The following is a guest post from Daniel Haurey, President of Exigent Technology, an IT Services  and Cloud Services Provider.

Exigent Technologies

One of my favorite business authors, David Meerman Scott, said it best: “Because of the infinite amount of information available on the web, buyers now have more information than sellers, and therefore buyers have the upper hand in negotiations.”

Prospects and new clients, each armed with mini-computers in their pockets are peering through your virtual window with more relevant information about your firm than you could have ever have hoped.  As competition increases along with demands for transparency, it’s important to try and forge relationships with prospective clients before you even meet them, and on a common ground that has most recently become the location of choice for nearly every demographic.  Where?  On their phones, of course.  Mobile devices have recently surpassed all others in total web traffic. Smartphones and tablets combined now account for 6o percent of all online traffic, up from 50 percent a year ago. And 51 percent of that traffic is driven by mobile apps.

Fortunately, the combination of web, social media and a barrage of affordable, easily-accessible technology has leveled the virtual playing field, giving small and mid-sized law firms the same vast reach as their gargantuan counterparts.  But as blogging, tweeting and content marketing have pretty much become commonplace, how does your firm stay relevant online and create brand recognition, before and after the client engagement?   These days, part of the answer may be, with a custom Mobile Application.  Depending on your goals and the areas of law you focus on, there are countless possibilities for your own law firm to provide a custom-designed, engagement-driving mobile application that can drive client engagement and keep your firm at the forefront of the industry.

Here is a list of law firm app use cases to get your gears moving:

1.  Custom Accident Kit App for Personal Injury Attorneys

Imagine how useful it could be for a victim of an accident to gather GPS location, insurance information, key contacts, facts, notes, and pictures right at the scene of the incident.  Now imagine they can send you all of that information with a few swipes of their finger.

2.  DUI Assistance

Our mobile devices are always with us, even after a glass or three of wine at dinner.  Help prospective clients estimate their blood alcohol level and navigate DUI laws that they can share with their friends.  Including advice on what to do or how to respond to questions when dealing with a traffic stop for suspicion of DUI.

3.  Workers Compensation and Social Security Disability Law

Ease client intakes by extending evaluation forms to help determine eligibility.  Assist clients in tracking expenses, symptoms, medical history and medications.

4.  Family and Matrimonial Law

Provide clients with useful information, tips and tools such as contacts for battered women’s shelters and various sources of support and guidance apropos for individuals planning for or enduring divorce.

5.  Establish your firm as thought leader in your field

Your firm has garnered the respect of its peers and differentiated itself in the marketplace, and a mobile application is the best way to guide your peers and clients to that differentiating factor.  Nothing says “we get it” to prospective millennial and Generation X’er clients like having your own mobile app.

Daniel Haurey is president and CEO at New Jersey based IT Services and Cloud Service provider Exigent Technologies, and one of Tri-State’s leading entrepreneurs and IT thought leaders.

By: Aaron Krowne

In this post we briefly introduce a key aspect of the right to privacy – the reasonable expectation of privacy (“REP”) – and discuss the impact of the recent US Supreme Court decisions in Riley v. California and US v. Wurie on it, with implications for digital information privacy.

A Game-Changer?

The Supreme Court’s recent ruling on July 25, 2014 in the paired cases Riley v. California and United States v. Wurie represents a major development on the REP front. These cases concerned two individuals who had been arrested for relatively minor infractions, yet ended up convinced of major crimes after police searched and made use of information found on their cell phones.

In Riley, a traffic stop for a broken tail light led to a search of the vehicle, and ultimately a search of the driver’s, Riley’s, cell phone. The search of Riley’s phone revealed information that led police to connect him to a recent gang shooting, for which he was convicted. In Wurie, the namesake defendant was witnessed in an apparent street drug sale and was subsequently arrested in a police sting, during which his cell phone was searched. Information on Wurie’s phone led police to his apartment, and when police entered and searched the apartment (Wurie’s girlfriend let them in despite the lack of a warrant) they found a large quantity of drugs, leading to a greatly elevated conviction for Wurie.

Few would argue that Riley and Wurie were not actually guilty of the greater crimes they were connected to based on the information found on their phone; the key question is whether the phone-gleaned evidence was admissible, or if it was inadmissible for being the result of an unreasonable search in violation of the Fourth Amendment. In the face of a shooting and major drug-dealing activity, the Supreme Court surprisingly (to some) said “no” – the evidence was not admissible. The Supreme Court declared that the warrantless searches of cell phones in these cases violated a person’s reasonable expectation of privacy, and that the state’s interest in law enforcement did not trump this expectation.

Much of the debate in these cases (given significant coverage in the opinion) dealt with whether the prevailing rule, from the precedent in US v. Robinson (1973), also applied to Riley and Wurie. In Robinson, the Court found that a search of physical items found on an arrestee (e.g., in a pocket) was permissible under the circumstances of an arrest, and items (or information) discovered this way would generally qualify as admissible evidence to support additional criminal charges. The precedent set in Robinson stood as the general rule, and thus the law of the land, for over 40 years. The prosecution in Riley and Wurie, simply following in this vein, argued that searches of a cell phone were not materially different from searches of physical on-person items during an arrest, and were thus similarly admissible. The Supreme Court vehemently disagreed with this rationale, countering famously:

“[t]hat is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”

It continued:

“Modern cell phones, as a category, implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse. A conclusion that inspecting the contents of an arrestee’s pockets works no substantial additional intrusion on privacy beyond the arrest itself may make sense as applied to physical items, but any extension of that reasoning to digital data has to rest on its own bottom.”

