Technology

Subscribe to Technology

In Massachusetts, wearable technologies, such as smartwatches, smart glasses, and location-tracking badges, are raising concerns from security experts as they become increasingly ubiquitous in business settings. While these devices may bring about gains in productivity, efficiency, and information-gathering, they also carry cybersecurity risks that may make sensitive data more susceptible to attack. There are other worries, too. UPS, for example, has substantially increased its profitability through the use of wearable tech that tracks its employees and collects data, helping to increase efficiency while reducing costs. While this use of technology has been a game changer in some contexts, businesses looking to adopt similar measures should carefully consider potential privacy issues as they track the whereabouts and behavior of their employees.

            In Massachusetts, data breaches reported to the Office of the Attorney General have been climbing steadily since 2008. One explanation is that technology developers, in their rush to get new products to market, may overlook safety or security flaws in their products. (Think of the security features recently uncovered in Mitsubishi’s new Wi-Fi outfitted hybrid, where hackers found they could disable the vehicle’s security system remotely.) Early adopters of new technologies are well-advised not to make the same types of mistakes, hastily seeking the benefits of new tech without considering the risks.

            How will your business avoid these pitfalls?

  1. An experienced attorney can help you reap the benefits of new technology without creating avoidable vulnerabilities within your business.
  2. By working with lawyers with expertise in addressing privacy in the workplace, clients will likely avoid being blind-sided by privacy issues.
  3.  Another benefit of working with privacy-savvy counsel is better understanding and buy-in  to the  company’s data security and privacy programs from the Board of Directors to the entry- level employee.
  4.  Frequent bench-marking of performance; training; and improvement processes are all necessary elements to blending in new technology with appropriate attention to employee and customer privacy. 

iphone.jpgIn October 2012, the Librarian of Congress, James H. Billington, decided to remove the unlocking of cell phones exemption from the Digital Millennium Copyright Act (DMCA). The act went into effect on January 26, 2013, and it made clear that consumers would not be able to unlock their cell phones on a different network without carrier permission, regardless of whether or not the user contract had expired.

The practical implication of this act is that individuals who travel abroad on business will be forced to pay expensive roaming fees in order to activate their cell phones instead of simply unlocking their phones for use on a local carrier network. Essentially, if you are abroad and you want to make a phone call, this act makes it impossible to do so cheaply, as the roaming fees will rack up substantially.

One justification offered for the non-renewal on the exemption for unlocking cell phones in the DMCA is that phones are now sold unlocked, including some versions of the iPhone and the Google Android Nexus 4. As Marguerite Reardon has observed however, these phones are much more expensive than ordinary phones as they are not subsidized by the carriers. In response to the act, a whitehouse.gov petition was immediately circulated, which got over 100,000 signatures and attracted the attention of the White House itself. The petition asked the White House to overturn the act, noting that this would result in heavy roaming fees, a reduction in consumer choice, and a decrease in the market for used phones.

Through R. David Edelman, the White House Senior Advisor for Internet, Innovation, & Privacy, the White House recently expressed support for the signatories of the petition. Edelman agreed with the signatories that those who pay full price for a mobile device and are not tied to a service agreement should be able to use the mobile device on another network. In addition to protecting consumer choice and freedom, Edelman noted that there is an obligation to support a vibrant and competitive wireless market, which would be inhibited by such a law.

Edelman offered three potential solutions that the Obama administration supports in order to ameliorate the situation. First, Edelman tasked the legislature to enact laws that will allow consumers not bound by service agreements to switch carriers without fear of criminal penalties. Also, Edelman made it clear that the FCC also plays a role here, as it is responsible for promoting mobile innovation and telecommunications. Edelman noted that Chairman Genachowski has expressed his concern for the effects the act will have on competition and innovation. Finally, Edelman put the burden on mobile phone providers themselves to work together with their customers to establish service plans as consumer-friendly as possible.

It should be noted that the renewal did not omit the exception allowing consumers to jailbreak their phones. Consumers will still be able to jailbreak in order to add software and apps; they simply won’t have the ability to unlock their phones for use in another network. Also, it is quite difficult to unlock a device without getting an unlock code from your carrier, so as long as you are careful, you should not be facing charges for unlocking your mobile device even under the new law.

Overall, the decision made by the Librarian of Congress does not place people in as much danger of criminal penalties as it does place them in danger of excessive fees, but the backlash from the cyber community to the White House itself has still been significant.

