September 8, 2017

What You Should Do Today In Response To The Equifax Breach

You've probably heard that Equifax revealed on Thursday that it was the subject of a data security breach that resulted in the exposure of 143 million Americans--almost half the population. It is likely the largest data security breach in U.S. history. The information exposed included names, social security numbers, addresses, credit card numbers, driver's license numbers, and sensitive documents. In other words, this is very, very bad news.


If you're an American (or live in the U.S.), here's what you should do (as soon as possible) to protect your own identity:


1.  First, take advantage of the opportunity to check with Equifax on the status of your information. 


Equifax has set up a website for consumers to inquire whether their personal information was among the exposed data.  Go to www.equifaxsecurity2017.com and enter your last name and the final six digits of your social security number.  Equifax says it will inform you if your information was exposed.






Next, click on "Potential Impact" at the bottom left side of the screen.  A new page will open. 


Click on "Check Potential Impact" at the bottom left side of this page as well.




Enter the information where prompted.






If you're lucky (like me), you'll see the following screen:




If your information was potentially exposed, you'll be notified of that instead.  (Please accept my condolences!)


2.  Enroll in free credit monitoring.


When you complete the step described above, Equifax offers to enroll you in a credit monitoring and identity theft protection program called TrustedID Premier.  You can enroll with a single click.


Equifax says that TrustedID Premier includes credit monitoring of Equifax, Experian and TransUnion credit reports; copies of Equifax credit reports; the ability to lock and unlock Equifax credit reports; a type of identity theft insurance; and Internet scanning for Social Security numbers – free for one year.


If you have additional questions, you can call Equifax at 866-447-7559 between 7:00 a.m. and 1:00 a.m. Eastern time.


3. Check for ID Theft.


Because the Equifax breach occurred beginning in May, your identity may already have been assumed by a nefarious character.  You should check your credit report immediately for unfamiliar credit accounts.  Although Equifax will give you a free Equifax credit report, I suggest you obtain your report from Experian and TransUnion (the other two major credit reporting bureaus) as well. You can do that by phone or online:


  • Experian - 1-888-397-3742, www.experian.com
  • TransUnion - 1-800-680-7289, www.transunion.com


  • You could also use this form if you prefer pen-and-ink.


    4.  If you find evidence of fraud, put a fraud alert on your credit report.  


    If you see any fraudulent credit accounts on your report, you can call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report.  (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert.  There will be no cost.  The purpose of a fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed. 

    You can contact the credit reporting agencies at the following:

    5.  If you are the victim of identity theft, submit an affidavit to the Federal Trade Commission. 


    Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can.  Next, you need to put this information into the form of an affidavit (a sworn written statement).  The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/.  When finished, submit the affidavit to the FTC through the website.  Print or save a copy for your records. (Alternatively, you can use this form.)

    6.  File a Police Report

    If you are a victim of ID theft, after you complete the FTC affidavit, you should call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both.  In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule).  File a police report.  (Either they will send an officer to you, or will ask you to come to the station.)  Give the officer a copy of your FTC Identity Theft Affidavit.  Ask to be given a copy of the police report once it's ready.

    Sadly, some local law enforcement agencies are reluctant to take reports on ID theft. You can give the agency a copy of the FTC's official memo for local law enforcement agencies, a copy of which is available here.
     
    7.   File an FTC ID Theft Report.

    Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from attempting to collect debts from you that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).
     
    Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see below). In either case, you should notify all three of the credit reporting agencies.

    8.  Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze.   Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze. 

    Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years.  When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

    North Carolina residents (and residents of certain other states) are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently.  (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.)  If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes.  Putting a credit freeze on your credit file does not affect your credit score.

    The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law.  Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above). 
     
    So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity.  My general preference is the freeze, because it gives you the most control.
     
    9.  Review Your Credit Reports and Dispute Errors.  You will have already reviewed your credit reports for unauthorized accounts.  Review them on an ongoing basis.  If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report.  Here is a sample letter that may be helpful.
     
    The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.
     
    10.  Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed.  Also ask them to stop reporting information relating to the fraud to credit reporting agencies.  As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization.  Here is a sample.  
     
