GDPR: How to Handle a Data Breach

Photo by Christoph Scholz from Flickr (Creative Commons License)

Every company that sends commercial emails to people who reside in the EU or process their data has to comply with the new privacy law, the General Data Protection Regulation (GDPR). This law has specific rules about how companies have to respond when a data breach occurs. It’s so much better than the current rules in the U.S.

Report the Breach to Supervisor within 72 Hours

When a data breach occurs, the employee must report the breach to their supervisory authority without undue delay, and where feasible, within 72 hours of learning of the breach. This notice must include the likely consequences of the breach and the measures the company is taking to mitigate the potential adverse effects.

The only exception to this rule is if the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The company doesn’t have to report the breach if it’s will not likely cause harm to those impacted.

Report the Breach to Consumers

In addition to reporting the breach up the chain of command, the company, without undue delay, must notify the people’s whose data was compromised if the breach is likely to result in a high risk to their rights and freedoms. The law doesn’t specify a number of days or a rubric to determine what is notification “without undue delay.”

Companies should notify the effected persons unless it would require a disproportionate effort. In that case, notification may be made by public communication.

There is an exception to this requirement. The company does not have to disclose that the data breach occurred if the personal data would be unintelligible (e.g. encrypted) to whomever stole it or if the risks have been sufficiently mitigated that adverse results are unlikely to occur.

These new requirements are fantastic. These will hopefully eliminate the problem of companies waiting weeks or months to disclose to impacted consumers that their personal data was hacked.

You can learn more about this aspect of the GDPR here:

Remember, if you are subject to the GDPR, you must comply with this law by May 25, 2018 when it goes into effect.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

GDPR: Protecting Personal Data

Image by Descrier from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) is the new privacy law that goes into effect on May 25, 2018. Every company that sends commercial email to the European Union must comply with it, even if you’re not located in the EU. The purpose of this law is to obtain consent before using a person’s personal data and to adequately protect it.

Protection by Design and Default

The GDPR requires that you take adequate precautions to protect the personal information entrusted to you. The law does not specify exactly what you must do protect this data beyond the requirement that you take the appropriate technical and organizational measures considering the cost, available technology, and why you are processing individuals’ data. The level of security should correlate to the level of risk related to the nature of the data and what you’re doing with it. Additionally, you should only process the necessary data to fulfill your purpose for doing so.

Another requirement of GDPR is that the people who have access to the data subjects’ information are only permitted to process it per the data controller’s instructions. This is a rule that every organization should have: only those who need access to the data subject’s information should have it, and it should be limited to only for the tasks for which they need it.

You can learn more about these requirements here:

Maintain a Records of Processing Activities

The GDPR requires certain companies to maintain a record of all their processing activities. These companies fall into one of two categories:

  1. Companies that employ 250 or more persons.
  2. Companies whose work with data subjects’ information presents a high risk to the data subjects’ rights, or the companies process data that falls into one of the following special categories:
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade-union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation

As a company with no employees (just me running this show) and the only information people give me are their email address and name, I don’t have to maintain this record. If I did, it would only be a list of newsletters I sent and the service I use keeps my list protected behind a password.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

GDPR: Full Disclosure Required

«Via sicura» by Falk Lademann from Flickr (Creative Commons License)

If you’ve been following this blog, you know I’m all about preparing for the General Data Protection Regulation (GDPR) as it applies to content marketing. This rule applies to every company that sends commercial emails to anyone in the European Union. (If you don’t know where everyone on your list is located, assume at least one of them lives in the EU.) We’ve already talked about how, under this law, when you want to add a person to your email list, you must get their specific informed consent and you must be able to prove that you obtained their consent to be on your list.

The GDPR requires, when you obtain this consent, to provide the person (aka data subject) with the following information:

  • The identity and contact information of the controller of the data subject’s information or their representative;
  • The contact information for the data protection officer (if applicable);
  • Your purpose for processing the data subject’s information and legal basis for doing so;
  • The period of time the data will be stored;
  • The data subject’s right to request erasure or corrections of their data or to restrict the processing of their data;
  • The data subject’s right to withdraw their consent;
  • The data subject’s right to lodge a complaint with the supervisory authority; and
  • Whether the data subject giving their information fulfills a statutory or contractual obligation.

If you want to process the subject’s data for another purpose, you must tell the person in advance, and when a person’s data is processed for direct marketing purposes, the data subject has the right to object at any time.

