OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three-part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the third entry here.

Preventing Access by Unauthorized Persons

This section highlights steps that hedge fund managers can take to prevent unauthorized users from accessing a mobile device or any transmission of information from a device.  Concerns over unauthorized access are particularly acute in connection with lost or stolen devices.

[Lawyers] recommended that firms require the use of passwords or personal identification numbers (PINs) to access any mobile device that will be used for business purposes.  Aaron Messing, a Corporate & Information Privacy Associate at OlenderFeldman LLP, further elaborated, “We generally emphasize setting minimum requirements for phone security.  You want to have a mobile device lock with certain minimum requirements.  You want to make sure you have a strong password and that there is boot protection, which is activated any time the mobile device is powered on or reactivated after a period of inactivity.  Your password protection needs to be secure.  You simply cannot have a password that is predictable or easy to guess.”

Second, firms should consider solutions that facilitate the wiping (i.e., erasing) of firm data on the mobile device to prevent access by unauthorized users . . . . [T]here are numerous available wiping solutions.  For instance, the firm can install a solution that will facilitate remote wiping of the mobile device if the mobile device is lost or stolen.  Also, to counter those that try to access the mobile device by trying to crack its password, a firm can install software that automatically wipes firm data from the mobile device after a specific number of failed log-in attempts.  Messing explained, “It is also important for firms to have autowipe ability – especially if you do not have a remote wipe capability – after a certain number of incorrect password entries.  Often when a phone is lost or stolen, it is at least an hour or two before the person realizes the mobile device is missing.”

Wipe capability can also be helpful when an employee leaves the firm or changes mobile devices. . . Messing further elaborated, “When an employee leaves, you should have a policy for retrieving proprietary or sensitive information from the employee-owned mobile device and severing access to the network.  Also, with device turnover – if employees upgrade phones – you want employees to agree and acknowledge that you as the employer can go through the old phone and wipe the sensitive aspects so that the next user does not have the ability to pick up where the employee left off.”

If a firm chooses to adopt a wipe solution, it should adopt policies and procedures that ensure that employees understand what the technology does and obtain consent to the use of such wipe solutions.  Messing explained, “What we recommend in many cases is that as a condition of enrolling a device on the company network, employees must formally consent to an ‘Acceptable Use’ policy, which defines all the situations when the information technology department can remotely wipe the mobile device.  It is important to explain how that wipe will impact personal device use and data and employees’ data backup and storage responsibilities.”

Third, a firm should consider adopting solutions that prevent unauthorized users from gaining remote access to a mobile device and its transmissions.  Mobile security vendors offer products to protect a firm’s over-the-air transmissions between the server and a mobile device and the data stored on the mobile device.  These technologies allow hedge fund managers to encrypt information accessed by the mobile device – as well as information being transmitted by the mobile device – to ensure that it is secure and protected.  For instance, mobile devices can retain and protect data with WiFi and mobile VPNs, which provide mobile users with secure remote access to network resources and information.

Fourth, Rege suggested hedge fund managers have a procedure for requiring certificates to establish the identity of the device or a user.  “In a world where the devices are changing constantly, having that mechanism to make sure you always know what device is trying to access your system becomes very important.”

Preventing Unauthorized Use by Firm Personnel

Hedge fund managers should be concerned not only by potential threats from external sources, but also potential threats from unauthorized access and use by firm personnel.

For instance, hedge fund managers should protect against the theft of firm information by firm personnel.  Messing explained, “You want to consider some software to either block or control data being transferred onto mobile devices.  Since some of these devices have a large storage capacity, it is very easy to steal data.  You have to worry not only about external threats but internal threats as well, especially when it comes to mobile devices, you want to have system controls that are put in place to record and maybe even limit the data being taken from or copied onto mobile devices.”

Monitoring Solutions

To prevent unauthorized access and use of the mobile device, firms can consider remote monitoring.  However, monitoring solutions raise employee privacy concerns, and the firm should determine how to address these competing concerns.

Because of gaps in expectations regarding privacy, firms are much more likely to monitor activity on firm-provided mobile devices than on personal mobile devices. . . . In addressing privacy concerns, Messing explained, “You want to minimize the invasion of privacy and make clear to your employees the extent of your access.  When you are using proprietary technology for mobile applications, you can gain a great deal of insight into employee usage and other behaviors that may not be appropriate – especially if not disclosed.  We are finding many organizations with proprietary applications tracking behaviors and preferences without considering the privacy implications.  Generally speaking, you want to be careful how you monitor the personal device if it is also being used for work purposes.  You want to have controls to determine an employee’s compliance with security policies, but you have to balance that with a respect for that person’s privacy.  When it comes down to it, one of the most effective ways of doing that is to ensure that employees are aware of and understand their responsibilities with respect to mobile devices.  There must be education and training that goes along with your policies and procedures, not only with the employees using the mobile devices, but also within the information technology department as well.  You have people whose job it is to secure corporate information, and in the quest to provide the best solution they may not even consider privacy issues.”