    11.  Stop Debt Collectors from Contacting You about Fraudulent Debts.  If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

    12. Additional Tips: 
    • Remember to record the dates you made calls or sent letters.
    • Keep copies of all correspondence in your files.
    • A number of sample letters are available here.

    I hope you find this guide helpful.  Please feel free to share it with your family, friends, and colleagues.  I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website.

    July 27, 2017

    Reflections on a Rewarding Year with the NCBA YLD





    A few days ago, I handed over an enormous gavel, signifying the end of my term as leader of the more than 6,400 members of the Young Lawyers Division of the North Carolina Bar Association.

    It has been an incredibly rewarding year. The young lawyers and law students who have volunteered their time and talents over the past twelve months have accomplished a great deal, and I'm very proud of them.  The legal profession, and the people of North Carolina, are better off for their efforts.

    As I delivered my final report to the other members of the Board of Governors of the NCBA, I described the accomplishments of our Young Lawyers Division over the past year, and I'd like to share the highlights of that report here.

    I’ll begin with our Pro Bono Division, which was led by Kristen Kirby.

    Our Wills for Heroes Committee is led by Rebecca Rushton and Chad McCullen.  This committee coordinates live, in-person "clinical" events at which lawyers and notaries provide wills, powers of attorney and health care powers of attorney to first responders (such as law enforcement officers, EMTs and firefighters).  This committee organized events in Holly Springs, Durham, Winston-Salem, Wilmington, and New Bern.  More than 150 volunteer attorneys, paralegals, and law students volunteered to provide these services free of charge, and generated more than 700 estate planning documents. 

    Our Project Grace Committee, which is led by Caitlyn Goforth, offers free healthcare powers of attorney and advance directives (often called "living wills") to qualifying low-income individuals.  The committee held multiple events around the state during the Bar year, and helped a large number of people plan for their future health care.

    The Pro Bono Committee, led by Orla O’Hannaidh, selected the recipients of the Younger Lawyer Pro Bono Award, who were twice honored at the Annual Meeting in Asheville.  The Committee also evaluated future pro bono projects on behalf of the YLD.

    Our Legal L.I.N.K. project continued to grow under the direction of Jane Paksoy and Rashad Morgan. Legal L.I.N.K., as you may recall, is our ABA award-winning project that puts lawyers into high schools in low-income school districts. The goal is to introduce students to the legal profession and “prime the pump” for college and law school.  “L.I.N.K.” is an acronym that stands for "Leadership," "Information," "Networking" and "Knowledge," and those four topics are each addressed in separate sessions.  The events were held at Southern High School in Durham and Person High School in Roxboro.  Some excellent participants, comprised of lawyers, judges (including Supreme Court justices Jackson and Beasley), law students and law school admissions directors, joined us. 

    The Bar Outreach Division, led by Elizabeth Zwickert-Timmermans, was primarily active through the Membership and Networking Committee, which was led by Leah Hermiller.  The Committee is finalizing details for a 5K road race on December 9th in Raleigh. It is funded in part by the NCBA Foundation, and proceeds will benefit the NC LEAP pro bono project.  The Committee has also participated in "Professionalism for New Attorney" events and hosted networking events following the PNA CLEs held throughout the bar year.

    Our Communications and Awards Division was led by Lucy Austin.

    Members of our Citizen Lawyer and Scholarship Committee, led by Lisa Arthur and Nathan Standley, have written articles on each of the Citizen Lawyer Award recipients.   The Committee also awarded $25,000 in scholarships to thirteen students whose parents were slain or permanently disabled law enforcement officers. For the first time, a scholarship recipient has enrolled in law school!

    The Internet/Newsletter Committee, led by Matt Quinn, collected information about YLD and NCBA activities and published the YLD Blast via email every month. The Blast includes updates about recent accomplishments of the YLD, notifications about upcoming events, and other information of interest to young attorneys.  The Committee also published five issues of The Advocate, our award-winning newsletter, filled with legal updates, how-to articles, profiles, announcements and humor pieces.

    The Meetings and Conventions Committee, led by Martha Bradley, expertly planned our meetings, including our Annual Meeting events, which involved a bluegrass band and food truck.  Their proactive attention to detail resulted in an excellent experience for all of us.

