The recent Equifax data breach has been called the worst personal data breach in history. Over 143 million people have been affected. Experts are saying that it is safer to assume you were affected and take preventative measures immediately.
The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country-by-country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines of up to 20 million euros or 4% of a company’s prior-year worldwide revenue, whichever is higher. This is not a typo. Now that I have your attention, let’s break the GDPR down to 2 important questions.
Does my US business offer goods or services to EU residents? If the answer is yes, you are subject to the GDPR.
First, what is an EU resident? An EU resident is any individual who resides in any of the 28 member states that form the EU. This applies to anyone who resides in the EU; citizenship is NOT required. Second, there is no requirement that the company offering the goods or services be located in the EU. All that is required is that the individual resides in the EU. The GDPR focuses on the EU resident, known as the “data subject”, not on the “data controller”. Consider the following: does your company have a website? If your website collects data from an EU resident, you fall under the purview of the GDPR regardless of whether you have a physical business location in the EU or whether any business transaction was consummated between your business and the EU resident. The mere surfing of a Pennsylvania business’s website by an EU resident makes your business subject to the GDPR.
Cyber Security Month
October is Cyber Security Month. If your company uses any kind of computers, cell phones, networks, software, etc. to go about its business, then this month applies to what you do day in and day out. These technologies make our lives more advanced and efficient, but they also leave us open to security issues. Businesses large and small have to have plans and processes in place for how they deal with their digital technologies BEFORE something terrible happens. It can seem like a big undertaking for the little guy given that the big guys seem to be hit time and time again. Yahoo, for example, was recently the victim of yet another network security breach. One might ask what a small business can do with limited funds. After all, if large companies with departments solely dedicated to thwarting cyber intrusions cannot stop hackers, what can a small business do? The answer is simple – plenty.
Understand Your Business Network
A woman living in Staten Island must pay her flooring contractor $1,000. What did she do wrong? She posted a negative review on Yelp.com. While the First Amendment (freedom of speech) generally lets you critique your home improvement contractors (and anyone, for that matter) and comment upon their quality of work and professionalism, the judge in this case stated that the homeowner went too far when she called her contractor a “con artist” and said that he “robs” his customers and it is a “scam”.
Under Pennsylvania tort law, libel is defined as “a maliciously written or printed publication which tends to blacken a person’s reputation or expose him to public hatred, contempt or ridicule, or injure him in his business or profession.” Specifically, in an action for libel a plaintiff in Pennsylvania has the burden of proving each of the following:
- The defamatory character of the communication;
EMV stands for EuroPay, Mastercard and Visa, and starting next week it will be important for business owners to consider how they employ this payment method. On October 1, 2015 the liability for credit card fraud will shift to the business entity that employs the least effective security technology. In other words, in disputes between the merchant (store front owner) and the credit card issuer (for example, a Citizens Bank Visa), the party that uses non-compliant EMV technology will assume the liability for credit card fraud if the other party uses EMV technology. If neither party uses EMV technology, the liability rules remain unchanged.
So what is EMV technology and how does it work? Have you ever noticed that there is a shiny silver square on your new credit card? This is a computer chip, and it produces a code that EMV-compliant credit card terminals must receive in order to authorize the transaction. You will no longer “swipe” your card but rather insert it into the terminal. The code is constantly changing, making fraud much harder to commit. In addition, some issuers will also require a PIN to confirm the transaction. If either your credit card or the merchant’s terminal is not EMV compliant, the card, for now, will work as before by the swipe method. The only thing that has changed is the potential shift of liability. This is not new technology; Europe has been using it for years. For more information on EMV technology, click here.
While it makes sense for brick-and-mortar stores to switch to EMV-compliant terminals, it is less clear for online retailers. Right now major credit card companies are using two different systems for EMV online technology. MasterCard uses its “Chip Authentication Program” or CAP, and Visa offers its “Dynamic Passcode Authentication” or DPA. It is very similar to the choice between VHS and Betamax all over again. Which technology will prevail is anyone’s guess at this point. In the meantime, it’s best to understand what’s out there and make an informed decision for your business’s individual needs.
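Why a per-transaction code is harder to abuse than the fixed data on a magnetic stripe, as an added illustration that is not part of the original post: the block below is a deliberately simplified model (an HMAC over a transaction counter and amount, checked by a simulated issuer that rejects reused counters), not the actual EMV cryptogram algorithm. The card secret, card number and transaction values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed card secret shared only by the chip and the issuer.
CARD_SECRET = b"constructed-demo-card-secret"


def static_track_code(pan: str) -> str:
    """Magstripe-style data: the same value on every swipe, so a copy is
    indistinguishable from the original."""
    return f"{pan}|static-track-data"


def chip_code(secret: bytes, pan: str, counter: int, amount_cents: int) -> str:
    """Chip-style code: an HMAC bound to the transaction counter and amount,
    so every transaction yields a different value (simplified model)."""
    msg = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer-side authorization: recompute the expected code and refuse any
    counter that has already been used for this card."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = {}  # pan -> highest counter accepted so far

    def authorize(self, pan: str, counter: int, amount_cents: int, code: str) -> bool:
        expected = chip_code(self.secret, pan, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # code does not match this counter/amount
        if counter <= self.last_counter.get(pan, 0):
            return False  # replayed or out-of-order counter
        self.last_counter[pan] = counter
        return True


def demo() -> dict:
    """Run a genuine transaction, a replay, a tampered amount and a second
    genuine transaction; return the authorization outcomes."""
    pan = "4111111111111111"  # constructed test card number
    issuer = Issuer(CARD_SECRET)

    code1 = chip_code(CARD_SECRET, pan, 1, 2599)
    first = issuer.authorize(pan, 1, 2599, code1)
    # Someone who captured code1 presents it again: rejected (counter reused).
    replay = issuer.authorize(pan, 1, 2599, code1)
    # The captured code presented with a new counter and amount: rejected (no match).
    tampered = issuer.authorize(pan, 2, 99999, code1)
    # The next genuine transaction from the chip is accepted.
    code2 = chip_code(CARD_SECRET, pan, 2, 1000)
    second = issuer.authorize(pan, 2, 1000, code2)
    # Static track data never changes, which is why a copy "works".
    static_identical = static_track_code(pan) == static_track_code(pan)

    return {
        "first": first,
        "replay": replay,
        "tampered": tampered,
        "second": second,
        "static_identical": static_identical,
        "codes_differ": code1 != code2,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The issuer-side counter check is what turns "the code keeps changing" into a real defence: a terminal that only verified the HMAC would still accept a replayed code for the same amount.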
The Supreme Court continued its trend of significant decisions today, issuing rulings in favor of copyright holders over technological innovation (ABC v Aereo) and in favor of upholding privacy rights in the face of police searches (Riley v California). While the decisions were broad in scope, they also both created substantial unanswered questions that the Court is essentially pleading with Congress to resolve. From a political standpoint, that appears unlikely, and I predict both of these issues will be back before the Court in the not too distant future.
Looking first at the Riley case, the Court held that cell phones contain private information which the police are not entitled to review merely incident to an arrest. Unlike the contents of your pockets or items in plain view, the government now cannot access your cell phone without a warrant during an arrest. This rule applies to both smartphones and so-called dumb phones alike (the police viewed the incoming caller ID on one defendant’s older-style flip phone to determine where he lived), and actually signals real concern for future business cases.
While this may seem like a boon to privacy advocates, there are holes in this ban big enough to steer Google’s self-driving car through. First, there are exceptions for when the police believe they need to access your device in exigent circumstances. No warrant is required when the police are trying to prevent a disaster or save someone else. Second, the Border Search exemption does not come up in this case. This exemption, still on the books but possibly overruled by today’s decision, allows for a warrantless customs search anywhere within 100 miles of an international border. That includes our offices in Philadelphia, and most of the population of the US, who live within 100 miles of an international coastline. Is every police search now going to have a customs element to get around the Riley decision?
The bigger concern with this decision, from a business perspective, is the growing use by the Roberts Court of anecdotal evidence not truly before the Court. The Riley decision in some ways is based upon a faulty understanding of technology and how we interact with it on a daily basis. Justice Roberts cites the iPhone User Guide as definitive proof that “Law enforcement officers are very unlikely to come upon such a phone in an unlocked state because most phones lock at the touch of a button or, as a default, after some very short period of inactivity.” While many phones have this feature, it’s frequently not used. Various surveys have shown that between 40% and 70% of cell phone users don’t lock their phones. The Court similarly dismisses out of hand the potential for automatic wiping via geofencing as simply not a real concern. I’ll grant Justice Roberts that most criminals are not IT specialists, but it’s not difficult to set up a directive for your phone to be wiped if it enters the local police station. In fact, the controls to set that up are right in the apps at the heart of the Riley decision. Finally, the Court suggests merely turning the phone off or removing the battery as a way police can prevent a remote wiping signal, failing to understand that (i) many, if not most, new smartphones have integrated non-removable batteries; and (ii) a phone is not rendered completely inaccessible simply because it’s turned off.
The problem here is not the holding itself, which may actually be a bit of a pendulum swing against the destruction of privacy standards we’ve seen since 9/11. Rather, the issue I see is that the Court continues to decide cases based upon a misunderstanding of how people interact with technology. This has led to, and will continue to create, decisions which raise significant business issues. We’ll have more in the next few days on the Aereo decision, which even the Court acknowledged will hang over SaaS and cloud computing services for some time to come. But in the meantime, it’s clear that if we are going to continue to see technological growth, Congress needs to get on the ball and deal with some of these issues before they’re dumped at the courthouse steps.
I came across an interesting blog that was posted by a professional hacker whose job is to find vulnerabilities in top corporations’ IT security. His official title is “penetration tester”. Rather than just summarize what is already a short blog, I decided to just let the hacker speak for himself and tell you directly what he believes are the top 3 mistakes corporations make with their IT security programs. I think the top 3 will surprise you. Click here for the security blog.
The attorneys at Danziger Shapiro & Leavitt, PC can help you with developing your security protocols and smart phone/tablet work policies customized to the unique needs of your business. Call us today to set up a free consultation to discuss this and any other issue affecting your business.
It seems we cannot go a day without big news regarding online security and privacy, or the lack thereof. Most recently it was Target; tomorrow, who knows. California has always been at the forefront when it comes to protecting consumers and internet privacy. Thus it comes as no surprise that, as of January 1, 2014, every business with an online presence will need to comply with California’s amendment to its Online Privacy Protection Act. This recent amendment has teeth, and you must comply if a California resident visits your commercial website, whether from a computer or a mobile phone.
In a nutshell, privacy policies will now be required to state how the website responds to a web browser’s “do not track” option and whether the website allows third parties to collect personally identifiable information from users and across third-party websites. Failure to comply will cost you $2,500 for each violation. However, before any fine is imposed, the noncomplying business will be given 30 days to correct its privacy disclosures.
What is interesting about this new law is that while it places the onus on businesses to state how their website responds to a customer’s “do not track” option, it does not require the business to honor that request. We are truly operating in one unified economy and it is becoming increasingly important to be aware of the laws of other states as you do business on the global web.
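How a website actually "responds" to the browser’s Do Not Track signal, as an added example that is not part of the original post: the block below reads the `DNT` request header, decides whether a third-party analytics tag is emitted, and generates the two disclosures the amended law calls for from the same two policy flags the code enforces, so the privacy policy cannot drift from real behaviour. The `SITE_POLICY` flags, the `analytics.example` tag and the request headers are constructed assumptions; the `Tk` response header follows the W3C Tracking Preference Expression draft (`N` = not tracking, `T` = tracking). Note that several browsers have since dropped the DNT setting, so a site that states it honors the signal should still say what happens when no signal is sent.

```python
from typing import Mapping

# Constructed example policy: these two flags are an assumed way to keep the
# privacy-policy statement and the site's actual behaviour in one place.
SITE_POLICY = {
    "honors_dnt": True,              # suppress third-party tags when DNT: 1
    "third_party_collection": True,  # site normally embeds a third-party tag
}

# Hypothetical third-party analytics tag that collects data across sites.
ANALYTICS_TAG = '<script src="https://analytics.example/tag.js"></script>'


def dnt_requested(headers: Mapping[str, str]) -> bool:
    """True when the browser sent 'DNT: 1' (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def tracking_allowed(headers: Mapping[str, str], policy=SITE_POLICY) -> bool:
    """Decide whether the third-party tag may be included in this response."""
    if not policy["third_party_collection"]:
        return False
    if policy["honors_dnt"] and dnt_requested(headers):
        return False
    return True


def disclosure_text(policy=SITE_POLICY) -> str:
    """Generate the DNT and third-party disclosures from the enforced flags."""
    if policy["honors_dnt"]:
        dnt_line = ("This site honors Do Not Track: when your browser sends the "
                    "DNT signal, third-party tracking scripts are not loaded.")
    else:
        dnt_line = "This site does not respond to Do Not Track signals."
    if policy["third_party_collection"]:
        tp_line = ("Third parties may collect personally identifiable information "
                   "about your activity on this site and across other websites.")
    else:
        tp_line = ("Third parties do not collect personally identifiable "
                   "information through this site.")
    return dnt_line + " " + tp_line


def build_response(headers: Mapping[str, str], policy=SITE_POLICY) -> dict:
    """Assemble a minimal HTML response and set the Tk tracking-status header."""
    tracking = tracking_allowed(headers, policy)
    body = "<html><body><p>Hello</p>"
    if tracking:
        body += ANALYTICS_TAG
    body += "</body></html>"
    return {
        "status": 200,
        "headers": {"Content-Type": "text/html", "Tk": "T" if tracking else "N"},
        "body": body,
    }


if __name__ == "__main__":
    # Constructed requests: one browser with DNT enabled, one without.
    for hdrs in ({"DNT": "1", "User-Agent": "demo"}, {"User-Agent": "demo"}):
        resp = build_response(hdrs)
        print(hdrs, "->", "Tk:", resp["headers"]["Tk"],
              "tag present:", ANALYTICS_TAG in resp["body"])
    print(disclosure_text())
```

Keeping the disclosure and the enforcement on the same flags is the practical point: the law only requires you to say what you do, but a statement that disagrees with what the server actually emits is the easier thing to get wrong.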
For Immediate Release
Contact: Douglas M. Leavitt Danziger Shapiro & Leavitt, P.C.
Danziger Shapiro & Leavitt, P.C.
Announces Investigation of NQ Mobile, Inc.
PHILADELPHIA, PA, December 16, 2013 - Danziger Shapiro & Leavitt, P.C., a Philadelphia-based litigation law firm (www.DS-L.com), is investigating securities fraud claims against NQ Mobile, Inc. (NYSE: NQ). This inquiry centers on allegations that statements issued by NQ Mobile regarding its business operations and the company’s financial condition were deceptive and false.
NQ Mobile purports to provide security solutions for the mobile phone market. On October 24, 2013, a report issued by Muddy Waters stated that NQ Mobile had engaged in fraudulent practices by, among other things, vastly overstating its market share in China by asserting it had a 55% share of the market when in fact it had only a 1.5% market share, and that at least 72% of NQ Mobile’s alleged Chinese security revenue is fictitious. Upon the release of this news, in less than 36 hours, shares of NQ Mobile dropped approximately 56%, representing over $500 million in losses to investors.
Individuals who purchased NQ Mobile shares between May 5, 2013 and October 24, 2013 who would like to learn more about this investigation, have an interest in joining a class-action lawsuit, or have any questions concerning this announcement and their rights, should on or before December 23, 2013, contact Douglas M. Leavitt, Esquire: (215) 545-4830 or visit: www.DS-L.com. You may also email Mr. Leavitt at leavitt@DS-L.com.
This press release may be considered Attorney Advertising in some jurisdictions under the applicable law and ethical rules.
Earlier in the Fall I talked about NJ’s proposed privacy bill that would prohibit employers from requiring employees and job applicants to disclose their private social media account information. (Click here for prior post) Well, the law took effect December 1. Be mindful that this new law applies to all employers regardless of size.