As an alternative to remote monitoring, a firm may decide to conduct personal spot checks of employees’ mobile devices to determine if there has been any inappropriate activity.  This solution is less intrusive than remote monitoring, but likely to be less effective in ferreting out suspicious activity.

Policies Governing Archiving of Books and Records

Firms should consider both technology solutions and monitoring of mobile devices to ensure that they are capturing all books and records that are required to be kept pursuant to the firm’s books and records policies and external law and regulation with respect to books and records.

Also, firms may contemplate instituting a policy to search employees’ mobile devices and potentially copying materials from such mobile devices to ensure the capture of all such information or communications from mobile devices.  However, searching and copying may raise privacy concerns, and firms should balance recordkeeping requirements and privacy concerns.  Messing explained, “In the event of litigation or other business needs, the company should image, copy or search an employee’s personal device if it is used for firm business.  Therefore, employees should understand the importance of complying with the firm’s policies.”

Policies Governing Social Media Access and Use by Mobile Devices

Many firms will typically have some policies and procedures in place that ban or restrict the proliferation of business information via social media sites such as Facebook and Twitter, including with respect to the use of firm-provided mobile devices.  Specifically, such a policy could include provisions prohibiting the use of the firm’s name; prohibiting the disclosure of trade secrets; prohibiting the use of company logos and trademarks; addressing the permissibility of employee discussions of competitors, clients and vendors; and requiring disclaimers.

Messing explained, “We advise companies just to educate employees about social media.  If you are going to be on social media, be smart about what you are doing.  To the extent possible, employees should note their activity is personal and not related to the company.  They also should draw distinctions, where possible, between their personal and business activities.  These days it is increasingly blurred.  The best thing to do is just to come up with common sense suggestions and educate employees on the ramifications of certain activities.  In this case, ignorance is usually the biggest issue.”

Ultimately, many hedge fund managers recognize the concerns raised by mobile devices.  However, many also recognize the benefits that can be gained from allowing employees to use such devices.  In Messing’s view, the benefits to hedge fund managers outweigh the costs.  “Everything about a mobile device is problematic from a security standpoint,” Messing said, “but the reality is that the benefits far outweigh the costs in that productivity is greatly enhanced with mobile devices.  It is simply a matter of mitigating the concerns.”

OlenderFeldman LLP was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three-part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the first entry here.

Eavesdropping

[A]s observed by Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, “Phones have cameras and video cameras, and therefore, the phone can be used as a bugging device.”

Location Privacy

[M]any mobile devices or apps can broadcast the location of the user.  Messing explained that these can be some of the most problematic apps for hedge fund managers because they can communicate information about a firm’s activities through tracking of a firm employee.  For instance, a person tracking a mobile device user may be able to glean information about a firm’s contemplated investments if the mobile device user visits the target portfolio company.  Messing explained, “It is really amazing the amount of information you can glean just from someone’s location.  It can present some actionable intelligence.  General e-mails can have a lot more meaning if you know someone’s location.  Some people think this concern is overblown, but whenever you can collect disparate pieces of information, aggregating all those seemingly innocuous pieces of information can put together a very compelling picture of what is going on.”

Additionally, as Messing explained, “Some hedge fund managers are concerned with location-based social networks and apps, like Foursquare, which advertises that users are at certain places.  You should worry whether that tips someone off as to whom you were meeting with or companies you are potentially investing in.  These things are seemingly harmless in someone’s personal life, but this information could wind up in the wrong hands.  People can potentially piece together all of these data points and perhaps figure out what an employee is up to or what the employee is working on.  For a hedge fund manager, this tracking can have serious consequences.  It is hard to rely on technology to block all of those apps and functions because the minute you address something like Foursquare, a dozen new things just like it pop up.  To some degree you have to rely on education, training and responsible use by your employees.”

Books and Records Retention

Messing explained that while e-mails are generally simple to save and archive, text messages and other messaging types present new challenges for hedge fund managers.  Nonetheless, as Marsh cautioned, “Regardless of the type of messaging system that is used, all types of business-related electronic communications must be captured and archived.  There is no exception to those rules.  There is no exception for people using cell phones.  If I send a text message or if I post something to my Twitter account or Facebook account and it is related to business, it has to be captured.”

