Tag Archives: data privacy

ILN Today Post

Who needs a personal shopper…I have my iPhone!

It’s not fair to say traditional media no longer have consumer appeal; after all, the John Lewis Christmas ad makes its own headlines each year!

However, new technologies are creating ways for fashion retailers to connect with shoppers in a cheaper, more immediate manner.

Last year, Regent Street was the first street in Europe to adopt Beacon technology in each of its stores. Retailers, airports and shopping centres are increasingly adopting this evolving technology.

What is Beacon?

Beacons are small wireless devices which can be placed around stores to send electronic content to shoppers’ smartphones, using the shopper’s location in store and information on their buying preferences.

While the technology is still in fairly early stages, the possibilities seem endless.


Data, data, data

Every day people, enterprises, government organizations try to disentangle themselves from the increasing amounts of…

As studies show, data are now considered primary elements for generating “business”, and significant economic and social value is assigned to them.

Today, this phenomenon, commonly known as big data, has become a fundamental tool for a growing number of subjects who, due to the large quantities of data, can pursue an objective with subsequent and more or less foreseeable legal consequences.

Essentially, the protection described in this article is achievable in various ways, some ostensible, others real, but it is universally acknowledged that whoever wants to achieve a goal must minimize the “regulatory” and “normative” impacts in favor of the maximization of the data processing effects on their activity (be aware: we are not only referring to the profits).

From the massive use of data and sophisticated analysis emerges one of the most “decisive” threats to the fundamental rights of individuals foreseen by article 8 of the Charter of Fundamental Rights of the European Union, that triggers the so-called bureaucratic overcharge phenomenon, tackled with standard formulas, software and applications that computerize ways of thinking which fall far short of banal and lead to results of questionable compliance.

As for any other topic with legal impacts, in order to understand the ramifications of the phenomenon and to better face it, we need to start with evaluating the following variables: the legitimacy of the acquisition of information, the congruence between the purposes for which the data were collected and those for which the data will be processed, the security measures applied to the information.

Furthermore, we must resist the temptation to start from the end: from the data anonymization.

According to various position papers, anonymization, as is only logical, is considered an “additional processing”: in the presence of big data, anonymization is just one step in a more complex process.

The analysis must make it possible to evaluate the consequences of the “merge” of databases from different sources. It must be considered that, in the “reuse era”, the opportunity to gather large quantities of information from different sources has increased exponentially. In addition, individuals and public administrations that release “open data” have neither the opportunity nor the competence to anticipate the possible data exploitation from a business point of view.

Finally, let us not forget that the results of the activities on the big data can, in turn, create innovative services and as such they should be protected.

Is big data, therefore, an unmanageable phenomenon?

No; like all phenomena, big data can be managed. The legislative framework in which it evolved is not methodologically ready to protect individuals without “compromising the uses and the applications of the big data”. It is, however, possible to balance the bureaucratic hypertrophy with an approach that takes into consideration the necessary effectiveness of the processes.

Our previous experience tells us that, as of today, we resort to a “fictional” approach: we tried to demonstrate the security and the compliance of the processing, making the users feel “safe”, regardless of the effectiveness of this security. It is proven that when the data security mechanisms “crashed”, or during a control check carried out by the Data Protection Authority, the “security” was largely compromised and the risk evaluations were out of focus, revealing a depressive and neglected outline of most of the basic data protection principles.

Vice versa, using a rational approach, pointed towards privacy by design and following some precious instructions on best practices, we can reduce the risk. In particular, once the legal acquisition of information and relative consensus and the coherence with the specified purpose have been ascertained, we must find a way to reduce the risk of recognition of the individuals.

In this sense, an initial and repeated analysis of the context, and of the events and changes that can affect it, can prevent abusive control phenomena such as the reidentification of individuals, for example by introducing higher levels of uncertainty so that certain records can be attributed to more than one person (at least 3, according to the principles of statistical deontology), by eliminating the requirements that cause groups with similar characteristics to be atomistic, or by drowning the profile of the individual in a high number of others for which the characteristics of the analysis do not allow the isolation of a determined subject. This last activity can be carried out leaving intact the requirements that refer to a large number of people.

According to what has been stated so far, it must be taken into consideration that these and other measures can allow the cohabitation of big data with the current data protection framework, but the methodical approach is by far more effective than other measures adopted thus far.


Data privacy and cybersecurity attorney Dominic A. Paluzzi elected Member at McDonald Hopkins

DETROIT (October 1, 2015) – Dominic A. Paluzzi, an attorney in the national Data Privacy and Cybersecurity practice at McDonald Hopkins, has been elected to the firm’s membership.

Based in Detroit, Paluzzi works with a national team of 21 data privacy and cybersecurity attorneys and has counseled clients through more than 425 data breaches and privacy incidents in a multitude of industries. A frequent speaker and writer on data privacy law, Paluzzi has conducted some 165 breach response workshops for clients. His expertise includes advising clients regarding data privacy and cybersecurity risks on both a national and international basis, including proactive compliance, incident response strategies and management, and defense of regulatory enforcement actions and single-plaintiff and class action litigation. 


