BizTech Law Blog

Now is a busy time for businesses as they wrap things up before year-end. But the holiday season can be stressful for a different reason when the owner or some of the employees are responsible for the care of aging family members on top of working full-time.

With the rise of generative artificial intelligence (AI) and its various synthetic media outputs, deepfakes are just one of many new risks to businesses. Deepfakes pose considerable threats to companies, potentially damaging reputation, trust, and financial stability through malicious impersonation and manipulation of digital content.

Yesterday, on October 16, the Federal Trade Commission (“FTC”) issued final amendments to the “Rule Concerning Recurring Subscriptions and Other Negative Option Programs”, also referred to as the “Click-to-Cancel” Rule (the “Rule”). See the following link from the FTC’s website for more information: Federal Trade Commission Announces Final “Click-to-Cancel” Rule Making It Easier for Consumers to End Recurring Subscriptions and Memberships | Federal Trade Commission (ftc.gov).

Artificial intelligence (AI) is fast becoming an integral element in the operation of virtually every business and organization.

The Children’s Online Privacy Protection Act (“COPPA”) was enacted in 1998 and was created to address concerns with the online collection of children’s personal information. Recently, the Federal Trade Commission (“FTC”) has announced several large fines for companies not in compliance.

Federal data privacy legislation in the United States is looking increasingly likely to pass in the foreseeable future. This renewed outlook is a stark change for those who remember previous legislative proposals, like the 2009 Personal Data Privacy and Security Act that never received a floor vote.

Data privacy and cybersecurity concerns are changing the way potential investors and acquirers evaluate a target company through due diligence. Data and security related risks can be extremely costly – especially those that are not uncovered in due diligence.

For an introduction to these areas, visit Taylor's previous video, an Introduction to Data Privacy, Cybersecurity and Third Party Vendor Management. 

In recent years, security risks and data breaches have increased and businesses are working to be better equipped to respond to emergency cyber attack and breach situations. 

On June 28, California governor Jerry Brown signed into law the California Consumer Privacy Act of 2018. The Act will significantly impact companies (including many based outside of California) and United States legislation in the coming months, although it is unclear whether the new law will serve as an example for other states or an outlier. Importantly, the Act contains a number of "GDPR-like" features, making it the most restrictive data privacy law that the United States has ever seen.

It's not hyperbole to say that the General Data Protection Regulation's May 25th enforcement date marks one of the largest shifts in the history of privacy laws.

This is the first article in a series on Third Party and Vendor Management. The next article in this series discusses provisions for vendor contracts.

Recently, international travelers have noticed US Customs and Border Protection agents with increased interest in searching cell phones, laptops, and other portable technology. Employers should be aware that this trend increases the risk that an unauthorized individual will access sensitive company information, which could result in an inadvertent data breach.

Some international travelers have been asked by border agents to unlock cell phones or provide a password needed to unlock the device. One report included a customs agent threatening to seize a travelers' phone if he did not unlock his cellphone. Employers are rightfully concerned that these searches may allow unauthorized individuals to access sensitive company information.

In 2016 Lansing, MI's Board of Water and Light fell victim to a cyber-attack that resulted in $2.4 million in costs, including a $25,000 ransom paid to the perpetrators. In the aftermath of the breach, BWL announced that it was filing for a $1.9 million insurance claim under its cyber insurance policy, including $2 million in covered losses, less a $10,000 deductible.

There is a lot at stake for businesses when it comes to cyber-crime, which is why more and more businesses are investigating and purchasing cyber insurance to hedge against the risks associated with cyber security and data privacy.

No matter how carefully, thoughtfully and diligently a company works to prevent it, data breaches happen. Company management, IT teams and outside consultants can do everything right and still end up dealing with a breach. That means that knowing how to best respond when (not if) a breach happens should be part of every company’s data protection strategy.

We recommend that every company assemble a security breach team, consisting of individuals inside and outside of the organization who possess different skill sets. This may include technology officers, as well as staff from IT, human resources, communications, legal departments, outside counsel, and outside vendors. The composition of the team will depend on the type and size of the organization, but each member should be in a position and have skills that enable the organization to quickly and properly respond to an incident. The team must also be equipped, authorized and empowered to evaluate and immediately react to an incident once it has occurred.

