Technology Law: Regulations on the Internet and Emerging Technologies
DESCRIPTION
Heather Buchta, a partner with Quarles & Brady LLP whose transactional practice covers e-commerce, software and technology, presented the different cloud regulations that impact our industry, from data privacy to compliance. Attendees at the Infinity Software 2014 User Group Conference learned all the legal Internet/cloud considerations CIOs are faced with today and how to apply them to their value proposition.
TRANSCRIPT
Partner Program
Technology Law: Regulations on the Internet and Emerging Technologies
Heather L. Buchta
Quarles & Brady LLP
September 4, 2014
• Regulatory Environment
• Contractual Issues
Regulatory Environment
• Speed of Regulation
• Comparison over last 10 years
State in 2003
– E-contracting
– Cybercrime/hacking
Current State
Personal Information
• FEDERAL
  – FTC Act
  – COPPA
  – CAN-SPAM
  – TCPA
  – FERPA
• STATE
  – Breach Notification
  – Point of Sale Collection
  – State Consumer Protection
  – Security Obligations
Health Information
• FEDERAL
  – HIPAA
  – HITECH
  – Health Breach Notification Rule
  – GINA
• STATE
  – HIPAA-like
Financial Information
• FEDERAL
  – GLB
  – FCRA
  – FACTA
• STATE
  – GLB-like
Employee Information
• FEDERAL
  – ERISA
  – FMLA
  – Whistleblower Protection Act
• STATE
  – Contract law
Regulatory Environment - Background
• Terminology
  – Data Privacy
  – Data Security
  – Cybersecurity
  – Co-Lo
  – Cloud
• Legal Framework
  – Sectoral
  – Comprehensive
A Bit of Historical Context…
• Not actually a new topic
  – Warren and Brandeis – 1890
  – Prosser – 1960
  – Fair Information Practices – 1973
  – Guidelines Governing the Protection of Privacy and Transborder Data Flows of Personal Data – 1980
  – Council of Europe – 1981
  – EU Data Protection Directive – 1995
  – APEC Privacy Framework – 2004
Regulatory Environment – Disclaimer
• Data Privacy and Protection
  – Health Care
  – Financial
  – Labor & Employment
  – Trade Secrets
  – Internet of Things
  – BYOD
• Other Regulations
  – Online contracting
  – All other offline business regulations – FCC, FTC, etc.
Regulatory Environment
• Understand applicable obligations
  – Geographic Source of Data
  – What Kind of Data – Defined by States and/or Statutes
    • Personally Identifiable Information (PII)
    • Nonpublic Personal Information (NPI)
    • Protected Health Information (PHI)
• Types of Obligations
  – Privacy
  – Security
Regulatory Environment
• Understand Applicable Obligations
  – Personal Information
    • Federal
      – FTC
        » Section 5 of the FTC Act
        » Telemarketing Sales Rule
        » COPPA
        » CAN-SPAM
      – FCC
        » Telephone Consumer Protection Act
      – USDOE
        » FERPA
      – Electronic Communications Privacy Act
Regulatory Environment
• New Bills
  – Location Privacy Protection Act of 2014
    • S.2171, Sen. Franken, March 27, 2014
  – Personal Data Privacy and Security Act of 2014
    • S.1897, Sen. Leahy, January 8, 2014
  – Data Security Act of 2014
    • S.1927, Sen. Carper, January 15, 2014
  – Commercial Privacy Bill of Rights of 2014
    • S.2378, Sen. Menendez, May 21, 2014
• Other Initiatives
  – Do Not Track movement
  – Big Data: Seizing Opportunity, Preserving Value, May 2014, Executive Office of the President
Regulatory Environment
• Understand Applicable Obligations
  – Personal Information
    • State
      – Security Breach Notification Statutes
      – Point of Sale Collection
      – Security Obligations – MA 201 CMR 17.00, Nev. 603A.215
      – State Consumer Protection Laws
      – FERPA-like
      – ECPA-like
      – California
        » CALOPPA, BPC 22575-22579
        » Shine the Light, CA Civ Code 1798.83
        » CALCOPPA, S.B. 568
Regulatory Environment
• Understand Applicable Obligations
  – Health Information
    • HIPAA/HITECH – OCR of HHS
      – LabMD – overlapping jurisdiction with FTC
      – State Attorneys General
    • Health Breach Notification Rule – FTC
    • GINA – EEOC
    • States also have similar legislation
Regulatory Environment
• Understand Applicable Obligations
  – Financial Information
    • GLB
      – Privacy Rule – FTC and CFPB
      – Safeguards Rule – FTC and CFPB
      – Banking Regulators
    • FCRA – FTC, CFPB and State Attorneys General
    • FACTA – FTC, CFPB and State Attorneys General
      – Red Flags Rule
    • Some states have similar legislation
Regulatory Environment
• Understand Applicable Obligations
  – Employee Information
    • ADA
    • HIPAA
    • State Specific Rules – social media
    • Employee Handbooks
    • Union Agreements/Collective Bargaining Agreements
Regulatory Environment
• Understand Applicable Obligations
  – EU
    • Directives – Personal Information and Cookie
    • DPAs
    • Works Councils
  – Canada
    • PIPEDA
    • CASL
  – Australia
    • Privacy Amendment Act 2012
Regulatory Environment
• Credit Card Data
  – PCI DSS v.3
  – Nevada 603A.215
  – Minnesota 325E.64
• Online Tracking
  – Digital Advertising Alliance
  – OBA and retargeting
• NIST
  – Media Sanitization
  – Cybersecurity Framework
• NERC
• Contractual obligations and self-imposed obligations
Regulatory Environment
• Security Audit
  – “systematic, measurable technical assessment of how the organization's security policy is employed at a specific site” (Symantec 2003)
  – “appropriate” and “reasonable”
• What is involved?
