Thursday, February 25, 2016

NFL Star Files Twitter Lawsuit Against ESPN

According to The New York Post, New York Giants star Jason Pierre-Paul has filed a lawsuit against ESPN and one of its reporters, Adam Schefter, for Tweeting a photo of his medical records. Last July 4th, Pierre-Paul was involved in a fireworks accident that severely damaged one of his hands, and the incident created a feeding frenzy among the media to determine the extent of Pierre-Paul's injuries.

Under the Health Insurance Portability and Accountability Act (HIPAA), the hospital and its employees owed a duty of medical privacy to Pierre-Paul.  The media is not a covered entity under HIPAA so it doesn't apply to ESPN or Schefter.  It has been reported that the hospital that treated Pierre-Paul has already settled with him most likely because it had the most to lose if the matter went to trial since it was a covered entity under HIPAA.

While HIPAA doesn't cover ESPN/Adam Schefter's actions, Pierre-Paul may have an actionable claim under Florida state law or common law. If ESPN/Adam Schefter had contacted me before posting Pierre-Paul's medical records on Twitter, I would have advised against Tweeting out the photo or posting it online on another platform due to potential legal liability. While it's too soon to speculate on how Florida state law or common law may affect the outcome of this case, it should make people think long and hard before they post the medical records of others online without express written consent.

I have previously written about ESPN's corporate social media policy that covers its reporters here and here.  The bottom line is that professional sports teams, athletes, and those that work in the sports field need to become better educated about the legal implications of their actions whenever they utilize digital platforms. One wrong post or action/inaction that leads to a digital post may create millions of dollars in legal liability.  

Copyright 2016 by the Law Office of Bradley S. Shear, LLC. All rights reserved.

Wednesday, February 24, 2016

Apple vs. the FBI: We Can Have Both Privacy And Security

Can we have both privacy and security?  That is a question that has been popular since 9/11/2001.  I believe we can have both.  As someone who personally witnessed the terrorist attacks on The World Trade Center from a couple of blocks away (and became homeless because of them and eventually moved), I am fully well versed on these issues from the security side.  As an attorney who focuses on technology and privacy issues and who has advocated for stronger personal privacy laws on the state and federal level, I also understand the inherent privacy issues.

To recap the latest privacy vs. security debate: the U.S. Justice Department is demanding that Apple help unlock an iPhone that was utilized by the San Bernardino terrorists who killed 14 people and injured 22 in 2015. Without getting too technical, the FBI has requested (there have been multiple requests/back and forth between the parties) that Apple create software or disable some security protections on an iPhone that would weaken its encryption to allow the FBI to ensure that it may access the contents on the device. According to The New York Times, the FBI has also requested that Apple assist it with unlocking at least 9 other iPhones.

Weakening encryption or creating back doors into our technology may sound like a good idea for this one case; however, there are and will be other cases where similar requests will be made to access information stored on electronic devices. If the FBI is provided a back door for this one case, security services from other countries will also demand one for their cases (there could be demands for access to phones belonging to government political opponents or to whistle blowers). In addition, hackers may also utilize back doors, which would harm the privacy and personal security of all of us.

I am in favor of law enforcement being able to access digital content when a valid warrant has been obtained.  However, the legal process needs to be followed before content requested is turned over. In general, a major problem with our current legal process is that our digital laws are outdated. For example, the 1986 Electronic Communications Privacy Act which governs email access was created before we had smart phones and the Internet as we know it.  The judiciary is stuck trying to interpret laws that are woefully out of date.

Congress must step up to fix this process.  Bills such as the Email Privacy Act, and the Law Enforcement Access To Data Stored Abroad Act-LEADS need to be enacted because these bills demonstrate that government is willing to update our laws to better reflect how we utilize technology. Absent a legislative fix, private industry has a challenge when law enforcement makes certain demands which are more than just data requests. Should they comply absent trying to block these demands through the courts or should they fight law enforcement demands via a flawed legal process?

This case and others like it demonstrate the need for more dialogue on these issues and the enactment of legislation that provides clearer guidance on how to handle these issues. Technology is moving too fast to leave it solely up to the judiciary to try to interpret how laws enacted decades ago for a different time should apply in the Digital Age.  Our personal privacy and national security demand that Congress and the White House work on a long term solution to these important privacy and security issues.

