Wednesday, August 31, 2016

Data Breach Notification and the Ransomware HIPAA Question

Notifying affected parties after a data breach is a worrying step for any governmental entity, association, medical office, law office, data management company, or even a school or university. The rules that attempt to address the ongoing efforts to steal data of every kind are still evolving. An organization's first instinct after an incident is to work out how to tell the relevant parties that something has happened, while at the same time trying to stop the spread or recurrence of the attack and to minimize the harm. Certain states require prompt notification of individuals whose protected health information (PHI), or its electronic form (ePHI), has been compromised. By compromised, it is meant that the PHI has been obtained by a person or entity without authorization. Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) have responsibilities they are expected to follow and meet. The key point is that HIPAA addresses the electronic transmission, storage, and administration of health records, and that it stresses the protection of PHI and ePHI. Equally important is the shared responsibility of the 'business associates' who are integral to the day-to-day handling of PHI and ePHI although they are not themselves a health care provider, a health plan, or a health care clearinghouse. These business associates are third parties responsible for the PHI in their care, and they are affected by ransomware incidents just as covered entities are.
Cyber events are occurring at such an alarming rate that there is a growing chronicle of incidents across every sector of the economy. The value of personal information and health information is at an all-time high, which is driving the increase in attacks. The United States Department of Health and Human Services (HHS), pursuant to HIPAA, has issued guidance for covered entities and business associates on responding to data breaches and ransomware incidents, in addition to the notification requirements that may apply under state law. On that point, note that over 40 states have enacted some form of data breach notification law, and they differ in how an incident must be handled. The definition of what counts as 'personal' information, which is what triggers a required notification by a business associate or covered entity, varies among the states. The required content of the notice, and whether government agencies must be informed of the incident, also vary.
As standard steps are prescribed for responding to a data breach, it is important to understand how breaches take place. The variety of ways in which they now occur catches many information technology specialists by surprise. Intrusions by way of email attachments, phishing messages, direct network intrusions, and even compromised websites can all deliver ransomware. Ransomware behaves in varied ways. One variant seeks to deny the covered entity or business associate access to its own records, typically by encrypting them quickly; the attacker withholds the decryption key. Once the ransom is paid, the hope is that the attacker releases the data or provides a key to decrypt the files, but that is not always the case. There have also been incidents in which the captured data is transferred to storage outside the entity's network, so that the data is in effect no longer under the covered entity's or business associate's control. This latter scenario is a nightmare.
Learning now what to do, before it happens, is critical to the integrity of a covered entity or business associate. The HHS points overlap with the steps the Federal Trade Commission has sought to impose on entities it has cited, with great emphasis on prevention, which is after all the name of the game. For instance, conducting scheduled and frequent backups not only retains the data, limiting the damage if the production copy is destroyed or transferred to a remote server, but also allows operational recovery. The guidance also stresses testing the restoration process. A restore test should show whether the entity can actually recover and whether its efficiencies and protections carry over to the restored environment. The test should also exercise retrieval from offline or remote storage rather than only from an online, connected network. The concern is that if the backup is online and synced with the production network, the malware can reach the backup as well and defeat the very measures taken to recover from a ransomware attack.
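The backup and restore-testing points above lend themselves to a concrete check. The following Python script is an added example, not part of the original post or of any HHS material: it records a SHA-256 manifest of a backup set at backup time, then compares a restored copy against that manifest and reports files that were modified, missing, or added. The backup tree, the record file names, and the simulated ransomware damage are all constructed inside the script. It assumes the manifest is kept separately from the backup, offline or on write-once media, since an intruder who can reach a synced backup could otherwise rewrite the manifest to match.

```python
"""
Added example (not from the original post): a minimal restore test that
checks a backup set against a hash manifest recorded at backup time, so a
backup that ransomware has encrypted or altered is detected before it is
relied on. The backup tree and file names below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large record stores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by relative path.
    Assumption: the manifest is stored apart from the backup (offline or on
    write-once media); a manifest that lives next to a synced backup can be
    rewritten by the same malware that encrypts the data."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest and report every deviation.
    'modified' = same name, different content (encrypted in place);
    'missing'  = record gone or renamed;
    'extra'    = files not in the manifest (ransom notes, .locked copies)."""
    actual = build_manifest(restored)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    extra = sorted(p for p in actual if p not in manifest)
    return {"ok": not (modified or missing or extra),
            "modified": modified, "missing": missing, "extra": extra}


def simulate_ransomware(root: Path) -> None:
    """Constructed failure case: encrypt one record in place, encrypt and
    rename another, and drop a ransom note, mimicking what an encrypting
    payload does to a backup that stayed online and synced."""
    records = root / "records"
    (records / "patient-001.json").write_bytes(os.urandom(64))
    victim = records / "patient-002.json"
    victim.write_bytes(os.urandom(64))
    victim.rename(victim.with_name(victim.name + ".locked"))
    (root / "README_RESTORE.txt").write_text("pay to decrypt")


def demo() -> tuple:
    """Build a constructed backup set, snapshot its manifest, then verify a
    clean restore and a tampered restore. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        for i in range(1, 4):
            (backup / "records" / f"patient-{i:03d}.json").write_text(
                json.dumps({"id": i, "note": "constructed sample record"}))
        manifest = build_manifest(backup)          # taken at backup time

        clean = verify_restore(backup, manifest)     # restore drill, untouched set
        simulate_ransomware(backup)
        tampered = verify_restore(backup, manifest)  # restore drill after the hit
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean restore   :", clean)
    print("tampered restore:", tampered)
```

Run stand-alone, the clean restore verifies, while the tampered restore reports one modified record, one missing record, and two unexpected files. Running the same comparison as part of a scheduled restore drill is what turns "we have backups" into "we have verified we can recover", and keeping the manifest away from the backup is what stops an online, synced backup from being poisoned together with the evidence that would have revealed it.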
Entities are expected not only to plan training for personnel in handling data, health information, and electronic files, but also to anticipate how they will respond to a cyber incident. Training staff to recognize the signs of an attack is necessary, though such training is only as current as yesterday's incident. At a minimum, staff should be made aware of their responsibility not to visit questionable sites or open unexpected emails and attachments. An entity is expected to conduct risk assessments both before an incident and after one. Its incident response plan should be prepared and rehearsed so that services are not compromised. After an incident, the risk assessment will tell whether there is a notification requirement; under the HHS guidance, ransomware that encrypts ePHI is presumed to be a breach unless the entity can demonstrate a low probability that the PHI has been compromised. That assessment will examine, among other things, whether the entity's own encryption of the data was effective and how much of the data the attacker encrypted.
The notification requirement is the issue that ultimately trips up certain entities. Counsel can be instructive not only in communicating with the insurer that covers cyber incidents under the entity's commercial general liability insurance (CGLI), but in communicating with law enforcement and in drafting the notice sent to the affected individuals whose records were compromised. The state involved determines the form of the notice and its contents. Whether there is a reportable incident under HIPAA depends on how the PHI and ePHI were administered by the covered entity and the business associate, and here the question hinges on whether the entity had implemented encryption as a protective measure. The HIPAA Breach Notification Rule defines a breach as an acquisition, access, use, or disclosure of PHI not permitted by the Privacy Rule that 'compromises the security or privacy of the protected health information.' From this vantage point, the risk assessment will show what must be done to remedy the incident. If the data acquired in the incident was already encrypted by the entity in a manner consistent with HHS guidance, so that it was not 'unsecured' PHI, then no reportable breach has occurred under HIPAA; state law may nevertheless require notification. The risk assessment must account for the scope of the risk, the effectiveness of the encryption, what data was actually compromised, and to what extent. Each incident will require a case-by-case assessment to determine compliance as well as vulnerabilities, including the notification requirements triggered by the nature and extent of the PHI and ePHI that ended up in unauthorized hands.
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web." Copyright 2016, all rights reserved Lorenzo Law Firm, P.A.

Sunday, August 28, 2016

Data Breach Insurance

Data breach insurance is a growing concern and a topic that businesses must address in their risk management program. Depending on the services a business provides, it may be steered toward third-party coverage, first-party coverage, or both. In an earlier post on cyber insurance, we discussed the limits of the coverage the industry offers and how businesses are often not covered for cyber events. Earlier this year the Fourth Circuit rendered a decision that sets a tone insurers should watch regarding the scope of coverage for data breaches under commercial general liability insurance (CGLI), specifically the insurer's duty to defend the insured business in a data breach event.
It is worth noting at the outset that cyber insurance, or data breach insurance, was created to cover what general liability insurance was never intended to cover. As these policies have evolved with the growth of cyber risk, limitations have been added to account for the many facets of a potential cyber incident, data breach, or plain cyber negligence event. The actual scope of coverage within a company's CGLI policy is critical, and it is what was battered about by the Fourth Circuit in Travelers Indemnity v. Portal Healthcare Solutions, LLC.[1] The question was whether data breaches fell within the coverage and, if so, to what extent and for which aspects.
Portal Healthcare Solutions, LLC (Portal) provides electronic storage and management of patient medical records for medical service providers, including hospitals. After patients discovered that their medical records were available on the web without password protection, they filed a class action. Portal held CGLI policies issued by Travelers, and Travelers disputed its obligation to cover the incident; Portal argued that the policies covered it. The district court in Virginia ruled for Portal, holding that the Travelers policies obligated it to defend Portal in the data breach suit, and the Fourth Circuit affirmed. Portal was seeking to have Travelers bear the amount for which Portal would be liable as a result of the breach.
Companies considering CGLI will quickly recognize that the policy enumerates conditions for liability coverage that include 'personal and advertising injury'. This is the insurer's duty to pay and defend the insured for liability and damages incurred by violating the privacy rights of customers and others through publication of private information. The contentious issue that insureds and insurers wrestle with after a data breach or cyber incident is whether a publication of private information has occurred.

Whether a 'publication' took place, as the policy understands the term, was the issue. What was clear from the facts is that the medical records were available on the Internet without password protection, and it was claimed that their availability was tantamount to publication. Portal argued that its policies with Travelers obligated Travelers to cover it if Portal were liable for an injury caused by the electronic publication of material that gives unreasonable publicity to a person's private life. Because patients' information could be found by searching the Internet, the court deemed that this sufficed as publication. The court did not require an intent to publish for a publication to have occurred; in its view, the mere exposure of medical records on the Internet was enough. Because a publication had occurred when Portal exposed confidential medical records, Travelers was obligated to defend Portal under the policies.[2]
In light of Portal, it is worth considering the Recall Total Information case,[3] in which computer tapes containing records fell out of a transport vehicle on the highway. The Portal court distinguished Recall on the ground that the data in Portal was on the Internet and easily accessible, whereas the records in Recall, on tapes that fell from a vehicle, could not be shown to have been accessed or disclosed. The Portal court noted that the Connecticut Supreme Court in Recall, affirming the Appellate Court, held that absent evidence that the confidential records were actually accessed, the loss of the tapes from the vehicle could not be construed as a publication of private information giving rise to publicity. The court found that distinguishable from Portal's public exposure of confidential records on the Internet.
Furthermore, publication is not the only limitation of CGLI policies. The knowledge and conduct of the insured also bear on the insurer's duty to cover. For instance, in the Sony case,[4] the New York court ruled that the insurer had no duty to defend or indemnify Sony because the publication was the act of the hackers and not of Sony; the hacking was not considered a publication by the insured within the meaning of the policy. Another limitation applies when the insured acts intentionally and knowingly in causing the disclosure of private information. The Utah district court in the Federal Recovery Services case[5] held that the insurer was not obligated to defend the insured where the insured was alleged to have acted knowingly, willfully, and intentionally.
In essence, the Fourth Circuit gave the policy term 'publication' a broad reading, while the other cases delineate limits on the insurer's duty to pay and defend. The insured's intention, deliberateness, and awareness with regard to the data breach matter, as does whether the publication was the act of a third party, an intervening factor, rather than the result of the insured's own actions. The absence of any intention by the insured to place private personal information on the Internet for anyone to see does not mean that no publication has occurred. Overall, the realm of coverage under CGLI policies now has a broader appeal, amid the limitations on insurers' duty to cover data breaches.
[1] 35 F. Supp. 3d 765, 768 (E.D. Va. 2014).
[2] Id. at 769.
[3] 147 Conn. App. 450, 83 A.3d 664 (Conn. App. Ct. 2013), aff'd, Recall Total Information Mgmt., Inc. v. Federal Ins. Co., SC 19201 (Conn. May 18, 2015).
[4] Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014).
[5] Travelers Property Casualty Co. v. Federal Recovery Servs., Inc. (D. Utah May 11, 2015).

Monday, August 22, 2016

Data Breach Case Standing and Relevance of Harm

Standing is the critical element in determining whether a data breach case can go forward, together with the relevance of the harm incurred. As data breaches occur with growing frequency, the list of cases filed and settled grows with them. The average person is petrified to hear that his or her personally identifiable information (PII) has been compromised in one way or another. Whether the compromise was caused by a company's or agency's disgruntled former employee, an unidentified hacker, or a maliciously loaded email, the concern is the same: internal or external, it is an intrusion to acquire the PII of hundreds if not thousands of individuals. The consternation that lingers, however, is not something the courts weigh as having value, despite the evident value of Social Security numbers, birth dates, and credit and debit card numbers on the illicit market. The claim that the mere misappropriation of PII is a harm, and that the PII has value to the plaintiff, has historically not persuaded courts that the Article III criteria are met.

Under Article III of the U.S. Constitution, a plaintiff in federal court must establish the elements of a 'case or controversy' in order to have standing. The complaint must show that the plaintiff has suffered an injury in fact, that the injury is fairly traceable to the conduct complained of, and that a favorable decision by the court can redress it. The injury in fact must be actual or imminent, not conjectural.[1] A data breach presents circumstances that courts have had to adjust to in assessing whether plaintiffs have incurred such harm.
That adjustment has been shaped by the Supreme Court's standing decisions. In Clapper, a surveillance case rather than a data breach case, the Court held that a threatened injury must be 'certainly impending' to support standing. Lower courts applying Clapper to data breaches have reasoned that the acquisition of PII does not by itself establish that harm has occurred, or that the intruders are able to read and misuse the data; the nature of the data also requires assessment, since Social Security and credit card numbers combined with dates of birth are especially dangerous in unauthorized hands. In Spokeo, the Court held that a bare statutory violation does not establish the concrete harm needed for standing, a principle lower courts have since applied to claims under consumer protection statutes such as the D.C. Consumer Protection Procedures Act. In Remijas, the Seventh Circuit assessed the likely consequences of a data breach and credited the time and effort the plaintiffs spent addressing the breach and the circumstances it created. The court took seriously the cost of time away from work and the effort spent dealing with credit card companies, law enforcement, investigators, and government agencies about their misappropriated PII, recognizing the bother and torment of dealing with the aftermath.
The Minnesota district court in In re Target Corp. found that demonstrated financial injuries support standing, including unauthorized charges, restricted access to bank accounts, inability to pay bills, and late payment charges and fees. In assessing financial impact, courts look at whether the costs were actually incurred or were reimbursed. In the P.F. Chang's case, the district court considered whether the claimed financial harm satisfied standing when the charges had been reimbursed and the remaining damages were nonmonetary. It held that a reimbursed charge was not an actual injury and rejected the plaintiffs' claims based on the risk of identity theft and on mitigation costs; the Seventh Circuit later reversed that ruling, consistent with Remijas.
In the In re Zappos.com case, the court highlighted the guesswork involved in predicting the timing and actions of unidentified assailants and their capacity to interpret and use the data. It noted that it was far from clear that the stolen data would be misused, or that the theft alone could be construed as harm to the plaintiffs. A similar analysis could be attributed to the second round of the Anthem case, where the court gave weight to the value of PII in the open market and treated the disclosure of that information as an economic injury. That economic injury, however, was incurred by the merchants and not the plaintiffs.
Whatever twists and turns standing has undergone in data breach cases, the causation element remains a fixed requirement. The harm a plaintiff incurs from a data breach, by contrast, is always open to analysis that asks who, what, where, and how about the harm, its value, and its costs, including what future impact the breach will have.
[1] See, Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).

Friday, August 19, 2016

Computer Abuse by Password Sharing

Computer abuse can occur through the simple act of sharing a password to gain access to a computer and its network. Password sharing is seldom recognized as a wrongful use, and many account holders do not realize that sharing their account or access passwords is also problematic. Accessing another person's digital media account with a shared password can be construed as 'unauthorized' access to the content, since the password operates as a license for use granted to a specific individual.
Fraudulent computer use arises in the work environment as well, where a company's system is accessed by someone whose authority is essentially that of a trespasser. Keep in mind that access to particular sections of a company's data network is not uniform throughout a company, agency, or entity: a person's position may not permit access to accounting data, employee records, or the latest IT audit results.
In United States v. Nosal, the Ninth Circuit had to determine how sharing passwords fits within the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The analysis shifts from the hacking concern that is the thrust of the CFAA's purpose to the question of who is the rightful grantor of authority to use a person's password. Between these two quadrants lies the conundrum of why the person accessed the computer system using another's password. The facts were that a former employee, working with other former employees, used a current employee's password to access the former employer's database. The hinge of the case is the intent to intrude into the former employer's database, more than the broader ramifications of the decision. Those ramifications nevertheless cloud over everyday password sharing and accessing friends' digital accounts with their passwords.
The case leaves open how to construe 'authorized' access to account data and product subscriptions, and the permissive grant of such access. The defendant was a former employee who, after his own credentials had been revoked, obtained login credentials from a current employee in order to access his former employer's system. In the first round of the case, the district court dismissed the CFAA counts that rested on violations of the employer's computer use policy, and the United States appealed. Amid concerns that the government's theory would extend the CFAA's criminal reach to every breach of a company computer use policy, the Ninth Circuit sitting en banc held in 2012 that accessing a workplace computer in violation of such a policy is not a CFAA violation. More recently, applying the Act's language, 'knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value' (18 U.S.C. § 1030(a)(4)), the court held that Nosal had accessed the system without authorization and with an intent that met the criminal standard of the CFAA.


Saturday, August 6, 2016

Advertising Disclosures

Advertising disclosures required by the Federal Trade Commission are becoming numerous. As advertising creativity increases, so will the FTC's efforts to find practices not to its liking. As the FTC pursues companies that use native advertising or influencer programs, the restrictions will become clearer to businesses. The FTC's concern is that consumers may be confused or deceived by ads that do not look like ads but like story lines and the like. The FTC's native advertising guidance states that under the FTC Act, 'an act or practice is deceptive if there is a material misrepresentation or omission of information that is likely to mislead the consumer acting reasonably in the circumstances.' A misrepresentation is material if it is likely to affect consumers' choices or conduct regarding an advertised product or the advertising for the product.
As the guidance states, what matters is not only the information conveyed but how it is conveyed; it is the means of conveying the message that can lead to consumer deception. The FTC sees greater disclosure as necessary to prevent consumers from being misled, and it is therefore pushing for clear disclosures that reveal the source of the representation in the ad. What the FTC is zeroing in on are ads that make a representation appear independent of the company whose product or service is being promoted. The public should be able to tell that an ad is a sponsorship of the service or product paid for by the company.
The FTC has targeted several companies, including Machinima, Lord & Taylor, and Warner Bros. It pursued Machinima for promoting the Xbox through influencers without adequate disclosure to the public. Lord & Taylor was found not to have disclosed the nature of its Nylon Instagram ads, in which influencers were paid by Lord & Taylor to post. Warner Bros. was found not to have disclosed the sponsor of influencer videos in a conspicuous manner. Digital advertising on platforms such as YouTube, Twitter, and Facebook is not going away, but the FTC will continue to eye the hidden relationship between a paid sponsorship and an unpaid endorsement. The ease with which a company can influence consumer choice and spending through digital means, and the opportunities for fraud on the Internet, cause concern for consumer protection advocates. Disclosure of the source of a comment made in a video promoting a product or service will be required so that the public recognizes it is viewing paid, subjective content rather than unpaid, objective content.