At the first reading of these requirements, my first thought was that the signage at conferences where vendors collect business cards would have to become much more complicated to comply with GDPR. I thought about how this firm will comply with these requirements. People voluntarily add themselves to my email, so I don’t know where they live. I will be adding double opt-in consent for my email list, and I believe the most effective way to comply with these requirements is to include this information in the confirmatory email.

You can hear more about these requirements here:

We have to comply with these rules by May 25, 2018 when this new rule goes into effect.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

Proving Consent Under the GDPR

“Consent Is Sexy” by Charlotte Cooper from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. According to this new law aimed at protecting individuals’ privacy and their personal data, all companies that send commercial emails to any person living in the European Union must obtain a person’s consent to collect and process their data – and be able to prove it. This applies to anyone who collects and processes data from persons living in the EU, including non-EU companies.

The key to compliance is specific explicit consent.

Double Opt-In Required for Email Lists

If you have an email list, the GDPR essentially requires you to use double opt-in when adding someone to your list. This will help resolve the problem of companies adding people to their mailing list without consent.

So many times, when I’ve sent a question, bought a product, or dropped my card in a company’s drawing for an iPad at a conference, my inbox has been bombarded with the company’s newsletter and “special offers.” We all agree this is poor form, right? If I want to be on your list, I promise I’ll add myself.

It happened just this week. A new connection on LinkedIn sent me an email to invite me to coffee. While we were exchanging emails to arrange a meeting time, he added me to his list! When his newsletter hit my inbox, I let him know that adding me to his list violated Wheaton’s Law and he blew his opportunity to have coffee with me.

Under the GDPR, you have to verify you’ve obtained consent to send someone commercial emails. This also avoids problems like someone adding you to a list without consent as a joke or to annoy you.

Written Declarations of Consent

If the data subject gives their consent in writing – perhaps at an expo at a conference or by filling out a form on your website, you must explicitly tell them what they’re signing up for. Their consent must be obtained:

  • On an easily accessible form,
  • Using clear and plain language, and
  • Distinguishable from other matters.

This means consent cannot be buried in your terms of service or some other process or fine print.

Right to Withdraw Consent

One of the requirements of the GDPR is it must be as easy to withdraw consent as it is to give consent. Companies that comply with the U.S.’s CAN-SPAM Act know that every email  they send “must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future.” Email services, like Mail Chimp, already have this feature by automatically including an “Unsubscribe” link in every newsletter its users send.

Here’s more on the consent requirements for the GDPR:

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

GDPR Compliance: Informed Consent Required

“Content Marketing” by Luis Osorio from Flickr (Creative Commons License)

The General Data Protection Regulation (GDPR) is the new law aimed at protecting individuals’ privacy and their personal data. All companies that send commercial emails to any person living in the EU must comply with this law when it goes into effect on May 25, 2018 – including non-EU companies.

If you collect or process personal data from any natural person residing in the EU, the GDPR requires you obtain the person’s specific, informed consent that unambiguously indicates the person’s wishes or it must be given by a clear affirmative action.

When you collect a natural person’s (aka data subject’s) personal data, the GDPR requires you to do the following:

  • It must be done lawfully, fairly, and with transparency.
  • Data must be collected for a specific, explicit, and legitimate purpose.
  • The data collected must be limited to the data necessary for the purposes for which it will be processed.
  • You must erase or rectify inaccurate data without delay.
  • You must keep the data for a period that is no longer than necessary for the purpose for which it will be used.
  • You must protect the data subjects’ personal data with appropriate security measures.

Requiring specific informed consent, means you can’t hide the consent information in your terms of service. The data subject has to know what they’re signing up for and give their explicit consent to use their data. If you give people who visit your website the option to add themselves to your mailing list, that, since you won’t know where they live (especially if all they’re providing you is a name and email address), the sign-up form should comply with the GDPR requirements.

I suspect it also means that dropping your card in the bowl to try to win an iPad at a booth and a conference won’t be sufficient to establish explicit consent to add a person to your email list unless there’s verbiage adjacent to the bowl that doing so is a clear affirmative action of consent. Hmm . . . perhaps event organizers who have EU attendees should provide their expo vendors information about obtaining consent under GDPR.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

Preparing for GDPR: Are You Ready?

Europe Privacy Law GDPR from Smeders Internet

This year, I’m putting considerable energy into understanding and complying with the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European law that goes into effect on May 25, 2018.