  – Personal interviews
  – Vulnerability scans (pen-testing)
  – Examinations of operating system settings
  – Analyses of network shares and other data
• Go to the experts
  – Find the right vendor
  – Set parameters
Regulatory Environment
• WISP
• Consider Insurance Options
• Identify Key Team Members
  – Key Executives
  – Compliance – CISO?
  – Legal
  – Marketing/HR
  – PR
  – IT/Forensics
  – Incident Response Vendor?
• Incident Response Plan
• Tabletop Exercises
Regulatory Environment
• Internal Privacy Program
• Data Retention Schedule
• Regularly Review
Why Do We Care
• The Regulators are Coming…
  – FTC
  – Attorneys General
• And they are bringing bad press, fines and Enforcement Orders
Why Do We Care
• Corporate Governance Issues
  – SEC Investigations
  – Officer Liability
  – Have to Stay Informed
  – NACD White Paper – Cybersecurity Boardroom Implications (2014)
  – SEC Cybersecurity Roundtable Transcript, 3/28/14, available at www.sec.gov
Why Do We Care
• Valuation
  – Reputational Value
  – Corporate Deals - M&A
• High Profile Deals
  – WhatsApp, Moves, Nest
• Impacting the Bottom Line
• Restricting Ability to Transfer
Why Do We Care
• Vendor Relationships
  – Implicates both privacy and security
  – Outsourcing does not mean relinquishing obligations or liability
    • Must do due diligence
    • Appropriate contractual provisions
    • Maintain level of control and knowledge of activities
Why Do We Care
• Mobile App Development
  – Privacy By Design
• Hosting Facilities
  – Security Requirements
  – Breach Notifications
• SaaS
  – Data Ownership/Access/Return
  – Data Usage
• Marketing
  – Retargeting
  – OBA
Why Do We Care
• Ask Questions
• Then Ask More Questions
• Which will lead to more questions
• Must understand the data flows, retention, sharing and usage
Why Do We Care
• Key Provisions to Consider
  – Audit Rights
  – Security Audit Reports – SSAE16/ISAE3402
  – Disaster Recovery/Business Continuity
  – Compliance with Laws
  – Ownership/Usage/Destruction
  – Indemnities
  – Warranties
  – Exclusions to Limitations of Liability
  – Insurance
Why Do We Care
• Responsibility for breach of security is a function of who controls the data
• Liability for breach of security is a function of the contract
• Compliance with laws may be a domestic and/or foreign matter
Other Considerations
• IP law trailing the technology evolution of the Cloud
• Trade Secrets and the Cloud may be incompatible
  – Potential third-party disclosures
  – US PATRIOT Act
• Evolving licensing models
• Potential data location issues
• Legacy software and systems issues
Other Considerations
• Ownership of Data
• Preservation of Data
• Preservation may be easier on the cloud…or not
  – Courts may not distinguish servers in the cloud
  – Physical location of Data may be unknown
  – Compliance with e-discovery and litigation holds
• Spoliation
• Data Integrity
  – Must be free from corruption
Other Considerations
• Determine accountability for data preservation
  – Who is liable for stolen data
  – What does indemnification cover
  – What happens in bankruptcy
  – What notice is provided for security breach
  – What happens if lose co-lo contract or lose lease
Other Considerations
• Intellectual Property
  – Whose software
  – Whose network
• Ownership
  – Customizations or configurations
  – Works made for hire
• Same contractual provisions come into play – now from an IP perspective
Other Considerations
• Service Levels
• Online contracting – Enforceability
  – Notice
    • Conspicuous
  – Choice
    • Meaningful
    • Contract of Adhesion
Questions???
Thank you for your partnership!