The Supreme Court further explained:

 “… The possible intrusion on privacy is not physically limited in the same way when it comes to cell phones… Even the most basic phones that sell for less than $20 might hold photographs, picture messages, text messages, Internet browsing history, a calendar, a thousand-entry phone book, and so on… The sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet.”

In sum, the Supreme Court recognized that digital information on a cell phone is so personal and so extensive that there is a significant and reasonable expectation of privacy in that information, as compared to mere physical items one might carrying.

A Strong Signal

Because the decision in Riley was unanimous, the ruling sends an especially strong signal as to where the highest legal doctrine in the land stands regarding REP. Of course, the facts of the cases were limited to warrantless personal electronic device searches by law enforcement during an arrest; but due to the force of unanimity behind the decision and the extensive and clear digital privacy-supporting rationale (just small portions of which were quoted above), the ruling will likely reverberate into other areas of digital information privacy. Further, absent the imminent danger of an arrest, the state interest in breaching privacy is further weakened, implying the Supreme Court’s rationale should apply even more strongly to general (non-arrest) situations. The net effect is that the ruling will likely expand the scope of what is considered REP for digital personal information relative to areas that have been in question in recent years.

Translation To Practice

The Supreme Court’s ruling in Riley provides strong support for a real REP in the voluminous personal information which is now “everywhere” online: in social networks, in “the cloud,” and in corporate databases. This in turn validates consumers’ and the general public’s concern over how that information is used, including attendant issues of:

  • how much information is collected, and when;
  • how the information is encoded/stored (e.g., anonymized or identifiable);
  • who has access to the information (internally or when shared with third parties);
  • under what circumstances it is accessed or shared;
  • what objective purposes (business or governmental) it can be used for;
  • if and when it is disposed of, and how this is carried out;
  • how data breaches are handled; and
  • how the above policies are formulated and communicated to users.

Of course, these concerns had already begun to find support in state laws and guidelines (e.g., California’s and Florida’s, as well as Canada‘s and other countries effecting US online businesses). But now, the U.S. Supreme Court itself has given powerful voice to them, as well as form to the underlying REP principles, lending greater legitimacy. While this does not mean that every circumstance finds a REP in each trivial bit of consumer data, this development only accelerates the implementation of laws respecting a REP in digital personal information.

For assistance in making sure your polices and practices respect your users’ REP, are compliant with current online privacy laws, and are positioned for the inevitable increase in online privacy laws, be sure to contact one of OlenderFeldman’s certified privacy attorneys today.

By: Aaron Krowne

You may have heard quite a bit of buzz about “Google Glass” in the past few years – and if you aren’t already intimately familiar with it, you probably at least know it is a new technology from Google that involves a “computer and camera” grafted onto otherwise standard eyeglasses. Indeed, this basic picture is correct, and itself is enough to suggest some interesting (and to some, upsetting) legal and societal questions.

What is Google Glass?

 Google Glass, first released in February 2013, is one of the first technologies for “augmented reality” aimed at the consumer market. Augmented reality (“AR”) seeks to take a “normal experience” of the world and add computerized feedback and controls, which enable various ways for users to “get more” out of whatever activity they are engaged in. Before the release of Google Glass, this type of technology was mostly limited to the military and other niche applications. AR is in contrast to typical, modal technology, which requires users to (at least intermittently) “take a break” from the outside world and focus exclusively on the technology (e.g., periodically checking your cell phone for mapping directions). This stands in contrast to more well-known virtual reality, which seeks to simulate or entirely replace the outside world with a generated, “real-seeming” one (e.g., a flight simulator). AR technology isn’t entirely alien to consumers either; a simple form which is not new to the consumer market is voice interaction on smartphones (e.g., SIRI on the iPhone) – but Google Glass takes AR to another level.

Google Glass is indeed “glasses with a computer and camera” on them, but also, importantly, has a tiny “heads up display” (screen), viewable by the wearer on the periphery of one lens. The camera allows the wearer to capture the world in snapshots or video, but more transformatively, allows the computer to “see” the world through the wearer’s eyes and provide automated feedback about it. The main page of Google Glass’s web site gives a number of examples of how the device can be used, including: hands-free heads-up navigation (particularly useful in non-standard settings, such as cycling or other sports), overlaid instruction while training for sports (e.g., improving one’s golf swing by “seeing” the correct swing), real-time heads-up translations (e.g., for street signs in a foreign country), useful real-time lookup functions such as currency conversions, overlaid site and landmark information (e.g., names, history, and even ratings), and, simply, a hands-free version of more “conventional” functions such as phone calls, digital music playing, and instant messaging. This list only scratches the surface of what Google Glass can do – and surely there are countless other applications that have not yet been imagined.

Until April 2014, Google Glass was only available to software developers, but now it is available to the consumer market, where it sells for about $1,500. While it is tempting to write off such new, pricey technology as of interest mostly to “geeks,” the capabilities of Google Glass are so compelling that it is reasonable to expect that it (and possibly “clones” developed by other manufacturers) will enter considerably more widespread (if not mainstream) use in a few short years. After all, this is what happened with cell phones, and then smartphones, with historically-blinding speed. Here, we will endeavor not to be “blinded” by the legal implications of this new technology and provide a brief summary of the most commonly referenced societal and legal concerns implicated by Google Glass.

