When is the last time you actually sat down and read a privacy policy? What about writing one? In the last week, I have read some (painful), written and updated one (interesting) and started to consider how they drive (or not) actions around how people protect information. I think we need to reconsider our privacy [...]
Online Advertising: The Start of a Long Debate
November 26, 2007 By
Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect American’s online experience and not stifle internet growth…. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination. Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick…. The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising. Social-networking sites are also trying to earn profits by allowing large advertising firms mine to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them…. The court ruled against the plaintiffs citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user’s activities on a DoubleClick affiliated web site…. As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting…. Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits all model that would stifle the economics on which internet innovation relies upon…. The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements.The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.
[Focus on Privacy] E-Mail Privacy: A short-lived dream?
November 6, 2007 By
Basically, does the government need to rise to the level of requiring a subpoena in order to require your ISP to provide them a copy of your email records, and in the process, notify you that they have done so.Think about that for a second…. As a company, what standard is the government required to produce in order to compel you to provide email records – especially if you are an ISP or other email provider.Based on a landmark ruling this past summer, it appeared the easy answer was “yes.†In the ruling, the United States Court of Appeals for the 6th Circuit held that computer users had a “reasonable expectation of privacy†in their e-mail communications…. The humble beginningThe decision of the 6th Circuit arose out the government’s investigation into Steven Warshak and his company, Berkeley Premium Nutraceuticals, Inc. Warshak was being investigated due to allegation of mail and wire fraud, money laundering, and related federal offenses.
…The 6th Circuit disagreed, ruling that “a seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functional equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to a†a 4th Amendment violation. Why is email different?Most Internet users believe that they have a reasonable expectation of privacy in their electronic communications and would be shocked if government agents could snoop around their e-mail box…. As a result, the sender has forfeited any expectation that the ISP would keep the information private and the government should be able to access the content stored by the ISP without a showing of probable cause. Yet while the government is correct in arguing that e-mail is not akin to the telephone, their argument would eradicate any expectation of privacy for any type of communication which requires an intermediary. The fact that an ISP must store and copy the message does not mean that people expect their messages to be turned over to the government by their ISP.
Do Data-Breach Laws Give You The Power to Hold Corporations Liable?
November 1, 2007 By
Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect…. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.Minnesota PCI LegislationEffective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael).The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data…. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.†So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.Consequences for the Courts As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security break. The argument that courts have made in cases like Pisciotta will clearly be much weaker as states legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information…. Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they often blamed for such breaches…. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).Preparing for the changeAs a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion…. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and hopefully, will improve the way they guard information.
TSC Insight: Do Email Disclaimers Matter?
October 17, 2007 By
I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter?During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)…. With the help of Patrick Romero, this is what we found:Some Background on DisclaimersTurns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability…. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message…. However, ECPA defines “intercept†as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.  Can encryption provide privacy and confidentiality email?I have spent a lot of time reminding people recently that “solutions follow requirements†– and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption.I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications…. In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details).Encryption solutions are available for commercial and personal use…. Think before you press send.One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do).Every organization should put in place a company policy with regards to sending confidential information through e-mail…. In the end, some do, some don’t and you get to choseCurrently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à -vis e-mail disclaimers.
Engage with Michael Santarcangelo