It impacts any professional commercial activities regarding natural persons residing in the EU, so that includes process personal information about natural person who lives in the EU, or sending commercial emails to any natural person who lives in the EU. Commercial emails include the offer of goods or services, even if you’re not doing it in exchange for money.

The purpose of this new law is to protect natural persons’ personal data, and it includes provisions about obtaining data subjects’ consent and using adequate security to protect their information. Failure to comply could result in millions of dollars in fines.

Who is Exempt from GDPR?

The GDPR does not apply to anyone who stores or uses person’s data for personal use – like if you maintain a personal database of contacts, and some of them happen to be people who live in the EU.

It also doesn’t apply to anonymous persons or dead people.

Complying with the GDPR

I have read the GDPR from cover to cover (260 pages). A significant amount of my work in early 2018 will be related to GDPR compliance – starting with my own company

My rule for my email list is people add themselves. It’s disrespectful when companies add you to their email list without consent, so I don’t do it. As a result, I have no idea where most of my subscribers are located. I have assume at least one of them is a person who resides in the EU, therefore the GDPR applies.

For the next few weeks, I’m going to be breaking down this law into it’s requirements and applying them to my business so I can, in turn, educate and help other companies modify their policies and practices before the law goes into effect on May 25, 2018.

This is not a law that companies can easily comply by adding a new paragraph to their terms of service. It will change their tactics and approach to content marketing.

If you want more information about GDPR, please watch this site and my YouTube channel because I’m creating a substantial amount of content on this topic. You can also send me an email (Note: I can’t give advice to non-clients). I use my mailing list to I share my thoughts about being a lawyer/entrepreneur, updates about projects I’m working on, upcoming speaking engagements, and I may provide information about products, services, and discounts. Please add yourself if you’re interested.

You can also connect with me on TwitterFacebookYouTube, or LinkedIn.

Unsolicited Advice: Shut Up

“zip your mouth and shut up” by pHotosHo0x from Flickr (Creative Commons License)

As a lawyer, clients come to help prevent or resolve legal problems. It’s my job to explore the pertinent facts of the situation, explain the legal implications to my client, present their options, and make recommendations. The decision of what to do is ultimately the client’s choice. When your lawyer recommends that you refrain from speaking about a situation publicly, that may be their polite way of saying, “Shut up. Anything you say will likely make your situation worse.”

What Not To Do
Today’s example of what not to do comes from Robert Scoble. After several women publicly accused him of sexual harassment and/or assault, he released a blog post entitled “No, of that I’m innocent.” In this post he wrote:

I have rejected my lawyer’s advice to not make a statement and in a spirit of healing I would like to address the issue head on with open and honest dialogue.

I’m glad he admitted that he was ignoring his lawyer’s advice. He went on to state what he called the “actual truth of the allegations” against him, naming his accusers, and calling out alleged misbehaviors of his accusers in their encounters with him.

If your lawyer is telling you not to talk about accusations against you, assuming you’re already in a hole. Stop digging.

Scoble also claimed he could not have sexually harass any of these women because he was never “in a position where I could make or break their careers.” Umm…that’s not how sexual harassment works. It can occur outside an employment, professional, or financial relationship.

Listen to Your Lawyer
When I first meet with a client, I explain that lawyer-client privilege applies, meaning I can’t repeat what I client tells me. The reverse is not true. I can’t control what a client says or posts when they leave my office. If I tell them not to talk about their case, it’s because I think that’s what’s in their best interest. As a third party, I’m not emotionally enmeshed in the situation. I can see the forest for the trees when they can’t and help move them towards the ultimate outcome they seek, and avoid pitfalls in the moment.

When it comes to internet posts, here are some of my general suggestions:

  • Think before you post.
  • Today’s righteous indignation may be tomorrow’s regret.
  • Ditto for drunken rants.

The internet never forgets. One post can cost you your career, marriage, or reputation. Even if you delete a post you regret creating, you don’t know how many people saw, copied, or downloaded the post before you deleted it. And there’s probably a copy of that post on a server somewhere.

If your lawyer advises you not to talk about something online or otherwise, don’t do it. There’s a good chance you’re setting yourself up for more pain in the future, and there are some bells that we can’t un-ring.

If you want additional information about the legalities of social media, please check out my book The Legal Side of Blogging: How Not to get Sued, Fired, Arrested, or Killed. You can also contact me directly or connect with me on TwitterFacebookYouTube, or LinkedIn. You can also get access to more exclusive content that is available only to people on my mailing list.