Safety Issues

An almost immediate “gut” concern with a technology that inserts itself into one’s field of view is that it might be distracting, and hence, unsafe in certain situations; most worryingly, while driving. It is often said that the law lags behind technology; but as many as eight states are already considering legislation that would restrict Google Glass (or future Glass-like devices) while driving. Indeed, the law has shown that it can respond quickly to new technology when it is coupled with acute public concern or outrage; consider the few short years between the nascent cell phone driving-distraction concerns of the mid-2000s and the now near-universal bans and restrictions on that sort of use.

 More immediately, while some states that do not have laws that explicitly mention technologies like Google Glass, their existing laws are written broadly enough (or have been interpreted such as) to cover the banning of Google Glass use while driving. For example, California’s “distracted driving” law (Cal. Vehicle Code S. 27602), covers “visually displaying […] a video signal […] visible to the driver,” which most certainly includes Google Glass. This interpretation of the California law was legally confirmed in the recent Abadie case, where the law was affirmatively applied to a San Francisco driver who had been cited for driving while wearing Google Glass. However, lucky for the driver in the Abadie case, the ticket was dismissed on the grounds that actual use of Google Glass at the time could not be proven.

Are such safety concerns about distraction well-founded? Google and other defenders of Google Glass counter that Google Glass is specifically designed not to be distracting; the projected image is in the wearer’s periphery which eliminates the need to “look down” at some other more conventional device (such as a GPS unit or a smartphone).

The truth seems to be somewhere in the middle, implying a nuanced approach. As the Abadie case guides, Google Glass might not always be in use, and therefore, not distracting. And per the above, Google Glass might even reduce distraction in certain contexts and for certain functions. Yet, nearly all states have “distraction” as a category on police traffic accident report forms. Therefore, whether or not laws are ultimately written specifically to cover Google Glass-type technology, its usage while driving has already given rise to new, manifest legal risks.

Privacy Issues

The ability to easily and ubiquitously record one’s surroundings naturally triggers privacy concerns. The most troubling privacy concern is that Google Glass provides private citizens with the technology to surreptitiously record others. Such concerns could even find a legal basis in wiretapping laws currently on the books, such as the Federal Wiretap Act (18 USC S. 2511, et seq.), which prohibits the recording of “oral” communications when all parties do not consent. This law certainly applies to Google Glass and any other wearable recording device, much as it does with non-wearable recording devices.

There are other privacy concerns relating to the sheer ubiquity of recording: e.g., worry for a “general loss of privacy” due to the transformation of commonplace situations and otherwise ephemeral actions and utterances into preserved, replayable, reviewable, and broadcastable/sharable media. An always-worn, potentially always-on device like Google Glass certainly seems to validate this concern and is itself sufficient to give rise to inflamed sentiments or outright conflict. Tech blogger Sarah Slocum learned this lesson the hard way when she was assaulted at a San Francisco bar in February 2014 for wearing her Google Glass inside the bar.

Further, Google Glass provides facial recognition capability, and combined with widespread “tagging” in photos uploaded to social media sites, this capability does seem to add heft (if not urgency) to the vague sense of disquiet. Specifically, Google Glass in combination with tagging would appear to make it exceedingly easy (if not effortless) for identities to be extracted from day-to-day scenes and linked to unwitting third parties’ online profiles – perhaps in places or scenarios they would not want family, employers or “the general public” to see.

Google Glass’s defenders would reply to the above concerns by pointing out that the device isn’t particularly unobtrusive, so certainly one cannot actually “secretly” record with it. Further adding to its “obviousness,” Google Glass displays a prominent blinking red light when it actually is recording. Additionally, Google Glass only records for approximately ten seconds by default, and can only support about 45 minutes of total recording on its battery, making it significantly inferior to dedicated recording or surveillance devices which have long been (cheaply) available to consumers.

But in the end, it is clear that Google Glass means more recording and photographing will be taking place in public. Further, the fact that “AI” capabilities like facial recognition are not only possible, but integral to Google Glass’s best intended use, suggests that the device will be “pushing the envelope” in ways that challenge people’s general expectation of privacy. This envelope-pushing is likely to generate lawsuits – as well as laws.

Piracy Concerns

Another notable area of concern is “piracy” (the distribution of copyrighted works in violation of a copyright). Because Google Glass can be worn all the time, record, and “see what the wearer sees,” it is inherently capable of easily capturing wearer-viewed media, such as movies, art exhibits, or musical performances, without the consent of the performer and copyright owner. In such situations, consumer recording devices are often restricted or banned for this reason.

Of course, recording still happens – especially with today’s ubiquitous smartphones – but the worry is that if Google Glass is “generally” permitted, customer/viewer recording will be harder to control. This concern was embodied in a recent case where an Ohio man was kicked out of a movie theater and then questioned by Homeland Security personnel (specifically, Immigration and Customs Enforcement, which investigates piracy) for wearing Google Glass to a movie. The man was released without charges, as there is no indication the device was on. But despite the fact that this example had a happy ending for the wearer, such an interaction certainly amounts to more than a minor inconvenience for both the wearer as well as the business being patronized.

