FCGC Is Cheering On Client Shea Buckner As He Goes For Olympic Gold!

FCGC is cheering on client and fellow Trojan, Shea Buckner, as he and Team USA Water Polo go for Olympic Gold in London.  The USA Water Polo Team, led by Captain and friend of FCGC, Tony Azevedo, defeated Romania yesterday with a score of 10-8.  Earlier in the week, on Sunday, Team USA rallied past Montenegro 8-7.  To support the USA men’s team and stay up to date on their road to the Gold, please visit NBC’s Olympic Water Polo page.

Shea Buckner | London Olympics - USA Water Polo vs Romania

Team USA Women’s Water Polo player, Lauren Wenger, a former Trojan teammate of FCGC Founding Attorney, Tiffany A. Kahnen, will be giving her all in the pool as she and Team USA compete for the Gold.  Team USA defeated Hungary on Monday, 14-13.  Lauren Wenger played a great game and Team USA came out strong.  FCGC is cheering for you girls back home!  To support the USA women’s team and stay up to date on their road to the Gold, please visit NBC’s Olympic Water Polo page.

Lauren Wenger, of the United States, blocks a shot by Ildiko Toth, of Hungary.

FCGC would also like to wish our fellow Trojans, Trojan Teammates & Friends all our best as they compete for the Olympic Gold in London.  We are cheering for you back in the US every step of the way.

Good Luck!

  • Shea Buckner – US Men’s Water Polo
  • Tony Azevedo – US Men’s Water Polo
  • Lauren Wenger – US Women’s Water Polo
  • Kami Craig – US Women’s Water Polo
  • Amy Rodriguez – US Women’s Soccer
  • Ous Mellouli – US Men’s Swimming
  • April Ross – US Women’s Beach Volleyball
  • Aniko Pelle – Italy Women’s Water Polo
  • Sofia Konoukh – Russia Women’s Water Polo


Tiffany A. Kahnen is the Founding Corporate Attorney at Four Corners General Counsel.  FCGC provides corporate legal counsel at a Fixed Value Price, flat fee.  We work closely with each client to develop legal solutions custom tailored to fit their unique needs, at a predictable rate they can budget for.  We handle all aspects of corporate law, including contractual transactions, risk management & dispute resolution.


Privacy Implications of Facial Recognition Technology: Big Brother Has Something To Sell You

The Minority Report was Steven Spielberg’s vision for 2054.

We are 42 years ahead of schedule.

Facial Recognition and Facial Detection Technologies are the latest in consumer privacy concerns.  As the use of facial recognition/detection software becomes more prevalent throughout the technology we use daily, consumer privacy erodes, leaving little actual ‘privacy’ at the core.  As a clear facial recognition profile is compiled on an individual over repeated data points, data accretion enables an identified facial profile to be associated with content about the individual such as photos, blog posts, travel patterns, shopper profiles and even social security numbers.  There is a threat that credit scores and credit cards will soon be linked.  The following is a primer from the recent presentation I gave at the University of Southern California (USC), discussing the ‘Privacy Implications Surrounding Facial Recognition/Detection Technologies.’  It will explain the difference between Facial Recognition and Facial Detection Technologies, address growing privacy concerns & outline guidelines companies should employ when using Facial Recognition or Facial Detection Technologies.

Facial Detection Technology vs. Facial Recognition Technology

Facial Detection Technology uses someone’s facial characteristics to determine certain general characteristics about that person, such as age range and gender, but isn’t focused on actually identifying who that individual is.  Facial Recognition Technology, by contrast, can detect specific facial features which can be used to actually identify an individual across systems and photos.

Facial Detection Technology

One company employing Facial Detection Technology is SceneTap:

Another is Intel’s Aim Suite:

In addition to gender and age statistics, Intel Aim Suite may also tell the advertiser how far the viewer is from the sensor and how long the viewer engaged with the advertisement.  With Intel Aim Suite, no images are recorded, no images are stored & no identities are tied to the recognition.

Facial Recognition Technology

Facial Recognition Technology can detect specific facial features which can be used to identify an individual across systems and photos.  Images and unique facial features are saved. Digital signage targeting ads are currently using such technology, as are social networking websites such as Facebook, Face.com and Google Plus.  Soon, Facial Recognition Technology will be coming to smartphones via apps, as most of the major operating systems currently support Facial Recognition Software.

