Kenneth N. Rashbaum is a Partner at Barton LLP and an Adjunct Professor of Law at Fordham University School of Law. Kenneth has a background in advising multinational corporations and healthcare organizations, specializing in cybersecurity, healthcare, privacy, social media, and compliance counsel. He counsels on information governance and its compliance with federal, state, and non-U.S. laws, and on the interface of e-commerce and legal and regulatory liabilities in areas such as cybersecurity and breach response. Drawing on his insights and experience, Kenneth discussed some of today's privacy concerns.
LIFARS: What privacy issues does the “Internet of Things” raise?
Kenneth: Transmission and storage of data from the connected devices in ways that are subject to interception by unauthorized users are central concerns. When baby monitor images are being intercepted and posted on the web, there is an issue that needs addressing and opens the gate to questions about other vulnerabilities of these products.
Kenneth: Startups, in attempting to save money, often copy Privacy Policies and Terms of Service from other websites. This is usually a mistake, because careful thought is required into the enforceability of those provisions and this can be determined by the nature of the offering, the types of data that will be collected, alternative dispute resolution (arbitration) clauses, limitations of liability, ownership of data and choice of applicable law and dispute resolution venue. In addition, many startups approach privacy as an afterthought, and then only if they are audited, have a breach or attack, or are required to respond to business partner or customer inquiries (i.e., a large customer won’t sign off on a large order without assurances that security and privacy safeguards are in place). This is unfortunate, as the company could attract additional rounds of financing and additional customers by building security and privacy into the offering, “privacy and security by design.” That “design” requires well thought-out Privacy Policies and Terms of Service.
LIFARS: What impact do privacy and privacy legislation have on the healthcare industry? Multinational corporations?
Kenneth: Health data is among the most sensitive forms of personal information and subject to HIPAA regulations in the U.S., as well as state laws and regulations, with heightened protection in Europe and much of South America and Asia. Multinational health information software developers and medical information and equipment hardware manufacturers, especially those based in Europe, often make the mistake of assuming there is no privacy law at all in the U.S. and run afoul of HIPAA and other federal privacy laws and state privacy laws, which can result in terrible damage to reputation and significant legal expense.
LIFARS: What would you say are some impacts that lack of personal privacy on the Internet has on students?
Kenneth: They are often unaware that data uploaded to certain cloud services, particularly iCloud and Instagram, may be shared and distributed by the cloud services provider. That is to say, students’ data is certainly not as private as they would like to think. A challenge for me as an adjunct law professor is to get law students to remember that confidential client data requires certain safeguards for privilege that may preclude putting it on commercial email or certain cloud services and that they cannot, for those reasons and also regulatory prohibitions, post everything that occurs at their jobs on social media.
LIFARS: What are your views on the “transparency” revolution that has consumed the current age? (transparency revolution consists of the idea that companies have access to your personal information through your activity online in order to sell your data to advertisements.)
Kenneth: For legal, personal, and common sense reasons, some information just should not be widely shared. If that means refraining from putting it on Internet-based platforms or repositories without protection such as encryption, so be it. Awareness is required and one should think before sharing. Just because the technology makes sharing easy does not mean one should do so without thinking. The consequences of wide disclosure or not-so-wide but potentially catastrophic (i.e., an employer, client, or significant other viewing derogatory or revealing information) can affect a career.
LIFARS: Would you be able to tell us about one of your more challenging cases?
Kenneth: I headed an investigation into a breach by a law firm that resulted in the medical records of hundreds of patients appearing on five Internet search engines, including one in China. The firm’s information management system was not on a Virtual Private Network (VPN), and during an upgrade of this web-enabled system critical controls that keep web “spiders” away from the data were taken down. In-house counsel for a client discovered this when he Googled the name of a litigant and got a hit for his own defense law firm. He clicked on it and the litigant’s medical record appeared.