By Corporate Law Practice Group
As a business owner, you’ve heard a lot about the European Union’s General Data Protection Regulation (GDPR). April 16, 2022, marks the six-year anniversary of its enactment. It has become a model for data privacy laws around the globe.
GDPR applies to any entity anywhere that processes personal data of individuals located in the European Economic Area (EEA). Non-European companies, including those in the U.S., must also comply with its stringent requirements.
By contrast, the U.S. has no national data privacy statute. Data privacy in the U.S. is governed by a patchwork of federal statutes and regulations (e.g., HIPAA) and state laws (e.g., the California Consumer Privacy Act). Additionally, every state has its own data breach notification law. The result is that when a business with customers in the U.S. experiences a data breach, it has to determine its obligations in multiple jurisdictions. An online retailer has to identify its obligations under the myriad laws of all 50 states plus Washington, D.C., Guam, Puerto Rico, and the Virgin Islands.
Different states’ data breach notification laws contain similar features, but there are numerous variations. Common requirements include notifications to affected individuals, state attorney general offices, and credit reporting agencies. However, the timing, content, and method of these notifications vary from state to state. Some states, including Missouri, require notice to affected individuals “as expeditiously as possible.” Other states set a hard deadline, such as Alabama’s 45-day rule. Indiana allows businesses to notify their customers via email; Illinois does not (without prior customer consent). North Carolina requires notice to the Attorney General’s Office if a breach affects even one person, but Arizona only requires notification if at least 1,000 Arizonans are affected.
Even the definitions of “personally identifiable information” and “breach” are not universal. To make things more difficult, states frequently update their statutes. In 2021 alone, at least 22 states introduced or considered measures to amend existing security breach laws.
03/24/22 3:38 PM
Cybersecurity, Data Privacy, Digital Media
Happy 6th Anniversary, GDPR!
By Corporate Law Practice Group
Social media has officially taken over our lives. The statistics only confirm this fact. There are 2.3 billion active social media users across the world. Any given internet user has an average of five social media accounts. Facebook has over 1.71 billion users, YouTube has over 1 billion users, and WhatsApp has 900 million users. Every day, there are 60 billion messages sent through Facebook Messenger and WhatsApp. Three hundred hours of videos are uploaded on YouTube every minute. Snapchat users watch 6 billion videos on average a day.
It is clear that an individual’s accounts contain a plethora of intimate, personal details meant to be shared exclusively with friends or a fan base. But this begs the question, with this personal nature of social media, what can be excluded from court? The answer: potentially none of it.
06/17/19 11:18 AM
Business Law, Digital Media, Litigation, Technology
#SocialMediaAsEvidence
By Ruth Binger
Cyber criminals hack businesses for a myriad of reasons: to rob bank accounts by hacking email accounts and intercepting wire transfers; to file fraudulent tax returns using stolen customer or employee personal data; to commit health insurance or Medicare fraud; to steal intellectual property; to destroy property; and to deny service. Websites are also hacked as a mechanism to cyber hack other businesses. (See data protection tips here.)
Cyber hackers include your employees, identity thieves, contractors and vendors, business competitors, terrorists, state-sponsored actors and others. The success of your business and its very existence could be placed in jeopardy because of unauthorized business account access, loss of ability to execute transactions, regulatory, reputational and litigation costs, and significant remedial costs.
Focusing on the litigation ramifications, let’s use the following fictional ABC Co. case study to understand the various laws involved.
12/19/17 2:30 PM
Business Law, Digital Media, Manufacturing and Distribution, Technology
When Bad Guys Attack: Data Breach and Legal Exposure
By Ruth Binger
Today, marketing and sales are yoked through digital channels. Leads and customer relations are created and maintained on LinkedIn, Facebook, Twitter, Blogs, email, video calls, and chat rooms. Your salespeople use these tools to sell your products. Yet, change happens. Valuable salespeople with critical customer relationships and employee friendships will leave your company. Hopefully, when those employees leave your employ, you have non-competes and non-solicitation clauses in place which prohibit them from directly or indirectly soliciting employees or customers for a period of years after termination of employment.