Monday, February 22, 2016

Kurt Rambis, Twitter, Sports, and Social Media Reputation

The Kurt Rambis Twitter Fail has been blown way out of proportion by the media. Coach Rambis allegedly "liked" a female masturbation photo. Whether he intentionally "liked" it or it was "liked" by accident is up for debate. Unfortunately, in the Digital Age any non-puritanical digital activity may become a news story for those who hold high profile positions in the world of sports, entertainment, government, politics, business, etc.

When using a digital device, it is easy to accidentally "like" a Tweet or indicate a preference for a particular post when scrolling up or down on a smart phone.  I have accidentally "liked" Tweets in the past and didn't realize it until reviewing my digital activity at a later date. It is entirely possible that Coach Rambis' Twitter account was hacked. Did the hackers also make Coach Rambis follow @GreatAssDaily?   

I have had multiple clients who have been targets of hacking and other nefarious digital attacks. If Mr. Rambis' account was hacked, as the Knicks claim, he/the team should file a complaint with the proper state and/or federal authorities.

Whoever is advising the Knicks and Coach Rambis regarding this matter failed miserably. There are significant legal, business, and personal and corporate reputation issues involved. The bottom line is that many PR firms and social media consultants don't understand how intertwined these issues have become in the Digital Age and it shows when an incident like this occurs.

Sunday, January 31, 2016

US-EU Safe Harbor Deadline Passes Without A New Data Transfer Deal

According to The New York Times, United States (US) and European Union (EU) officials were unable to reach an agreement on an updated International Safe Harbor agreement before the January 31st deadline. The agreement covered how digital data (e.g., social media content, financial data, etc.) could be transferred between the continents.

The Safe Harbor Agreement that was implemented in 2000 between the US and EU contained principles that allowed companies (i.e. tech companies and other multi-national companies) to comply with EU data protection laws when moving data from Europe to the United States.  US companies that process and/or store individuals' data may self certify that they adhere to 7 principles that comply with the EU's data protection laws.

The 7 principles include: notice, choice, onward transfer, security, data integrity, access, and enforcement. The initial Safe Harbor agreement was meant to be an interim agreement; however, it lasted approximately 15 years. A couple of years ago, EU and US regulators began negotiating an updated agreement to take into account how technology has changed over the years. Last October, before a new agreement was finalized, the current one was invalidated by the European Court of Justice via a complaint from Austrian privacy advocate Max Schrems. Mr. Schrems gained publicity several years ago for his privacy advocacy that was highlighted in the documentary Terms and Conditions May Apply when he demonstrated how much data Facebook was collecting about each of its EU users.

Now that the deadline has passed, what comes next?  According to The New York Times, the sides still have a lot of details to work out. Therefore, until a formal announcement is made it is premature to speculate on the next step.  As I told LAW360 the other day, businesses need certainty regarding transatlantic data transfers and if an agreement is not forthcoming companies will need a Plan B. 

If consumer groups file complaints as The New York Times indicated may occur, these issues may need to be adjudicated via the courts. At this point, uncertainty is the status quo and this may create unintended service disruptions for companies that transfer digital data between the continents. My hope is that an agreement is reached sooner rather than later that is flexible enough to account for future technology changes.  

Thursday, January 28, 2016

How Much Is Your Data Worth To Facebook?

Facebook recently released its fourth quarter 2015 earnings and it demonstrated that the social media giant is hitting its stride.  It made an average of $3.73 off each of its users around the world.  However, in the United States and Canada, it made an average of $13.54 off each of its users.

What do these figures mean exactly? Well, they demonstrate that there is value in the information you provide to Facebook in exchange for utilizing its service. Therefore, every time you provide Facebook information about your personal life (e.g., date of birth, marital status, kids, etc.), upload a photo, "like" a corporate page, etc., that is data that may be sold to data brokers, advertisers, and others. There is tremendous value in your personal information.

Due to Facebook's very troubling privacy policy and data usage practices, I don't trust the platform with my personal data and/or my family's information.  I have limited personal information on my Facebook account with intentionally misleading content to protect my family's personal privacy and safety.  Your Facebook account may create tremendous legal problems for yourself and put you and your family's personal safety at risk so the value of your data should be a wake up call.

