Category Archives: Data Protection
No Password for You: California Enacts Social Media Privacy Laws Affecting Employers and Postsecondary Educational Institutions
By: Gary Gansle, Jessica Linehan, and Kurt Whitman Addressing a recent hot topic regarding the forced disclosure of social media passwords and/or content as part of the employment application process, California has promptly resolved the issue legislatively. Effective January 1, 2013, employers in California are generally prohibited from requiring applicants and employees to disclose or access social media information. This new law, AB 1844, parallels an analogous law, SB 1349, which prohibits California’s public and private postsecondary educational institutions from requiring similar mandatory social media disclosure from students, prospective students, or student groups. Consistent with its historically strong state constitutional … [ Continue reading ]
California Court Permits Company to Subpoena Yahoo, Google and ISPs to Identify Anonymous Computer Hacker
A federal court in San Jose California last week permitted SolarBridge Technologies, Inc. (“SolarBridge”) to serve subpoenas on Yahoo, Google and various Internet Service Providers to identify the sender of an email containing SolarBridge’s confidential and trade secret protected data including schematics and other product designs of current and future products. SolarBridge Technologies, Inc. v. John Doe, 2010 WL 3419189 (N.D. Ca. Aug. 27, 2010). With criminals hiding behind the anonymity provided by the Internet this case has widespread application to companies willing to take aggressive action to protect their data and provides an excellent blueprint for going after anonymous … [ Continue reading ]
Why Two District Courts Dismissed Valid Computer Fraud and Abuse Claims for Lack of Jurisdiction
Two federal district courts, one in Maryland and the other in Texas, dismissed what each court considered to be valid civil claims under the Computer Fraud and Abuse Act (“CFAA”). Title 18 U.S.C. § 1030. The CFAA is the federal computer crime statute that provides a civil cause of action to “any person who suffers damage or loss by reason of a violation of the” statute. The ground for dismissal in each case was the lack of federal jurisdiction for failure to meet the CFAA’s jurisdictional requirement of $5,000 in loss.
United States Chess Federation Embroiled in Computer Fraud Prosecution
Last week the federal district court in Northern California downgraded felony Computer Fraud and Abuse Act (“CFAA”) counts to misdemeanors against Gregory Alexander who is charged with accessing “on thirty-four separate occasions . . . without authorization, the Yahoo! email account of Randall Hough, one of the board members of the United States Chess Federation (“USCF”).” U.S. v. Alexander, 2010 WL 3238961 *1 (N.D. Ca. Aug. 16, 2010). In opposing Alexander’s motion to dismiss the felony counts, the government’s papers described “how Alexander’s action were part of an internal power struggle among the USCF members.” In reviewing the indictment the … [ Continue reading ]
New Washington Privacy Law Effective July 1, 2010
Washington is the third state to enact an encryption law and a payment card law.1 Massachusetts and Nevada enacted encryption laws and Minnesota and Nevada enacted payment card laws. Since this law takes effect July 1, 2010, any entity that could be subject to this law should begin assessing whether they are subject to and in compliance with this law. [ Continue reading ]
U.S. Companies Misrepresenting EU Data Protection Directive Safe Harbor Compliance Risk Federal Trade Commission Enforcement Action
U.S. companies that transfer personal data from the European Economic Area (i.e., the 27 Member States of the European Union (EU) and Iceland, Liechtenstein and Norway) (EEA) to the United States, and misrepresent that they have self-certified under the Safe Harbor framework, risk Federal Trade Commission (FTC) enforcement action under Section 5 of the Federal Trade Commission Act. EU Data Protection Directive By way of background, a company that transfers personal data from the EEA to the United States must comply with the EU Data Protection Directive (95/46/EC). Personal data means information about any identified or identifiable natural person (e.g., … [ Continue reading ]
Social Media Poses Risks To Companies
By Melissa Krasnow. Social media, including Facebook, Twitter, YouTube, etc., is an evolving and growing means of communication. According to some reports, people have been spending more time using social media sites than e-mail since February 2009. See “A World of Connections,” The Economist, Jan. 28, 2010. For companies, social media presents both opportunities and risks. These risks include reputational, brand, legal, regulatory and security concerns. This article outlines some approaches that companies are taking to manage the risks, including: 1) reviewing existing company compliance policies and preparing social media policies as warranted; 2) restricting workplace access to social media; … [ Continue reading ]
Massachusetts Privacy Reg Now Effective
What Is Required and How to Comply Contributed by: Melissa J. Krasnow, Dorsey & Whitney LLP The Massachusetts Office of Consumer Affairs and Business Regulation (“MOCABR”) recently issued the final version of the Massachusetts privacy regulation (Regulation). This article provides a summary of this Regulation, which applies to each person or entity that owns or licenses personal information about a Massachusetts resident (Covered Entity) “Owns or licenses” means receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment. “Personal information” means a Massachusetts resident’s first … [ Continue reading ]
Data Protection Strategies
Technology poses a special risk to companies whose businesses depend on such valuable competitive data. With just a couple of mouse clicks or through the use of a thumb drive that can be slipped into a pocket, an employee can easily remove from the workplace what amounts to multiple file cabinets worth of documents. Last year, for example, I represented a client where the data at issue was worth more than $1 billion in business to the company. The employees in that case removed the data from the company by simply downloading it to several compact disks and e-mailing it … [ Continue reading ]