BEIRNE, MAYNARD & PARSONS PARTNER SCOTT MARRS COMMENTS ON TARGET CORP. DATA BREACH AGREEMENT

Beirne, Maynard & Parsons partner Scott Marrs was quoted in a Law360 article regarding the agreement by Target Corp. and Visa Inc. to reimburse card issuers for costs arising from Target’s 2013 cyber breach. Marrs commented that the agreement reached will serve as a “barometer for future cyber breach settlements.” To view the full article, access the below pdf.

PDF File: Target Sets High Bar For Data Breach Deals In Visa Pact


Data Privacy and Cybersecurity: Merchants beware: You could be on the hook for the next data breach

Starting Oct. 1, 2015, credit card companies and banks will enforce new terms in their acceptance guidelines, commonly known as liability shift provisions. These provisions are based on the rollout of Europay, MasterCard and Visa (EMV) technology. If there is an incident of fraud after October 1, the entity, either merchant or card issuer, utilizing inferior non-EMV technology will be held liable.

EMV is overseen by American Express, Discover, JCB, MasterCard, UnionPay, and Visa. EMV operates through the use of card dipping. A consumer dips his or her card into the bottom portion of a terminal, leaves the card in place, and removes the card when prompted. During that process, an embedded chip communicates with the terminal by sending a unique transaction code. The EMV chip is the reason credit card companies and banks are sending out new cards. Utilizing EMV technology requires customers to have an EMV credit card and merchants to have EMV card terminals available.


KEEPING UP WITH TECHNOLOGY – UNDERSTANDING THE THREATS, EXPOSURE AND MITIGATION OPTIONS RELATED TO CYBERATTACKS

Energy Executive

With cyber-attacks and cyber-threats becoming increasingly common, Beirne, Maynard & Parsons partner Terry Womac and associate Brandan Montminy discuss how management can protect their organization through awareness of and preparation for possible cyber-security breaches. To read the entire article, please access the below pdf.


CONNECTICUT PASSES ACT LIMITING USE OF VARIABLE RATES

The Connecticut General Assembly recently passed Public Act 15-90, “An Act Concerning Variable Electric Rates” (the “Act”), and Governor Malloy’s approval is expected imminently. The Act affects all Connecticut retail suppliers that either offer variable rate products or use a monthly variable rate product following the end of a fixed price contract if the customer fails to respond to renewal requests.


CONNECTICUT EXPANDS DATA PROTECTION RULES

In early June 2015, Governor Malloy signed legislation making wide ranging changes to state laws that protect personal information of Connecticut residents (the Act). Key data security expansions and their impacts inside and outside of Connecticut include the following: More…


Lessons from the Sony Hack: The Importance of a Data Breach Response Plan

In a decision emphasizing the need for employers to focus on data security, on June 15, 2015, the U.S. District Court for the Central District of California refused to dismiss a lawsuit filed by nine former employees of Sony Pictures Entertainment who allege the company’s negligence caused a massive data breach.  Corona v. Sony Pictures Entm’t, Inc., Case No. 2:14-cv-09600 (C.D. Ca. June 15, 2015).

In November 2014, Sony was the victim of a cyber-attack, which has widely been reported as perpetrated by North Korean hackers in retaliation for “The Interview,” a Sony comedy parodying Kim Jong Un.  According to the complaint in this case, the hackers stole nearly 100 terabytes of data, including sensitive personal information, such as financial, medical, and other personally identifiable information (“PII”), of at least 15,000 current and former Sony employees.  The hackers then posted this information on the internet and used it to threaten individual victims and their families.  The nine named plaintiffs purchased identity protection services and insurance, and took other measures, to protect their compromised PII.


New Privacy Tort to Play a Broader Role in Class Actions

In an era marked by rapid technologically enabled social change, constrained regulatory budgets, crowded legislative agendas and mounting evidence of the widespread under-protection of sensitive personal information, courts in Ontario have adopted an activist stance in response to innovative lawsuits launched by individuals seeking redress for alleged breaches of privacy rights. The latest example of such a response is the recent unanimous decision of the Ontario Court of Appeal in the case of Hopkins v. Kay (2015), 124 OR (3d) 481 (Ont. C.A.) in which the court upheld the lower court’s expansion of the relatively new common law tort of intrusion upon seclusion to claims which also fall within the scope of Ontario’s Personal Health Information Protection Act (“PHIPA”).

Intrusion upon seclusion was first recognized as a common law cause of action for breach of privacy which co-exists with the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) in 2012 by the Ontario Court of Appeal in the case of Jones v. Tsige 2012 ONCA 32 (CanLII). In that case, which involved improperly accessed bank-held personal information, the court stated that the following  elements needed to be satisfied in order to establish a successful intrusion upon seclusion claim: More…
