General Interest

You Are Invited: Join FTC Chairwoman Ramirez on November 12 at Our Menlo Park Office for a Conversation on Privacy and Technology

Will you be in the Bay Area on November 12?  You are invited to join Federal Trade Commission (FTC) Chairwoman Edith Ramirez at McDermott’s office in Menlo Park, California for a conversation on privacy and technology.  The FTC is celebrating its 100th anniversary and this will be the first time Chairwoman Ramirez is visiting the Bay Area since her appointment.  Come and ask the tough questions, join the lively conversation and mark this important visit by Chairwoman Ramirez as she talks about all things privacy and technology to some of the top tech teams in the country.  Please RSVP as space is limited.  A complimentary networking reception with Chairwoman Ramirez will immediately follow the program.

To register, please click here.





Be Careful Who You Hire To Make Those Calls! Ninth Circuit Takes Expansive View of Vicarious Liability under the TCPA

A recent ruling by the Ninth Circuit took an expansive view of vicarious liability under the Telephone Consumer Protection Act (TCPA).  Reversing the district court’s grant of summary judgment, the court in Gomez v. Campbell held that a marketing consultant could be held liable for text messages sent in violation of the TCPA, even though the marketing consultant itself had not sent the texts and even though the texts were sent on behalf of the marketing consultant’s client, not the consultant itself.

Among other things, the TCPA prohibits (with certain exceptions) the use of automatic telephone dialing systems in making calls to cellphones.  Both the Federal Communications Commission (FCC) and the courts have interpreted this provision to bar the use of automated systems to send unsolicited texts to cellphones.  In Gomez, the Campbell-Ewald Company had been hired by the Navy to conduct a multimedia recruiting campaign.  Campbell-Ewald had then outsourced the text-messaging component of the campaign to a third party, Mindmatics.  Mindmatics then allegedly sent text messages to the plaintiff and others who had not given consent.

On appeal, Campbell-Ewald raised two variations of the argument that it should not be held liable for texts that it had not itself sent.  First, Campbell-Ewald argued that it did not “make” or “initiate” any calls under the TCPA because Mindmatics had sent the texts.  As the statute only provides for liability for those that “make” or “initiate” prohibited calls, Campbell-Ewald argued that it could not be held liable.  Second, addressing another potential avenue of liability, Campbell-Ewald noted that the FCC had interpreted the TCPA to allow for liability against those “on whose behalf” unsolicited calls are made.  But, Campbell-Ewald argued, it could not be held liable on this ground either because the texts had been sent on behalf of its client, the Navy, not Campbell-Ewald.

In the end, the Ninth Circuit sidestepped both these arguments and found Campbell-Ewald potentially liable on a third basis, “ordinary tort-related vicarious liability rules.”  The court noted that where a statute is silent on vicarious liability—as the court judged the TCPA to be—traditional common law standards of vicarious liability apply.  Thus, the court held, Campbell-Ewald could be liable under the TCPA based on the agency relationship between Campbell-Ewald and Mindmatics.  The court further noted that the FCC had stated that the TCPA imposes liability “under federal common law principles of agency,” and held that the FCC’s interpretation was entitled to deference.

Finally, the court noted that it made little sense to subject both the actual sender and the ultimate client to liability, while absolving the middleman marketing consultant, noting, “a merchant presumably hires a consultant in part due to its experience in marketing norms.”

The decision reinforces the importance for companies to closely monitor anyone sending texts or placing calls on their behalf or at their direction.  Following Gomez, it is clear that any company that had a role in sending unsolicited calls or texts can potentially be held liable under the TCPA; and the company with the [...]