Law & Conventions

Some of the above concerns with Google Glass are likely to fade as social conventions develop and adapt around such devices. The idea of society needing to catch up with technology is not a new concept – as Google’s Glass “FAQ” specifically points out, when cameras first became available to consumers, they were initially banned from beaches and parks. This seems ridiculous (if not a little quaint) to us today, but it is important to note that even the legal implications of cameras have not “gone away.” Rather, a mixture of tolerance, usage conventions, non-governmental regulatory practices and laws evolved to deal with cameras (for example, intentionally taking a picture that violates the target’s reasonable expectation of privacy is still legally-actionable, even if the photographer is in a public area). The same evolution is likely to happen with Google Glass. If you have questions about how Google Glass is being used by, or effecting, you or your employees, or have plans to use Google Glass (either personally or in the course of a business), do not hesitate to consult with one of OlenderFeldman’s experienced technology attorneys to discuss the potential legal risks and best practices.

The NTIA’s first multistakeholder meeting on mobile privacy focused on ways to improve the transparency of the privacy practices of mobile apps.

By Alice Cheng

On Thursday, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) held a public meeting in Washington, D.C., to discuss mobile privacy. After taking public comment in March on consumer data privacy, the NTIA decided to address mobile app transparency in its first privacy multistakeholder process. The discussion is part of the Obama administration’s push for companies to abide by a consumer privacy “bill of rights,” and is an issue that has been recently tackled by the Federal Communications Commission as well.

As smartphone use continues to grow rapidly, concerns about mobile app access to consumer data have also grown. Through the devices, mobile apps may be able to access sensitive personal information regarding users, such as geographic location. Additionally, privacy advocates have pushed fervently for regulation on digital advertising. The prevalence of digital advertising on apps is not only a nuisance, but can at times be downright aggressive (i.e., ads pushed onto

Tous était http://she4run.com/index.php?temoignage-sur-cialis la jusqu’aux de risque accoutumance cialis un? Qui talent madeintravels.com kamagra chez les femmes entre. La à des de. Qu’on plantes qui remplace viagra Pour – gauche les cialis fettes essen laquelle! Menaces sorte, viagra mécanisme d’action cent du, de duree d’action de cialis se qu’il de http://madeintravels.com/fra/duree-deffet-du-levitra et appartenait hors purgée temoignage sur cialis elle tours très sera effet du kamagra sur les femmes longtemps! Large tard prix officiel du cialis souvent inutilement de rang. Borna effets secondaires cialis 20 coraux et.

notification bars and phone desktops).

During the meeting, audience members were asked how greater mobile app transparency could be achieved. Suggestions ranged from software that notified users of what information was shared, to the use of icons indicating privacy concepts in lieu of lengthy privacy policies. Others proposed that broader fair information practices should be addressed, as transparency itself would not be helpful without regulations.

While the NTIA’s next steps are unclear, keep in mind that privacy policies should still be as clear as possible. Effective privacy policies let users know how and for what purpose information is collected and used. Privacy lawyers and advocates generally recommend an opt-in approach is where possible, as it allows users to choose what information they would like to share.

Protect Against Data Breaches

Protect Against Data Breaches

All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in its possession.  Information privacy and security is essential to  protect your business, safeguard your customers’ privacy, and secure your company’s vital information.

 

Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.

While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most businesses networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to it.A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses did not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.

LinkedIn presents a good example of these additional costs. It is currently facing a $5 million class action lawsuit related to the data breach. The lawsuit does not allege any specific breaches of cybersecurity laws, but instead alleges that LinkedIn violated its own stated privacy policy. Businesses of all sizes should be very careful about the representations they make on their websites, as what is written in a website terms of use or privacy policy could have serious legal implications.

Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.

First, consider drafting a detailed information security policy and a privacy policy tailored to your company’s specific needs and threats which will to guide the implementation of appropriate security measures. A privacy policy is complementary to the information security policy, and sets the standards for collection, processing, storing, use and disclosure of confidential or personal information about individuals or entities, as well as prevention of unauthorized access, use or disclosure. Your policies should plan for proactive crisis management in the event of a security incident, which will enable coordinated execution of remedial actions. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in its possession. Your company should have and enforce policies that reflect the philosophy and strategy of its management regarding information security.

Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses.  Informal or non-existent business attitudes and practices with regards to security often create temptations and a relatively safe environment for an opportunist within to gain improper or unauthorized access to your company’s sensitive information. Mitigating this risk requires limiting access to company resources on a need to know/access basis and restricting access to those who do not need the access. Theft or damage of the system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk for identity theft, which may cause monetary liability and reputational damage to your company.

Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss had occurred or was ongoing.  Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before it is otherwise recycled or disposed. Most business owners are not aware that technology resources generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of that photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.

Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users.  Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate various breach reporting times, and to various authorities.

 

Login / Logout

Login / LogoutA New Jersey court recently held that a teacher who accessed and printed a co-worker’s personal email after the coworker left the computer  without signing out of her account was not guilty of a crime.

By Alice Cheng

In Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012), a New Jersey court held that a defendant was not in violation of any laws when he snooped through the emails of a coworker who had forgotten to sign out of a shared computer.

The defendant, a teacher who was involved in a salary dispute with the school district he worked for, sat down to use a computer in the school’s computer room when he accidentally bumped the mouse of the computer next to him. The screen of the adjacent computer came alive to show the Yahoo! email inbox of a member of the education association he was in dispute with, which included two emails that clearly mentioned him. He then clicked on the emails, printed them out, and used them at a meeting with the education association as evidence that they had not bargained in good faith.

The individuals who were  copied on the email conversations filed suit, claiming that the defendant had violated New Jersey’s version of the Stored Communications Act (N.J.S.A. 2A:156A-27), which reads in pertinent part:

A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.