Facebook licensed technology from face.com and widely uses Facial Recognition Technology:

  • Apple acquired Polar Rose and uses Facial Recognition Technology in iPhoto.
  • Microsoft has launched Facial Recognition Technology in Kinect.
  • Google has acquired PittPatt and others and deployed Facial Recognition Software in Picasa.
  • Intel has proposed to use Facial Recognition Software in a Virtual TV Service brought into consumers’ living rooms.

Emotional Recognition Technology

Emotional Recognition Technology analyzes a consumer’s emotions via emotion sensing technology and images of consumers’ faces.

Affective Interfaces, Inc.

Affective Interfaces technology analyzes consumers’ emotions in real time.  It can be used in advertisements, video games, web applications and more.

Overarching Privacy Interest

Below are a few of the overarching privacy interests:

  • Facial Recognition Technology can identify an individual based purely on facial features alone – with that you can pull associated content about the individual such as photos, blog posts, travel patterns, social security numbers and shopper profiles.  There is a threat that credit scores and credit cards will soon be linked.  As data converges over systems and becomes linked, privacy will erode and intimate details will be linked to your facial data points.
  • Facial Detection has less of a privacy impact; however, transparency is of the utmost concern.  Companies who use facial detection should be transparent about its use.
  • Consumers have consistently rejected tracking for marketing purposes even on an anonymous basis.  Businesses have a strong interest in being transparent, because not doing so will sensationalize the issue and lead to backlash.
  • Currently, there are no laws that address Facial Recognition or Facial Detection Technology, with the exception of Illinois.

Strong Argument To Be Made:  Consumers are walking around in public without obstructing their face.

Benefits of Facial Detection Technology:

  • You may get more relevant information
  • You may get real time discounts or promotional codes

Guidelines for Digital Signage & Use of Facial Recognition/Detection Software

Currently, the Digital Signage Federation Privacy Standards are viewed by the FTC as best practice and guidelines to be followed with regard to the use of Facial Recognition and Detection.  The full DSF guidelines can be found here.  The following highlights the practices that should be implemented when facial recognition or detection software is in use.

Layered Notice

  • Privacy policy available on website of the owner of the device;
  • Owner of the location at which the device appears has a privacy policy;
  • Notice on the device itself – a physical card on the sign – clearly notifying consumers that facial recognition/detection is ongoing and of the purposes their data will be used for;
  • Notice at the perimeter of the area where the device is located;

Consent

  • Facial Detection should be governed by consumer opt-out practice.  Upon notice, the consumer can opt to not shop at the establishment.
  • Facial Recognition should be governed by consumer opt-in practice.
  • Various methods of structuring an opt-in, however it must be informed and should be specific opt-in to a particular area.

Accountability

  • Self regulation by corporations & enforcement via FTC & AGs.

*  Such technology should not be placed in areas where people have a direct expectation of privacy such as bathrooms, locker rooms, HIPAA areas (i.e. pharmacies) and dressing rooms.

What about facial recognition/detection and minors?  Guideline – Data on minors under the age of 13 must be deleted immediately.

Privacy Concerns & Data Security

  • Security of retained images, if any; data security is a major concern;
  • Cloud Computing; are these images stored in the cloud?;
  • Encryption; What level of encryption is being used?;
  • 3rd party audits of procedures within the biometric identification industry;
  • Data Accretion – Combining Data Sets – The ability to match identified facial profiles with associated content about the individual such as photos, blog posts, travel patterns, social security numbers and shopper profiles.  Currently, matching anonymous internet dating profiles with public social and professional networking sites (e.g. Facebook & LinkedIn) successfully identifies 30% of profiles that would otherwise be anonymous.

Slide Credit: Alessandro Acquisti – Carnegie Mellon

Administrative Governance

FTC’s Mission: To protect the nation’s consumers as we navigate the market and protect competition as it shapes the economy.  The FTC walks a fine line between encouraging innovative technologies & preserving consumers’ privacy.

Discussion:

As a company employing these technologies, what are you doing to create consumer transparency and prevent administrative actions by the FTC & AG as use continues?

