (IG) and the technologies supporting their implementation are almost universally applicable, each industry sector presents different challenges – a one-size solution does not fit all. For example, unregulated privately held technology start-ups that are experiencing rapid growth may not have any retention / destruction policies in place; they will expand their IT storage until they crash into a big event, such as litigation, an IPO, or a merger. At that point they might require a top to bottom reconstruction – akin to an emergency room visit after a car crash. Other organizations already function within the constraints of a regulatory regime, such as life sciences or financial services. Especially in publicly traded companies, regulated industries are further along the continuum in almost all of the metrics associated with IG principles, such as: existence of a RIM program; adoption of a retention schedule; legal hold procedures; and protection of sensitive information. Unlike the emergency room metaphor above, the relative maturity of IG initiatives in these organizations requires more of a performance coach than an emergency room doctor to improve their well-being. Organizations also differ greatly in the need for dispersal of their information …

Read more

Legally Defensible Data Remediation

A document retention policy is in reality a document destruction policy.  Therefore, a key reason for an organization to adopt a document retention policy is to establish a program for the deletion/destruction of information that is not required for business, regulatory and other needs.  This reality is made necessary by the fact that digital information is growing at an unprecedented rate and that much of it is contained in “unstructured” storage such as email, SharePoint and shared network drives.  Data hoarding not only increases direct information technology costs but it presents other substantial risks and costs to an organization ranging from discovery of “smoking gun” documents during investigation, litigation or audit; to reputational damage from information security breaches (hacking). Document retention/destruction policies have long been recognized as a good business practice.  Inherent in the practice is the notion that information has a life cycle and that there are valid reasons to protect that information from competitors, thieves, snoops and even government investigators.  In the context of an appeal of an obstruction of justice conviction against Arthur Andersen LLP, this practice was blessed by the U.S. Supreme Court.  Chief Justice William Rehnquist delivered the opinion of the Court: ‘Document Retention Policies,’ …

Read more

Legal Hold 101 – Data Retention and Destruction

Every gambler knows
That the secret to survivin’
Is knowin’ what to throw away
And knowin’ what to keep
‘Cause every hand’s a winner
And every hand’s a loser
And the best that you can hope for is to die
In your sleep

The Gambler lyrics © Sony/ATV Music Publishing LLC

Some of the more frequent questions asked of eDiscovery attorneys when teaming with IT professionals on archiving and other retention policy projects relate to the timing, scope and especially the release of legal holds. Misconceptions about “Legal Hold” abound, many of them (unfortunately) coming from litigation attorneys stuck in the paper document past or those who do not understand data systems architecture. One common source of over-broad Legal Hold retention is the misapprehension of the risk of severe judicial sanctions for the destruction (aka spoliation) of evidence. Too many attorneys take what they consider to be the safe route and continue to advise enterprises to keep too much for too long. As Kenny Rogers’ Grammy award-winning song reminds us, risk can cut both ways. Not only does an overbroad legal hold increase the cost of maintenance and infrastructure, it increases the cost of legal review of held documents, and …

Read more

Boards and C-Level Executives Are Sailing in Dangerous Waters

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance.  It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious.  Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection.  But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk.  Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel.  While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …

Read more

Information Governance – A Principled Framework

Gartner defines Information Governance as an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to reach its goals. One of the core requirements of a legally defensible Information Governance program is a reasonable and consistently applied records & information management (RIM) system. Accountability and defensibility hinge on the ability of an organization to govern its information in all formats and on all media, and to ensure or prove that it is compliant with all legal requirements. Building an information governance framework is by necessity a cross-disciplinary effort. In a world where virtually all information is created in digital form, IT departments are commonly given the lead. However, even the most advanced and elegant technical solutions must be guided by at least two other disciplines: legal, and records management. Especially in the wake of hacking scandals like Sony Pictures, the importance of Information Governance is increasingly recognized as a board level and C-Level concern. Information is an asset and a source of risk; it must be treated with great care. …

Read more

Cover Your Assets

C-Level Guide to Covering Your Information Assets

The management and protection of information assets increasingly represent both the greatest potential value and the greatest risk to the enterprise. Big Data and analytics are now being leveraged by companies well beyond Amazon, Facebook, Uber and Google. Beginning with the Enron scandal and the advent of penalties (civil and criminal) for the improper destruction of electronically stored information (ESI), the existential risk from the disclosure of corporate mistakes or malfeasance through investigation, litigation discovery, or hacking has increased on pace with the explosion of digital data. The reputational damage to Target, Sony, Home Depot and even the U.S. Office of Personnel Management is substantial. Many organizations now report a literal doubling of stored data each year. The oft-heard antidote that the hardware cost of data storage has decreased over time obscures the reality that the combined hard and soft costs of this explosion are enormous. The exponential growth of new data combined with an ocean of unstructured legacy data can only increase management costs and litigation response costs / risks. Too much data affects the bottom line in many ways. Multiple surveys report that employees spend excessive time searching for and managing …

Read more

Create a Legally Defensible Document Retention / Destruction Policy

My February 2015 NARI Legal Corner guest blog titled Build a Record You’ll Be Proud Of addressed the importance of recordkeeping for contractors and provided practical guidelines for creating project records. It showed that the successful management of construction projects requires proper management of a company’s records and other “information assets.” Information asset management should be viewed as a key component of every contractor’s overall risk management program. The article concluded by recommending that organizations develop and implement a document retention policy and legal retention schedule, which together allow old records to be destroyed in a legally defensible manner. This article describes an approach to managing and retiring (destroying) information assets that is based on industry standards and best practices.

A document retention policy is really a document destruction policy

Information as Assets

Broadly defined, information assets include not only project records, accounting records and official documents but all other …

Read more

Build a Record That You’ll Be Proud Of

The management of construction projects involves the management of information. Frequently, decisions need to be made on-the-fly, before the written information necessary to document the decision is available. Under time pressure and with no reliable systems in place, project documentation (building a record) is regularly neglected. Unfortunately, a poorly built record can have serious negative legal and financial consequences.

Why Build a Record?

One good measure of the success of a construction project is whether the completed building meets the needs and vision of the owner. Even small projects require a written proposal containing references to plans and specifications. Without good documentation, there is a greatly increased risk that the customer’s vision may not be converted to reality, leading to a dispute. A key attribute of project documentation is the extent to which it enables any given stakeholder (general contractor, subcontractor, designer, supplier, owner, lender, insurer) to protect its own …

Read more

Other Documents

Table of contents for hosted documents, infographics, etc.