The continued adoption of cloud computing tools, like web-based email, cloud data storage, and hosted software services, means that important communications will often be maintained by third-party electronic service providers rather than the author of the communication.  During litigation, if a party suspects that the other side used a cloud-based service to communicate about the subject of the dispute, the party needs to figure out the best way to acquire the communication.  The answer may seem simple: the electronic service provider is a non-party in possession of relevant documents – so just serve a third party subpoena requesting the documents.  After all, the service provider might produce a stockpile of valuable communications, and the requesting party can avoid the headaches of fighting with the opposing side over issues of relevance, responsiveness, or privilege.  If the service provider resists, the requesting party can always invoke the power of the court to enforce the subpoena.

But not so fast – some may argue that the Stored Communications Act (“SCA”) puts all of those great cloud-stored communications beyond the reach of a non-party subpoena, and, even worse, serving such a subpoena could lead to some serious and expensive discovery disputes with the opposing side.

[Read more →]

No, the title is not meant to imply a post about the privacy implications of mobile medical apps for psychotherapy. Instead, we’re taking a look at how the government acts at cross-purposes to itself when it comes to the oh-so-slow development of rules for new technologies and markets. The last few weeks have seen a couple of remarkable announcements, one from the FTC about digital advertising disclaimkers and one from the SEC about corporate financial disclosures. Both were presented by the agencies as ways to enable use of social media by corporations — but instead just make things much harder, if not totally impracticable.

Two weeks ago, the Federal Trade Commission basically said “to heck” with form factor and responsive Web design by concluding that disclaimers, caveats and related mandatory advertising disclosures cannot be put into a popup window and must be in the same “conspicuous” format — font size and all — regardless of the device or medium. The FDA had already cracked down on trailblazing pharma firms that tried Facebook advertisements on the same grounds. Both enforcement decisions demonstrate a complete lack of familiarity with new media and an inability to flexibly apply the principles of regulatory schemes to changing circumstances.

Even if, unlike advertiser contentions, potential “Do Not Track” mandates for Web browsing would not kill the Internet content industry, the FTC has signaled it is prepared unilaterally to dictate the size of social media ads in the guise of consumer protection. The old guidance allowed for “proximity” of disclosures — that is, disclosures that were “near, and when possible, on the same screen.” The new guidance places heightened emphasis on disclosures being clear and conspicuous to consumers across all platforms. The newly announced principle is that disclosures should be “as close as possible,” with short form disclosures such as hyperlinks or hashtags permitted only when their meaning is understood by consumers. [Read more →]

Before the United States Senate voted to adopt its first budget in four years on March 23, 2013, the resolution was saddled with hundreds of largely meaningless amendments in a session derisively known as the “vote-orama.”  One of the few such amendments with potential real-world implications concerned the ability of state governments to levy sales taxes on Internet purchases made by their residents.  The amendment’s bipartisan support and overwhelming passage signal that the full act - the Marketplace Fairness Act of 2013 – could soon become the law of the land, dramatically affecting how e-commerce is conducted and where consumer dollars are spent.

[Read more →]

Retailers should be aware that California is not the only state where asking credit card shoppers for their ZIP Code at checkout could lead to a very costly class action suit. Last week, the Massachusetts Supreme Judicial Court ruled in favor of a consumer who alleged that Michaels Stores violated a Massachusetts privacy law prohibiting merchants from recording personal identification information on a credit card transaction form.

[Read more →]

Last year, we discussed the Federal Trade Commissions’ (FTC) efforts to bolster privacy protection through its rule-making and enforcement powers for children who use mobile devices.  As we wait to see how participants in the childrens’ app market respond to the FTC’s various proposals, the FTC continues to study and evaluate privacy protection for those of us who are thirteen and older.

Recently, the FTC issued a staff report that offers numerous “best practice recommendations” for increasing consumer privacy in the mobile application industry.  The Report, entitled “Mobile Privacy Disclosures: Building Trust Through Transparency,” is a culmination of FTC research and input from various mobile app industry participants.  A brief review of these recommendations as they relate to specific members of the mobile app ecosystem is as follows:

[Read more →]

This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates.  This post highlights changes to the requirements for communications, authorization and disclosure of data, and individuals’ rights with regard to their own Protected Health Information (PHI).

[Read more →]

On February 12, 2013, the President issued an Executive Order (EO) and an accompanying Presidential Policy Directive, PPD-21(PPD). The EO requires improved cybersecurity information sharing between the federal government and the owners and operators of critical infrastructure (the vital systems and assets) and the development by the federal government of standards to reduce cyber risks to critical infrastructure. Under the PPD, the critical infrastructure-related functions, roles, and responsibilities across the federal government for implementing the EO are delineated. The PPD identifies 16 critical infrastructure sectors and designates the Sector-Specific Agencies responsible for each sector.  The sectors are Chemical, Commercial Facilities, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Financial Services, Information Technology, Nuclear Reactors and Water and Wastewater systems.  The order redefines critical infrastructure as any organization and associated systems where a cyberattack could pose a threat to U.S. national security, public safety and health or economic interests. Given the breadth of EO and its potential reach, it merits attention. [Read more →]

This post is the latest installment of our analysis of the significant modifications to the Privacy, Security, Enforcement, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule. This post focuses on the changes impacting business associates. [Read more →]

On Thursday, January 17, 2013, the Department of Health and Human Services (HHS) released its Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule, making significant modifications to the Act’s Breach Notification Rules. This post outlines the changes to those Rules. [Read more →]

Everybody on the Internet knows that you have to be careful about where you get your information, particularly when you are trying to figure out what products are worth purchasing.  But what happens when the government posts information about specific consumer products?  How accurate is that information?

[Read more →]