GDPR Compliance: Common Misconceptions

The European Union’s General Data Protection Regulation (GDPR) has multiple levels of provisions that can be complicated for organizations that require a consumer’s consent to process their data. In an interview with Marianne Kolbasuk McGee of Bank Info Security, Elizabeth (Liz) Harding, shareholder in Polsinelli’s Tech Transitions and Data Privacy practice, weighs in on the common misconceptions of GDPR compliance and regulatory changes.

Read More

California Takes the Lead in Regulating the Internet of Things

By: Randall Stempler

After recently enacting the broadest United States privacy law, the California Consumer Privacy Act of 2018, California took the lead once again by enacting a law for the “Security of Connected Devices,” commonly known as the Internet of Things. Both laws will become effective on January 1, 2020.

Read More

U.K. Information Commissioner’s Office Intends to Impose Fine on Facebook

By: Allison Trimble

The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent).  The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent. 

Read More

Don’t be a Dummy – FTC Warns against Inadequate Security Controls in “Dummy” (Non-Production) Environments

By: Allison R. Trimble

The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices. 

Read More
By: Reece Clark

Software escrow arrangements are gaining increasing importance in complex technology deals. Software escrows can be an effective way to mitigate certain future risks involving the licensing of commercial software, a SaaS service, or some other technology product. The application of escrow principles to technology deals comes with unique considerations for parties seeking such services. This article explores basic software escrow principles and best practices.

1. What is a Software Escrow?

In typical off-the-shelf purchases of software, only object code (i.e., executable code) is licensed out to the end user. [1] In commercial licensing deals, however, the licensee may have a legitimate interest in both object code and source code. Accessing source code allows the licensee to see how the software is processing data or performing functions, and can even allow the licensee to change the operation of the software. [2] The licensor is usually hesitant to grant rights to source code, as it represents a key piece of intellectual property. To compromise, the parties may choose to enter a software escrow arrangement.

The software escrow allows the licensor (“Depositor”) to deposit its source code, associated build/deployment documentation, and/or other proprietary technology as needed (the “Deposit Material”) with an escrow agent (“Agent”) for the benefit of the licensee (“Beneficiary”). In the event certain pre-defined conditions are met (each, a “Release Condition”), the Agent will release the Deposit Material to the Beneficiary. In this way, a licensee acquires the protection it is looking for without requiring the licensor to directly convey intellectual property rights.

2. When is a Software Escrow Needed?

Software escrow arrangements can be expensive and are not right for every deal. [3] As a result, it is important to make a fact-based determination as to whether a software escrow should be built into a particular contract.

While every deal is different, there are several factors which a party may consider in determining whether a software escrow is needed. Some of these include [4]:

Whether the licensor is signaling:
- Financial instability;
- Declining business forecast;
- Discontinuation of software maintenance and support;
- Infrequency of software updates; or
- Risk of future breach of contract.

Whether the licensed software is:
- Critical to licensee’s business growth;
- Difficult to acquire through competitor products;
- Touching or affecting key stakeholders of licensee;
- Necessary for licensee’s business continuity preparation or operations; or
- Offered by an unestablished vendor.

After evaluating the above factors, if the parties believe the benefits of having the Deposit Material safely stored with a neutral third party outweigh the costs, then a software escrow may be a prudent measure.

3. How Does a Software Escrow Work?

In principle, a software escrow functions in the same way as any other escrow arrangement. After determining that a software escrow is desirable, the parties execute an escrow agreement with an Agent. Escrow agreements will vary depending on the Agent’s scope of engagement and suite of value-added verification services, but the core responsibilities of the parties should remain fairly consistent and are substantially as follows:

Depositor
- Makes initial deposit of Deposit Material.
- Agrees to release updates as necessary to Deposit Material during the term.
- Gives market representations and warranties regarding the Deposit Material.

Beneficiary
- Monitors compliance between the Depositor and Agent during the term.
- Requests additional verification services for Deposit Material as needed.

Agent
- Receives Deposit Material and confirms receipt to Beneficiary.
- Offers additional verification services upon request.
- Holds and controls Deposit Material until Release Conditions are met.