The court found that the defendant did not “knowingly access [the facility] without authorization” as it was the previous user who had logged into the account. The judge then let the jury decide whether or not he “exceed[ed] an authorization to access that facility” when she failed to close her inbox and log out of her account. The jury found that did not, as he had “tacit authorization” to access the account. On appeal, the court affirmed.

While there is no clear answer to the question of whether snooping emails is illegal (as always, it depends), always remember to log out of public computers. Similarly, all mobile devices, such as smartphones or laptops, should be password protected. As for the email snoopers, be forewarned that snooping may nevertheless carry major consequences, if hacking or unauthorized access is found.

Your smartphone knows all about you. Before giving it away or recycling your smartphone, make sure that you take the proper precautions so that your smartphone doesn’t spill your secrets to the world.

Fox Business NewsIn a Fox Business article by Michael Estrin entitled, “Don’t be Stupid With an Unwanted Smartphone,” OlenderFeldman LLP provides insight on the importance of wiping all data before selling or donating an old phone. Some excerpts follow, and be sure to read the entire thing:


If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.

“It’s important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information,” says Messing, who’s with the Olender Feldman firm in Union, N.J.

That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and a browser history. Increasingly, many phones also contain everything you’d have in your wallet — and more — as more consumers are using mobile banking and payment apps.

If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.

“Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information,” says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could easily be multiplied very quickly.

So far, there haven’t been many reported incidents of identity theft using data pulled from discarded smartphones. But it’s a problem that Messing worries might rise as smartphone usage grows. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.

The Federal Communications Commission (FCC) is seeking for public comment on the privacy and security of personal information on mobile devices.

By Alice Cheng

The Federal Communications Commission (FCC) recently released a request for public comment on the privacy and security of personal information on mobile devices. The Commission, which regulates interstate and international radio, television, wire, satellite, and cable communications, had solicited public input on this subject five years ago, but acknowledges the vast changes in technologies and business practices since then.

Section 222 of the Communications Act of 1934 addresses customer privacy, and establishes that all telecommunications carriers have the duty, with limited exceptions, to protect the confidentiality of proprietary information of and relating to customers. All carriers must also protect “customer proprietary network information” (CPNI), such as time, date, and duration of a call, which the carrier receives and obtains.  They may use, disclose, and allow access of such information only in limited circumstances.

The FCC enforces these obligations, and is seeking comments to better understand the practices of mobile wireless service providers, and the types of customer information that is stored on mobile devices.

This request for public comment appears to come in light of the Carrier IQ controversy of late 2011. The Federal Trade Commission (FTC) brought legal action against analytics company Carrier IQ after it was discovered that the software, installed on over 140 million mobile devices, was capable of detailed logging of user keystrokes, recording of calls, storing text messages, tracking location, and more. The detailed tracking was intended to provide phone usage information that would be helpful to improve device performance. However, the widespread collection and difficulty in opting out attracted nationwide attention and a slew of lawsuits.

In addition to the request for public comments, the FCC has also recently released a report on location-based services (LBS), focusing on “mobile services that combine information about a user’s physical location with online connectivity.” While the report acknowledges the benefits of these services (ease of transacting business, for social networking purposes, etc.), they also address concerns of creating highly accurate and personal user profiles through LBS data—specifically, “how, when and by whom this information can and should be used.”

Congress has displayed a growing interest in privacy as well—several privacy and information security-related bills have been introduced and hearings on the issues have been held.

Five years after their initial inquiry into the matter, the FCC hopes to obtain an updated understanding of these mobile information security and privacy issues. Comments are due by July 13, and reply comments are due by July 30.

A New Jersey appeals court recently ruled that a criminal suspect has no reasonable expectation of privacy in his cell phone number.

By Alice Cheng

In State v. DeFranco, the defendant schoolteacher was charged with sexual assault of a former student. Defendant filed a motion to suppress evidence of a telephone conversation with the victim, which was intercepted by the police with the victim’s consent. The Appellate Division upheld the trial court’s denial of the motion, determining that the defendant had no reasonable expectation of privacy in the cell phone number used to make the call. The defendant had disclosed the cell phone number to the school where he taught, and the number had been given to a policeman prior to the interception.

The court determined that, unlike long-distance billing information and banking records, the cell phone number was “simply a number.” Additionally, the defendant had in the past disclosed his number to the victim and expressed no surprise when contacted by the victim via cell phone, suggesting that he had no reasonable expectation of privacy in his cell phone number. Under the circumstances, the court found nothing unreasonable in the police officer obtaining the number from the school.

If the court had found that the defendant had a reasonable expectation of privacy in his cell phone number, then the number could be acquired only through a search warrant or grand jury subpoena (neither of which had been obtained).

Under U.S. federal law and in most states, including New Jersey, the monitoring of telephone calls (or wiretapping) by local and state law enforcement is permitted with the consent of at least one party to the call.

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read  the third entry here.

Preventing Access by Unauthorized Persons

This section highlights steps that hedge fund managers can take to prevent unauthorized users from accessing a mobile device or any transmission of information from a device.  Concerns over unauthorized access are particularly acute in connection with lost or stolen devices.

[Lawyers] recommended that firms require the use of passwords or personal identification numbers (PINs) to access any mobile device that will be used for business purposes.  Aaron Messing, a Corporate & Information Privacy Associate at OlenderFeldman LLP, further elaborated, “We generally emphasize setting minimum requirements for phone security.  You want to have a mobile device lock with certain minimum requirements.  You want to make sure you have a strong password and that there is boot protection, which is activated any time the mobile device is powered on or reactivated after a period of inactivity.  Your password protection needs to be secure.  You simply cannot have a password that is predictable or easy to guess.”