Anthony Weiner Sentenced to 21 Months for Sexting: Processing My Thoughts

Chainlink Prison Fence by Jobs For Felons Hub from Flickr

This week, former Congressman Anthony Weiner was sentenced to 21 months in federal prison for “transferring obscene material,” aka sexting, with a 15 year-old. He’ll also have 3 years of supervision after he’s released, including internet monitoring, and will have to register as a sex offender.

According to reports, here’s what we know about this case:

  • He knew he was talking to a 15 year-old using various social media platforms.
  • He sent the teen nude pictures of himself.
  • He asked her to sexually perform for him on Skype.

Clearly his behavior was criminally and morally wrong.

Anthony Weiner
112th Congress
from Wikipedia

I’ve been mulling over this situation for the past few days, wondering if the punishment fits the crime. I asked friends who are teachers or the parents of tweens and teens for their reactions. Some said 21 months was too lenient, some said too harsh, and others agreed it was appropriate based on the available information.

I’ve watched plenty of episodes of To Catch A Predator where men engaged in similar online behavior with people they thought were teens, and then showed up at a house to meet them before being arrested. At the end of the program, they reported the sentences of these perpetrators, and often they were sentenced to less than 12 months in prison. Some only got probation. It makes me wonder whether Weiner’s sentenced was based solely on his interactions with this minor or his history of sexting.

It’s been sad to watch a charismatic up-and-coming Congressman destroy his professional life, his reputation, and his marriage because of his sexual compulsivity. The judge even acknowledged that Weiner has a disease. His past impropriety involved sexting with other consenting adults – not illegal, but not appropriate given his then-political position and being in a seemingly non-open marriage. Part of me wonders how his past behavior (where no criminal laws were broken) factored into the sentence.

Likewise, I wonder if Weiner’s position as a public figure played a role in his sentence. The judge reportedly sentenced him to 21 months in part to serve as a general deterrence. While I respect that one of the purposes of criminal punishment is to deter others from acting in similar ways, I question whether Weiner was punished for the law(s) he broke or to make an example out of him. The law says he could have received a sentence up to 10 years, and 21 months was within the range of jail time requested by the prosecution, so I’m not saying the judge or the prosecutor acted outside the scope of their position, but I still wonder how the judge came to her decision.

Of course, Judge Cote was there for the entire trial process, and I’m watching from the sidelines. I’m in no way questioning her judgment.

This whole situation has also reminded me of how little I expect a person to be rehabilitated while incarcerated. I’d rather see people convicted of committing crimes, in part due to an addiction, be sentenced to a long-term treatment facility followed by jail time with ongoing counseling.

The other thing this crime reminded me of is how important it is for parents to monitor what their kids are doing when they’re online. It’s not just an issue of where they go, what apps they’re using, what they say, and what pictures they’re taking, but also who is trying to communicate with their kids.

Regarding Anthony Weiner and his victim, I have no answers. I don’t know what the appropriate punishment should be for adults who are caught sexting with teens, or whether Weiner’s sentence was too harsh or too lenient. I hope I’m not the only person who was inspired to step back and consider what is the correct legal and social response to these criminal acts.

I’m constantly doing work related to internet law, so if you want to keep up with what I’m doing or if you need help, you can contact me directly or connect with me on TwitterFacebookYouTube, or LinkedIn. You can also get access to more exclusive content that is available only to people on my email list. (Please note: If you suspect you’re the victim of an internet crime, I will refer you to law enforcement.)

FTC Rules: Easy to Follow, Easy to Forget

Happy Lawyers Unpacking our Barbri Books

I have the pleasure of speaking at Content Marketing World next month, in part, about the FTC rules that apply to advertising.

Disclose, Disclose, Disclose
The key to complying with the FTC rules for native advertising it to always disclose when you have a relationship with a company. That includes when you get a product for free, when you have a personal relationship with an officer of the company, and when you use affiliate links. In all of these situations, regardless of the platform, you have disclose when you are compensated for sharing an opinion or have a reason to be biased.

These rules even apply on social media platforms, including Instagram and Twitter. Usually using the hashtag “#ad” is sufficient to comply with the rules. The purpose of the rule is to let the reader know about your potential bias before they form an opinion about the product or your review.

The fine for violating these rules are harsh – up to $16,000 per violation under the current rules.

