Photo of Kathleen Porter

Kathy Porter's practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies' privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.

This week, the world learned of widespread and serious vulnerabilities in most central processing units (CPU). CPUs manage the instructions received from the hardware and software running on a computer.  The vulnerabilities, named Meltdown and Spectre, affect virtually every computer existing today, in particular those with Intel, Advanced Micro Devices, Inc. (AMD), Nvidia and Arm

As we approach calendar year end, traditionally the busiest period of the year for mergers and acquisitions, it is worth revisiting whether our existing competition law framework can and does properly assess the market power of big data.

This spring, The Economist magazine joined the ranks of some antitrust regulators, particularly from the EU, in

In an order issued on October 16, 2017, the U.S. Supreme Court granted certiorari in United States v. Microsoft Corporation, a case with potentially far-reaching implications for the privacy of electronic data maintained by technology companies across the globe.

The case, which Robinson+Cole has previously discussed here, here, and here, arises from a warrant obtained by the Department of Justice (DOJ) under the Stored Communications Act (SCA).[1] The SCA was enacted in 1986 to protect the privacy of electronic communications, including by extending privacy protections to electronic records analogous to those afforded under the Fourth Amendment to the U.S. Constitution.[2] In relevant part, the SCA requires a governmental entity in most instances to secure a warrant in accordance with the Federal Rules of Criminal Procedure to compel disclosure of electronic communications stored by a service provider.[3]
Continue Reading Supreme Court to Hear Microsoft Emails Case

Japan and the European Union announced an agreement in principle on major components of a substantial free trade deal on the eve of the recent G20 summit in Hamburg. This free trade deal rivals NAFTA in scope and impact, as it will impact 40 percent of the world’s trade. Once finalized, this free trade pact

Twitter recently announced updates to its Privacy Policy. The updates are effective on June 18, 2017. By using the social media platform on or after that date, Twitter users will be deemed to have agreed to these updates.

The updates enable Twitter to collect more user data, including about a user’s visits from Twitter

Two Massachusetts accounting firms separately recently notified the Office of the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation of data breach incidents at their firms, resulting in the unauthorized access of their respective clients’ names, addresses and Social Security numbers.

The first accounting firm, King McNamara Moriarty LLP (KMM) discovered

The GDPR will apply as of May 25, 2018. It provides a single set of very innovative rules directly applicable in the entire European Union (EU), without the need for national implementing measures—which means that any personal data processing ongoing at this date shall be in compliance with the GDPR. This leaves one year for companies to ensure compliance with the GDPR.

The GDPR provides for a scope of application wider than processing undertaken in EU countries. Indeed, it will also apply to data controllers or subcontractors not established within the EU which are in charge of data processing with the aim to provide goods and services to EU residents or to monitor EU residents’ behavior.

A business can take several steps in order to organize compliance with provisions of the GDPR:
Continue Reading GDPR Effective Date and Geographical Scope of Application

Privacy laws in Asia-Pacific countries such as Japan, Australia, New Zealand and Singapore restrict the export of personal information except when the exporter meets certain qualifying conditions. One qualifying condition is if the exporter is in compliance with the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules System (CBPR). Under the CBPR, the exporting company would have its data privacy policy and practices reviewed and certified by a third party to confirm the policy and practices are consistent with the applicable domestic law. For example, if an exporting company desired to export personal information of Japanese citizens, its privacy policy and practices would need to be consistent with Japanese law in order for the third party to certify the exporter was CBPR compliant. A company promoting compliance with CBPR on its website would be representing, directly or indirectly, expressly or by implication, that it was certified by a third party to participate in APEC’s CBPR system.

The U.S.’s data protection scheme does not require a third party to review a company’s privacy practices and policy prior to its export of personal information from the U.S. However, the U.S. scheme does prohibit a company from making false statements about its privacy practices and policy. Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen recently reinforced the importance of this U.S. requirement, stating that companies “must live up to the promises they make to protect consumer data.”
Continue Reading FTC Resolves Allegations Against Three U.S. Based Companies Involving Misrepresentations of International Privacy Program Certifications

As was expected, President Trump signed into law the rescinding of the broadband privacy regulations adopted in 2016 by the Obama administration’s Federal Communications Commission (FCC).

The now rescinded regulations would have required internet service providers (ISPs) to obtain consent from a customer before using or selling the customer’s Web browsing history, app usage history,

Yahoo’s troubles for failing to timely disclose security breaches provides rare insight into quantifying the financial and other costs to a company’s shareholders and leadership when a security breach occurs and is mishandled.

In 2014, more than a billion Yahoo accounts were hacked. Then in 2015 and 2016, more than 500,000 Yahoo user accounts were