Don’t be a Dummy – FTC Warns against Inadequate Security Controls in “Dummy” (Non-Production) Environments

By: Allison R. Trimble

The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices. 

Read More
By: Reece Clark

Software escrow arrangements are gaining increasing importance in complex technology deals. Software escrows can be an effective way to mitigate certain future risks involving the licensing of commercial software, a SaaS service, or some other technology product. The application of escrow principles to technology deals comes with unique considerations for parties seeking such services. This article explores basic software escrow principles and best practices.

1. What is a Software Escrow?

In typical off-the-shelf purchases of software, only object code (i.e., executable code) is licensed out to the end user. [1] In commercial licensing deals, however, the licensee may have a legitimate interest in both object code and source code. Accessing source code allows the licensee to see how the software is processing data or performing functions, and can even allow the licensee to change the operation of the software. [2] The licensor is usually hesitant to grant rights to source code, as it represents a key piece of intellectual property. To compromise, the parties may choose to enter a software escrow arrangement.

The software escrow allows the licensor (“Depositor”) to deposit its source code, associated build/deployment documentation, and/or other proprietary technology as needed (the “Deposit Material”) with an escrow agent (“Agent”) for the benefit of the licensee (“Beneficiary”). In the event certain pre-defined conditions are met (each, a “Release Condition”), the Agent will release the Deposit Material to the Beneficiary. In this way, a licensee acquires the protection it is looking for without requiring the licensor to directly convey intellectual property rights.

2. When is a Software Escrow Needed?

Software escrow arrangements can be expensive and are not right for every deal. [3] As a result, it is important to make a fact-based determination as to whether a software escrow should be built into a particular contract.

While every deal is different, there are several factors which a party may consider in determining whether a software escrow is needed. Some of these include [4]:

Whether the licensor is signaling:
  Financial instability;
  Declining business forecast;
  Discontinuation of software maintenance and support;
  Infrequency of software updates; or
  Risk of future breach of contract.

Whether the licensed software is:
  Critical to licensee’s business growth;
  Difficult to acquire through competitor products;
  Touching or affecting key stakeholders of licensee;
  Necessary for licensee’s business continuity preparation or operations; or
  Offered by an unestablished vendor.

After evaluating the above factors, if the parties believe the benefits of having the Deposit Material safely stored with a neutral third party outweigh the costs, then a software escrow may be a prudent measure.

3. How Does a Software Escrow Work?

In principle, a software escrow functions in the same way as any other escrow arrangement. After determining that a software escrow is desirable, the parties execute an escrow agreement with an Agent. Escrow agreements will vary depending on the Agent’s scope of engagement and suite of value-added verification services, but the core responsibilities of the parties should remain fairly consistent and are substantially as follows:

Depositor
  Makes initial deposit of Deposit Material.
  Agrees to release updates as necessary to Deposit Material during the term.
  Gives market representations and warranties regarding the Deposit Material.

Beneficiary
  Monitors compliance between the Depositor and Agent during the term.
  Requests additional verification services for Deposit Material as needed.

Agent
  Receives Deposit Material and confirms receipt to Beneficiary.
  Offers additional verification services upon request.
  Holds and controls Deposit Material until Release Conditions are met.

In addition to the above responsibilities, the following terms are unique to software escrow agreements and should be defined between the parties:

Deposit Material Description. The Deposit Material should be adequately described in the escrow agreement, and the actual Deposit Material should match the description. A market example of such a description is as follows: “the computer program expressed in a source code language consisting of a full source language statement of the program the software is comprised of and all related compiler command files, build scripts, complete maintenance documentation, application programming interfaces, graphical user interfaces, schematic diagrams and annotations which comprise the pre-coding detail design specification, and all other material necessary to allow a reasonably skilled programmer to maintain and enhance the software without the assistance of the licensor.” [5]

Type of Escrow Arrangement. While a software escrow is most common, some Agents have the capacity to manage different types of escrow arrangements. Other types of escrow arrangements include: (1) technology escrows, holding items of physical technology such as encryption keys or prototypes; (2) SaaS escrows, involving the components necessary to ensure a SaaS product remains viable, such as code, virtual machines, data, and other key components of the SaaS service; and (3) domain escrows, holding a website domain name. [6]

Single Beneficiary vs. Multi-Beneficiary. [7] A single beneficiary agreement is a standard three-party agreement that designates the Beneficiary as the receiver of the Deposit Materials upon a Release Condition. A multi-beneficiary agreement involves multiple receivers of Deposit Materials. This type of agreement may be complex, separating the software escrow into projects or releases and designating certain Beneficiaries to receive different Deposit Materials based on the identity of the Beneficiary and/or which project or release the Beneficiary is logically tied to.

Designation of Paying Party. Either the Depositor or the Beneficiary, or some combination of both, may be designated as the paying party. There are usually two key payments to be made: the setup fee and an annual fee. Some strategic considerations on where the cost should be placed may be found here, and a sample fee schedule of the costs associated with a software escrow may be found here. Expect additional verification services to substantially increase the cost of the escrow arrangement.