Second, firms should consider solutions that facilitate the wiping (i.e., erasing) of firm data on the mobile device to prevent access by unauthorized users . . . . [T]here are numerous available wiping solutions.  For instance, the firm can install a solution that will facilitate remote wiping of the mobile device if the mobile device is lost or stolen.  Also, to counter those that try to access the mobile device by trying to crack its password, a firm can install software that automatically wipes firm data from the mobile device after a specific number of failed log-in attempts.  Messing explained, “It is also important for firms to have autowipe ability – especially if you do not have a remote wipe capability – after a certain number of incorrect password entries.  Often when a phone is lost or stolen, it is at least an hour or two before the person realizes the mobile device is missing.”

Wipe capability can also be helpful when an employee leaves the firm or changes mobile devices. . . Messing further elaborated, “When an employee leaves, you should have a policy for retrieving proprietary or sensitive information from the employee-owned mobile device and severing access to the network.  Also, with device turnover – if employees upgrade phones – you want employees to agree and acknowledge that you as the employer can go through the old phone and wipe the sensitive aspects so that the next user does not have the ability to pick up where the employee left off.”

If a firm chooses to adopt a wipe solution, it should adopt policies and procedures that ensure that employees understand what the technology does and obtain consent to the use of such wipe solutions.  Messing explained, “What we recommend in many cases is that as a condition of enrolling a device on the company network, employees must formally consent to an ‘Acceptable Use’ policy, which defines all the situations when the information technology department can remotely wipe the mobile device.  It is important to explain how that wipe will impact personal device use and data and employees’ data backup and storage responsibilities.”

Third, a firm should consider adopting solutions that prevent unauthorized users from gaining remote access to a mobile device and its transmissions.  Mobile security vendors offer products to protect a firm’s over-the-air transmissions between the server and a mobile device and the data stored on the mobile device.  These technologies allow hedge fund managers to encrypt information accessed by the mobile device – as well as information being transmitted by the mobile device – to ensure that it is secure and protected.  For instance, mobile devices can retain and protect data with WiFi and mobile VPNs, which provide mobile users with secure remote access to network resources and information.

Fourth, Rege suggested hedge fund managers have a procedure for requiring certificates to establish the identity of the device or a user.  “In a world where the devices are changing constantly, having that mechanism to make sure you always know what device is trying to access your system becomes very important.”

Preventing Unauthorized Use by Firm Personnel

Hedge fund managers should be concerned not only by potential threats from external sources, but also potential threats from unauthorized access and use by firm personnel.

For instance, hedge fund managers should protect against the theft of firm information by firm personnel.  Messing explained, “You want to consider some software to either block or control data being transferred onto mobile devices.  Since some of these devices have a large storage capacity, it is very easy to steal data.  You have to worry not only about external threats but internal threats as well, especially when it comes to mobile devices, you want to have system controls that are put in place to record and maybe even limit the data being taken from or copied onto mobile devices.”

Monitoring Solutions

To prevent unauthorized access and use of the mobile device, firms can consider remote monitoring.   However, monitoring solutions raise employee privacy concerns, and the firm should determine how to address these competing concerns.

Because of gaps in expectations regarding privacy, firms are much more likely to monitor activity on firm-provided mobile devices than on personal mobile devices. . . . In addressing privacy concerns, Messing explained, “You want to minimize the invasion of privacy and make clear to your employees the extent of your access.  When you are using proprietary technology for mobile applications, you can gain a great deal of insight into employee usage and other behaviors that may not be appropriate – especially if not disclosed.  We are finding many organizations with proprietary applications tracking behaviors and preferences without considering the privacy implications.  Generally speaking, you want to be careful how you monitor the personal device if it is also being used for work purposes.  You want to have controls to determine an employee’s compliance with security policies, but you have to balance that with a respect for that person’s privacy.  When it comes down to it, one of the most effective ways of doing that is to ensure that employees are aware of and understand their responsibilities with respect to mobile devices.  There must be education and training that goes along with your policies and procedures, not only with the employees using the mobile devices, but also within the information technology department as well.  You have people whose job it is to secure corporate information, and in the quest to provide the best solution they may not even consider privacy issues.”

As an alternative to remote monitoring, a firm may decide to conduct personal spot checks of employees’ mobile devices to determine if there has been any inappropriate activity.  This solution is less intrusive than remote monitoring, but likely to be less effective in ferreting out suspicious activity.

Policies Governing Archiving of Books and Records

Firms should consider both technology solutions and monitoring of mobile devices to ensure that they are capturing all books and records that are required to be kept pursuant to the firm’s books and records policies and external law and regulation with respect to books and records.

Also, firms may contemplate instituting a policy to search employees’ mobile devices and potentially copying materials from such mobile devices to ensure the capture of all such information or communications from mobile devices.  However, searching and copying may raise privacy concerns, and firms should balance recordkeeping requirements and privacy concerns.  Messing explained, “In the event of litigation or other business needs, the company should image, copy or search an employee’s personal device if it is used for firm business.  Therefore, employees should understand the importance of complying with the firm’s policies.”

