Internet Lawyer Blog

Ireland’s Data Protection Commission Fines Meta Platforms

Published on: December 19, 2022 | by Law Offices of Salar Atrizadeh

Ireland’s Data Protection Commission (“DPC”) has reached its final decision related to Meta Platforms Ireland Limited (“MPIL”) which is Facebook’s data controller in that country. The DPC announced last month that it will be imposing a fine of €265 million against the company and will issue a set of corrective measures.

The investigation was instigated last year based on reports of published personal data on the internet that Facebook controlled and managed. In fact, there was a report of a data leak involving the personal information of 533 million users around the world. The investigation started by examining and assessing Facebook’s search, messenger contact importer, and Instagram contact importer tools. The main issue was whether Facebook complied with the GDPR obligation for data protection by design and default. Therefore, the investigating body – i.e., DPC – examined the technical and organizational measures under Article 25 of the GDPR and determined that MPIL had infringed Articles 25(1) and 25(2) of the GDPR and imposed a reprimand and order compelling the company to remedy the issues within certain deadlines.

Articles 25, and its subparts, were drafted to address data protection by design and default. These articles state as follows:

CISA Releases Cloud Security Technical Reference Architecture

Published on: November 21, 2022 | by Law Offices of Salar Atrizadeh

The Cybersecurity and Infrastructure Security Agency (“CISA”) released the second version of its cloud security Technical Reference Architecture (“TRA”) several months ago. CISA is the country’s cyber defense agency that works with other interagency partners to improve cybersecurity. The purpose of the TRA is to outline the suggested approaches to data protection or cloud migration. The federal government is slowly transitioning to the cloud and the reference architecture is designed to provide guidance. The TRA also explains the considerations for shared services, cloud security posture management, and cloud migration.

It’s important to know how to securely migrate information to the cloud. There are important considerations when transferring information from one database to another one. Data migration can be a multi-faceted process that requires information evaluation. In other words, the information that is being transferred should be categorized based on its sensitivity – e.g., non-confidential, confidential, highly confidential. In that way, the data migration team can implement the necessary safeguards.

President Joseph Biden recently issued Executive Order 14028 called “Improving the Nation’s Cybersecurity” in an effort to support cybersecurity and safeguard critical infrastructures. The key points of the executive order are as follows:

Internet False and Misleading Advertising Laws – Part III

Published on: November 7, 2022 | by Law Offices of Salar Atrizadeh

The franchise and business opportunity rules mandate sellers to issue a clear and concise disclosure document at least ten days before the consumer pays funds. The document must include the following information:

Names, addresses, and telephone numbers of other purchasers;
Fully-audited financial statement of the seller;

Internet False and Misleading Advertising Laws – Part II

Published on: October 17, 2022 | by Law Offices of Salar Atrizadeh

The federal Lanham Act (“Lanham Act”) allows civil actions for false advertising that misrepresents the nature, characteristics, qualities, or geographic origin of goods or services. See 15 U.S.C. § 1125(a) stating in relevant part as follows:

(1) Any person who, on or in connection with any goods or services, or any container for goods, uses in commerce any word, term, name, symbol, or device, or any combination thereof, or any false designation of origin, false or misleading description of fact, or false or misleading representation of fact, which: (A) Is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval of his or her goods, services, or commercial activities by another person, or (B) In commercial advertising or promotion, misrepresents the nature, characteristics, qualities, or geographic origin of his or her or another person’s goods, services, or commercial activities, shall be liable in a civil action by any person who believes that he or she is or is likely to be damaged by such act.

(2) As used in this subsection, the term “any person” includes any State, instrumentality of a State or employee of a State or instrumentality of a State acting in his or her official capacity. Any State, and any such instrumentality, officer, or employee, shall be subject to the provisions of this chapter in the same manner and to the same extent as any nongovernmental entity.

Internet False and Misleading Advertising Laws – Part I

Published on: September 26, 2022 | by Law Offices of Salar Atrizadeh

It is not legal or ethical to engage in false or misleading advertising for selling products or services. This is especially true when the advertising harms consumers or competitors in violation of state or federal laws.

A business that uses misleading words for the sale of a product or service can be sanctioned by state or federal agencies. The use of keywords like healthy, organic, gluten free, or 100% natural can be deceptive. The usage of false scientific support claims or endorsements may be unethical. The posting of a false or deceptive picture or video can be against the law. There have been instances where the advertiser used a false or misleading color to make its product look different. Also, there have been instances where the advertiser made a false claim that its product contained a certain product or it had clinically proven health benefits to enhance sales.