On Thursday, February 14, 2013, Attorney Jay Wolman of Raymond Law Group will appear on Fox 25 Boston News at 10 p.m., discussing drone technology and privacy law.  Attorney Wolman and reporter Ted Daniel sat down to discuss the rights of Massachusetts citizens.  Although Peeping Tom of legend spied on Lady Godiva from the confines of his house, now there is a greater threat of someone, or something, outside looking in.  By way of example, the Parrot A.R. App-Controlled Quadricopter (http://ardrone2.parrot.com/usa/ ) is a small, remote controlled aircraft that works with smartphones and tablets through wi-fi.  It is capable of taking still photographs and recording 720p HD video.  These drones have many positive uses, such as recording images for real estate sales, providing security, aerial mapping, and furthering art.  But they are also intrusive on personal space and privacy.

The drone is a combination of existing technologies: remote controlled aircraft and digital photography/video.  Primary concern is whether someone could fly a drone up to a window and spy on occupants. Whether or not an activity is lawful depends on the use and how the law already deals with these technologies independently.

First, there is the issue of the aircraft itself.  Massachusetts has a criminal trespass statute, G.L. c. 266, sec. 120.  It prohibits the entry of land if a person has previously been forbidden to do so by notice, e.g. a No Trespassing sign.  It is a misdemeanor carrying a $100 fine and up to 30 day prison term.  However, the Massachusetts Court of Appeals held that the law only spoke of entry upon land, not airspace.  See, Commonwealth v. Santos 58 Mass. App. Ct. 701 (2003) (laborer in a bucket briefly traversed the air over the property of another).  Further, the law requires specific notice.  Since most people do not post No Trespassing signs, and posting near all access points for an aircraft will be difficult, even if the law covered airspace it would be difficult to rely upon.  An arrest for criminal trespass is thus unlikely.

However, even if the police cannot prevent an aircraft from entering one’s airspace, Massachusetts residents may be able to sue those individuals who have or may enter the airspace without permission.  Smith v. New England Aircraft Co., 270 Mass. 511 (1930)(low flying aircraft a trespass).  At common law, the principle of “Cujus est solum, ejus est usque ad coelom et ad infernos” (“he who owns the soil owns upward unto heaven and downward to hell”) governed.  Landowners also owned their airspace.  Renters should take particular caution because they might only rent a dwelling, and not the land and airspace around the dwelling. 

The common law rule was limited in United States v. Causby 328 U.S. 256 (1946), where the U.S. Supreme Court found that the rights only extended one’s the usable airspace, in order to promote air travel, and not the heights at which aircraft typically travel.   The amount of useable airspace was revisited in Florida v. Riley, 488 U.S. 445 (1989), a case involving a warrantless search.  There is an overlap between Fourth Amendment cases and trespass because the police are generally permitted to occupy any space an ordinary member of the public may occupy.  A warrant is needed only where the police desire to enter and search areas otherwise off limits.  In the context of whether or not a warrantless search was unreasonable, the Supreme Court found a helicopter at 400 feet looking down did not invade privacy as air traffic could occupy that space.  It may take a Supreme Court decision again to determine how high up air rights extend.  This question will likely be analyzed in the context of “curtilage”, the area immediately surrounding one’s house.  In United States v. Dunn (1987), the Court held that “curtilage questions should be resolved with particular reference to four factors: the proximity of the area claimed to be curtilage to the home, whether the area is included within an enclosure surrounding the home, the nature of the uses to which the area is put, and the steps taken by the resident to protect the area from observation by people passing by.”  Thus, the more an area is fenced in, the greater one’s expectation of privacy. 

Second, there is the issue of unwanted photography and voyeurism.  Massachusetts has an electronic surveillance act that prohibits secret photography, video, or electronic recording of others.  G.L. c. 272 sec. 105.    It carries a $5,000 fine and 2 ½ year prison term.  However, this only applies where the subject is nude or partially nude.  Spying on other activities, embarrassing or confidential, is not made unlawful.  Massachusetts also has a statute prohibiting disturbance of the peace, carrying a fine of up to $200 and a 6 month prison term.  G.L. c. 272, sec. 53.   In Commonwealth v. LePore, 40 Mass. App. Ct. 543 (1996), review denied 423 Mass. 1104, the Court of Appeals found that an activity that may cause alarm to a person peered at creates a breach in the public peace.  See also, Comm. v. Cahill, 446 Mass. 778 (2006) (citing LePore approvingly).   However, these laws may be challenged if the activity is performed by drone, even with a person at the command, rather than a person directly peering. 

These drones will certainly be further developed and modified.  If audio recording capability is added and used, Massachusetts prohibits such recording without consent.  See, G.L. c. 272, sec. 99.  Use for corporate espionage may violate federal law under the Economic Espionage Act of 1996, 18 U.S.C. sec. 1831. 