If someone wants to get in touch with me they can call me or email me.  Those who want to say hello know that poking me via Facebook will not get my attention.  It never has and never will.

Friday, January 8, 2016

Ex-St. Louis Cardinals Scouting Director To Plead Guilty To Hacking

Accessing the digital accounts of others without their authorization may destroy your career and lead to prison. Last year, the FBI began investigating the St. Louis Cardinals because it was alleged that one or more of their employees may have hacked into the Houston Astros' internal computer network.

According to The Wall Street Journal, Chris Correa, the former director of scouting at the St. Louis Cardinals, plans to plead guilty to 5 of 12 hacking charges. Soon after the investigation became public, Correa's employment with the Cardinals was terminated. Why did Correa illegally access the Houston Astros' internal network? It appears that it was done for competitive reasons (i.e. money: winning the World Series can be very lucrative for an organization and its employees).

Computer crime is a growing industry and it will only increase as companies put their intellectual "crown jewels" in the cloud. Therefore, it is imperative for companies to train their employees about cybersecurity, cybercrime, and privacy to ensure their employees understand what they can and cannot do online. Ignorance may lead to personal criminal penalties and corporate legal and financial liability.

Tuesday, January 5, 2016

Will Twitter's New Rules Lead To An NRA Account Suspension?

In order to post to most websites and social media platforms you click "I agree" to their terms of service.  In many instances the terms provide platform owners great flexibility on how to deal with visitors to their websites.  In other words, if you want to play in their sandbox you need to agree to their rules.

Earlier this week, The Washington Post reported that Twitter changed its rules at the end of last year in an attempt to limit harassment.  In particular, Twitter's new rules state:     

Any accounts and related accounts engaging in the activities specified below may be temporarily locked and/or subject to permanent suspension.
  • Violent threats (direct or indirect): You may not make threats of violence or promote violence, including threatening or promoting terrorism.
  • Harassment: You may not incite or engage in the targeted abuse or harassment of others. Some of the factors that we may consider when evaluating abusive behavior include:
    • if a primary purpose of the reported account is to harass or send abusive messages to others;
    • if the reported behavior is one-sided or includes threats;
    • if the reported account is inciting others to harass another account; and
    • if the reported account is sending harassing messages to an account from multiple accounts.
  • Hateful conduct: You may not promote violence against or directly attack or threaten other people on the basis of race, ethnicity, national origin, sexual orientation, gender, gender identity, religious affiliation, age, disability, or disease. We also do not allow accounts whose primary purpose is inciting harm towards others on the basis of these categories.

Earlier today, The New York Daily News reported that an NRA controlled Twitter account tweeted a message with the photos of two Brooklyn state lawmakers with bullets next to their photos. This Tweet appears to have been in reaction to new legislation announced that would limit ammo purchases in the state of New York. Does the Tweet referenced in The New York Daily News violate Twitter's new rules?

Last year, the U.S. Supreme Court in Elonis v. United States stated that mens rea (intent) was required to be proven under 18 U.S.C. § 875(c) of the U.S. Code (federal law).  While the Elonis case focused on criminal prosecutions, it doesn't affect whether Twitter or other websites can make their own rules on how people may interact on their platforms.  Therefore, Twitter may at its own discretion decide to suspend the referenced account.

Tuesday, December 29, 2015

UK: Social Media Domestic Abuse May Lead To 5 Years In Jail

In the United Kingdom, a new law has gone into effect that will enable prosecutors to go after domestic abuse perpetrators who harm their victims online.  Under this law, charges may be brought in domestic abuse matters where there is evidence of repeated controlling or coercive behavior.

Controlling or coercive behavior is defined as a continuing act or pattern of acts which are used to harm, punish, or frighten a victim.  Some examples of repeated controlling or coercive behavior may include: monitoring a person via online communication tools (i.e. tracking apps on mobile devices), or threatening to reveal or publish private information.

While it's too early to speculate how this new law will be applied, it demonstrates that it is imperative to understand the legal consequences of your online interactions. Controlling or coercive tweeting, snapping, pinning, or posting may lead to prison.

Copyright 2015 by The Law Office of Bradley S. Shear, LLC All rights reserved.

