Posts Tagged ‘Mobile Devices’
National Telecommunications and Information Administration (NTIA) Holds Public Meeting on Mobile PrivacyFriday, July 13th, 2012
The NTIA’s first multistakeholder meeting on mobile privacy focused on ways to improve the transparency of the privacy practices of mobile apps.
By Alice Cheng
On Thursday, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) held a public meeting in Washington, D.C., to discuss mobile privacy. After taking public comment in March on consumer data privacy, the NTIA decided to address mobile app transparency in its first privacy multistakeholder process. The discussion is part of the Obama administration’s push for companies to abide by a consumer privacy “bill of rights,” and is an issue that has been recently tackled by the Federal Communications Commission as well.
As smartphone use continues to grow rapidly, concerns about mobile app access to consumer data have also grown. Through the devices, mobile apps may be able to access sensitive personal information regarding users, such as geographic location. Additionally, privacy advocates have pushed fervently for regulation on digital advertising. The prevalence of digital advertising on apps is not only a nuisance, but can at times be downright aggressive (i.e., ads pushed onto notification bars and phone desktops).
During the meeting, audience members were asked how greater mobile app transparency could be achieved. Suggestions ranged from software that notified users of what information was shared, to the use of icons indicating privacy concepts in lieu of lengthy privacy policies. Others proposed that broader fair information practices should be addressed, as transparency itself would not be helpful without regulations.
While the NTIA’s next steps are unclear, keep in mind that privacy policies should still be as clear as possible. Effective privacy policies let users know how and for what purpose information is collected and used. Privacy lawyers and advocates generally recommend an opt-in approach is where possible, as it allows users to choose what information they would like to share.
Data Breach Prevention and Remediation: How to Protect Your Company from Hackers and Internal Threats and Ensure Your Customer’s PrivacyThursday, July 12th, 2012
All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in its possession. Information privacy and security is essential to protect your business, safeguard your customers’ privacy, and secure your company’s vital information.
Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.
While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most businesses networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to it.A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses did not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.
Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.
Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses. Informal or non-existent business attitudes and practices with regards to security often create temptations and a relatively safe environment for an opportunist within to gain improper or unauthorized access to your company’s sensitive information. Mitigating this risk requires limiting access to company resources on a need to know/access basis and restricting access to those who do not need the access. Theft or damage of the system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk for identity theft, which may cause monetary liability and reputational damage to your company.
Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss had occurred or was ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before it is otherwise recycled or disposed. Most business owners are not aware that technology resources generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of that photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.
Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users. Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate various breach reporting times, and to various authorities.
Employee Who Read and Printed Coworker’s Emails Found Not Guilty of Violating the Stored Communications ActThursday, July 5th, 2012
A New Jersey court recently held that a teacher who accessed and printed a co-worker’s personal email after the coworker left the computer without signing out of her account was not guilty of a crime.
By Alice Cheng
In Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012), a New Jersey court held that a defendant was not in violation of any laws when he snooped through the emails of a coworker who had forgotten to sign out of a shared computer.
The defendant, a teacher who was involved in a salary dispute with the school district he worked for, sat down to use a computer in the school’s computer room when he accidentally bumped the mouse of the computer next to him. The screen of the adjacent computer came alive to show the Yahoo! email inbox of a member of the education association he was in dispute with, which included two emails that clearly mentioned him. He then clicked on the emails, printed them out, and used them at a meeting with the education association as evidence that they had not bargained in good faith.
The individuals who were copied on the email conversations filed suit, claiming that the defendant had violated New Jersey’s version of the Stored Communications Act (N.J.S.A. 2A:156A-27), which reads in pertinent part:
A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.
The court found that the defendant did not “knowingly access [the facility] without authorization” as it was the previous user who had logged into the account. The judge then let the jury decide whether or not he “exceed[ed] an authorization to access that facility” when she failed to close her inbox and log out of her account. The jury found that did not, as he had “tacit authorization” to access the account. On appeal, the court affirmed.
While there is no clear answer to the question of whether snooping emails is illegal (as always, it depends), always remember to log out of public computers. Similarly, all mobile devices, such as smartphones or laptops, should be password protected. As for the email snoopers, be forewarned that snooping may nevertheless carry major consequences, if hacking or unauthorized access is found.