In addition to the above responsibilities, the following terms are unique to software escrow agreements and should be defined between the parties:

Deposit Material Description. The Deposit Material should be adequately described in the escrow agreement, and the actual Deposit Material should match the description. A market example of such a description is as follows: “the computer program expressed in a source code language consisting of a full source language statement of the program the software is comprised of and all related compiler command files, build scripts, complete maintenance documentation, application programming interfaces, graphical user interfaces, schematic diagrams and annotations which comprise the pre-coding detail design specification, and all other material necessary to allow a reasonably skilled programmer to maintain and enhance the software without the assistance of the licensor.” [5]

Type of Escrow Arrangement. While a software escrow is most common, some Agents have the capacity to manage different types of escrow arrangements. Other types of escrow arrangements include: (1) technology escrows, holding items of physical technology such as encryption keys or prototypes; (2) SaaS escrows, involving the components necessary to ensure a SaaS product remains viable, such as code, virtual machines, data, and other key components of the SaaS service; and (3) domain escrows, holding a website domain name. [6]

Single Beneficiary vs. Multi-Beneficiary. [7] A single beneficiary agreement is a standard three-party agreement that designates the Beneficiary as the receiver of the Deposit Materials upon a Release Condition. A multi-beneficiary agreement involves multiple receivers of Deposit Materials. This type of agreement may be complex, separating the software escrow into projects or releases and designating certain Beneficiaries to receive different Deposit Materials based on the identity of the Beneficiary and/or which project or release the Beneficiary is logically tied to.

Designation of Paying Party. Either the Depositor or the Beneficiary, or some combination of both, may be designated as the paying party. There are usually two key payments to be made: the setup fee and an annual fee. Some strategic considerations on where the cost should be placed may be found here, and a sample fee schedule of the costs associated with a software escrow may be found here. Expect additional verification services to substantially increase the cost of the escrow arrangement.

Defined Release Conditions. These conditions will vary from deal to deal. Typically, they will revolve around (i) the Depositor’s financial condition, triggering if, for example, the Depositor enters voluntary or involuntary bankruptcy, or (ii) the happening of a future event or condition, such as the Depositor failing to function as a going concern or to operate in the ordinary course. Upon the occurrence of a Release Condition, the Depositor will be given a notice period to contest whether the Release Condition has actually occurred. If the Depositor fails to timely contest, the Agent will release the Deposit Material to the Beneficiary and will terminate the agreement.

Verification Services. Agents typically offer services that verify the Deposit Material’s functionality, accessibility, or usability, and such services are offered at varying degrees of thoroughness. Verification services range from basic file list tests analyzing readability and file listing/classification, to full comprehensive usability tests, which may involve the Agent setting up an environment, installing and configuring the Deposit Material, and then running functional tests as necessary to confirm the Deposit Material is in an executable condition. Extensive verification services typically require a separate executed statement of work between the parties.

4. Conclusion

Utilizing a software escrow can be an effective means of ensuring business continuity in the event of a realized risk. Software escrow arrangements can be complex in nature and require careful structuring of release conditions, payment responsibilities, and other services as necessary. If you are contemplating a licensing agreement and are seeking further assurances of the future accessibility of the licensed product or service, consider a software escrow arrangement. Polsinelli attorneys are experienced in technology transactions and can help counsel and develop a protective software escrow arrangement for your deal.

[1] Katheryn A. Andersen & Jen C. Salyers, Source Code Escrow, § 21:1, available at http://www.bssdlaw.com/files/lbcs_source_code_escrow.pdf.
[2] Source Code, Techopedia, https://www.techopedia.com/definition/547/source-code (last visited Apr. 4, 2018).
[3] EscrowTech, Software Escrow Fundamentals: When Should I Use a Software Escrow?, https://www.escrowtech.com/software-escrow.php#whatSoftwareEscrow (last visited Apr. 4, 2018).
[4] Id.
[5] Andersen & Salyers, supra note 1, at § 21:4.
[6] EscrowTech, supra note 4, Software Escrow Fundamentals: Types of Escrows.
[7] NCC Group, Software Escrow Agreements, https://www.nccgroup.trust/us/our-services/software-escrow-and-verification/escrow-agreements/ (last visited Apr. 4, 2018).

Read More

Guidance from the FTC says “Don’t Worry: It’s Just a Phrase"

By Rachel A. Rice

In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios. 

Read More

Privacy-Class-Action-Plaintiffs' Emerging Litigation Strategy Avoids Arbitration

By Zuzana S. Ikels 

On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative privacy class action related to targeted advertising efforts on mobile devices.

In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have, previously, been directed at the webpage/content-providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.

Read More

Privacy and Data Security: 2017 Year in Preview

Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.  

As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.

Read More

As the GDPR Compliance Date Looms, Risks and Budgets Grow in Tandem

By Jean Marie R. Pechette and Daniel L. Farris

As the May 2018 effective date of the General Data Protection Regulation (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.

Read More

OCR Provides New BA Guidance to Cloud Providers

By Lisa J. Acevedo, Lisa S. Katz, Rebecca Frigy Romine, Kathleen D. Kenney, Lindsay R. Dailey, and Erin Fleming Dunlap

In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules, through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).

OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have continued to debate for quite some time - whether a CSP is a business associate if the Protected Health Information (PHI) that is stored in its cloud is encrypted and the CSP does not possess the encryption key.

Read More

As Grace Period Ends, Burst of Privacy Shield Applications May Decrease

By Amanda J. Katzenstein

More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the pace is expected to slow after October 1, 2016 because the compliance obligations increase after the deadline.

Read More

European Commission Approves Privacy Shield, Ushering in ‘Safe Harbor 2.0’

By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris

For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived.  The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers. 

Read More

Recent Enforcement Action Shows Business Associates Are Not Off the Hook

By Rebecca Frigy Romine, Erin Fleming Dunlap, and Lindsay R. Dailey

Despite the fact that Business Associates have been directly subject to and liable under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010 (the effective date of the relevant provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act), the Department of Health & Human Services, Office for Civil Rights (OCR), announced last Thursday, June 30, 2016, that it has entered into its first resolution agreement with a HIPAA Business Associate.

Read More

Brexit & Privacy: Keep Calm and Carry On

By Daniel L. Farris

As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.  

There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.  

Read More

Data Security Violations Found by the Consumer Financial Protection Bureau Against Payment Processor Dwolla, Inc.

By Mary Kathryn Curry

Dwolla, Inc., a company that claims to offer secure, ready-to-use payment tools that simplify how people send or receive money from anyone in the U.S., has been hit with a $100,000 penalty and an annual data-security audit compliance plan. Dwolla, based in Des Moines, Iowa, has collected and stored sensitive personal information from consumers since 2009, such as address, date of birth, telephone number and Social Security number. In addition, consumers provide their bank account and routing number to link their bank accounts to their Dwolla account. Dwolla has approximately 653,000 members and transfers as much as $5,000 per day.

Read More

FTC Issues Warning to Application Developers

By Zuzana S. Ikels

A few days ago, the Federal Trade Commission issued warning letters to 12 application developers because the apps use the Silverpush software. According to the FTC, Silverpush is designed to monitor a user’s television use regardless of whether the user is actively using the particular app, enabling it to provide a detailed record of the consumer’s television use for the purpose of marketing analytics and targeted advertising. The FTC instructed the app developers to notify consumers if the software is being used in the U.S., which Silverpush claims it is not.

Read More

New US-EU ‘Privacy Shield’ Will Impose Heightened Compliance Obligations on US Companies

By Dov H. Scherzer and Daniel L. Farris

The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.  

Read More

When a “Consumer” is not a “Subscriber”– The Eleventh Circuit Court of Appeals Limits the Application of VPPA to Free Mobile Applications

By Zuzana S. Ikels

Last Friday, the Eleventh Circuit addressed a question of first impression at the appellate level – namely, when is a user of a free mobile application a “subscriber” under the Video Privacy Protection Act (“VPPA”). In Ellis v. the Cartoon Network, Plaintiff downloaded defendant Cartoon Network’s free mobile app to watch video clips and shows. Without plaintiff’s knowledge or consent, the app monitored and tracked his viewing habits. The app did not collect plaintiff’s name or other contact or financial information; rather, it tracked him based upon a unique numeric identifier associated with his device. The information was then shared with third-party marketing companies. Plaintiff filed a putative class action alleging the app violated VPPA. VPPA prohibits video providers from disclosing the personal information of a “consumer” to a third party without prior consent, assessing a $2,500 statutory penalty per violation.

Read More

What’s Next? Article 29 Working Party Issues an Initial Statement in Wake of ECJ Schrems Decision

By Mary Kathryn Curry & Dov H. Scherzer

The fallout from the EU Court of Justice (ECJ) Schrems decision invalidating the Safe Harbor continues.

As posted earlier this month, the national Data Protection Authorities (DPAs) from across the EU met under the auspices of the Article 29 Working Party (Working Party) to discuss the consequences to be drawn from the ECJ’s ruling. 

Read More

Cybersecurity Startups Attract $1.2 Billion in Funding in First Half of 2015

By Daniel L. Farris

The seemingly unending reports of high profile data breaches have been a boon for privacy and data security startups, the Wall Street Journal recently reported.  Venture firms have invested $1.2 billion in cybersecurity startups through the first half of 2015. 

All of this investment makes privacy and data security big business, and demonstrates the importance that cybersecurity will have to economic growth going forward.  The investments, however, demonstrate something else – risk.  Not just the risk that investors in startup companies will have, but the increased risks established organizations will have in selecting good vendors to secure their products and services. 

Read More