Monday, December 21, 2015

The EU's Push For Stronger Privacy Laws and Safe Harbor

Last week, the European Union took a step closer to enacting stronger digital privacy laws that will make it more challenging for companies to re-purpose the data they are collecting from their customers.  These new data protections would harmonize the privacy laws across the 28 members of the EU and stiffen the potential fines for violators up to 4% of a violator's global revenue.

The European Parliament and individual member governments still must pass the new proposals, so it is not certain that this is a done deal. After all of the approvals have been obtained, the law may become effective within two years.

In general, I am in favor of strong industry self-regulation. Unfortunately, this has not worked as hoped in the digital space. Some companies are collecting massive amounts of personal information about their users and then utilizing the data for opaque secondary uses (e.g., selling the content to data brokers, psychological experiments, etc.). Because of these non-transparent abuses, EU lawmakers felt it was time to act to rein in these practices.

Some positive aspects of these reforms provide users the right to know why they are being profiled, how they are being labeled, who is using their personal data, etc... This type of transparency will lead to greater accountability and hopefully lead to some companies changing their troubling privacy policies and data usage practices.  While it may be wishful thinking, I am optimistic that these new laws will convince U.S. law makers and regulators to push for some of these much needed reforms because there is little transparency in the data collection and usage industry.  

This latest push for stronger EU privacy laws coincides with the negotiation for an updated Safe Harbor data transfer agreement which may soon replace the previous one that was invalidated earlier this year.  In our digital dependent economy, participants need to be able to transfer data between continents in a timely fashion. Therefore, I am cautiously optimistic that an updated Safe Harbor Agreement will be finalized early in the new year because in our interconnected world it is imperative for businesses to have legal certainty.  

Saturday, December 19, 2015

Homeland Security Will Vet Visa Applicants' Social Media

The Department of Homeland Security will soon expand its vetting of visa applicants to include social media.  This expansion appears to be in direct response to the recent terrorist attack in San Bernardino, California.  Surprisingly, there was a secret policy in place that banned officials from reviewing applicants' social media content.

If visa applicants urge their digital connections/followers to commit acts of terrorism against the United States and its allies online, it wouldn't surprise me if they would follow through with physical acts of violence if they are allowed to enter our country. In response to these revelations about this secret policy to not review visa applicants' digital life, lawmakers are demanding a change in policy.

Will U.S. visa applications soon include requests for usernames/account names of all of one's social media accounts? Will applicants be required to provide access to their password protected accounts? Will increased scrutiny help make us safer? There are many unanswered questions as to how the actual vetting will occur.

Thursday, December 17, 2015

EU Backs Down On Proposal To Raise Social Media Age Limit to 16

In the EU, there was a recent proposal to raise the age limit for children to access social media platforms to 16 years of age absent parental consent. The idea behind the bill was to help better protect the personal privacy and safety of children. Banning kids from being able to do something will only make them more interested in the subject. As a parent, I witness this phenomenon every single day.

After much deliberation, the EU decided against raising the age limit for social media access to 16 years of age absent parental consent.  EU member states will be free to set their own age restrictions between 13 and 16 years of age.  The debate surrounding this issue was extremely interesting because it demonstrates that law makers around the world are beginning to better understand the issues surrounding unfettered data collection and usage. 

It's important to have robust conversations on data protection and personal safety issues. Every day, our world is becoming more complex as more personal data is being generated and utilized in ways previously never envisioned, so there is a need for these types of continuing conversations.

Tuesday, December 15, 2015

E.P.A.'s Secret Social Media Campaign Violated The Law

According to The New York Times, the Environmental Protection Agency (E.P.A.) engaged in an illegal covert social media campaign to back an Obama administration rule that was intended to increase protections for our country's streams and waters, according to the Government Accountability Office (G.A.O.).

The E.P.A. disputed the G.A.O.'s findings and an official with the agency stated, "[w]e use social media tools just like all organizations to stay connected and inform people across the country about our activities...[a]t no point did the E.P.A encourage the public to contact Congress or any state legislature."

Under the law, federal agencies may not participate in lobbying. The G.A.O. stated that the E.P.A. violated the federal Anti-deficiency Act which prohibits federal agencies from spending money without authorization. Violating this act may lead to fines and/or jail time. While it's highly unlikely that anyone will be fined or sent to jail for these activities, this should serve as a wake up call to government agencies because utilizing social media for illegal activities may create tremendous legal issues that can lead to fines and/or imprisonment.