  • How do you as a consumer feel about this technology?
  • Think about your political beliefs…what about facial recognition at political events?
  • Ethnicity targeting?
  • Real time surveillance?
  • How do we strike a balance? How do you define what is creepy and what is not?



Tiffany A. Kahnen Will Speak Today At USC on Business Law & The Privacy Concerns Surrounding Biometric Identification and Facial Recognition Technology

Tiffany A. Kahnen, founding attorney of FCGC, has been invited to speak today at USC Marshall. She will be presenting on Business Law & The Privacy Concerns Surrounding Biometric Identification and Facial Recognition Technology.

Please check back for a recap of her presentation, as her presentation materials will be made available.


FCGC CLIENT NEWS: Nimble Announces $1M Raise From Google, Mark Cuban & Others

Four Corners General Counsel Client, Nimble, announces $1M Raise from noteworthy investors Google, Mark Cuban, Jason Calacanis, Don Dodge, Dharmesh Shah and others. Nimble is positioned to revolutionize the Customer Relationship Management (CRM) industry.  To date, Nimble has surpassed significant milestones, including global expansion.  Below, please find the Nimble press release detailing the transaction:

Santa Monica, CA – Jan. 5, 2012 – Nimble, the award-winning social business platform, today announced it has capped a successful initial launch year, resulting in $1 million in funding from Google Ventures and angel investors including Dallas Mavericks owner Mark Cuban, Jason Calacanis, Don Dodge, Dharmesh Shah, and others.  To date, Nimble has achieved significant growth milestones, including global expansion and market penetration in Europe and Asia Pacific with more than 25,000 users, 2,700 companies supported by 250 solution partners.

“The year 2011 has been a landmark year for Nimble,” said Jon Ferrara, CEO, Nimble.  “When we introduced Nimble, we promised our customers a new way of doing social business by empowering them to listen, engage, embrace, enchant, and grow their customer relationships.  We delivered on that promise with a revolutionary CRM platform where small- to medium-sized businesses can easily transform their social communities into customers for life.”  Nimble has garnered numerous industry awards including the “DEMO GOD” award, PC Magazine’s Editors’ Choice Award, Gartner Cool Vendor recognition for the Social Software & Collaboration category, and has been named a “Company to Watch” on Paul Greenberg’s “2011 CRM Watch List” published by ZDNet.  The company has been a Finalist for Red Herring’s Top 100 Global award and a “Finalist” on the “2012 CRM Watch List.”

“I’m excited to be part of the Nimble team,” added Mark Cuban, investor.  “I think their CRM service is one of the best tools any small to medium size business that wants to increase sales and productivity can have at their disposal.”

“Some companies are trying to bring business applications to the web or leverage cloud infrastructure. Others add social or mobile features to existing applications as discrete capabilities,” said Don Dodge, angel investor.  “Nimble started fresh and took the best of CRM, social media, and cloud infrastructure, and built it into a powerful social business platform.”

Nimble’s Vision – Life Is Social, Business Is Social

Nimble, created by CRM visionary and GoldMine co-founder Jon Ferrara, is the only solution that empowers small businesses in today’s socially connected world to collaborate more efficiently, and to listen and engage with their community to attract and retain the right customers.  According to Gartner, the Social CRM market will exceed $1 billion worldwide by 2013, and small businesses especially are looking for ways to optimize social networking for their business needs. Nimble’s core vision is that not only is life social, but business is social.

“The tools we use for connections and interactions with business and friends and the way we communicate are at a crossroads,” Ferrara said.  “Nimble is a revolution and an evolution in the way we do business, by empowering businesses to engage, nurture and grow customers and companies in the social customer age.”

Nimble is establishing itself as a leading Social Relationship Manager by:
● Bringing Social Relationship Management and Collaboration to an entire company
● Extending Nimble’s Social Business platform with Sales and Marketing functionality
● Delivering on a Social Business strategy with true competitive business advantages

About Nimble

Since its initial launch, Nimble has quickly established itself as a leading Social Relationship Manager.  Publications around the world have recognized Nimble as a revolutionary Social Business solution.  The platform was awarded PC Magazine “Editors’ Choice” as well as the coveted “DEMO God” award from a field of hundreds of start-up contenders.  It has also been recognized by leading analyst firm, Gartner, as a “Cool Vendor” for Social Software and Collaboration and placed on “The CRM Watchlist 2011” by Social CRM expert and best-selling author, Paul Greenberg.

