Articles Posted in Cybersecurity and Privacy


Much has been said about the EU “Cookie” laws introduced by an amendment to the Privacy and Electronic Communications Directive in 2011.  Companies with European customers (including those in the US) have grappled with the law’s requirement to obtain informed consent from visitors to their websites before cookies can be used.

Not only being the subject of much academic debate, European regulators have also issued a series of guidance papers on the issue, including recent publications from the UK’s Information Commissioner’s Office and from the Article 29 Working Party, the group made up of representatives from the various EU privacy regulators.  These provide layers of at times arguably conflicting commentary on how to comply with the law.

Whilst question marks hang over key issues (e.g.


This article was originally published on February 27, 2014 and is reprinted with permission from Corporate Compliance Insight.

Managing third-party suppliers presents significant compliance challenges that often span an organization, raising legal, insurance, human resources and technology concerns, to name just a few. Corporations will continue to wrestle with these risks in the year ahead, but the convergence of external threats, abundance of valuable corporate data and the current regulatory environment has highlighted the importance of corporate cybersecurity practices. Cybersecurity is perhaps one of the hottest topics being discussed in boardrooms today.  The Cybersecurity Framework,

anticipated legislation and litany of high-profile data breaches have resulted in even more heightened scrutiny.


On February 12, 2014, the National Institute of Standards and Technology (“NIST“) released the final version of its Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework” or “Framework“)

and the companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (the “Roadmap“).

The final version is the result of a year-long development process which included the release of multiple iterations for public comment and working sessions with the private sector and security stakeholders. The most significant change from previous working versions is the removal of a separate privacy appendix criticized as being overly prescriptive and costly to implement in favor of a more general set of recommended privacy practices that should be “considered” by companies.


Customers increasingly are taking advantage of Software as a Service (SAAS) and other cloud-based solutions available in the marketplace. There are of course many legal and commercial issues that customers should consider when evaluating contracts provided by suppliers of these solutions. This post focuses specifically on issues arising when SAAS or other cloud solutions will be provided from an offshore location. For example, data hosting, help desk/service desk, implementation, and disaster recovery services are often provided from India, the Philippines and other offshore locations in support of solutions that are delivered in North America and Europe.

  • Transfer of Customer Data Offshore. Customers should consider whether there must be restrictions on the transfer of data offshore (whether due to internal security policies, industry standards, obligations within downstream customer contracts, or applicable laws and regulations). If the data contains personally identifiable information (PII), protected health information (PHI) or similar types of data covered by data privacy laws, the data most likely should remain onshore. A customer may decide that other data may be transferred offshore, but only if additional safeguards, contract restrictions or liability provisions are added to the contract with its service provider.
  • Access to Customer Data or Systems from Offshore. This issue turns the item above on its head, a bit: even when customer data and systems remain onshore, customers should consider whether personnel from the SAAS or cloud service provider should have access to such data or systems from offshore. For example, offshore personnel who are accessing service desk records or performing break-fix services may request the ability to access a customer’s onshore systems. This may or may not be acceptable in any case, or it may be acceptable only if certain agreed-upon restrictions are followed.


Google has figured out that I shop for a lot of children’s clothing online, as my two children grow like weeds. Every time I launch a search, my banner ads link to brands that I have bought previously or similar brands that other consumers may have purchased. That is Big Data at work, as it is being used to identify other brands that I might be interested in purchasing based on shoppers with similar consumer profiles to mine. But let’s say that the next banner ad I receive isn’t for children’s clothing, but is instead for an all-inclusive Caribbean vacation. Well, I have never searched for Caribbean vacations, why would this be turning up? Again, this is Big Data at work, because patterns in human behavior have informed Google that people with small children are likely good targets for a quick getaway vacation. This is an example of the value of Big Data in predicting individual consumer behavior based on the behavior of many.

“Big Data” is the somewhat uncreative but accurate term for the process of collecting, culling, and categorizing of data from diverse sources on a massive scale. Through the application of algorithms, companies are analyzing Big Data in order to see patterns in human behavior, and (most commonly) using it to develop targeted, individualized marketing. The primary goal of Big Data is to learn from a large body of information things that we could not comprehend when we used only smaller amounts. Recent trends point to an increase in the use of Big Data, but there are several cautionary points from a legal and privacy perspective to consider.