You hear through the grapevine that your former super salesperson who just quit has an updated job status on LinkedIn. Now some of your employees and customers know where the former super salesperson is now employed. To add insult to injury, your former super salesperson has asked several of your employees to connect via LinkedIn. You are afraid of the Pied Piper effect and that more of your employees will leave you. Plus you paid good money for your lawyer to draft the darn non-solicitation agreement and you want your money’s worth!
How can you as an employer determine if your former salesperson is legally violating the non-solicitation agreement?
- Passive solicitation. Is the activity passive and what is the content and substance of the message conveyed? Most courts that have considered this issue have found that an update to an individual’s LinkedIn account is passive. But what about a new request to connect? In Bankers Life and Casualty Company v. American Senior Benefits, Bankers Life sued a former sales manager for updating his LinkedIn account and asking three former co-workers – current employees of his former employer – to connect. Bankers Life argued that asking existing employees to connect was targeted and it would uncover job listings of current employer. The sales manager argued that the connection request was a LinkedIn generic email simply asking to form a professional networking connection on social media. The court noted that the generic emails did not contain any discussion of Bankers Life, no mention of the new employer, and no suggestion that a job description be reviewed. Further, current Bankers Life employees had a choice whether or not to respond and connect, click on the former co-worker’s profile, or review job postings for the salesperson’s new employer. Accordingly, the mere act of asking someone to connect on a social network via a generic email generated by the network itself did not violate the non-solicitation agreement. In Pre-Paid Legal Services v. Cahill, the court held that posting on Facebook that an employee has moved and touting the new employer’s product did not constitute evidence of unlawful solicitation. Courts have also ruled that posting a job opportunity on LinkedIn is not a solicitation and becoming “friends” with former clients on Facebook does not in and of itself violate a non-compete clause (Enhanced Network Solutions Group, Inc. v. Hypersonic Technologies Corp and Invidia and LLC v. DiFonzo).
10/17/17 12:39 PM
Business Law, Digital Media, Employment Law
Is a LinkedIn Offer to Connect a Violation of a Non-Solicitation/Anti-Raiding Agreement?
By Ruth Binger
A cyber incident will happen to your company. It is not a matter of if, but when. Small businesses make an appealing target because hackers know they don’t spend as much on security as larger businesses and are not as careful.
According to a Towergate Insurance study, 82 percent of small business owners claim that they are not targets for attack because there is nothing worth stealing. However, employee personal data and health information and customer data are always worth stealing. Symantec reports that 43 percent of cyber-attacks worldwide in 2016 were against small businesses with fewer than 250 workers. In fact, cyber crooks try to rob bank accounts via wire transfers, steal customers’ personal identity information, file fraudulent tax returns, commit Medicare fraud, etc.
IBM estimates that nearly two-thirds of all cyber-attacks hit small to mid-sized businesses. More disturbing, the U.S. National Cyber Security Alliance estimates that about 60 percent of those hit are forced to close six months after an attack. A 2016 Ponemon Institute Breach Report advises that the average price a small business has to pay after a cyber attack is about $690,000.
According to the 2017 Verizon Data Breach Investigations Report:
- 75 percent of the breaches were perpetrated by outsiders (with 51 percent involving organized criminal groups) and the remaining involved internal actors.
- 62 percent of the breaches involved hacking.
- 81 percent of breaches involving hacking leveraged stolen and/or weak passwords.
- Not surprisingly, malware installed via malicious email attachments was present in 50 percent of the breaches involving hacking.
- The victims of data breaches are:
  - Financial organizations (24 percent)
  - Health care organizations (15 percent)
  - Public sector entities (12 percent)
  - Retail and accommodations (15 percent)
- One in 14 users are tricked into following a link or opening an attachment with 25 percent of the users making the same mistake twice
It’s all about the money: Perpetrators of data breaches steal and exploit sensitive data for financial gain. They are opportunistic, using phishing to poke for weak points to use as entry points. Phishing, the most common tool, involves collecting sensitive information like login credentials and credit card information through legitimate-looking but fraudulent websites. Ninety-five percent of phishing attacks led to a breach that was followed by the installation of some sort of malicious software (malware).
