Advocate General Asks EU Court of Justice WHAT?

The Advocate General of the Court of Justice of the European Union recently announced that it had delivered an opinion in connection with a number of proceedings calling for a preliminary ruling in cases involving Ireland and Austria. In Ireland, the owner of a mobile phone submits that the Irish authorities have unlawfully processed, retained and exercised control over data related to its communications. In Austria, three cases brought by the Province of Carinthia have alleged the Austrian Law on telecommunications is contrary to the Austrian Constitution.

Essentially, the top EU legal advocate is asking the EU court NOT to enforce a bad law so the legislature is afforded a chance to fix it. Seriously? That is like asking the U.S. Supreme Court not to strike down discriminatory laws and give Congress a chance to fix them. Seriously?

Without belaboring the technical details of these cases, the Advocate General’s opinion essentially asks the EU Court of Justice to hold off rendering any decision that might declare the EU Data Retention Directive invalid, and urges this delay in order to permit the EU legislature to correct the Data Retention Directive – which requires communications providers to record and maintain consumer metadata. Curiously, just six months ago (June 2013), this same Court of Justice imposed a €3 million fine upon the member nation, Sweden, for failure to adopt the data retention law. That decision found that the delay of almost five years in coming into compliance has interfered with “the proper functioning of the internal market.”

According to the Advocate General, the Data Retention Directive doesn’t provide adequate privacy protections consistent with the EU’s Charter of Fundamental Rights, because it forces electronic communications service providers, not any government or public authorities, to collect and retain traffic and location data. This data, it is pointed out, is not under the control of any government or public authority, but of the providers themselves. Would it be possible “to create a both faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity”? A statement from the Court of Justice says indeed it may, and the Advocate General is concerned this type of data may be subject to abuse, may be used for unlawful or unauthorized purposes, and is inconsistent with the individual’s right to privacy under the EU Charter of Fundamental Rights.

Because the directive doesn’t merely harmonize the laws of member states – but actually imposes an obligation of data retention – the Advocate General argues that the Court of Justice, rather than completely invalidating the directive, should hold off rendering any decision and afford the legislature an opportunity to correct the apparent incompatibilities. You can read the entire Opinion of the Advocate General online (or download the Opinion) [PDF] and decide for yourself.

While the wheels of justice may grind exceedingly slowly, it is unclear whether any court, including the Court of Justice, can delay or refrain from enforcing existing law and regulation or ruling on validity or invalidity simply because there is a disagreement as to its propriety or perception of impropriety. Indeed, even if the legislature chooses to take action, there is no guarantee the resulting legislation or modification will be any better, nor would it or should it be retroactively applied to facts and parties that gave rise to the instant cases. THAT might be inconsistent with virtually every principle of law and justice, as well as the system of checks and balances in our respective governments.

Making the law better is always the objective, and courts have always retained authority to determine if any particular law or regulation goes beyond permissible Constitutional or Charter boundaries – but not the authority to withhold the dispensing of judicial rulings or justice on a case-by-case basis so another branch of government can fix a perceived problem. Perhaps if the Court of Justice invalidated the allegedly bad law, it actually might give everyone a fresh opportunity to get it right and be more careful about doing so.

Questions about data protection, collection or retention, privacy, compliance with applicable law and regulation – Reed Smith has a multi-jurisdictional team of dedicated professionals around the world who can advise; assist in developing compliance programs, policies and training; and assist clients in responding to data breaches, claims of privacy violations, and regulatory inquiries and challenges. As always, if you want to know more, please contact me, Joe Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

Identity Theft? Victim and Alleged Thief ID Each Other.

Digital or analog, identity theft is frightening, anxiety-provoking, and tedious - even if you aren’t in danger of losing money or at risk of physical injury. But it’s often not that simple - for the victim or the perpetrator. As an Applebee’s waitress in Lakewood, Colorado, found out, identity theft in the real world can be more frightening than digital theft.

A few weeks ago, the waitress, Brianna Priddy, while out with some friends (not while working), apparently lost her wallet with all of her credit cards, her checks, and her driver’s license, as well as the cash. She dutifully went through the time-consuming and sometimes frustrating process of calling, writing and notifying everyone she could remember, alerting them to stop transactions that may involve the lost instruments and identification, and asking for replacements. Not fun. Even when her bank called, alerting her to forged checks being issued, she probably resigned herself to living with some frustration, anxiety and pain for a while. But if you think digital identity theft is frightening, read on.

Fast forward, Ms. Priddy is now back at work, waiting tables. A group of young people at her station order drinks. She asks for ID. How amazing to find that one of the women at the table ordering a drink is none other than herself! Cloning? Not really. The woman in the group had offered the victimized waitress’ ID as proof, and I confess she must have been a lot calmer than I would have been. She didn’t let on and, according to reports, said to the patron, handing her back the ID, “I’ll be right back with your Margarita.” The waitress called police and, despite what must have been a nerve-racking eternity, she tried to appear calm and collected waiting for the police to arrive. They did and promptly arrested the woman patron on suspicion of theft, identity theft and criminal impersonation.

Not all criminals are as unwitting or as helpful as the alleged thief in this case. Not all identity thieves are that cooperative, even by accident. Most digital identity theft, compromises of personally identifiable information, and data breaches are more complex, and involve more than one individual and often cross state and national borders - with multiple statutory and regulatory schemes that apply to you, the “victim.” Reed Smith has an entire experienced group dedicated to helping companies deal with identity theft - from preventive policies to defense of legal rights with respect to consumers and regulators. If you need more information about the complex legal and regulatory issues involved, contact me, Joseph I. Rosenbaum, or the Reed Smith attorney with whom you regularly work.

What You Don't Know Can Hurt You

Multiple Choice Question: What do the following have in common:

“Privacy & Data Protection: Distinctions Between Surveillance and Secrecy”

“Ethics, Process, Privilege, Discovery and Work Product in the Digital Age”

“When Worlds Collide: Old Ethics and New Media”

“Outsourcing: The Law & Technology”

“The Changing Legal Landscape: Evolution or Revolution”

“Growing Your Business Internationally - What to Know Before You Go”

“Social Media, Mobile Marketing, Clouds and Crowds” (modules):

  • Advertising & Marketing in a Digital World
  • Media & Entertainment: Digital Rights and Wrongs
  • Financial Services, Payments & E-Commerce
  • Online Gaming, Gambling & Virtual Worlds
  • Apps & M-Commerce
  • Context & Geo-Marketing: Wi-Fi, Bluetooth, SMS, RFID, QR Codes & Augmented Reality
  • Operations & Performance, Security, Compliance and Interoperability
  • Wired & Wireless: Sweepstakes, Contests, Product Placement & Branded Entertainment
  • Anti-Social? Communication & Public Relations for Companies, Employees & Investors
  • Behavioral Advertising, Endorsements, Blogs, Buzz, Viral, Street Teams & Word of Mouth
  • Labor & Employment Policies in a Networked Age: The Good, The Bad & The Ugly
  • Crowd Sourcing, Crowd Funding, Crowd Investing: Today & Tomorrow

“Privacy, Data Protection & Globalizing Technology: Digital Commerce Brings Legal Challenges”

“Comparative Advertising Issues: Multinational Brands; Global Challenges”

“Direct to Consumer: Legal Challenges in the Digital Marketplace”

“Out of Control? Challenges to Privacy & Security in a Big Data World.”


Answers: (a) Seminars & Presentations Given; (b) Seminars & Presentations Available; (c) Targeted at Lawyers; (d) Targeted at Commercial and Business Management; (e) Relevant to Small-to-Medium Size Business; (f) Relevant to Multinational, International & Global Companies; (g) None of the Above; or (Y) All of the Above.

If you guessed (Y), you are correct. Let us know if any of these, a combination of these or a customized version of these or any other presentations might be right for you. Hey, you never know, but what you don’t know, can hurt you. For more information, contact me, Joe Rosenbaum, or the Reed Smith attorney with whom you regularly work.

Airlines May be Mobile But Delta Apps Irk California Regulators

In a civil action filed in California (People v. Delta Air Lines Inc., California Superior Court, San Francisco, 12-526741), the California State Attorney General’s office alleges that Delta Air Lines was distributing a mobile application without a privacy policy, in violation of the California Online Privacy Protection Act of 2003 (OPPA), which became effective July 1, 2004. The California statute provides a penalty of up to $2,500 for every violation.

Among other things, the Delta ‘app’ allows customers to check in, and display and make reservations; and, according to the lawsuit, Delta has been allowing customers to download and use the ‘Fly Delta’ app without a privacy policy, since at least 2010.

Of course, Delta is not the only company with user-friendly mobile apps for on-the-go busy travelers, and I’m guessing that company lawyers are now scrambling to determine if their apps are in compliance and whether changes need to be made and, just as importantly, how to make those changes to ensure compliance with the law and still maintain the customer friendliness mobile users are accustomed to and demand.

Our Advertising, Technology & Media law practice can help you navigate the challenges of compliance – preventive law as well as representing clients when the regulators come calling . . . and we have a group dedicated to legal support when your needs, defensive or as a defendant, turn to privacy, data protection and identity theft. So if you need help or more information, contact me, Joseph I. Rosenbaum, or any of the Reed Smith lawyers with whom you regularly work.

Bond Meets Bond Street: Mannequins are Watching You Shop

An Italian company, Almax S.p.A., is selling a mannequin (price tag about $5,000) in a development that is being closely watched – literally – by retailers, consumers and, of course, regulators and privacy gurus. The new product, marketed as the EyeSee Mannequin, contains a camera embedded in the mannequin’s eyes, and according to the company’s website: “This product will do much more; it would make it possible to 'observe' who is attracted by your windows and reveal important details about your customers: age range; gender; race; number of people and time spent.”

In Europe and the United States, the mannequins are making sporadic appearances – perhaps in showrooms and even in street-side display windows, gathering data as people saunter by the store gazing into the windows. According to reports, Almax may also be testing auditory capabilities that would allow a mannequin to not only see, but to hear what customers are saying as well. Hey, did you just call that mannequin a dummy?


(Image from Almax Website)


The EyeSee Mannequin has a camera placed as an "eye" that includes facial recognition technology that records information about passersby, such as their gender and race, and the software guesstimates the approximate age of each person scanned by the camera. Typically, cameras can be used in retail stores for security, but in many jurisdictions the shop owners are required to post signs alerting consumers browsing the aisles that they are subject to being recorded. Now, the EyeSee Mannequin gives retailers the ability to collect and store information for marketing purposes – a commercial purpose that may put the technology squarely under a microscope (these vision puns really must stop), since it collects personal data about individuals without their consent. That said, the current product is only supposed to record information, not any actual photographs or image scans, but . . . it could, couldn’t it?

Need to know more about the legal implications of technology in advertising and marketing? Concerned about your rights (and wrongs) in deploying surveillance equipment and gathering data and information about customers and consumers? Are you up-to-date on the latest privacy and compliance requirements? Not sure? Need to see these issues more clearly? OK, don’t be a dummy (I mean mannequin) and consult your lawyer. Don’t hesitate to contact me, Joseph I. Rosenbaum, or the Reed Smith lawyer with whom you regularly work. We would be happy to see you, hear you and help you.

IAPP Privacy Presentation - Is the Wizard of Oz Still Behind the Curtain?

On May 10, 2012, I had the privilege of making a presentation at the IAPP Canada Privacy Symposium 2012. The title of my presentation was "Social and Mobile and Clouds, Oh My!" and it addressed some of the emerging issues in privacy, data protection and surveillance that arise as a result of globalizing technology and the convergence of social media, mobile marketing and cloud computing.

As part of that presentation (and as I have started to do for some time now in other presentations), I raised the issue of how lawyers, the law, legislators and regulators often use words to describe activities – words rooted in tradition or precedent – that are no longer applicable to the activity in today's world. "Privacy" is such a word, although "not applicable" perhaps is too harsh. Obviously the word has significant applicability in a wide variety of situations. But "invasion of privacy" has become a knee-jerk reaction to virtually every information-gathering activity, even information readily and publicly available and, in some cases, posted, disclosed or distributed by the very individual whose privacy is alleged to have been "invaded."

Please feel free to download a PDF of my presentation, "Social and Mobile and Clouds, Oh My!" [PDF] (Note: Embedded video file sizes are too large to include), and let's start a conversation about how we use words and how they wind up in laws and regulations. Lawyers work with words. Use them artfully and they provide powerful structures within which society, commerce and all forms of human endeavor function. Use them improperly and they cause confusion, uncertainty, inconsistency and inherently inequitable outcomes.

Seems like I am not the only one to point this out. Take a look at the insightful comments by John Montgomery, COO of GroupM Interaction, North America, as reported in a MediaPost RAW posting on Social Media entitled: If Marketing Terms Could Kill.

Kudos John. I'm with you. Let's get it right.

FYI, Reed Smith has teams of lawyers who have experience and follow developments in privacy and data protection, information security and identity theft. If you want to know more, if you need counsel or need help navigating, or if you require legal representation in this or any other area, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith lawyers with whom you regularly work.

Happy New Year Wishes for 2011


About 4,000 years ago, the ancient Babylonians celebrated the New Year upon seeing the first new moon after the vernal equinox. Today, festivities in New York's Times Square are televised around the world. Although my traditions don't date back nearly as far as either of these, each year at this time I try to create a Legal Bytes piece intended to be more thoughtful and philosophical. So this posting will contain no hypertext links to distract you; it will not have citations to offer more information about a snippet; nor will it dazzle you with factoids or intrigue you with today's news. It's just me philosophizing, about where we've been and where we're going. My one chance during the year to simply ramble about where we've been and where I think we might be headed – without any credentials, qualifications or expertise to do so.

So, loyal Legal Bytes' readers, just pull up an easy chair, put away your other distractions for a moment, pour a glass of your favorite beverage, sit back and enjoy . . . and again, thank you.

Much has been written about social media. Whether it's the Facebook phenomenon, now with 1 billion "friends" in sight, or the Twitter tweets that either rock or knock the world – everyone's talking about it. I just read an interesting blurb from a powerhouse of a social media strategist I follow on Twitter, describing the social media and corporate world as an example of "orthogonal bliss," and I thought, that's interesting, but not quite right. Why, you ask? (You did ask, right?) Hang on.

Much has also been written about privacy and data protection. Online behavioral advertising, geo-targeting and location-based services, tracking, identity theft, the buzz words go on and on. I keep reading how advertisers capable of more accurately determining my preferences represent a massive invasion of my privacy and my rights. Wait a minute. That's not quite right either. Why, you ask? (You did ask again, right?)

Well, let's put these in perspective, because all of these inter-relate with cloud computing and mobile and wireless technology and, yes, drive-up windows! When Henry Ford introduced mass-production assembly lines in the early 1900s, prices of automobiles dropped, making personal transportation more affordable. Closed body construction, first available on General Motors' Cadillac Model Thirty in 1910, as well as the first use of an electric starting motor (invented by Charles Kettering), also in the Cadillac sold in 1912, made the automobile easy for anyone to start and capable of being used in all sorts of weather.

More than just trivia, society as we know it in the industrial age has largely been based on the rapid increase in personal transportation: Drive-up windows, shopping malls, suburbs, gasoline/petrol stations, rumble seats, not to mention paved roads, interstate highways and so much more. Try to imagine not just the vehicles themselves, but also the lifestyles that have changed, the culture and society that has arisen around personalized transportation. The airplane has shrunk the globe, and the automobile has enabled us to go where and when we like on it!

Thirty years ago, computers were largely mainframe monoliths, connected to dumb terminals requiring rocket scientists with punch cards and a working knowledge of Boolean algebra to do anything. Raised floors for cabling, sophisticated air conditioning cooling systems – 1 megabyte of memory in 1978 cost more than $30,000. Why would anyone ever need more than 64K!

Today, personal information systems are transforming our society and our culture as well: Everything from how we work, play, game, learn, research, find things and, yes, interact with each other and the world around us. Rapidly. Our appetite for personalized capabilities has created successful companies that have learned the skills of "mass customization" – yes, there's an app for that! Devices become smaller and more powerful. I can take my toolkit, my work, my school books, my roadmap, my address book, my email and my phone with me wherever I go. I can keep in touch and shop with one device. "Clouds" and wireless devices proliferate – in the next year or so, estimates indicate there will be more than 5 billion active mobile phone contracts, most Web enabled and most with GPS tracking capability.

Social media isn't really "media." Social networking isn't really "networking." Online (or more correctly, "digital") behavioral and geo-targeting isn't really an invasion of privacy. Is it? Are they? Getting back to my "orthogonal bliss" observation, social media and corporate aren't really at right angles, intersecting on a single axis point for each and diverging orthogonally – are they? When corporations have "Chief Tweeters" and pages on Facebook, and display Twitter, Facebook, Linkedin, Plaxo, Google+, Digg and a host of other icon/links on their own domains and even in print and television, as well as online/mobile advertising – is it orthogonal? Not sure. Don't have a better solution, but I'd like to think about it and that's key. The site that gave me that description – the strategist who mentioned the word "orthogonal" and noted it came from a "fancy" person, with "fancy" words at a "fancy" evening party – well, that site made me think. Isn't that what this is all about? Let's conclude by breaking down some myths:

True, some elements of social media depend on media. Some are even social.

True, some aspects of behavioral tracking and location-based services could intrude on my rights.

But we continue to use language that is increasingly irrelevant to the reality of what we do and what we want. The Internet was originally designed as a communications mechanism. Remember Arpanet? Tim Berners-Lee found a way to establish residences (domains) on the information superhighway. Lou Montulli gave us animated GIFs and, yes, cookies, among other things.

So now we can communicate, store, process, transmit, retrieve and use information ourselves, with our friends, family and colleagues; with strangers around the world or around the corner. The "borderless world" envisioned (or perhaps more aptly, reported) by Kenichi Ohmae is here. Privacy – a word that really doesn't capture the accumulation of information about my publicly available activities – does it? Social media – words that don't really describe the amazing revolution and evolution taking place at home, at work, how we educate and how we shop.

Neither of these terms (and without getting too boring, none of the laws or regulations) really hits the nail on the head. I'm not necessarily advocating a change in terminology. Meanings of many words have changed over the years, but we need to change the conversation so that the words and the meanings start to more closely align. If we can't, then change the words. Because the meanings and the ways in which you and I use and want to use this fantastic technological capability – and those emerging into the future – will not stop moving forward.

When a human being first set foot on the moon, the space ship, the lunar landing craft, the clothing used to make that incredible feat of scientific and engineering magic, were all depicted and predicted with unnerving accuracy in fiction, science fiction and writings from Jules Verne, and perhaps earlier. What was equally amazing and unpredictable was that when Neil Armstrong placed his left boot on the surface of our moon at 2:56 UTC July 21, 1969, almost the whole world could watch the live transmission on television.

I daresay 800 million people aren't really friends – on Facebook or otherwise. Yet we use the word as if it is meaningful in the same way. Can a judge be "Friends" with lawyers appearing in their courtrooms? Can an employee of PepsiCo "Like" Coca-Cola with impunity? Think about all the ways we give information to others willingly and in what context. Are we really complaining about privacy or are we more concerned with our loss of control over information about us?

Something and some things to think about. Some ramblings to ruminate about. Fortunately someone else has to proofread this (thank you Lois). I'd like to tell you I have the answers because that would make me both rich and famous. I don't (not yet).

My second tradition has always been limited to my personal contacts – friends, family, colleagues – but this year I received so many kind words and so many requests to post it and share it with others, that I have reformatted my personal holiday message for Legal Bytes and I share it with you. Perhaps the start of another tradition. Here goes:

This is the time of year when season's greetings, holiday and new year's wishes, regardless of religion, culture, ethnic background or heritage, fill the air. We spend a lot of time and attention on cards, gifts, attending or hosting parties, dinners and otherwise gaining the 10 pounds we resolve to lose in the New Year. Far be it from me to screw up the tradition, so among the flurry of well-wishers, holiday revelers, frosty noses and smiling faces, let me join with others and wish you a cheery and joyous holiday season now; and in the months ahead, a healthy, happy new year filled with wonder, challenge, excitement and, yes, traditions old and new.

Over the past 30+ years I have agonized over gifts to clients, colleagues, family and friends. About three years ago, I started a new tradition (for me), passed on to me from a colleague who had started doing it years before. He told me to write a thoughtful note and send it out – let the ripples flow through time and touch the people that you know. So as we leave 2011 behind and look forward to 2012, I gratefully appreciate you for allowing me to share my personal holiday and new year's wishes with you.

We can't all change the world. But we might just be able to change a life or two or three. Yes, it's corny. So what? We are already edgy and hip. We are all cool. Can you spare some good old-fashioned corny? We talk about random acts of kindness as if it were a bumper sticker. Sure, maybe the homeless guy will spend it on a beer - maybe not. Yes, someone might be ripping off money from the battered women's shelter - maybe not. Maybe showing a little faith and kindness to those who have felt so little, will pay more dividends than we care to believe. The real inconvenient truth is that we use failure as an excuse not to give to or help others who have less. Think about every person who is extolled for their selfless dedication to helping others. We admire them not because they gave to others; rather, we honor them because they never gave up helping others. Adversity. Challenge. Humiliation. Their belief in helping others was steadfast. Beat them down, they simply got up and went on. Perhaps each of us, in our own small way, should try and show others who are less fortunate that we care and we are willing to help - even if we are not sure they will use our help wisely or to turn their lives around, and even if we are disappointed. Have a little faith - it's not about religion, it's about tolerance and understanding and a willingness to accept that we may not know why some people are what they are, but we can help nonetheless. I am not the paradigm of virtue. I've walked past my share of corrugated cardboard box people without a glance - avoiding their gaze so I'm not shamed into coughing up a few dollars. Then I realize I spend more on my newspaper subscription or Starbucks and I feel guilty. Sometimes I go back - not often enough - but when I do I feel better. I like that feeling. Stupid me, I don't reproduce it often enough. My father did, rest his soul. I should have learned from him. Hopefully it's not too late. So I'll try again, starting now, to be better. 
I'll also try to keep in touch more.

I also value the diversity of people I've come to know and care about over the years and throughout the world - you know who you are and if you aren't among them, send up a flare and say "hi." There is much I still have to learn from each of you.

So to family and friends, colleagues and acquaintances, clients and adversaries, loyal Legal Bytes readers and those who browsed here by accident, let me wish you peace, comfort and joy. May those who love you come closer and those who dislike you become fans. But most of all, I wish all of you the extraordinary sense of goodness that comes with changing another person's life for the better... a person to whom you owe nothing and who expects nothing from you. Think what the world would be like if we all did that.

No matter what language you prefer, it means "Thank You," and I offer my thanks to all you readers and fans, new subscribers and sporadic browsers. A special appreciation to Erin Bailey, Lois Thomson, Rebecca Blaw and the Reed Smith and Lexblog team that makes what I do appear a lot easier. Thank you all for everything you do to make Legal Bytes a special place to visit.


Happy Holidays & Best Wishes


Health, Happiness, Prosperity and Peace in 2012

-  Joe Rosenbaum


MMA Releases Mobile App Privacy Guidelines - Appy Days Are Here Again

A few days ago (October 17), the Mobile Marketing Association released its MMA Mobile Application Privacy Policy, which the MMA asserts is the first industry guideline to deal with data protection and privacy specifically related to mobile and wireless applications. The guideline being made available for comment is slated to be finalized sometime after November 18, 2011, when the MMA’s comment period is scheduled to close. The press release notes that there are currently more than 425,000 iPhone/iPad apps available from Apple’s App Store, and more than 200,000 available for Android.

The document is intended to deal with some of the basic privacy principles and text that developers should consider incorporating into mobile apps to let consumers know how their data is collected and used, as well as information regarding confidentiality and the security of information that becomes available when a consumer installs and uses a mobile app. Obviously, legal disclaimers and disclosures and issues related to privacy and data protection are quite jurisdiction-specific, and compliance will always require consultation with legal counsel to be sure mobile, and all other online and other applications and processes, conform to the legal requirements of each jurisdiction that applies to consumers for that application or process.

Reed Smith’s offices around the world are open, coordinating with our Advertising Technology & Media law practice group, ensuring that lawyers knowledgeable in data protection and privacy, as well as in mobile technology and marketing, are available to help you. As always, if you want to know more about how lawyers who understand can help your business, feel free to contact me, Joe Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

BNA Highlights Health IT Issues Raised by Reed Smith Attorneys

The August 29, 2011 issue of BNA’s Health IT Law & Industry Report (Vol. 3, No. 36), describes some of the major legal and contractual issues raised when health care industry companies and professionals are considering moving to a cloud computing environment. Joseph I. (“Joe”) Rosenbaum was interviewed by the author, Kendra Casey Plank, for her article, entitled, “Attorney: Cloud Services Offer Affordable Solutions but Raise Privacy, Security Risks.” The article not only quotes Rosenbaum extensively, but also refers to Reed Smith’s White Paper series “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing,” which began in June 2010 (see "Transcending the Cloud" - Reed Smith Announces White Paper Series & Legal Initiative on Cloud Computing). The series is updated regularly with individual articles on topics ranging from government contracting and state tax, to the most recent White Paper entitled, “Health Care in the Cloud – Think You Are Doing Fine on Cloud Nine? Hey, You! Think Again. Better Get Off of My Cloud,” which Rosenbaum and Reed Smith Associate Vicky G. Gormanly wrote and which was posted on the Legal Bytes blog August 5, 2001 (Transcending the Cloud - Health Care on Cloud 9? Are You Doing Fine?). What’s the state of your health care compliance? Are you doing fine?

Read the White Paper and, if you have any questions or need help, contact Joe Rosenbaum or Vicky Gormanly, or the Reed Smith attorney with whom you regularly work.

Who's Right on Privacy? Rosenbaum on Legal Bisnow.

You'll have to read the story to find out why Reed Smith's own Joseph I. ("Joe") Rosenbaum thinks that "Privacy is the elephant-sized rubber band ball in the room." Joe was recently interviewed by Jeff Gamsey, managing editor of Legal Bisnow, and is featured in yesterday’s lead story on Legal Bisnow entitled, "Who's Right on Privacy?"

Transcending the Cloud - Health Care on Cloud 9? Are You Doing Fine?

If you are a music aficionado, you will remember that years ago, The Temptations sang “I’m Doing Fine on Cloud Nine.” 



If you are a health care provider paying attention to the buzz about cloud computing, you may be concerned about migrating your technology, your data and your applications to a cloud environment.  Or, let’s say you are just confused about the implications. You are not alone.

That’s precisely why our Cloud Computing initiative exists. To provide you with a guidance system – navigational tools to allow you to see sunshine, even on a cloudy day. So, as part of our ongoing commitment to keeping abreast of legal issues, concerns and considerations in the legal world of cloud computing, here, from Vicky G. Gormanly and Joseph I. Rosenbaum, is the next chapter in Reed Smith’s on-going series, “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing,” entitled “Health Care in the Cloud – Think You Are Doing Fine on Cloud Nine? Hey, You! Think Again. Better Get Off of My Cloud.” This white paper examines the considerations and concerns that arise for the health care industry and the industry’s associated suppliers, vendors and providers in the wake of complex and evolving regulation and scrutiny – most notably, in the privacy and data protection of medical information – of electronic health records.

As we do each time, we have also updated the entire work, so that in addition to the single ‘Health Care in the Cloud’ white paper, you can access and download a PDF of the entire “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing” compendium, up to date and including all the previous chapters in one document.  After reading the article, instead of doing fine, you just may want to take the advice of The Rolling Stones and "Get Off of My Cloud" until you consult your legal advisors.



Of course, feel free to contact Vicky Gormanly or Joe Rosenbaum directly if you have any questions or require legal counsel or assistance related to this white paper. Make sure you subscribe via email or get the Legal Bytes RSS feed so you are always in touch with our latest information. Of course, if you ever have questions, you can always contact any Reed Smith attorney with whom you regularly work.

ICONfusion Creeps Into Interactive Advertising Awareness

Earlier this week, ClickZ reported that the improper use of the Digital Advertising Alliance's behavioral icon is threatening to dilute the self-regulatory effectiveness of its campaign to educate consumers on the risks of online behavioral advertising, and enable them to make an informed judgment in seeking to control the use of their browsing behavior across multiple websites. Legal Bytes has previously reported the initial development and launch, as well as the growing acceptance of the industry’s self-regulatory efforts (just search us for "behavioral advertising" or follow the links through any of our prior posts – e.g., Self-Regulatory Ad Industry Effort Continues to Drive Forward). While the icon has gained wide acceptance as part of the advertising industry’s self-regulatory initiative (See Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles), using it inappropriately or inaccurately may cause consumers to be more confused, rather than educated.

You might be tempted to argue that if advertising that does not involve behavioral information nonetheless includes the DAA icon, what’s the harm? However, if the objective is to educate consumers about the distinctions in how their information is collected and used by advertisers, agencies, network publishers, browser publishers and others in the interactive ecosystem, confusion fuels the concerns already raised by consumer advocacy groups, regulators and lawmakers alike – and that’s counterproductive.

The good news is that the industry campaign to stimulate adoption of the self-regulatory guidelines and the inclusion of the icon in relevant advertising is gaining momentum – a sign the industry can and will police and regulate itself. Innocent mistakes in the name of compliance are certainly better than abuse or ignorance, so let’s not be too quick to throw stones. That said, as consumers increasingly see the icon and begin to appreciate, and take advantage of, the self-regulatory efforts, it behooves the industry to do a better job of making sure the educational component is consistent and not ICONfusing!

As always, if you need more information about the advertising industry’s self-regulatory initiative, advice regarding compliance, or legal help in understanding the dynamic and ever-changing environment of online and mobile interactive advertising, marketing and privacy, call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work – our lawyers deal with these issues every day.

Payment Card Industry Takes a Swipe at Virtual Security

Someone in the payment instrument, payment processing, or payment systems environment must be living under a rock if he or she has not heard of or been affected by the Data Security Standards (DSS), or “PCI-DSS” as it has been referred to in the industry, promulgated and released by the Security Standards Council of the Payment Card Industry Association (PCI). Although the original impetus for the credit-card-driven security standards was combating identity theft and credit card fraud in the wake of the data breaches and compromised (or potentially compromised) databases containing sensitive consumer payment account information, the standards have become the de facto starting point for any compliance security standard in the payment industry.

Last week, the PCI Security Standards Council released new comprehensive guidelines for PCI compliance in virtual card holder data environments dealing with consumer payment system and payment transaction security in a virtual environment. Reed Smith lawyers who work in this area consistently, and who have a wealth of experience with information security and financial services, have put together a client alert entitled: "Is the PCI Security Standards Counsel Preparing for Cloudy Weather?"

Credit, debit and prepaid cards; smart cards and chip cards; gift cards and stored value cards; co-branded cards and loyalty rewards programs; corporate cards, fleet cards and purchasing cards; data protection and privacy; information security, identity theft and data breaches; micro, digital and virtual payment systems – E Commerce; The Fair Credit Reporting Act; Regulation E; Regulation Z; Credit Card Act of 2009 (see Credit Card Act of 2009: Act I, Scene 1 or just search the Legal Bytes blog)! Do any of these terms apply to you? Talk to us. It’s what we do. Contact any of the lawyers listed in the Alert, contact me, or contact the lawyer at Reed Smith with whom you routinely work, and we will make sure we help you or connect you to someone at Reed Smith who will be happy to do so.

Transcending the Cloud - Advertising & Marketing Make Rain

This post was written by Joseph I. Rosenbaum and Keri S. Bruce.

As part of our ongoing commitment to keeping abreast of legal issues, concerns and considerations in the legal world of cloud computing, most of you know we have been publishing regular topical updates to our Cloud Computing initiative – new chapters and white papers intended to provoke thought, stimulate ideas and, most of all, demonstrate the thought leadership Reed Smith attorneys bring to bear when new and important trends and initiatives in the commercial world give rise to new and interesting legal issues. If you didn’t know, re-read the previous run-on sentence!

So here, from Joe Rosenbaum and Keri Bruce, is a glimpse at some issues that apply to the world of advertising and marketing arising from Cloud Computing. This next chapter in Reed Smith’s on-going series, “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing,” is titled “Cloud Computing in Advertising & Marketing: Looking for the Silver Lining, Making Rain.” This white paper tries to examine the considerations and concerns that arise within the advertising and marketing industries in the wake of complex and evolving regulation and scrutiny. We hope it provides some insight into the issues and the factors that apply, even as the industry and the regulatory landscape continue to evolve.

As we do each time, we have updated the entire work so that, in addition to the single "Advertising & Marketing" services’ white paper, you can access and download a PDF of the entire “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing” compendium, up to date and including all the previous chapters in one document.

Of course, feel free to contact Joe Rosenbaum or Keri Bruce directly if you have any questions or require legal counsel or assistance related to advertising and marketing. Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information. And if you ever have questions, you can always contact any Reed Smith attorney with whom you regularly work.

China Announces State Internet Information Office

This post was written by Joseph I. Rosenbaum, Frederick H. Lah, Zack Dong and Amy S. Mushahwar.

On May 4, 2011, the Chinese government announced it was establishing the State Internet Information Office, an office dedicated to managing Internet information. According to the announcement, this office will be responsible for directing, coordinating, and supervising online content management. The office will also have enforcement authority over those in violation of China's laws and regulations (see, for example, China sets up office for Internet information management). While there are reports that many believe the purpose of the new office will be to censor political and social dissidents (see China Creates New Agency for Patrolling the Internet), the office may also have a key role in thwarting illegal spamming and other dubious data practices.

Further, many see the establishment of this office as another step forward for the Chinese in terms of establishing their own data-protection regime. China has long been considered as lagging behind other countries in terms of their data-protection standards (quite possibly by design), and with no comprehensive data privacy law, businesses have had little guidance concerning the handling of personal data. China published the draft Personal Information Protection Measures in 2005, but those Measures have not yet been adopted and little progress seems to have been made since then. However, in February 2011, China issued a draft of the "Information Security Technology - Guide of Personal Information Protection" ("Guidelines") to address the lack of guidance and standards surrounding online information practices in China. The Guidelines include standards with respect to collecting, processing, and using data, and there are provisions related to the transfer of data to third parties. While the Guidelines are technically non-binding, they still provide important guidance for businesses in China on how to protect the online information of China's citizens. With the Guidelines still under review, Reed Smith lawyers will continue to monitor developments to see what form the Guidelines will take in the future.

If you have or are considering a presence in China, you need to know and be attentive to many things, if you are to succeed in the Chinese marketplace. That’s why you should contact Frederick H. Lah in our Princeton office, Zack Dong in our Beijing office, Amy S. Mushahwar in our Washington, D.C., office, me, or the Reed Smith lawyer with whom you regularly work. When you need legal guidance or have questions about regulations that apply online, on the Web, and across the Internet, in almost any part of the world, let us know. We are here to help.

Mobile Advertising & Marketing - Myths & Miffs

Thanks to the Digital Marketing Committee of the Association of National Advertisers for having me attend and give a presentation on mobile advertising and marketing yesterday. A copy of the presentation is available for your reading enjoyment right here: “Mobile Marketing or I Know Where You Will Be Next Summer & Other Mobile Marketing Myths.” (PDF)

UK ICO Issues Guidelines for Online Compliance - C is for Cookie

The Information Commissioner's Office in the United Kingdom, in furtherance of the European Union's "browser cookie" laws (EU Privacy and Communications Directive), has just published a set of guidelines that commercial enterprises will need to comply with when the new law goes into effect May 26. (See ICO Advice on New Cookie Law Published.) Because the laws' requirements relate to technology and marketing, the intention of the new guidelines is to provide guidance on compliance for businesses.

For background, in case you haven't been following this closely, in November 2009, the European Parliament amended the Directive of Privacy and Electronic Communications 2002/58/EC (sometimes referred to as the e-Privacy Directive) that mandated that websites give consumers the right to opt out of receiving cookies (in most cases by changing settings on their web browsers). The 2009 amendments reversed the requirement, setting the default as "opt in." Consumers will have to give permission (informed consent) to a website in advance, to allow a cookie to be placed on their computer.

The UK ICO's guidance makes it clear that all businesses, private and public, will be required to get consent from the user, in advance of having a browser cookie downloaded and installed on the consumer's computer. In addition, the ICO has amended the UK Privacy and Electronic Communications Regulations to mandate that clear and thorough information – to ensure informed consent - is provided to end users, explaining why their information is being stored and how it will be used by the commercial enterprise. Expect to see consumer-directed information soon, alerting consumers as to what their rights are and what to expect as businesses comply with the new law and regulations.

As you probably know if you are a loyal and longstanding reader, Legal Bytes in 2009 reported that the major players in the online advertising industry had issued self-regulatory principles concerning online behavioral advertising (Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles), and intended to create an industry self-policing mechanism, as well as disclosures to consumers concerning the use of their personal information. The self-regulatory mechanisms in the United States – these being similar – have followed an "opt out" approach to consumer privacy and the control of personal information. For multinational and international businesses worried about compliance (and that includes all you web browser publishers) – well, it's complicated.

As always, if you need guidance for your advertising, marketing, privacy or data protection efforts, call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work. Our lawyers deal with these issues every day.

Do Not Track - Diving Deeper Into the Quicksand

Coming on the heels of a bill aimed at preventing children from being tracked, introduced by Rep. Ed Markey (D-Mass.) (see Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill), Jay D. Rockefeller (D-W.Va.), Chair of the Commerce, Science & Transportation Committee in the U.S. Senate, today introduced a Do Not Track Online bill that would empower the FTC to promulgate rules "that establish standards for the implementation of a mechanism by which an individual can simply and easily indicate whether the individual prefers to have personal information collected by providers of online services, including by providers of mobile applications and services . . . "

A copy of the proposed legislation is available here for you to download and read: Do Not Track Online Act of 2011 – Proposed Rockefeller Bill (PDF). Of course, if you need legal guidance, advice or representation as these bills are introduced and make their way through the legislative process, don’t hesitate to call us. We are here to help.

The Tip of the Iceberg - 'Do Not Track' Kids Bill Proposed

After several months of anticipation, Rep. Ed Markey (D-Mass.) released his Kids "Do Not Track" discussion draft bill. At face value, this bill appears to have a narrow focus of online behavioral activities toward children, which we normally define under the Children's Online Privacy Protection Act ("COPPA") as any individual younger than 13. However, such is not the case. This bill would amend COPPA to expand some marketing provisions to teens under age 18, and may, in effect, require better age screens, given teen savvy (and their propensity to lie about their age).

If enacted, this bill has the potential to create complications when marketing to the crucial college age and young adult market as more sophisticated age screens will require all to enter information that they might not want to share online.

To read the entire Reed Smith Alert and find out more, just check out Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill.

Dear WikiLeaks, Here We Come. Sincerely, The Wall Street Journal.

The Wall Street Journal just announced it has established a secure mechanism that allows "newsworthy" materials to be uploaded to its separate, but internal, secure servers. The new service, Safehouse, is a logical outgrowth of the age-old newsgathering function. That noted, one can only imagine everyone scratching their heads saying, "What took you so long?" considering the international notoriety garnered by the most visible recent leak-gathering organization, WikiLeaks.

Legal Bytes was certainly not alone in highlighting the WikiLeaks phenomenon (see IMHO - Wiki Wiki True to Its Meaning), so it's a bit surprising that traditional news organizations had not previously moved aggressively into the digital technology age with their news-gathering activities. That said, kudos to the industry for opting to enter the digital age on the input side of the process and create competition in this arena, just as competition among journalists has existed for centuries.

The presumption is the WSJ upload process will be secure and apparently anonymous - the accumulation of anonymous and pseudonymous tips, leaks and leads has long been part of every investigative reporter's and journalist's job. Other news organizations are also rumored to be working on similar services, although not having done an investigation myself, others perhaps may have already launched. The WSJ service will reportedly provide encrypted digital file transmissions and, according to the Safehouse website, will seek to minimize the amount of technical information (read that to mean, traceable information) that the service receives on its servers.

Joseph I. ("Joe") Rosenbaum is a partner in the New York office of Reed Smith, global chair of its Advertising Technology & Media law group – oh, and is the editor, publisher and often author of posts on Legal Bytes.

Free Speech on the Internet - India Goes Schizophrenic

Unreasonable restraints on free speech? India? Well, you decide. According to an article published today in the Pittsburgh Post-Gazette, storm clouds are brewing over just how far the government should and can go in restricting free speech on the Internet. Indeed—just how ambiguous the regulations can be such that interpretation becomes a subjective problem, enforceable at the discretion of regulators.

Unfortunately, the new rules (referred to as “Information Technology (Intermediaries Guidelines) Rules, 2011”) stem from a 2008 amendment (I.T. Act 2008), widely supported by Internet service providers, to an Indian information technology statute first enacted in 2000. For a history of the Indian legislation, see Information Technology Act 2000 (ITA-2000).

The Amendment removed intermediary liability of Internet service providers, many of whom are represented by the Internet and Mobile Association of India, for any content created by third parties and for which the ISP played no active role in creating. While the removal of passive ISP intermediary liability is one of growing consistency in the international community, the regulations broadly empowering officials to curtail free speech on the web are not.

Growing trend, justified by security? Aberration spawned by immediate and local concerns? Abuse of power? Reasonable trade-off for protection of society? Ahh, but whose society? Where is the balance? Who decides?

Take a look at the regulations, then you decide. But if you need legal guidance or have questions about regulations that apply to the Internet—internationally, multi-nationally or domestically, in almost any part of the world—let us know. We are here to help.

ILO Publishes 'Twitter Settles with FTC - Gets 20 Years' Probation!'

On April 5, 2011, the International Law Office published a customized version of the March 14, 2011 blog on Legal Bytes, Twitter Settles with FTC - Gets 20 Years' Probation! You can read it online or download your own copy of the ILO posting here: ILO Posts Twitter Settlement news.

Sens. Kerry & McCain Introduce Commercial Privacy Bill of Rights Act

Sens. John Kerry (D-Mass.) and John McCain (R–Ariz.) have introduced a bill in Congress to legislatively enable a statutory bill of rights for consumers with respect to commercial privacy. You can read the full text of the Commercial Privacy Bill of Rights Act of 2011 (PDF), and Reed Smith will have a more complete analysis for your reading enjoyment soon; but the bill clearly intends to require that as little data about an individual is collected as possible, and give individuals a right to know how their information is being used. At first reading, the bill does not provide a private right of action, but does contemplate a self-regulatory program, perhaps a nod to the industry initiative that is highlighted in a recent Legal Bytes posting "OBA Self-Regulatory Initiative Gets Boost from Yahoo! & Google." You can search for privacy, behavioral advertising and/or self-regulatory on our site and you will find more about this on the Legal Bytes blog.

It may be too early to tell just how much faith Congress has in the industry initiative. That said, it would seem somewhat foolish – given that the FTC and many Congressional leaders have argued for and applauded industry self-regulatory measures – not to afford an industry-sponsored, dynamic, self-regulatory program, a chance to work. As we’ve seen so many times before, along with the technology, consumers’ expectations of privacy, their tastes, commercial needs and sensitivities often change rapidly.

As always, if you need guidance for your advertising and marketing efforts, or privacy and data-protection counsel from lawyers who have experience and resources aligned to deal with these issues every day, feel free to call me, Joseph I. (“Joe”) Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

Italian Courts Order Yahoo! Italia To Keep the Links Missing

I picked up an interesting article published today in the International Law Office, and since the article is listed in the category of Information Technology, I thought some Legal Bytes readers with international interests and activities that are "content," "search" or "link" related might not see it.

The article summarizes a case in which Yahoo! Italia was held responsible for failing to remove links to infringing versions of a motion picture – thus, in the court's view, resulting in contributory liability. What is also of interest is that the Italian court ordered Yahoo! in Italy to not only remove links to websites that "served" the allegedly infringing content, but also to remove any other websites that contained links to the websites serving that content – even if those websites had other links or provided other legitimate content, features and functions. Such a decision could have far-ranging implications since it goes to the heart of the ripple effect that linking has on legitimate content-sharing. It also raises the chilling specter of restricting access to otherwise legitimate, non-infringing content, features and functions based on a finding that there is a link to infringing material.

While one can make the case that such strong enforcement helps deter and ultimately prevent infringement, the breadth of the decision and the fact that a rights-holder can simply send a notice without requiring formal "proof" of infringement, means every link to every website that connects to an offending website could potentially be forced to de-link, and arguably bears some liability for contributory infringement. Think of the connections on social media, embedded players and links on the web – Wow!

If you want to read the entire article, you can access it right here Yahoo! Italia liable for searchable content. And as always, if you need advice from a U.S. lawyer who has done work with Italian companies and legal colleagues in Italy, call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

Federal Grand Jury Seeks To Open Pandora's Box

Knock Knock. Who's there? Andover. Andover who? Andover those records Pandora.

So Pandora Media, Inc., the company that brings us the popular Pandora® Internet Radio, has reportedly received a subpoena from a federal grand jury looking into the practice of information-sharing involving smart phone applications. Pandora did indicate, however, it had been advised it was not a target of the grand jury investigation, and that it believed the legal request for the production of information had been served on an "industry-wide basis" to many other smart phone application publishers. Not much else is known about either the specific subpoenas (or is the correct Latin, "subpoenae"?) or the nature or focus of the federal investigation; but guessing that it relates to the sharing of information about location-based target-marketing practices, and the disclosure of information by and among ad publishing networks, can't be far from the target.

The Advertising Technology & Media law practice group, in conjunction with our global regulatory practice and litigators when we need them, has experience in dealing with such subpoenae (or is the correct English "subpoenas"?). Think about knowing how to respond before you get served – with a subpoena or on a platter. OK. I'm still in the April Fool's Day spirit. What can I say?

OBA Self-Regulatory Initiative Gets Boost from Yahoo! & Google

Back in 2009, Legal Bytes reported that a coalition of the major players in the online advertising industry had gotten together and issued self-regulatory principles concerning online behavioral advertising (Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles). These principles were and remain intended to create an industry self-policing mechanism that provides, among other things, discipline and disclosures to consumers concerning the use of personal information.

Amidst much activity and debate – the good, the bad and the ugly – the industry has moved forward, creating a Digital Advertising Alliance ("DAA") (and website), and enlisting the aid of the Council of Better Business Bureaus to develop and implement an enforcement process, much like the process that has worked quite successfully in traditional advertising for well more than 30 years! By the way, for the record, I refer to online behavioral advertising (OBA) as "digital behavioral advertising" or "DBA," since excluding mobile and wireless would be a mistake, and "online" conjures up images of "wired."

In a major show of support for the self-regulatory initiative, both Google and Yahoo! have announced they will begin using the "forward i" icon (shown below), promulgated by the DAA for its behavioral advertising.

Aside from the obvious boost to the industry's self-regulatory efforts, the uniformity will help lessen the likelihood of consumer confusion regarding industry practices across the web. The DAA icon will also serve as a live link, taking users to user-based tools that a consumer can use to modify the behavioral and identified interest categories advertisers use to serve targeted advertising. The tools would also enable a consumer to opt out of receiving such advertising. Yahoo! actually will prevent partner sites from collecting consumer data if a consumer opts out, while Google will disable interest-based cookies and remove demographic and interest-related information from its Chrome browser when a consumer opts out.

Neither the industry's self-regulatory program, nor the consumer tools available through the DAA's program, were ever intended to stop data tracking (as you probably know, "do not track" is getting lots of play in Congress and the media lately). Microsoft and Mozilla have separately introduced modifications to their IE and Firefox browsers (i.e., HTTP header settings) that allow consumers to alter the settings and alert advertisers that they have opted out of tracking; although the settings do not block tracking per se, they will simply serve as notice to the companies that may be tracking user data of that consumer's preference.

As always, if you need guidance for your advertising and marketing efforts or privacy and data protection from legal representatives who deal with these issues every day, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

I See Paris, I See France: Google's Street View Draws French Fine

On December 20, 2010, a Legal Bytes blog entitled Look! Out the Window! It's a Peeping Tom! No, It's Google Street View noted the problems Google was facing as a result of a faux pas in connection with its Street View automobiles roaming the streets equipped with cameras. As we reported earlier, Google's picture-capturing vehicles appear to have accidentally gathered data over unsecured Wi-Fi systems in more than one country and city around the globe – including France.

Although Google agreed to delete the Wi-Fi data collected accidentally and has apologized, if one picture is worth a thousand words, France has apparently decided that Google's pictures were worth about €100,000. This is reportedly the highest fine imposed by the CNIL (the National Commission for Information Freedom – the French data-protection regulatory body) since it was given the authority to levy financial penalties in 2004. The financial sanctions were levied because Google's activities were considered to be "unfair collection" of data under French law, data that Google was able to collect for economic advantage. The "accident" resulted from some "sniffing" programming code that ostensibly carelessly found its way into the equipment capturing Street View data in the cars as they roamed highways and byways.

While other countries are considering fines and investigations that are on-going, some countries (e.g., the United States) have apparently dropped the investigations or are not considering penalties at this time. This is not the last we will hear of location-based or geo-targeted information raising an uproar, as people "check in" and the surveillance society becomes closer to reality than we often care to admit. The law and regulation are not harmonized around the globe, and many regulators and laws don't even adequately address the problem – often created because, like so many other issues in our digital world, some information is being shared voluntarily, some is not, and some is a blend.

As always, if you need advice and counsel about your own advertising and marketing efforts, or privacy and data protection guidance from legal representatives who deal with these issues – in the United States and around the globe – every day, feel free to call me, Joseph I. ("Joe") Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

Adwords Add Nauseum - What if the Jabberwock Wrote Blogs

The Adword Lawsuit

Now D (Defendant) buys competitor's words from a search engine, you see.
What words do they buy? Just brands that are popular - with you and with me.
They buy words I might search for when I am looking for thee. 
When we search for P's (Plaintiff) product, they also find me.
D's product and brand pops up with such glee; a sponsored link for consumers to see.

Now P gets really mad, call the lawyers, they do,
P's marketers scream loudly, "Go sue, yes, let's sue."
So do what they might and do what they may,
The lawyers do sue, in court we shall have our day! 

But wait just a moment, says the court to party P,
In order to win, two things prove for me,
Did D "use the mark in commerce" for all the world to see
And can you prove that buyers, from deception and confusion are free?

Well maybe I can and maybe I can't, says P not quite funny.
But Your Honor, you do know I've invested huge sums of money.
With branding and ads placed in time and in space, 
How can D be permitted to stand in my place?
If a "mark" I invest in, an intellectual property right,
Surely you will protect my investment before calling it a night!

Not so, sayeth the court and much to Plaintiff's fright.
'Tis only deception we courts should set right.
The mark is intellectual and property we know,
But in "adword" competition, deception is as far as we go.
So P left the stage, bloodied but resolved to fight another day,
But so far and at this point, the Ninth Circuit says "no way."


The English Translation

Consider the case of Network Automation, Inc. v. Advanced Systems Concepts [No. 10-55840 (9th Cir. 3/8/11)]. Network Automation sells scheduling and management software under the brand name AutoMate. Its competitor, Advanced Systems Concepts, has a product called ActiveBatch. Now in 2009, Network Automation purchased keywords, including "ActiveBatch," from Google and Bing. When consumers searched for "ActiveBatch," the displayed results carried a sponsored link to Network Automation's website. Naturally, Advanced Systems demanded Network Automation stop using its name as an advertising keyword, claiming the use infringed its intellectual property rights. Network Automation refused and Advanced Systems sued.

In order to prevail, traditional trademark law says Advanced Systems must show that the mark was "used in commerce" and that consumers of these competitive products are likely to be confused. I won't bore you with the legal machinations leading up to the ruling last week, but first the Ninth Circuit clearly joins the Second Circuit in stating the purchase of adwords is "use in commerce" for purposes of trademark law (the Second Circuit made a strong statement to that effect in Rescuecom v. Google Inc., 562 F.3d 123, 127 (2d Cir. 2009)). But what about the likelihood of confusion?

Here, Advanced Systems failed to convince the court that a "sophisticated" Internet consumer (the target consumer for this product) was likely to be confused by the keyword advertising strategy. "A sophisticated consumer of business software exercising a high degree of care is more likely to understand the mechanics of Internet search engines and the nature of sponsored links, whereas an un-savvy consumer exercising less care is more likely to be confused," the ruling states.

While intellectual property lawyers will themselves review the Ninth Circuit's distinction between the Sleekcraft factors used to determine likelihood of confusion (named from AMF, Inc. v. Sleekcraft Boats, 599 F.2d 341 (9th Cir. 1979)) and those used in the Brookfield case (Brookfield Communications, Inc. v. West Coast Entertainment, 174 F.3d 1036 (9th Cir. 1999)), you should know the Ninth Circuit felt the right factors to consider in competitive adword cases are: strength of the mark, evidence of actual confusion, type of goods, the degree of care likely to be exercised by the purchaser, and the appearance of the ads and surrounding context on the screen displaying the results.

But wait a minute. If the brand owner has invested significant time and money building brand recognition and a strong mark, shouldn't it be entitled to protection? Put another way, if a trademark is intellectual PROPERTY, don't I have the right to protect my asset and not give the alleged "infringer" a free ride on my investment? Well the Ninth Circuit seems to be saying "no, you don't." 

The court reasoned that trademark law focuses on protecting the consumer (and correspondingly the trademark owner) from the likelihood of confusion. Even though, over the past decade (inspired by cases like Brookfield), companies sought to emphasize the "property" aspect of their marks - protecting their investment and asset value – this court feels that is not the right approach. With this ruling, the Ninth Circuit appears to dismiss the property or asset "value" and investment argument, and makes a fairly clear statement that the rationale for protecting trademarks and the basis of permissible legal action still remains consumer deception and confusion. "Did D 'use the mark in commerce' for all the world to see, and can you prove that buyers, from deception and confusion are free."

For these judicial combatants, it means Network Automation can keep advertising on search engines using keywords that include the name of Advanced Systems and its products. Want to read the case for yourself? You can download your own personal copy and read the entire Ninth Circuit decision in this case right here: Network Automation, Inc. v. Advanced Systems Concepts. Need help? Contact me or the Reed Smith attorney with whom you regularly work.

That Face is Written All Over Your Expression - Facebook Adds Ads

Hi. Do you like Legal Bytes? Have you told friends about Legal Bytes? Shared the link with at least 10 friends and colleagues? Have you told anyone about an article, a Useless But Compelling Fact or perhaps a Light Byte on Legal Bytes? Well, have you? I mean do you REALLY like Legal Bytes? If you do, please click the icon now:

What? Nothing happened? Well, that's right. Nothing happened. Sorry to disappoint you, but aside from the satisfaction of reading very exciting and timely postings; thoroughly enjoying the insights; admiring the wit and wisdom of the authors and editor; and, we hope, feeling enlightened and mildly entertained – this is, after all, a legal website, and you get nothing. We don't even publish comments or invite debates – that's not what Legal Bytes is about. Oh, and we don't use your name or email address. We just want you to read, and we thank you!

Not so any more on Facebook; and although I have been given absolutely nothing and have had no contact with any of the following companies about this or any other blog posting, here goes:

Have you been posting nice things on your friends' Facebook pages about your morning Starbucks coffee or perhaps checking in at Steamboat Springs, eager to hit the slopes? Have you felt compelled to comment to a Facebook friend that you just bought a new General Motors Cadillac and how great it now looks and drives? Has your Twitter feed, your LinkedIn comment, or your Digg dig shown up on Facebook, remarking about the lovely feel of Procter and Gamble's Charmin bathroom tissue? Perhaps you have been browsing the official Facebook pages of MTV or Coca-Cola, or marveling at Kellogg's Cares? Like what you see? Well just click the "Like" icon at the top of those pages to let them and the world know.

Advertisers will now be able to take your nice posts, comments, remarks and words – those messages posted about brands – or your "like" clicks, and turn them into advertisements and "sponsored stories" for your friends to see. Although they won't be edited – not even the advertiser will be able to do that – postings on your wall that now show up on your "friends'" news feeds will now also show up on your friends' home page, right along with the other advertisements – more noticeable and conspicuous to be sure.

Although you won't be notified it's happening and you can't opt out, don't worry about someone stealing your words or preferences. The ad will have your name and profile photo, and will appear as an advertisement, along with the others, only now labeled as a "Sponsored Story." Going one better than "word of mouth," your posts, your check-ins and your likes will be as plain as the expression on your Facebook. According to what we have read, Facebook has stated that "A sponsored story never goes to somebody who's not one of your friends."

So far the griping has not been whether Facebook has the right, or even about keeping the ads limited to Facebook "friends" who already can see your postings. It's been about not being told that my "check-in," which enables me to connect with others while I'm on the move, is now going to be used to "promote" the places I check into – without my approval or without me necessarily knowing. If my neighborhood diner is going to get an endorsement (explicitly or implicitly), do I get royalties (or a complimentary egg-white omelet)? Listen up, Converse, I need a new pair of sneakers. 

Mobile Marketing & Privacy - Gnus from DataGuidance

In connection with an announcement by the Mobile Marketing Association, Joe Rosenbaum was interviewed by London-based Rita Di Antonio, Journalist and Editor of DataGuidance (and Managing Editor of Data Protection Law & Policy), a publication of Cecile Park Publishing Ltd. You can read the article, "MMA to discuss 'comprehensive mobile privacy guidelines' during January forum," online, or download your own copy in PDF format.

Look! Out the Window! It's a Peeping Tom! No, It's Google Street View.

The recorded legal enforcement of privacy dates back to at least 1361, when the Justices of the Peace Act in England provided for the arrest of Peeping Toms and eavesdroppers. In the 1760s, English Parliamentarian William Pitt wrote: "The poorest man may in his cottage bid defiance to all the force of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storms may enter; the rain may enter – but the King of England cannot enter; all his forces dare not cross the threshold of the ruined tenement." Translation: One's home is one's castle.

The right to be free from unlawful searches and seizures and intrusions into one's home is among the earliest expressions of the legal right to privacy. Today, privacy has been woven into the fabric of the laws and regulations of most countries throughout the world. The Preamble to the Australian Constitution states: "A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both state and private organizations to intrude on that autonomy. Privacy is a key value which underpins human dignity and other key values such as freedom of association and freedom of speech. Privacy is a basic human right and the reasonable expectation of every person." The 1948 Universal Declaration of Human Rights may well be the first multi-national, international legal document moving privacy to the level of a legally enforceable principle, noting that no one should be subject to arbitrary interference with privacy, family, home or communication, nor attacks on honor or reputation, and that each individual should have the right to legal protection against such interference or attack. In 1965, the Organization of American States proclaimed the American Declaration of the Rights and Duties of Man, which called for protection of numerous human rights, including the right of privacy.

We've come a long way. Today, Google's Peeping Toms are roving street cars equipped with cameras and are allegedly violating privacy rights left and right as they roam through your neighborhood. If you hadn't heard, Google reported earlier this year that in the course of its Street View automobiles roaming the streets of cities in more than 30 countries, its picture-capturing vehicles had also accidentally gathered data over unsecured Wi-Fi systems. Oops! Some of Google's woes stem from mistakenly collecting data it allegedly should not have, although many privacy advocates and some regulators are protesting the actual picture-taking itself – even though the streets are public – not just the inadvertent capture of such data. Google has agreed to delete Wi-Fi data collected accidentally and has apologized (e.g., New Zealand, United Kingdom) for collecting personal data (e.g., personal emails, passwords) from wireless networks.

Although this past October (2010), the FTC in the United States indicated its inquiry into violations of privacy by Google's Street View cars was ended – noting that Google had made efforts to increase its privacy and security processes and compliance procedures – Google is still facing a slew of questions, objections and government inquiries. Inquiries remain pending from attorneys general in a number of U.S. states, and at last count, about six or seven actual or putative class-action suits were pending.

In Germany, regulators have forced Google to agree to allow individuals to opt out of Street View and, when doing so, there will be computer-generated pixelation of their houses, instead of a photo, effectively blurring detail. Even with Google's recent actions to bolster its compliance and sensitivity to privacy concerns, German investigators may still pursue investigations and violations. Indeed, investigations are also underway in Australia, France, Ireland, Italy and Spain.

In the "you can't make this up" category on the subject, Legal Bytes recently saw a report that a woman in Japan is suing Google for about $7,000 for psychological damages because images of her underwear have appeared on the clothes washing/drying line outside her home displayed on Google Maps. Mainichi news service in Japan reports that part of her allegations state: "I was overwhelmed with anxiety that I might be the target of a sex crime. It caused me to lose my job and I had to change my residence."

When do public photographs become grist for the Peeping Tom mills? What about government surveillance? Satellite photos? Drone imagery? I, for one, am giving up sunbathing on the roof from now on!

Privacy is a dynamic and evolving concept – one not uniformly dealt with or perceived around the world, or even within nations. Privacy is often blurred with identity issues or security principles, in some cases overlapping and in others just emotionally charged rhetoric. Witness the recent FTC and Department of Commerce reports, each ostensibly dealing with "privacy." You can read about it on blogs posted by our Global Regulatory Enforcement Group, as well as right here on Legal Bytes (see, 'Tis The Season To Issue Privacy Reports - NTIA Green Paper, Protecting Consumer Privacy - FTC Issues Staff Report and Privacy & Data Security Bills After the Midterm Elections), or search "privacy" in the search box in the left side navigation bar. But there is no substitute for getting the advice, counsel and guidance about your own particular situation from legal representatives who deal with these issues – in the United States and around the globe. So if you do need assistance, call me, Joseph I. ("Joe") Rosenbaum, global chair of Reed Smith's Advertising Technology & Media law practice, or any of the Reed Smith attorneys with whom you regularly work.

'Tis The Season To Issue Privacy Reports - NTIA Green Paper

Just a few moments ago, in their own words: "The Commerce Department Office of the Secretary, leveraging the expertise of the National Telecommunications and Information Administration ("NTIA"), the Patent and Trademark Office ("PTO"), the National Institute of Standards and Technology ("NIST"), and the International Trade Administration ("ITA"), has created an Internet Policy Task Force to conduct a comprehensive review of the nexus between privacy policy, copyright, global free flow of information, cybersecurity, and innovation in the Internet economy." That introduction prefaced the release by the NTIA of its "Green Paper" (which you can download and read), Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.  The Federal Register notice of this paper will seek public comments, noting that they will be due on or before January 28, 2011. 

While Legal Bytes and Reed Smith will digest the report more thoroughly and report to you in the days and weeks ahead, the report at first blush focuses on four major themes:

  • Support for Fair Information Practices Principles (FIPPS), noting the need and importance of greater transparency, consumer control and data security
  • Support for self regulation
  • Creation of a national Privacy Policy Office to coordinate voluntary, enforceable, self-regulatory programs
  • The need for greater harmonization of privacy laws and self regulation internationally

Stay tuned for further information and analysis, but if you want to be part of the conversation; if you feel you should have a voice in the discussion and are considering submitting comments; or if you simply want to better understand the implications, the interplay between this report and the recently released FTC report (see Protecting Consumer Privacy - FTC Issues Staff Report, posted on Legal Bytes December 2, 2010), please don't hesitate to contact me, Joe Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

IMHO - Wiki Wiki True to Its Meaning

According to Tech Terms, "wiki" comes from the Hawaiian phrase "wiki wiki," which means "super fast." I guess if you have thousands of users launching denial of service attacks (see below) against targeted web sites – well "super fast" spells super trouble. Which has prompted me to write this article "IMHO" (in my humble opinion) – IMHO being a social media nod to the kewl gnu SMS lingo.

So, doesn’t it seem as if this WikiLeaks thing has gotten out of hand? Now in fairness, in my view there are intelligent points being made on both sides of the issues – national security is important; so is freedom of the press and speech. There are also rights and responsibilities on both sides of the issues – private censorship is not something that sits well with those of us who value the right to hear and voice differing opinions and thoughts; yet using a "free speech" argument to allow someone to scream fire in a crowded theatre – even when none exists - can cause harm to innocent people and is, again in my view, irresponsible, if not illegal.

So if you have been following this Wikileaks issue, you already know about the leak of U.S. diplomatic cables by or through WikiLeaks, and unless you have been living under a rock, you have also noticed the arrest of WikiLeaks founder, Julian Assange. All of this has resulted in a dramatic and well-publicized series of "cyber attacks" from "hacktivists" primarily using a disruptive technique known as "denial of service attacks."

Curiously, the arrest of Mr. Assange in London has nothing to do with the current controversy over confidential and sensitive material that is giving rise to the tensions across the Internet. Mr. Assange's legal problems stem from an international warrant issued by Sweden, where he is accused of rape, molestation and unlawful coercion by two women in connection with sexual encounters he reportedly had while he was in Sweden last summer. Mr. Assange apparently confirmed the encounters, but he has denied the allegations of assault, and he has not yet been formally charged in either of the women’s cases.

The disruptions on the Internet and outcry against his treatment (or the treatment of his company) are not about his personal problems, but rather have taken on a life of their own as a poster child for the principle of "information needs to be free." Somehow, WikiLeaks has become a symbol, a rallying cry, for the cause of free speech and information transparency, being championed by activists around the world, the activities of some of whom have allegedly already resulted in:

  • The Swedish government website was offline for several hours, and arms of the Swedish postal service, the websites of Swedish prosecutors, and at least one lawyer, were the targets of attacks. 
  • Both MasterCard and Visa, whose banking and financial institution members stopped accepting payment transactions in support of either WikiLeaks or Mr. Assange’s defense, were subject to attack (e.g., reportedly Visa’s website and MasterCard's "secure code" system were affected – in the case of MasterCard, apparently preventing some online transactions from being processed for several hours).
  • Just today we read of allegations and reports that Sarah Palin's credit card information and the website of her political action committee were hacked because she referred to Mr. Assange on ABC News yesterday as "an anti-American operative with blood on his hands," and U.S. Senator Lieberman's website was impaired and anonymous SPAM faxes sent to the Senator's office after he called for an investigation of The New York Times, which had published articles with details of the diplomatic cables leaked by WikiLeaks.

As Mr. Spock, the iconic "Star Trek" character played by Leonard Nimoy, might have remarked well into the future: "Fascinating!" Well the future is now.

So what should you do? First you should read my partner, Douglas J. Wood’s recent opinion piece on Corporate Counsel, entitled "Say Hello to the World's New Sovereign Nations: Facebook, Google and RIM." When you finish, head straight to YouTube and watch the clip (my title) "There's a War Out There" from the incredibly prescient motion picture "Sneakers," with Ben Kingsley and Robert Redford. You might also grab a copy of An Army of Davids: How Markets and Technology Empower Ordinary People to Beat Big Media, Big Government, and Other Goliaths, by Glenn Reynolds. Oh, and in case anyone is thinking about my Legal Bytes post more than a year ago, entitled FTC (Revised) Endorsement Guides Go Into Effect, rest assured I have no interest (other than intellectual) in either my partner’s publication, the motion picture production, or the book or publishing company noted.

It is likely that some of the "attacks" may lead to criminal prosecution or civil litigation, or both. It is also likely that companies and governments may rethink their security and dependence on digital technology, as well as their activities and responses to events such as these. Protests of this nature, irrespective of one’s view or one's "side," are now occurring on a scale, orchestrated by individuals dispersed throughout the globe, in a manner that might make taking to the streets or holding passive sit-ins or hunger strikes in the halls of legislative bodies passé. Further, the effects of such activities on innocent people should not be underestimated. While the United States holds dear the Constitutional rights of free speech and freedom of the press, that does not include the right to create panic or harm or injury to others. There is a line between voicing one’s support and opinion, freely heard in the blogosphere, and illegal conduct that damages persons and property.

So after reading this and the references cited, ask yourself the following question: Is this a technology problem? A political problem? A national security problem? A public relations problem? A legal problem? It is probably worth noting, since my partner Doug Wood mentioned it after reading a draft, that the freedoms of speech and the press (and assembly, etc.) that are embedded in the U.S. Constitution are not the norm around the world. We often lose sight of the fact that these rights (and the passion and zealousness with which we cherish them and defend them) are not the global norm – yet. But, technology has enabled activities and communication unimaginable in the past. It can be a force for good or bad - sometimes both. Now comes the revolution? Fascinating! But that’s just my opinion.

Joseph I. ("Joe") Rosenbaum is a partner in the New York office of Reed Smith, global chair of its Advertising Technology & Media law group – oh, and is the editor, publisher and often author of posts on Legal Bytes.

Protecting Consumer Privacy - FTC Issues Staff Report

This post was written by Paul Bond, Chris Cwalina, Amy Mushahwar and Fred Lah.

The FTC just released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This preliminary staff report proposes a major change in U.S. privacy law. The FTC is accepting comments on this report until January 31, 2011, and if you could be affected by these changes and would like to submit comments, or if you are considering submitting comments to the report (or perhaps you aren't sure if you should), Reed Smith can help. While we are still reviewing the 123-page report in depth, we wanted to share a few thoughts from an initial reading.

The report proposes a major change in the framework of U.S. privacy law, stating bluntly: "Industry must do better." The report notes, among other things:

  • Notice-and-consent doesn't work. People don't read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible."
  • Waiting for harm to consumers isn't an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Privacy harms include reputational harms and even the emotional harm of having one's information "out there," or "fear of being monitored." The new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch, in his concurrence, notes "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation is too little, too late, and has failed to provide adequate and meaningful protection.

The report challenges a number of privacy and security assumptions. The report:

  • Casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (PII) can be culled from "non-name" information (e.g., IP addresses, other unique identifiers). The distinction between PII and non-PII is, the report says, "of decreasing relevance." Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer or other device."
  • Purports to apply in the online and offline world, and not only to companies that work directly with consumers.
  • Suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates no matter what the industry, universalizing the consumer notice requirements that previously only applied to certain highly regulated industries (e.g., telecommunications, education, health care, financial services), or certain types of sensitive data (e.g., credit data, bank accounts, medical records).
  • Distinguishes between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, using data to aid law enforcement, or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers, but ALL other data practices (e.g., behavioral advertising and deep packet inspection that are explicitly named as not commonly accepted data practices) would require notice and consent in a form easy to read and understand, ideally provided to the consumer when the consumer enters his or her personal data. The report suggests opt-in consent be obtained prior to implementing any material changes to company policy that would apply to data collected under a prior privacy policy.
  • Suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers, and that consumers be given "reasonable access" to their data.
  • Notes that appropriate data-retention periods should be a legal requirement. The report cites geolocation data as especially important to phase out.
  • Endorses a "Do Not Track" mechanism, recognizing that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but it recognizes a browser-based solution – similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not indicated if opt-in or opt-out would be the default browser setting for any browser privacy technology deployed.

So what should businesses do?

First, companies should carefully review the report and all the questions made open for public comment. These are listed in Appendix A to the report, but additional questions are posed in the Commissioner dissent statements.

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen and often address business concerns. But you must be heard. Trade associations are a good place to start, but individual company voices are important, especially if you have unique issues that should be addressed.

Third, now is a good time for you to pull back and consider your privacy policies, practices and programs, and the extent to which privacy is incorporated into your everyday business practices. The report suggests every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services."

You can read and obtain a copy of the FTC's full report here

If you need help, want more information, want to comment, or simply require some guidance – whether counsel or representation – in an area that is of critical importance to businesses and consumers, please don’t hesitate to contact Paul Bond, Chris Cwalina, Amy Mushahwar, Fred Lah or me, Joe Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work.

Privacy & Data Security Bills After the Midterm Elections

The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the current ambitious privacy and data security legislative agenda. Reed Smith Washington D.C. Data Privacy, Security & Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security.

Transcending the Cloud - Tying Up Cloud Antitrust Issues in a Bow

As you know, we have been updating our Cloud Computing initiative with a consistent stream of information – new chapters and white papers intended to provoke thought, stimulate ideas and, most of all, demonstrate the thought leadership Reed Smith attorneys bring to bear when new and important trends and initiatives in the commercial world give rise to new and interesting legal issues. Often, especially when words like "privacy" and "security" are thrown about, it becomes easy to overlook some of the other issues lurking in the background.

So here, from Jeremy D. Feinstein, is a glimpse at some antitrust issues. This next chapter in Reed Smith's on-going series, "Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing," is titled "Tying Up the Cloud," and seeks to give you some insights into the potential antitrust and competitive issues that even customers should be aware of, if not concerned with, when considering entering the cloud.

As we continue to do, we have updated the entire work so that, along with the single chapter on "Tying Up the Cloud" applicable to antitrust, you can now access and download the PDF of our complete "Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing" compendium, up to date and including all the previous chapters in one document.

Feel free to contact Jeremy D. Feinstein directly if you have any questions or require legal counsel or assistance related to competition or antitrust. Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information. Of course, if you ever have questions, you can contact me, Joseph I. ("Joe") Rosenbaum, or Adam Snukal, or any Reed Smith attorney with whom you regularly work.

Transcending the Cloud - Cloud Coverage (Insurance for a Rainy Day)

As part of our Cloud Computing initiative, we promised to tackle some issues that have seen little coverage elsewhere and can often be overlooked in the “technological” arena. Here is a look at the insurance coverage issues representing our next chapter in Reed Smith’s on-going series, “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing.” This White Paper and Chapter takes a look at the insurance coverage implications of cloud computing, and is aptly titled “Cloud Coverage.”

We would like to thank Richard P. Lewis and Carolyn H. Rosenberg for their thoughtful and practical insights and effort. Feel free to contact them directly if any questions arise or if you need help or more information. As we continue to do, we updated the entire work so that in addition to the single chapter on “Cloud Coverage,” you can access the PDF of our “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing” compendium, receiving a complete update, including this one on insurance coverage.

Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information. Of course, if you ever have questions, you can always contact me, Joseph I. (“Joe”) Rosenbaum, or Adam Snukal, or any Reed Smith attorney with whom you regularly work.

Transcending the Cloud - The German Perspective

As part of our Cloud Computing initiative, we take a step over to Europe and proudly present our next chapter in Reed Smith’s on-going series, “Cloud Computing - A German Perspective.” This white paper and chapter takes a look at cloud computing from a German and, to some extent, potentially representative European perspective. It’s a refreshing look at both some legislative and regulatory implications, as well as a view from outside the United States.

We would like to thank Thomas Fischl and Katharina A. Weimer in our Reed Smith Munich office for their insight and effort. Feel free to contact them directly if any questions arise or if you need help or more information. As we continue to do, we updated the entire work so that when you access the .PDF of our “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing” compendium, you will receive all of the sections, now updated with this chapter from Germany.

Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information. Of course, if you ever have questions, you can always contact me, Joseph I. (“Joe”) Rosenbaum, Adam Snukal, or any Reed Smith attorney with whom you regularly work.

Every Cloud Has a Lining - Maybe a Legal One

Stimulated by the recently launched Reed Smith Cloud Computing initiative, Joseph I. ("Joe") Rosenbaum was interviewed by CFO U.S. reporter David McCann, and in the August 10, 2010, Today in Finance section, you can read the entire interview, "The Cloud's Legal Lining".

You can also read and download a current copy of all of the white papers in our ongoing series, "Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing." Be sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with the latest and most updated version, as new white papers on additional topics are released. Of course, if you have questions, you can always contact Joseph I. ("Joe") Rosenbaum directly, or the Reed Smith attorney with whom you regularly work.

E-Discovery in the Cloud: Next Installment in Transcending the Cloud

As part of our Cloud Computing initiative, we are proud to present the next installment and chapter in our on-going series, "Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing." This White Paper and Chapter, entitled E-Discovery in the Cloud, takes a close look at some of the challenges that lie ahead in the world of discovery, when information and applications are processed, stored, accessed and used in a cloud-computing environment.

We would like to thank Jennifer Yule DePriest and Claire Covington for their hard work in putting this together, and you should feel free to contact them directly if any questions arise or if you need help or more information. As we have in the past, we have also updated the entire work so that when you access the PDF of our "Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing" compendium, you will receive all of the sections, now updated with this "E-Discovery in the Cloud" chapter, and you will have our updated and growing body of legal and regulatory insight into Cloud Computing.

Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information. Of course, if you ever have questions, you can always contact me, Joseph I. ("Joe") Rosenbaum, Adam Snukal, or any Reed Smith attorney with whom you regularly work.

Cloud Computing: 'Transcending the Cloud' Adds Government Contracting Case Study

Last week, Legal Bytes announced Reed Smith’s new global initiative, Cloud Computing. With that announcement, the Task Force released the first three in a series of white papers entitled, “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing.” We also promised to release “case studies” shortly after the white papers, to demonstrate how the insights in each paper have practical implications through case study examples.

Here is the first: A case study on government contracting, now attached to the white paper entitled, “The Risks and Rewards of a U.S. Federal Government Contractor Employing a Cloud Service Provider to Perform a Federal Government Contract,” authored by Lorraine Campos, Stephanie Giese and Joelle Laszlo. Contact them if you need to know more about this important area of cloud computing.

We will update each individual paper, as well as the compendium, as each paper, case study and update is released, so make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with the latest information. Of course, if you ever have questions, you can always contact me, Joseph I. (“Joe”) Rosenbaum, Adam Snukal, or any Reed Smith attorney with whom you regularly work.

'Transcending the Cloud' - Reed Smith Announces White Paper Series & Legal Initiative on Cloud Computing

This post was written by Joseph I. Rosenbaum, Adam Snukal and Douglas J. Wood.

For those of you who have wondered why Legal Bytes has been so quiet recently, it’s because I, and my colleague Adam Snukal, have been hard at work coordinating and putting together a new initiative – Cloud Computing.

Today, we are proud to announce the launch of a new Reed Smith initiative focusing on Cloud Computing and showcased with our new series of white papers entitled, “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing.”  The term “cloud computing” is showing up with greater frequency, but there is still much confusion and unawareness of what it means, and, more significantly for our purposes, how it is affecting and will increasingly affect you.  In the decade ahead, cloud computing likely will affect everyone, from major multinational corporations to consumers; from governments to the local grocery store. 

But cloud computing, like social media, is ultimately not about technological innovation or novel or transformative invention – it is about changing the fundamental nature of our relationships and how all of us access and use information and application programs: at work, in school, at play, as we shop and as we grow.  Cloud computing is transformative because it will enable anyone, anywhere and at any time, to access, use and create information and content – whether working on a spreadsheet, collaborating on a graphic design, creating an online gaming program, searching for a new restaurant, streaming music, or watching a motion picture – independent of a robust processing device.  No longer tied to desktops, laptops or proprietary pieces of equipment – just plug into the wall, as you would for electricity, and it’s there.  All you need is the ability to enter commands (input) and to display and receive (output) the results.  No plugs, no problem.  Just as sending and receiving transmissions wirelessly occur today, so too will the devices that access the cloud. 

In this brave new world, there will be new providers, new economic models, new access plans, and broadened capabilities, at differential pricing.  On demand, subscription, tiered pricing (anyone remember the timesharing companies of the late ‘60s and ‘70s?) will likely return to fashion in a world of cloud computing.

As mentioned above, the Cloud Computing Task Force at Reed Smith has created a series of white papers – collectively entitled “Transcending the Cloud: A Legal Guide to the Risks and Rewards of Cloud Computing” – to elucidate the opportunities and dangers, the risks and rewards of cloud computing.  Our collection of white papers will cover cloud computing issues you may have heard little about, but that are and will be no less significant.  Will we still need backup on our devices?  What about cloud insurance?  New economic and business models mean – yes, you knew this was coming – new taxes.  What about security and privacy and data protection in the cloud?  We will worry about standards and interoperability.  No one provider can possibly cover the world or a world of data and applications – mobile phone carriers interexchange based on regulations over decades; Internet protocols evolved to ensure that email and other providers would enable individuals to communicate regardless of proprietary networks or email programming.  Will clouds evolve the same way?  Will there be barriers to entry as a cloud provider?  Infrastructure is expensive; global capability more so.  Providers will vie for cloud apps.

Our approach is also unique.  Today, we are launching our initiative with an introduction and three exciting new introductory white papers, all dealing with the cloud: government contracting; tax; and service levels and other contractual performance protections.  We will release case studies in the weeks ahead, providing practical examples based on the white papers and insights into how law and regulation are likely to affect each of these areas.  Where answers are available, we’ll tell you.  Where they are not, we’ll be insightful.  We have assembled a multi-jurisdictional, cross-disciplinary team, a task force of lawyers and professionals dealing with the issues arising in Cloud Computing.  In the weeks and months ahead we’ll keep releasing white papers – antitrust and competition law, e-discovery, litigation, insurance, contract law and regulatory compliance.  We will not only deal with U.S. law, but will also provide you with contributions from our lawyers around the world.  Each release will not only provide an individual chapter that is the subject of the release (today we have Government Contracting, Tax and SLA/Performance Protection), but also an updated comprehensive copy of the growing compendium.  Transcending the Cloud will dynamically provide insights as the industry and challenges grow.  Keep a copy handy.  Make sure you check back for updates regularly.  Join us in the conversation.

I want to thank my colleague Adam Snukal for his steady hand and keen insight in helping me to put this Cloud Computing initiative together.  And Kevin Vaarsi, our marketing guru, who coordinated much of the logistics and the planning for our initiative.  Most important, as you will see today and in the months ahead, a team of Reed Smith lawyers who have invested countless hours and done significant research to contribute these white papers and bring you their insights – none of this would be possible without them, and each paper will have names, contact information and biographical information about these terrific professionals.  As our body of work grows, we will make each white paper available as a separate PDF, but we will also update our “Transcending the Cloud” compendium for those of you wanting a constantly updated and growing body of legal and regulatory insight into Cloud Computing in one place.  Make sure you subscribe via email or get the Legal Bytes RSS Feed so you are always in touch with our latest information.  Of course, if you ever have questions, you can always contact me, Joseph I. ("Joe") Rosenbaum, Adam Snukal, or any Reed Smith attorney with whom you regularly work.

Tension Between Privacy and Digital Behavioral Marketing

A few days ago (April 21, 2010), Joe Rosenbaum made a presentation to the Entertainment & Media Law Committee of the eMIPS Section of the New York County Lawyers Association. The presentation described the legal issues and implications arising from the tension between consumer privacy and online and digital behavioral marketing—a hot topic and an area that continues to spark debate and continues to evolve, as technology persists in being an enabler of greater functionality. You can view or download a .PDF of the presentation right here: Privacy Issues in Online & Wireless Advertising & Entertainment: Brave New World or 1984?

LifeLock CEO May Not Be Giving Out His Social Security Number Anymore

Todd Davis, the CEO of LifeLock, is not the first CEO to appear in advertising, but was probably the first to prominently display his U.S. Social Security Number in full-page ads in major newspapers and billboards across the country. Although these ads disappeared a while ago, the action brought by the Federal Trade Commission and the Attorneys General of 35 states of the United States has now resulted in a settlement valued at $11 million. FYI, the states involved were: Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia. The settlement resolves claims that LifeLock’s advertising was deceptive and misleading and misrepresented the types of services consumers could expect if they become victims of identity theft and their personal information was compromised.

While LifeLock does provide some measure of identity-theft protection, it was apparently not as robust and comprehensive as the advertising might lead a consumer to believe (personal information would be “useless to a criminal”). As a result of the action, not only has LifeLock promised to make changes (or has already made changes) to address the FTC complaint - in its business practices as well as its advertising - but the complaint also named CEO Davis and his co-founder Robert J. Maynard, Jr., who both will be barred from making the same misrepresentations as LifeLock. The $11 million received from LifeLock will provide refunds to consumers who signed up for the service. Information about eligibility and how the redress program will work can be obtained directly from the FTC - LifeLock Redress Program.

FTC Chairman Leibowitz stated: “Consumers received far less protection than they were promised,” noting further that LifeLock’s service was ineffective against identity theft involving existing credit cards or bank accounts. Despite the advertised claims, according to the FTC, LifeLock often did not encrypt data in storage or transmission, didn’t install any antivirus protection software on computers used by employees, and failed to even require strong password protection for employees’ access to systems and files.

The documents were filed by the FTC in the U.S. District Court for the District of Arizona, and you can obtain a full copy of the original Complaint and the Stipulated Final Judgments against LifeLock, Davis and Maynard, right here: Federal Trade Commission v. LifeLock.

The Advertising Technology & Media law practice has lawyers and the resources of Reed Smith’s litigation and regulatory enforcement team to help clients seeking to prevent legal and regulatory problems and, if necessary, defend you if they arise. We have a team of data security and identity-theft lawyers with hands-on experience who know how to respond if a data breach occurs and can counsel you in complying with federal and state requirements. Need to know more? Call Joe Rosenbaum, or any of the lawyers at Reed Smith with whom you work - and, by the way, don’t give out your Social Security Number.

What in the World! Wait a Minute. Which World? Find Out On March 26th.

On March 26, 2010, the Center for Law, Science and Innovation at the Sandra Day O'Connor College of Law at Arizona State University and World2Worlds, Inc., will present “Governance of Virtual Worlds,” a conference held live in the Great Hall at the Sandra Day O'Connor College of Law at Arizona State University and in Second Life™.  For many, an opportunity to save on travel time, cost and carbon emissions.  Audience participation will be facilitated virtually within Second Life, live in the Great Hall at ASU and via a chat-bridge. So you can attend in person and live at The Great Hall of the Sandra Day O'Connor College of Law at Arizona State University, on the web via video and interactive text-chat, or by avatar in the immersive virtual world of Second Life.

Joseph I. (“Joe”) Rosenbaum, Reed Smith partner and Chair of its Advertising Technology & Media Law practice and an Advisory Board Member of the College of Law, is among the panelists participating. The conference will bring together, physically and virtually, a program of experts from academia, legal practice, corporations, governments, and online communities, to present a broad panorama of the state of governance of virtual worlds. 

National and international participation is encouraged and the conference will begin at ASU at 8:00 a.m. PDT (11:00 a.m. EDT), but for those brave virtual warriors there will be a reception starting at 7:00 a.m. Mountain Standard (Phoenix) Time – one hour before the formal conference begins.  If you wish to attend and/or share this invitation with others, here is a:

Déjà vu All Over Again: Online Behavioral Advertising

Just catching up with continuing efforts to educate the legal community on the implications of digital behavioral advertising and the importance of the industry self-regulatory efforts, as well as the dangers of legislation and regulation arising from insufficient or inaccurate information. In November of last year, Cyberspace Lawyer [Volume 14, Issue 10; November 2009], published "Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles," written by Joseph I. Rosenbaum.

The article follows the release, by the major advertising industry associations, of Self-Regulatory Principles for Online Behavioral Advertising, and Legal Bytes had numerous blog postings summarizing the individual principles, as well as an overview (see Self-Regulatory Online Behavioral Advertising Principle No. 7: Accountability that will link you to the others; or simply search "social media" in the keyword search box in the navigation column on the left side of the web page). The Cyberspace Lawyer article consolidates and integrates these summaries into a single article that you can read in that issue, or you can download the article here: "Advertising Industry Collaboration Releases Self-Regulatory Online Behavioral Advertising Principles" [PDF].

Joe Rosenbaum, who edits and publishes Legal Bytes, is general counsel of the Interactive Advertising Bureau (IAB), one of the major industry associations that participated in the development and release of the actual principles. Behavioral advertising can be viewed as another aspect of the social media phenomenon sweeping the digital world, and if you want (or need) to know more, you should know that Reed Smith's Advertising Technology & Media Law Group can help with integrated experience and legal skills, both nationally and internationally. Let us know if we can help you.

Are There Clouds in Your Future?

Check out MediaPost’s SearchBlog yesterday (A Dream Cloud Computes The Future), which recounts the conversation Joe Rosenbaum had with reporter and blogger Laurie Sullivan about the future of cloud computing. Need to know more about the legal implications and issues? Call Joseph I. (“Joe”) Rosenbaum or the Reed Smith attorney with whom you regularly work.

Social Media Could Get You Fired? Really? Well, Yes. Really.

If you aren’t careful, social media can hurt in the workplace, too. While recruiters, college and university admissions counselors, and many others have used profiles, postings, YouTube videos, and other social media platforms to gather information about candidates and prospects—corporations that are now increasingly monitoring their own presence, mentions, and brands in social media are discovering that employees—at work and outside the workplace—can be outstanding goodwill ambassadors, or may be saying a bit too much. In an interview with Laurie Sullivan, reporting in MediaPost News, Online Media Daily describes how Twitter And Facebook Could Get You Fired—because the same rules apply online as offline, but online are magnified by technology. Read the article, and when your company needs to develop a policy or understand how to optimize the benefits and minimize the legal risks, call me, Joe Rosenbaum; or Douglas J. Wood or Stacy Marcus, key lawyers in our Social Media Task Force; or any of the Reed Smith lawyers with whom you regularly work.

Social Media Risks and Rewards

In the wake of our release and distribution of the Reed Smith Social Media Task Force’s groundbreaking white paper entitled “Network Interference: A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon,” Practical Law Publishing has published a summary, prepared by The Social Media Task Force at Reed Smith, available here and entitled, Social Media Risks and Rewards. The published article represents a condensation of the entire white paper, previously announced in Legal Bytes, and which you can still download in its entirety.

As we mentioned, we will be adding, supplementing and updating these materials with even more chapters and new information, and we will soon be launching a special web page dedicated to the evolving social media legal landscape. If you need help navigating this environment, bear in mind that Reed Smith has a Social Media Task Force – a team of lawyers who have experience, and can advise and guide you as the medium and media evolve. Contact me, Joe Rosenbaum, or Douglas J. Wood, Stacy Marcus, or any of the Reed Smith lawyers with whom you regularly work. How can we help you?

When the Fog Lifts, Don't Be Surprised if You Still See Clouds

“If computers of the kind I have advocated become the computers of the future, then computing may someday be organized as a public utility just as the telephone system is a public utility . . . The computer utility could become the basis of a new and important industry.”

                                      John McCarthy, MIT Centennial, 1961

“Cloud computing” is a term used to describe the use of computer resources not solely as a communications protocol (e.g., the Internet), nor solely as a content or transaction host (World Wide Web), but as an application development and information processing service. To help explain further, to send an email, much like using the telephone, it makes no difference who your provider or host is or which carrier you use. There is a protocol that allows interoperability across networks and processors, and as long as the sender and recipient have an email address and access to an Internet connection, the email gets through. On the web, with access to the Internet and a browser (technology that displays content and functionality hosted at a particular Internet address), you can interact with the website – you can see the material displayed and you can "select" (click) to enable certain features.

Today, as a general rule, if you wanted to create, edit, spell check, save, send or share most content or information with someone, unless you plan on typing and formatting a very long email, you still need word processing, spreadsheet or presentation software programs to create and upload (communicate or store for display), or to see and use content that you might download. In a cloud-computing environment, all of these functions are resident in the "cloud." Imagine that you no longer needed a desktop or laptop computer processor, and all you had were input and display devices (e.g., keyboard, mouse, monitor), which you could either carry or borrow wherever you went. Plug into a universal "outlet," enter your unique pass codes and authentication information, and you have everything you need – where and when you need it. Like telephone, electric or gas service, computing becomes a commodity accessible virtually anywhere and anytime, generally priced by usage, the applications, and the amount and type of storage for which you want and need access.

Cloud-computer services can be sold and paid for using plans not dissimilar to phone service – per call, per minute, unlimited, features, functions – and they disaggregate the user, whether individual or business enterprise, from the procurement, maintenance and operations of the underlying processors and software programs. Clouds can be public – made available to anyone on demand (think Wi-Fi registration based hot spots) or private (large companies can operate or arrange to have someone operate a closed-cloud environment). I summarize the basic characteristics of cloud computing as follows:

  • Flexibility – the user can easily modify use, resources, demand, access and virtually every other resource, without the need to purchase or dispose of any equipment or software, other than input and output devices. Increases or decreases in processing, development, storage or other requirements can be managed easily in real time and on an infinitely scalable basis.
  • Cost – commodity or utility pricing lowers user costs. Capital expenditures can be eliminated, license fees reduced and access fees managed more efficiently.
  • Resources – shared resources enable lower per-user, per-unit pricing, and optimization of peak and non-peak loads across user communities. Resource upgrades and enhancements can be amortized across a broad user base, seamlessly and transparently to the user community. Inter-exchange agreements between cloud providers will enable continuity and recovery, load management, and resource backup capability at optimal prices.
  • Independence – time, space and resource constraints become largely irrelevant to the extent Internet or web access is available.
  • Interoperability – absent unique or customized requirements that can be managed separately by the user, standardized applications, development tools and protocols are simpler to maintain and operate, debug, update and support. 

While security and privacy are always a concern – more so where data, in addition to processing capability and storage, becomes more concentrated and accessible rather than distributed – more users and businesses will have the potential benefit of stronger security measures than are currently affordable or in use, to the extent cloud providers can develop and implement strong security standards and protocols within their service offerings.

So who are the actual or prospective players? Well, lots of prognosticators and labelers are out there, but here is my list in basic categories:

  • Providers are those who procure, create, host and manage cloud resources and then sell access, services, features and functions in a cloud environment – wholesale or retail.
  • Users are those who need to use and take advantage of cloud services, features and functions, whether individually or as part of a business.
  • Intermediators are those who create intermediation and aggregation opportunities between and among providers. On the one hand, intermediators can bridge gaps between providers and create interface and sharing environments between or among providers. On the other hand, intermediators may begin finding niches in customizing or aggregating services, features or functions for particular industries or in particular regions.
  • Developers and supporters are those who develop utilities, applications, tools, features and functions to enhance the cloud experience, make additional services and applications available, and who maintain and support the efficient functioning of the cloud environment.

There may be others – my list is not intended to be comprehensive or even definitive. I don’t have a crystal ball, so time and experience will determine what we cannot now predict. Four computers, interconnected to respond to the perceived vulnerability of centralized computing, were the origins of the Internet. Distributed computing represented commercial attempts to amortize costs, decentralize institutionalized information, and enable greater redundancy and recovery capability. Networking and web-based computing gave us the ability to communicate, share and store information across multiple processors and devices through shared protocols. While it’s still too foggy to tell what the future will bring, cloud computing represents the next big innovative thing in making the power of the computer and the Internet easier to use, more available, more interoperable and more cost-effective.

When the fog starts to lift, we may see clouds on the horizon. Whether they are storm clouds or fluffy wondrous sights of joy, I leave to your imagination. Stay tuned. But no matter what your visions of the future may be, if you see a cloud and you aren’t sure what the legal implications might be, please feel free to contact me, Joseph I. (“Joe”) Rosenbaum, or the Reed Smith attorney with whom you regularly work.

HITECH Means High Stakes in First-Ever State HIPAA Lawsuit

Yesterday, the Attorney General of the State of Connecticut filed suit against the Connecticut subsidiary of Health Net, charging it with violations of the privacy and security requirements of HIPAA. The action, filed yesterday in the United States District Court in Connecticut, comes on the heels of a security breach involving medical records and Social Security numbers. The suit also names United Health Group Inc. and Oxford Health Plans LLC, who acquired Health Net of Connecticut but who were not involved in the data breach.

If you forgot, last year the Health Information Technology for Economic and Clinical Health Act (HITECH) for the first time authorized individual state attorneys general to enforce the security and data privacy regulations under HIPAA, and this appears to be the first such action.

The lawsuit claims that Health Net in Connecticut failed to provide adequate security for the medical and financial records of hundreds of thousands of enrolled individuals, and failed to notify them promptly in connection with the breach. The breach, which took place last May, involved the disappearance of a computer hard drive. Health Net eventually reported the breach, posting a notice on its website and starting a staggered process of mailing letters to consumers November 30, 2009, almost six months after the security breach. For those of you involved in the collection, handling, maintenance, or use of personal, financial and medical information covered by HIPAA, new federal rules under the HITECH Act require "timely" notification of certain breaches, rules that have a compliance deadline of February 22, 2010.

Health Net attributed the delay in reporting to its inability to determine exactly what was on the computer hard drive that disappeared, thus not being sure if a notice was even required. One can only surmise that the mere fact that Health Net didn’t know what information was contained on a removable computer hard drive made its reasoning less than satisfactory to the Connecticut State Attorney General. Although Health Net appears to have conceded that the data was not encrypted, it did indicate that the data should not be visible without the use of specific software. However, Kroll Inc., a computer forensic firm retained by Health Net to investigate the breach, reported the data could be viewable with commonly available software.

Privacy, security and data protection of non-public, personally identifiable and sensitive information (e.g., health, financial data) are increasingly subject to stricter rules and regulations. The use of the Internet and the web makes digital information more susceptible to undetected duplication, transmission and access. Not to mention the obvious fact that carrying out millions of pages of records would be impossible, while walking out with a single hard disk or CD-ROM on which the same data and information has been scanned or stored in digital form can be virtually undetectable.

Do you know of any law firm that has a team of privacy and data security, identity theft and data breach legal professionals? A firm that has health care, financial services and insurance specialists, as well as lawyers steeped in digital technology, information security and e-commerce? A firm that has transactional, regulatory compliance and policy-oriented lawyers who can audit current practices and policies, assist in developing mechanisms needed to satisfy regulatory requirements, and provide legal support to help avoid a legal problem, and also regulatory, compliance and litigation professionals who can represent and defend clients if a problem arises? Now you do – Reed Smith. If you need more information, contact me, Joseph I. (“Joe”) Rosenbaum, or Mark Melodia or Paul Bond, or the Reed Smith attorney with whom you regularly work, if you need legal advice, information or support on this subject.

2010 ANA Advertising Law & Public Policy Conference

Join top legal professionals and government regulators March 17-18, 2010 in Washington, D.C., at the 2010 Annual ANA Advertising Law & Public Policy Conference, where you will hear from Jon Leibowitz, Chairman of the FTC and Doug Gansler, Maryland attorney general, as well as leading legal experts both from law firms and client-side marketers.

Connect with key industry leaders and policymakers as we discuss the most volatile and fast-moving legal and political environment for advertising and marketing in decades. Learn about the new regulations, legislation and major court cases that are fundamentally changing the business environment, and how you can keep up!

For the full agenda and to register, go to

Libel Tourism: Will Free Speech Return to the United Kingdom?

[The following article, authored by Michael Skrein and Tom Webley, who are both resident in our London office, reviews the current (and future) state of the UK’s libel multiple publication rule. It was first published as “In Focus. Libel Tourism,” in Legal Strategy Review, Issue 5 (Winter 2009/10), and Legal Bytes gratefully acknowledges and appreciates their permission to re-publish it.]

Media organisations, publishers, journalists and human rights lawyers have, for many years, argued that the UK’s libel multiple publication rule is incompatible with free speech in the modern digital age. This ancient rule renders each publication of defamatory material liable to be sued on as a separate cause of action. That means, for example, that if material remains available online in archives or live websites, the threat of proceedings being issued will hang over the head of the publisher indefinitely. 

The limitation period in England and Wales for defamation is one year from publication. However, under the multiple publication rule, each ‘hit’ on a website is treated as a new publication and can lead to a claim being brought within that time frame. The rule dates back to a case in 1849 which arose when the Duke of Brunswick purchased a copy of a newspaper published 17 years previously. He then sued for defamation over its contents. The new purchase was ruled to equate to a new publication, thereby allowing him to sue. The rule has been applied to defamation cases in England and Wales ever since.

A Time For Change?

Unsurprisingly, many lawyers in England and Wales have been arguing that the rule is completely inappropriate and a dangerous anachronism. Many overseas lawyers greet the existence of the rule with disbelief. Nearly 100 years after the Duke of Brunswick case, in 1948, the New York appellate court decided that the multiple publication rule had no place in an American society with mass publication and nationwide distribution, and it replaced the rule with a single publication regime. 

The UK Ministry of Justice has recently published a consultation paper on the topic. It agrees that the multiple publication rule has failed to keep pace with the digital age, conceding that defending a claim becomes increasingly difficult as time passes. 

However, it says that this difficulty must be balanced against the need for a claimant to be given suitable redress for damage to reputation. The paper suggests implementing a single publication rule in which the limitation period runs from the date on which the claimant discovers the defamatory material (if this is within 10 years of initial publication) and/or to have a defence of qualified privilege for archived material (this defence would be defeated if the defendant failed to remove the material having received a reasonable request to do so). 

Implementing a single publication rule in England and Wales would be good news for publishers operating in those countries, and others worldwide would also breathe a sigh of relief as it would reduce the incidence of ‘libel tourism’ in the jurisdictions. For many years, overseas claimants have flocked to the courts to bring defamation actions. As there is no equivalent to the U.S. First Amendment, defendants face several additional legal hurdles, and they may have to pay damages and huge legal fees if they lose. 

The consultation closed on 16 December 2009 and the Ministry of Justice will now consider the responses. Perhaps soon English law will finally lay to rest the spirit of the Duke of Brunswick. 

If you need to know, you need to contact Michael Skrein, a partner, and Tom Webley, an associate, both in our London office. Of course, you can always contact me, Joseph I. (“Joe”) Rosenbaum - or your favorite Reed Smith attorney - who will be more than happy to help or coordinate getting your legal needs taken care of.

Legal Predictions for 2010 - Ad Age Book Of Tens

As it does every year at this time, Advertising Age has again published its Book of Tens. For as long as I can recall, that has included an amazingly prescient set of legal prediction ‘Tens’ from my partner, Douglas J. Wood, and this year is no different.

Go. Look. Read. Recall last year’s. Save this one for December 2010. It’s amazing how good his track record is . . . but then, if you know him, that shouldn’t surprise you. But some of his predictions this year just might: Book of Tens: Legal Predictions for 2010.

You can contact Douglas J. Wood directly to tell him how ‘on target’ he is, or you can contact me, Joseph I. Rosenbaum, or any of the Reed Smith attorneys with whom you regularly work if you need more information or help in areas related to advertising, media, technology and entertainment. We are here to help.

Join Us for Cookies - It's the Social (Media) Thing to Do

Just a reminder that space is filling up, so if you want to join us for any of the three West Coast social media law seminars please use the registration link below to sign up. Joseph I. (“Joe”) Rosenbaum and Anthony Traymore from the Advertising Technology & Media Group in New York and local Reed Smith lawyers in each office will present: "Social Media: It’s 10:00 p.m. Do You Know Where Your Brand Is?"

Can’t attend? If you are a client, we can do a customized in-house seminar for your legal department, executive management, marketing or other professionals. Not a client? Perhaps you should be. Interested? Contact Joe Rosenbaum.

Social Media: It's 10 p.m. Do You Know Where Your Brand Is?

Did you miss our New York seminar on Social Media? Well now you can catch us in California. Three of Reed Smith's offices in California will be hosting a seminar on social media, where Joseph I. ("Joe") Rosenbaum and Anthony Traymore from the Advertising Technology & Media Group in New York, and local Reed Smith lawyers in each office, will present:

"Social Media: It's 10 p.m. Do You Know Where Your Brand Is?"

Tweets, profiles, avatars, blogs, chats, friend requests, user-generated content, personalized pages, customized URLs—keeping up with social media is daunting. Social media continues to change the rules of engagement, and for companies, brands, marketing professionals and their legal advisors, engagement is now the rule. Just as economic and advertising models for whole industries are changing to take advantage of social media, industries must confront new and unprecedented legal risks in this brave new world of engagement—a world where lawmakers, regulators and courts are struggling to figure it out. Legal risks and challenges abound; so does opportunity—for brands who know before they go!

Reed Smith LLP is a State Bar of California-approved MCLE provider, and this course qualifies for 1.5 general MCLE Credit. The presentations will highlight:

  • Best practices for corporate engagement in social media
  • How to approach workplace policies
  • The current and potential legal landscape evolving around social media platforms
  • Case studies—social media successes and failures
  • Highlights of our "white paper": A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon, recently released by the Reed Smith Social Media Task Force
  • And much more

Because of the high level of interest received, we will be conducting the seminar in three of our California offices.

1.  Reed Smith's San Francisco Office

Tuesday, December 8, 2009

Registration & Breakfast: 8:30 a.m.; Program: 9:00 – 10:30 a.m.

2.  Reed Smith's Silicon Valley (Palo Alto) Office

Tuesday, December 8, 2009

Registration & Lunch: 12:30 p.m.; Program: 1:00 – 2:30 p.m.

3.  Reed Smith's Century City (Los Angeles) Office

Wednesday, December 9, 2009

Registration & Breakfast: 8:30 a.m.; Program: 9:00 – 10:30 a.m.

We hope you will attend, and we encourage you to share this invitation with others. For your convenience, here is a link to the invitation & registration page for these sessions.

The Fed Notices an Overdraft - Decides to Close the ATM Window

This post was written by Roberta G. Torian and Joseph I. Rosenbaum.

On Nov. 12, the Federal Reserve Board released its final rule on overdrafts for ATM and one-time debit card transactions (the “Final Rule”), which amends Regulation E. Although it hasn’t been published in the Federal Register yet, Legal Bytes thought you might like a little heads-up as to what is in the new Final Rule.

To start, a financial institution will have to obtain a consumer's consent – in advance – to assess a fee for paying an overdraft in an ATM or one-time debit card transaction. To get consent, the financial institution must provide a description, give the consumer an opportunity to opt in, and, if consent is given (which can be revoked at any time), give the consumer written or electronic confirmation. While existing customers who haven’t opted in to the overdraft program by then can’t be charged a fee for these overdrafts after Aug. 15, 2010, for everyone else, compliance is required by July 1, 2010.

Here’s one you might not have considered. What if the system in place with the financial institution doesn’t distinguish between various types of overdrafts (e.g., one-time debit card versus recurring debit card transactions)? Well there is a safe harbor, but you’ll have to call Roberta G. Torian (or read the Final Rule yourself).

Now, the Final Rule doesn’t mean a financial institution is required to pay overdrafts, whether or not a consumer has consented, and it still allows them to maintain policies on overdraft limits, frequency, and other factors that would restrict the customer’s overdraft privileges. In other words, it doesn’t change an institution’s right to manage its overdraft program or risk – only the situations where it can charge a fee to the consumer.

The Final Rule does, however, delve a bit more deeply into the marketing and cross-selling considerations financial institutions must comply with. For example, the Final Rule prohibits conditioning other account services on opting in to the overdraft service. Furthermore, the consumer must be offered the same account terms, conditions and features, whether or not they opt-in to the overdraft program.

The Federal Reserve Board has created a model form for use by financial institutions (one that can be modified to fit the individual programs available) to obtain the consumer’s opt-in consent, and that highlights the disclosures required by the Final Rule. The form was developed because the Final Rule also prohibits including this new overdraft "consent" as part of the basic account agreement when a consumer opens an account. In other words, you need to give the consumer a meaningful opportunity to decide whether to opt in, and not simply bury the "consent" in a string of clauses and terms.

Although the rule has not yet been published in the Federal Register, you can download a copy of the Final Rule right here. But if you really want to know the (opt) ins and (opt) outs of Regulation E, contact Roberta G. Torian, Joe Rosenbaum or any of the lawyers at Reed Smith with whom you work. Reed Smith has a full service Financial Institutions Group that can help virtually any financial institution with legal support, service, and representation, whenever and wherever the need arises. Call us, we are happy to help.

Friday the 13th - No Need To Worry. It's Your Lucky Day.

Yesterday evening, Reed Smith and Boyden Executive Search Agencies co-sponsored a seminar in which Douglas J. Wood, head of Reed Smith’s Media & Entertainment Industry Group, joined by Sarah Needleman from The Wall Street Journal, and Kathy Ewing, assistant general counsel at Benjamin Moore, discussed the legal, social and economic implications of the social media and social networking revolution.

Friday the 13th notwithstanding – it’s the third one this year and, for you Useless-But-Compelling-Facts fans, the most any single year can have – today is your lucky day. Even if you missed it, the seminar can be downloaded right here: “Making Sense of Social Media.” And, in keeping with our triskaidekaphobic theme, Legal Bytes is proud to present a double whammy.

Simultaneously with this first-in-a-series of seminars, we have released a groundbreaking white paper entitled Network Interference: A Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon. The white paper, which you can also download by clicking the linked title above, was compiled by Stacy Marcus and edited by Douglas J. Wood (head of Reed Smith’s Media & Entertainment Industry Group) and Joseph I. Rosenbaum (Chair of Reed Smith’s global Advertising Technology & Media Law Practice). The white paper includes contributions from our social media task force – numerous Reed Smith lawyers across many disciplines affected by or involved in the social media revolution.

We will be adding, supplementing and updating these materials with even more chapters and new information as this exciting area continues to dynamically unfold. Whether you are an active participant in the commercial world of social media or are confused by it, this is a must read.

Oh, and if you want to actually be social and sociable, Joseph I. Rosenbaum and Anthony S. Traymore will be presenting MCLE-accredited and customized variations of these Social Media Seminars in our offices in San Francisco the morning of December 8th, in Palo Alto at mid-day the same day, and in Century City the morning of December 9th. So be social: if you are on the West Coast and your schedule permits, mark your calendar and watch the Whatz Gnu? section of Legal Bytes over the next week for further information and links to an invitation and registration.

If you or your brand advertising and marketing professionals think social media is a fad, you need to GWI or start waving goodbye. The train is leaving the station without you. But, if you recognize that digital and web-based technology, coupled with new interactive social platforms and applications are changing the way we interact, communicate, work, play, learn and entertain; are changing the legal and socio-economic landscape; and, indeed, are changing how brands and companies engage with their customers, their employees, their suppliers and yes, their investors and shareholders: well, then OMG, you totally get it.

But even if you do, navigating the waters as legislators, regulators and courts struggle to enact or apply a legal framework originally intended for a world with easily defined borders and tangible products, can be daunting. That’s why Reed Smith has a core and virtual team of lawyers who have experience and can advise you and guide you through the uncertainties. Contact me, Joe Rosenbaum, or Douglas J. Wood, Stacy Marcus, or Anthony Traymore, or any of the Reed Smith lawyers with whom you regularly work. How can we help you?

Collection and Use of Consumer Information - Congress is Listening

Congress is listening—why do you think they are called "hearings"? But will your voice be heard? The U.S. House of Representatives' Subcommittee on Commerce, Trade and Consumer Protection, and the Subcommittee on Communications, Technology and the Internet, will hold a joint hearing on "Exploring the Offline and Online Collection and Use of Consumer Information" Thursday, Nov. 19, 2009. If you or your representatives aren't in the room, you can't be part of the conversation and you won't be heard. If you can't make it, but you want to listen, or be heard, or both—let me (Joe Rosenbaum), or any Reed Smith attorney with whom you regularly work, know.

Because That's Where the Money Is

Presumably, that's why Willie Sutton robbed banks. So I ask you, somewhat rhetorically, why would anyone defraud advertisers on the Internet? Well, if you don't know, please refer to the title—that's what this note is about.

Remember click fraud? That's the name for illicit activity in which someone or something (a computer executing macros, automated scripts, etc.) emulates the click-selection process on a web advertisement. Why is that fraud? Well for one thing, if you are counting the number of times visitors "select" your advertising, click fraud makes it seem like lots of browsers out there are attracted to your advertising. But it ain't necessarily so. Even worse, if an advertiser is paying each time a visitor browses the ad—pay per click—that advertiser can pay a significant amount of money for eyeballs that simply aren't there. While you might think some clever computer hackers or scammers were engaging in this activity for kicks (something like a teenager joyriding with the family car), when you find out your competitors are retaining the services of others to engage in that activity, making your advertising seem exceedingly successful and driving up your cost of sales while they are merrily trimming their costs—well that's why they call it fraud after all.

Solid investigative work, pattern detection, programs designed to sniff out repetitive or rapid clicks and Internet protocol and address tracking—1000 clicks per second from the same address—can't completely prevent click fraud, but they can make it more difficult, make the insertion companies, publishers and networks more accountable for accurate metrics and payment mechanisms, and can sometimes even lead to prosecutions.
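As an added illustration (not part of the original post), the kind of "rapid clicks from the same address" check described above can be sketched as a sliding-window counter over a click log. The log format, the addresses, the ad identifier and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample click log: '<ISO timestamp> <client IP> <ad id>'."""
    base = datetime(2009, 10, 5, 12, 0, 0)
    lines = ["# timestamp ip ad_id (constructed sample data)"]
    # One address clicking the same ad 12 times, 50 ms apart.
    for i in range(12):
        ts = base + timedelta(milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 ad-42")
    # Ordinary visitors: isolated clicks many seconds apart.
    for i, ip in enumerate(["198.51.100.20", "198.51.100.21", "198.51.100.20"]):
        ts = base + timedelta(seconds=20 * (i + 1))
        lines.append(f"{ts.isoformat()} {ip} ad-42")
    return lines


def parse_click(line):
    """Split one log line into (timestamp, ip, ad_id)."""
    ts, ip, ad = line.split()
    return datetime.fromisoformat(ts), ip, ad


def find_click_bursts(lines, max_clicks=5, window_seconds=1.0):
    """Return {(ip, ad_id): peak_clicks} for every address that clicked one ad
    more than max_clicks times inside any window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    events = sorted(
        parse_click(line)
        for line in (raw.strip() for raw in lines)
        if line and not line.startswith("#")
    )
    recent = defaultdict(deque)  # (ip, ad) -> timestamps still inside the window
    peaks = {}
    for ts, ip, ad in events:
        key = (ip, ad)
        q = recent[key]
        q.append(ts)
        # Drop clicks that have aged out of the window ending at this click.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > max_clicks:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (ip, ad), peak in find_click_bursts(build_sample_log()).items():
        print(f"{ip} clicked {ad} {peak} times within one second")
```

As the post notes, a check like this raises the cost of click fraud and supports an audit; it does not prevent it.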

More recently, even more sophisticated schemes have arisen, including fake advertisements, appearing to be for a legitimate company, but that are actually a launching pad for malicious code—capable of phishing or denial of service attacks, or penetrating corporate firewalls to access company networks and systems.

Now this is not a particularly new problem. After Hyundai was victimized, earlier this year, Initiative, the Agency of Record for Hyundai, sent out letters to its business partners, presumably to its publishing and advertising network partners, stating “someone allegedly working for Hyundai, or working at other agencies, has contacted various sites requesting proposals, and have even run a short campaign,” and requesting that they be notified immediately if contact is made “from an e-mail domain address of ''.”

Publicis, one of the world's largest advertising holding companies and the largest global network within the Publicis Groupe, headquartered in France, has also been warning publishing networks about these fake ads. This past Oct. 5, Digitas, Optimedia, MediaVest, Zenith, and Spark (each of them Publicis companies) sent letters to their media partners alerting them to: "rogue software and malicious advertising that is being placed on websites by individuals pretending to represent legitimate insertion requests."

A recent article in The Wall Street Journal noted yet another scam in web-based advertising: invisible ads. Agencies and media buyers are generally unable to audit banner campaigns when bought through ad networks and purchased on a CPM basis. Now imagine you are paying for ads based on web pages loaded, not clicks. Well, according to the article, Ben Edelman, an assistant professor at Harvard Business School who has been studying Internet advertising, has discovered that these "invisible" ads use computer programming code to make it appear as if the ads are where they are supposed to be. But when you point your browser to the web page where the ad is supposed to be, NOTHING IS VISIBLE. Notice I didn't say that nothing was there. I said it wasn't visible. BUT, if you are reading this, pay attention.  Take your cursor and highlight the entire blank space above right after the words "ad is supposed to be," all the way through to "Notice I didn't say," the previously hidden text becomes visible.  You see, the letters are there, but they are in the same color as the background, so they appear invisible to the reader. A fairly old trick. Now imagine there's a web-based advertisement on an invisible web page. The browser "sees" the page and acts as if that page is loaded and open—only you can't see it.

The Wall Street Journal article notes that security experts at Symantec and McAfee, as well as at online verification and audit companies DoubleVerify and Anchor Intelligence, have confirmed the programming code used to create the invisible ads. Code that ultimately causes advertisers, including some major companies and brands, to pay for advertising that is "there," but not to the user. Just like the text color coded to appear invisible against the background here, these programming codes—normally used to tell the computer how to display a web page when a browser loads the page—make the display (referred to as an "iframe") invisible, so the user won't actually see anything within that iframe. Because you can't see any of the contents, scammers can create multiple invisible iframes, even on the same page. Mr. Edelman reported that he "opened a series of invisible pages on the visitor's computer with as many as 46 ads"—none of which could be seen.
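For publishers or auditors who want to check their own pages for the pattern described above, here is an added example (not from the original post or the Wall Street Journal article) that flags iframes a visitor could not see. It inspects only inline attributes and inline styles, not external stylesheets or scripts, and the sample page and `ads.example` URLs are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one visible ad slot and four concealed ones.
SAMPLE_PAGE = """
<html><body>
<h1>Example publisher page (constructed)</h1>
<iframe src="https://ads.example/banner-1" width="728" height="90"></iframe>
<iframe src="https://ads.example/banner-2" width="0" height="0"></iframe>
<iframe src="https://ads.example/banner-3" style="display:none"></iframe>
<div style="visibility: hidden">
  <iframe src="https://ads.example/banner-4" width="300" height="250"></iframe>
</div>
<iframe src="https://ads.example/banner-5" style="width:1px; height:1px; opacity:0"></iframe>
</body></html>
"""

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


def parse_style(style):
    """Turn an inline style string into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.replace("!important", "").strip().lower()
    return props


def concealing_styles(attrs):
    """Reasons an element, and everything inside it, is not rendered visibly."""
    style = parse_style(attrs.get("style") or "")
    reasons = []
    if style.get("display") == "none":
        reasons.append("display:none")
    if style.get("visibility") in ("hidden", "collapse"):
        reasons.append("visibility:hidden")
    try:
        if float(style.get("opacity", "1")) == 0:
            reasons.append("opacity:0")
    except ValueError:
        pass
    if "hidden" in attrs:
        reasons.append("hidden attribute")
    return reasons


def tiny_dimensions(attrs):
    """Reasons based on the frame's own size (0 or 1 pixel wide or high)."""
    style = parse_style(attrs.get("style") or "")
    reasons = []
    for dim in ("width", "height"):
        value = style.get(dim) or attrs.get(dim) or ""
        match = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value)
        if match and float(match.group(1)) <= 1:
            reasons.append(f"{dim}<=1px")
    return reasons


class HiddenIframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # open elements as (tag, concealing reasons)
        self.findings = []   # (iframe src, reasons) for each concealed iframe

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        own = concealing_styles(attrs)
        if tag == "iframe":
            inherited = [f"ancestor <{t}> {r}" for t, rs in self.stack for r in rs]
            reasons = own + tiny_dimensions(attrs) + inherited
            if reasons:
                self.findings.append((attrs.get("src", ""), reasons))
        if tag not in VOID_TAGS:
            self.stack.append((tag, own))

    def handle_endtag(self, tag):
        # Tolerate sloppy markup: close back to the nearest matching open tag.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def audit_html(html):
    """Return [(src, [reasons])] for every iframe that would not be visible."""
    auditor = HiddenIframeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```

A static check like this misses frames hidden by external CSS or by script at load time, so a finding is a prompt for review in a real browser, and a clean result is not proof that every ad is viewable.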

I suspect that when Congress and regulators refer to targeted advertising, they aren't thinking about criminals who target legitimate advertisers and publishing networks and ultimately cost them (and you) money. But here at Legal Bytes, and among the lawyers at Reed Smith, we are! Need to know more about digital advertising, publishing networks, media and marketing online? Call Joe Rosenbaum, or any of the lawyers at Reed Smith you work with. We are happy to help.

Did You Miss our Legal Seminar for Publishers? No Worries.

Even if you missed the educational webinar—held Oct. 23, 2009; sponsored by the Long Tail Alliance Program of the Interactive Advertising Bureau (IAB); and presented by Joseph I. (“Joe”) Rosenbaum, partner at Reed Smith and general counsel of the IAB, and Adam Snukal, senior associate at Reed Smith—you're in luck. A PDF copy of the seminar, which covered many current legal issues in advertising compliance, privacy, and social media, can be downloaded right here: What Me Worry? Legal Best Practices for Small Publishers.

We’ve been told the Interactive Advertising Bureau will be posting a video recording of the webinar, so you can watch a replay of the entire broadcast, if you like, at your convenience. We will provide details once we receive them.

IAB Long Tail Alliance: Join The Legal Briefing from Reed Smith

Just a reminder that this coming Friday, October 23, 2009, from 12 – 1 p.m. (Eastern US Time), Joseph I. (“Joe”) Rosenbaum, partner at Reed Smith and general counsel of the IAB, assisted by Adam Snukal, senior associate at Reed Smith, will be presenting an educational webinar, sponsored by the Long Tail Alliance Program of the Interactive Advertising Bureau (IAB). The title is: What, Me Worry? Legal Best Practices for Small Publishers

The webinar will provide an overview of the legal issues and suggested best practices in the following areas:

Advertising Compliance ** Privacy ** Social Media

There will be a Q&A session as time permits at the end of the session, and a .PDF copy will be available on Legal Bytes after the seminar is over.

The webinar is open not only to IAB members and Reed Smith clients, but also to anyone who is interested - on a first-come, first-served basis. So register now. You can get more information and register right here for What, Me Worry? Legal Best Practices for Small Publishers. 

About the Long Tail Alliance Program

The IAB formed the Long Tail Alliance program in summer 2008 to encourage involvement with individuals and small businesses who, powered by interactive advertising, have turned their interests and passions into a media revolution. The Alliance is the beginning of something the IAB envisions as a much larger portrait of American entrepreneurs who are pursuing and achieving the American dream, even as they row hard against strong economic currents. The IAB hopes to expand its Long Tail Membership in order to encourage advocacy, training, and a coming-together of smaller publishers across America as their businesses grow, all while the dynamic of technology and media continues to change.

For more information, click here:

About the IAB

The Interactive Advertising Bureau is comprised of more than 375 leading media and technology companies who are responsible for selling 86 percent of online advertising in the United States. On behalf of its members, the IAB is dedicated to the growth of the interactive advertising marketplace, of interactive's share of total marketing spend, and of its members' share of total marketing spend. The IAB educates marketers, agencies, media companies and the wider business community about the value of interactive advertising. Working with its member companies, the IAB evaluates and recommends standards and practices, and fields critical research on interactive advertising. Founded in 1996, the IAB is headquartered in New York City, with a Public Policy office in Washington, D.C.

About Reed Smith

Reed Smith is a global, full-service law firm with nearly 1600 lawyers in 23 offices around the world. Joseph I. (“Joe”) Rosenbaum, a partner in the New York office, chairs the firm’s global Advertising Technology & Media law practice, is the editor and publisher of Legal Bytes, is Corporate Secretary & General Counsel to the IAB, and is an ex-officio member of the IAB Board. Adam Snukal is a senior associate who works with Joe in the Advertising Technology & Media law group and is editor of Adlaw by Request, the gold standard in advertising legal publications in the industry.

Join us for this exciting and timely IAB Long Tail Alliance webinar presented by Reed Smith. We look forward to your participation.

Maine Recommends Repeal of Controversial Privacy Law

Under mounting pressure that "An Act To Prevent Predatory Marketing Practices against Minors"—which was recently enacted and which became effective last month—was unconstitutional (both on free speech grounds and because it unduly restricted interstate commerce), a Maine legislative committee recommended that the new privacy law be repealed. The law would have placed restrictions on the collection and use of data of minors—effectively extending many provisions of COPPA to teens age 13 to 18—and requiring parental consent for the collection of any personal information. While concern still remains over sensitive data (e.g., medical- and health-related information), Maine appears to be poised to modify the original law to limit its applicability to health- and medical-related information of minors.

Without belaboring the Constitutional arguments (preemption by federal law, unlawful restriction on interstate commerce beyond a state’s interest in protecting its citizens), the Act, if enforced, would have even restricted the rights of teenagers to receive certain information or to participate in social media and social networking activities. Opposition was unusually diverse—with the Center for Democracy & Technology, a civil liberties-focused organization, and the Maine Independent Colleges Association, joining the marketing-oriented Motion Picture Association of America and the Association of National Advertisers in objecting to the legislation.

Apparently in deference to the court cases that had been filed in opposition and the arguments made, Maine’s attorney general previously indicated she would not enforce the Act.

Privacy? Children’s Advertising? State vs. federal law? We can help sort out the confusion. Call me, Joseph I. Rosenbaum, or John Feldman or Douglas J. Wood, or the Reed Smith attorney with whom you regularly work.

Buzz Over Behavioral Advertising - Listen, Do You Want to Know a Secret?

This post was written by Stacy Marcus and Joe Rosenbaum.

The buzz over online behavioral advertising in the United States has been building since the 2008 hearings in Congress over deep packet inspection. The first class-action lawsuit targeting behavioral advertising, Valentine v. NebuAd (N.D. Cal., No. 3:08-cv-05113), was filed in November 2008, followed soon thereafter by Simon v. Adzilla (N.D. Cal., No. 3:09-c-00879) in February 2009.

In the first case, NebuAd and six other ISPs were accused of violating the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act, by using deep packet inspection technology. Specifically, the NebuAd complaint alleged that customers were unaware their online activity was being monitored for marketing purposes; that either no notice or consent was provided; that any notice that may have been attempted was insufficient or misleading; and that their technology intentionally sought to negate customers’ efforts to remove tracking cookies. For their part, the defendants vigorously deny having violated customers’ privacy rights, noting that they did not collect personally identifiable information, and that the data collected was anonymized to protect the identities of customers.

Since its filing in November 2008, all of the defendants in the NebuAd case have moved to dismiss the action on various grounds, including lack of personal jurisdiction and failure to state a claim. Just a few days ago (Oct. 6, 2009), the court granted the motions of five of the defendants to dismiss for lack of personal jurisdiction, citing the fact that the ISPs that were not based in California did not provide a sufficient and constitutionally reasonable basis for a California court to assert jurisdiction. However, the ruling leaves NebuAd as the last defendant standing in the action. But wait. There’s more. In May 2009, NebuAd liquidated its assets and went out of business. In fact, on the day the court dismissed the action against the other five defendants, the court also granted NebuAd’s counsel’s motion to withdraw from the case. That said, the court refused the additional request to stay the proceedings against NebuAd until new counsel could be retained. Stay tuned . . . we’ll track this for you!

Now in the second case, Adzilla (whose website is currently “under construction”) and three other defendants were parties to a joint venture that created a technology called the “ZILLAcaster.” According to the press release of Adzilla partner NetLogix, “[t]he ZILLAcaster technology resides within the service provider's network, the closest point to the subscriber, and utilizes network data in combination with contextual and behavioral targeting to make decisions regarding the delivery of the most relevant ad content for network users. Content can be delivered down to individuals without the use of any desktop, software, or adware.” The plaintiffs claim that this ZILLAcaster oversees, inspects, copies, transmits and actually permits the alteration of the user’s Internet communications – all without any notice to the user. Although there is no allegation that any actual ads were served to Simon (the plaintiff) as a result of this ZILLAcaster, the plaintiffs argue that simply tracking them in this manner violates the Electronic Communications Privacy Act, the California Computer Crime Law, the California Invasion of Privacy Act, and the Computer Fraud and Abuse Act through the use of deep packet inspection. Adzilla has denied plaintiffs’ allegations and asserted numerous defenses. 

Less than two months ago (Aug. 18, 2009), Continental Broadband was dismissed from the action, and on Oct. 2, 2009, a filing in the case seeks to voluntarily dismiss Core Communications d/b/a CoreTel as a defendant in the lawsuit. If the filing is granted, only Adzilla and its parent company, Conducive Corporation, will remain as defendants.

So why should you care? Because given the settlement of Facebook’s class action lawsuit over its Beacon technology, these two lawsuits are the only major pending ones we are aware of that concern online behavioral advertising AND that could potentially yield decisions and opinions. Given Congress’ and the FTC’s interest in consumer privacy in general, and online behavioral advertising in particular, a decision in either of these two cases could set the stage for government regulation and policy – conforming with or reactive to these decisions – and may well set precedent for future online behavioral advertising cases in the months and years ahead. While it’s too soon to tell, we will keep you posted as they unfold. As always, you can contact the authors, Stacy Marcus and Joe Rosenbaum, or any Reed Smith attorney with whom you regularly work, for more information or assistance.

Reed Smith Analysis of the New FTC Endorsement and Testimonial Guidelines

A few days ago, Legal Bytes alerted you to the fact that the Federal Trade Commission has issued revised "Guides Concerning the Use of Endorsements and Testimonials in Advertising". These revisions update the FTC’s Guides, last modified in 1980, that provide direction to advertisers and agencies regarding compliance with the FTC Act.

John P. Feldman, a partner in our Washington, D.C. office and a key member of our Advertising Technology & Media law team, has prepared (and you can view and download) an Analysis of the New Guides. Of course, no memorandum prepared for general information or a summary of this type can provide legal advice, and you should be careful not to rely on it since everyone’s circumstances and the facts of each situation will differ – at a minimum, based on the type of product or service, the target audience, and the advertising media, among other things. That said, the summary will give you a good overview of what is in the Guides and what is different or updated from the prior Guides.

Of course, if you need specific guidance or need to know more about the FTC Guides, or the implications to social media advertising and marketing or traditional advertising, feel free to contact John P. Feldman, Douglas J. Wood or Joseph I. Rosenbaum, or the Reed Smith attorney with whom you regularly work.

What Me Worry? Don't Get Mad, Get Informed!

On Friday, October 23, 2009, from 12 – 1 p.m. (Eastern U.S. Time), Joseph I. (“Joe”) Rosenbaum, Partner at Reed Smith and General Counsel of the IAB, assisted by Adam Snukal, Senior Associate at Reed Smith, will be presenting an educational webinar, sponsored by the Long Tail Alliance Program of the Interactive Advertising Bureau (IAB), entitled: What Me Worry? Legal Best Practices for Small Publishers.

The webinar will provide an overview of the legal issues and suggested best practices in the following areas:

Trademarks: Buying someone else’s key words? Displaying advertising? Sponsoring or hosting contests, sweepstakes, co-branded promotions? Using social media or virtual worlds? Trademarks are everywhere. When should you worry?

Compliance: What’s new at the FTC and FCC? Industry groups want self-regulation. Privacy and consumer advocacy groups want more regulation. Congress is poised to “do something.” What you need to know about marketing to children, adults, compliance with sectoral advertising regulations, from finance and health care to product safety.

Privacy: Behavioral targeting has everyone up in arms. What should a small publisher do if she feels her privacy policy has been violated?

Social Media: Blogs, splogs and vlogs. Virtual worlds, avatars and pseudonyms. Profiles and networks, friends and fans. Testimonials and endorsements – from celebrities to consumers, paid and unpaid. Buzz, viral and word of mouth. Defamation, libel, copyright and personalized URLs. Sound confusing? It is. But ignorance won’t insulate you from liability. Don’t want to become a regulatory target? What you should know.

Q&A: IAB and Reed Smith to answer questions from participants.

The webinar is open to IAB members, to Reed Smith clients, and to the general public on a first-come, first-served basis. Register now. You can get more information and register right here for What Me Worry? Legal Best Practices for Small Publishers.

About the Long Tail Alliance Program

The IAB formed the Long Tail Alliance program in summer 2008 to encourage involvement with individuals and small businesses who, powered by interactive advertising, have turned their interests and passions into a media revolution. The Alliance is the beginning of something the IAB envisions as a much larger portrait of American entrepreneurs who are pursuing and achieving the American dream, even as they row hard against strong economic currents. The IAB hopes to expand its Long Tail Membership in order to encourage advocacy, training, and a coming-together of smaller publishers across America as their businesses grow, all while the dynamic of technology and media continues to change.

For more information, click here.

About the IAB

The Interactive Advertising Bureau is comprised of more than 375 leading media and technology companies that are responsible for selling 86 percent of online advertising in the United States. On behalf of its members, the IAB is dedicated to the growth of the interactive advertising marketplace, of interactive's share of total marketing spend, and of its members' share of total marketing spend. The IAB educates marketers, agencies, media companies and the wider business community about the value of interactive advertising. Working with its member companies, the IAB evaluates and recommends standards and practices, and fields critical research on interactive advertising. Founded in 1996, the IAB is headquartered in New York City, with a Public Policy office in Washington, D.C.

About Reed Smith

Reed Smith is a global, full service law firm with nearly 1600 lawyers in 23 offices around the world. Joseph I. (“Joe”) Rosenbaum, a partner in the New York office, chairs the firm’s global Advertising Technology & Media law practice; is the editor and publisher of Legal Bytes; is Corporate Secretary & General Counsel to the IAB; and is an ex-officio member of the IAB Board. Adam Snukal is a Senior Associate who works with Joe in the Advertising Technology & Media law group, and is editor of Adlaw by Request, the gold standard in advertising legal publications in the industry.

Join us for this exciting and timely IAB Long Tail Alliance webinar presented by Reed Smith. We look forward to your participation.

FTC Releases Updated Endorsement & Testimonial Guidelines

Although it will be published in the Federal Register shortly, you can download and read the text of the Federal Trade Commission’s revised "Guides Concerning the Use of Endorsements and Testimonials in Advertising" issued earlier today, right on Legal Bytes now. As reported previously in Legal Bytes, the final revisions are intended to update the FTC’s guidance, last revised in 1980, which provides advice to advertisers and agencies regarding compliance with the FTC Act.

While the prior guidelines allowed advertisers to use a “results not typical” disclaimer, that is no longer a safe haven from liability, and advertisers will be required to disclose what a consumer should generally expect when purchasing or using the product. Furthermore, any connection that a consumer might not reasonably know between an advertiser and an endorser needs to be disclosed. In recent years, comments by bloggers, through word of mouth, buzz or viral marketing were never addressed in the Guides. The updated version now deals with and provides examples of when these rise to a level of connection requiring disclosure. For example, if a blogger receives any consideration in cash or in kind (e.g., free gaming console to try) to review products or services, that would now be considered an endorsement that requires disclosure – even if the review remains unbiased.

The fact that a consumer should be informed about a material connection between the advertiser and the maker of the statements is now firmly embedded in the FTC Guides, even though these cases were always subject to review on a case-by-case basis. Of course, what constitutes a “material” connection will still be subject to a factual determination, but if a company, for example, sponsors research about its products or services (or potentially about the products or services of a competitor, if the results will be used in a comparative ad), then the company must disclose its sponsorship in the ad. Similarly, although consumers may expect celebrities to be paid for appearing in commercials, if an endorsement is made outside that context – for example, on a talk show, at a book signing, at a motion picture premiere, or on Facebook, Twitter or other social media - any material relationships must be disclosed.

The proposed new guidelines were the subject of a seminar, "Trust Me, I'm a Satisfied Customer: Testimonials & Endorsements in the United States", presented by Joseph I. Rosenbaum, at the University of Limerick in July. You can go to the previous Legal Bytes blog post and download a copy of the presentation at any time.

Want to know more about the FTC Guides, or the implications to social media advertising and marketing, or traditional advertising? Feel free to contact me or the Reed Smith attorney with whom you regularly work.

Are You Behaving Badly? Redux

If you missed our teleseminar “Global Regulation of Behavioral Marketing in an Age of Privacy & Data Protection,” presented by Reed Smith partners Douglas J. Wood and Joseph I. Rosenbaum from New York and Gregor Pryor from London, I am pleased to make a copy of the “Are You Behaving Badly” presentation available to our Legal Bytes’ readers. The industry gave us “New Hope.” Privacy and consumer advocacy groups responded, and the “Empire Strikes Back.” Just recently, Congress commended the self-regulatory efforts of the industry, but noted a perceived need for additional legislation. “The Phantom Menace” persists.

The intergalactic battles continue, battle lines remain drawn, tensions remain high and the balance unclear – perhaps because changing technology, social media norms and advertising models keep rewriting the rules of engagement. If you listened in, thank you. If you missed it, here is the presentation. In either case, don’t hesitate to contact any of us with questions.

Online Behavioral Advertising - Congress Poised to Act

Late last week, Rep. Rick Boucher (D-Va.), who chairs the Subcommittee on Communications, Technology and the Internet, released a statement indicating that despite industry collaboration and efforts at self-regulation, his belief is that government regulation remains necessary. Rep. Boucher intends to introduce legislation regulating online behavioral advertising. His statement notes that the intention would be “to assure Internet users a high degree of privacy protection, including transparency about the collection, use and sharing of information about them and to give them control over that collection, use and sharing,” and that the advertising industry’s self-regulatory principles, “while proactive . . . . do not go far enough.”

In deference to the industry, however, Rep. Boucher’s statement also acknowledges that “online advertising supports much of the commercial content, applications and services that are available to Internet users today without charge,” and mentions that the intention of any legislation is not to disrupt well-established business models. The announcement asserts the legislation will have bipartisan support, and although it notes that actual draft legislation is not yet ready for prime time, it will be targeted primarily at privacy concerns, seeking to establish baseline standards relating to the disclosure, collection and use of consumer information, and safe harbors for advertisers that adhere to certain online practices in connection with these issues. In addition, the Federal Trade Commission will be given the authority to enforce the principles in the legislation and define the specific policies and practices that would allow advertisers to take advantage of the proposed safe harbor protections.

You can read all of Rep. Boucher’s statement right here. Fittingly, there is still time to register for tomorrow’s teleseminar “Are You Behaving Badly”, sponsored by the Advertising Technology & Media law practice at Reed Smith.

Self-Regulatory Online Behavioral Advertising Principles: What's Déjà New?

In a speech in November 1942, Sir Winston Churchill remarked, “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.”

So, if you have been following along with the original announcement and each of the following “principle summaries” posted on Legal Bytes:

. . . and, if you have read the actual report, then you will appreciate that “Self-Regulatory Principles for Online Behavioral Advertising”, consistent with the Federal Trade Commission’s support of industry self-regulation, are patterned after the highly successful record of the Council of Better Business Bureaus in regulating the traditional advertising industry for more than 30 years. A record that includes industry collaboration, self-regulatory principles and monitoring, and close collaboration with the Federal Trade Commission over the years, as the industry and advertising models evolved.

While one is always careful to ensure that at some point governmental intervention may be necessary to protect consumers from those who abuse the system or violate the law, the question to ask is whether and to what extent new or different regulation is required. That is certainly a question being asked (and being answered) by a coalition of 10 consumer advocacy and privacy groups in its recently released report, “Online Behavioral Tracking and Targeting Concerns and Solutions”, in response to the industry principles. More importantly, one may ask whether a concretized and codified piece of legislation is likely to remain relevant or even defensible in the face of innovation and technology that could not have been predicted five years ago and, I believe, will remain relatively unpredictable in the future.

That said, some aspects of advertising are predictable. Development, display and distribution mechanisms will evolve dynamically as technology and innovation continue. Notions of consumer privacy and data protection will continue to evolve and be difficult to harmonize across nations, across cultural and local boundaries, and—because privacy is and has always been context specific—in time and space. What might have been considered private in 16th century France is very different from the concept of privacy that permeates the hearts and minds of citizens of Japan or Brazil today. Indeed, even the role of government in protecting one’s right to privacy and the use of information about oneself is an ever-changing one. Advertising models and economics will continue to change, with metrics and quantification methodologies being sparred and argued over, recognizing that even the roles of advertisers, agencies, media buyers, and broadcast and publishing networks, as well as ISPs, search engine, browser and web hosting companies—the technology players—are changing and will continue to change. Wireless and mobile devices will continue to expand the domain of advertising and challenge our ability to capture consumers’ interest on tiny mobile screens, while the opposite is taking place in our living rooms—with the separation of desktop or laptop computing and home television and entertainment centers being increasingly irrelevant (and screens becoming larger). Oh, and did we forget to mention how online gaming and the interplay between gaming console, entertainment and product placement, virtual worlds and display advertising, are all blurring (pardon the pun) right before our eyes?

So if you have ever attempted to change a tire on a moving automobile, you have a vision of what the “industry” is and will look like in the future. Under these circumstances, traditional regulation as we knew it, may not make sense. What might make sense is a more dynamic system of regulation. One that is more flexible, more adaptable and more capable of interacting and reacting to changing circumstances, mechanisms, technology and the environment. Perhaps allowing the industry and the Federal Trade Commission, in conjunction with other agencies already tasked with the mission of protecting consumers within their particular areas of authority (e.g., FDA, FCC, FAA, and the list goes on) to develop self-regulatory enforcement mechanisms, referral mechanisms, and a track record, may be the best way to determine what, where and when regulation may be needed.

In the meantime, you may want to ask yourself if you are misbehaving as an advertiser or marketing professional, and register and listen in to our “Are You Behaving Badly” Teleseminar Sept. 30, which will tackle current issues in global regulation of behavioral advertising.

As always, I and my colleagues in the Advertising Technology & Media law practice at Reed Smith are ready to assist in guiding, advising and providing legal support where and when you need it. We’ve been changing tires for more than a century!

Reed Smith DC Office Hosting Next FCBA Privacy/Data Security & Legislative Committees Meeting

Reed Smith will host the next brown bag lunch meeting of the Federal Communications Bar Association’s joint Privacy/Data Security and Legislative Committees. The meeting will be held on October 13, 2009 between 12:00 noon – 2:00 p.m. at Reed Smith’s Washington, D.C. offices (1301 K Street, NW, Suite 1100 East Tower). The Committees will discuss the legislative priorities for the 111th Congress with special emphasis on behavioral marketing and data security legislation. The following speakers are confirmed to date: Amy Levine, Legislative Counsel to Congressman Rick Boucher; and Paul Cancienne, Legislative Aide to Congresswoman Mary Bono Mack. We also have invited staff from the U.S. Senate. Please RSVP to Desiree Logan to attend.

Privacy: FTC Announces the First in a Series of Public Roundtables

Earlier today the Federal Trade Commission announced details of the first of a series of Public Roundtables being held to deal with continuing efforts to examine, evaluate and determine if, and to what extent, regulation may be needed in connection with consumer privacy. In its announcement, the FTC specifically cites its intention to review privacy practices related to social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers and third-party applications.

The FTC’s announcement acknowledges the beneficial uses of information and technological innovation, while seeking to balance those against the need to protect consumer privacy. The first full-day session will be held Monday, December 7, 2009, at the FTC Conference Center at 601 New Jersey Avenue, N.W., Washington, D.C., and no registration is required. Those who cannot attend in person will be able to view the proceedings as a webcast.

The FTC has invited individuals and organizations to participate and/or to suggest topics. To participate, your request can be submitted directly to the FTC by email on or before October 30th, and comments surrounding the issues to be discussed can be submitted on or before November 6th. The FTC has prepared a list of specific questions it intends to use in opening the dialog at this first in its series of public roundtable discussions and has invited written comments, as well as research submissions. Details can be found at the Privacy Roundtable Workshop page of the FTC’s website. Comments can be mailed to the FTC, or you can check the FTC website for instructions as to submitting comments electronically. Of course, Reed Smith stands ready to assist clients in preparing comments or providing representation, and if we can be of assistance, don’t hesitate to contact us. If you need to know more, please feel free to call me or the Reed Smith attorney with whom you regularly work.

Self-Regulatory Online Behavioral Advertising Principle No. 7: Accountability

This post was written by Adam Snukal and Joseph Rosenbaum.

Well, here it is. A summary of the last of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The seven principles are:

The Accountability principle is the one concerned with the “effect,” rather than the “cause” and calls upon the industry to establish and implement programs to monitor its online behavioral advertising activities and take steps to ensure compliance with the principles within a self-regulatory framework. In the context of the self-regulatory principles, Accountability means – monitoring, transparency, reporting and compliance.

  • Monitoring: Both random and systematic, depending on the circumstances;
  • Transparency: Widely available, easy to use communication tools and channels so that the public, competitors and government agencies can file complaints when the Principles are violated;
  • Reporting: Violators will be publicly reported, including the reason for a finding of violation, a description of the violation, and the actions taken in response to, and to correct, the non-compliance; and
  • Compliance: The establishment of mechanisms and procedures to bring any publicly-reported entity into compliance with the principles, or, if necessary, to refer the violation to the appropriate government agency.  

The Accountability principle also notes the importance of coordination and consistency among programs to promote efficiencies in implementation, so as to avoid multiple enforcement actions against the same entity for the same violation. 

While the blueprint for the specifics surrounding the proposed monitoring, transparency, reporting and compliance initiatives under this principle is yet to be drawn, the Direct Marketing Association (“DMA”) and National Advertising Review Council of the Council of Better Business Bureaus (“CBBB”) have agreed to cooperate and collaborate, with the stated goal of having something in place by early 2010. Both the DMA and the CBBB were called upon to provide leadership in this area because of their widely respected existing self-regulatory accountability programs. The DMA also has agreed to integrate the principles into its longstanding DMA Self-Regulatory and Compliance Tools.

If you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, just follow the link. Stay tuned for next week, when we will post a short consolidated summary of all seven principles. So now, as always, if you have any questions or need help, please feel free to contact Adam Snukal or me, or any of the Reed Smith attorneys with whom you regularly work.

Are You Behaving Badly? Global Regulation of Behavioral Marketing

On Wednesday, September 30, 2009, from 12 noon – 1 p.m. (U.S. EDT), Reed Smith will be hosting a teleseminar as part of its “Doing Business Globally” series. Entitled Global Regulation of Behavioral Marketing, this seminar will be presented by Reed Smith partners Douglas J. Wood and Joseph I. Rosenbaum from New York, and Gregor Pryor from London. The seminar will explore the legal implications to advertisers, marketing professionals and brands associated with the labyrinth of global regulation increasingly applicable, or newly enacted, in connection with the targeting of consumers — on and off the web — through behavioral marketing.

Privacy and consumer groups object to such sophisticated techniques, fearful it further erodes what little privacy protection remains. Regulators are concerned such practices may violate privacy and data protection laws, or worse, are simply not covered by existing law and regulation. Marketers respond that such advances allow for a far more efficient, consumer-friendly marketplace, and that self-regulation has been a successful model in the advertising industry for more than 30 years. In this interconnected, networked age of social networking and global communication, understanding the implications and the legal and regulatory landscape is critical for every advertising professional and marketer, and the brands they represent. The camps remain far apart. Advertising industry associations call for self-regulation, recently releasing a report entitled Self-Regulatory Principles for Online Behavioral Advertising. Only about two months later, as previously reported in Legal Bytes, a coalition of 10 consumer advocacy and privacy groups released a fresh call for new regulation in a report referred to as a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. The dividing lines remain drawn, tensions remain high, and the balance unclear – perhaps because the technology environment keeps rewriting the rules of engagement. Want to know more? Don’t miss this informative presentation.

Join us for this exciting and timely Reed Smith Teleseminar. You can view the Invitation to obtain more information, or go right to the Registration page. We look forward to your participation. 

Self-Regulatory Online Behavioral Advertising Principle No. 6: Sensitive Data

This post was written by Anthony S. Traymore and Joseph I. Rosenbaum.

Almost down to the wire, here is the next installment summarizing the sixth of the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. For reference, the seven enumerated principles are:

The Sensitive Data principle segments sensitive data into two basic categories - personal information of children under the age of 13, and financial and health-related information, regardless of the age of the individual.

With respect to the collection and use of data for online behavioral marketing purposes, if you have actual knowledge that any of the information being collected is from individuals under the age of 13, or if your website is targeted at children under the age of 13, the Sensitive Data principle states you should not be collecting any personal information from or be engaged in any online behavioral advertising with regard to that individual, unless you comply with the Children's Online Privacy Protection Act (COPPA), and then, only to the extent specifically allowed by COPPA.

In case you’ve forgotten, COPPA requires you to have "verifiable parental consent" prior to collecting any personal data from children under the age of 13. The Federal Trade Commission routinely enforces COPPA, and violations may carry fines in excess of $1 million, in addition to the damage to goodwill and public image that can result. Compliance with the provisions of COPPA is tricky. While this post will not belabor the ambiguities that have already been reported about what constitutes "verifiable parental consent", suffice it to say that when dealing with children under the age of 13, it is best to exercise considerable caution in connection with online marketing efforts – behavioral or otherwise – and to always consult an attorney well-versed in guiding you through the compliance maze.

With respect to personal information related to an individual’s financial or health status, age is not relevant to this sixth principle. What is relevant is the requirement that you obtain the consent of the individual if you are collecting the information online and you intend to use it. Prudent practice would indicate you should affirmatively obtain the individual’s consent in advance – whether during the process of registration, through formal acceptance of terms of use that clearly solicit consent, or through any other means. Clearly, if you plan to share this information with third parties in connection with online behavioral marketing efforts, you should indicate that to the individual. In all cases, the principle notes that you should always provide the individual with the right and an option, at any time, to opt-out of the use of his or her information for such purposes.

As mentioned, this is the sixth of the seven principles being highlighted, but if you would like to read the entire “Self-Regulatory Principles for Online Behavioral Advertising” report now, in its entirety, just follow the link. Legal Bytes will be bringing you a summary of the remaining principle next week. And now, as always, if you have any questions or need help, please feel free to contact Anthony S. Traymore or me, or any of the Reed Smith attorneys with whom you regularly work.

Self-Regulatory Online Behavioral Advertising Principle No. 5: Material Changes

Here is the fifth installment in our series summarizing the seven principles contained in the Self-Regulatory Online Behavioral Advertising Principles released by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. For reference, the seven enumerated principles are:

The Material Changes principle requires an organization engaged in behavioral advertising to obtain consent before applying any material changes to its existing online behavioral advertising policies and practices – specifically, to the data collection-and-use policies and practices that apply to data collected prior to the effective date of any material change to these policies and practices.

This principle also makes it clear that a change in policy or practice that would result in less data collection or more restrictive use of the data (i.e., less or more restrictive use of the data than existing usage) is NOT a material change that would require prior consent. This makes sense considering that the purpose of the principle, when coupled with Transparency and Consumer Control, is not to merely give consumers an absolute right to consent or to reject any and all changes, but only those that would broaden, deepen or alter in an expansive or materially different manner, the existing collection-and-use practices of the organization. If a change would result in less data being collected or more constrained use of the data being collected, a consumer would likely be notified of the change, but consent would not be required.

Legal Bytes will be bringing you a summary of the remaining two principles in the next week. And now, as always, if you have any questions or need help, please feel free to contact me or any of the Reed Smith attorneys with whom you regularly work.

Could the Government Seize Control of the Internet?

The text of the Cybersecurity Act of 2009 (the “Act”) is now available, and individuals, organizations and associations, and, of course, lawyers, are now starting to digest its contents. 

This legislation, introduced by Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), would appear to give the federal government sweeping and unprecedented authority over the Internet. Section 2 of the bill starts off with a lengthy series of observations about horrible things and consultants’ wisdom concerning our vulnerability to “attack.” Curiously, it is unclear exactly how the bill and the powers to be granted the government will correct that issue. But I digress.

So when the title of this post says “the Internet,” you’re kidding, right? Of course, you must mean government-operated networks or defense or intelligence systems, right? Well . . . not really. Hmm. Then you must mean those critical infrastructure systems related to national defense – you know, communications and transportation systems? Well . . . not exactly. You see the bill includes, within the meaning of systems and networks covered by the Act, “State, local, and nongovernmental information systems and networks in the United States designated by the President as critical infrastructure information systems and networks.” In other words, we’ll know what they are when the President tells us what they are. Comforting for federal legislation, isn’t it?

Non-governmental includes financial institutions – then again, the government already owns a chunk of those anyway – wired and wireless carriers, electricity grids, gas and power systems, and air and rail transportation systems, to name a few. All of these are currently in the hands of private companies and management. Go ahead, name some systems that aren’t directly or indirectly critical or connected to critical systems – my refrigerator, for instance, or your digital music account.

There is even a section in the Act that proposes to enable the President, with almost no restriction, to shut down all message traffic on the Internet in an emergency, and to order the disconnection of all critical infrastructure systems in furtherance of national security. Now if that amount of authority, without any guidance or parameters built into the legislation, isn’t enough, here’s more. The bill also gives the Secretary of Commerce the right to access all relevant data concerning these critical infrastructure networks without regard to any provision of law, regulation, rule, or policy that would otherwise temper or restrict such access. No standards. No limits on what data or why. No opportunity for judicial review, much less intervention. 

Curiously, just this past June, the Government Accountability Office (GAO), in testimony before Congress entitled Cybersecurity: Continued Federal Efforts Are Needed to Protect Critical Systems and Information, noted that continuing efforts to remedy systems security and network vulnerability needed far less dramatic remediation: correcting insufficient access controls, improving network management, fixing inadequate or poor audit procedures and ineffective information security programs, and in some cases, simply adding encryption where none exists today. Critics of the Act have questioned whether granting the President far-reaching and ambiguous power is proper, but just as significantly, whether such power will actually deal with the problem.

As with many legislative initiatives, this one appears aimed at dealing with the aftermath of a cyber-attack, not at preventing one from ever occurring. Has it occurred to anyone that mandating standards for security, updating and maintaining security where appropriate, and simply requiring government or other critical systems to practice security measures that have been known for years or even decades, is much more likely to allow the nation to avoid and withstand a cyber-attack?

One can only wonder whether placing control of the Internet in the hands of the government might actually make vulnerability to a devastating cyber-attack greater. When the ‘net was first conceived, it was precisely its dispersion, diversity and lack of central control that was at its core, and its endearing and enduring characteristic. No one point of control, no single point of vulnerability. Redundancy, multiple pathways, mirror image reflections and files ensured that if one part was crippled, others would continue to function. True, times change, technology changes, and, so too, must our defense mechanisms and postures. But one has to wonder whether centralizing command and control in an emergency might not just give the bad guys a single point of vulnerability and failure to concentrate on, instead of making it more difficult – precisely when we need the Internet the most. Food for thought.

For information about security (can you say PCI compliance?) or privacy (GLB anyone?) or data breach assistance (is your identity safe?) look up Joseph I. Rosenbaum, send me an email, or contact the Reed Smith attorney with whom you regularly work. We are happy to help.

Self-Regulatory Online Behavioral Advertising Principle No. 4: Data Security

The Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, recently released its Self-Regulatory Online Behavioral Advertising Principles. When we announced these principles, we also promised to provide you with a bit more detail regarding each of these principles, which are listed below; so here is a brief summary of the fourth – Data Security. For reference, the seven enumerated principles are:

The Data Security principle requires entities to provide reasonable security for, and limited retention of, data collected and used for online behavioral advertising purposes. Consistent with the FTC standard, entities must maintain appropriate physical, electronic and administrative safeguards based upon the sensitivity of the data. Further, data collected and used may not be retained any longer than necessary to fulfill a legitimate business need (e.g., testing and auditing) or as required by law. In addition, the principle sets forth the steps that service providers (e.g., entities that provide Internet service, toolbars, web browsers or comparable desktop applications) must take in connection with data collection and use, including alteration, anonymization or randomization (e.g., hashing) of personally identifiable information; enhanced notice and disclosure at the time the data is collected; and the protection of the non-identifiable nature of data shared with non-affiliates. Under the Data Security principle, service providers will be held accountable for compliance with these principles in connection with their collection and use of data for online behavioral advertising purposes. Thanks to Stacy Marcus for her analysis.

We can now also report to you that yesterday a coalition of 10 consumer and privacy advocacy groups (i.e., Center for Digital Democracy, Consumer Federation of America, Consumers Union, Consumer Watchdog, Electronic Frontier Foundation, Privacy Lives, Privacy Rights Clearinghouse, Privacy Times, U.S. Public Interest Research Group, and The World Privacy Forum) has released a draft of their own principles, in the form of a Legislative Primer, entitled Online Behavioral Tracking and Targeting Concerns and Solutions. Legal Bytes will have a more detailed report for you on this new development in the next day or two, and in the meantime – or any time – feel free to contact me, Stacy Marcus, or any of the Reed Smith attorneys with whom you regularly work.

Self-Regulatory Online Behavioral Advertising Principle No. 3: Consumer Control

Last month we promised to provide you with a bit more detail regarding each of the self-regulatory principles that form the basis of the Self-Regulatory Online Behavioral Advertising Principles, announced by the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus. The principles are intended to provide a framework for industry participants to adopt, implement and adhere to standards of conduct applicable to their online behavioral advertising practices. Seven basic principles are contained in the report, and Legal Bytes is briefly summarizing each one, although we urge you to read the full report. 

We previously reported on the Education and Transparency principles; those links in the outline below will take you to the summaries, or you can read the overview posted when we reported on the initial release of the Self-Regulatory Online Behavioral Advertising Principles.

For reference, here are the seven enumerated principles:

Today, Keri S. Bruce highlights the Consumer Control principle that relates to the practice recommended by the report of providing consumers with additional control over whether data is collected about them and whether it is shared with others. The principle applies to third parties that collect or use behavioral advertising data and the websites from which the data is collected. The principle also applies to “service providers” (i.e., parties that provide Internet access services, toolbars, Internet browsers or comparable services, and who are engaged in online behavioral advertising). Through notices that are described under the Transparency principle, with respect to third parties and websites, consumers should be able to control the use and collection of their personally identifiable information by opting-out of having data collected or shared with non-affiliate websites. With respect to service providers, because they potentially can, by the nature of the services they provide, gain access to all or substantially all online behavioral data of a particular user when that user is online with or through the service provider, the Consumer Control principle requires industry participants to follow practices that require consumers to opt-in to data collection for online behavioral advertising purposes by the service provider. Further, even after consent is given, service providers must provide a means for the consumer to withdraw her or his consent. 

Thanks to Keri S. Bruce for her analysis. For further information, you can also call me or the Reed Smith attorney you regularly work with. Stay tuned for summaries of the remaining principles.

Self-Regulatory Online Behavioral Advertising Principle No. 2: Transparency

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” 

We promised to provide you with a bit more detail regarding each of these principles. We previously reported on Education, and today we summarize Transparency. As we go through each one, we’ll use the outline below to enable you to link to all the prior principles covered in Legal Bytes, while highlighting the one covered today. The seven enumerated principles are:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

The Transparency principle seeks clear and accessible consumer disclosures regarding the type of data collected and how the data will be used to conduct behavioral advertising. Because behavioral advertising is often conducted by third-party advertising networks that lease space on a website, the principle applies to both third-party entities collecting and/or using the data, and the websites from which such data is being collected. Under this principle, these parties would provide “enhanced notice” on the page where data is collected through links embedded in or around advertisements, or on the web page itself. Customers will have the ability to read these notices and use the information to enable themselves to take control over the use of their personal information, choosing whether they would like to permit their information to be used for online behavioral advertising purposes.

Thanks to Amy S. Mushahwar for her analysis. Stay tuned for summaries of each of the remaining principles.

Self-Regulatory Online Behavioral Advertising Principle No. 1: Education

Last month, Legal Bytes reported to you that the Association of Advertising Agencies, the Association of National Advertisers, the Direct Marketing Association, and the Interactive Advertising Bureau, in concert with the Council of Better Business Bureaus, released its Self-Regulatory Online Behavioral Advertising Principles. As reported, the major participants in the online advertising industry have proposed to apply these principles to their practices related to online behavioral advertising: “the collection of data from a particular computer or device regarding Web viewing behaviors over time and across non-Affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors.” 

Since we promised to provide you with a bit more detail regarding each of these principles, which are listed below, here is our first installment in fulfilling that commitment. The seven enumerated principles are:

  • Education
  • Transparency
  • Consumer Control
  • Data Security
  • Material Changes
  • Sensitive Data
  • Accountability

The Education principle requires everyone in the online behavioral environment to participate in meaningful efforts to educate consumers and businesses about behavioral advertising, the purpose of the Self-Regulatory Online Behavioral Advertising Principles, and the potential benefits and consumer choices that are available when these principles are followed, and to explain to consumers the means and implications of exercising their rights and the choices they may have. While the specifics of all of the proposed educational outreach are yet to be established within the framework of the industry groups that have formulated these principles, the one thing that was agreed on as a tangible, quantitative objective is that through industry-developed website(s) and a major online education campaign, the initial educational outreach would be developed to achieve at least 500,000,000 (yes, that’s five hundred million) impressions over the next 18 months. Thanks to Keri Bruce for her input. Stay tuned for highlights of the six other principles.

Identity Theft: Don't Just Yell 'Stop Thief.' Audit Something!

It was 1998 and identity theft had not yet hit the radar screens as heavily as it would during the course of the next decade. Who could predict? So when I received a call from Albert J. Marcella, Jr., Professor of Management in the School of Business and Technology, Department of Management, at Webster University in St. Louis, who said he was putting together an "audit oriented" publication for The Institute of Internal Auditors to guide professionals who were becoming increasingly concerned about online identity theft, I naturally wondered what I could contribute to that effort.

So we spent a great deal of time collaborating about what we knew, speculated about what we did not know, and tried to put the work in context—specifically, guidance for corporate auditors and security management professionals on what they needed to know as sensitive, personally identifiable information migrated online. The result, of which my contribution played only a small part, was a book entitled, Protecting Your Identity on the Web, published in November 1999 by The Institute of Internal Auditors.

Identity theft, not a brand new crime even then, had a new face in our online, digital interconnected world. And, it was growing and pervasive, and its implications—if for no other reason than the sheer magnitude of the potential risks and the speed at which they would materialize on or through the Internet—were unprecedented and were becoming global.

I now know what I could not have known then—that more than 40 states have passed identity theft statutes and that the Privacy Rights Clearinghouse website, which takes pride in cataloging such things, estimates that as of a day or two ago, 263,247,398 records containing sensitive personal information were involved in security breaches in the United States since January 2005—six years after the publication became available.

To appreciate the foresight and to learn about those audit guidelines and benchmarks, you have to buy the book. But to read my personal piece of that collaborative effort—an end-piece summary of the legal implications entitled "Technology, the Internet and Cyberspace: Challenges to National and International Privacy", you just have to read Legal Bytes.

Carpe Diem! Italy Authorizes Issuance of Online Gaming Regulations.

Gaming is a fast-growing segment of the online community—remarkable since people have actually been saying that since 1994! Well, online gaming and gambling may become more difficult (and more expensive) in places like Italy, if the Italian Chamber of Deputies has its way. New legislation ratifying and amending existing Italian law authorizes the State Monopolies Authority (Amministrazione Autonoma Monopoli di Stato (AAMS)) to promulgate implementing regulations—which are likely to be issued in early 2010 (although late 2009 is a possibility). Currently, Italy licenses online poker tournament games and fixed-odds sports betting, but online gambling in Italy is limited to Italian gamblers on internal, not international networks.

So what does the new law provide? Although absent the actual regulations it is impossible to predict with certainty, there does appear to be both good news and bad news.

First the good news. The law authorizes the introduction of online cash games—both fixed draws and card games—and permits the implementation of new online lotteries of various types and modes of play. Consequently, online games involving cash are likely to become legal and be introduced in Italy. 

Now the bad news. The tax that will be imposed on these new games is 20 percent of the total (essentially a gross profits tax). This represents an increase above the current 4.5 percent tax on “gross gaming revenues” that applies to sports betting in Italy. In cash online games, unlike tournament poker (in which a tax is imposed as a percentage of gross gaming revenue), the network operator generally takes a “rake” from each game. Thus, using a gross profits tax will allow the operator to set the rake more rationally in the marketplace, but will also result in more tax revenue.

So, bottom line, while these new provisions are likely to stimulate new online gaming, the AAMS retains very broad authority to define the basis upon which operators can customize the wagering products and services being offered. Because the AAMS still retains the right to approve each betting product, one wonders if that will not limit both innovation and competition in the online gaming marketplace. That said, gaming and gaming revenues continue to increase and tax revenue will likely follow. We’ll see if the new regulations provide additional opportunities, but as they said in ancient Rome: Cum catapultae proscriptae erunt tum soli proscripti catapultas habebunt.

Need to understand more about online gaming, or online gambling, or both? Need help? In Italy? In the United States? Anywhere? Need references? In Italy? In the United States? Anywhere? Contact me, check out my bio at Joseph I. Rosenbaum, or contact the Reed Smith lawyer you normally work with. We are happy to help.

FTC May Broaden Regulation & Enforcement of Privacy

The New York Times today has published some of the views of David C. Vladeck, the new head of the Bureau of Consumer Protection at the Federal Trade Commission, regarding the FTC’s role in protecting consumer privacy. 

By way of background, in announcing Mr. Vladeck’s appointment April 14, 2009, the FTC noted that “David C. Vladeck, who will serve as Director of the Bureau of Consumer Protection, has been a Professor of Law at Georgetown University Law Center, teaching federal courts, government processes, civil procedure, and First Amendment litigation. He co-directed the Center’s Institute for Public Representation, a clinical law program for civil rights, civil liberties, First Amendment, open government, and regulatory litigation. Vladeck previously spent almost 30 years with Public Citizen Litigation Group, including 10 years as Director.”

The FTC has been, and likely will continue to be, among the most aggressive federal agencies in the U.S. privacy arena. Traditionally, the FTC had prosecuted companies for how they collect and use consumer information, if consumers had been deceived, or if consumers had suffered economic harm. Although you can read The New York Times article in full, Mr. Vladeck has proposed adding a new thrust to the future of FTC privacy enforcement. He is reported to have suggested that if companies collect too much information from a consumer, that, in itself, is a harm to the inherent privacy of individuals AND (if his views turn out to be prophetic) is prosecutable, no matter how conspicuously or completely the nature and extent of information collection is disclosed to the consumer. This concept of damage to the "dignity" of the consumer goes well beyond the traditional U.S. privacy principles that have typically compensated consumers only when economic harm or damage has occurred, or when there are statutory penalties for violations of law or regulation.  

If Mr. Vladeck’s views transform into regulatory policy and enforcement activity, this highly subjective and vague standard (How much is too much? Why shouldn’t proper disclosure and choice be sufficient?) could have a huge impact on data collection, could lead to a huge flurry of litigation, and would arguably create a "big chill" for all—including consumers. Stay tuned.

Facebook Flap Over Ad Photos (Déjà vu All Over Again)

Last week, rumors started spreading that Facebook had changed its policy and was now allowing third-party advertisers to use your photos (i.e., images users post onto Facebook) without permission. The flap over the use of Facebook user-profile photos in advertising came into the limelight when a man, using a third-party application, saw an advertisement displayed for an online dating website, and much to his surprise—it happened to include a picture of his wife. There’s Good, Bad & Ugly.

Good news: His wife wasn’t out looking for a date. Bad news: The photo emanated from a Facebook profile photo available to companies that use the Facebook platform ad network. Ugly news: You could be next!

So here’s the scoop:

Facebook has not changed its policy and does not allow the use of your photo(s) without permission. Facebook had previously suspended two ad networks from the Facebook platform for deceptive practices and user complaints. Those ad networks were said to be using third-party applications in which these photos were embedded and, according to Facebook, that violates Facebook’s privacy policy; and the ads were misleading since they made it look as if someone’s Facebook friend had taken action when they really had not. Facebook itself issued a statement noting, “We are as concerned as many of you are about any potential threat to your experience on Facebook and the protection of your privacy. That’s why we prohibit ads on Facebook Platform that cause a bad user experience, are misleading, or otherwise violate our policies.” 

Although some Facebook users might not know it, Facebook has been running ads from its own ad system for more than a year—it lets your Facebook friends know of any direct connections you have with products and services. So if you become a "fan" of a Facebook Page, your Facebook friends might see an advertisement showing both the action you took (becoming a fan) and your profile photo along with the ad. According to Facebook, it will only do this when a Facebook user has taken some affirmative action indicating a connection with the product or service being advertised. Facebook also claims no data is shared with third parties in this process.

As best we can determine, Facebook technically only allows any user content to display in or with third-party advertising if the content isn’t being cached. While Facebook likely tries to control these networks, some obviously are not adhering to this policy, with photos then appearing not only on third-party ad networks within Facebook when they haven’t been authorized, but also in some cases outside the Facebook domain itself.

If you are a Facebook user and have actually read (and understood) its Terms and Privacy Policy, which is part of the Facebook Principles, you might know that Facebook ad networks can use these user photos in ads—they just can’t do so in violation of their privacy policy or in a deceptive manner. While clearly Facebook has an interest in keeping users comfortable with the online social media environment it has created, it will likely either do a better job of disclosing and explaining the potential uses that may be made of user information (including images, connections, and the like), or it will need to monitor and control the use of its advertising platform by third-party advertising networks that are allowed to use the platform.

Every user on Facebook is opted-in to allowing the use of their photos as described above, by default, when they sign up. Perhaps part of the flap is the fact that many users may simply have not known this. Or perhaps there's a disclosure or communication problem within the community. Facebook might also provide more visible or multiple ways of enabling users to opt-out of this feature or create more refined privacy settings so that users are given more options and more information that allows them to control the use of their photos (and other information), certainly outside and potentially inside the Facebook social media community. Most users simply may have had no clue this was the default or that this was happening. Even when they realize this is occurring, many can’t figure out how to change the settings. Currently, the only way to fix the problem is to have users change the privacy settings that are found under “Settings,” “Privacy Settings,” “Newsfeeds and Wall”; looking for the tab that says “Facebook Ads”; and re-setting your “Appearance in Facebook Ads” preference to “No One.”

HOWEVER, just so everyone is clear—this still may not opt you out of Facebook ads displayed to your friends with your photo when you expressly take action within Facebook (e.g., becoming a "fan"), but it will opt you out of third-party network ads. That said, it remains to be seen how Facebook will deal with the delicate reality of handling third-party ad networks that aren’t Facebook affiliates, since these represent a significant source of revenue for creators of Facebook applications. 

To put it more simply, if you provide a third-party application with the right to access your information (which you generally need to do in order to use the application), then technically the advertising networks can access that information, too. That’s why users should pay attention to the applications they add, and get rid of applications they are no longer using. You can do this through the “Settings” menu as well. Head for the “Application Settings” page, and if you see a menu that says “Recently Used,” change it to “Authorized” and you will see the applications you have approved with an “X.” Just click to remove those you no longer wish to have authorization. That way, you won’t wind up as a poster child for some product or service that you did not and would not ever intend to endorse.* 

If you need to know more, please contact Joseph I. Rosenbaum, or you can view his bio. Of course, you can always contact your favorite Reed Smith attorney, who will be more than happy to help you.

* Speaking of endorsements, Joseph I. Rosenbaum was actually speaking of Endorsements (and Testimonials) at a recent CLE Conference in Ireland, sponsored and hosted by the School of Law at Limerick University and previously featured in Legal Bytes. A copy of Joe’s presentation (without the embedded videos) has been posted in .PDF format in an update to the previous posting.

Your Medical Information; Just A Mouse Click Away - From Hackers?

This post was written by Adam Snukal.

Kathleen Sebelius, Secretary of the Department of Health and Human Services (“HHS”), hadn’t been on the job even two months when she found herself a defendant in a class-action lawsuit brought in the Southern District of New York. A registered nurse had brought the action against Ms. Sebelius, as well as the White House Office of Health Reform Director and the Administrator of the Centers for Medicare & Medicaid Services, alleging that certain provisions of the American Recovery and Reinvestment Act (“ARRA”) violate privacy rules central to the Health Insurance Portability and Accountability Act (“HIPAA”) and the federal Privacy Act.

The suit claims that pursuant to the ARRA, the development and implementation of a new health care information technology system that will create an electronic medical records database by 2014 will include Americans who are not covered by either Medicare or Medicaid (according to the lawsuit, Medicare and Medicaid only cover approximately 23 percent of the American population). This system, according to the complaint, poses a major threat to individual privacy, placing individuals’ personal health information “just a mouse click away from being accessible to an intruder.”

The action takes issue with ARRA’s provision allowing HHS to determine what constitutes the “minimum necessary” amount of personal health information allowed to be disclosed under HIPAA. According to the suit, “This technology will be used to deprive the Plaintiff and others of their fundamental right to privacy by requiring that their medical records be released by their health care providers and upon entry into the Health Information Technology maintained under the supervision of the Secretary will be made available without the permission of the Plaintiff to an unknown and potentially unlimited number of persons.” The action seeks an injunction to prevent distribution of payments for the purchasing of the electronic health care systems.

The standard of “minimum necessary” is a central tenet of the HIPAA laws, which require that when a health care provider uses or discloses personal health information, or requests personal health information from others, the provider must undertake reasonable efforts to limit itself to “the minimum necessary amount of PHI to accomplish the intended purpose of the use, disclosure, or request.” Under this standard, providers must develop policies and procedures that limit information uses, disclosures and requests to those necessary to carry out the organization's work. That includes identification of those within the provider’s workforce that need access to carry out their duties, and reasonable efforts to limit access accordingly. HHS has been clear that the minimum necessary standard that health care providers are required to follow calls for the employment of a "reasonableness" analysis, so that a provider’s functions are not unduly restricted.

Few elements of HIPAA have generated more controversy than this standard, but if this court elects to embrace that standard, the likelihood of the success of this action on its merits may seem remote. HIPAA places a heavy emphasis on maintaining the privacy of an individual’s personal health information, and if the ARRA regulations applicable to the manner by which health information electronic systems are permitted to collect and share personal health information are consistent with HIPAA’s standard of reasonableness, there will be a substantial burden of proof for the plaintiffs to overcome.

If you need to know, you need to contact Adam Snukal, or you can always contact your favorite Reed Smith attorney who will be more than happy to help you.

Facebook Adds Personalization & a (Brand) New Dimension?

On Tuesday, June 9, the popular social networking website, Facebook, announced that on Saturday, June 13 at 12:01 a.m. U.S. EDT, it will allow its registered users, subject to certain criteria and qualifications, to create personalized URLs for profiles and pages on Facebook. Currently, a user’s Facebook URL consists of the URL followed by numbers.

Allowing users to register personalized names on the web raises, among other things, infringement issues under federal and state trademark and related intellectual property laws, particularly for owners of well-known brands. Any registration process creates fears of cyber squatting and other attempts to hijack trademarks and brand names. Sometimes these fears are well founded; other times they are not. You may have already received bulletins from law firms and bloggers eager to alert you to the fact that Facebook has also announced it has created an online submission form that allows owners of registered trademarks to notify them of their IP rights. Ostensibly, Facebook intends to use the information submitted to preclude others from attempting to use registered marks in personalizing their URLs on Facebook.

While we applaud advising clients and friends of this development, we believe the matter is considerably more complicated than previous briefs and hasty reports may indicate. As is so often the case, the devil is in the detail, and the information below will give you a deeper look at the issues before racing to submit notifications of your IP rights to Facebook.

What Brand Owners Need to Know

The online form created by Facebook for submissions by registered trademark owners allows submission of only one trademark registration at a time, and it is not clear whether your notification will protect only the exact registered mark or variations (subtle, phonetic or otherwise). While URLs are not case-sensitive, trademark owners are painfully aware that "case" is not the most frequent problem encountered when protecting one's brand names and intellectual property rights.

Facebook is limiting the "initial" URL registration period, beginning June 13, (a) to individual users who already had a user profile page prior to the June 9 announcement and (b) to administrators of Facebook Pages (i.e., Facebook pages owned by businesses, public figures, brands and artists) that were live prior to May 31, 2009 and that had at least 1,000 fans at that time. If your Facebook account does not meet these requirements, you have to wait until June 28 to register a personalized URL.

The submission form appears to apply only to registered trademarks, and the owner (or the owner’s authorized representative) is asked to include the registration number on the submission form. While state and foreign registrations are not addressed (either on the form or in the FAQs provided by Facebook), presumably any bona fide registration number in the field could suffice—but that is neither clear nor certain.

Facebook has given trademark owners a very short window of opportunity to provide advance notification to Facebook of their IP rights. If a trademark owner has not done so by end of the day Friday, June 12, presumably any qualified user can register a personalized Facebook URL using a brand owner's mark. Facebook also has indicated that personalized user/page URLs will not be transferable and can be removed or reclaimed by Facebook at any time—further measures Facebook can take to prevent abuse. These mechanisms, procedures and buzz aside, owners give up no legal rights by not submitting forms to Facebook in advance, and Facebook already has a form to use to report infringements after an alleged violation occurs, even if one hasn’t provided advance notification. FYI, allegations of copyright infringement can be dealt with by submitting another form provided by Facebook that applies to "take down" notices under the Digital Millennium Copyright Act (DMCA).

The $64,000 Question

If you are a trademark owner, should you submit forms and notify Facebook of your rights, or wait to assert claims if and when infringements occur? This is not an easy question to answer.

First, you are under no obligation to do anything, nor does this feature mean that if you do nothing, you are somehow giving up your legal rights. By failing to notify Facebook, a trademark owner does not waive any rights to its intellectual property otherwise provided by law. It simply means that a trademark owner may have to do what intellectual property rights-owners do all the time—enforce its intellectual property rights after an infringement has occurred.

Second, while the notification form doesn’t indicate that the submitter is agreeing to any terms and conditions, nor does it require being a registered user to submit a notification form—either before or after—one might conjure up a legal argument that by voluntarily submitting a form (where one has no legal obligation to do so), one is agreeing to use the procedures and accept the terms and conditions that apply—at least insofar as one’s dealing with Facebook in connection with handling these matters and enforcing one’s rights (e.g., if the owner has an issue with Facebook in dealing with brand name and trademark issues).

Take one example: What if Facebook simply does nothing with your notification? After all, there is no legal obligation imposed on Facebook to police your marks. What if one year from now, Facebook opts to impose a charge for maintaining or registering personalized URLs? Facebook's terms of use (referred to by Facebook as the "Statement of Rights and Responsibilities") provide exclusive venue for claims or disputes against Facebook in the courts in Santa Clara County, Calif. Could an argument be made that you may now have consented to that jurisdiction exclusively? If you don't have to face such an argument, a trademark owner is clearly free to proceed in virtually any competent jurisdiction in the United States, including the trademark owner’s home state. Whether that is an advantage or not is debatable, but it—like many other issues that arise from such voluntary submissions—is an unresolved issue. Bottom line, you have no duty to act, nor does failing to act deprive you of any of your legal rights. But if you do act, some lawyers may be able to claim that your actions have implications and consequences.

On the other hand, if a brand owner or its authorized licensee currently has a Facebook Page, it is already subject to Facebook’s terms and conditions. Under such circumstances, notifying Facebook of your rights using the form may be the easiest way to avoid a needless intellectual property battle that will most certainly cost more than the time spent completing a form.

The Evolution of Brands into Social Networks and Media

Facebook is adding another dimension to social networking—allowing personalization of pages while seeking to develop mechanisms to deal with brands and brand owners. Facebook users interact with brands as well as people. The personalized URL launch is another example of the convergence of interactive advertising, social networks and intellectual property protection. While Facebook’s latest offering may be the next evolutionary step forward, it may also be a passing fad. Time will tell. But one thing is certain:

If you are a brand owner with trademark registrations, you need to consider all of the issues before blindly jumping on anything that appears simple and easy, but that may have unforeseen consequences (and costs).

If you need to know more or if you have any questions, contact me through my website page, by email, or by following me on Twitter, or contact Keri Bruce, Douglas Wood, Carl Pierce, Adam Snukal, Greg Shatan or Tracy Zurzolo Quinn. Of course, if they aren't among the names above, you can always contact your favorite Reed Smith attorney who will be more than happy to help you.

Gift Cards Tag Along with Credit Card Legislation

We previously reported its progress in Legal Bytes and last week, President Obama signed into law the Credit Card Act of 2009. Although the bulk of the Act (and the bulk of the publicity surrounding its enactment and passage) deals with credit cards, it also amends the Electronic Funds Transfer Act and implements federal regulation of general use pre-paid cards, gift certificates and store (retail) gift cards. The new law is scheduled to take effect Aug. 21, 2010, and substantively deals with dormancy fees (so-called “inactivity” or service fees) and expiration dates. 

In the area of dormancy or inactivity fees, the new law prohibits them unless there has been no activity for 12 months. In addition, in order to impose any such fees, certain disclosures must be made to the consumer prior to purchase. The new law also prohibits expiration dates of less than five years, and requires clear and conspicuous disclosure of the expiration date, if any. In addition, gift certificates issued as part of an award, loyalty or promotional program (i.e., no money or other consideration is given) are, as is the case with many state laws, excluded. And speaking of state laws, the Act specifically does not pre-empt state laws that provide greater consumer protection. 

What else should you know? First, plastic cards and payment code devices used solely for telephone services or that are reloadable, are not marketed or labeled as gift cards or certificates, not marketed to the general public, and issued in paper form only (including those that apply to tickets and events), are not covered by the requirements of the new Act. Second, the law authorizes the Board of Governors of the Federal Reserve, in consultation with the FTC, to develop requirements concerning the amount of dormancy fees that can be charged (only once each month), and to more carefully seek to define which provisions of the Electronic Fund Transfer Act and Regulation E apply in this context.

So, for states that have had no, or lesser, consumer protections, the Act clearly establishes a minimum federal threshold for the imposition of dormancy fees and the prohibition of expiration dates earlier than five years. For states that already have or may yet impose more stringent requirements, those requirements are specifically permitted under the Act, so you will still have to keep track of state requirements in this area. 

If you need to know, you need to contact Keri Bruce or Joseph Rosenbaum – or your favorite Reed Smith attorney – who will be more than happy to help you.

Employees Off-Work, But Online

This post was written by E. David Krulewicz and Cindy Schmitt Minniti.

Facebook, MySpace and Twitter have become household names, a ubiquitous part of the daily lives of many and often a tool for keeping in touch with friends and family. These websites are increasingly being used by individuals to document their daily lives and activities, voice their concerns and post their opinions for the world to read and to respond. The business community has also turned to these “social media” websites as means for marketing their brands and, in some instances, for obtaining information about current employees and prospective job applicants. A series of recent cases reminds us there are significant risks related to the posting and/or use of information discovered on “social media” websites.

For example, in Pietrylo and Marino v. Hillstone Restaurant Group, a case pending in the United States District Court for the District of New Jersey, two individuals sued their former employer after they were terminated for posting complaints about their workplace on an invitation-only discussion forum. Much to the employees’ surprise, managers from Hillstone Restaurant Group were able to access this discussion board (although the parties dispute whether the managers had a right to do so) and were less than pleased with what they read. The employees were quickly terminated and a lawsuit followed.

In their complaint, the former employees assert their employer not only violated state and federal Wiretap and Stored Communications Acts by accessing the invitation-only forum, but wrongfully terminated them in violation of New Jersey’s public policy favoring free expression and privacy as embodied in the U.S. and the New Jersey Constitutions. Their employer has denied the claims and asserts the plaintiffs were “at-will” employees who could be terminated for any reason or no reason at all.

Ultimately, the question of liability may hinge upon whether the employees had a right to privacy for statements made online and whether the employer has a right to make disciplinary decisions based on an employee’s off-duty conduct.

Although legal commentators and privacy advocates debate how the trial will unfold when the case goes to trial later this summer, they all agree the case highlights real-world issues that can follow an individual’s seemingly innocent decision to post his or her thoughts on a social networking website. This is far from an isolated incident – indeed, the sports media recently reported a similar incident involving the Philadelphia Eagles’ termination of a long-time employee for disparaging the team’s management and its decision to release a prominent player on his Facebook page.

While it is unclear if any of the companies in the cases above had a policy or provided instruction to their employees on these issues, it should not surprise you that increasingly business employers are finding they must do so. Clearly, before making decisions or taking action against employees for online, but off-duty conduct, employers should seek legal counsel from lawyers who understand these issues and can guide you in this dynamically evolving environment – where federal and state (and sometimes municipal or local) law may apply and little, if any, precedent currently exists. Worried? Need help? Need to understand more? Contact E. David Krulewicz or Cindy Schmitt Minniti or the Reed Smith lawyer with whom you work. 

Update:  Today, May 20th, after this story was posted, the U.S. House of Representatives also approved the bill regulating some common credit card and gift card industry practices. It is likely President Obama will sign the bill once it arrives on his desk.

Google To Launch 'Interest-Based' Advertising

Rumor has it that Google will be launching its much-publicized "interest-based advertising" in April, allowing advertisers to serve ads based on a user's prior interactions (e.g., browsing the advertisers' websites, tracking interests). Google will track categories of web pages that users visit in Google's content network and if, for example, a user visits motion picture and film pages, Google may add them to a corresponding interest category that might be labeled "motion picture aficionado." As we understand it, Google will enable use of the DoubleClick DART cookie in advertising served on websites with AdSense for content advertising. Thus, when a user browses an AdSense publishers' site and views or clicks an ad, the user's browser may have a cookie added.

For you loyal Legal Bytes readers, that means you should review your online terms of use, terms of service, privacy policies and online disclosures to be sure they cover this activity if it applies to your web presence, advertising and marketing activities. If you will need to and you don't already take third-party ad servers into account, you may have to amend these to do so. 

As you know, Legal Bytes cannot provide legal advice (you have to be a client for that). Nor could we possibly advise without knowing the specifics about you, your situation, your jurisdiction(s), or the facts that apply. But consider the following sample (which assumes only non-personally identifiable information is collected) that illustrates the type of language one might consider:

We or our advertisers use third parties to serve advertising on our website and web pages when you visit or browse, and some of them use cookies or other technology to collect information about your visit. This information may be used to improve the operation of our website and enhance your experience as a visitor and user, and also to serve advertising about goods and services that might be of interest to you. No personally identifiable information (e.g., name, address, email or phone number) is collected this way or in this process.

Of course, you can add links or contact information for those who want more information, and you may even direct them to the applicable Google web page, or any other third-party ad-serving network’s corresponding page to either get more information, or learn how to opt out of or disable cookies.

Now go call the Reed Smith lawyer you normally deal with for help or contact me (Joseph I. Rosenbaum). We put together and advise companies in connection with their terms of service, privacy policies, and disclosures, and their online, wireless and web presence, all the time. How can we help you?

Court Affirms FCC's Rule Requiring Prior "Opt-In" to Share Customer Data

A U.S. Circuit Court in the District of Columbia has upheld the FCC's rule that requires telecommunications carriers to obtain prior "opt-in" consent from customers before disclosing their personal information to joint venture partners or independent contractors for marketing purposes. The rule, which was adopted in 2007, covers all Customer Proprietary Network Information (CPNI) and also applies to service providers offering VoIP (Voice Over IP) services to customers. For those who don’t stay updated on what the FCC rules mean by CPNI, it includes information such as the phone numbers called by a consumer, the frequency, duration, and timing of the calls and any additional services the consumer is receiving (e.g., call waiting). Our telecommunications experts expect the FCC to enforce this rule aggressively. If you want to read the case yourself, go to National Cable & Telecommunications Association v. FCC, but if you really want to understand what it means to you, contact Robert H. Jackson or Judith L. Harris in our Washington, DC Office.

FCC Issues Parental Controls' Inquiry for Video and Audio

On March 3, 2009, the Federal Communications Commission (“FCC”) released a Notice of Inquiry to implement the Child Safe Viewing Act of 2007 (“CSVA”), which directs the FCC to examine advanced parental control technologies that would be compatible with various communications devices and platforms.

Click here to read the full alert, written by Amy S. Mushahwar, Judith L. Harris, and John P. Feldman.

Better to Lose Face Than Facebook

Facebook, the very informal and ostensibly open social network, hinting at an apology for what its CEO acknowledged were “overly formal and protective” Terms of Service, did an abrupt about-face recently, retracting them and reverting to its old Terms of Service—presumably reacting to a sea of complaints from just about everyone. Complaints? Over legal terms—does anyone still read them? Well, they do, and they didn’t like what they read—particularly the part that claimed unrestricted, perpetual ownership of your personal data, even if you decide to delete your entire account and go away. 

While we respect Facebook’s right to better manage, control, and disclose to consumers how and for what purpose it treats and handles personal data, it highlights a number of things the online world continues to teach us. First, don’t assume those innocuous changes buried somewhere in terms of service, terms of use, privacy policies, codes of conduct, rules of the road, or whatever you choose to call them, aren’t being scrutinized—by consumers, by your customers, by the media and, lest we forget, by regulators and legislators. While Facebook has not admitted it was caught a bit red-faced, it is taking your feedback in a “Facebook Bill of Rights and Responsibilities” group to which you can contribute your thoughts. For those in the know, Facebook’s population has grown to more than 175 million users—does that make it the sixth-largest country in the world? Hmm, I wonder if that country has a growing budget deficit too; we’ll have to wait for the State of the Reunion speech, when results are posted, to find out.

Red Faced or Saving Face. Facebook Faces the Music!

Facebook has built a highly popular business, but it turns out making that popularity profitable appears to depend, in large measure, on advertising. Sound familiar? So Facebook announced a new program, Beacon, an online tracking tool. No, online tracking certainly isn’t new: companies track where your browser has been and your online activity, and routinely serve up ads based on “preferences”—where you have been, what you look for, and what you purchase. But that takes place behind the scenes—you just see the results: relevant, targeted advertising.

Facebook has taken online tracking one step farther: Beacon sends messages telling your Facebook buddies what you are buying and, in some cases, what you are doing. So don’t plan that surprise trip to Puerto Rico just yet—buying a ticket might ruin the surprise. In fact, don’t come back from the trip and rate the hotel—your friends who weren’t invited will know you’ve been there.

Facebook faced criticism last year when its “News Feed” function came under fire. Media and industry pundits and Facebook executives note often schizophrenic and hypocritical marketplace attitudes. Indeed, there is some irony to be considered when the generation that posts profiles, adding everything from drinking, sexual preferences, and religious affiliations, to family videos, in blatantly public web-spaces, complains about privacy. But consumers still distinguish between their choice to share, and allowing a host to decide what, when, where and how to share information about them, or whether to characterize activities as some form of an “endorsement without consent” to their friends.

As usual, privacy and consumer advocacy groups were poised to file complaints with the FTC, right on the heels of investigations already launched by several Attorneys General into Facebook’s privacy practices. The New York Attorney General has issued a subpoena to Facebook for copies of complaints about “inappropriate solicitation of underage users and inappropriate content on the site.” As innovators have learned, success shines a spotlight that creates a glow—and discloses warts; let’s see if they can keep Facebook blemish-free.

Financial Supermarket? No. Financial Advertising Supermarket? Well, Maybe...

Years ago, a number of companies hoped that by offering to simplify financial record-keeping and collect your financial information in one place, consumers would find it easier than trying to keep track of all of the numbers, codes and IDs they have to contend with in the real world. The concept fizzled, primarily because there was resistance to giving one website all the information—putting all your nest eggs, so to speak, in one basket. Now, some companies are hoping to revive the concept, this time with the lure of education, advertising and sponsorship.

Although the basic idea remains, the new aggregation model uses sponsored links—recommendations based on an analysis of consumer data and financial information—all geared to educating consumers about the availability of financial products and services. Just as search engines accumulate information about browsing—to prioritize and serve advertising believed to be of higher value to the individual—these new sites use the same model to recommend financial services. If you use a credit card to purchase airline tickets, the site might recommend or display an advertisement for an affinity credit card tied to an air carrier or one which offers points for your purchases. Use an overdraft line of credit for your checking account? You might see an advertisement or recommendation to consider a home equity line of credit to potentially lower your tax bill while you borrow.

While advertising-supported revenue models may have greater appeal from an economic viewpoint and may attract financial institution sponsors and advertisers, these sites still have to overcome consumer discomfort with making all—or a significant portion—of their nonpublic financial information available at a single point of aggregation. With the identity theft, data breach and privacy issues front and center in the past few years, one has to wonder if the power of advertising can overcome that anxiety.

Disclosures, Decency and Data Security

For the record, privacy, data protection, information security and international law have officially converged with management, compliance and marketing. More than 30 U.S. states have now passed legislation in one form or another that requires businesses to notify consumers if an actual or potential breach of data security may lead to the compromise of personally identifiable information. This comes on the heels of several years of the government tightening its own policies regarding data security breaches and instances of compromised security.

Recently, the Office of Management & Budget, which oversees U.S. federal agencies, announced a tougher policy for government, requiring agencies to follow the security procedures checklist prepared by the National Institute of Standards and Technology (“NIST”) to protect data. An internal OMB memo recommends that data on mobile computers and devices carrying agency data be encrypted, and suggests two-factor authentication (one being separated from the actual computer obtaining access to the data).

As noted in prior issues of Legal Bytes, requirements and compliance obligations for commercial enterprises doing business across state lines and national boundaries vary, although many have common themes. If you are concerned—and you should be—contact us. We can help you sort out your current compliance obligations and help you keep track of the changing privacy and data protection landscape, both domestically and internationally. Even if you choose not to inject your views into the regulatory process, you must keep abreast of developments or risk action by consumers and regulators.

This whole area is churning with activity and, like the migration of computers from technology organizations to mainstream business management decades ago, privacy and data protection are evolving from a technology problem to an issue throughout the world of management, marketing and business process. On a global scale, disharmony in legal systems is a major roadblock to everything from the war on terrorism and money laundering, to the simple acceptance of credit cards by merchants and air transportation. Recently, Europe’s highest court ruled an agreement made in 2004 that allowed airlines to share 34 items of information about every passenger flying from Europe to the United States—in an effort to fight terrorism—is illegal. The United States threatened to strip air carriers of landing rights if an agreement was not reached, and now the European Court of Justice has allowed the arrangement to continue only until September 30 so the parties can forge a new arrangement.

A New York Senator has proposed legislation that might concern marketing professionals (Privacy Rights and Oversight for Electronic and Commercial Transactions Act of 2006, S. 3713). In addition to requiring notice to consumers, the act allows them to place a permanent security hold on credit information; requires opt-in consent by consumers to financial institutions before sharing information with third parties; and contemplates a private right of action for damages, and—if identity theft occurs—damages up to $5,000 per person.

Several years ago, the Payment Card Industry, comprised of the major credit card and payment instrument issuers and processors, announced Data Security Standards and Audit Guidelines. The standards require encryption and secure storage of personally identifiable payment transactional and related data, and merchants are faced with certifying, documenting and ensuring compliance or being deprived of the ability to accept payment instruments issued by the card industry issuers and processors. This is hardly an esoteric issue.

Visa fined BJ’s credit card processor upon discovering the processor’s system improperly kept magnetic-stripe data after sales were consummated, in violation of Visa’s operating regulations. Reissuing new account numbers and cards—in addition to covering unauthorized charges—created damages for Sovereign Bank (among others), and Sovereign sued BJ’s and its processor. A U.S. District Court in Pennsylvania has ruled Sovereign may not recover losses from its payment processor and is not a third party beneficiary of Visa’s agreements with the processor. In dismissing the breach of contract claim against the processor, the court concluded that simply because Visa U.S.A. had contracts with processors to protect its payment processing system does not mean the bank, or any other entity that touches the system, is an intended beneficiary of that agreement. This is not the only, not the first and likely not the last case involving allocation of risk and the protection of information and data flowing through virtually every merchant, financial institution and government system in the world today.

Security Breaches Causing Headaches -- Take Two Notices and Call Us in the Morning

Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!

Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.

When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised, should be restored. As a general rule, the notice should be able to identify (or you should know) the cause and extent of the breach that has occurred and should include an indication of the steps that have been taken to prevent a repetition and the continuation of the breach that has been identified. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.

Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the number of consumers affected, or the dollar amount for sending notifications, is above a certain threshold, or if there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.

As you can imagine, the laws and regulations are complex—containing numerous exceptions, alternatives and defined terms—as is how they apply to individual incidents and companies. Just as significantly, these laws are changing and evolving and increasing all the time. Shouldn’t you have a plan for dealing with the possibility that a breach of security might affect you? Do you know what your obligations and responsibilities are if a security breach occurs—to consumers? to law enforcement officials? to consumer credit reporting agencies? Do you have an information security and privacy policy that takes these things into account and do you know if it makes a difference? Reed Smith does. Call us and we can help you before a potential threat becomes a regulatory nightmare. We can help you identify policy and procedural requirements, keep you up to date on changing compliance requirements and new legislation and regulation, and provide guidance so you are prepared if a problem arises.

While we hope it never happens to you, simply reading the newspaper after ChoicePoint’s announcement on February 15, 2005, and a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.

Identity Theft Again?

Most of you have read about the security issues that have confronted LexisNexis and ChoicePoint, and each day we learn more news about more systems and databases that have been or may have been compromised. Here’s a secret: “Google hacking” is easier. It’s a term used to describe the simple act of using publicly available search engines (no, not only Google) to find information that criminals and wrongdoers can use.

Several months ago, The Wall Street Journal reported that some security experts held a contest to demonstrate how good Google hacking can be—they limited contestants to using only Google’s search engine and in less than one hour they unearthed enough information to perpetrate financial fraud on about 25 million people—including useful combinations of names, birth dates, credit card and social security numbers. In one such experiment, a team of contestants found a directory of more than 70 million social security numbers—all belonging to individuals who are no longer alive.

Yahoo! and Google and similar search engines are not the problem – these folks are continuously refining and fine tuning their search capabilities and adding more information. Why? Because we demand it; we like it; we want it. It is helpful; useful; convenient. So how do we balance the desire to have more and better information more easily available, with the need to protect our people, our customers, our society from abuses and improper use of such information? I don’t know. I do know that Reed Smith has literally dozens of lawyers who can help you with privacy, information security, terms of use and guidelines; can alert you to regulatory and legal issues; and can provide you with solutions to your problems, even when the simple answers are not always easy to find. Let us help you. Have an information security issue? Privacy compliance problem? Fraud or security breach? Now’s the time—before you are part of the problem.

Privacy is Back in the News

In last month’s issue, we mentioned (in “Gnu & Gnoteworthy”) that the F.D.I.C. released a report entitled “Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks.” Well, privacy issues are popping up all over the place again.

California Financial Privacy Act

The California Financial Privacy Act of 2003 became effective July 1st and requires banks to give customers the right to opt out of sharing information with bank affiliates with separately regulated lines of business and requires banks to get permission from customers to share information with outside companies. After the law was enacted, the American Bankers Association, Consumer Banking Association and Financial Services Roundtable filed suit claiming the Fair Credit Reporting Act, the federal law regulating sharing of information among affiliates, preempted state law and thus the part of the statute attempting to limit sharing of information among affiliates is invalid. Not so, said the Judge, to the surprise of bankers scrambling to comply: a recent notice from the California Department of Financial Institutions indicated it would begin enforcing the law immediately!

The Judge ruled that since the FCRA only applied to the sharing of “credit reports,” the California law covering a broader range of customer information was not preempted by federal law. Will the ruling be appealed? Will other states follow suit?

California Certainly is Busy

The California Online Privacy Protection Act of 2003 went into effect July 1 with some new requirements for “commercial” website operators that collect “personally identifiable information” from California residents through a website or online service. The law requires website operators to post privacy policies on their websites and requires them to comply with them. Thus, if a website operator doesn’t comply with the Act, not only does a consumer have a potential action for failure to honor the terms of the policy, but the operator would now also be in violation of California law.

Privacy and Outsourcing

In May, the FTC published its response to a letter sent by Congressman Edward J. Markey (D–Mass.) in connection with its efforts to protect personal information of U.S. citizens when information is processed outside the United States. The FTC response deals with the Children’s Online Privacy Protection Act (not to be confused with COPA, which has been struck by constitutionality problems), Gramm-Leach-Bliley, the Fair Credit Reporting Act, as well as the Do-Not-Call Registry. The report is a good summary of the non-banking regulatory framework that applies and while you can read the FTC’s responses in each category here, suffice it to say that the FTC clearly notes: “Simply because a company chooses to outsource some of its data processing to a domestic or off-shore service provider does not allow that company to escape liability for any failure to safeguard the information adequately.”

FACT Act Regulations Surface

Among other things, the Fair and Accurate Credit Transactions Act of 2003, referred to as the FACT Act, created a new provision of the Fair Credit Reporting Act providing that if an affiliated entity received information that would be characterized as a “consumer report,” the affiliate is not permitted to use the information for marketing unless the consumer has an opportunity to opt out. The FACT Act requires the FTC, banking regulatory agencies, the National Credit Union Administration and the SEC to issue rules surrounding the affiliate information-sharing provisions; and while not required to issue a joint rule, they must coordinate to avoid inconsistency in the regulations. The FTC issued its proposed rules on June 15, and on June 25 the Federal Reserve issued substantially similar proposed rules, which have also been approved by the OCC, Office of Thrift Supervision, and National Credit Union Administration. The SEC has yet to issue its proposed rules. Want to know more? Want your voice to be heard? Having problems understanding what compliance means? Call Reed Smith. Our Financial Services team, Privacy Team and a range of expertise and experience are at your disposal.

Gateway Learning Settles FTC Privacy Charges

Gateway Learning, which markets the “Hooked on Phonics” brand, settled FTC charges that it rented personal information of consumers to other companies, despite having promised not to. In the Matter of Gateway Learning Corp. (FTC File No. 042-3047), the FTC charged Gateway Learning with changing its privacy policy (an allegedly deceptive and unfair practice) after collecting the information, to allow it to share information with third parties without notifying consumers or getting their consent. The settlement prevents Gateway Learning from making misrepresentations about how it will use information it collects from consumers, from using consumer personal information collected before it made the policy changes unless the consumer consents, and restricts it from retroactively applying future privacy policy changes without first getting consumer consent. Need a privacy policy? Thinking of changing your privacy policy? Want to know how this might affect your policy? Call Reed Smith. We are happy to help. The agreement between the FTC and Gateway Learning, including the Consent Order and the original FTC complaint, can be found here.