Your smartphone knows all about you. Before giving it away or recycling your smartphone, make sure that you take the proper precautions so that your smartphone doesn’t spill your secrets to the world.
In a Fox Business article by Michael Estrin entitled, “Don’t be Stupid With an Unwanted Smartphone,” OlenderFeldman LLP’s Aaron Messing provides insight on the importance of wiping all data before selling or donating an old phone. Some excerpts follow, and be sure to read the entire thing:
If an identity thief gets hold of data on your old smartphone, the risks could be dire, according to Aaron Messing, a lawyer specializing in technology and information privacy issues.
“It’s important for consumers to realize that their smartphones are actually mini-computers that contain all types of sensitive personal and financial information,” says Messing, who’s with the Olender Feldman firm in Union, N.J.
That information typically includes, but is not limited to: phone contacts, calendars, emails, text messages, pictures and a browser history. Increasingly, many phones also contain everything you’d have in your wallet — and more — as more consumers are using mobile banking and payment apps.
If just a little information gets into the wrong hands, it can go a very long way because each piece of compromised data is a clue toward finding more, says Messing.
“Email is especially sensitive because access to email will often give (a thief the) ability to reset passwords, which can be used to access financial and health information,” says Messing. Since many consumers ignore warnings not to use the same password for numerous sites, the risk could easily be multiplied very quickly.
So far, there haven’t been many reported incidents of identity theft using data pulled from discarded smartphones. But it’s a problem that Messing worries might rise as smartphone usage grows. A recent study by Pew Internet found that nearly half of Americans now own smartphones, up from 35% last year.
The Federal Communications Commission (FCC) is seeking for public comment on the privacy and security of personal information on mobile devices.
By Alice Cheng
The Federal Communications Commission (FCC) recently released a request for public comment on the privacy and security of personal information on mobile devices. The Commission, which regulates interstate and international radio, television, wire, satellite, and cable communications, had solicited public input on this subject five years ago, but acknowledges the vast changes in technologies and business practices since then.
Section 222 of the Communications Act of 1934 addresses customer privacy, and establishes that all telecommunications carriers have the duty, with limited exceptions, to protect the confidentiality of proprietary information of and relating to customers. All carriers must also protect “customer proprietary network information” (CPNI), such as time, date, and duration of a call, which the carrier receives and obtains. They may use, disclose, and allow access of such information only in limited circumstances.
The FCC enforces these obligations, and is seeking comments to better understand the practices of mobile wireless service providers, and the types of customer information that is stored on mobile devices.
This request for public comment appears to come in light of the Carrier IQ controversy of late 2011. The Federal Trade Commission (FTC) brought legal action against analytics company Carrier IQ after it was discovered that the software, installed on over 140 million mobile devices, was capable of detailed logging of user keystrokes, recording of calls, storing text messages, tracking location, and more. The detailed tracking was intended to provide phone usage information that would be helpful to improve device performance. However, the widespread collection and difficulty in opting out attracted nationwide attention and a slew of lawsuits.
In addition to the request for public comments, the FCC has also recently released a report on location-based services (LBS), focusing on “mobile services that combine information about a user’s physical location with online connectivity.” While the report acknowledges the benefits of these services (ease of transacting business, for social networking purposes, etc.), they also address concerns of creating highly accurate and personal user profiles through LBS data—specifically, “how, when and by whom this information can and should be used.”
Congress has displayed a growing interest in privacy as well—several privacy and information security-related bills have been introduced and hearings on the issues have been held.
Five years after their initial inquiry into the matter, the FCC hopes to obtain an updated understanding of these mobile information security and privacy issues. Comments are due by July 13, and reply comments are due by July 30.
A New Jersey appeals court recently ruled that a criminal suspect has no reasonable expectation of privacy in his cell phone number.
By Alice Cheng
In State v. DeFranco, the defendant schoolteacher was charged with sexual assault of a former student. Defendant filed a motion to suppress evidence of a telephone conversation with the victim, which was intercepted by the police with the victim’s consent. The Appellate Division upheld the trial court’s denial of the motion, determining that the defendant had no reasonable expectation of privacy in the cell phone number used to make the call. The defendant had disclosed the cell phone number to the school where he taught, and the number had been given to a policeman prior to the interception.