    Our Community Outreach Division, which is led by Collin Cooper, was busy engaging with the public. 

    The Community Relations and Civic Education Committee was led by Andy Jones and Sidney Minter.  It held "Ask a Lawyer Day" events across the state in April, which gave members of the public the opportunity to sit down with licensed NC lawyers to ask questions and receive advice for free.

    Our Law Week and Liberty Bell Committee was led by Caroline Trautman and Josephine Tetteh.  The Committee completed the Law Week festivities in May, which was the culmination of the past year’s work. The Law Day Ceremony and awards luncheon were held on May 5 at the City Club Raleigh. Ninety-five people attended the luncheon, including judges and justices, NCBA leaders, contest winners, and the Liberty Bell Award winner, Chief Judge Linda McGee.  The student contest winners traveled from schools throughout North Carolina for the event.   The Law Day Moot Court Competition took place at the N.C. Supreme Court, where judges and Supreme Court justices presided over the competition.  Justice Paul Newby presented the Moot Court winners and runners up with their awards, and other justices and judges presented the other student contest winners with their awards, at the Ceremony.

    Our Legal Feeding Frenzy task force, which was led this year by Bryan Norris, recruited 87 teams across 54 firms and organizations to raise over 300,000 pounds of food to benefit our state’s Feeding America Food Banks.

    The Minority Focus Committee, led by Dulce Plaza, continued working on the final phase of our Know Your Rights Clinic with Guilford County Schools. (We borrowed this program from Wake Forest Law.)  The Committee also issued a call for ideas for projects that it could join in, or organize, that promote the Committee’s mission of recruiting minority attorneys to the NCBA YLD. 

    Finally, I want to tell you about our Law Student Division, led by Will Quick. 

    At the start of the bar year, I told the Board of Governors that one of our key objectives for the year was to step up our engagement with law students. We made this strategic decision in keeping with our Strategic Plan and the direction of our NCBA volunteer leadership and staff leaders. We expanded our structure from a law student committee and a bar exam committee to a new vertical within our organizational chart which is comprised of four committees dedicated to law students and bar exam takers.

    The Bar Exam Committee, led by Porsha Washington, continued its three traditional roles during the past bar year. Members held workshops for exam takers, coordinated tutors and greeted test-takers with refreshments and encouraging words on exam day.

    Our Law Student Publications & Communications Committee is led by Rebecca Hendrix. The Committee has been creating original content for the Law Student Division Blog, some written by law students themselves. (We think that approach helps to ensure the content is relevant to the target audience.)

    Now to the law students themselves: Our Law Student Outreach Committee is comprised of young lawyers and the law student representatives on campus.  Historically, we struggled to keep our law student liaisons engaged and active.  We now have law student representatives in each class and at each of the NC law schools. (The only exception is the Charlotte School of Law, where our representatives left the school this year.)  Our law student representatives now have regular "tabling" days in the common areas of the law schools, in which they stand in their NCBA t-shirts and share NCBA materials with their fellow law students.

    To help drive that engagement, we held a retreat at the start of the school year at the Bar Center to orient and train our reps so they could be effective ambassadors for us in the law schools.  I’m proud to report to you that we now have well-trained, fully-committed law student ambassadors who are representing the NCBA full-time in the North Carolina law schools.

    Our leadership team, including President Kearns Davis and President-Elect Caryn McNeill, our YLD leaders, as well as our professional staff, visited each of the law schools this year to speak to law students directly.

    We also held two of our quarterly YLD leadership meetings near law schools, and we explicitly invited law students to join us at each of our leadership meetings. I’m happy to report that we had law students take us up on that invitation each time.

    We also created an Out-of-State Law Students Committee this year, led by Aaron Lindquist.  They got to work and made some significant strides in their inaugural year.  They created and distributed a survey for out-of-state NCBA law student members, and a different (but similar) survey for practicing NC attorneys who attended an out-of-state law school, in order to better understand the needs of out-of-state law students.  They used the survey results to create the Out-of-State Law Student Manual, which is designed to help out-of-state law students prepare for practice in North Carolina. It covers job searching and networking, bar application information, early practice tips, and "must-dos" in NC. The Manual was distributed to out-of-state LSD members and shared on the L3 blog.   Finally, the Committee also planned two summer networking events for out-of-state law students in Charlotte and Raleigh.