Civilly, Massachusetts provides a statutory right to privacy and a violator can be sued for taking such photos and videos.  G.L. c. 214, sec. 1B.  Again, it is limited to where you have a reasonable expectation of privacy.  See Nelson v. Salem State College, 446 Mass. 525 (2006) (a photo in an office, in front of large window, on government property, was not an invasion of privacy).  Massachusetts residents also have a right to publicity, that is, they can restrict commercial use of their image, once it has been taken.  G.L. c. 214, sec. 3A.

Finally, those operating drones should also be mindful of unintended consequences.  Depending on how video or stills are used, they may be collecting data about a person bringing them within the ambit of G.L. c. 93H, the data privacy law.  That law is very broad; once a person starts collecting covered data (e.g., images of credit cards and bills on a kitchen table), which may well be within the photos or videos, they may have an obligation to secure it. 

 

As technology continues to develop, the courts will continue to face challenges applying existing law to these technologies and their uses, and the legislature will need to update the law and predict developments to ensure everyone knows their rights and obligations. 

A data breach occurs and personal information about your customers is compromised. It can happen to any size business, big or small, and the costs to your business can be significant. Every company stores private information including credit card numbers and social security numbers that are vulnerable to a deliberate cyber incident such as unauthorized access to digital systems for the purpose of misappropriating assets or sensitive computer information, corrupting data or causing operational disruption.

In recognition of such a fact the federal government has become involved. A Bill, introduced by Joe Lieberman, aims to address a wide range of cybersecurity issues including data breaches. The Division of Corporate Finance of the SEC has also given Disclosure Guidance that addresses requirements for companies to disclose cybersecurity risks, incidents and related litigation.

As identified by the SEC, disclosure of cybersecurity risk factors include:

–          Discussion of aspects of business or operations that give rise to material cybersecurity risks and potential costs and consequences

–          Description of outsourced functions that have material cybersecurity risks

–          Description of cyber incidents experienced

–          Description of relevant insurance coverage

–          Description of legal proceedings involving a cyber incident

Even smaller companies not subject to SEC public disclosure requirements need to implement appropriate measures to protect internal data. Failure to do so can result in significant expenses such as fines,  disruption of business, loss of customers and litigation expenses.

Many small business insurance policies do not cover cyber incidents such as data breaches. A consult with an attorney who specializes in cybersecurity risks and litigation can help you or your company evaluate your current insurance coverage, discuss specific cybersecurity insurance options and handle any litigation that may result from a cyber incident such as a data breach.  

no_copyright.pngIt is no secret that U.S. Copyright law prohibits copying a copyrighted work such as a movie, tv show or music album without the permission of the owner of the copyright. Recently a number of lawsuits have targeted users who have downloaded copyrighted works via torrents.

How is a person identified as having illegally downloaded a copyrighted work?

Typically a person is notified by their internet service provider (ISP) that they have been identified as illegally downloading a movie. There are companies who monitor BitTorrent traffic associated with a particular movie and this is often how your IP address was identified.  

Why were you contacted by your ISP?

If a lawsuit was filed on behalf of a copyright owner in federal court it typically targets users who downloaded and/or shared a specific movie. The plaintiff will then issue a “John Doe” subpoena to the ISP to force your ISP to reveal your identity based upon the list of IP addresses that downloaded and/or shared the torrent.

At this stage, if the subpoena is issued, your ISP will send you a letter alerting you of these facts and advising you that if you do not seek to quash the subpoena they will release your identity to the plaintiff. Once the Plaintiff has your identity they will be able to proceed with the lawsuit and seek damages.

What are you options once you receive such a letter from you ISP?

While it is tempting to ignore such a letter, to do so risks a default judgment being entered against you. Do not panic and do not initiate contact with the plaintiff. Review the details of the letter and identify any factual inaccuracies. You should consult with an experienced attorney who can advise you on potential options and strategy in the lawsuit.

 

As the best informed Massachusetts technology lawyers already know, the FTC (Federal Trade Commission) and Google have announced a $22.5 million dollar settlement (the largest civil penalty ever) to address claims of unfair and deceptive trade practices in violating its privacy statement for Google Buzz – a social networking application for Gmail users.  Click Here for Bureau of Consumer Protection Business Center post with full history. 

The FTC / Google settlement underscores both the growing regulatory exposure in the area of cyber liability and the need to take privacy policies and practices seriously. Any company that does not have a plan in place dealing with cyber liability and compliance issues for data breach is taking a huge risk. Further, many companies do not take advantage of the available insurance products to reduce the risk of uninsured losses for cyber liability including failing to comply with privacy statements in user agreements for social media applications. 

Both large and small companies need to take steps now to address compliance issues for privacy and data breach laws. The best practices to avoid cyber liability can be identified and implemented as part of a consultation with a qualified cyber liability attorney.