Nimble was founded in 2009 to help small businesses transform their communities into business opportunities.  Nimble opens a whole new channel for businesses to engage customers in a two-way dialogue, leveraging the power of traditional CRM and social media with its web-based social CRM platform.  Located in Santa Monica, Nimble is in the heart of the Southern California tech community. Please join the conversation on Nimble’s Facebook page at www.facebook.com/nimble, LinkedIn and on Twitter @nimble.

About Jon Ferrara, CEO, Nimble

A social entrepreneur at heart, Jon Ferrara founded GoldMine Software in 1989 where he served as the executive vice president of the company until it was sold in 2000.  GoldMine is one of the best selling CRM products that helped pioneer the entire Sales Force Automation (SFA) and Customer Relationship Management (CRM) market.  During this time, Ferrara was awarded the Ernst and Young Entrepreneur of the Year Award while GoldMine was named PC Magazine’s Editor’s Choice in 1993 and again in 1995, 1996 and 1997.  After selling GoldMine and watching the immense rise in power social media was experiencing, Ferrara entered the start up world again when he noticed a distinct lack of any products that effectively combined Relationship Management, Social Listening and Engagement, and Collaboration with Sales and Marketing.  In 2009, Jon founded Nimble to create an extensive Social Business platform to fill this gap.

About Google Ventures

Google Ventures is the venture capital arm of Google Inc. We seek to discover and help develop great companies, and believe in the power of entrepreneurs to do amazing things.  Our investments range from seed to late stage, across a broad range of industries, including consumer Internet, digital media, software, hardware, and biotechnology.  We embrace the challenge of helping young companies grow from the proverbial garage to global relevance. For more information, visit www.googleventures.com.


Tiffany A. Kahnen of Four Corners General Counsel serves as outside corporate counsel for Nimble.


Contracts In The Hospitality Industry: A Business Primer

The landscape of the hospitality industry is heavily influenced by contractual obligations.  Having a strong understanding of your contractual relationships will allow you to make more informed decisions regarding your liabilities and risks, while enabling you to capitalize on your opportunities.

Below are some key nuggets to bear in mind when creating a contractual relationship:

  • Be sure to perform adequate due diligence in selecting a vendor;  Do not hesitate to ask for a list of references and determine whether that vendor utilizes other outside independent contractors to perform its scope of work;
  • Ensure the vendor is properly licensed, insured and/or bonded;  Be sure your contract speaks to any assumption of the risks or limitations of liability;
  • Do not hesitate to negotiate your terms; Find a piece of common ground between you and the opposite party, even if only a personal commonality.  Common ground often builds a bridge to more open and fruitful discussions;
  • Do not necessarily acquiesce to use of the vendor’s form contract.  Form contracts are generally ambiguous and fail to provide you with the adequate protections necessary, should a dispute arise;
  • Secure the right to audit the vendor’s books, as it pertains to the scope of work delineated by the contract;
  • Include thorough and clear termination provisions and procedures in the contract.  Be sure the contract speaks to term renewals and procedures for handling disputes;
  • Ensure the contract adequately addresses the exchange of confidential information including access codes and security codes, non-solicitation provisions and non-competition provisions where applicable.  Be sure your contract includes injunctive relief as a remedy for such breaches;
  • Secure a strong indemnification policy for the acts and omissions of any vendor, their officers & directors or any of their agents.  Be careful: Some indemnity provisions speak not only to an actual third party claim, but also include indemnification for ‘threatened’ or ‘potential’ third party claims.   Determine whether a broad sweeping indemnification clause including ‘threatened’ or ‘potential’ third party claims is suitable for your needs.  Bear in mind most indemnification provisions are mutual;
  • Ensure proper protections are included within the contract to protect ownership and use of your intellectual property, granting only a limited license where necessary;
  • Ensure any intellectual property created by a vendor is contractually recognized as a ‘work for hire’ and owned by your company.  Absent this provision, the vendor would retain rights in the intellectual property they created;
  • Ensure proper data security measures are addressed in your contracts.  Ensure the vendor adheres to their company’s privacy policy and be sure to delineate any standard of care to be exercised in handling your data;
  • Clearly delineate any performance standards for the scope of work addressed in the contract;
  • Always consult a corporate attorney to review, negotiate and draft any contracts to be executed.