    In summary, our profile, as an organization, is as high as it has ever been within the walls of the law schools. This is a dramatic success for our Law Student Division team.

    In addition to the work of the Committees, we also partnered with two NCBA sections—the Administrative Law Section and the Appellate Practice Section—for joint events. I hope that is something we can continue to do and expand to other NCBA sections.

    Despite our aggressive agenda and all our early planning for the bar year, we encountered two significant surprises this year that forced us to pivot and adapt.

    First was the tumultuous experience that our law student division members at the Charlotte School of Law endured. Our student representatives, YLD volunteers, Division Director Will Quick, the NCBA staff, and our Association leadership—especially President Kearns Davis—stepped up to provide support and relevant information to these members. This was not a circumstance that we could have anticipated, but we reacted and served as a resource for the most vulnerable of our members during a very difficult time.

    Second, Hurricane Matthew came along and flooded the eastern half of the state. In cooperation with FEMA, the ABA and Legal Aid of North Carolina, we activated our Disaster Legal Services program. Brooks Jaffa of Charlotte was the coordinator. He worked tirelessly to help establish four clinics in four communities, during which we helped about 100 people. With the diligent aid of Cabell Clay and Rachel Blunk, we also set up a hotline, recruited volunteer attorneys, and connected needy victims with attorneys for telephone counselling. 175 attorneys volunteered and helped about 300 callers. All of this was done without much advance notice or time to plan, but it was a great success nonetheless, and I'm proud of all of our volunteers who pitched in.

    In summary, despite a couple of major curveballs, it was a successful year for the Young Lawyers Division.  It has been my tremendous honor to lead an exceptional group of young lawyers, and I look forward to seeing their future accomplishments, which will probably exceed all of our expectations.  

    It's Time for a Change

    Over the past six years, I have really enjoyed sharing thoughts with you on this blog and participating in some of the conversations that have arisen from the posts.

    Having recently departed private practice to work as in-house counsel, my interests are shifting, and this blog is likely to evolve to reflect that.  I am no longer regularly working on banking law matters, and likely will have little or nothing further to say about that area of the law.  Accordingly, I am changing the name of this blog to reflect the anticipated shift in content.  I hope you will continue to find it interesting and useful.  While I likely will not post as frequently as I did when in private practice, I do intend to continue sharing thoughts from time to time on this forum.  As always, your comments and suggestions are very welcome.

    Because my new in-house role is focused on technology, privacy and information security, I am likely to post more frequently on my other blog: www.LawOfPrivacy.com.  I hope you check it out if you haven't already.



    July 26, 2017

    In a First, a Federal Court Finds Grocery Store's Website Fails to Comply with the Americans with Disabilities Act (ADA)

    A recent case has organizations all over the U.S. concerned about litigation over website accessibility.

    In the first federal decision of its kind, a federal judge in Florida concluded that Winn-Dixie, a regional grocery store chain, was obligated to make its website accessible to a blind man, and that it failed to do so.

    As a result, the court awarded the plaintiff his attorneys' fees and ordered the parties to agree on a compliance deadline by the end of this month.

    I've written previously about the trend in demand letters and the uncertainty in the law regarding the applicability of the Americans With Disabilities Act to websites, applications and other online interfaces. 

    Background

    By way of background, when the Americans with Disabilities Act was first drafted in 1988 (and adopted in 1990), it is unlikely that even a single member of Congress contemplated that it could be applied to the Internet. The ADA (and specifically Title III) was applied to brick-and-mortar facilities and intended to ensure that people with disabilities could access and enjoy them. Common examples are wheelchair ramps and braille menus. In the quarter-century since, almost everything that was once only brick-and-mortar now has a presence on the Internet.

    One of the greatest ADA questions of our day is whether the ADA applies to websites, apps, and other online interfaces. Only a few courts have addressed this issue, and the results have been mixed, and sometimes very fact-specific. Courts must decide whether a given website is a "public accommodation" and, if so, whether the website operator has made "reasonable modifications" to make the website available to people with disabilities. 

