Privacy law is a mess

The title says it all – what should smaller companies do to comply with privacy laws?

California has now finalized the California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100 to 1798.199 – well, at least for now (please note that this link does not have all of the law changes in it as of the posting of this article). It goes into effect 1/1/2020. Regulations under it will not be issued until December at the earliest and are likely to change over time. While it is a net gain for California consumers, it is a complex law with many incidental effects and traps for the unwary business. How does a small business deal with this mess? Before we address that, let’s discuss some background:

Why is CCPA important?

The CCPA is important because so many businesses do business with California consumers that California law is the “highest common denominator” – meaning, instead of trying to comply with disparate laws in 50 states, a business could target compliance with the most onerous law (typically California law in the pro-consumer sense), and then hope for the best that such compliance will also satisfy the other states’ laws. This does not always work – for example, Illinois has a much harsher biometric security law than California, and New York has very detailed personal information protection laws and rules as well, particularly in the financial/banking sector. So, a slight modification of the above strategy is to target the “top 3” laws (i.e. California, Illinois and New York) and again hope for the best in other states. And finally, there is the modified “top 3” strategy of adding compliance with the General Data Protection Regulation of the EU (GDPR).

What many larger companies have done is simply target compliance with the GDPR worldwide, assuming it is the most onerous pro-privacy law. However, the CCPA has provisions that differ from, and add to, the GDPR; for example, its regulation of businesses that sell personal information, and of those that broker such sales, has no real direct counterpart under the GDPR.

How does this affect small business?

Many small businesses may think they are not subject to these privacy laws because they do not “do business” in a particular state, or in the European Union. Those are interesting issues – whether a state can constitutionally hold a remote business liable under its privacy law when that business interacts solely electronically with a resident of the state, or whether the GDPR regulators can fine, and enforce such fines against, a small US business that has no offices, employees or other contacts in the EU. The practical problem, however, is that many small businesses contract with larger businesses that are subject to those laws and regulators, and those contracts will require the small business to comply with those laws indirectly. This is particularly true in heavily regulated industries such as banking and health care, where regulators apparently force their member banks to impose liability on third party vendors.

In addition, when a small business goes to sell or merge, the buyer – typically a larger entity – may apply these rules and regulations in analyzing the level of data risk it will carry post transaction. If the small business has not thought about basic data privacy and data security, this can negatively impact the value of the business.

So, what should a small business do (and, what are the key provisions of CCPA)?
  1. First, do not ignore remote state laws like CCPA or the GDPR. Someone in the organization should be assigned the responsibility, and be given reasonable time, to make a true assessment of the data privacy and security risks of the company. Ideally that person would have a “C” designation (CIO, CTO, CPO etc) and be incentivized to diligently complete such tasks. The business should neither marginalize nor minimize such role.
  2. Second, do a data inventory – what data is the business collecting? Why? Does it really need it? Where is it collecting this data from (the web, forms, manual entry, data harvesting/scraping, third party lists etc)? What agreements are there with those data sources (this includes terms of service)? Is this information personal information? What type of personal information (i.e. is it sensitive personal information)? Basically, this is a review of all inbound data flow.
  3. Third, determine where the collected data is being disclosed or shared. This can be the critical step – because if the information being collected is personal information, and particularly if it is sensitive information, this can have significant impacts if there is a data breach. Do adequate agreements cover that data exchange? Is the data encrypted? Should it be? Has any audit or review of the recipient been done to determine the adequacy of their data protection systems? Basically, this step involves tracing all outbound data flows, and determining the business need for the disclosure and the risk level such disclosure presents.
  4. Fourth, assess the computer systems used to capture, store, and transmit data, to determine weaknesses in security where a data breach can occur. Computer security is hard, period. It is way harder today when it is not just your own computer security, but the security of every link in the data disclosure chain.
  5. Fifth, consider what tools to use to address risk. Do you throw technology at the issue, like better intrusion protection, detection systems, universal threat management devices, etc.? Do you hire experts, which may be costly? Both? Do you have proper agreements in place? Indemnity? Does the downstream recipient have insurance? Are you sure about that? Do you have insurance? Do contracts you have require insurance? Be especially careful with insurance – a good insurance broker will be up on all the various changes in insurance policies that claim to cover “cyber liability” (a generic term that is meaningless without specific context). You simply cannot determine what insurance you need if you have not performed steps 1-4 above.
  6. Sixth, engage in continuous review and management. Hackers are not static, they evolve – your systems must be maintained and modified to address new threats and issues, be updated and patched, and monitored for threats. See item 1 – it is why a dedicated C level person and/or team need to be in place to really address these issues.

The key provisions of CCPA as they relate to small businesses are below:

  1. It only applies to certain “businesses” – namely – a business that has annual gross revenues in excess of $25,000,000; or that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  2. A consumer has a right to an accounting – essentially, a consumer can request that a business disclose to the consumer the categories and specific pieces of personal information the business has collected.
  3. A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer, subject to several exceptions.
  4. A consumer has the right to an accounting of personal information that has been transferred by the business to third parties, subject to several exceptions. These rights are enhanced if the business “sells” that personal information.
  5. A consumer has the right to terminate the sale of its personal information. It is important to note that the law does not force a business to offer a service to a consumer who makes such an opt out – in other words, a business can condition its service on the right to sell the information. However: (a) a business cannot sell personal information of consumers under 16 (if they know they are under 16) without express opt in, and for consumers under 13, the parent or guardian must opt in; and (b) a business cannot discriminate against a consumer who exercises any of their rights under the law.
  6. A business must provide two methods of contacting the business to exercise these rights – one of which is a toll free number, unless the business transacts business solely online and has a direct relationship to the consumer, in which case such online business need only provide an email address to send such requests. There are affirmative disclosure requirements for websites of businesses that are subject to the law. Businesses that sell personal information have additional affirmative disclosure requirements for their websites.
  7. A consumer whose personal information has been breached now has an affirmative damage remedy. Previously there was uncertainty in the law as to whether actual damage or harm would have to be shown to recover, or just the risk of future harm. In general the cases have held that actual harm is required, but vary in what they view as “actual harm.”
  8. Significant daily penalties can be assessed for non-compliance after a 30 day notice period.

The above is only a general overview. However, some of those rights, for example, the right to onward transfer accounting, the right to delete information, and the right to opt out, present not only legal compliance issues, but significant technical hurdles. For many small businesses, their systems were not designed this way, and/or they have so many disparate systems where data is duplicated, that it might be hard or nearly impossible to comply. If a small business runs through the above checklist and gets a handle on the who, what, where, when and why questions, it will be easier to then assess the “how hard to comply” question.

For more information or assistance in data security and privacy law compliance, please contact Mike Oliver.

Misconfigured Server costs firm £80,000

Question: How do you cost your company £80,000 with one relatively small computer error?

(Short) Answer: You misconfigure an FTP (file transfer protocol) server . . . and forget and leave it running.

This was the lesson Life at Parliament View Limited recently learned when the Information Commissioner’s Office (https://ico.org.uk) fined it £80,000 for violating the 7th principle of the Data Protection Act 1998 (“DPA”). See https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf. ICO could have fined it £500,000 (the maximum under that act) – but chose to only implement 16% of the maximum fine.

What happened? Life at Parliament needed to mass transfer personal data – though not particularly sensitive data (note 1) – to a data processor, and chose to use an FTP server. They intended to use a feature of this server to require a username and password, but the technicians misunderstood the server documentation from Microsoft, and ended up putting the server in Anonymous Authentication mode. In addition, “The FTP server was further misconfigured in that whilst approved data transfers were encrypted, personal data transmitted to non-approved parties was not. As such, transfers of personal data over FTP to non-approved parties had the potential to be compromised or intercepted in transit.” (Though not explained in the opinion, this was likely a fallback setting that allowed the server to transmit over a non-encrypted channel if the receiving party did not have a secure channel available.) The server was left in this condition for just shy of 2 years. Computer logs showed over 500,000 anonymous data requests. Eventually a hacker (well, really a person with ordinary computer skill who located the open FTP server) who had obtained the data began extorting Life at Parliament.

While the failure of basic computer security is plain in this case, it is noteworthy that ICO also found the following violations:

  1. Post configuration of the server, LPVL failed to monitor access logs, conduct penetration testing or implement any system to alert LPVL of downloads from the FTP server, which would have facilitated early detection and containment of the breach;
  2. Failure to provide staff with adequate and timely training, policies or guidance either in relation to setting up the FTP server, or information handling and security generally.
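The two findings that turned an ordinary misconfiguration into a £80,000 penalty – anonymous access plus no monitoring of downloads – are both visible in an FTP server’s own access log. The script below is an added example (it is not from the ICO decision and not Life at Parliament’s or Microsoft’s code) of the kind of log check that would have surfaced the problem within hours rather than two years. It assumes an IIS-style W3C extended log whose `#Fields:` header names the columns, and the log lines in it are constructed for the example. It flags any successful download in a session that logged in as anonymous, any download in a session that never negotiated TLS on the data channel (the “transfers to non-approved parties were not encrypted” finding), and any single client pulling more than a threshold number of files.

```python
"""Detection over IIS-style FTP access logs (W3C extended format).

Added example: parses the #Fields: header to locate columns, tracks each FTP
session, and raises findings for (1) downloads by an anonymous user,
(2) downloads before the session issued PROT P (TLS-protected data channel),
and (3) one client exceeding a download threshold.  The sample log is
constructed for this example; the field names follow the W3C convention that
IIS uses but the layout is an assumption, not a copy of a real log.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-session
2019-03-01 09:00:01 203.0.113.10 - USER anonymous 331 S1
2019-03-01 09:00:01 203.0.113.10 anonymous PASS *** 230 S1
2019-03-01 09:00:05 203.0.113.10 anonymous RETR /tenants/applications.csv 226 S1
2019-03-01 09:00:06 203.0.113.10 anonymous RETR /tenants/passport_scans.zip 226 S1
2019-03-01 09:00:07 203.0.113.10 anonymous RETR /tenants/bank_statements.zip 226 S1
2019-03-01 10:15:00 198.51.100.7 - AUTH TLS 234 S2
2019-03-01 10:15:00 198.51.100.7 - USER transfer-svc 331 S2
2019-03-01 10:15:01 198.51.100.7 transfer-svc PASS *** 230 S2
2019-03-01 10:15:01 198.51.100.7 transfer-svc PROT P 200 S2
2019-03-01 10:15:03 198.51.100.7 transfer-svc RETR /export/batch-0301.csv 226 S2
2019-03-01 11:00:00 192.0.2.44 - USER transfer-svc 331 S3
2019-03-01 11:00:01 192.0.2.44 transfer-svc PASS *** 230 S3
2019-03-01 11:00:02 192.0.2.44 transfer-svc RETR /export/batch-0302.csv 226 S3
"""

ANONYMOUS_NAMES = {"anonymous", "ftp", "-"}


@dataclass
class Session:
    client: str
    user: str = "-"
    data_channel_tls: bool = False          # set once PROT P succeeds
    downloads: list = field(default_factory=list)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log data appeared before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip malformed lines, keep monitoring
        yield dict(zip(fields, values))


def analyse(text, bulk_threshold=2):
    """Return a list of (finding, session_id, client_ip, detail) tuples."""
    sessions = {}
    per_client = defaultdict(int)
    findings = []
    for rec in parse_w3c(text):
        sid = rec["x-session"]
        s = sessions.setdefault(sid, Session(client=rec["c-ip"]))
        method = rec["cs-method"].upper()
        arg = rec["cs-uri-stem"]
        status = rec["sc-status"]
        if method == "USER":
            s.user = arg                    # name offered at login
        elif method == "PROT" and arg.upper() == "P" and status == "200":
            s.data_channel_tls = True       # data transfers now TLS-protected
        elif method == "RETR" and status.startswith("2"):
            s.downloads.append(arg)
            per_client[s.client] += 1
            if s.user.lower() in ANONYMOUS_NAMES:
                findings.append(("anonymous_download", sid, s.client, arg))
            if not s.data_channel_tls:
                findings.append(("unencrypted_download", sid, s.client, arg))
            if per_client[s.client] == bulk_threshold + 1:   # fire once per client
                findings.append(("bulk_download", sid, s.client,
                                 f"more than {bulk_threshold} files"))
    return findings


if __name__ == "__main__":
    for kind, sid, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:22s} session={sid} client={ip} {detail}")
```

Run against the constructed log, session S1 produces anonymous and unencrypted findings for every file plus one bulk alert, S3 is flagged only for pulling data over a data channel that never negotiated TLS, and the properly authenticated, TLS-protected session S2 produces nothing. In production the same logic would run on a schedule over the live log directory and feed an alert rather than print.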

ICO has been very active in the general data protection space and issuing fines, and this decision – while an easy one in light of the poor computer security practices – is telling because ICO found secondary violations in post implementation failures to detect and train.

The same tendency is happening in the US – the FTC and State Attorneys General are increasing their oversight of data protection, and several states (e.g. California’s CCPA) are enacting new data protection and data oversight requirements. While the FTC has had some wins (see a recent order against a car dealer, no fine but consent order, where unencrypted data was exposed for 10 days – https://www.ftc.gov/news-events/press-releases/2019/06/auto-dealer-software-provider-settles-ftc-data-security), and at least one major setback in its efforts against LabMD (http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf), it is likely that the government regulators will start going after companies that have engaged in less egregious data security violations, but nevertheless have lax training or monitoring set up, and probably also pursue smaller businesses who may not have the resources to have a robust security system and training.

For more information on our data security and privacy practice contact Mike Oliver.

_______________________

(note 1): The data consisted of “The types of personal data potentially compromised included names, phone numbers, e-mail addresses, postal addresses (current and previous), dates of birth, income/salary, employer details (position, company, salary, payroll number start date, employer address & contact details), accountant’s details (name, email address & phone number). It also contained images of passports, bank statements, tax details, utility bills and driving licences of both tenants and landlords.”

6th Anniversary Retrospective

Another year passes as quickly as the last – it seems they come and go more rapidly the older we become. Kim and I embarked on this adventure 6 years ago to the day – literally, it was a Wednesday – a typical work day for most people. Back then it was nothing even close to a regular work day for us. Looking forward back then there were a lot of unknowns – office space, staff needs, what clients would come with us, what software would we use, what 401k provider, payroll processing, accountant, insurance firms, and on and on . . . it was one thing after another we forgot or did not realize or had to scramble to fix. Going through all the pain of a true new business startup has helped us understand the obstacles and issues faced by our most typical client, the entrepreneur.

Six years in, of course, all of that uncertainty is gone, we have firm operations down to a science so to speak, and at this point we are just tweaking and making small adjustments. Our practice has grown but not in giant increments, more in steady increments (our trademark practice has grown significantly however). Our goal has never been growth, but rather finding ways to be as responsive as we can to clients, who ever more frequently want faster and more efficient service.

While we do not set formal goals, every year we look forward and back and see what we did well and not so well, and ask how can we improve in the future to do more things better, and avoid our past mistakes. This has been a challenge because our practice focus – intellectual property, data privacy and security, and corporate law all change as fast as technology is changing. It is just a lot of work.

Rapid legal changes and our general workload explains why we have been busy working, and not really able to do much in the way of blogging, marketing or sending email newsletters. Our patent practice, however, has recently opened a new site at www.baltimorepatent.com where we will make an effort to post more content in the patent law area to help our clients and referral sources better understand the benefits and costs of securing patents.

We again thank all of our clients, referral sources, employees and our family and friends – without all of you we could not have made it this far, and without you we would have no future. We truly do look forward to many years to come helping our clients navigate in these complex and challenging areas of law.

Congratulations to Donna Stevenson Robinson for recognition as one of Maryland’s Top 100 Women

Oliver & Grimsley would like to congratulate Donna Stevenson Robinson of Oliver & Grimsley’s client Early Morning Software, Inc (EMS) and PRiSM Compliance Management (PRiSM) on being named one of Maryland’s Top 100 Women by The Daily Record. Nominees are judged by business professionals and past winners based on their professional abilities, commitment to their communities, and their role with mentoring.

Donna serves as president and CEO of EMS – her firm develops and publishes PRiSM – a secure, web-based portal that tracks contract spending while producing corporate, federal, state, and local program reports that facilitate private, federal, and custom diversity program management.

Congratulations Donna from the entire Oliver & Grimsley team!

Book Wars: Romance Novelist Seeks to Block Others from Using “Cocky” Trademark

If you search for books with the word “COCKY” in the title, the romance genre offers a large selection. One author in particular appears to be building a series of books with titles created as a play on words based on the main characters’ last names, Cocker. Thus, the books feature titles with the word “COCKY,” including titles such as “Cocky Roomie” and “Cocky Senator”.

The term “COCKY” is the subject of a recently registered trademark that has spurred quite the controversy. In April, romance author Faleena Hopkins, through her company Hop Hop Productions Inc., received a certificate from the United States Patent and Trademark Office (USPTO) granting her a trademark registration for use of the word “COCKY” in connection with goods for “a series of books and downloadable e-books in the field of romance.” Under U.S. Trademark laws, 15 U.S.C. §§ 1051, 1052, and 1127, more than one book is required in order to apply for a trademark for the title of a book series. See also TMEP 1208 et seq. The title of a single creative work is not registrable on either the Principal or Supplemental Trademark Register. Herbko Int’l, Inc. v. Kappa Books, Inc., 308 F.3d 1156, 1162, 64 USPQ2d 1375, 1378 (Fed. Cir. 2002) (“the title of a single book cannot serve as a source identifier”).

Since obtaining the U.S. Trademark Registration Certificate for COCKY, Hopkins has been asserting her registered trademark in cease and desist letters and threatening litigation against novelists in romance and other genres in order to force them to change the titles of their respective books. The world of romance e-books is mostly filled with self-published authors – generally meaning that these authors don’t have the commercial revenue to fight lawsuits, or design new cover art and promotional materials in order to comply with demands or risk their works being removed from online retailers such as Amazon.

Romance Writers of America hired an intellectual property lawyer to assist authors affected by the “COCKY” owner’s recently issued trademark and aggressive enforcement tactics. Retired lawyer turned writer Kevin Kneupper filed a Petition for Cancellation with the USPTO. In response to this action, Hopkins, through her attorneys, filed for a preliminary injunction and a temporary restraining order in the Southern District of New York against Kneupper and writers Tara Crescent and Jennifer Watson, authors accused of violating the trademark. Hopkins argued that the social media tirade against her has resulted in popular hashtags, such as #CockyGate and #ByeFaleena, and has directly affected her sales and income. On June 1st, a federal judge denied Hopkins’ motion and dismissed Kneupper from the lawsuit.

Hop Hop Productions, Inc. is also asserting ownership of a second “COCKY” trademark, a stylized design wordmark featured in the cover art title of the books. The font used was allegedly created by Set Sail Studios, which is owned by graphic designer Sam Parrett. Parrett recently sent a cease and desist letter to Hopkins and asserted ownership claims in connection with the font. At this time, Hop Hop Productions, Inc. remains the registered owner of this trademark in the USPTO. However, the USPTO provides means for parties to contest ownership, such as by procedural means of opposition of allowed trademarks or cancellation of registered trademarks.

Trademark rights provide an owner with a right to stop unauthorized third-parties from using the same or similar mark on similar or related goods in order to reduce the likelihood of consumer confusion. Trademark owners should seek legal counsel on evaluating enforcement methods and tactics prior to taking any action. Challenges or consequences may exist, such as third parties taking actions to oppose allowed trademarks or cancel registered trademarks, along with posts made to social media related to a matter.

***For more information on this topic or other trademark matters, please contact Pamela K. Riewerts, Esq., a partner at Oliver & Grimsley, LLC at: pamela@olivergrimsley.com.