On September 23, 2014, the New Jersey Supreme Court held in Atalese v. U.S. Legal Services Group that an arbitration clause in a consumer contract is not enforceable unless it clearly indicates that the plaintiff is giving up the right to go to court. Accordingly, any company doing business in New Jersey that uses an arbitration clause in its contracts, consumer or otherwise, must make sure that the clause states in easy-to-read language: 1) the differences between litigation and arbitration, and 2) that the contracting party is being foreclosed from proceeding to court on any dispute arising from the contract.

The Atalese Decision

The plaintiff in Atalese contracted with U.S. Legal Services Group (USLSG) for debt adjustment services. The plaintiff filed suit in state court, alleging that USLSG violated two State consumer protection statutes, the New Jersey Consumer Fraud Act (CFA) and the Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) by misrepresenting the scope of the services it would provide and its status as a licensed debt adjuster in New Jersey.

USLSG moved to compel arbitration, based on an arbitration clause in the parties’ agreement, which provided:

“Arbitration: In the event of any claim or dispute between Client and the USLSG related to this Agreement or related to any performance of any services related to this Agreement, the claim or dispute shall be submitted to binding arbitration upon the request of either party upon the service of that request on the other party. The parties shall agree on a single arbitrator to resolve the dispute. . . . Any decision of the arbitrator shall be final and may be entered into any judgment in any court of competent jurisdiction.”

The trial court granted USLSG’s motion to compel the plaintiff to arbitrate her dispute. The plaintiff appealed, arguing that the arbitration clause was unenforceable because it did not adequately notify her of her right to have her consumer claims tried before a jury. The Appellate Division affirmed the trial court’s decision, but the New Jersey Supreme Court unanimously reversed, holding that the arbitration clause was unenforceable because it “did not clearly and unambiguously signal to plaintiff that she was surrendering her right to pursue her statutory claims in court.”

The Court reasoned that arbitration is essentially a waiver of rights which, to be effective, “requires a party to have full knowledge of his legal rights and intent to surrender those rights.” The Court criticized the arbitration clause at issue for not “explain[ing] what arbitration is,” how it “is different from a proceeding in a court of law,” and for not being “written in plain language that would be clear and understandable to the average consumer.” The Court also recognized a countervailing State legislative policy, implicit in the enactment of the CFA and TCCWNA, that favors consumers seeking relief through courts of law.

In reaching this decision, the Court rejected the argument that consumers are sophisticated enough to understand that agreeing to resolve disputes in binding arbitration means they are forgoing their right to have disputes resolved in court.

The Court stressed that no “magic language” is required to make an arbitration clause enforceable. Rather, the clause must use “clear and unambiguous” language which, in a “general and sufficiently broad way, must explain that the plaintiff is giving up her right to bring her claims in court or have a jury resolve the dispute”. The Court did, however, provide broad guidance: generally, an enforceable consumer arbitration clause must (1) state what arbitration is, (2) explain how arbitration differs from a court proceeding, and (3) do so in language that is plain and understandable to the average consumer. The Court went on to cite the following arbitration provisions that New Jersey’s courts have previously upheld as enforceable:

  • The parties agree “to waive [the] right to a jury trial” and that “all disputes relating to [the plaintiff’s] employment . . . shall be decided by an arbitrator.”
  • “By agreeing to arbitration, the parties understand and agree that they are waiving their rights to maintain other available resolution processes, such as a court action or administrative proceeding, to settle their disputes.”
  • “Instead of suing in court, we each agree to settle disputes (except certain small claims) only by arbitration. The rules in arbitration are different.  There’s no judge or jury, and review is limited, but an arbitrator can award the same damages and relief, and must honor the same limitations stated in the agreement as a court would.”

Going Forward

Given the sweeping nature of Atalese, all New Jersey businesses using arbitration clauses in their agreements must rewrite these clauses to make sure that they contain clear, easy-to-read language that: 1) explains the nature of arbitration proceedings and how they differ from judicial proceedings; and 2) expressly states the rights that are being waived or forfeited as a result of the agreement.

If you have any questions, please feel free to contact Howard A. Matalon, Esq. at 908-964-2424.

By: Aaron Krowne

On July 14, 2014, the New York Attorney General’s office (“NY AG”) released a seminal report on data breaches, entitled “Information Exposed: Historical Examination of Data Breaches in New York State” (the “Report”). The Report presents a wealth of eye-opening (and sobering) information on data breaches in New York and beyond. It is primarily based on the NY AG’s own analysis of the breach reports received during the first eight years (2006 through 2013) of the State’s data breach reporting law (NY General Business Law §899-aa), and it also cites extensively to outside research, providing a national and international picture of data breaches. The Report’s primary finding is that data breaches, somewhat unsurprisingly, are a rapidly growing problem.

A Growing Menace

The headline statistic of the Report is its finding that the number of data breaches in or affecting New York tripled between 2006 and 2013. During that period, 22.8 million personal records of New Yorkers were exposed in nearly 5,000 breaches affecting more than 3,000 businesses. The worst year was 2013, with 7.4 million records exposed, mainly due to the Target and LivingSocial “mega-breaches,” which the Report identifies as a growing trend in their own right. While such mega-breaches make the headlines, businesses of all sizes are affected and at risk.

The Report found that hacking was responsible for 43% of breaches and for 64% of the total records exposed. The other major causes of breaches were “lost or stolen equipment or documentation” (25% of breaches), “employee error” (21%), and “insider wrongdoing” (11%). Taken together, these internal causes still account for the majority of breaches. Since 2009, however, hacking has grown to become the single largest cause of breaches, which, not coincidentally, is the same year that “crimeware” source code was released and began to proliferate. Hacking was responsible for a whopping 96.4% of the New York records exposed in 2013 (again, largely due to the mega-breaches).

The Report notes that retail services and health care providers are “particularly” vulnerable to data breaches. The following breaks down the number of entities in a particular sector that suffered repeated data breaches: 54 “retail services” entities (a “favorite target of hackers”, per the Report), 31 “financial services” entities, 29 “health care” entities, 27 “banking” entities, and 20 “insurance” entities.

The Report also points out that these breach statistics are likely on the low side. One reason is that New York’s data breach law does not cover all breaches. The law is triggered only when two types of information are compromised together: (1) a name, number, personal mark, or other identifier that can be used to identify a natural person, combined with (2) a social security number, government ID or license number, account number, or credit or debit card number along with its security code. If only one of these is compromised, the reporting requirement is not triggered, even though the compromise of a single piece of data (e.g., a social security number) can do the consumer the same harm as a “breach” under the law, particularly if the exposed information can be combined with complementary information obtained elsewhere. Further, the full impact of a reported breach may be unknown at the time it is reported, so individual breaches are likely to be underestimated as well.

Real Costs: Answering To The Market

Though New York’s data breach law allows the AG to bring suits for actual damages and statutory penalties for failure to notify (notification of all affected consumers and of the NY AG’s office is required, and, for large breaches, of the consumer reporting agencies as well), such awards are likely to be minor compared with the market impact and direct costs of a breach. The Report estimates that in 2013, breaches cost New York businesses $1.37 billion, based on a per-record cost estimate of $188 (breach cost estimates are from the data breach research consultancy the Ponemon Institute). In 2014, this per-record estimate has already risen to $201, and the cost for hacked records is higher still, at $277. The total average cost of a breach is currently $5.9 million, up from $5.4 million in 2013. These amounts represent only costs incurred by the businesses hit, such as investigation, communications, free consumer credit monitoring, and the reformulation and implementation of data security measures. Costs borne by the consumers themselves are not included, so this too is an underestimate.

These amounts also do not include market costs, for which the Target mega-breach of 2013 and the Sony PlayStation Network mega-breach of 2011 are particularly sobering examples. Target reported a 46% drop in fourth-quarter profit in the wake of the massive breach of its customers’ data, and Sony’s losses have been estimated at over $1 billion. Both also suffered significant declines in their stock prices at the time.

Returning to direct costs, the fallout continues: on August 5, 2014, Target announced that the costs of the 2013 breach would exceed its previous estimates, coming in at nearly $150 million.

Practices

The Report’s banner recommendation, in the face of all the above, is to have an information security plan in place, especially given that 57% of breaches are primarily caused by “inside” issues (i.e., lost/stolen records, employee error, or wrongdoing) that directly implicate information security practices. An information security plan should specifically include:

  • a privacy policy;
  • restricted and controlled access to records;
  • monitoring systems for unauthorized access;
  • use of encryption, secure access to all devices, and non-internet connected storage;
  • uniform employee training programs;
  • reasonable data disposal practices (e.g., using disk wiping programs).

The Report is not especially optimistic about preventing hacking, but we would note that an information security plan also reduces the likelihood and the impact of hacking. For example, the implementation of encryption, and the training of employees to use it uniformly and properly, can be quite powerful: records that are encrypted when they are stolen are of far less use to the thief.

Whether the breach threat comes to you in the form of employee conduct or an outside hack attempt, don’t be caught wrong-footed by not having an adequate information security plan. A certified privacy attorney at OlenderFeldman can assist you with your businesses’ information security plan, whether you need to create one for the first time, or simply need help in ensuring that your current information security plan provides the maximum protection to your business.

Insider threats, hackers and cyber criminals are all after your data, and despite your best precautions, they may breach your systems. How should small and medium sized businesses prepare for a cyber incident or data breach?

Cyber attacks are becoming more frequent and more sophisticated, and can have devastating consequences. It is not enough for organizations to merely defend themselves against cyber security threats. Determined attackers have proven that, with enough commitment, planning and persistence, they will eventually find a way to reach an organization’s data. Organizations need to either develop cyber incident response plans or update existing disaster recovery plans in order to quickly mitigate the effects of a cyber attack and to prevent and remediate a data breach. Small businesses are perhaps the most vulnerable organizations, as they are often unable to dedicate the necessary resources to protect themselves. Some studies have found that nearly 60% of small businesses will close within six months following a cyber attack. Today, risk management requires that you plan ahead to prepare for, protect against and recover from a cyber attack.

Protect Against Internal Threats

First, most organizations focus their cyber security systems on external threats and, as a result, often fail to protect against internal threats, which by some estimates account for nearly 80% of security issues. Common insider threats include abuse of confidential or proprietary information and disruption of security measures and protocols. Because internal threats can do as much damage as an outside attack, organizations must protect themselves against threats posed by their own employees. The primary control is limiting access to information, particularly sensitive data, to those with a need to know. Logging events, backing up information, and educating employees on safe email and Internet practices are also crucial to an organization’s protection against, and recovery from, a breach.

Involve Your Team In Attack Mitigation Plans

Next, just as every employee can pose a cyber security threat, every employee can, and should, be a part of the post-attack process. All departments, not just the IT team, should be trained on how to communicate with clients after a cyber attack, and be prepared to work with the legal team to address the repercussions of such an attack. The most effective cyber response plans are customized to their organization and these plans should involve all employees and identify their specific role in the organization’s cyber security.

Draft, Implement and Update Your Cyber Security Plans

Finally, cyber security, just like technology, evolves on daily basis, making it crucial for an organization to predict and prevent potential attacks before they happen. Organizations need to be proactive in the drafting, implementing and updating of their cyber security plans. The best way for an organization to test their cyber security plan is to simulate a breach or conduct an internal audit which will help identify strengths and weaknesses in the plan, as well as build confidence that in the event of an actual cyber attack the organization is fully prepared.

If you have questions regarding creating or updating a disaster or cyber incident recovery plan, please feel free to contact us.


Social networking sites, such as Facebook and MySpace, have become repositories of large amounts of personal data. Increasingly, this data is viewed as relevant to all manner of litigation, and as such is increasingly sought during discovery in civil cases. Businesses and individuals that use social networking services should be aware of what data they put on social networking sites, as it could end up in court.

By Adam Elewa

In litigation, businesses or individuals must routinely comply with a process known as discovery, where both parties are compelled by the court to produce relevant documents concerning the issues in dispute to the opposing party. There are only a few areas that are off-limits to opposing counsel in discovery, such as privileged conversations between a lawyer and his client. With the proliferation of social networking, and the large amount of personal information being shared and stored in the cloud, lawyers now routinely attempt to compel disclosure of social networking profiles during discovery.

In general, courts have declined to find a general right of privacy in the information stored on social networking websites. Constitutional protections of privacy do not apply to private parties, only agents of the government. The current trend, reinforced by a recent federal court case in Montana, is to let the rules of civil procedure concerning discovery dictate how much and what kind of data posted to social networking sites must be turned over to the adversarial party. See, e.g., Keller v. National Farmers Union Property & Cas. Co., 2013 WL 27731 (January 2, 2013). Although judges have discretion in applying the rules of discovery, a consensus seems to be forming.

Courts have been clear that adversarial parties cannot compel the disclosure of social networking profiles without some reasonable belief that such information is relevant to the case at issue. In other words, lawyers cannot go on “fishing expeditions” by demanding the maximum amount of data be disclosed, in the hopes that something interesting will turn up.

However, courts have shown a willingness to disregard privacy settings and/or subjective expectations of privacy held by users of social networking websites when deciding whether to compel disclosure. In such instances, courts often rely on publicly shared information to determine whether private information is likely to be relevant. A public photo that is relevant to the litigated issue can be taken as an indication that more relevant information is likely to be lurking on the hidden portions of the user’s profile. Of course, making data unviewable by the public may make it more difficult for an adversarial party to demonstrate that a profile contains relevant information, and thus should be subject to discovery. Regardless, it is important to keep in mind the limits of privacy on Facebook and other social media sites.

Cases where lawyers have been successful in demonstrating that information contained on social networking sites was likely to be relevant tend to share similar characteristics. Many of these cases concern private matters that would likely be shared, as a matter of social practice, on social networking sites. For example, the plaintiff in Keller alleged that the defendant’s actions had caused major disruptions to her social life. Lawyers for the defense successfully argued that the woman’s social networking profile likely contained information that could demonstrate whether her life was in fact severely disrupted by the defendant’s alleged negligence.

Additionally, lawyers were able to support the contention that private aspects of an individual’s profile likely contained relevant information by reference to non-hidden or publicly viewable aspects of that individual’s profile. For example, in Keller, the contention that the plaintiff’s private profile contained information relevant to her quality of life was bolstered by publicly viewable images showing recent physical activity of a kind claimed by the plaintiff to be impossible.

Businesses seeking to communicate via social networking platforms or reach clients should be aware that such communications and business activities are likely discoverable in litigation. Individual and businesses should be mindful that:

  • Although social networking sites have “privacy” settings, these settings can be deemed legally irrelevant if the information contained on such platforms can be shown to be relevant to pending litigation.
  • Information that is publicly viewable can be used for any purpose by an opposing party. Public indications that a profile is used for business-related communications might subject that profile to discovery where such communications are at issue. Thus, businesses and individuals should always be mindful of the evolving privacy policies of the sites on which they transact business.

Finally, litigants should bear in mind that while social media evidence may be relevant to litigation, it is important not to make discovery requests overbroad. For the best likelihood of success, social media discovery requests should be narrowly tailored to produce evidence directly pertinent to the issues, rather than engaging in a fishing expedition.

Protect Against Data Breaches

All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Information privacy and security is essential to protect your business, safeguard your customers’ privacy, and secure your company’s vital information.

Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.

While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most business networks are accessible from any computer in the world and are therefore potentially vulnerable to threats from individuals who do not require physical access to them. A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the fewest resources to information security and privacy measures. Studies have found that the average cost of a small business breach is $194 per record breached, a figure that includes expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses do not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.

LinkedIn presents a good example of these additional costs. It is currently facing a $5 million class action lawsuit related to the data breach. The lawsuit does not allege any specific breaches of cybersecurity laws, but instead alleges that LinkedIn violated its own stated privacy policy. Businesses of all sizes should be very careful about the representations they make on their websites, as what is written in a website terms of use or privacy policy could have serious legal implications.

Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.

First, consider drafting a detailed information security policy and a privacy policy tailored to your company’s specific needs and threats, which will guide the implementation of appropriate security measures. A privacy policy is complementary to the information security policy, and sets the standards for the collection, processing, storage, use and disclosure of confidential or personal information about individuals or entities, as well as for the prevention of unauthorized access, use or disclosure. Your policies should plan for proactive crisis management in the event of a security incident, which will enable coordinated execution of remedial actions. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Your company should have and enforce policies that reflect the philosophy and strategy of its management regarding information security.

Second, although external breaches by hackers get the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses. Informal or non-existent attitudes and practices with regard to security create temptations, and a relatively safe environment, for an opportunist within the company to gain improper or unauthorized access to your sensitive information. Mitigating this risk requires limiting access to company resources to those with a need to know, and denying it to everyone else. Theft of or damage to system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk of identity theft, which may cause monetary liability and reputational damage to your company.

Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes, or weak auditing, allows new vulnerabilities and unauthorized use to evolve and proliferate, and your company may not realize that a serious loss has occurred or is ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that technology resources (such as photocopiers, scanners, printers, laptops and smartphones) are securely erased before they are recycled or disposed of. Most business owners are not aware that such devices generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document, so anyone who later possesses the photocopier (e.g., when it is sold or returned) can obtain copies of every document that was copied or scanned on the machine. This compilation of documents and potentially sensitive information poses a serious threat of identity theft.

Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users.  Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate various breach reporting times, and to various authorities.

 

Your smartphone knows all about you. Before giving it away or recycling your smartphone, make sure that you take the proper precautions so that your smartphone doesn’t spill your secrets to the world.

In a Fox Business article by Michael Estrin entitled “Don’t be Stupid With an Unwanted Smartphone,” OlenderFeldman LLP provides insight on the importance of wiping all data before selling or donating an old phone. Some excerpts follow, and be sure to read the entire thing:


If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.

“It’s important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information,” says Messing, who’s with the Olender Feldman firm in Union, N.J.

That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and a browser history. Increasingly, many phones also contain everything you’d have in your wallet — and more — as more consumers are using mobile banking and payment apps.

If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.

“Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information,” says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could easily be multiplied very quickly.

So far, there haven’t been many reported incidents of identity theft using data pulled from discarded smartphones. But it’s a problem that Messing worries might rise as smartphone usage grows. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.

New Jersey Law Requires Photocopiers and Scanners To Be Erased Because Of Privacy Concerns

NJ Assembly Bill A-1238 requires the destruction of records stored on digital copy machines under certain circumstances in order to prevent identity theft

By Alice Cheng

Last week, the New Jersey Assembly passed Bill A-1238 in an attempt to prevent identity theft. The bill requires that information stored on photocopy machines and scanners be destroyed before the devices change hands (e.g., when resold or returned at the end of a lease agreement).

Under the bill, owners of such devices are responsible for the destruction, or arranging for the destruction, of all records stored on the machines. Most consumers are not aware that digital photocopy machines and scanners store and retain copies of documents that have been printed, scanned, faxed, and emailed on their hard drives. That is, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of the photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.
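The retained-image problem described above, together with the “disk wiping” disposal practice recommended in the information security plan section earlier on this page, as an added example that is not from the article, the bill, or any copier vendor: a small file stands in for a copier or laptop drive, with a toy one-byte-per-sector allocation table kept in sector 0. The sector layout, the function names (`logical_delete`, `wipe_image`, `residue_found`) and the sample document text are all constructed for this illustration.

```python
import os
import tempfile

SECTOR_SIZE = 512   # bytes per simulated sector (assumption for the toy layout)
TABLE_SECTOR = 0    # sector 0 holds the toy allocation table: one flag byte per sector


def make_image(path: str, sectors: int = 64) -> None:
    """Create a zero-filled file standing in for the device's storage."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR_SIZE * sectors)


def store_document(path: str, sector: int, data: bytes) -> None:
    """Model a scan/copy job: write the document bytes into a sector and mark
    that sector as in use in the allocation table (byte number = sector number)."""
    if not 1 <= sector < SECTOR_SIZE:
        raise ValueError("sector must be between 1 and 511 in this toy layout")
    with open(path, "r+b") as f:
        f.seek(sector * SECTOR_SIZE)
        f.write(data[:SECTOR_SIZE])
        f.seek(TABLE_SECTOR * SECTOR_SIZE + sector)
        f.write(b"\x01")


def logical_delete(path: str, sector: int) -> None:
    """What an ordinary 'delete' does: clear the allocation flag, touch no data."""
    with open(path, "r+b") as f:
        f.seek(TABLE_SECTOR * SECTOR_SIZE + sector)
        f.write(b"\x00")


def residue_found(path: str, needle: bytes) -> bool:
    """Forensic check: does the raw medium still contain the document bytes?
    This is what a buyer with the drive in hand can run; the allocation table
    is irrelevant to them."""
    with open(path, "rb") as f:
        return needle in f.read()


def wipe_image(path: str, passes: int = 2) -> None:
    """Overwrite every sector in place: random bytes on each pass except the
    last, zeros on the last, with fsync so the writes reach the medium before
    the device is handed over."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            for off in range(0, size, SECTOR_SIZE):
                n = min(SECTOR_SIZE, size - off)
                f.write(b"\x00" * n if p == passes - 1 else os.urandom(n))
            f.flush()
            os.fsync(f.fileno())


def demo() -> tuple:
    """Return (after_scan, after_delete, after_wipe): whether the constructed
    sample document is still recoverable from the image at each stage."""
    secret = b"SSN 123-45-6789 TAX RETURN 2013"   # constructed sample, not real data
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "copier.img")
    make_image(path)
    store_document(path, 5, secret)
    after_scan = residue_found(path, secret)
    logical_delete(path, 5)
    after_delete = residue_found(path, secret)     # still True: bytes untouched
    wipe_image(path)
    after_wipe = residue_found(path, secret)       # False: sectors overwritten
    os.remove(path)
    os.rmdir(workdir)
    return after_scan, after_delete, after_wipe


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

An ordinary delete only clears a bookkeeping entry; the document bytes stay on the medium until something overwrites them, which is exactly the situation a returned copier is in. For real magnetic drives the same overwrite is what tools such as `shred` or `dd if=/dev/zero` perform. Flash-based storage (SSDs, phone storage) remaps writes internally, so a host-side overwrite does not guarantee that every old copy is gone; there, the drive’s built-in secure-erase command, or full-disk encryption followed by destruction of the key, is the reliable route.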

Any willful or knowing violation of the bill’s provisions may result in a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses. Identity theft victims may also bring legal action against offenders.

To avoid these consequences, businesses should be mindful of the type of information stored on such devices and ensure that all data is erased before reselling or returning them. Business owners should be especially mindful, as digital copy machines may also contain trade secrets and other sensitive business information.

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the third entry here.

Preventing Access by Unauthorized Persons

This section highlights steps that hedge fund managers can take to prevent unauthorized users from accessing a mobile device or any transmission of information from a device.  Concerns over unauthorized access are particularly acute in connection with lost or stolen devices.

[Lawyers] recommended that firms require the use of passwords or personal identification numbers (PINs) to access any mobile device that will be used for business purposes.  Aaron Messing, a Corporate & Information Privacy Associate at OlenderFeldman LLP, further elaborated, “We generally emphasize setting minimum requirements for phone security.  You want to have a mobile device lock with certain minimum requirements.  You want to make sure you have a strong password and that there is boot protection, which is activated any time the mobile device is powered on or reactivated after a period of inactivity.  Your password protection needs to be secure.  You simply cannot have a password that is predictable or easy to guess.”

Second, firms should consider solutions that facilitate the wiping (i.e., erasing) of firm data on the mobile device to prevent access by unauthorized users . . . . [T]here are numerous available wiping solutions.  For instance, the firm can install a solution that will facilitate remote wiping of the mobile device if the mobile device is lost or stolen.  Also, to counter those that try to access the mobile device by trying to crack its password, a firm can install software that automatically wipes firm data from the mobile device after a specific number of failed log-in attempts.  Messing explained, “It is also important for firms to have autowipe ability – especially if you do not have a remote wipe capability – after a certain number of incorrect password entries.  Often when a phone is lost or stolen, it is at least an hour or two before the person realizes the mobile device is missing.”

Wipe capability can also be helpful when an employee leaves the firm or changes mobile devices. . . Messing further elaborated, “When an employee leaves, you should have a policy for retrieving proprietary or sensitive information from the employee-owned mobile device and severing access to the network.  Also, with device turnover – if employees upgrade phones – you want employees to agree and acknowledge that you as the employer can go through the old phone and wipe the sensitive aspects so that the next user does not have the ability to pick up where the employee left off.”

If a firm chooses to adopt a wipe solution, it should adopt policies and procedures that ensure that employees understand what the technology does and obtain consent to the use of such wipe solutions.  Messing explained, “What we recommend in many cases is that as a condition of enrolling a device on the company network, employees must formally consent to an ‘Acceptable Use’ policy, which defines all the situations when the information technology department can remotely wipe the mobile device.  It is important to explain how that wipe will impact personal device use and data and employees’ data backup and storage responsibilities.”

Third, a firm should consider adopting solutions that prevent unauthorized users from gaining remote access to a mobile device and its transmissions.  Mobile security vendors offer products to protect a firm’s over-the-air transmissions between the server and a mobile device and the data stored on the mobile device.  These technologies allow hedge fund managers to encrypt information accessed by the mobile device – as well as information being transmitted by the mobile device – to ensure that it is secure and protected.  For instance, mobile devices can retain and protect data with WiFi and mobile VPNs, which provide mobile users with secure remote access to network resources and information.

Fourth, Rege suggested hedge fund managers have a procedure for requiring certificates to establish the identity of the device or a user.  “In a world where the devices are changing constantly, having that mechanism to make sure you always know what device is trying to access your system becomes very important.”
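The four steps above (a device lock with minimum passcode requirements, lock on inactivity, auto-wipe after failed attempts with remote wipe as a fallback, encryption of stored data, and a device certificate) can be checked mechanically against an MDM inventory export. The following is an added example, not code from OlenderFeldman or the Hedge Fund Law Report; the field names, the threshold values and the sample inventory are assumptions made for illustration, and a firm would take its own thresholds from its Acceptable Use policy.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Settings one device reports, as an MDM inventory export might list them.

    Field names are assumptions made for this example, not any vendor's schema.
    """
    device_id: str
    lock_enabled: bool
    passcode_min_length: int          # minimum length the device enforces
    passcode_allow_simple: bool       # repeated or sequential digits accepted
    inactivity_lock_minutes: int      # 0 means the device never locks when idle
    wipe_after_failed_attempts: int   # 0 means no auto-wipe
    remote_wipe_enrolled: bool        # firm can erase firm data remotely
    storage_encrypted: bool
    device_certificate_present: bool  # identifies the device to firm systems


@dataclass
class Baseline:
    """Minimum requirements; these thresholds are illustrative assumptions."""
    min_passcode_length: int = 6
    max_inactivity_minutes: int = 5
    max_failed_attempts: int = 10


def is_simple_passcode(passcode: str) -> bool:
    """True for digit-only codes that are trivially predictable.

    Flags codes made of one repeated digit (111111) and straight ascending or
    descending runs (123456, 654321); other patterns are left to the device's
    own complexity rules.
    """
    if not passcode.isdigit():
        return False
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def check_posture(device: DevicePosture, baseline: Baseline = Baseline()) -> list:
    """Return findings for one device; an empty list means it meets the baseline."""
    findings = []
    if not device.lock_enabled:
        findings.append("device lock disabled")
    if device.passcode_min_length < baseline.min_passcode_length:
        findings.append(f"passcode minimum length {device.passcode_min_length} "
                        f"below {baseline.min_passcode_length}")
    if device.passcode_allow_simple:
        findings.append("predictable passcodes allowed")
    if not 0 < device.inactivity_lock_minutes <= baseline.max_inactivity_minutes:
        findings.append(f"no inactivity lock within {baseline.max_inactivity_minutes} minutes")
    # Auto-wipe matters most where remote wipe is absent, since hours can pass
    # before a lost device is even reported.
    if device.wipe_after_failed_attempts == 0:
        if device.remote_wipe_enrolled:
            findings.append("no auto-wipe after failed attempts (remote wipe is the only fallback)")
        else:
            findings.append("no auto-wipe and no remote wipe: firm data cannot be erased if the device is lost")
    elif device.wipe_after_failed_attempts > baseline.max_failed_attempts:
        findings.append(f"auto-wipe threshold {device.wipe_after_failed_attempts} "
                        f"above {baseline.max_failed_attempts}")
    if not device.storage_encrypted:
        findings.append("stored data not encrypted")
    if not device.device_certificate_present:
        findings.append("no device certificate to identify the device")
    return findings


def evaluate_fleet(devices, baseline: Baseline = Baseline()) -> dict:
    """Map each device id to its findings so non-compliant devices stand out."""
    return {d.device_id: check_posture(d, baseline) for d in devices}


# Constructed sample inventory: one compliant device, one with several gaps.
SAMPLE_DEVICES = [
    DevicePosture("dev-001", True, 6, False, 5, 10, True, True, True),
    DevicePosture("dev-002", True, 4, True, 0, 0, False, True, False),
]

if __name__ == "__main__":
    for device_id, findings in evaluate_fleet(SAMPLE_DEVICES).items():
        print(f"{device_id}: {'OK' if not findings else '; '.join(findings)}")
```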

Preventing Unauthorized Use by Firm Personnel

Hedge fund managers should be concerned not only by potential threats from external sources, but also potential threats from unauthorized access and use by firm personnel.

For instance, hedge fund managers should protect against the theft of firm information by firm personnel.  Messing explained, “You want to consider some software to either block or control data being transferred onto mobile devices.  Since some of these devices have a large storage capacity, it is very easy to steal data.  You have to worry not only about external threats but internal threats as well, especially when it comes to mobile devices, you want to have system controls that are put in place to record and maybe even limit the data being taken from or copied onto mobile devices.”

Monitoring Solutions

To prevent unauthorized access and use of the mobile device, firms can consider remote monitoring.   However, monitoring solutions raise employee privacy concerns, and the firm should determine how to address these competing concerns.

Because of gaps in expectations regarding privacy, firms are much more likely to monitor activity on firm-provided mobile devices than on personal mobile devices. . . . In addressing privacy concerns, Messing explained, “You want to minimize the invasion of privacy and make clear to your employees the extent of your access.  When you are using proprietary technology for mobile applications, you can gain a great deal of insight into employee usage and other behaviors that may not be appropriate – especially if not disclosed.  We are finding many organizations with proprietary applications tracking behaviors and preferences without considering the privacy implications.  Generally speaking, you want to be careful how you monitor the personal device if it is also being used for work purposes.  You want to have controls to determine an employee’s compliance with security policies, but you have to balance that with a respect for that person’s privacy.  When it comes down to it, one of the most effective ways of doing that is to ensure that employees are aware of and understand their responsibilities with respect to mobile devices.  There must be education and training that goes along with your policies and procedures, not only with the employees using the mobile devices, but also within the information technology department as well.  You have people whose job it is to secure corporate information, and in the quest to provide the best solution they may not even consider privacy issues.”

As an alternative to remote monitoring, a firm may decide to conduct personal spot checks of employees’ mobile devices to determine if there has been any inappropriate activity.  This solution is less intrusive than remote monitoring, but likely to be less effective in ferreting out suspicious activity.

Policies Governing Archiving of Books and Records

Firms should consider both technology solutions and monitoring of mobile devices to ensure that they are capturing all books and records that are required to be kept pursuant to the firm’s books and records policies and external law and regulation with respect to books and records.

Also, firms may contemplate instituting a policy to search employees’ mobile devices and potentially copying materials from such mobile devices to ensure the capture of all such information or communications from mobile devices.  However, searching and copying may raise privacy concerns, and firms should balance recordkeeping requirements and privacy concerns.  Messing explained, “In the event of litigation or other business needs, the company should image, copy or search an employee’s personal device if it is used for firm business.  Therefore, employees should understand the importance of complying with the firm’s policies.”

Policies Governing Social Media Access and Use by Mobile Devices

Many firms will typically have some policies and procedures in place that ban or restrict the proliferation of business information via social media sites such as Facebook and Twitter, including with respect to the use of firm-provided mobile devices.  Specifically, such a policy could include provisions prohibiting the use of the firm’s name; prohibiting the disclosure of trade secrets; prohibiting the use of company logos and trademarks; addressing the permissibility of employee discussions of competitors, clients and vendors; and requiring disclaimers.

Messing explained, “We advise companies just to educate employees about social media.  If you are going to be on social media, be smart about what you are doing.  To the extent possible, employees should note their activity is personal and not related to the company.  They also should draw distinctions, where possible, between their personal and business activities.  These days it is increasingly blurred.  The best thing to do is just to come up with common sense suggestions and educate employees on the ramifications of certain activities.  In this case, ignorance is usually the biggest issue.”

Ultimately, many hedge fund managers recognize the concerns raised by mobile devices.  However, many also recognize the benefits that can be gained from allowing employees to use such devices.  In Messing’s view, the benefits to hedge fund managers outweigh the costs.  “Everything about a mobile device is problematic from a security standpoint,” Messing said, “but the reality is that the benefits far outweigh the costs in that productivity is greatly enhanced with mobile devices.  It is simply a matter of mitigating the concerns.”

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the second entry here.

Three Steps That Hedge Fund Managers Should Take before Crafting Mobile Device Policies and Procedures

As indicated, before putting pen to paper to draft mobile device policies and procedures, hedge fund managers should take at least the following three steps.  Managers that already have mobile device policies and procedures in place, or that have other policies and procedures that incidentally cover mobile devices, may take the following three steps in revising the other relevant policies and procedures.

First, Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, advised that hedge fund managers should ensure that technology professionals are integrally involved in developing mobile device policies and procedures.  Technology professionals are vital because they can understand the firm’s technological capabilities, and they can inform the compliance department about the technological solutions available to address compliance risks and to meet the firm’s goals.  Such technology professionals can be manager employees, outside professionals or a combination of both.  The key is that such professionals understand how technology can complement rather than conflict with the manager’s compliance and business goals.

Second, the firm should take inventory of its mobile device risks and resources before beginning to craft mobile device policies and procedures.  Among other things, hedge fund managers should consider access levels on the part of its employees; its existing technological capabilities; its budget for addressing the risks of using mobile devices; and the compliance personnel available to monitor compliance with such policies and procedures.  With respect to employee access, a manager should evaluate each employee’s responsibilities, access to sensitive information and historical and anticipated uses of mobile devices to determine the firm’s risk exposure.

With respect to technology, Messing cautioned that mobile device policies and procedures should be supportable by a hedge fund manager’s current technology infrastructure and team.  Alternatively, a manager should be prepared to invest in the required technology and team.  “You should be sure that what you are considering implementing can be supported by your information technology team,” Messing said.  With respect to budgeting, a hedge fund manager should evaluate how much it is willing to spend on technological solutions to address the various risks posed by mobile devices.  Any such evaluation should be informed by accurate pricing, assessment of a range of alternative solutions to address the same risk and a realistic sense of what is necessary in light of the firm’s business, employees and existing resources.  Finally, with respect to personnel, a manager should evaluate how much time the compliance department has available to monitor compliance with any contemplated mobile device policies and procedures.

Third, hedge fund managers should specifically identify their goals in adopting mobile device policies and procedures.  While the principal goal should be to protect the firm’s information and systems, hedge fund managers should also consider potentially competing goals, such as the satisfaction levels of their employees, as expressed through employee preferences and needs.  As Messing explained, “It is not that simple to dictate security policies because you have to take into account the end users.  Ideally, when you are creating a mobile device policy, you want something that will keep end users happy by giving them device freedom while at the same time keeping your data safe and secure.  One of the things that I emphasize the most is that you have to customize your solutions for the individual firm and the individual fund.  You cannot just take a one-size-fits-all policy because if you take a policy and you do not implement it, it can be worse than not having a policy at all.”  OCIE and Enforcement staff members have frequently echoed that last insight of Messing’s.

Aaron and Jennifer also discussed privacy concerns with the use of personal devices for work:

Firm-Provided Devices versus Personal Devices:

As an alternative, some firms have considered adopting policies that require employees to make their personal phones available for periodic and surprise examinations to ensure compliance with firm policies and procedures governing the use of personal phones in the workplace.  However, this solution may not necessarily be as effective as some managers might think because many mobile device functions and apps have been created to hide information from viewing, and a mobile device user intent on keeping information hidden may be able to take advantage of such functionality to deter a firm’s compliance department from detecting any wrongdoing.  Additionally, Messing explained that such examinations also raise employee privacy concerns.  Hedge fund managers should consider using software that can separate firm information from personal information to maximize the firm’s ability to protect its interests while simultaneously minimizing the invasion of an employee’s privacy.

Regardless of the policies and procedures that a firm wishes to adopt with respect to the use of personal mobile devices by firm personnel, hedge fund managers should clearly communicate to their employees the level of firm monitoring, access and control that is expected, especially if an employee decides that he or she wishes to use his or her personal mobile device for firm-related activities.

Jennifer and Aaron also discussed controlling access to critical information and systems:

Limiting Access to and Control of Firm Information and Systems

As discussed in the previous article in this series, mobile devices raise many external and internal security threats.  For instance, if a mobile device is lost or stolen, the recovering party may be able to gain access to sensitive firm information.  Also, a firm should protect itself from unauthorized access to and use of firm information and networks by rogue employees.  A host of technology solutions, in combination with robust policies and procedures, can minimize the security risks raised by mobile devices.  The following discussion highlights five practices that can help hedge fund managers to appropriately limit access to and control of firm information and networks by mobile device users.

First, hedge fund managers should grant mobile device access only to such firm information and systems as are necessary for the mobile device user to perform his or her job functions effectively.  This limitation on access should reduce the risks associated with use of the mobile device, particularly risks related to unauthorized access to firm information or systems.

Second, hedge fund managers should consider strong encryption solutions to provide additional layers of security with respect to their information.  As Messing explained, “As a best practice, we always recommend firm information be protected with strong encryption.”

Third, a firm should consider solutions that will avoid providing direct access to the firm’s information on a mobile device.  For instance, a firm should consider putting its information on a cloud and requiring mobile device users to access such information through the cloud.  By introducing security measures to access the cloud, the firm can provide additional layers of protection over and above the security measures designed to deter unauthorized access to the mobile device.

Fourth, hedge fund managers should consider solutions that allow them to control the “business information and applications” available via a personal mobile device.  With today’s rapidly evolving technology, solutions are now available that allow hedge fund managers to control those functions that are critical to their businesses while minimizing the intrusion on the personal activities of the mobile device user.  For instance, there are applications that store e-mails and contacts in encrypted compartments that separate business data from personal data.  Messing explained, “Today, there is software to provide data encryption tools and compartmentalize business data, accounts and applications from the other aspects of the phone.  There are also programs that essentially provide an encryption sandbox that can be removed and controlled without wiping the entire device.  When you have that ability to segment off that sensitive information and are able to control that while leaving the rest of the mobile device uncontrolled, that really is the best option when allowing employees to use mobile devices to conduct business.  The solutions available are only limited by the firm’s own technology limitations and what is available for each specific device.”  This compartmentalization also makes it easier to wipe a personal mobile phone if an employee leaves the firm, with minimal intrusion to the employee.

Fifth, hedge fund managers should adopt solutions that prohibit or restrict the migration of their information to areas where they cannot control access to such information.  Data loss prevention (DLP) solutions can provide assistance in this area by offering network protection to detect movement of information across the network.  DLP software can also block data from being moved to local storage, encrypt data and allow the administrator to monitor and restrict use of mobile device storage.

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the first entry here.

Eavesdropping

[A]s observed by Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, “Phones have cameras and video cameras, and therefore, the phone can be used as a bugging device.”

Location Privacy

[M]any mobile devices or apps can broadcast the location of the user.  Messing explained that these can be some of the most problematic apps for hedge fund managers because they can communicate information about a firm’s activities through tracking of a firm employee.  For instance, a person tracking a mobile device user may be able to glean information about a firm’s contemplated investments if the mobile device user visits the target portfolio company.  Messing explained, “It is really amazing the amount of information you can glean just from someone’s location.  It can present some actionable intelligence.  General e-mails can have a lot more meaning if you know someone’s location.  Some people think this concern is overblown, but whenever you can collect disparate pieces of information, aggregating all those seemingly innocuous pieces of information can put together a very compelling picture of what is going on.”

Additionally, as Messing explained, “Some hedge fund managers are concerned with location-based social networks and apps, like Foursquare, which advertises that users are at certain places.  You should worry whether that tips someone off as to whom you were meeting with or companies you are potentially investing in.  These things are seemingly harmless in someone’s personal life, but this information could wind up in the wrong hands.  People can potentially piece together all of these data points and perhaps figure out what an employee is up to or what the employee is working on.  For a hedge fund manager, this tracking can have serious consequences.  It is hard to rely on technology to block all of those apps and functions because the minute you address something like Foursquare, a dozen new things just like it pop up.  To some degree you have to rely on education, training and responsible use by your employees.”

Books and Records Retention

Messing explained that while e-mails are generally simple to save and archive, text messages and other messaging types present new challenges for hedge fund managers.  Nonetheless, as Marsh cautioned, “Regardless of the type of messaging system that is used, all types of business-related electronic communications must be captured and archived.  There is no exception to those rules.  There is no exception for people using cell phones.  If I send a text message or if I post something to my Twitter account or Facebook account and it is related to business, it has to be captured.”

Advertising and Communications Concerns

OlenderFeldman’s Messing further explained on this topic, “Social media tends to blur these lines between personal and professional communications because many social media sites do not delineate between personal use and business use.  While there is not any clear guidance on whether using social networking and ‘liking’ various pages constitutes advertising, it is still a concern for hedge fund managers.  You can have your employees include disclaimers that their views are not reflective of the views of the company or that comments, likes or re-Tweets do not constitute an endorsement.  However, you still should have proper policies and procedures in place to address the use of social media, and you have to educate your employees about acceptable usage.”

OlenderFeldman will be speaking at the SES New York 2012 conference about emerging legal issues in search engine optimization and online behavioral advertising. The panel will discuss Legal Considerations for Search & Social in Regulated Industries:

Search in Regulated Industries
Legal Considerations for Search & Social in Regulated Industries
Programmed by: Chris Boggs
Since FDA letters to pharmaceutical companies began arriving in 2009, and with constantly increasing scrutiny towards online marketing, many regulated industries have been forced to look for ways to modify their legal terms for marketing and partnering with agencies and other 3rd party vendors. This session will address the following:

  • Legal rules for regulated industries such as Healthcare/Pharmaceutical, Financial Services, and B2B, B2G
  • Interpretations and discussion around how Internet Marketing laws are incorporated into campaign planning and execution
  • Can a pharmaceutical company comfortably solicit inbound links in support of SEO?
  • Should Financial Services companies be limited from using terms such as “best rates”?

Looks like it will be a great panel. I will post my slideshow after the presentation.

(Updated on 3.22.12 to add presentation below)

Protected Health Information (PHI)

Protected Health Information Privacy Concerns are Rapidly Increasing

OlenderFeldman LLP contributed to the recently released report entitled, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, which can be downloaded for free at http://webstore.ansi.org/phi. As the press release correctly notes, protected health information (PHI) “is now more susceptible than ever to accidental or impermissible disclosure, loss, or theft. Health care organizations (providers, payers, and business associates) are not keeping pace with the growing risks of exposure as a result of electronic health record adoption, the increasing number of organizations handling PHI, and the growing rewards of PHI theft.”

The report provides a 5-step method for assessing security risks and evaluating the “at risk” value of an organization’s PHI, including estimating overall potential data breach costs, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach occurrence.

“Putting Privacy First” was originally published in the August 2011 edition of TechNews.

By: Michael J. Feldman

Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (e.g., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.

As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above only addresses a tiny fraction of the activities which subject you to regulation.

So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.

As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes; each of whom turned consumer concern about automobile safety into a marketing opportunity to distinguish themselves from the competition by marketing their superior safety features.

The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors do, and show that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (e.g., anti-lock brakes) and how it would protect you if you did crash (e.g., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.

A recent data breach demonstrates some relevant concerns. Last week a large marketing firm announced that numerous email addresses, and possibly names and addresses, of customers of some of its large clients (including banks) were compromised. Some might say of email addresses: “No big deal.” Certainly, in and of themselves, email addresses probably don’t qualify as protected personal data under most, if not all, state data breach laws. However, the fallout from the breach has proven somewhat concerning, at least on a reputational front. Numerous articles, blogs, and comments have shown up citing the potential for increased phishing attacks. More importantly, this breach may increase the potential that “spear-phishing” attacks will be successful. Spear-phishing occurs when the bad guys have accurate personal data that they know is attributable to a specific business; thus, they can send a customer an email containing specific details that engender a much higher likelihood of confidence that the email is genuine, allowing the bad guys to potentially gain the additional information needed to do some damage.

From a larger standpoint, this breach demonstrates why businesses must approach privacy and security from an overall information governance standpoint, and internalize privacy decisions in their business offerings. Artificial acronyms or descriptions about the type of data and its perceived sensitivity, adopted without proper thought and analysis, can lead to poor results. Broad assumptions (e.g., that email addresses don’t much matter) don’t work. Privacy must be an internalized function embedded within organizational strategic decisions. A customer name and email address of a bank or brokerage client might be much more sensitive than that of an ordinary retailer providing only brick-and-mortar sales, without offering branded store credit card accounts. This doesn’t mean that ordinary email addresses don’t need protection; they do (particularly if you say you will protect them in your privacy policy). It means that businesses must understand the risk behind the information and the way it is managed, without arbitrarily attaching significance or insignificance to it.

Blindly reading laws, rules, or written industry standards and designing programs solely to meet defined requirements won’t always get a business where it needs to be. Obviously, legal requirements must be interpreted and followed. However, beyond that, a thoughtful approach by people who think through the privacy and security implications is desirable.

For that matter, the same ideas apply to the way in which a business deals with a breach. For example, if email addresses, street addresses, and names are stolen, and there is a concern about “spear-phishing,” it might not be such a great idea for the compromised business to send out notifications via email asking someone to “click here” for more information (Note: The author has no information that this was, or was not, done in the actual case). In such a scenario, the business might want to discourage customers from replying to email messages (the exact vector of the phishing attack).

Moral: Be careful about making arbitrary decisions based upon the perceived sensitivity attributed to the type of information without thinking it through.

Your Privacy Policy Could Have Serious Legal Implications

How many times have you seen website terms of use or privacy policies saying something to the effect of, “We use industry standard best-practice technology to guarantee your sensitive financial transactions are 100% safe and secure”? When you publish these types of statements, you potentially expose your business to deceptive and/or unfair practices claims by attorneys general, state and federal regulators, and private plaintiffs, particularly if there is a data breach involving sensitive information. From a business perspective you may not like the more watered-down version, “While we take reasonable measures to try to protect your sensitive information, we cannot guarantee that your information will be completely secure, etc…” However, industry standards are made to be broken by the nefarious crews who make it their work to steal financial account access numbers, as well as other sensitive information. If you think that you provide the panacea to all online risk, speak up! You may have discovered the golden goose. Until then, think about publishing more accurate, responsible information for your users, which also mitigates your business risk. Besides, being accurate creates user confidence, and these things can be worded in ways that build trust in your brand.

Protecting data applies both when it is in transit and when it is at rest. That means that after you receive the data through an encrypted connection, there are still risks related to its storage and to the points at which it is decrypted and used. Interestingly, the recent HBGary Federal hack against a well-known information security firm demonstrated that even those charged with the task of protecting information are susceptible. In creating your public-facing policy, have you focused on security only at the transmission stage?

About that encrypted transmission: many times these industry standards utilize Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). You know these; they are what make HTTPS possible. We’re often advised to look for the “HTTPS” at the start of the URL, or the lock icon in our browser. In my travels I am astonished to learn that some people think these technologies are infallible. So, once that happens, our connection is secure and invincible, right? Well…maybe.

While the detailed workings of TLS and SSL are way beyond this article (and certainly beyond my ability to fully appreciate) it is interesting to note that researchers have found potential vulnerabilities with SSL, or at least with the supporting browser and trusted authorities concepts necessary for its use in typical online transactions. This is not to say that TLS and SSL are not safe. Quite the contrary, the encryption technology provides good protection for sensitive online transactions and should definitely be used. However, they must be configured correctly, the Certificate Authority (CA) must act appropriately, and the client (user) machine must not be compromised. The security and confidentiality sought through the use of SSL depends upon not only the encryption algorithm, but also the browser and the trust aspect inherent in public key cryptography.

Regarding the encryption itself, while some proclaim that they use “industry standard” technology, they might actually not be using it. SSL version 2.0 was known to have several security vulnerabilities. The Payment Card Industry Data Security Standard (PCI DSS) does not recognize SSL version 2.0 as secure. Only SSL version 3.0 or the later TLS standards may be considered.

Browsers come loaded by default to trust numerous CAs. CAs are entrusted to verify that a site is actually the site it claims to be. In the past, researchers found that known vulnerable certificates had not been revoked by some CAs, and that theoretical or actual “collisions,” where a man-in-the-middle assumes the trusted identity, could happen.

Would it surprise you that, according to some analysis, some sites might still support SSL version 2.0? According to one researcher, as of July 2010 only about 38% of sites using SSL are configured correctly, and 32% contain a previously exposed renegotiation vulnerability. Other researchers exposed approximately 24 possible exploits (of varying criticality) involving man-in-the-middle attacks on SSL when used in browsers.
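The configuration points the article keeps returning to (refusing legacy protocol versions, requiring a certificate, and checking that the certificate matches the host, which is where the CA trust step lives) can be audited from code. The following is an added example, not code from the article or any product it mentions; it uses Python’s standard `ssl` module, treats TLS 1.2 as the modern floor (an assumption made here, since the article only says SSL 2.0 is out and SSL 3.0 or later is acceptable), and shows a weak client context beside a hardened one.

```python
import ssl

# Baseline protocol floor. The article rules out SSL 2.0; the choice of
# TLS 1.2 as the floor is an assumption made in this example.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for a client-side SSLContext; empty means it meets
    the baseline: legacy versions refused, certificate required, host name
    checked against the CA-issued certificate."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, "
                        f"below {MIN_VERSION.name}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required (verify_mode)")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    return findings


def weak_context() -> ssl.SSLContext:
    """A context that accepts whatever the server offers: legacy protocol
    versions allowed, no certificate required, host name not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A context with the checks the article says matter: modern protocol
    floor, certificate required, host name verified against the system
    CA store loaded by create_default_context()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

Running the audit over a context before it is used for a customer-facing connection is one concrete way to confirm that what the policy calls “industry standard” is actually what the code negotiates.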

Most recently, in February 2011, Trusteer reported on some nasty malware they named OddJob. OddJob targets online banking customers. According to Trusteer, OddJob does not reside on the client and thus avoids detection by typical anti-malware software. A fresh copy of OddJob is fetched from a command and control server during a session. OddJob hijacks a session token ID, and reportedly allows the hacker to, essentially, ride along in the background with the user’s session. Of most concern, OddJob allows the hackers to stay logged in to one’s account even after the user purports to log out, thus maximizing the potential for undetected (or later detected) fraud. Significantly, client-side (user-based) malware presents possible risk, some of which may be beyond the online website’s control.
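The part of the OddJob report that is within a website’s control is the last one: whether “logging out” actually ends the session on the server, so that a copied session token stops working. The following is an added example, not Trusteer’s analysis or any bank’s code; it sketches a minimal server-side session store in Python with a fresh token per login, an absolute lifetime (the 15-minute value is assumed), and a logout that invalidates the token on the server rather than merely clearing the browser’s cookie.

```python
import secrets
import time

# Absolute session lifetime in seconds; the value is an assumption for
# this example, not a figure from the article.
SESSION_TTL = 15 * 60


class SessionStore:
    """In-memory registry of live sessions: token -> (user, expiry time).
    A `now` callable is injectable so the expiry logic can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def login(self, user: str) -> str:
        """Issue a fresh, unguessable token on every successful login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def user_for(self, token: str):
        """Resolve a presented token to a user, or None if the token is
        unknown, expired, or has been logged out on the server."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if self._now() >= expires:
            del self._sessions[token]   # expired: forget it server-side
            return None
        return user

    def logout(self, token: str) -> None:
        """Invalidate on the server, so a copy of the token held by
        something riding along in the session stops working too."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice")          # constructed sample user
    print(store.user_for(tok))          # alice
    store.logout(tok)
    print(store.user_for(tok))          # None
```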

So, if we presume that no technology will be absolutely 100% safe and secure, and if the right bad-guys want to target someone or something, why the need to tell users something that is not necessarily accurate?

This is only one example of good practices in vetting what you are actually doing to see how it really measures up, and how your public-facing policies may seem accurate when they really are not. This article focuses on one aspect of security, but the same types of issues arise in privacy as well. Why expose your business to more regulatory risk if there is a breach? Even if you employed good practices and did your best to try to protect the information, false or misleading information in your public-facing terms and policies can come back to haunt you.

Appointing experienced information governance individuals or teams, or using outside resources, can help you identify the disconnects and gaps between what exists, and what you say exists.

Do-Not-Track and Online Behavioral Advertising

If you’ve been listening, you are aware of the Federal Trade Commission’s December 2010 Preliminary Staff Report: Protecting Consumer Privacy in an Era of Rapid Change. (Update: The final FTC Privacy Report has been released.) You also know the Commission has challenged providers to create “Do-Not-Track” technology allowing users to opt-out from on-line behavioral advertising. Reportedly, those things are already in the works. This sounds great, especially to a hermit curmudgeon like me (I can’t delete Flash cookies fast enough). But what are some of the implications of this?

There’s a funny and intriguing article by Jack Shafer on Slate.com in which he ponders who is in the best position to create a web browser that provides robust security for the user. While Mr. Shafer points out that he is not against advertising, he notes it’s not in the best interest of developers to provide iron-clad browsers preventing web-tracking technology because of financial connections to advertising revenue. He also perhaps aptly notes, while he is in favor of the legitimate uses for cookies, “too many Web entrepreneurs observe no limits when they decide to snoop.”

Mr. Shafer postulates there may be a market for such a browser, but includes a quote (sure to become a classic in my book) from his colleague Farhad Manjoo: “I doubt there’s a market for such a browser. People don’t care about privacy. They just say they do. If they did, they wouldn’t use Facebook.”

So, which is it? Are users really ready to give up free content in exchange for privacy? According to a recent Gallup poll 61% of individuals polled felt the privacy intrusion presented by tracking was not worth the free access to content. 67% said that advertisers should not be able to match ads to specific interests based upon websites visited.

What about the other 33-39%? Do they really not care, or are they just not willing to give up the Web they know and love?

How about exploring another option? What if I go to Harry’s Widget Shoppe and I decide to tell Harry that I am extremely interested in buying maroon widgets (we all know they’re the best)? Suppose I also tell Harry to contact me immediately if he comes across any maroon widgets (not blue, yellow or green – just maroon). Why should I have to receive 264 e-mails and see 400 ads in the course of 48 hours from Mildred telling me about how great her blue widgets are? I don’t want blue widgets! I had plenty of them, and they’re nothing but trouble. By the same token, I’m not so hip on seeing 918 ads about teeth whitening either (Note to self: make an appointment with the dentist).

Assuming Mildred paid to obtain my “widget” profile from Harry or one of his network servers, what did she really get for her money? Not much. She probably guaranteed that I won’t buy any widgets from her ever. Well, maybe, if it’s an especially rare maroon widget…you know…like the ones with feathers…(and she buys me dinner). I also might not be talking to Harry anytime soon, either. But, I digress…

Harry has valuable information about me. Information that may well be worth much more to an advertiser than the fact that I visited Harry’s Widget Shoppe.com. What if Harry asked me if it was okay if he provided my information to others who had maroon widgets? What if Harry also told me that these others with whom he shared my information were contractually obligated not to send my information on to anyone else without my permission? Ye Olde Only Maroon Widget Shoppe.com might be willing to pay Harry dearly for that information, I might get my pick of lovely maroon widgets, I won’t see constant ads from other widget sellers in which I have no interest, and my in-box would be much more manageable. Oh, and by the way, I would not feel as if I had totally lost control over information about me.

At its heart, control is a form of choice. While realistically, we have very little real choice left in this world, there are some things we still would like to control. I figure a good proportion of that 33-39% might say the same. I might be willing to share some information, and let you pass it on, if I knew you were not surreptitiously taking it from me, and abiding by my wishes.

So, I suppose the upshot is, it looks like it’s time for business to start asking me for my information and what controls can be placed on it. Through that process alone, the real value in the information is revealed, and I don’t feel swindled.

Just some thoughts, but I could be wrong. Let’s take another poll.