    The ADA is enforced by the U.S. Department of Justice (DOJ) and through private litigation. The DOJ is reviewing organizations' websites to determine whether they comply with the law’s access requirements. In addition, a number of plaintiffs' law firms across the country are filing lawsuits alleging that organizations' websites are in violation of the ADA. Internet companies, including Netflix, have settled cases that alleged their websites were inaccessible to people with disabilities.

    There are currently no specific federal standards for websites under the ADA. Since 2010, the DOJ has been telling us that it is in the process of developing regulations for website accessibility, but those standards are not expected until 2018 or later. In the meantime, the DOJ says it expects organizations to make their websites accessible to the disabled. The DOJ has indicated that it considers the Web Content Accessibility Guidelines (WCAG) [2.0 Level AA] to be satisfactory for the time being (and perhaps these standards go further than legally necessary), and many organizations have been working towards compliance with those standards on the assumption that any future DOJ standards will be consistent with them (although there are no promises).

    Why the Winn-Dixie Case Matters

    The decision in Gil v. Winn Dixie is the first federal court opinion addressing the applicability of the ADA to the website of a brick-and-mortar retailer. While it is not binding throughout the U.S., it sets an important precedent. 

    The court concluded that the ADA applied because Winn Dixie's website is “heavily integrated” with and serves as a “gateway” to its physical stores. That's an important consideration for brick-and-mortar retailers, who may want to re-evaluate accessibility in light of this recent development.


    May 8, 2017

    Can Young Lawyers Learn Something From Older Lawyers About Managing Their Professional Reputations Online (and Vice Versa)?

    I thought I'd share an article that was published this week in the North Carolina Lawyer magazine that might be of interest to some of you.


    Can Young Lawyers Learn Something From Older Lawyers About Managing Their Professional Reputations Online (and Vice Versa)?


    by Matt Cordell, NCBA YLD Chair


    When I have the opportunity to give advice to law students and young lawyers, one of the things I try to impress upon them is the importance of their reputations, including their “online reputations.” Usually the comment is quickly met with a knowing nod. Everyone seems to know that their reputation is important. However, having witnessed many lawyers of all ages impair their professional reputations online, I have begun to realize that many of us fail to recognize some aspects of maintaining our online reputations, and I have begun to be much more specific in my advice to younger lawyers.

    Older lawyers, I have observed, often seem to understand some of the things that younger lawyers may miss, but older lawyers can have their own blind spots in this area. In this short piece, I would like to describe a few observations about lawyers’ online reputations and suggest that young lawyers and older lawyers can learn much from one another regarding this topic. (There are, of course, plenty of exceptions to my generational generalizations.)

    For many of us, especially those of us who attended law school in North Carolina, our professional reputations began to develop during law school. I often remind law students that their law school classmates form their initial professional network. Their classmates are likely to become their partners, opposing counsel, judges, and clients. I suggest that they will want to be remembered as the friendly, reliable law student who was always prepared and who shared notes freely with deserving classmates; they will not want to be remembered as the John “Bluto” Blutarsky of their law school class (i.e., John Belushi’s character in the cult classic “Animal House”) or the sharp-elbowed “gunner.”

    Some law students and young lawyers seem to be unaware that their social media posts can affect their professional reputations. When the weekend’s party photos are just a click away, the line between one’s professional reputation and one’s personal life can become blurred, or disappear entirely. Too many young lawyers allow themselves to be photographed or videotaped in unflattering circumstances without realizing that it may affect how others perceive them in a professional context (whether consciously or unconsciously). Older lawyers, by contrast, tend to be more perspicacious in their social media activity. Perhaps age brings wisdom in these matters.

    I have also observed that young lawyers seem more attuned to their online presence when it comes to ratings and reviews. Young lawyers tend to be conscious of what is being said of them on online rating and review websites, and tend to be more proactive in engaging with these sites. For example, young lawyers tend to be more likely to “claim” their Avvo profiles and ensure that the information presented there is accurate, because Avvo profiles tend to get remarkable priority in search engine results. Older lawyers seem more likely to dismiss sites like Avvo as meaningless (perhaps because Avvo’s ratings system is open to criticism). Older lawyers also seem less likely to recognize how a clunky website or free email account (e.g., that old AOL account) can cause a client or prospective client to lose confidence in them.