EPSILON ‘MASSIVE’ DATA BREACH: THE QUICK & DIRTY ON DATA BREACHES

Data in possession of email marketing leader Epsilon has been compromised.  Epsilon Marketing holds close to 2,500 brand clients, according to Security Week, including seven of the Fortune 10 giants.  The compromise was initially disclosed late Friday and reports of affected companies have continued to trickle in.   Companies’ Written Information Security Plans (WISP) are actively in effect, launching notification to consumers of the data breach, the extent of information compromised and of any possible complications that may arise as a result of the breach.  Known companies that have been affected by Epsilon’s breach are:

  • TiVo
  • Kroger
  • Brookstone
  • Capital One
  • US Bank
  • Walgreens
  • JP Morgan Chase
  • New York & Co.
  • The College Board
  • Citi
  • Home Shopping Network
  • McKinsey & Co.
  • Ritz Carlton Rewards
  • Marriott Rewards

Epsilon has attempted to calm fears by notifying the companies that the only data compromised was names and emails; however, the real threat will come in the form of phishing emails that will be specifically targeted to consumers.  Please be aware of such phishing emails.

The real questions at hand are: How do these breaches occur? What are the consequences for such a breach? How can we effectively prevent a breach in security or mitigate the risks associated with a data breach?

How do these breaches occur?

Companies often turn to third party vendors to fulfill their direct marketing needs.  In doing so, certain risks are assumed.  Companies aim to implement contractual relationships which mandate safeguards, certain levels of security and response programs in the instance of a breach.  From a marketing standpoint, strategically speaking, it would be in a company’s best interest to have a third party vendor who has invested a considerable amount of time, effort and money to hone their craft perform the very technical function of direct mail marketing.  That standpoint, however, disregards the cautions of risk management.

Without in-house direct marketing departments, certain risks are assumed when your company’s data is in the care of a third party.  That vendor may, in violation of their contractual obligations, fail to safeguard the data with proper firewalls, proper levels of encryption and limited access.  Often, the independent contractors that the third party vendor works with are not held to the same level of confidentiality or security.  Data breaches may occur during a ‘data scrubbing’ process, where the data was released to a third party vendor for ‘scrubbing’ and was not adequately encrypted.  Often data is sent overseas for ‘scrubbing’, which may further expose the data to compromise.  The physical location of the data has a great bearing on the applicable law.

Often, direct marketing agencies use third party publishers to perform various marketing campaigns.  Without an exclusive relationship or a role as an in-house publisher, the direct marketing agencies often lose control over the actual activities of the third party publishers.  Given the necessity for control in preventing a data breach, the further outsourced direct marketing activities become, the larger the risk of a potential data breach.

What are the consequences of such a breach?

The average cost of a corporate data breach is $7.2 million. (Symantec)

Corporate liability for data breaches is a continually evolving realm.  A company that engages in the practice of collecting and storing Personally Identifiable Information (PII) also has the legal responsibility to take steps to properly secure or dispose of that data.  The Federal Trade Commission (FTC) is responsible for the enforcement of the rules and laws surrounding data security and the protection of individual data privacy.  Upon reasonable cause, the FTC may launch an investigation into the data security and privacy practices of one or more companies, imposing hefty fines and pursuing litigation.  Most recently, Google was the target of a widely publicized FTC complaint accusing Google of utilizing users’ data in a manner inconsistent with Google’s privacy policy.  Google has reached a settlement with the FTC, one which imposes an annual privacy audit for 20 years as well as the mandatory implementation of a privacy program.  In addition to the FTC, the Attorney General has the authority to launch investigations and administrative complaints against entities who fail to properly secure consumers’ PII.  Most recently, the Massachusetts Attorney General settled its allegations against the Briar Group.