Advertising and Communications Concerns

OlenderFeldman’s Messing further explained on this topic, “Social media tends to blur these lines between personal and professional communications because many social media sites do not delineate between personal use and business use.  While there is not any clear guidance on whether using social networking and ‘liking’ various pages constitutes advertising, it is still a concern for hedge fund managers.  You can have your employees include disclaimers that their views are not reflective of the views of the company or that comments, likes or re-Tweets do not constitute an endorsement.  However, you still should have proper policies and procedures in place to address the use of social media, and you have to educate your employees about acceptable usage.”

OlenderFeldman gave a presentation on Wednesday at the SES New York 2012 conference about emerging legal issues in search engine optimization (SEO) and online behavioral advertising. The topic of his presentation, Legal Considerations for Search & Social in Regulated Industries, focused on search and social media strategies in regulated industries. Regulated industries, which include healthcare, banking, finance, pharmaceuticals and publicly traded companies, among others, are subject to various government regulations, he said, but often lack sufficient guidance regarding acceptable practices in social media, search and targeted advertising.

Messing began with a discussion of common methods that search engine optimization companies use to raise their clients’ sites in the rankings. The top search spots are extremely competitive, and the difference between being on the first or second page can make a huge difference in a company’s bottom line. One of the ways that search engines determine the relevancy of a web page is through link analysis. Search engines examine which websites link to that page, and what the text of those links (the anchor text) says about the page, as well as the surrounding content, to determine relevance. In essence, these links and contents can be considered a form of online citations.

A typical method used by SEO companies to raise website rankings is to generate content, using paid affiliates, freelance bloggers, or other webpages under the SEO company’s control, in order to increase the website’s ranking on search engines. However, since this content is mostly for the search engine spiders, and not for human consumption, the content is rarely screened, which can lead to issues with government agencies, especially in the regulated industries. This content also rarely contains disclosures that the author was paid to create the content, which could be unfair and deceptive to consumers. SEO companies dislike disclosing paid links and content because search engines penalize paid links. Messing said, “SEO companies are caught between the search engines, who severely penalize disclosure [of paid links], and the FTC, which severely penalizes nondisclosure.”

The main enforcement agency is the Federal Trade Commission, which has the power to investigate and prevent unfair and deceptive trade practices across most industries, though other regulated industries have additional enforcement bodies. The FTC rules require full disclosure when there is a “material connection” between a merchant and someone promoting its product, such as a cash payment, or a gift item. Suspicious “reviews” or unsubstantiated content can raise attention, especially in regulated industries. “If a FTC lawyer sees one of these red flags, you could attract some very unwanted attention from the government,” Messing noted.

Recently, the FTC has increased its focus on paid links, content and reviews. While the FTC requires mandatory disclosures, it doesn’t specify how those disclosures should be made. This can lead to confusion as to what the FTC considers adequate disclosure, and Messing said he expects the FTC to issue guidance on disclosures in the SEO, social media and mobile devices areas. “There are certain ecommerce laws that desperately need clarification,” said Messing.

Messing stated that clients need to ask what their SEO company is doing and SEO companies need to tell them, because ultimately, both can be held liable for unfair or deceptive content. He recommended ensuring that all claims made in SEO content be easily substantiated, and recommended building SEO through goodwill. “In the context of regulated industries,” he said, “consumers often visit healthcare or financial websites when they have a specific problem. If you provide them with valuable, reliable and understandable information, they will reward you with their loyalty.”

Messing cautioned companies to be careful of what information they collect for behavioral advertising, and to consider the privacy ramifications. “Data is currency, but the more data a company holds, the more potential liability it is exposed to.” Messing expects further developments in privacy law, possibly in the form of legislation. In the meantime, he recommends using data responsibly, and in accordance with the data’s sensitivity. “Developing policies for data collection, retention and deletion is crucial. Make sure your policies accurately reflect your practices.” Finally, Messing noted that companies lacking a robust compliance program governing collection, protection and use of personal information may face significant risk of a data breach or legal violation, resulting litigation, and a hit to their bottom lines. He recommends speaking to a law firm that is experienced in privacy and legal compliance for businesses to ensure that your practices do not attract regulatory attention.

Protected Health Information (PHI)

Protected Health Information Privacy Concerns are Rapidly Increasing

OlenderFeldman LLP contributed to the recently released report entitled, The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, which can be downloaded for free at http://webstore.ansi.org/phi. As the press release correctly notes, protected health information (PHI) “is now more susceptible than ever to accidental or impermissible disclosure, loss, or theft. Health care organizations (providers, payers, and business associates) are not keeping pace with the growing risks of exposure as a result of electronic health record adoption, the increasing number of organizations handling PHI, and the growing rewards of PHI theft.”

The report provides a 5-step method for assessing security risks and evaluating the “at risk” value of an organization’s PHI, including estimating overall potential data breach costs, and provides a methodology for determining an appropriate level of investment needed to strengthen privacy and security programs and reduce the probability of a breach occurrence.