California Enacts First Law Regulating Internet Of Things Devices

California has enacted the nation’s first law regulating Internet of Things (IoT) devices, which was signed by Governor Jerry Brown on September 28, 2018. IoT refers to the rapidly-expanding world of internet-connected objects such as home security systems, video monitors, enterprise devices that track packages and vehicles, health monitors, connected cars, smart city devices that manage traffic congestion, and smart meters for utilities.

IoT devices promise to bring efficiencies to a broad range of industries and improve lives. But these devices also collect vast troves of information, and this raises data security and privacy concerns. In 2016, a distributed denial of service (DDoS) attack on the internet infrastructure company Dyn was powered by millions of hacked IoT devices such as web cameras and connected refrigerators. Hackers have used baby monitors to view inside homes, with a prominent recent example being the widely-deployed Mi-Cam baby monitor. If hackers are able to get into critical IoT systems in first responder networks, then there could be public safety risks.

The most obvious vulnerabilities with IoT devices used by consumers are easily-guessed default passwords and weak authentication. Consumers rarely change default passwords because they do not know how to or because the user interface is confusing or hard to access.  Continue Reading

Copyright Office Red Cards UEFA Trophy Application

Last month, the Copyright Office’s Review Board denied for the second time the application of the Union des associations européennes de Football (UEFA) for copyright registration in UEFA’s EURO Trophy. The Trophy is shown below:

According to the Board, the Trophy’s overall shape is no different than standard Greek amphora, and thus “as a whole, does not rise to the level of creativity required by the Copyright Act” and is only “a de minimis standard design based on classical and common works of art.”

Bet that makes the loser of the UEFA cup feel much better…

U. S. Supreme Court Will Decide What It Means to “Register” a Copyright

In this 2018-19 term, the United States Supreme Court will hear arguments on an issue that has long divided copyright attorneys and the courts that hear their cases. Under the Copyright Law, Section 411(a), a copyright owner may not bring an infringement lawsuit until the copyright owner has registered the copyright with the U.S. Copyright Office. In Fourth Estate Public Benefit Corporation v., LLC, the Court of Appeals for the 11th Circuit affirmed a lower court’s dismissal of a copyright infringement suit on grounds that the Copyright Office had not yet granted registration to the copyright in question, whose application was still pending.

This was consistent with the way in which both the 10th and 11th Circuits have treated this issue. However, the 5th and 9th Circuits have held for some years now that having filed an application to register one’s copyright is sufficient to enable the copyright owner to bring an action and a federal court to exercise subject-matter jurisdiction. The Supreme Court will resolve this circuit split during the new term, and copyright practitioners are already laying bets on how the court will rule. Meanwhile, the American Bar Association last month filed an Amicus brief with the Supreme Court that raises issues and eyebrows by urging affirmation of the “Application approach” adopted by the 5th and 9th Circuits. Continue Reading

And Away We Go…UK Information Commissioner’s Office Issues First Formal Notice Under the GDPR

Since the EU’s General Data Protection Regulation (GDPR) went into effect, we have been anxiously awaiting enforcement activities that would indicate regulator priorities. The waiting is over. It was recently reported that the UK Information Commissioner’s Office (ICO) issued an Enforcement Notice to AggregateIQ Data Services (AIQ) on July 6, 2018. Although the Enforcement Notice was issued in July, it only recently came to light.

AIQ is a Canadian analytics firm that was involved with political advertising during the Brexit vote in the UK. The ICO alleges that AIQ received personal data including names and email addresses of people in the UK from political organizations, including Vote Leave and others. AIQ used this personal data to target individuals with political advertising on social media without their knowledge or consent. AIQ also confirmed in writing to the ICO that a third party had unauthorized access to that personal data, which AIQ kept in a code repository. AIQ gathered this information before GDPR went into effect on May 25, 2018, but the ICO stated ongoing concerns that AIQ continued to possess and process personal data after that date. Continue Reading

FBI Calls Out Data Privacy and Security Risks with Educational Technology

Educational technology (“EdTech”) such as unified communications programs, educational software, and networked devices has become an integral part of education due to its ability to help educators, students, and institutions manage information, provide educational materials, and improve administrative functions. But the FBI is now warning of the data privacy risks associated with EdTech.

The FBI notes the wide range of personal data that EdTech collects from users:

  • personally identifiable information;
  • biometric data;
  • academic progress;
  • behavioral, disciplinary, and medical information;
  • web browsing history;
  • students’ geolocation;
  • IP addresses used by students; and
  • classroom activities.

Continue Reading