Massachusetts state law is the most aggressive and inclusive state privacy law developed to date.  Massachusetts state privacy law reaches not only nationally, but internationally.  Effective March 1, 2010, the Massachusetts state law “appl[ies] to all persons that own or license personal information about a resident of the Commonwealth [of Massachusetts].” 201 CMR 17.00.  The law takes an aggressive approach to data security and prevention, requiring each company to, in addition to other regulations, implement a Written Information Security Plan (WISP) outlining the scope of a company’s business, the type of data utilized, the proper safeguards in place to prevent a breach and the action responses and plan to mitigate damage in the event of a breach.  Companies across America that are failing to implement such a plan are placing themselves at serious risk.  The Massachusetts Attorney General is responsible for the enforcement of this law and has noted that enforcement will not be contained merely to data breaches; investigations will also be launched into companies which the Attorney General has been notified are not compliant.  [READ: Angry employees may tip off the Attorney General to such non-compliance.]

In addition to penalties, fines and damages imposed by administrative bodies, private civil actions may also be sought against the company. California does recognize the right of private action in regards to data breaches.

To analyze your company’s data breach risk, consult the Ponemon Institute Data Breach Risk Calculator.

How can we effectively prevent a breach in security or mitigate the risks associated with a data breach?

Data breaches and privacy concerns do not only affect large scale companies.  Small to mid-size businesses who store and utilize PII must invest in implementing proper safeguards and infrastructure to minimize their liability and mitigate the damage caused in the event of a breach.  To effectively prevent possible data breaches or, at the least, to mitigate the damage from a breach, proper planning and infrastructure must be implemented and well settled.

Third party contractual relationships should:

  • Impose a strong duty of confidentiality with ex parte injunctive relief as a remedy for breach;
  • Create a duty to impose certain security levels within a company;
  • Impose a warranty that the vendor is in compliance with their posted privacy policy;
  • Ensure any marketing practices are in compliance with all applicable local, administrative, state and federal rules and regulations, including but not limited to the Gramm-Leach-Bliley Act and CAN-SPAM Act;
  • Ensure complete encryption of all data;
  • Ensure proper firewalls, employee security, password protection, server protection etc.;
  • Impose restrictions on the geographical location of the data or state the location of the data;
  • Limit the number of additional third party consultants or independent contractors who will have access to the data;
  • Outline restrictions and safeguards to be extended to any other third parties working with the data;
  • Outline and approve who is responsible for any data ‘scrubbing’;
  • Include a right to audit the third party’s procedures for handling data and security integrity;
  • Mandate an annual review to determine any necessary upgrades in security measures to maintain data integrity.

Other safeguards to minimize such risk are:

  • Implementation of a Written Information Security Plan;
  • Implementation of a Security Breach Response Plan to be activated in the event of a data breach;
  • Implementation of ongoing employee training (i.e. seminars, handbooks, newsletters) for both full-time and temporary/contract employees;
  • Strict employment contracts outlining employees’ obligation to ensure data security and imposing restrictions on various activities in an effort to maintain security (i.e. a ban on external storage devices);
  • Implementation of an infrastructure for detecting and preventing system failures;
  • Maintaining a strict policy on the exit of terminated employees and their access to PII;
  • Development of an internal privacy/security program with employee enforcement for violations;
  • Limitation and/or restriction to physical access to any data or PII by employees.

Technical safeguards to minimize such risk are:

  • Encryption of all transmitted files and records containing PII;
  • Reasonable monitoring of systems for unauthorized use;
  • Secure user authentication protocols;
  • Secure user IDs and a reasonably secure method of selecting/accepting passwords;
  • Control of data security passwords to ensure passwords are kept in a place and manner that does not compromise their security;
  • Use of unique identifiers, such as biometrics or retina scans, for access to highly sensitive data;
  • Restricted access to data and systems containing PII to those who need to have access to carry out their job function;
  • Encryption of all personal information (PII) stored on laptops or individual storage devices (e.g. BlackBerrys, portable hard drives, flash drives);
  • Continual updates of aggressive firewalls and technical infrastructure to protect from external intrusion;
  • Up-to-date operating system security patches and system security agent software, including malware protection and virus protection;
  • Blocking of users who have repeatedly failed to properly authenticate their credentials from accessing PII or other secured data.

The cost of data breaches is only going to gain velocity and become increasingly more expensive.  As we continue to see growth in technology, we will continue to see privacy breaches and data security concerns rise to the forefront.  The FTC has not only pledged to continue to vigilantly enforce the rules and laws concerning privacy and data security, but is gaining momentum in a more aggressive approach to enforcement.

Consult with your internet privacy counsel to receive advisory on your risks, liabilities and the potential safeguards you could implement to better protect your business.