A business that engages in deceptive pricing by hiding true fees or surcharges can be sanctioned by state or federal agencies. In most cases, the consumers are misled by not knowing the true price of the product or service – e.g., a communication service provider hides the cell phone bill’s real charges from the consumer when signing up for service.

Wire Fraud Laws – Part III

Published on: September 5, 2022 | by Law Offices of Salar Atrizadeh

It’s a crime when you use interstate wire communications (e.g., phone, radio, television, internet) to engage in a scheme to defraud or to obtain money by false pretenses. Wire fraud is one type of cybercrime that takes place by using technology. In most cases, the culprit uses some kind of software or hardware technology to inject him or herself into the private computer network of a third party such as an escrow/title company or financial institution. The culprit spies on the third party’s internal communications to gain access to confidential information such as bank wire instructions.

Wire fraud is similar to mail fraud except that it requires the communications to be transmitted by wire rather than conventional mail. Generally, the plaintiff must prove the existence of a fraudulent scheme, usage of wire, radio, television, or internet communications to further that scheme, and intent to commit fraud. The culprit commits the wire fraud by deceiving the victim into thinking that he or she is dealing with a legitimate party. For example, the culprit intervenes in a pending real estate transaction by using a fake email account and sends a message to instruct the victim into transferring the funds to another bank account. The victim, who has been dealing with multiple individuals (e.g., real estate agent, broker) legitimately believes that he is sending the money to the right financial institution. However, unbeknownst to the victim, the culprit’s fraudulent scheme is intended to send the funds to a different bank or financial institution.

These situations are extremely time sensitive and complicated because the victims have a limited time to determine the facts – i.e., who, what, when, where, and how the wire fraud was committed without their authorization. The victims will need to contact law enforcement agencies and a qualified lawyer who know the intricacies of these matters. The government agencies usually collaborate with the victim’s lawyer to locate and identify the culprits. These government agencies include, but are not limited to, the local police, Federal Bureau of Investigation, United States Secret Service, or United States Treasury Department. Nonetheless, a tremendous amount of time and resources are necessary to initiate and finalize the investigations.

Wire Fraud Laws – Part II

Published on: August 22, 2022 | by Law Offices of Salar Atrizadeh

Wire fraud can be considered a white-collar crime. The government usually relies on the wire fraud statute if other types of criminal statutes such as healthcare fraud or bank fraud would not be applicable.

There are several prima facie elements for wire fraud as we have discussed in previous articles. These elements must be satisfied before charging the defendant with the specific crime. These elements include the scheme to defraud, the scheme involving false material representations, the intent to defraud, and wire transmission in interstate or foreign commerce.

Wire fraud can be investigated by law enforcement agencies, including, but not limited to, the Federal Bureau of Investigation, United States Secret Service, or Internal Revenue Service. The United States Secret Service has been involved in financial and cybercrime investigations for a long duration. It also participates in other investigations such as counterfeit and cryptocurrency fraud investigations. These federal government agencies may team up with local or state government agencies if necessary.

Wire Fraud Laws – Part I

Published on: August 1, 2022 | by Law Offices of Salar Atrizadeh

A person can be prosecuted for wire fraud when there is reliable evidence of a scheme to defraud another by using electronic communications such as wire, radio or television. The defendant must be part of a fraudulent scheme and have a specific intent to commit the fraud. In some cases, it could be enough if the defendant fails to disclose material facts to mislead the plaintiff – i.e., the culprit deceives his or her victim. The defendant may be guilty for wire fraud if he or she shows a reckless indifference through his actions.

For example, the defendant may use wire, radio, or television communication to commit the fraudulent scheme be emailing false or misleading bank statements to clients or investors. Historically, these types of violations include telemarketing fraud or internet scams (e.g., phishing). There have been cases where the culprits hack into the plaintiff’s computer and install keyloggers to track their electronic transactions. Then, they extract personal information that would allow them to log into their bank accounts. Or, they can hack into the escrow company’s network to intercept financial information (e.g., bank account number) that allows them to send false wire instructions. So, thereafter, the hackers provide the false wire instructions to the victim who believes he or she is sending the funds to the correct financial institution.

