Articles Posted in Internet Law

The General Data Protection Regulation (GDPR) was approved by the EU Parliament in April 2016.  The GDPR, in a nutshell, replaced an inconsistent patchwork of national data privacy laws with a single regulation that protects everyone residing in the European Union.  Please click here for my original post on the GDPR.  While the GDPR entered into force in May 2016, the law gave companies until May 25, 2018 to comply.  Well, that deadline has come and gone.  If you fail to comply, regulators can impose a fine of up to 20 million euros or 4% of worldwide annual revenue, whichever is higher.  This is NOT a typo!

Currently, there are no grace periods if your company still has not complied with the GDPR.  Additionally, as enforcement has been possible for less than one week, there is no precedent out there that we can use as guidance.  Regulators for EU member states have indicated different approaches to enforcement going forward.  One state regulator has implied that even if full compliance has not yet been achieved, the efforts made to attain compliance will be taken into account as a mitigating factor.  Other state regulators have simply stated that if they have reason to impose a fine, they will impose a fine.  To keep these national regulators consistent with one another, the GDPR also created the European Data Protection Board, which has only just begun its work.

Last month the Pennsylvania Supreme Court held that accessing any information from a cell phone without a warrant violates the Fourth Amendment to the U.S. Constitution.  The Fourth Amendment states, in a nutshell, that we shall be free from unreasonable searches and seizures.  In this particular criminal case, police officers powered on a cell phone that was recovered at the scene of an arrest, determined its number, connected it to a crime, and then obtained a warrant to monitor a phone number that was found in the cell phone.  This chain of events ultimately led to the arrest of the owner of the phone that the police had powered on without a warrant.  The PA Supreme Court stated there is “no exception for what police or courts may deem a ‘minimally invasive search.’”  The Court reasoned that a person’s expectation of privacy rests in the phone itself, and it went so far as to compare opening and powering on a cell phone to walking through the front door of someone’s house without a warrant.

Protection of Digital Rights

The Pennsylvania Supreme Court’s decision continues the movement towards the protection of digital rights.  While this case centered on criminal activity, it has clear implications in the business world.  SEC or DOJ investigations, internal audits and civil litigation will all be affected by this decision.  With virtually every adult in the business world carrying a cell phone, understanding one’s rights and obligations in this digital world can mean the difference between jail and freedom, termination for cause versus without cause, or turning over trade secrets when you are under no obligation to do so.  The laws that govern digital privacy are changing rapidly.  Indeed, I have had several New Jersey litigation cases where opposing counsel was not aware of New Jersey’s Social Media Law, which prohibits employers from requiring employees to provide access to their social media accounts (5th amendment issues).  Without that access, opposing counsel was unable to obtain the information needed to prove her case.

A Delaware business client recently asked me to review his commercial privacy policy to see if his website complied with current online privacy protection requirements.  Not surprisingly in this fast-paced and constantly changing digital landscape, the website failed because it did not clearly provide a link to its privacy policy on the home page.  And this is putting aside the fast-approaching May 25, 2018 GDPR compliance deadline and its severe financial consequences for noncompliance.  The Delaware Online Privacy and Protection Act has three stated goals, but for purposes of this alert I will focus only on the commercial purpose.  Operators of an internet service must conspicuously post their “privacy policy” if they collect personally identifiable information of Delaware residents.  To better understand this, let’s break it down into its component parts.

Operators of an Internet Service

The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country-by-country approach to how companies were required to handle the personal data of European Union (EU) residents.  The EU Parliament approved the GDPR last month, and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines of up to 20 million euros or 4% of the company’s prior-year worldwide revenue, whichever is higher.   This is not a typo.  Now that I have your attention, let’s break the GDPR down into 2 important questions.

Does my US business offer goods or services to EU residents?  If the answer is yes, you are subject to the GDPR.

First, what is an EU resident?  An EU resident is any individual who resides in any of the 28 member states that form the EU.  Citizenship is NOT required.  Second, there is no requirement that the company offering the goods or services be located in the EU.  The GDPR focuses on the EU resident, known as the “data subject,” and not on where the “data controller” sits.  Consider the following: does your company have a website?  If that website collects personal data from EU residents because it offers them goods or services (for example, prices in euros, shipping to EU addresses or an EU-language version of the site) or monitors their behavior (for example, tracking cookies or analytics profiling), your business falls under the purview of the GDPR regardless of whether you have a physical business location in the EU or any business transaction was consummated between your business and the EU resident.  One caveat: the GDPR’s own recitals say that the mere fact that a Pennsylvania business’s website can be reached from the EU is not, by itself, enough.  But an ordinary commercial site that tracks every visitor with third-party analytics, EU visitors included, can easily amount to “monitoring,” so do not assume you are out of reach.

Cyber Security For the Small Business

Cyber Security Month

October is Cyber Security Month. If your company uses any kind of computers, cell phones, networks, software, etc. to go about its business, then this month applies to what you do day in and day out. These technologies make our lives more advanced and efficient, but they also leave us open to security issues. Businesses large and small have to have plans and processes in place for how they deal with their digital technologies BEFORE something terrible happens.  It can seem like a big undertaking for the little guy, given that the big guys seem to be hit time and time again. Yahoo, for example, was recently the victim of yet another network security breach. One might ask what a small business can do with limited funds.   After all, if large companies with departments solely dedicated to thwarting cyber intrusions cannot stop hackers, what can a small business do?  The answer is simple: plenty.

  • Understand Your Business Network

A woman living in Staten Island must pay her flooring contractor $1,000. What did she do wrong? She posted a negative review on Yelp.com. While the First Amendment (freedom of speech) generally lets you critique your home improvement contractors (and anyone else, for that matter) and comment on the quality of their work and professionalism, the judge in this case found that the homeowner went too far when she called her contractor a “con artist” and said that he “robs” his customers and that his business is a “scam.”

Under Pennsylvania tort law, libel is defined as “a maliciously written or printed publication which tends to blacken a person’s reputation or expose him to public hatred, contempt or ridicule, or injure him in his business or profession.” Specifically, in an action for libel a plaintiff in Pennsylvania has the burden of proving each of the following:

  1. The defamatory character of the communication;

EMV stands for Europay, Mastercard and Visa, and starting next week it will be important for business owners to consider how they handle this payment method. On October 1, 2015 the liability for counterfeit card fraud at the point of sale shifts to the party in the transaction that has not adopted EMV (chip) technology. In other words, in a dispute between the merchant (store front owner) and the card issuer (for example, a Citizens Bank Visa), if the issuer has put a chip on the card but the merchant’s terminal cannot read it, the merchant now bears the loss; if the merchant has a chip-capable terminal but the issuer has not issued a chip card, the issuer bears it. If neither party uses EMV technology, the liability rules remain unchanged.

So what is EMV technology and how does it work? Have you ever noticed that your new credit card has a shiny silver square? That is a computer chip. For every transaction it produces a cryptogram, a unique code computed from the transaction details and a secret key stored inside the chip, and an EMV-compliant terminal must pass that code to the card issuer before the transaction is authorized. You will no longer “swipe” your card but rather insert it into the terminal. Because the code is different for every transaction, data captured from one purchase cannot be reused to make a counterfeit card, which is what makes fraud much harder. In addition, some issuers will also require a PIN to confirm the transaction. If either your credit card or the merchant’s terminal is not EMV compliant, the card will, for now, work as before by the swipe method. The only thing that has changed is the potential shift of liability. This is not new technology; Europe has been using it for years. For more information on EMV technology, click here.
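As an added illustration of the chip-versus-swipe difference described above (this is example code written for this page, not code from the original post, and a simplified model rather than the EMV specification: it uses HMAC-SHA256 where real EMV uses a 3DES or AES CBC-MAC under an issuer-derived card key, and the card number, keys, amounts and track data are constructed samples), the Python below models a chip card that MACs each transaction over the amount, a terminal-chosen nonce and an ever-increasing transaction counter, an issuer that rejects replays and altered amounts, and, for contrast, a magnetic stripe whose static track data a skimmer can copy and reuse:

```python
"""Simplified model of why an EMV chip transaction resists counterfeiting
while a magnetic-stripe swipe does not.

Added illustration, not code from the post and not the EMV specification:
real EMV uses 3DES/AES CBC-MACs with issuer-derived card keys (EMV Book 2);
here HMAC-SHA256 stands in for the cryptogram MAC so the example runs
offline. PAN, keys, amounts and track data below are constructed samples.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _transaction_bytes(pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    """Fixed-width encoding of the data the cryptogram commits to."""
    return pan.encode() + amount_cents.to_bytes(6, "big") + atc.to_bytes(2, "big") + nonce


@dataclass
class Card:
    """Chip card: a per-card secret plus an Application Transaction Counter (ATC)
    that increases on every transaction and never goes backwards."""
    pan: str
    card_key: bytes
    atc: int = 0

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Card side: bump the ATC, then MAC the transaction data.
        terminal_nonce plays the role of EMV's 'unpredictable number', chosen by
        the terminal so the card cannot precompute cryptograms."""
        self.atc += 1
        data = _transaction_bytes(self.pan, amount_cents, self.atc, terminal_nonce)
        arqc = hmac.new(self.card_key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": arqc}


@dataclass
class Issuer:
    """Issuer host: knows each card's key and the highest ATC it has accepted."""
    card_keys: dict
    last_atc: dict = field(default_factory=dict)

    def authorize(self, msg: dict) -> bool:
        key = self.card_keys.get(msg["pan"])
        if key is None:
            return False
        data = _transaction_bytes(msg["pan"], msg["amount"], msg["atc"], msg["nonce"])
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # forged, or transaction data altered after the card signed it
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False  # replay of a cryptogram the issuer has already accepted
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def magstripe_authorize(known_track_data: set, presented: bytes) -> bool:
    """Magnetic stripe for contrast: the card presents the same static bytes every
    time, so a skimmer's copy is indistinguishable from the genuine card."""
    return presented in known_track_data


def demo() -> dict:
    """Run four chip scenarios and one stripe scenario; return the outcomes."""
    key = os.urandom(16)
    card = Card(pan="4111111111111111", card_key=key)  # constructed sample PAN
    issuer = Issuer(card_keys={card.pan: key})

    msg = card.generate_cryptogram(1999, os.urandom(4))
    genuine = issuer.authorize(msg)            # real card, chip terminal: accepted

    replay = issuer.authorize(msg)             # same message again: ATC not fresh

    tampered = dict(msg, amount=1, atc=msg["atc"] + 1)
    tamper = issuer.authorize(tampered)        # fresh ATC, but the MAC no longer matches

    genuine_again = issuer.authorize(card.generate_cryptogram(500, os.urandom(4)))

    track = b"%4111111111111111^DOE/JANE^2512101?"  # constructed track-1 data
    stripe_clone = magstripe_authorize({track}, bytes(track))  # skimmed copy

    return {"genuine": genuine, "replay": replay, "tamper": tamper,
            "genuine_again": genuine_again, "stripe_clone_accepted": stripe_clone}


if __name__ == "__main__":
    print(demo())
```

Running demo() accepts both genuine chip transactions and rejects the verbatim replay and the re-priced copy, while the skimmed stripe data is accepted as readily as the original card. That asymmetry is what the October 1, 2015 liability shift prices in: a merchant who keeps swiping has no way to tell a clone from the real card, so the loss moves to them.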

While it makes sense for brick-and-mortar stores to switch to EMV-compliant terminals, the picture is less clear for online retailers, where there is no terminal to read the chip. Right now the major card brands offer two different chip-based schemes for online authentication: MasterCard’s “Chip Authentication Program,” or CAP, and Visa’s “Dynamic Passcode Authentication,” or DPA. Both have the cardholder insert the card into a small handheld reader that uses the chip to generate a one-time code for the online purchase, but they are offered as separate products.  It is very similar to the choice between VHS and Betamax all over again. Which technology will prevail is anyone’s guess at this point. In the meantime, it’s best to understand what’s out there and make an informed decision for your business’s individual needs.

The Supreme Court continued its trend of significant decisions today, issuing rulings in favor of copyright holders over technological innovation (ABC v Aereo) and in favor of upholding privacy rights in the face of police searches (Riley v California). While the decisions were broad in scope, they also both created substantial unanswered questions that the Court is essentially pleading with Congress to resolve. From a political standpoint, that appears unlikely, and I predict both of these issues will be back before the Court in the not too distant future.

Looking first at the Riley case, the Court held that cell phones contain private information which the police are not entitled to review merely incident to an arrest. Unlike the contents of your pockets or items in plain view, the government now cannot access your cell phone without a warrant during an arrest. This rule applies to smartphones and so-called dumb phones alike (the police viewed the incoming caller ID on one defendant’s older-style flip phone to determine where he lived), and it signals real concern for future business cases.

While this may seem like a boon to privacy advocates, there are holes in this ban big enough to steer Google’s self-driving car through. First, there is an exception for exigent circumstances: no warrant is required when the police are trying to prevent a disaster or save someone’s life. Second, the border search exemption did not come up in this case. That exemption, still on the books but possibly overruled by today’s decision, allows a warrantless customs search anywhere within 100 miles of an international border. That includes our offices in Philadelphia, and most of the population of the US, who live within 100 miles of an international border or coastline. Is every police search now going to be given a customs element to get around the Riley decision?

The bigger concern with this decision, from a business perspective, is the Roberts Court’s growing use of anecdotal evidence not truly before the Court. The Riley decision is in some ways based on a faulty understanding of technology and how we interact with it on a daily basis. Chief Justice Roberts cites the iPhone User Guide as definitive proof that “Law enforcement officers are very unlikely to come upon such a phone in an unlocked state because most phones lock at the touch of a button or, as a default, after some very short period of inactivity.” While many phones have this feature, it is frequently not used; various surveys have put the share of cell phone users who don’t lock their phones at anywhere between 40% and 70%. The Court similarly dismisses out of hand the potential for automatic wiping via geofencing as simply not a real concern. I’ll grant the Chief Justice that most criminals are not IT specialists, but it is not difficult to set up a rule that wipes your phone if it enters the local police station; in fact, the controls to set that up are right in the apps at the heart of the Riley decision. Finally, the Court suggests merely turning the phone off or removing the battery as a way police can prevent a remote wiping signal, failing to appreciate that (i) many, if not most, new smartphones have integrated, non-removable batteries; and (ii) a phone is not rendered completely inaccessible simply because it is turned off.

The problem here is not the holding itself, which may actually be a bit of a pendulum swing back against the erosion of privacy standards we’ve seen since 9/11. Rather, the issue I see is that the Court continues to decide cases based on a misunderstanding of how people interact with technology. This has led to, and will continue to create, decisions that raise significant business issues. We’ll have more in the next few days on the Aereo decision, which even the Court acknowledged will hang over SaaS and cloud computing services for some time to come. But in the meantime, it’s clear that if we are going to continue to see technological growth, Congress needs to get on the ball and deal with some of these issues before they are dumped at the courthouse steps.

I came across an interesting blog post written by a professional hacker whose job is to find vulnerabilities in top corporations’ IT security. His official title is “penetration tester.” Rather than summarize what is already a short post, I decided to let the hacker speak for himself and tell you directly what he believes are the top 3 mistakes corporations make with their IT security programs. I think the top 3 will surprise you. Click here for the security blog.

The attorneys at Danziger Shapiro & Leavitt, PC can help you with developing your security protocols and smart phone/tablet work policies customized to the unique needs of your business. Call us today to set up a free consultation to discuss this and any other issue affecting your business.