Wearable Technologies Are Here To Stay: Here’s How the Workplace Can Prepare

More than a decade ago, “dual use” devices (i.e., one device used for both work and personal reasons) began creeping into workplaces around the globe.  Some employees insisted on bringing fancy new smart phones from home to replace the company-issued clunker and, while many employers resisted at first, dual use devices quickly became so popular that allowing them became inevitable or necessary for employee recruitment and retention, not to mention the cost savings that could be achieved by having employees buy their own devices.  Because of early resistance, however, many HR and IT professionals found themselves scrambling in a reactive fashion to address the issues that these devices can raise in the workplace after they were already prevalent.  Today, most companies have robust policies and procedures to address the risks presented by dual use devices, setting clear rules for addressing privacy, security, protection of trade secrets, records retention and legal holds, as well as for preventing harassment, complying with the National Labor Relations Act (NLRA), protecting the company’s relationships and reputation, and more.

In 2014, there is a new trend developing in the workplace:  wearable technologies.   The lesson to be learned from the dual use device experience of the past decade: Companies should consider taking proactive steps now to identify the risks presented by allowing wearables at work, and develop a strategy to integrate them into the workplace in a way that maximizes employee engagement, but minimizes corporate risk.

An effective integration strategy will depend on the particular industry, business needs, geographic location and corporate culture, of course.  The basic rule of thumb from a legal standpoint, however, is that although wearables present a new technology frontier, the old rules still apply.  This means that companies will need to consider issues of privacy, security, protection of trade secrets, records retention, legal holds and workplace laws like the NLRA, the Fair Labor Standards Act, laws prohibiting harassment and discrimination, and more.

Employers evaluating use of these technologies should consider two angles.  First, some companies may want to introduce wearables into the workplace for their own legitimate business purposes, such as monitoring fatigue of workers in safety-sensitive positions, facilitating productivity or creating efficiencies that make business operations run more smoothly.  Second, some companies may want to consider allowing “dual use” or even just “personal use” wearables in the workplace.

In either case, companies should consider the following as part of an integration plan:

  • Identify a specific business-use case;
  • Consider the potential for any related privacy and security risks;
  • Identify how to mitigate those risks;
  • Consider incidental impacts and compliance issues – for instance, how the technologies impact the existing policies on records retention, anti-harassment, labor relations and more;
  • Build policies that clearly define the rules of the road;
  • Train employees on the policies;
  • Deploy the technology; and
  • Review the program after six or 12 months to confirm the original purpose is being served and whether any issues have emerged that should be addressed.

In other words, employers will need to run through [...]


Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law, Federal Law № 242-FZ (Database Law), was adopted in Russia, introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.”  The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia.  At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market.  This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres.  Importantly, while the Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015.  The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals.  If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad.  However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question.  There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad.  If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.  

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws.  Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia.  However, the DPA can initiate the procedure to block access only if there is a respective court judgment.  Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements.  For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]


New Data Disposal Law in Delaware Requires Action by Impacted Businesses

While the federal government continues its inaction on data security bills pending in Congress, some U.S. states have been busy at work on this issue over the summer.  A new Delaware law, H.B. 295, signed into law on July 1, 2014 and effective January 1, 2015, provides for a private right of action in which a court may order up to triple damages in the event a business improperly destroys personal identifying information at the end of its life cycle.  In addition to this private right of action, the Delaware Attorney General may file suit or bring an administrative enforcement proceeding against the offending business if it is in the public interest.

Under the law, personal identifying information is defined as:

A consumer’s first name or first initial and last name in combination with any one of the following data elements that relate to the consumer, when either the name or the data elements are not encrypted:

  • his or her signature,
  • full date of birth,
  • social security number,
  • passport number, driver’s license or state identification card number,
  • insurance policy number,
  • financial services account number, bank account number,
  • credit card number, debit card number,
  • any other financial information or
  • confidential health care information including all information relating to a patient’s health care history, diagnosis, condition, treatment or evaluation obtained from a health care provider who has treated the patient, which explicitly or by implication identifies a particular patient.

Interestingly, this new law exempts from its coverage banks and financial institutions that are merely subject to the Gramm-Leach-Bliley Act, but it exempts health insurers and health care facilities only if they are subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA), and credit reporting agencies only if they are subject to and in compliance with the Fair Credit Reporting Act (FCRA).

