Eureka – Privacy Discovered in California?

The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents. California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US culture. Well-known regulations and restrictions on air quality such as CARB (CA Air Resources Board), on “chemicals known to the state to cause cancer or reproductive toxicity” such as Proposition 65, and on offshore drilling have been very influential. Facebook, Google, Apple, AirBnB, Tesla, and yes, Theranos are all California companies. Beauty is in the eye of the beholder In 1976, a wealthy acquaintance in the Bel Air hills invited me for drinks to survey the skyline overlooking Los Angeles at dusk from his poolside perch. Like the successful Mr. McGuire in The Graduate urging Ben to steer his career towards the …

Read more

GDPR Privacy by Default – Will the US Senate Follow Europe?

On May 25th, Senators Edward J. Markey (D-Mass.), Dick Durbin (D-Ill.), Richard Blumenthal (D-Conn.), and Bernie Sanders (I-Vt.) introduced a Senate resolution calling for U.S. companies and institutions covered by the European Union’s (EU) new privacy law, the General Data Protection Regulation (GDPR), to provide Americans with privacy protections included in the European law. The 5 page Resolution summarizes the GDPR as requiring: that data processors have a legal basis for processing the data of users; and that opt-in, freely given, specific, informed, and unambiguous consent from users is a primary legal basis. The Resolution is not a bill and has not yet been debated or adopted. However, it was symbolically introduced on the very same day that European GDPR became law. Many US enterprises are impacted by the new EU law, because they control or process the personal data of people in the EU. Some US companies have announced full compliance with the GDPR for all people worldwide. Others have geofenced and blocked EU data subjects. Others, like the Washington Post, have erected a supposedly compliant paywall to provide GDPR-compliant and ad-free access to the EU countries. The Markey Resolution “encourages entities” already covered by the impact of the …

Read more

The GDPR is Coming

  Does GDPR Apply in the US? Yes. GDPR (European Union General Data Protection Regulation) is a comprehensive new law protecting the data privacy of EU citizens. GDPR takes effect on May 25, 2018.  It consists of 99 articles and will have sweeping impact on U.S. enterprises. It requires that all personal data be handled according to the GDPR Data Protection Principles. These includes the famous “right to be forgotten,” as well as transparency, data portability, breach notification, information security, etc. If you have a public facing website that collects user data and operates in EU countries, it is not too late to get advice. Watch this space as we roll out solutions for enterprises that are not ready.

Information Governance Challenges in the Life Sciences, and Financial Services Industries

While many of the high-level principles of Information Governance (IG) and the technologies supporting their implementation are almost universally applicable, each industry sector presents different challenges – one-size solution does not fit all. For example, unregulated privately held technology start-ups that are experiencing rapid growth may not have any retention / destruction policies in place; they will expand their IT storage until they crash into a big event, such as litigation, an IPO, or a merger. At that point they might require a top to bottom reconstruction – akin to an emergency room visit after a car crash. Other organizations already function within the constraints of a regulatory regime such as life sciences or financial services. Especially in publicly traded companies, regulated industries are further along the continuum in almost all of the metrics associated with IG principles such as: existence of a RIM program; adoption of a retention schedule; legal hold procedures; and protection of sensitive information. Unlike the emergency room metaphor above, the relative maturity of IG initiatives in these organizations requires more of a performance coach than an emergency room doctor to improve their well-being. Organizations also differ greatly in the need for dispersal of their information …

Read more

Cloudy Laws II – Only 65 Challenges to eDiscovery Forensics in the Cloud

Among the many types of challenges presented by the adoption of cloud computing are those involving computer forensics. Computer forensics can be thought of as the set of tools and techniques that make eDiscovery possible and reliable. It is defined in Wikipedia as, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.” The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) defines cloud computing forensic science more specifically as, the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation and reporting of digital evidence As with other legal evidence, digital evidence is subject to challenge in court. It has to be what it purports to be. Therefore, the accurate identification of the creator, custodian, chain of custody, authenticity and other attributes of digital evidence is essential in any eDiscovery setting. Essentially, a computer forensic investigation must locate and identify “documents” and other information that can be traced to the actions, knowledge and information available to parties and other witnesses involved in a lawsuit, arbitration or investigation While a number of technical tools and techniques have been developed to …

Read more

Cloudy Laws – Cloud Computing Security and Legal Challenges

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges. While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011. NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models. (NIST Special Publication 800-145) Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Essential Characteristics Service Models Deployment Models On demand self service Broad network access Resource Pooling Rapid Elasticity Measured Service Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Private Cloud Community Cloud Public Cloud Hybrid Cloud The rapid increase in the availability of cloud computing solutions ranging from Enterprise systems, to Office 365, to the ad hoc use of unencrypted Dropbox accounts, has profound implications for privacy, information security, eDiscovery and legally defensible document retention policies. Hardly a day passes without news of another serious security breach or weakness. The security risks and the costs of misjudgments, mistakes or …

Read more

LocationGate – Where in the World Was Waldo?

Just look at his iPhone data Apparently I am not the only person troubled by the 2011 revelation that Google and Apple collect location data from smart phones.  Mike Elgan wrote a thoughtful piece for Computerworld. Who owns your location? – Computerworld The idea of tracking files existing on phones and on the computers used to synch data raises eDiscovery issues as well as obvious privacy and data security concerns.  Will employers be tempted to look at the data collected by company issued phones to see if their sales team or delivery drivers were on task?  Employers defending discrimination cases are always on the lookout for employee misconduct that would justify termination of employment on non-discriminatory grounds.  Did she lie to the boss about that sick day as shown by the trip to the Foxwoods Casino? Warrantless Searches A January 2011 decision by the California Supreme Court held that police may make a warrantless search of a person’s cell phone incident to a lawful arrest – in California.  In the opinion, the court considers and dismisses the privacy argument: Regarding the quantitative analysis of defendant and the dissent, the salient point of the high court‟s decisions is that a “lawful custodial arrest …

Read more