There have been other instances where the defendant’s action constitutes mail or security fraud. Mail fraud is committed when the defendant uses the mail to commit the fraudulent scheme. Security fraud is committed when the defendant engages in a fraudulent scheme for the sale or purchase of securities which is a violation of state and federal laws. Internet fraud is also referred to as “cybercrime” and may include actions that fall under the definition of hacking or phishing schemes to extract private or confidential information. So, in a nutshell, the culprit uses the internet to lure the victim into believing a false fact. Then, once the victim relinquishes access or discloses the private or confidential information, the culprit uses that information to commit a crime such as identity theft. Also, in other cases, the defendant may be prosecuted for real estate fraud when he or she gains unlawful access to the escrow or title company’s network infrastructure. These types of real estate fraudulent schemes are relatively sophisticated and require the rights tools and resources. The stolen funds are usually sent to another bank account that could be located in another state or country. Obviously, the victims will feel helpless when they face these situations and will reach out to government agencies for assistance. In most cases, the victims should also seek assistance from a private law firm that specializes in these matters.

Global Cross-Border Privacy Rules Forum

Published on: July 4, 2022 | by Law Offices of Salar Atrizadeh

The United States Department of Commerce has issued a declaration regarding global cross-border privacy rules. These privacy rules are designed to promote data flows with privacy protections. The participants (which include Canada, Japan, Republic of Korea, Philippines, Singapore, Chinese Taipei, and United States of America) have declared that: (1) the establishment of a Global CBPR Forum to promote interoperability and help bridge different regulatory approaches to data protection and privacy; (2) The objectives of the Global CBPR Forum are to: (a) establish an international certification system based on the APEC Cross Border Privacy Rules and Privacy Recognition for Processors Systems; (b) support the free flow of data and effective data protection and privacy through promotion of the Global CBPR and PRP Systems; (c) provide a forum for information exchange and cooperation on matters related to the Global CBPR and PRP Systems; (d) periodically review data protection and privacy standards of members to ensure Global CBPR and PRP program requirements align with best practices; and (e) promote interoperability with other data protection and privacy frameworks.

The Global CBPR Forum is expected to promote expansion and uptake of the Global CBPR and PRP Systems globally to facilitate data protection and free flow of data. It is expected to disseminate best practices for data protection and privacy and interoperability. In addition, it is expected to pursue interoperability with other data protection and privacy frameworks.

The Global CBPR Forum is supposed to facilitate trade and international data flows. It is created to promote global cooperation and to promote protection of data privacy. The forum plans to establish an international certification system based on the existing APEC Cross-Border Privacy Rules and Privacy Recognition for Processors Systems. Cooperation is intended to be based on the principle of mutual benefit and a commitment to open dialogue and consensus-building, with equal respect for the views of all members. It is supposed to be based on consultation and exchange of views among representatives of members, drawing upon research, analysis and policy ideas contributed by members. It is also intended to be based on the active multi-stakeholder participation in appropriate activities.

Big Data Rules and Regulations – Part III

Published on: June 13, 2022 | by Law Offices of Salar Atrizadeh

A business organization has legal responsibilities when it comes to data access, control, and management. The government has recently issued an opinion regarding disclosure requirements for the so-called “inferred data” which comprise of internally generated inferences within the context of a consumer’s right of access request. California Civil Code Section 1798.140(v)(1)(K) defines “inferred data” as inferences drawn from a consumer’s personal information to create a profile which reflects the consumer’s preferences, characteristics, psychological trends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes.

Under California Civil Code Section 1798.110(a)(1), consumers have the right to know the specific pieces of personal information a business organization has collected about them. The California Consumer Privacy Act (“CCPA”) did not address inferred data in its provisions and only implied that businesses should disclose personal data they collected from consumers. However, the Attorney General’s Office issued Opinion No. 20-303 to address whether business organizations that are subject to the CCPA should include inferred data when a consumer submits a Data Subject Access Request (“DSAR”). In short, with limited exceptions (e.g., trade secret protection), the answer was affirmative.

The question is whether inferred data elements fall under trade secret protection rules. In his opinion, the state Attorney General stated that the CCPA only mandates a business to share the product of its internal algorithms even though the algorithms themselves are protected trade secrets. In fact, internal algorithms fall under the classic definition of trade secrets because they’re not publicly accessible to competitors, they confer a competitive advantage, their secrecy is maintained from external disclosure. See California Civil Code § 3426.1(d)(2) for more information about trade secrets. In fact, trade secrets include customer lists, processes, and software or commercial methods. It is conceivable, and probably foreseeable that, a business may withhold inferences because they’re protected trade secrets but it has the burden of proof. So, in short, a business has two options when it comes to disclosing inferred data. First, it can fulfill the DSAR according to the most recent opinion and face the risk of exposing its internal algorithm. Second, it can withhold the data inferences and face the risk of receiving a non-compliance notice from the state Attorney General’s office.