Given how broadly the HIPAA and FCRA exemptions are drafted, we expect plaintiffs’ attorneys to argue for the private right of action and triple damages in every case where a HIPAA- or FCRA-covered entity fails to properly dispose of personal identifying information, arguing that such failure evidences noncompliance with HIPAA or FCRA, thus canceling the exemption.   Note, however, that some courts have refused to allow state law claims of improper data disposal to proceed where they were preempted by federal law.  See, e.g., Willey v. JP Morgan Chase, Case No. 09-1397, 2009 U.S. Dist. LEXIS 57826 (S.D.N.Y. July 7, 2009) (dismissing individual and class claims alleging improper data disposal based on state law, finding they were pre-empted by the FCRA).

The takeaway?  Companies that collect, receive, store or transmit personal identifying information of residents of the state of Delaware (or any of the 30+ states in the U.S. that now have data disposal laws on the books) should examine their data disposal policies and practices to ensure compliance with these legal requirements.  In the event a business is alleged to have violated one of [...]


Supreme Court Prohibits Warrantless Mobile Phone Searches, Underscores Individual Right to Privacy

The Supreme Court of the United States’ recent decision prohibiting warrantless mobile phone searches incident to arrest underscores unique privacy concerns raised by modern technology. The decision has an immediate impact on an individual’s rights under the Fourth Amendment, and may also have an impact on evolving areas of white collar and employment law.

Read the full article.





Planning a Sweepstakes, Contest or Game?

New technologies have made offering consumer promotions even easier for businesses but complying with the myriad laws, rules, regulations, industry standards and platform requirements is still challenging.  To learn how to avoid 12 common promotion execution traps, join McDermott’s Julia Jacobson today (Wednesday, June 25) for “Executing a Sweepstakes, Contest or Game,” the second of a six-session “Wednesday Webinars” series hosted by the Brand Activation Association.

For details and to register, click here.  If you are not able to join the live webinar, please visit Of Digital Interest again soon to download the program materials, or contact Julia Jacobson.





More States Restrict Employers’ Access to Employees’ Social Media Accounts

As first discussed in McDermott Will & Emery’s Privacy and Data Protection 2013 Year In Review, state legislatures are enacting laws limiting employers’ ability to access the social media accounts of their employees.  Thus far in 2014, four more states – Louisiana, Oklahoma, Tennessee and Wisconsin – have enacted social media legislation, bringing the total number of states with such legislation to 16.

How State Social Media Laws Affect Employers

Generally, state social media laws bar employers from requiring or requesting that an employee or applicant provide log-in credentials for his/her personal social media account.  Some of these state social media laws also prohibit an employer from requiring an employee to add another employee or supervisor to a social media account “friends” or contacts list or to access personal social media accounts in the employer’s presence.  Many of the state social media laws also prohibit employers from basing adverse employment action on an employee’s refusal to comply with an employer’s request for social media account access.

While these laws offer employees added protection with respect to their personal social media accounts, most of the laws feature important carve-outs.  Among other exceptions, most state social media laws allow employers to: access publicly-available social media about employees, restrict employees’ access to social media during work hours and conduct certain types of employment-related investigations that may involve an employee’s social media account(s).

Notably, all four of the recently-enacted laws allow employers to monitor the social media activity of employees when employees access their social media accounts through employer-provided IT systems.

Compliance Tips

Since the terms of state social media laws vary, employers should consider establishing and following basic guidelines to ensure compliance with the myriad laws.  Key steps are:

  • Updating employer policies to clarify state-specific restrictions related to employee access to personal social media accounts through employer-provided information systems; and
  • Providing training to managers, Human Resources and IT professionals about the conduct prohibited by the different state social media laws.




Incorporating Risk Analysis Into Your HIPAA Strategy

In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.

McDermott partner Edward Zacharias was interviewed by HealthITSecurity to discuss these topics and more.

Read the full interview.





The New Normal: Big Data Comes of Age

On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourage the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.

Read the full article.



