Gary A. Kibel is a partner in the Technology, Digital Media & Privacy; Intellectual Property and Advertising, Marketing & Promotions Practice Groups of Davis & Gilbert. Mr. Kibel regularly counsels clients with respect to new media/advertising law; privacy and data security; and information technology matters. Mr. Kibel advises interactive companies, advertising agencies, media providers and other commercial entities regarding transactions for interactive advertising, behavioral advertising, social media, user-generated content, viral marketing, mobile marketing, affiliate marketing, gaming and other emerging products and services. He also serves as General Counsel to the Performance Marketing Association. Mr. Kibel is a Certified Information Privacy Professional (CIPP) and advises clients in many industries regarding privacy and data security issues, including, internal information security policies, contractual obligations and requirements, security breaches and incident responses, audits, cross-border data transfers and other matters in connection with an organization’s collection, storage and use of data in all aspects of its business. Droid Report recently interviewed Gary A. Kibel about his current role at the firm and discussed his insights on digital law.
Gary A. Kibel
Droid Report: Hello Gary, as an expert in your field, how would you describe the current movement of BYOD in the way it raises significant data security and privacy concerns?
Gary A. Kibel: BYOD is an unavoidable trend. However, companies need to carefully consider how BYOD will be implemented and what company policies will apply before allowing employees to use their personal devices to access the company network and store company data. A proper combination of technical controls, training and employee policies can reduce the risk of an incident, but can never eliminate every risk that might exist. Depending upon your industry, they may also be regulatory concerns, such as data retention obligations.
Droid Report: What are your thoughts on the current legal and policy issues for an organization which may decide to take action in dealing with malware and hacker attacks?
Gary A. Kibel: An organization must constantly be scanning and monitoring for potential vulnerabilities. Attacks are becoming more sophisticated and targeted. Efforts should clearly be taken to avoid becoming an easy target. While many risks are external, the internal risks should not be ignored. Internal access to data should follow the principle of least privilege, there should be appropriate company policies regarding the use of the information systems and applicable employees should attend privacy and security training.
Droid Report: Could you share any insight regarding mobile application development which may be related to any emerging legal trends?
Gary A. Kibel: Mobile is a different beast that desktop/web. With limited real estate on the screen, but sensitive data collection and use, disclosures need to be made clearly, succinctly and at appropriate times. The concept of “just in time” disclosures is one that promotes providing key privacy statements just before the moment when such data is collected. Building in such processes requires a careful review of an app early on during the development stage. Privacy and security concerns cannot be an afterthought or left to be addressed for the first time at the end of a development project.
Droid Report: What are your personal thoughts on legal experiences with data breach issues?
Gary A. Kibel: There needs to be a partnership between the information technology, compliance, public relations and legal teams. Vendors should be carefully monitored and proper contracts should be in place. When a security incident occurs, there should be a well-oiled plan that is quickly put into action. When an incident occurs, an organization needs to consider their legal obligations, contractual obligations and how to proceed in a manner which makes sense for the business.
Droid Report: How are you seeing such laws with data breaches being enacted within the U.S? Internationally?
Gary A. Kibel: There are currently 46 states in the U.S. with security breach notification laws. While some international jurisdiction encourage notification or are moving in the direction of notifications, the U.S. generally has more regulation in this area. The challenge with these state laws is that there are 46 different laws. When an incident occurs, the facts need to be carefully analyzed to ensure that all laws are being properly observed. Legal should be involved early on to preserve privilege, and proper forensic procedures should be followed to avoid destroying or contaminating evidence.
Droid Report: Is there anything else you feel Android users and the Android market should know?
Gary A. Kibel: Ask questions and be proactive. Think about what risks are likely, whether they be from hackers, regulators, consumers or competitors, and plan how to deal with those issues in advance. For example, proper privacy disclosures may forestall a regulatory action. Hardened security may deter hackers. Accurate claims about your product or service may prevent claims from consumers or competitors. Don’t be a stranger to legal! They are there to help you avoid ending up in a bad situation.
Davis & Gilbert LLP is a strategically focused, full-service law firm of more than 110 lawyers. Founded over a century ago, the firm represents a wide array of clients - ranging from small, independent start-ups to some of the world’s largest public companies - throughout the United States and internationally. Davis & Gilbert is widely regarded as the #1 law firm for the marketing communications industry and also has specialty practices focusing on middle market M&A, intellectual property, litigation, labor & employment, office & retail leasing and private client services.
We would like to thank Gary A. Kibel for taking the time for this discussion and Davis & Gilbert, LLP.