According to the Department of Justice (the “DOJ”), an estimated 17.6 million Americans aged 16 or older were victims of at least one attempt or incident of identity theft in 2014. Identity theft takes many forms - from stealing someone’s identity to obtain government benefits to creating new financial accounts in another person’s name. The most frequent type of identity theft - 80 percent of all cases according to the DOJ - involves someone trying to take over an existing bank or credit card account. Tax-related fraud is also on the rise.

We are all at risk of identity theft. It seems like a week never goes by without a news report about a data breach at a major retailer or bank. Unfortunately, most people who are victims of identity theft - or suspect they might be - are not aware of the steps they should take to mitigate the harm from the theft.

This article identifies the steps that a person whose social security number is compromised should immediately take upon learning of a problem, as well as actions to take to protect against the risk of identity theft in the future.

Thanks to the new Oliver Stone movie now in theaters, Edward Snowden has been back in the news lately. Disillusioned and alarmed by the virtual mountain of data that was being assembled by the federal government to track all forms of digital communication, Snowden became a hero to some, and traitor to others, after he leaked information about the government’s secret tracking systems to the press.

It’s not uncommon for “covered entities” such as hospitals and health systems to violate the Privacy Rule under the Health Insurance Portability and Protection Act of 1996 (“HIPAA”). A stolen laptop or misplaced file can expose information that should be protected. Rarely, however, does a violation arise from the filming of a television show. But that’s exactly what happened in the case of New York Presbyterian Hospital (“NYP”), which recently entered into a settlement with the Department of Health and Human Services, Office for Civil Rights (“OCR”) for $2.2 million.

The term "competitive intelligence" is the process of legally gathering information about one's competitors to gain a strategic advantage in the marketplace. Large corporations will have strategic intelligence experts as a part of their marketing department. These experts specialize in discovering promotional activities, sales figures, and other information about the company's competitors. Ideally, strong competitive intelligence enables a company to predict the strategy of a competitor and adapt with a strategy of its own that will result in an advantage in the marketplace.

The good news is that small and medium-sized businesses are not usually the targets of professional competitive intelligence experts. However, a business owner would be wise to protect itself from amateur intelligence gathering by its competitors. Competitive intelligence gathering begins by identifying the strategy of your own business and how your competitor's strategy will interfere. Then the intelligence gathering begins. 

Did you know that one court has ruled that a police officer can force a person to unlock a phone with Apple's Touch ID technology? Understand the risks with enabling this feature on your phone. Check out the story here.

Microsoft may soon find itself being held in contempt of court after refusing to abide by a U.S. District Court Order, requiring it to produce customer e-mail data stored by the company in Dublin, Ireland.  The United States Department of Justice previously sought and obtained a search warrant for the production of customer e-mail data maintained by Microsoft as part of a criminal investigation relating to narcotics trafficking.

Judge Loretta Preska, chief judge of the United States District Court for the Southern District of New York, ordered Microsoft to produce the e-mail data in July, finding that, although the data was held overseas, it remained under Microsoft’s possession and control, over which the court maintained jurisdiction. Microsoft has yet to comply, claiming that the court lacks jurisdiction over the foreign e-mail data. The judge has since imposed a Sept. 5 deadline for the parties to inform the court on how they plan to proceed.

The gossip website, thedirty.com, is immune from liability for online posts about an ex-Bengals Cheerleader’s sexual promiscuity and acquiring a sexually transmitted disease. In a closely followed decision from a case that has generated considerable media coverage because of its potential to chill online speech and hold internet websites such as Facebook, Twitter and newspaper sites liable, which allow third party users to post content, was reversed. The U.S. Court of Appeals for the Sixth Circuit recently overturned a jury verdict of $338,000 against gossip website thedirty.com and its owner Nik Richie. Sarah Jones v. Dirty World Entertainment Recordings LLC  arose after Sarah Jones, a former Cincinnati Bengals cheerleader and teacher who was subsequently convicted of having sex with a high school student, sued the website after it posted unflattering information about her sexual promiscuity with football team players, she demanded the posts be removed, and the website refused. She filed state law tort claims for defamation and privacy torts and won at trial. The defendants appealed.