Small to mid-sized businesses can take preventive steps to minimize damage. Here are 20 tactics to employ to protect your data.
09/11/17 11:53 AM
Business Law, Digital Media, Technology
When Bad Guys Attack Small to Mid-Sized Businesses: 20 Data Protection Tips
By Ruth Binger
Visiting a website and merely viewing its contents can bind you to an internet “Terms and Conditions” or “Terms of Use” (“browsewrap” or “clickwrap”) contract.
Website owners, as technology providers, have a dilemma as they wish to facilitate business in the most efficient way. Maintaining the integrity of their software by controlling the scope of the limited software license they are offering is essential to protecting their copyrighted technology.
Given that website owners are offering their services to the world, a pressing concern is a disgruntled website user who sues via a class action in the user’s home state. The issue for the courts is how many pre-existing dispute resolution rights a website owner can remove through its browsewrap contract, often called “Terms and Conditions,” if the website user receives little to no notice of its existence or has no knowledge that such a notice refers to a binding contract.
If you look carefully at a website you frequently use, you are likely to see various notices in capital letters in highlighted colors referencing that your use of the website is an automatic agreement to the website policies of privacy and terms and conditions. You may not know that this means you are binding yourself to a contract. If you do click on that bothersome notice link, you will most likely notice a nonnegotiable contract that contains a choice of law, agreement to arbitrate, and/or class action waiver. Given the limited attention span of a website user, most users will not click on the link. This is especially true if the website owner has buried the notice at the very end of the page, made it as inconspicuous as possible, and does not require any action to proceed with using the website.
04/19/16 9:16 AM
Business Law, Digital Media, Manufacturing and Distribution
Best Practices for Avoiding Misleading Browsewrap and Clickwrap Agreements in Cyberspace
By Corporate Law Practice Group
This summer, Missouri voters approved an amendment to the Missouri Constitution protecting electronic data from searches and seizure by law enforcement officers.
Article I, Section 15 of the Missouri Constitution closely resembles the Fourth Amendment to the Federal Constitution: both provide that the people shall be “secure in their persons, papers, homes and effects from unreasonable searches and seizures,” and that law enforcement must demonstrate probable cause before obtaining a search warrant. The recent amendment modifies Section 15 so that it now explicitly protects “electronic communications and data” and requires police to “describe the data or communication to be accessed as nearly as may be” when applying for a warrant.
Surprisingly, the amendment might have ripple effects far removed from searches conducted by law enforcement.
12/2/14 1:11 PM
Business Law, Digital Media, Litigation
Electronic Privacy Amendment May Have Broad Implications for Use of Digital Information
By Employment Law Practice Group
Legislation addressing the question of the extent to which an employer may request an employee’s social media account information has been introduced or is pending in 36 states with seven already enacting legislation in 2013.
As a follow-up to the discussion of Illinois’ recent legislative efforts, let’s look at Missouri’s legislative efforts.
Unfortunately, at this time the Missouri Legislature has not enacted any legislation to clarify the question of whether an employer may lawfully request or require that employees or job applicants provide that employer with their social media account login information. Although the 2013 legislative session recently ended without a bill being passed in both houses, one bill, Senate Committee Substitute / Senate Bill 164, which would have created “The Password Privacy Protection Act,” passed in the Senate and fell just one vote shy of passage in the House. This bill’s partial success likely indicates the direction Missouri will ultimately take.
Like the Illinois legislation, SCS/SB164 began with a general ban of the practice of requesting or requiring the disclosure of account information. Specifically, the bill read:
Subject to the exceptions provided in subsection 4 of this section, an employer shall not request or require an employee or applicant to disclose any user name, password, or other authentication means for accessing any personal online account or personal online service.
