hot legal topics for mobile playing offense & defense
DESCRIPTION
Hot Legal Topics for Mobile Playing offense & defense. Robin Luce Herrmann Butzel Long. Agenda. Mobile Data Management Personal Identifying Information Protected Health Information Geolocation Issues Affirmative Obligations: Offense Resisting Inquiry: Defense. - PowerPoint PPT PresentationTRANSCRIPT
Hot Legal Topics for Mobile
Playing offense & defense
Robin Luce HerrmannButzel Long
Agenda
• Mobile Data Management• Personal Identifying Information• Protected Health Information• Geolocation Issues
Affirmative Obligations: OffenseResisting Inquiry: Defense
iPhones Now Top 5% Of Total E-CommerceWebsite Traffic
Playing Offense
Management of Mobile Data:Personal Identifying Data
With the advent of online and mobile transactions which collect individual identifying information, data protection protocols have become more important. Although various legislative strategies have been adopted (both federally and on a state by state basis), this area is rapidly evolving.
Personal Identifying Information
• Personally Identifiable Information (PII), is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. – The abbreviation PII is widely accepted, but for legal purposes the
effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.
• The pertinent issue is Information Security.• Although the concept of PII is old, it has become much more important
as technology has made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes.
• As a response to these threats, many website privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.
PII Examples
• IP address (in some cases)• Driver’s license number• Face• Credit card numbers• Digital identify• Date of Birth• Birthplace
Potential PII Examples
• Place of residence• Name of school(s) attended• Workplace• Grades• Salary• Job position
Legislation to Protect PII
• The U.S. Senate proposed the Privacy Act of 2005, which attempted to strictly limit the display, purchase, or sale of PII without the person's consent.
• Similarly, the (proposed) Anti-Phishing Act of 2005 attempted to prevent the acquiring of PII through phishing.
Business & PII• Legislation is often seen as a barrier to
progress & requiring an attorney just to engage in simple business practices (i.e., user registration).
• Preference is for laws that stress “acceptable uses” of PII.
Children’s Online Privacy Protection Act (“COPPA”)
• Passed to add protections when an internet site sought to collect PII from children under 13.
• On Aug. 1, the FTC proposed amendments to keep up with changes
Changes to COPPA• Until now the person responsible for compliance
was the “operator” of the website, presumably the party that was collecting the PII from children.
• That has changed. A large number of websites contain links to Facebook and other social media, which may ask for and obtain PII even if the primary “operator” does not. Other devices, including pop-up ads on a web page, may also be used to gather PII.
• Now, an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered operator under the Rule.
Management of Mobile Data:Protected Health Information
As Tele-Medicine enters the scene, often supported through mobile interfaces, HIPAA compliance will be a key area of concern
PHI and PII
• One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA), is to protect a patient's PII.
More HIPAA• HIPPA required the Secretary of the U.S. Department of Health
and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information.
• HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
• The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.
• The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form.
• The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).
The HIPAA Security Rule – and YOU!
• The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.
• Specifically, covered entities must:– 1. Ensure the confidentiality, integrity, and availability of all
e-PHI they create, receive, maintain or transmit;– 2. Identify and protect against reasonably anticipated
threats to the security or integrity of the information;– 3. Protect against reasonably anticipated, impermissible
uses or disclosures; and– 4. Ensure compliance by their workforce
Management of Mobile Data: Geo-location
With the advent of geo-location programs utilizing LinkedIn, Foursquare, Twitter and other mobile apps, the management and use of geo-location data has become critical.
It’s all about Location, Location, Geo-location…• Although pulled from the market
in April 2012, the Girls Around Me app was able to locate women near an individual’s Foursquare check-in site
• The most “invasive” geo-location tool released to date is Creepy (the program’s real name, which is widely believed to be an accurate description), a “geo-location information aggregator” app that locates an individual’s coordinates using Twitter or other social media when they log on with their phone
I complied with all these &^%#&( security protocols…..
There’s nothing more to worry about…..
Right?
WRONG!!!
Other folks may be interested in getting the information being gathered
Playing Defense
Look at Google alone….
• Google said in June that government agencies across the United States sought user data 6,321 times for the six months ending December 2011, up from 5,950 the six months prior.
• Google said the U.S. government targeted 12,243 Google accounts, compared to 11,057 in the six months before.
• But neither Google nor any other ISP releases how many times it turns over user data in the United States without a probable-cause warrant. It is highly likely that the numbers are too frightening.
The Law is Clear as mud…
The 6th Circuit Court of Appeals has said that there is a reasonable expectation of privacy in emails stored in a 3rd party server. But, just this week held that a man did not have a reasonable expectation of privacy in the data emanating from his cell phone that showed its location.
• Another Federal Court said it was ok to have an ISP install a monitoring device that recorded a target’s IP address, to/from email addresses & volume sent from the account.
More mud….
A federal judge has upheld the practice of police using seized phones to impersonate their owners, reading messages and sending entrapping replies to contacts in the phone's memory, without a warrant. The judge reasoned that constitutional privacy rights don't apply to messages if they appear on a seized device -- even if the messages originated with someone who has not been arrested or is under suspicion of any crime.
And more mud
• Another court held that cell phone location records could not be disclosed without a warrant.
And it isn’t just the Government that is interested
Trolls
• Litigants
• Public officials looking for leakers/whistleblowers
No Evident PII - Anonymous Posters
There are instances where businesses seek to unmask an anonymous poster or may be the recipient of a subpoena to unmask and anonymous poster.
This is a complex area of privacy law and is currently unsettled in Michigan, the 6th Circuit, and various state and federal jurisdictions.
Wireless Surveillance Act of 2012• In the wake of an investigation that revealed over 1.3 million law
enforcement requests for mobile phone info from providers, this month Rep. Ed Markey (D-Mass.) released a draft of a bill, the Wireless Surveillance Act of 2012, that would put some limits on those requests, including requiring a court order for location tracking.
• The new law would:– require the FCC to set limits on how long carriers cankeep customer personal information. – require law enforcement to make regular disclosures of the volume and nature of their requests. – Would curb data dumps from cell towers that yield info on large
groups of users, in part by requiring requests to be more targeted. – would require a judge to authorize the release of location tracking
info, and only for probable cause that the info could uncover evidence of a crime. The Justice Department has argued that law enforcement wants more access to that data, not less, in order to track down criminals.
Amendment of Electronic Communications Privacy Act
• Attempt to re-write legislation that generally grants the government wide powers to access cloud-stored data without a probable cause showing.
QUESTIONS ?