Business owners are increasingly turning to cloud storage as an alternative to maintaining their own servers. The three most popular cloud storage services are Dropbox, Google Drive and SkyDrive. Each service comes with a specific amount of free storage and allows users to upgrade for a fee. For a helpful comparison of these three choices, see here. Cloud storage providers are promising upgraded security, but there are certain steps business owners can take themselves to protect their data.

The days of carrying around a work phone and personal phone are quickly dwindling, if not already gone. Instead, businesses are implementing bring-your-own-device ("BYOD") policies that allow employees to access corporate information from their personal mobile device. On one hand, providing employees with mobile access to information increases productivity by allowing employees to work from anywhere. On the other hand, allowing corporate information to be accessed on devices that are mobile and capable of falling into the wrong hands produces a host of new security issues. This creates a difficult balancing act for employers who want their employees to be productive, but still want to maintain control over the information being accessed.

Yes, the FTC can shut down your app. But you could also face stiff penalties for lack of compliance.

COPPA is the Children's Online Privacy Protection Act. The FTC has recently revised the rules regarding collecting personal information from children, and has set a date of July 1, 2013 as the deadline for compliance with the latest revised rule. The revision focuses on applications that collect personal information about children, such as photos, videos, and audio files containing the child's voice.

Michigan’s new law, the Internet Privacy Protection Act (IPPA), protects employees, potential employees, students and applicants from giving employers and educators access to their personal social media accounts. Under the new law, accounts such as Gmail, Facebook, Twitter, Tumblr or Twitter are covered. Employers and school administrators can’t discharge, fail to hire or admit or otherwise penalize their current or potential employees or students for refusing their request.

Many people love having an application on their iPhone that can convert nearly anything they say into text.  But what does Apple do with what you say to Siri?

Most people are unaware that everything you say to Siri is sent to a data center in North Carolina.  It is sent to Apple in order to convert what you say into text.

Let's revisit a previous posting regarding the scope of the Fourth Amendment in the digital era. 

Last year, the Department of Justice requested the U.S. Supreme Court to approve the warrantless and covert attachment by law enforcement of a GPS tracking device to an individual's vehicle. The DOJ’s request arose from a U.S. Court of Appeals decision, which vacated the life sentence of a convicted drug dealer.  In that case, the Court of Appeals held that law enforcement violated the individual’s Fourth Amendment rights by secretly attaching a GPS tracking device to the individual’s vehicle without a warrant.

Facebook has reached a settlement with the Federal Trade Commission regarding charges that it violated users' privacy rights.

Why Facebook was under investigation?

In December 2009, privacy advocates filed a complaint with the FTC following certain changes to Facebook privacy policies.   Specifically, the FTC complaint alleged that Facebook made aspects of its users' profiles - such as name, picture, and friends list - public by default and without user consent. The FTC stated that such actions violated user expectations of privacy and threatened the "health and safety" of users by exposing "potentially sensitive affiliations" such as political views and sexual orientation.

The FTC complaint also alleged other situations where Facebook "made promises that it did not keep," such as promising that it would not share information with advertisers or retain data that it promised users was deleted.

Cellular phones continue to play an increasing role in our daily lives, allowing us to stay "connected" 24/7.  That "connectivity", however, blurs and erodes the traditional notions of privacy in an individual's daily life.  Now, your boss, email, customers, and friends are never more than a button's push away.

How would you like to have the weight of the U.S. Federal Government behind you in combating piracy of your product?  And how would you like to have it for free?  If you answered no to both, perhaps you should reevaluate your business acumen.  For those who answered in the affirmative, please read on.

The free service is offered through the Office of Intellectual Property Rights (OIPR) of the U.S. Department of Commerce.  OIPR can assist your company in combating intellectual property piracy of your products.  After you have secured your intellectual property protections at home and abroad and taken local enforcement steps through the administrative or legal process, OIPR will step in on your behalf and work with the foreign government to target, confiscate and destroy the piracy items.

The Fourth Amendment protects an individual from unreasonable searches and seizures.  As it stands today, unless an individual has a reasonable expectation of privacy, local and federal law enforcement are not required to obtain a warrant prior to conducting a search. Does a person reasonably expect that law enforcement will attach a GPS tracking device to a vehicle to clandestinely monitor that person’s every movement?  The Department of Justice (DOJ) thinks so.