The court determined that, unlike long-distance billing information and banking records, the cell phone number was “simply a number.” Additionally, the defendant had in the past disclosed his number to the victim and expressed no surprise when contacted by the victim via cell phone, suggesting that he had no reasonable expectation of privacy in his cell phone number. Under the circumstances, the court found nothing unreasonable in the police officer obtaining the number from the school.
If the court had found that the defendant had a reasonable expectation of privacy in his cell phone number, then the number could be acquired only through a search warrant or grand jury subpoena (neither of which had been obtained).
Under U.S. federal law and in most states, including New Jersey, the monitoring of telephone calls (or wiretapping) by local and state law enforcement is permitted with the consent of at least one party to the call.
Companies are increasingly allowing their employees to use their own personal mobile devices, such as laptops, tablets, and smartphones, to remotely access work resources.
This “bring your own device” trend can present certain security and privacy risks for companies, especially in regulated industries where different types of data require different levels of security. At the same time, companies need to also be mindful of employee privacy laws.
Most individuals now have personal mobile devices, and companies are finding it increasingly convenient to allow employees (and in certain situations, independent contractors) to access company data and networks through these personally owned devices. However, when an organization agrees to allow employees to use their own personal devices for company business, it loses control over the hardware and how it is used. This creates security and privacy risks with regards to the proprietary and confidential company information stored or accessible on those devices, which can lead to potential legal and liability risk. Similarly, when employees use the same device for both personal and professional use, determining the line between the two becomes difficult. If your company is considering letting its employees use their personal devices in the workplace, you should consult with an attorney to craft a policy that’s right for your business.
OlenderFeldman LLP’s Aaron Messing was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; Free two week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the first entry here.
[A]s observed by Aaron Messing, a Corporate & Information Privacy Lawyer at OlenderFeldman LLP, “Phones have cameras and video cameras, and therefore, the phone can be used as a bugging device.”
[M]any mobile devices or apps can broadcast the location of the user. Messing explained that these can be some of the most problematic apps for hedge fund managers because they can communicate information about a firm’s activities through tracking of a firm employee. For instance, a person tracking a mobile device user may be able to glean information about a firm’s contemplated investments if the mobile device user visits the target portfolio company. Messing explained, “It is really amazing the amount of information you can glean just from someone’s location. It can present some actionable intelligence. General e-mails can have a lot more meaning if you know someone’s location. Some people think this concern is overblown, but whenever you can collect disparate pieces of information, aggregating all those seemingly innocuous pieces of information can put together a very compelling picture of what is going on.”
Additionally, as Messing explained, “Some hedge fund managers are concerned with location-based social networks and apps, like Foursquare, which advertises that users are at certain places. You should worry whether that tips someone off as to whom you were meeting with or companies you are potentially investing in. These things are seemingly harmless in someone’s personal life, but this information could wind up in the wrong hands. People can potentially piece together all of these data points and perhaps figure out what an employee is up to or what the employee is working on. For a hedge fund manager, this tracking can have serious consequences. It is hard to rely on technology to block all of those apps and functions because the minute you address something like Foursquare, a dozen new things just like it pop up. To some degree you have to rely on education, training and responsible use by your employees.”
Books and Records Retention
Messing explained that while e-mails are generally simple to save and archive, text messages and other messaging types present new challenges for hedge fund managers. Nonetheless, as Marsh cautioned, “Regardless of the type of messaging system that is used, all types of business-related electronic communications must be captured and archived. There is no exception to those rules. There is no exception for people using cell phones. If I send a text message or if I post something to my Twitter account or Facebook account and it is related to business, it has to be captured.”
Advertising and Communications Concerns
OlenderFeldman’s Messing further explained on this topic, “Social media tends to blur these lines between personal and professional communications because many social media sites do not delineate between personal use and business use. While there is not any clear guidance on whether using social networking and ‘liking’ various pages constitutes advertising, it is still a concern for hedge fund managers. You can have your employees include disclaimers that their views are not reflective of the views of the company or that comments, likes or re-Tweets do not constitute an endorsement. However, you still should have proper policies and procedures in place to address the use of social media, and you have to educate your employees about acceptable usage.”