    The topic of online reputation management seems to be an area that is ripe for intergenerational learning. Older lawyers can share the wisdom that comes from experience and young lawyers can share their technological savvy. I hope this article will spark conversations here and there between older lawyers and their younger counterparts. We all have more to learn from one another, both online and offline.


    March 5, 2017

    A New Chapter


    
    This photo was taken for the firm's website when I joined in 2007
    
    In 2005, I met two exceptional people, Don Eglinton and Leigh Wilkinson, during on-campus interviews at my law school.  I could immediately tell from the way they talked about Ward and Smith and its people that there was something special about the firm.   In the years since, I've experienced firsthand the remarkable culture of this firm and the people who make it so special. I have also had the opportunity to work with some incredibly smart, innovative clients in a number of fields, and I've learned a great deal from many of them.  

    My practice has evolved over the past decade, and I have found that I very much enjoy practicing in the areas of privacy law, information security law, and technology law, in particular.  A very attractive opportunity has arisen which will enable me to work on these issues on a global scale.

    I will be joining the legal department of VF Corp in Greensboro, N.C. If you are unfamiliar with VF, you are likely familiar with its brands, which include The North Face, Lee, Wrangler, Vans, Timberland, Nautica, Smartwool, Reef, Eagle Creek, Eastpak, JanSport, Kipling, and others.  VF has more than 50,000 employees globally and about $12 billion in annual revenue.  The legal department, like the rest of the company, spans the globe.  I will be managing a small group within the legal department handling privacy, information security, and information technology contracting. 

    Volunteering at a workday at Camp Challenge (a financial literacy camp for underprivileged kids) with my Ward and Smith colleagues just a few months after joining the firm in 2007

    Even though I will miss my law partners and clients, I am looking forward to this new challenge and to starting a new phase of my career.  I am also looking forward to spending a little more time with my family.  We will be moving to the Triad area very soon.

    I am confident that all of the clients with whom I have worked over the years are in good hands with the other (nearly 100) lawyers at Ward and Smith.

    I intend to continue to write about interesting legal developments on my personal blogs: www.BizLawNC.com and www.LawOfPrivacy.com / www.PrivacyLawNC.com.  I hope you'll continue to check back in from time to time. 



    December 17, 2016

    The FCC Creates Privacy, Data Protection, and Data Breach Rules for Internet Service Providers


    The Federal Communications Commission is venturing into new areas of privacy regulation.  By a narrow vote, the FCC has approved new rules that govern how internet service providers ("ISPs") use consumers' information.

     

    ISPs long ago realized that customer data is valuable, and are continuing to develop ways to monetize that information.  For example, last month, AT&T explained that a major factor in its decision to bid on Time Warner was the lure of new possibilities in targeted advertising.  Last year, Comcast bought targeted advertising firm Visible World for similar reasons.

     

    Efforts by ISPs to monetize user data have triggered concerns among privacy watchdogs and the FCC.  On October 27, 2016, the FCC adopted new rules to control when and how this information can be used and shared.  "It's the consumers' information.  How it is used should be the consumers' choice," said FCC Chairman Tom Wheeler. 

     

    According to the FCC, the rules "do not prohibit ISPs from using or sharing their customers’ information – they simply require ISPs to put their customers into the driver’s seat when it comes to those decisions.”  The new rules require specific notices to consumers about:


    • The types of information the ISP collects from them

    • How the ISP uses and shares the information

    • The types of entities with whom the ISP shares the information

    The rules also require ISPs to give a degree of control to the consumer.  ISPs will be required to obtain consumer consent (an "opt-in") before sharing certain categories of "sensitive" information, including:


    • Health information

    • Financial information

    • Geo-location

    • Children’s information

    • Social Security numbers

    • Web browsing history

    • App usage history

    • Content of communications

    For other categories of information (those not deemed “sensitive," such as an email address or service level), ISPs must still offer users the opportunity to “opt-out” of the use and sharing of their information, with some exceptions.  Customer consent can be inferred for certain uses, such as providing services and for billing and collection activities.