Defined Release Conditions. These conditions will vary from deal to deal. Typically, they will revolve around (i) the Depositor’s financial condition, triggering if, for example, the Depositor enters voluntary or involuntary bankruptcy, or (ii) the happening of a future event or condition, such as the Depositor failing to function as a going concern or operate in the ordinary course. Upon the occurrence of a Release Condition, the Depositor will be given a notice period to contest whether the Release Condition has actually occurred. If the Depositor fails to timely contest, the Agent will release the Deposit Material to the Beneficiary and will terminate the agreement.

Verification Services. Agents typically offer services that verify the Deposit Material’s functionality, accessibility, or usability, and such services are offered at varying degrees of thoroughness. Verification services range from basic file list tests analyzing readability and file listing/classification, to full comprehensive usability tests, which may involve the Agent setting up an environment, installing and configuring the Deposit Material, and then running functional tests as necessary to confirm the Deposit Material is in an executable condition. Extensive verification services typically require a separate executed statement of work between the parties.

4. Conclusion

Utilizing a software escrow can be an effective means of ensuring business continuity in the event of a realized risk. Software escrow arrangements can be complex in nature and require careful structuring of release conditions, payment responsibilities, and other services as necessary. If you are contemplating a licensing agreement and are seeking further assurances of the future accessibility of the licensed product or service, consider a software escrow arrangement. Polsinelli attorneys are experienced in technology transactions and can help counsel and develop a protective software escrow arrangement for your deal.

[1] Katheryn A. Andersen & Jen C. Salyers, Source Code Escrow, § 21:1, available at http://www.bssdlaw.com/files/lbcs_source_code_escrow.pdf
[2] Source Code, Techopedia, https://www.techopedia.com/definition/547/source-code (last visited Apr. 4, 2018)
[3] EscrowTech, Software Escrow Fundamentals, When Should I Use a Software Escrow?, https://www.escrowtech.com/software-escrow.php#whatSoftwareEscrow (last visited Apr. 4, 2018)
[4] Id.
[5] Andersen & Salyers, supra note 1, at § 21:4.
[6] EscrowTech, supra note 4, Software Escrow Fundamentals, Types of Escrows.
[7] Nccgroup, Software Escrow Agreements, https://www.nccgroup.trust/us/our-services/software-escrow-and-verification/escrow-agreements/ (last visited Apr. 4, 2018)

Read More

FTC Encourages Vendor Contracts to Address Privacy and Security Risks

By: Greg Kratofil

Speaking at the National HIPAA Summit in Arlington, VA this past week (April 3, 2018), the Federal Trade Commission (FTC) highlighted the importance of healthcare providers having information security agreements in place with vendors.  “Companies need to have contracts in place to specifically address privacy and security”, said Molly Crawford, the Chief of Staff for the FTC’s privacy and identification division. 

Crawford further provided that new solutions for handling data are not governed by longstanding federal rules and statutes for healthcare privacy and security, including HIPAA.  While noting that the FTC works closely with the Department of Health and Human Services, “the FTC is the primary consumer protection agency” Crawford said and reinforced the role the FTC will play in protecting consumer data. 

Read More

Cyber Security Insurance: Nine Questions to Ask to Determine Your Exposure

By Kathryn T. Allen

There is an increased interest in cyber security insurance for businesses amid frequent news of computer hacking, network intrusions, data theft, and high-profile ransomware attacks. Since cyber security insurance is relatively new to the market, many companies lack a basic understanding of what their policy covers and what it may not.

Read More

Flu Shot Reminder Text Deemed "Health Care Message", TCPA Claim Dismissed

By: Zuzana S. Ikels

The Second Circuit recently addressed a matter of first impression, interpreting the scope and effect of the FCC’s Healthcare Exception from violations of the Telephone Consumer Protection Act (“TCPA”) to healthcare providers for contacting patients about their care. In Latner v. Mt. Sinai Health Center, the patient came for a routine visit and signed a written consent form containing his contact information and granted consent to Mt. Sinai to use his health information “for payment, treatment and hospital operations purposes.” Ten years later, the patient received a single text message reminding him to get an immunization shot. The plaintiff sued, asserting it violated the TCPA.

Read More

2018: A Cybersecurity Preview

By Reece Clark

As the world rings in 2018, privacy experts collectively brace for a new year of information security challenges. While ransomware, denial of service attacks, and endpoint security vulnerabilities will remain top of mind in 2018, new threats and risk factors will also emerge. Likewise, traditional hacking threats are likely to be more sophisticated in 2018, with new and more powerful hacking tools in the hands of bad actors. Businesses, consumers, and governments must remain vigilant in their information security posture as they face these new and diverse cybersecurity challenges. Polsinelli on Privacy looks at four areas of information security poised to make headlines in 2018.

Read More

Winter is Coming…and so is PSD2

By Reece Clark

Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.