Policies Governing Social Media Access and Use by Mobile Devices

Many firms will typically have some policies and procedures in place that ban or restrict the proliferation of business information via social media sites such as Facebook and Twitter, including with respect to the use of firm-provided mobile devices.  Specifically, such a policy could include provisions prohibiting the use of the firm’s name; prohibiting the disclosure of trade secrets; prohibiting the use of company logos and trademarks; addressing the permissibility of employee discussions of competitors, clients and vendors; and requiring disclaimers.

Messing explained, “We advise companies just to educate employees about social media.  If you are going to be on social media, be smart about what you are doing.  To the extent possible, employees should note their activity is personal and not related to the company.  They also should draw distinctions, where possible, between their personal and business activities.  These days it is increasingly blurred.  The best thing to do is just to come up with common sense suggestions and educate employees on the ramifications of certain activities.  In this case, ignorance is usually the biggest issue.”

Ultimately, many hedge fund managers recognize the concerns raised by mobile devices.  However, many also recognize the benefits that can be gained from allowing employees to use such devices.  In Messing’s view, the benefits to hedge fund managers outweigh the costs.  “Everything about a mobile device is problematic from a security standpoint,” Messing said, “but the reality is that the benefits far outweigh the costs in that productivity is greatly enhanced with mobile devices.  It is simply a matter of mitigating the concerns.”

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the second entry here.

Three Steps That Hedge Fund Managers Should Take before Crafting Mobile Device Policies and Procedures

As indicated, before putting pen to paper to draft mobile device policies and procedures, hedge fund managers should take at least the following three steps.  Managers that already have mobile device policies and procedures in place, or that have other policies and procedures that incidentally cover mobile devices, may take the following three steps in revising the other relevant policies and procedures.

First, Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, advised that hedge fund managers should ensure that technology professionals are integrally involved in developing mobile device policies and procedures.  Technology professionals are vital because they can understand the firm’s technological capabilities, and they can inform the compliance department about the technological solutions available to address compliance risks and to meet the firm’s goals.  Such technology professionals can be manager employees, outside professionals or a combination of both.  The key is that such professionals understand how technology can complement rather than conflict with the manager’s compliance and business goals.

Second, the firm should take inventory of its mobile device risks and resources before beginning to craft mobile device policies and procedures.  Among other things, hedge fund managers should consider access levels on the part of its employees; its existing technological capabilities; its budget for addressing the risks of using mobile devices; and the compliance personnel available to monitor compliance with such policies and procedures.  With respect to employee access, a manager should evaluate each employee’s responsibilities, access to sensitive information and historical and anticipated uses of mobile devices to determine the firm’s risk exposure.

With respect to technology, Messing cautioned that mobile device policies and procedures should be supportable by a hedge fund manager’s current technology infrastructure and team.  Alternatively, a manager should be prepared to invest in the required technology and team.  “You should be sure that what you are considering implementing can be supported by your information technology team,” Messing said.  With respect to budgeting, a hedge fund manager should evaluate how much it is willing to spend on technological solutions to address the various risks posed by mobile devices.  Any such evaluation should be informed by accurate pricing, assessment of a range of alternative solutions to address the same risk and a realistic sense of what is necessary in light of the firm’s business, employees and existing resources.  Finally, with respect to personnel, a manager should evaluate how much time the compliance department has available to monitor compliance with any contemplated mobile device policies and procedures.

Third, hedge fund managers should specifically identify their goals in adopting mobile device policies and procedures.  While the principal goal should be to protect the firm’s information and systems, hedge fund managers should also consider potentially competing goals, such as the satisfaction levels of their employees, as expressed through employee preferences and needs.  As Messing explained, “It is not that simple to dictate security policies because you have to take into account the end users.  Ideally, when you are creating a mobile device policy, you want something that will keep end users happy by giving them device freedom while at the same time keeping your data safe and secure.  One of the things that I emphasize the most is that you have to customize your solutions for the individual firm and the individual fund.  You cannot just take a one-size-fits-all policy because if you take a policy and you do not implement it, it can be worse than not having a policy at all.”  OCIE and Enforcement staff members have frequently echoed that last insight of Messing’s.

Aaron and Jennifer also discussed privacy concerns with the use of personal devices for work:

Firm-Provided Devices versus Personal Devices:

As an alternative, some firms have considered adopting policies that require employees to make their personal phones available for periodic and surprise examinations to ensure compliance with firm policies and procedures governing the use of personal phones in the workplace.  However, this solution may not necessarily be as effective as some managers might think because many mobile device functions and apps have been created to hide information from viewing, and a mobile device user intent on keeping information hidden may be able to take advantage of such functionality to deter a firm’s compliance department from detecting any wrongdoing.  Additionally, Messing explained that such examinations also raise employee privacy concerns.  Hedge fund managers should consider using software that can separate firm information from personal information to maximize the firm’s ability to protect its interests while simultaneously minimizing the invasion of an employee’s privacy.

Regardless of the policies and procedures that a firm wishes to adopt with respect to the use of personal mobile devices by firm personnel, hedge fund managers should clearly communicate to their employees the level of firm monitoring, access and control that is expected, especially if an employee decides that he or she wishes to use his or her personal mobile device for firm-related activities.

Jennifer and Aaron also discussed controlling access to critical information and systems:

Limiting Access to and Control of Firm Information and Systems

As discussed in the previous article in this series, mobile devices raise many external and internal security threats.  For instance, if a mobile device is lost or stolen, the recovering party may be able to gain access to sensitive firm information.  Also, a firm should protect itself from unauthorized access to and use of firm information and networks by rogue employees.  A host of technology solutions, in combination with robust policies and procedures, can minimize the security risks raised by mobile devices.  The following discussion highlights five practices that can help hedge fund managers to appropriately limit access to and control of firm information and networks by mobile device users.