     

    ISPs are prohibited from rejecting a customer for refusing to provide a requested consent.  Because it is more profitable for the ISP if customers permit data use and sharing, the rules permit an ISP to give customers a discount or other financial incentive to provide a requested consent.

     

    The FCC has made it clear that its rules “do not regulate the privacy practices of websites or apps, like Twitter or Facebook, over which the FTC has authority.”  Websites and apps currently collect much more data than ISPs, so the practical impact of the rules on consumer privacy is likely to be limited.

     

    The new rules impose a requirement that ISPs implement reasonable data security practices, including robust customer authentication and data disposal practices.  The rules also include a data breach notification requirement, which preempts those in existence in 47 states, but only to the extent that the FCC rules are inconsistent with a state's requirements.   

     

    The rules become effective with respect to different sections at different times, with all of the rules likely becoming enforceable within one year. 

     

    This action by the FCC creates just one more piece in the mosaic of statutes, regulations, and treaties that together comprise privacy and data security law. 

     

    November 20, 2016

    "Cyber Safeguards and Procedures" for Law Firms (and Others)

    I recently spoke about information security issues at a continuing legal education event sponsored by Lawyers Mutual. 


    The session was titled "Cyber Safeguards and Procedures" and focused on data security risks faced by law firms and how they can mitigate those risks. 


    If you would like a copy of the slides from this presentation, please email me.  


    
    Image: Matt Cordell and Troy Crawford on stage at the "Cyber Safeguards and Procedures" continuing legal education presentation (photo by Camille Stell)

    October 23, 2016

    Is Your Organization About To Be Sued Because Your Website Is Inaccessible To People with Disabilities?

    Is your organization about to be sued in a class action, or receive a demand from the Department of Justice, because its website or app is not accessible to people with disabilities?


    When the Americans with Disabilities Act was first drafted in 1988 (and adopted in 1990), it is unlikely that even a single member of Congress contemplated that it could be applied to the Internet.  The ADA (and specifically Title III) was applied to brick-and-mortar facilities and intended to ensure that disabled people could access and enjoy them.  Common examples are wheelchair ramps and braille menus. In the quarter-century since, almost everything that was once only brick-and-mortar now has a presence on the Internet.


    One of the greatest ADA questions of our day is whether the ADA applies to websites, apps, and other online interfaces.  Only a few courts have addressed this issue, and the results have been mixed, and sometimes very fact-specific.   Courts must decide whether a given website is a "public accommodation" and, if so, whether the website operator has made "reasonable modifications" to make the website available to people with disabilities. 


    One example of how websites can be more accessible is as follows:  If a website has an image that shows a product, that image can be "tagged" (or "alt tagged") with a clear written description of the image so that a visually-impaired person's "reader" program can read the description to the person (either audibly or in braille). 


    The ADA is enforced by the U.S. Department of Justice (DOJ) and through private litigation.  The DOJ is reviewing organizations' websites to determine whether they comply with the law’s access requirements. In addition, a number of plaintiffs' law firms across the country are filing lawsuits alleging that organizations' websites are in violation of the ADA. Internet companies, including Netflix, have settled cases that alleged their websites were inaccessible to people with disabilities.


    Several North Carolina companies have recently received demand letters from plaintiffs' law firms alleging that their websites are in violation of the ADA.  So far, these demands have not resulted in litigation, and some are still being addressed.


    There are currently no specific federal standards for websites under the ADA. Since 2010, the DOJ has been telling us that it is in the process of developing regulations for website accessibility, but those standards are not expected until 2018 or later.  In the meantime, the DOJ says it expects organizations to make their websites accessible to the disabled.  The DOJ has indicated that it considers the Web Content Accessibility Guidelines (WCAG) [2.0 Level AA] to be satisfactory for the time being (and perhaps these standards go further than legally necessary), and many organizations have been working towards compliance with those standards on the assumption that any future DOJ standards will be consistent with them (although there are no promises). 


    If your organization receives correspondence from the DOJ or a plaintiffs' law firm regarding website or app ADA issues, I strongly suggest you talk to a knowledgeable attorney immediately.