The exceptions include and relate to:
06/27/13 8:37 AM
Business Law, Digital Media, Employment Law
Legislative Update: Missouri & Illinois Address Issue of Employer Requests for Employee/Job Applicant Social Media Account Information (Part 2 – Missouri)
By Employment Law Practice Group
In the spring of 2012, national news media reported an increasing number of employers demanding employees and job applicants provide social media account login information (usernames and passwords) for searching and content monitoring purposes. In my blog post “The Facebook Folly” posted in April 2012, I noted at that time there was no explicit indication as to the legality of this practice.
Since early 2012, however, legislatures in both Missouri and Illinois have worked to clarify the issue in their respective states’ workplaces. We’ll focus on Illinois’ efforts first, and follow up with Missouri in Part 2.
Illinois was an early adopter of a policy prohibiting employers from asking employees or prospective employees for their social media account login information. On January 1, 2013, Illinois and California joined Michigan, New Jersey, Maryland and Delaware making such a practice illegal by enacting Public Act 97-0875, amending the Illinois Right to Privacy in the Work Place Act to read, in part:
It shall be unlawful for any employer to request or require an employee or prospective employee to provide any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website or to demand access in any manner to an employee’s or prospective employee’s account or profile on a social networking website. 820 ILCS 55/10(b)(1).
However, in an apparent attempt to balance the interests of both employees and employers, the Act further states and clarifies that it is not intended to limit the employer’s right to create and maintain lawful workplace policies governing Internet use, limit the employer’s ability to monitor usage of the employer’s electronic equipment or electronic mail (as long as the employer does not request or require the employee “provide any password or other related account information”), or limit the employer from obtaining information about its employees or prospective employees from the public domain.
06/20/13 12:29 PM
Business Law, Digital Media, Employment Law
Legislative Update: Missouri & Illinois Address Issue of Employer Requests for Employee/Job Applicant Social Media Account Information (Part I – Illinois)
By Ruth Binger
Thanks to an exponential growth rate in technology, the Internet has changed the world and how we communicate with each other. In 1995, 16 million people used the Internet. Last year, 2 billion people used the Internet and in 2020 it is predicted that the number will be over 5 billion.
Google, a 12-year-old company, has certainly fueled this growth. Social media platforms have also supercharged Internet usage. Facebook claims to have over 800 million active subscribers, LinkedIn claims 85 million subscribers and YouTube has over 100 million videos online.
However, the way we relate to and judge each other, whether it is for employment, relationships, or credit history, has not changed. We are all trying to predict each other’s future behavior for the relationship(s) and transactions we seek.
Facebook purports to be worth $104 billion with its purchase of Instagram. Why is it worth so much? Because companies are spending over $2 billion per year to collect information from social media outlets about what we as consumers want. Our behavior and our opinions can be measured in fine detail as we post and that behavior can be monetized. For example, it is estimated that your personal/buying information is worth $50 to $500 to Google, depending upon how much you spend. On Twitter, each of your followers, assuming you have a large following, could be worth as much as $2.50 each per month. In short, personal data greases the Internet. The data we share (names, addresses, pictures, precise locations, and links) helps companies target advertising based not only on demographic but also on personal opinion and desires.
What does all of this information mean to you as an individual? Technology rules will continue to change, so you need to be vigilant. It is important for you to keep up with the positives and negatives of the rapidly changing technology. Right now, social media is at its height but it is designed for websites. That is predicted to change as the world moves to smartphones. Nearly $1 million worth of features come with any smartphone and there are a billion smartphones in the world. Within the next decade, 6 billion people will have a constant connection to the Internet. This explains why Facebook recently bought Instagram, a mobile app company, for $1 billion. Facebook wants to conquer the smartphone market and not be left behind.
05/2/12 9:04 AM
Business Law, Digital Media, Employment Law, Manufacturing and Distribution
Social Media: Six Ways to Protect Today’s You and Tomorrow’s You