What are the uses of Big Data, and who uses it? The potential benefits are wide ranging, but can be categorized as follows:


In addition to the consumer hoopla over iOS 7, companies managing BYOD programs also have reason to rejoice. As reported on, iOS 7 brings about a new level of control for companies through expanded app-level MDM Capabilities. MDM, or Mobile Device Management, is the technology that companies use to try to segregate the corporate and the personal realms on mobile devices.

Of course, the trick is not in having the coolest technology, but it how you use it. For app-level MDM to work, the company takes control over the app (including the ability to wipe the app and its data). For some apps that themselves share personal and corporate activities (e.g., the address book), the company’s use of MDM to protect its corporate assets will also sweep in personal assets. One can debate whether this is good or bad, but it does exacerbate challenges in balancing personal versus corporate interests. The tool makes it easier to protect the corporate assets, but exposes the personal assets to greater risk.

As we have outlined in prior posts, courts have striven to protect the individual’s interest in their personal data stored on mobile devices from over-reaching companies. Again, as we have previously discussed, the best way for the company to protect itself is by being very clear in its BYOD policies as to what it will and will not do. This requires the manager of the BYOD policy to understand clearly the technical implications of the new iOS 7 capabilities–including both the intended and unintended consequences of leveraging those capabilities–and to make those implications clear to company employees.


It has been said for some time that data is the new oil, but many global organizations continue to struggle to comply with regulatory requirements when it comes to the exploitation of this valuable resource.

A recent worldwide audit of over 2,000 websites, coordinated by the Global Privacy Enforcement Network (“GPEN”), has revealed “significant shortcomings” at many organizations. In particular, approximately half of the websites “swept” failed to display a complete, coherent and compliant privacy policy, or worse still, any policy at all.

The audit, the first of its kind, was conducted in May of this year by 19 different data protection authorities around the world, including the UK’s Information Commissioner’s Office (“ICO”).”The results reveal significant shortcomings” reports Adam Stevens, Intelligence Officer at the ICO, on 16 August, stating that 23% of the 250 websites it reviewed had no privacy policy at all and that a third of those that did have policies ” were considered to be difficult to read, and many weren’t sufficiently tailored to the actual website”.


This article was originally published in the July 22, 2013 issue of Texas Lawyer.

The constant threat of cyberattacks presents many and varying challenges for businesses. Insurance provides one way to deal with them. Because the market for insurance covering these risks and the law interpreting these policies both continue to develop, this is an area in which attorneys can help clients by maximizing their opportunity to secure the broadest possible coverage.

A look at federal and state action on cybersecurity risks provides some critical background. President Obama issued his Executive Order on Improving Critical Infrastructure Cybersecurity in February. In October 2011, the U.S. Securities and Exchange Commissions Division on Corporate Finance issued relevant guidance on financial-disclosure obligations concerning cybersecurity issues in CF Disclosure Guidance Topic No. 2 – Cybersecurity.


Jim Gatto, Meighan O’Reardon and James Chang recently published “Mobile Privacy Practices: Recent California developments indicate what’s to come” in the June issue of Computer Law Review International.

The use of mobile applications has seen huge growth in the past few years. As the use of apps become increasingly commonplace, social concerns such as the privacy of app users will increasingly need addressing. California is taking the lead in regulating this important issue. For more information, including an overview of mobile privacy, a summary of California’s stance on how to address the issue, an overview of the state’s principles regarding privacy, its best tips for complying with its principles, and an examination of the privacy related laws outside of California, please read the full article: Mobile Privacy Practices: Recent California developments indicate what’s to come.


Rafi Azim Khan and Steve Farmer recently published an article in World Data Protection Report titled “Personal Data Transfers from the European Economic Area: Time to Consider Binding Corporate Rules 2.0.”

What exactly is the ‘”best” solution for an international business needing to handle and transfer personal data across borders?

This has become an increasingly important and common question as business becomes more global and companies grow, reorganise or merge.