    - MAC




    Matt Cordell is a lawyer in the Research Triangle of North Carolina with significant experience in technology law, software development and license agreements, website development and license contracts, and e-commerce.  Matt Cordell is one of the best known lawyers in the region in the fields of privacy law and information security law.







    October 16, 2016

    HIPAA Privacy Officer and Security Officer: Too Much for One Person?

    Perhaps your organization is becoming a HIPAA covered entity or a business associate for the first time, and you now understand that your organization will have to comply with HIPAA. One of your first, and most important, tasks will be to designate a Privacy Officer and Security Officer.  This post describes some considerations you should think through when making this decision.

    One person or two?
    The HIPAA Privacy Rule requires that a privacy officer be designated, and the HIPAA Security Rule requires that a security officer be designated.  It is legally permissible to have one person designated as both, or to split the roles. You'll need to decide whether to combine or bifurcate these roles.  




    First, you need to decide whether you have one person within your organization who has the capabilities required for both roles.  The Privacy Officer is responsible for understanding who is allowed to access protected health information (PHI), and will need to answer questions about practices, address requests for information, and handle training and monitoring of other staff. The Security Officer is primarily focused on protecting electronic protected health information (ePHI) from unauthorized access (e.g., meeting encryption requirements, etc.). If the person you would prefer to designate as the Privacy/Security Officer does not have an understanding of the technological aspects of protecting ePHI, there are two solutions: (a) designate someone with the technological understanding to be the Security Officer, or (b) instruct someone with the technological understanding (either inside or outside of the organization) to assist the Privacy/Security Officer.


    What is most effective? The benefit of designating two officers is that each can be more specialized, and potentially more effective in their respective areas. However, the risk associated with having two officers is that things that are not clearly just privacy or just security might fall through the cracks if the two do not coordinate well.
    
    What is most efficient? For administrative purposes, it's hard to argue that having one designated officer isn't substantially easier than having two. There is so much overlap in the two areas of responsibility that if you can have one person be responsible for both, it may avoid a lot of duplication of effort. Combining the roles is more common in smaller organizations.

    All that said, there's no legally incorrect answer here. Just like the debate over whether a CEO should also be the Chairman of the Board, there are good arguments on either side, and the answer often boils down to the size of the organization and administrative ease.
     

    Can (and should) an organization have more than one Privacy Officer or Security Officer?  Some organizations are both a HIPAA "covered entity" (e.g., healthcare provider or sponsor of an employee health plan) as well as a "business associate" (e.g., service provider to a covered entity). Those organizations will need to decide whether the Privacy and Security Officer(s) they designate for themselves as a covered entity should be the same person(s) designated for purposes of the protected health information they acquire as a business associate.  Generally speaking, an organization's obligations as a covered entity are similar to its obligations as a business associate. With the exception of contractual obligations in business associate agreements, the basic legal obligations are almost identical. (The Security Rule obligations to protect ePHI are basically identical. The Privacy Rule obligations are very, very similar.)  
    

    Generally, I don't think there is a compelling reason to have separate Privacy Officers (or Security Officers) for these two capacities in which an organization might be acting, and I don't believe that is a common practice.  I think it is most efficient to have one Privacy Officer and Security Officer who is responsible in both contexts, and who understands the subtle differences in those contexts.  Organizations that find themselves acting as both a covered entity and a business associate should be aware of the distinctions, however, and should have policies and procedures that reflect those distinctions.  Here is one practical example:  Most employees should be shielded from access to PHI that is held by a plan sponsor of an employee benefit plan.  However, within the same organization, far more employees might have a legitimate need to access the PHI held in the organization's capacity as a business associate of other organizations. 




    Once you've made this important decision, you can begin building a HIPAA compliance policy and procedures around the basic structure you've chosen. (Let me know if you'd like some help with that.) - Matt





















    YOU CAN READ MORE ABOUT THIS AND SIMILAR ISSUES ON MY OTHER BLOG: THE NORTH CAROLINA PRIVACY AND INFORMATION SECURITY LAW BLOG AT WWW.PRIVACYLAWNC.COM.