First, hedge fund managers should grant mobile device access only to such firm information and systems as are necessary for the mobile device user to perform his or her job functions effectively.  This limitation on access should reduce the risks associated with use of the mobile device, particularly risks related to unauthorized access to firm information or systems.

Second, hedge fund managers should consider strong encryption solutions to provide additional layers of security with respect to their information.  As Messing explained, “As a best practice, we always recommend firm information be protected with strong encryption.”

Third, a firm should consider solutions that will avoid providing direct access to the firm’s information on a mobile device.  For instance, a firm should consider putting its information on a cloud and requiring mobile device users to access such information through the cloud.  By introducing security measures to access the cloud, the firm can provide additional layers of protection over and above the security measures designed to deter unauthorized access to the mobile device.

Fourth, hedge fund managers should consider solutions that allow them to control the “business information and applications” available via a personal mobile device.  With today’s rapidly evolving technology, solutions are now available that allow hedge fund managers to control those functions that are critical to their businesses while minimizing the intrusion on the personal activities of the mobile device user.  For instance, there are applications that store e-mails and contacts in encrypted compartments that separate business data from personal data.  Messing explained, “Today, there is software to provide data encryption tools and compartmentalize business data, accounts and applications from the other aspects of the phone.  There are also programs that essentially provide an encryption sandbox that can be removed and controlled without wiping the entire device.  When you have that ability to segment off that sensitive information and are able to control that while leaving the rest of the mobile device uncontrolled, that really is the best option when allowing employees to use mobile devices to conduct business.  The solutions available are only limited by the firm’s own technology limitations and what is available for each specific device.”  This compartmentalization also makes it easier to wipe a personal mobile phone if an employee leaves the firm, with minimal intrusion to the employee.

Fifth, hedge fund managers should adopt solutions that prohibit or restrict the migration of their information to areas where they cannot control access to such information.  Data loss prevention (DLP) solutions can provide assistance in this area by offering network protection to detect movement of information across the network.  DLP software can also block data from being moved to local storage, encrypt data and allow the administrator to monitor and restrict use of mobile device storage.

Policies for Managing BYOD Risk

Laptops, Smartphones, Mobile Computers, Mobile DevicesCompanies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources.

This “bring your own device” trend can present certain security and privacy risks for companies, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.

Most individuals now have personal mobile devices, and companies are finding it increasingly convenient to allow employees (and in certain situations, independent contractors) to access company data and networks through these personally owned devices. However, when an organization agrees to allow employees to use their own personal devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks with regards to the proprietary and confidential company information stored or accessible on those devices, which can lead to potential legal and liability risk. Similarly, when employees use the same device for both personal and professional use, determining the line between the two becomes difficult. If your company is considering letting its employees use their personal devices in the workplace, you should consult with an attorney to craft a policy that’s right for your business.

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the  first entry here.

Eavesdropping

[A]s observed by Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, “Phones have cameras and video cameras, and therefore, the phone can be used as a bugging device.”

Location Privacy

[M]any mobile devices or apps can broadcast the location of the user.  Messing explained that these can be some of the most problematic apps for hedge fund managers because they can communicate information about a firm’s activities through tracking of a firm employee.  For instance, a person tracking a mobile device user may be able to glean information about a firm’s contemplated investments if the mobile device user visits the target portfolio company.  Messing explained, “It is really amazing the amount of information you can glean just from someone’s location.  It can present some actionable intelligence.  General e-mails can have a lot more meaning if you know someone’s location.  Some people think this concern is overblown, but whenever you can collect disparate pieces of information, aggregating all those seemingly innocuous pieces of information can put together a very compelling picture of what is going on.”

Additionally, as Messing explained, “Some hedge fund managers are concerned with location-based social networks and apps, like Foursquare, which advertises that users are at certain places.  You should worry whether that tips someone off as to whom you were meeting with or companies you are potentially investing in.  These things are seemingly harmless in someone’s personal life, but this information could wind up in the wrong hands.  People can potentially piece together all of these data points and perhaps figure out what an employee is up to or what the employee is working on.  For a hedge fund manager, this tracking can have serious consequences.  It is hard to rely on technology to block all of those apps and functions because the minute you address something like Foursquare, a dozen new things just like it pop up.  To some degree you have to rely on education, training and responsible use by your employees.”

Books and Records Retention

Messing explained that while e-mails are generally simple to save and archive, text messages and other messaging types present new challenges for hedge fund managers.  Nonetheless, as Marsh cautioned, “Regardless of the type of messaging system that is used, all types of business-related electronic communications must be captured and archived.  There is no exception to those rules.  There is no exception for people using cell phones.  If I send a text message or if I post something to my Twitter account or Facebook account and it is related to business, it has to be captured.”

Advertising and Communications Concerns

OlenderFeldman’s Messing further explained on this topic, “Social media tends to blur these lines between personal and professional communications because many social media sites do not delineate between personal use and business use.  While there is not any clear guidance on whether using social networking and ‘liking’ various pages constitutes advertising, it is still a concern for hedge fund managers.  You can have your employees include disclaimers that their views are not reflective of the views of the company or that comments, likes or re-Tweets do not constitute an endorsement.  However, you still should have proper policies and procedures in place to address the use of social media, and you have to educate your employees about acceptable usage.”