Wednesday, December 9, 2015

Wyndham Settles FTC Data Security Charges

The FTC announced earlier today that Wyndham Hotels and Resorts has agreed to settle charges that the company’s security practices unfairly exposed the payment card information of hundreds of thousands of consumers to hackers in three separate data breaches.  The settlement requires Wyndham to establish a comprehensive information security program designed to protect cardholder data and to conduct annual information security audits and maintain safeguards in connections to its franchisees’ servers.

This settlement demonstrates that the FTC will go after companies that it believes do not have the proper data privacy and security protocols in place. Companies must be careful when determining what type of data they collect from their customers, how they will safeguard the information, and how long they utilize the information. In conjunction with a data collection and usage program it is imperative to have robust privacy and security audits.

The bottom line is that companies should bake privacy and security into their customer data collection and usage programs or they risk millions of dollars in potential legal liability.

Monday, December 7, 2015

Canadian Cable Company Facebook Shames Late Paying Customers

There is a valid reason why people are "cutting the cord" and getting rid of their cable subscriptions.  Some cable companies don't have a clue about customer service.  In a very troubling report, Canadian cable company Senga Services has been publicly shaming on Facebook its customers who are in arrears.

Senga Services' behavior was deemed so troubling that Canada's Office of the Privacy Commissioner asked the company to delete its customer shaming Facebook posts. Do any of the publicly shamed customers have potential legal claims under Canadian law? What if some of the customers that Senga publicly shamed had a bona fide billing dispute that Senga refused to address? What if some customers were not properly notified of the billing issue due to a move?

Earlier this year, I switched my cable company because I had a major billing dispute. My now former cable company had lied to me for years and overcharged me hundreds of dollars. Only after I wrote multiple letters to the company and threatened to file FTC and state attorney general complaints was I finally refunded several hundred dollars.

My matter was most likely only settled by the cable company because I am an attorney who has the knowledge and means to easily utilize the proper judicial or regulatory process to obtain the money I was owed.  Most people don't have this luxury.

Companies should tread very carefully when utilizing social media to reach their goals. Too often organizations empower employees and/or agents to act on their behalf online who don't understand that their digital actions may have legal repercussions. The bottom line is that it's imperative to think before you post.

Friday, December 4, 2015

Mattel, Cybersecurity, Privacy, and Hackable Barbie

Barbie has been an All-American favorite since its introduction in 1959.  She has played a starring role in our popular culture for years; so much so that some girls have gone to great lengths to try to look like her.  The bottom line is that Barbie has become a mainstay in many homes.

For this holiday season, Mattel, the maker of Barbie, created a version called "Hello Barbie" that is going to be able to be connected to the Internet. Some privacy advocates such as the Campaign for a Commercial Free Childhood are very troubled by this new Barbie and have created a social media campaign called #HellNoBarbie because they have some major concerns about how the data being collected will be utilized.

A major problem with Hello Barbie is that parents may not always know when a particular conversation is being recorded by the doll and sent to Mattel's third party technology vendor. Pam Dixon of the World Privacy Forum pointed out to NBC News that the recordings could be utilized in divorce cases and custody battles.

Another issue is cybersecurity. Earlier today, it was reported that Hello Barbie has major privacy and security flaws that could expose the personal privacy and safety of our children. This is a very troubling report. Why didn't Mattel bake privacy and cybersecurity into the design of this toy? Mattel isn't the only toy maker to have overlooked privacy and cybersecurity issues. VTech, a provider of electronic toys for children, was recently hacked and exposed the personal information of millions of children.

The bottom line is that we are entering the era of the "Internet of Toys" where manufacturers may soon start trying to one up each other with how their products are connected online. The problem is that it appears that many of the privacy and cybersecurity issues that are paramount to protecting the safety of our kids have not been made a priority in this rush for greater profits.

As a parent, I don't want or need my kids' toys connected to the Internet. iPhones and Xboxes are meant to be connected online but Barbie, Ken, and GI Joe are not. Parents must be able to easily control what is recorded about their family in the privacy of their home. What happened to just being able to play with your kids and having a personal moment that is not shared with the whole world for eternity?