See you in Cleveland!
I have a goal of finding a way to climb this thing.

So Easy to Forget
These rules are simple to follow, and it’s also super easy to forget to remember to include the proper notice in a post. I had first-hand experience with this over the last few weeks.

My colleague and I teamed up with Barbri to study for the California Bar Exam. They gave me my study course for free (I split the cost of my colleague’s course with him) in exchange for writing a weekly post about what it’s like to study for a bar exam while practicing law. We did 11 weekly posts, and I’ll write one more when we get our results this fall.

Early in each post, I repeated verbiage that disclosed our relationship with Barbri – that was easy enough. Where I had trouble was remembering to include “#ad” on every social media post. It’s easy to forget to remember to include those three characters. There were many mornings where I had to edit my posts or delete and re-do tweets to add in “#ad.”

I recently learned I’m not alone. According to research, 37% of publishers do not adhere to the FTC rules for labeling the material as sponsored. I’m curious to see if the FTC is investigating or fining content creators who don’t follow the disclosure rules.

I’m super excited to talk about the FTC rules and how to write effective contracts for content creators at Content Marketing World. It’s one of my favorite events on online advertising. I’m just as ecstatic about speaking as I am about learning from my fellow presenters.

I’m constantly doing work related to internet law, so if you want to keep up with what I’m doing or if you need help, you can contact me directly or connect with me on TwitterFacebookYouTube, or LinkedIn.  You can also get access to more exclusive content that is available only to people on my mailing list, by subscribing here.

Staying Out of Trouble on Facebook Live

Selfie by Reyes Blanch from Flickr (Creative Commons License)

Facebook Live is one of the more recent developments in live video streaming on the internet. When used properly, it’s a lot of fun to get a real-time glimpse into someone’s life or a breaking news situation. It has value, but it also has its place.

The Same Rules Apply
Legally speaking, the rules that apply to Facebook Live are the same rules that apply to live video apps. In 2015, I wrote a post about the legal dos and don’ts of Periscope. Those same rules apply to Facebook Live.

The challenge with live video . . . is it’s live. You can’t edit a live performance, so if you do something inappropriate or illegal, assume someone saw it, recorded it, and you may have to face consequences for it later. If you’re not jumping on Facebook Live to show a newsworthy event in real-time, I recommend you take a minute or two before you go live to think about the scope of want to talk about, what topics or language are out-of-bounds, and when you’ll know to stop the recording. This is especially true if you’re distraught or experiencing extreme emotions. If you’re especially upset, it may be better to wait a few hours until you’ve calmed down or record your thoughts without being live.

Playing Music on Facebook Live
A friend asked about the legalities of playing music during a Facebook Live broadcast. The rules that apply to radio stations, retail stores, and cover bands apply to a person who is live streaming. If the music is not in the public domain, the copyright holder has the right to control where their music is copied and played. Facebook Live is likely a public performance, so even if you own a copy of the song for personal enjoyment, you can’t play it publicly without a license. In these situations, the only person who can come after you for infringement is the copyright holder. If they don’t know or don’t care about what you’re doing, you may never get in trouble. (Of course there is an exception for someone who uses Facebook Live to give commentary or criticism of the music – that may be protected by fair use.)

Think Before You Post
As always, think before you post/broadcast yourself. Once you put something out there, you can never fully take it back. What seemed like a good idea in the moment may be tomorrow’s regret, with long-lasting implications. Last summer we saw the disturbing Facebook Live video of a Georgia mother beating her 16 year-old daughter. The woman wasn’t charged with assault, but I wonder what will happen the next time she applies for a new job and the news stories (with video) from this incident dominate the results when prospective employers search for her name.

These are my rules of thumb when it comes to posting anything on the internet:

  1. Don’t post anything online that you wouldn’t put on the front page of the newspaper.
  2. Assume everything you post will be seen by four people: your best friend, your worst enemy, your boss, and your mother. If you don’t want to one of those people to see what you’re thinking about posting, don’t say it.

The laws that apply to the internet is an area of law that is constantly developing as cases are decided and new statutes are added to the rule book. If you want additional information about the legalities of social media, please check out my book The Legal Side of Blogging: How Not to get Sued, Fired, Arrested, or Killed. You can also contact me directly or connect with me on TwitterFacebookYouTube, or LinkedIn. You can also get access to more exclusive content that is available only to people on my mailing list, by subscribing here.