Privacy

Here’s One Way to Comply with GDPR – Block All EU Users: Data Privacy Trends

Believe it or not, Europe’s General Data Protection Regulation (GDPR) is set to go into effect in just one week(!), on May 25th.  Many organizations are scrambling to comply with the new regulation and a lot of them won’t have compliance sorted out in the next week.  As a result, some companies have realized it’s just too much of a hassle and decided to block all access to EU users.

According to Above the Law (Companies Respond To The GDPR By Blocking All EU Users, written by “Techdirt”), F-Secure’s Mikko Hypponen has tracked a bunch of examples of sites that give you some simple JavaScript to block EU visitors.  Hypponen highlighted one site (currently offline, but can be seen at the Internet Archive) called GDPR Shield that does that (assuming the requestor has JavaScript turned on, and their location is determined accurately — both of which may be big assumptions). Hypponen also noted several other sites cutting off EU users, including: Ragnarok Online, Verve, Brent Ozar, Unroll.me, SMNC, Tunngle, Drawbridge and Steel Root.
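As an added illustration (this is not the GDPR Shield script or code from any of the sites Hypponen listed), here is what the same block looks like when it is done on the server in Node.js rather than in a script shipped to the browser. Deciding server-side addresses both of the assumptions above: the visitor never has to run JavaScript for the block to apply, and the decision is made before any content is sent. It also ignores a client-supplied X-Forwarded-For header unless the connection came from one of our own proxies, since otherwise a visitor can choose their own “location” by setting that header. The GeoIP table, the TEST-NET addresses and the trusted proxy list are constructed for the example (a real deployment would query a GeoIP database), and the country list is the 28 EU member states as of May 2018, which is an assumption of the example; EEA states are not included.

```javascript
// Added example: a server-side EU geoblock in Node.js. Not the GDPR Shield
// script; written for this post to show where a block like this belongs.
'use strict';

// ISO 3166-1 alpha-2 codes of the 28 EU member states as of May 2018.
// Assumption of the example: extend for EEA states or later changes.
const EU_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB',
]);

// Constructed GeoIP fixture using RFC 5737 TEST-NET addresses. A real
// deployment would query a GeoIP database here instead.
const GEOIP_FIXTURE = new Map([
  ['203.0.113.5', 'DE'],
  ['198.51.100.7', 'US'],
]);

// Reverse proxies whose X-Forwarded-For header we are willing to believe
// (constructed for the example).
const TRUSTED_PROXIES = new Set(['192.0.2.10']);

// Work out which address to geolocate. X-Forwarded-For is client-controlled
// unless the TCP peer is one of our own proxies, so it is only honoured then.
// Node lowercases header names, hence 'x-forwarded-for'.
function clientAddress(remoteAddr, headers) {
  const xff = headers['x-forwarded-for'];
  if (TRUSTED_PROXIES.has(remoteAddr) && typeof xff === 'string' && xff.length > 0) {
    // The first entry is the original client as recorded by the proxy.
    return xff.split(',')[0].trim();
  }
  return remoteAddr;
}

// Map an address to a country code, or null when the lookup has no answer.
function resolveCountry(address, table = GEOIP_FIXTURE) {
  return table.has(address) ? table.get(address) : null;
}

function shouldBlock(countryCode) {
  return countryCode !== null && EU_COUNTRIES.has(countryCode);
}

// Decide the response for a request. Returns the status and body the server
// should send; 451 is "Unavailable For Legal Reasons" (RFC 7725).
// Unknown locations are let through (fail open) as a deliberate policy choice:
// geolocation is best-effort, which is exactly the caveat raised in the post.
function handle(req) {
  const headers = req.headers || {};
  const country = resolveCountry(clientAddress(req.remoteAddr, headers));
  if (shouldBlock(country)) {
    return { status: 451, body: 'This service is not available in your region.' };
  }
  return { status: 200, body: 'Hello' };
}

// Thin HTTP wrapper so the decision runs before any page content is written.
// In production, normalise IPv4-mapped IPv6 peers ("::ffff:203.0.113.5") first.
// Usage: createServer().listen(8080)
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    const out = handle({ remoteAddr: req.socket.remoteAddress, headers: req.headers });
    res.writeHead(out.status, { 'Content-Type': 'text/plain' });
    res.end(out.body);
  });
}
```

The important design point is in `clientAddress`: a geoblock that reads X-Forwarded-For from anyone is no stronger than the client-side script, because the visitor picks the header. Only the peer address of a trusted proxy is evidence of anything.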

Hypponen also noted the very different reactions to all of this from EU readers and US readers. EU folks seem to be generally supportive of the GDPR and think that companies shutting down service are either stupid & ignorant or evil and thus should shut down. On the US side, he noted people are smug about how this serves the EU right and will harm the EU.

I can understand that the prospect of a penalty of €20 million or 4% of worldwide annual revenue (whichever is greater) can cause organizations to take drastic steps.  But, should those steps include blocking EU users altogether?  Seems like a great way to cut off a lot of potential revenue.  What’s better: to be penalized for not complying with GDPR or to give up potential business in a drastic attempt to avoid the penalty?

Back in February, Tom O’Connor and I discussed the aspects of GDPR and steps to comply in a webcast we conducted on the topic (and we didn’t advocate shutting out the EU users).  It’s not too late to check it out!  One week to go!

So, what do you think?  Are you ready for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

More Than Two Thirds of Data Breaches Take Months to Discover: Cybersecurity Trends

One of my favorite annual cybersecurity publications to read is the Verizon Data Breach Investigations Report (DBIR), which analyzes the reported cybersecurity and data breach incidents for the year.  As always, this year’s report has some interesting findings.

But first, this week’s eDiscovery Tech Tip of the Week is about Selecting Views.  Workflows associated with reviewing documents in discovery can be varied, depending on the task to be accomplished during review, the type of information needed to conduct the review effectively and the individual’s preferred style in conducting the review.  It’s important to find an eDiscovery review platform that gives you options for review that fit your workflows.

To see an example of how Selecting Views is conducted using our CloudNine platform, click here (requires BrightTalk account, which is free).

Anyway, every year, the Verizon DBIR report starts off with a notable quote.  This year, the report writers chose to get downright Shakespearean with the quote “I would give all my fame for a pot of ale, and safety” from Henry V.  Sounds like a pretty good trade to me!

Here are some interesting statistics from the 68 page PDF report:

  • They are reporting on over 53,000 incidents and 2,216 confirmed data breaches;
  • 73% of reported breaches were perpetrated by outsiders, 28% by internal actors;
  • 50% of breaches were carried out by organized criminal groups;
  • 12% of breaches involved actors identified as nation-state or state-affiliated;
  • Who was affected? 24% of breaches affected healthcare organizations, 15% of breaches involved accommodation and food services, 14% were breaches of public sector entities and a whopping 58% of victims are categorized as small businesses.  So, it’s not just the “big guys” who are the targets.
  • How do they get you? 48% of breaches featured hacking, 30% included malware, 17% of breaches had errors as causal events, 17% were social attacks, 12% involved privilege misuse and 11% of breaches involved physical actions.
  • Also, 49% of non-point of sale malware was installed via malicious email, 76% of breaches were financially motivated and, the most remarkable stat, 68% of breaches took months or longer to discover.

As always, the report is chock full of graphics and statistics, which makes it easier to read than its size indicates, and it covers everything from social attacks to ransomware to denial of service to incident classification patterns, with coverage of data breaches and other incidents in several industries.

You can download a copy of the report here.  As in past years, you can either register before downloading or simply download the report without registering.  This is our fourth year covering the report (previous reports covered here, here and here).  Enjoy!

So, what do you think?  Have you ever experienced any data breaches, either personally or professionally?  Please share any comments you might have or if you’d like to know more about a particular topic.

CLOUD Act Renders Supreme Court Decision in the Microsoft Case Moot: eDiscovery News

The Supreme Court heard arguments on February 27th over Microsoft’s ongoing data privacy case involving email stored in a Microsoft datacenter in Ireland.  According to reports from those attending, the justices didn’t seem swayed by Microsoft’s claims that data stored overseas should not be accessible to government prosecutors.  However, Congress has since passed the CLOUD (Clarifying Lawful Overseas Use of Data) Act. Parties on all sides of the case expected the passage of the CLOUD Act to render the Microsoft case moot.  And, they were right.

Yesterday, in an unsigned three-page opinion, the Supreme Court justices threw out a ruling by the U.S. Court of Appeals for the 2nd Circuit, explaining that the case had become moot.

On March 23, Congress passed – and President Donald Trump signed – legislation that directly addressed the legal issue before the court in the Microsoft case. The CLOUD Act contains a provision that requires email service providers to disclose emails within their “possession, custody, or control,” even when those emails are located outside the United States. Once the CLOUD Act was in effect, the federal government went back to court and got a new warrant, which has replaced the warrant originally served on Microsoft back in 2013.  According to ZDNet, Microsoft officials said they are reviewing the new DOJ warrant before deciding how to proceed.

Microsoft officials repeatedly have said they were in favor of legislation, not legal action, in settling these kinds of matters. Though it may seem contradictory, Microsoft actually backed the CLOUD Act, which stipulates that cloud providers comply with court orders for data regardless of whether the information is located in the U.S. or not.

Microsoft released the following statement from its President and Chief Legal Officer Brad Smith yesterday regarding the Supreme Court’s move:

“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”

In light of all these facts, the court concluded, there is no longer a “live dispute” between the United States and Microsoft on the legal question that the justices had agreed to review. The court therefore invalidated the 2nd Circuit’s ruling and sent the case back to the court of appeals with instructions to vacate the district court’s rulings against Microsoft and to direct the district court to dismiss the case.

So, what do you think?  Does the CLOUD Act end the disputes over data stored by internet providers overseas?  Please share any comments you might have or if you’d like to know more about a particular topic.

According to the IGI, Information Governance Continues To Gain Traction: Information Governance Trends

Last week, the Information Governance Initiative (IGI) released Volume III of their State of Information Governance Report – the third (annual) edition of the Report, which is based on “extensive” surveying of Information Governance (IG) practitioners and providers.  So, is Information Governance gaining traction in organizations? (Well, duh, I gave the answer away in the title of this post, didn’t I?)  :o)

I couldn’t find a total number of respondents mentioned in the report, but it does note that the survey “reached an estimated audience of approximately 100,000 practitioners through our network and those of our partners and Supporters” and that “the majority of respondents came from our own community of IG practitioners.”  For what it’s worth.

Regardless, the report contains several findings, including these highlights:

  • Only 2 percent of respondents have never undertaken an IG project. When compared to last year, the number of respondents reporting they have never undertaken an Information Governance project fell by a dramatic 90 percent.
  • There was a 41 percent rise in the number of professionals who say the IG market is clearly identified, with just over a third of respondents agreeing or strongly agreeing that the IG market is clearly defined.
  • There was also a 26 percent rise in the number of organizations with an IG Steering Committee (to 46 percent) and a 41 percent rise in the number of IG leaders with “Information Governance” in their title (to 52 percent).
  • More organizations are also realizing more business value from their data with those extracting value from data rising from 16 percent last year to 46 percent this year.
  • Integration between IG and cybersecurity programs is accelerating, with 48 percent of respondents agreeing that IG is essential to strong cybersecurity.
  • This year, only 4 percent of respondents reported having no active IG projects – a 64 percent drop from last year. However, according to the respondents, the main barrier to IG progress remains a lack of organizational awareness, so there’s still work to be done.

The report cites a couple of factors as driving greater emphasis on information governance: the Equifax breach, which affected 143 million Americans, and new legal and regulatory developments, like the EU’s General Data Protection Regulation (GDPR).  Regarding GDPR in particular, the report states:

“GDPR asks organizations to zero in on the reasons they store data in the first place. Without consent and justifiable reasons for storing the data, organizations are required to delete it. It is a refocus from an attitude of ‘If in doubt, keep’ to one of ‘If in doubt, delete’. Facing a drive for better governance and defensible deletion across at least a subset of their data, organizations are now beginning to more loudly ask those questions that high-profile data disasters raise: Why does this information exist? Why are we holding on to it? What value does it have, and what kind of risk does it represent?”

Needless to say, GDPR will be a major driver in adoption of information governance.

The report is contained within a 63 page PDF, full of detailed information regarding the state of information governance today, but it also includes a two page state of the industry report “quick read” with some of the key findings on pages 3 and 4 (if you want to hit the highlights quickly).  To download a copy of the report, click here (requires an IGI profile to be set up, which is free).

So, what do you think?  Are you surprised by any of these results?  Does your organization have any active IG projects?  Please share any comments you might have or if you’d like to know more about a particular topic.

Tending Your Garden: Why Information Governance Should be an Ongoing Process in Your Organization: eDiscovery Best Practices

Editor’s Note: Jim Gill’s writing about eDiscovery and Data Management has been twice recognized with JD Supra Reader’s Choice Awards and he holds an MFA in Creative Writing from Southern Illinois University, Carbondale.  Before working in eDiscovery, Jim taught college writing at a number of institutions and his creative work has been published in numerous national literary journals, as well as being nominated for a Pushcart Prize.

Jim’s post below highlights the importance of a strong information governance program and how creation of a data map can be a key component to that IG program.  Complying with the management requirements of personal data in Europe’s impending General Data Protection Regulation (GDPR) will make information governance even more of a priority than ever as Tom O’Connor and I discussed in last week’s webcast.

Just south of San Francisco lies the Filoli mansion, built in 1916 for the Bourn family, and then sold to the Roth family in the 1930s. During that time, the formal gardens gained worldwide renown, and in 1975, the family donated the house and gardens to the National Trust for Historic Preservation.

This month, I was visiting a friend who is the head of horticulture there and was asking about the seasonal planning of the garden and if they use landscape maps, or if it’s up to the garden managers to decide what to plant and maintain. The answer, as most answers tend to be, involved a little of both. But he told me that they no longer had access to a lot of the maps, because they had recently upgraded their computers, and the new machines couldn’t read the old files.

“Did you switch from Mac to PC?” I asked.

“No, we just went with the latest Macs, but they can’t read the old Apple files.”

As computing has shifted more to mobile-based platforms, the issue of legacy document accessibility comes along with that shift. Certainly, it’s nothing new, as system updates to both hardware and software have become increasingly frequent over the last 20 years. But often there was built-in backward compatibility – the newest machines could read files from older software versions, but not the other way around.

To add even more complexity, Apple has so far made the decision to keep its mobile iOS platform separate from its desktop/laptop OS. In an article in Time, written in December 2016 by Tim Bajarin, he states, “Keeping two separate operating systems makes sense for Apple, enabling the company to offer a more basic and approachable OS for mobile users, with more powerful software for pro buyers.” But he continues with his belief that “both everyday consumers and business users will embrace so-called “2-in-1” computers, which can function as both a tablet and a laptop-with-keyboard.”

When I asked my friend what Filoli was planning to do about the old maps, he simply smiled and said, “we’re not exactly sure yet.” Mainly, they’d just started creating new maps using the new programs, which at a small organization like his, will probably work just fine.

But it raises some interesting considerations when thinking about information governance and eDiscovery policy in a larger corporate setting.

First, in the same way that the Filoli gardeners used maps to understand the property’s landscape, organizations should create data maps in order to learn the same about their data landscape: What types of data are being stored? Where are they stored? When were they created? And, in the case of hardware and software updates, will there be compatibility issues?

Second, once a data map is created, policies should be created surrounding retention and storage. If you have older files that can’t be opened, one should question whether it’s even necessary to keep them around. Because storage is moving to the cloud and is becoming more and more affordable, many find it easier to simply keep everything. But this can lead to issues down the road should litigation arise.

Finally, hardware and system updates are a great time to bring your organization’s data management program up to speed. Before moving old files over into a new system (such as Office 365), it could be beneficial, especially in the long term, to clean house before moving. However, this can be easy to put off, it takes extra time and effort, and if you’re in the middle of a move, being proactive about defensible deletion isn’t often top of mind. It’s the same reason why after you move into a new house and start unpacking boxes, you’re often left shaking your head and thinking, why did I bring this?

Even if you’re not planning to upgrade hardware or software platforms anytime soon, it is inevitable that your organization will do so. And in this day and age, the space between upgrades continues to grow narrower all the time. It may be a good idea to use the “off time” to begin the process of creating a data map, as well as information governance policies and contingencies, so that when the day comes for that upgrade, you won’t have to recreate some things from scratch, while still feeling compelled to carry around the outdated and inaccessible files.

So, what do you think?  Does your organization have a data map that is periodically updated?  Please share any comments you might have or if you’d like to know more about a particular topic.

Germany Finds that Facebook’s Privacy Settings and Terms of Service Violate Their Privacy Rules: Data Privacy Trends

One of the things that Tom O’Connor and I discussed in last week’s webcast about Europe’s upcoming General Data Protection Regulation (GDPR) was how consent will be interpreted for use of data subjects’ data.  Last month, a German court may have given an early indication of how consent will be enforced.

In Legaltech News (Facebook Foreshadowing: German Court Underscores Tech’s Uncertain GDPR Future, written by Rhys Dipshan, free subscription required), the author notes that after a three-year battle, a regional court in Berlin has found that Facebook’s default privacy settings, terms of service, and requirement that users register under their own name violate Germany’s data privacy and consent rules.

The January 2018 ruling (available here, in German, of course) based on German law on a case brought by The Federation of German Consumer Organisations (VZBV) could nonetheless illustrate trouble for international technology companies under the GDPR, once it takes effect on May 25th of this year.

Germany’s data privacy laws are currently based on the EU Directive 95/46/EC, the data privacy directive passed by the European Union in 1995 which has provisions that mirror those in the GDPR, especially around the issue of consent.  EU Directive 95/46/EC will be replaced by GDPR on May 25th.

Last November, the EU Article 29 Data Protection Working Party (WP29) issued Guidelines on Consent under Regulation 2016/679 to clarify how the EU would move to define and regulate consent and that guidance aligns closely with how the German court interpreted consent in the case against Facebook. For example, the court ruled that the pre-activated privacy settings on Facebook’s mobile application, such as allowing geotagging and for search engines to index a user’s Facebook profile, are a violation of user consent.

The court also found that eight clauses in Facebook’s terms of service assumed and framed consent too broadly and declared that asking users to register under their own names “was a covert way of getting people’s consent to use their real names,” said Nick Wallace, a senior policy analyst at the Center for Data Innovation.

The WP29’s guidance affirms both points and it also notes, “If consent is bundled up as a non-negotiable part of terms and conditions, it is presumed not to have been freely given.”  WP29 also states, “The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service cannot be regarded as an active indication of choice.”

Debbie Reynolds, director of EimerStahl Discovery Solutions, an affiliate of law firm Eimer Stahl, stated that “Facebook and a lot of tech companies sell marketing,” and having their users register under their real names “makes the information they collect more valuable. So I think this is going to in some way change the foundation of how they are operating today.”

As you can imagine, the requirements of specific consent could change things for a lot of companies that currently collect data from individuals, including EU data subjects – perhaps significantly.  We will see.

Speaking of data privacy, today is the day that the Supreme Court will hear oral argument in United States v. Microsoft Corp (which we’ve referred to as the “Microsoft Ireland” case).  Needless to say, the ruling in this case will have major impact on how organizations treat data privacy as well.  We will certainly cover the ruling when it’s issued.

So, what do you think?  Is your organization changing how it obtains consent from individuals for handling their data?  Please share any comments you might have or if you’d like to know more about a particular topic.

Only 53 Percent of Surveyed Security Officers Are Confident in Security of Data by Third Parties: Cybersecurity Trends

A recently issued report provides an interesting look at how Chief Information Security Officers (CISOs) and others responsible for security are addressing the challenges in today’s cybersecurity climate.

The report (The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data, by Ankura and Ari Kaplan Advisors), issued earlier this month, explores the roles of CISOs (chief information security officers), the adoption of cloud technology and how entities are auditing their vendors.  Ankura partnered with Ari Kaplan Advisors and interviewed 30 industry leaders in August 2017 to learn how corporations are adapting to today’s evolving threat landscape.  Most of these were large organizations (70 percent with over $1 billion in annual revenue, 80 percent with over 5,000 employees).

Interesting findings include:

  • 97 percent of the respondents indicated they were evaluating security practices of their vendors, partners, law firms, and third parties that interact with their data. For 17 percent of them, regulatory requirements have driven that effort.
  • However, only 53 percent said they were confident in the security of their data being managed by vendors, partners, and other third parties.
  • 57 percent of the participants noted that their organizations are periodically involved in litigation or investigations that require them to transfer information to law firms and eDiscovery vendors, among others. 27 percent frequently need to do so.
  • 87 percent of respondents were using third-party cloud providers to “host non-critical information” to save money and streamline business processes. 17 percent of the respondents noted that Office 365 is a common impetus for moving to the cloud.
  • 77 percent of respondents advised that the scope of their managed security services includes incident response. And, for 63 percent, that support included onsite response. However, only 37 percent were confident that their managed services provider would provide a legally defensible investigation if they were the victim of a breach or other cyber incident.
  • 80 percent of respondents reported having a Bring Your Own Device (BYOD) plan, though some noted that their plan is to prohibit personal devices. 63 percent believe that those gadgets contain company sensitive information.

GDPR is one significant regulatory requirement affecting security considerations, with one respondent stating that “GDPR will influence the way many companies appraise their partners, given the expansion of responsibilities for both data controllers and processors under the new privacy framework set for implementation in 2018.”  Good thing we have a webcast on the topic tomorrow!  :o)

The report, a 24 page PDF, chock full of other statistics and findings, is available here.  As always, hat tip to Sharon Nelson of the Ride the Lightning blog for her coverage of the report.

So, what do you think?  Do any of these numbers surprise you?  Do you disagree with any of them?  Please share any comments you might have or if you’d like to know more about a particular topic.

The Sedona Conference Has Published the Final Version of its Data Privacy Primer: eDiscovery Best Practices

With the Microsoft Ireland case being argued before SCOTUS on February 27 and the General Data Protection Regulation (GDPR) going into effect in May (click here to register for our next webcast on that topic), it’s a big year for data privacy.  In keeping with that theme, The Sedona Conference® (TSC) has published the final version of a primer to help with this growing issue.

Last week, TSC and its Working Group 11 on Data Security and Privacy Liability (WG11) rolled out the final version of its new Data Privacy Primer, almost exactly a year after rolling out the public comment version.  This final version contains several updates following thorough consideration of the public comments submitted between January and April 2017.

WG11 developed the Data Privacy Primer to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance.

As we noted last year, the Primer is “intended to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance.”  The TSC notes that it focuses on privacy laws in the U.S. in this Primer and that global privacy laws are outside the scope of its coverage. It also focuses primarily on privacy issues arising under civil rather than criminal law (though criminal law implications are addressed “at various points” in the Primer).

The Primer covers topics ranging from the Common Law of Privacy to Federal and State Government Laws and Acts regarding privacy policies and protections, to discussions of general consumer protection, health (including HIPAA) and financial protections.  It also discusses Workplace and Student privacy considerations, which range from the use of company equipment and email and bring your own device (BYOD) policies in the workplace to privacy protections for educational records.  Apparently, there were a lot of public comments, because the PDF file for the Primer has ballooned up to a whopping 175 pages (from 115 for the public comment version).  So, it’s not exactly “light” reading for a weighty topic.  :o)

So, what do you think?  How does your organization address data privacy?  Please share any comments you might have or if you’d like to know more about a particular topic.


No Dismissal of Claim Against Defendant Accused of Transferring Company Info to Dropbox Account: eDiscovery Case Law

In Abbott Labs. v. Finkel, No. 17-cv-00894-CMA (D. Colo. Nov. 17, 2017), Colorado District Judge Christine M. Arguello denied the defendant-movant’s motion to dismiss the plaintiff-respondent’s conversion claim that the defendant disclosed the plaintiff’s confidential information and trade secrets to a third party and transferred that information to his personal online cloud storage Dropbox account.

Case Background

In December 2014, the plaintiff hired the defendant as a General Manager for its Nutrition Division, where he received access to its confidential information and trade secrets.  To protect its confidential information and trade secrets, the plaintiff required the defendant to sign confidentiality and non-disclosure agreements and its Electronic Messages policy prohibited the defendant from backing up or storing digital information on personal devices and also prohibited sharing info with outside parties.  Despite that, during the defendant’s employment, he both disclosed plaintiff confidential information and trade secrets to a third party and transferred that information to his personal online cloud storage Dropbox account and was fired, in part, for that.  On the date of his termination, the plaintiff’s IT personnel (with the defendant’s consent) deleted its confidential information that he transferred to his personal Dropbox account.

However, the plaintiff later discovered that “Dropbox has a feature that allows a user to restore any file or folder removed from an active user account in the past 30 days or longer, depending on the version of Dropbox.”  As a result, the plaintiff asked the defendant 1) to certify that all its information was deleted from any electronic or physical storage location owned or used by the third party, 2) that it be allowed to monitor his Dropbox account activity and ensure that the deletion restoration feature was not activated and 3) to allow a third-party forensic consultant to examine his Dropbox account to ensure that all of the plaintiff’s information was deleted and not re-downloaded or transferred.  When the defendant refused, the plaintiff sued, asserting claims of breach of contract, conversion, and misappropriation of trade secrets.  The defendant filed a motion to dismiss the conversion claim, arguing that the claim is preempted by the Colorado Uniform Trade Secrets Act (“CUTSA”) and the allegations showed that the defendant was authorized to access and use the information and that he returned it to the plaintiff upon request.

Judge’s Ruling

Judge Arguello stated: “To assert a claim of conversion, Plaintiff must show: (1) Plaintiff has a right to the property at issue; (2) Defendant has exercised unauthorized dominion or ownership over the property (3) Plaintiff has made a demand for possession of the property; and (4) Defendant refuses to return it.”  In her analysis, Judge Arguello addressed elements two and four (as one and three were undisputed) and found that the defendant still has unauthorized “dominion or ownership” over the documents and concluded that “Plaintiff has sufficiently pled the fourth element” with regard to defendant’s refusal to allow it to re-access his Dropbox account.

As for the defendant’s contention that the plaintiff’s claim is preempted by CUTSA, Judge Arguello rejected that argument, stating: “At this stage in the litigation, the Court is without a sufficient record to determine whether some, part, or all of Plaintiff’s conversion claim depends on a finding of trade secret status and is, therefore, preempted by the CUTSA. Indeed, none of the allegedly converted information has been presented to the Court, nor has it been described in much detail.”  As a result, she denied the defendant’s motion to dismiss the claim.

So, what do you think?  Should the plaintiff have the right to re-access the defendant’s Dropbox account?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Uber’s Response to Data Breach? Pay the Hackers to Keep Quiet About It: Cybersecurity Trends

Hackers stole the personal data of 57 million customers and drivers from Uber last year.  Their response?  Conceal the breach for more than a year, and pay the hackers $100,000 to delete the data (sure they did) and keep quiet about the breach.

As reported on Bloomberg (Uber Paid Hackers to Delete Stolen Data on 57 Million People, written by Eric Newcomer) last week, compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

According to Bloomberg, the breach occurred when two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. According to Bloomberg, Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg.  Dara Khosrowshahi, the new CEO as of September, asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in an emailed statement. “We are changing the way we do business.”

After Uber’s disclosure, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. And it should come as no surprise that the company has already been sued for negligence over the breach by a customer seeking class-action status.

So, what do you think?  How severely should Uber be punished for failing to disclose the breach?  Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip (as always) to Sharon Nelson of Ride the Lightning for her coverage of the story.
