#DataProtection

Internet of Things Sensors and Data Ownership: Some Legal Implications of Smart Construction Sites

Smart sensors now monitor everything from concrete curing temperatures to worker safety conditions, generating vast amounts of real-time data that inform critical project decisions. However, this technological advancement raises complex legal questions about data ownership, privacy protection, and liability for sensor-based decisions that the construction industry is only beginning to address. Data Ownership and Access Rights Construction IoT implementations typically involve multiple stakeholders contributing to and accessing shared data streams. Environmental sensors provided by concrete suppliers, safety monitoring systems installed by general contractors, and progress tracking devices deployed by project owners create interconnected data ecosystems. Determining ownership rights and usage permissions for this collectively generated information requires careful contractual planning that most standard construction agreements do not address. Data ownership disputes can arise when sensor information becomes crucial to dispute resolution or change order documentation. IoT Use Raises Many Critical Questions If temperature sensors indicate that concrete curing conditions required schedule adjustments, who controls access to the underlying data? When safety sensors detect conditions that influence project decisions, what rights do various stakeholders have to access and use this information? Privacy Regulation Compliance Privacy regulations add significant complexity to construction IoT deployments. Worker monitoring sensors may collect personal information subject …

Read more

RISKY BUSINESS: Technologies Requiring a Data Protection Impact Assessment (DPIA) under the GDPR

Roulette Wheel seen from space

Under the European Union GDPR privacy compliance obligations, Data Protection Impact Assessments (DPIA) are mandatory for data processing “likely to result in a high risk to the rights and freedoms of data subjects.” Failure to conduct such a risk assessment is a breach of the GDPR that is subject to significant fines. Whether an organization is required to comply with the GDPR is beyond the scope of this article but if your organization processes any of the following types of “risky” Personal Data of EU or UK citizens listed in the table below, now is the time to find out. …

Read more

Solar Winds Supply Chain Hack Wins Password Contest

In this picture, the Sun's surface is quite dark. A frame from a movie recorded on November 9th by the orbiting TRACE telescope, it shows coronal loops lofted over a solar active region. Glowing brightly in extreme ultraviolet light, the hot plasma entrained above the Sun along arching magnetic fields is cooling and raining back down on the solar surface.

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management. The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery …

Read more

Eureka – Privacy Discovered in California?

The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents. California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US …

Read more

Boards and C-Level Executives Are Sailing in Dangerous Waters

Great White Shark

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance.  It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious.  Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection.  But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk.  Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel.  While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …

Read more

Information Governance – A Principled Framework

Gartner defines Information Governance as an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to reach its goals.  One of the core requirements of a legally defensible Information Governance program is a reasonable and consistently applied records & information management (RIM) system.  Accountability and defensibility hinge on the ability of an organization to govern its information in all formats and on all media, and to ensure or prove that it is compliant with all legal requirements. Building an information governance framework is by necessity a …

Read more

Cloudy Laws I – Cloud Computing Security and Legal Challenges

Supercell clouds over Nebraska

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges.  While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011.  NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models. (NIST Special Publication 800-145): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Essential …

Read more