Read More

Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"

By Rachel A. Rice

In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios. 

Read More

Privacy Shield Updates: Positive Joint Annual Review; Mandated Arbitral Fees

By Steven A. Hengeli, Jr.

The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward. 

The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield—with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights. 

Read More

WPA2 KRACK ATTACK

By Aaron M. Levine

Several news reports today sounded the alarm that the WPA2 protocol, currently the most popular method of securing Wi-Fi communications, is vulnerable to the “KRACK” attack. Despite the amusing name, this vulnerability is extremely serious. 

KRACK stands for Key Reinstallation Attack. In essence, this attack tricks Wi-Fi-enabled devices into reinstalling the “nonce,” which is a randomly generated, one-time numerical key used to encrypt communications between the targeted device and the router/gateway. Once the attacker has compromised this key, it can eavesdrop on the packets that are sent to and from the target device or, alternatively, it can forge packets to inject viruses or other malicious code onto a target machine.

Read More

Privacy-Class-Action-Plaintiffs' Emerging Litigation Strategy Avoids Arbitration

By Zuzana S. Ikels 

On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative privacy class action related to targeted advertising efforts on mobile devices.

In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have, previously, been directed at the webpage/content-providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.

Read More

The Potential of “Elastic Sensitivity” to Protect Privacy in Big Data Analytics

By Zuzana S. Ikels

Three University of California-Berkeley researchers have written a paper discussing the first “practical approach for differential privacy.” This new method, referred to as “Elastic Sensitivity,” excludes the components of tables in large data sets and big data databases that contain individual information from the other data before running the query. 

Read More

Congressional Task Force Issues Report on Cybersecurity in the Health Care Industry

By Zuzana S. Ikels

In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry. To view the report, click here.

The task force was created by Congress as part of the Cybersecurity Act of 2015, and is comprised of subject matter experts from the public and private sector that evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic healthcare records (“EHR”), and tailors the recommendations to encourage opportunities for efficiencies, research and sharing of information, while responding to the increasing threat of cybersecurity breaches to the health care providers’ technical infrastructure.

Read More

Largest Electoral Data Breach Exposes Personal Data of Nearly 200 Million U.S. Citizens

By: Amanda J. Katzenstein

In what is being described as the largest breach of U.S. electoral data, personal data relating to almost 200 million U.S. citizens was accidentally exposed by a Republican National Committee vendor. According to the BBC, the 1.1 terabytes of data exposed “includes birthdates, home addresses, telephone numbers and political views of nearly 62% of the entire US population.”

Read More

AlphaGo Beats The World’s Top Go Player

By Zuzana S. Ikels

Google/Alphabet’s new and improved artificial intelligence program, AlphaGo, just beat the best human player of the game Go as reported by Wired. Go was invented in China thousands of years ago, and it is considered the most complicated game in the world. AlphaGo is the newest version of Alphabet’s artificial intelligence program. According to Google’s DeepMind Lab, AlphaGo was completely redesigned and reconfigured so that the AI system would learn the game from playing the game against itself, as well as analyze the data of wins and losses by humans.

Read More

The Power of a Transparent and Broad Privacy Policy

By Zuzana Ikels and Erin Fleming Dunlap

The enforceability of privacy policies and consumer consent as to targeted advertisements related to medical or healthcare conditions is a hot-button topic in law and business. In Smith v. Facebook et al. (filed in March 2016), plaintiffs sought to test the boundaries. After a year of briefing and oral argument, Judge Edward Davila of the Northern District of California issued his order a few days ago. In a surprising twist, the Court dismissed the entire complaint without leave to amend. Polsinelli attorneys Zuzana S. Ikels and Erin Dunlap provided analysis and recommendations regarding the power of a transparent and broad privacy policy in an article published by Law360.

Read More

Texas Health System To Pay $2.4 M To Settle Potential HIPAA Violations For Disclosing Patient’s Protected Health Information to the Media and Public Officials

By Jean Marie R. Pechette and Thomas Kiser

The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) issued a May 10, 2017 press release stating that Memorial Hermann Health System, a Texas-based not-for-profit health system (“MHHS”), agreed to pay $2.4M and enter into a two-year corrective action plan (“CAP”) to settle potential HIPAA violations for alleged disclosure of protected health information (“PHI”) without the patient’s authorization. The CAP requires MHHS, among other things, to submit an implementation report and an annual report to HHS on MHHS’ compliance with the CAP.

Read More

Massive Global Ransomware Attack

By JJ Bollozos

A cybersecurity attack of global proportions...

As of this afternoon, cybersecurity company Avast reported a ransomware attack, known as WanaCrypt0r 2.0, has been detected over 57,000 times across 99 countries. Of note, the attack has allegedly infected a large telecommunications company in Spain, hospitals across England, and a shipping company based in the U.S., as well as other companies throughout the world. According to the New York Times, the ransomware was included in a compressed file sent via email that would infect a victim’s device once it was opened. 

Read More