Category Archives: Backup & Recovery Systems

CALIFORNIA LAWYERS ASSOCIATION PWG: Proposed California Consumer Privacy Act Regulations – COMMENTS

Hello Again, All:

Last week, on Twitter, I promised to try to post the California Lawyers Association Privacy Working Group’s comments on the California Consumer Privacy Act.  I made it.  Before you skip directly to the comments, I wanted to briefly discuss my specific role and also make a suggestion (it’s my blawg, so I get to do that!)

My colleagues are attorneys who immersed themselves in technology and the law.  In my case the opposite is true.  I’m a technology professional who passed the California Bar when I was 44 years old (2007, for the curious).  As such, I became the ‘roving technology consultant’ on the various aspects of this law.  In short, I worked with several of our writing subgroups to identify where the concepts in the law don’t mesh with how the technology actually works.

Aside from some minor formatting differences between WordPress and the original – plus some bolds and one URL added by me – these are verbatim comments.

The suggestion?  While you may discern most of the original issues via the comments alone, it would be best to review the proposed regulations that these comments address.

Estimates are that implementation of CCPA may cost $55 billion – and it does not exclusively apply to California companies – so, we understand and appreciate your interest in being well-informed.

Best wishes for the holiday season and the adventure that awaits us in 2020!

Perry

**************************************************************************

December 6, 2019

Privacy Regulations Coordinator

California Office of the Attorney General

300 South Spring Street, First Floor

Los Angeles, CA 90013

Email: PrivacyRegulations@doj.ca.gov

Re: Proposed California Consumer Privacy Act Regulations

Dear Attorney General Becerra:

The California Lawyers Association (“CLA”) Privacy Working Group (“PWG”) respectfully submits these comments on the proposed California Consumer Privacy Act (“CCPA”) regulations. The PWG is a multidisciplinary group with members drawn from various sections of the California Lawyers Association, including: Antitrust, UCL and Privacy; Business Law; and Intellectual Property Law. Our members have broad-ranging expertise in areas that include consumer privacy, cybersecurity, and data protection, and extensive experience with related regulatory, transactional, and litigation matters.

The Attorney General released these proposed regulations for public comment on October 10, 2019. The regulations are intended to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law. The CCPA requires the Attorney General to adopt initial regulations on or before July 1, 2020.

The PWG applauds the Office of the Attorney General for engaging in a broad and inclusive rulemaking process, including public forums. This public comment period is important because the stakes are high. According to estimates in the Standardized Regulatory Impact Assessment for the CCPA regulations, published by the Berkeley Economic Advising and Research, LLC, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year. If finalized, businesses are estimated to spend between $467 million to $16,454 million in costs to comply with the draft regulation during the period 2020-2030. The CCPA grants new rights to consumers and imposes new obligations on businesses.

As highlighted in the CCPA Fact Sheet, published together with the proposed regulations, the CCPA and the European Union’s General Data Protection Regulation (“GDPR”) are separate legal frameworks with different scopes, definitions, and requirements. A business that is subject to GDPR and also processes personal information of California consumers will need to reconcile the differences between the two regimes. In addition, a business will need to examine what additional obligations apply under the CCPA that are outside of how personal information is collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, the Driver’s Privacy Protection Act of 1994, the Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act of 1996 and the Federal Policy for the Protection of Human Subjects.

We submit the following comments on the proposed regulations.

All views expressed in these comments are our own as individual members of the PWG and do not represent the views of any entity whatsoever with which we have been, are now, or will be affiliated.

Overall Concerns:

The PWG notes that the proposed regulations will not be final before the January 1, 2020 effective date of the CCPA. Once the regulations are final, it will likely take most businesses several months to fully implement processes consistent with the final regulations. Accordingly, we urge the Office of the Attorney General to take into consideration the practical impact these regulations will have on businesses as well as the desire to protect consumer rights.

Our comments below are organized by section. We underlined for ease of reading new or amended language and we struck out language we propose to have deleted (i.e., underline or strike out).

Article 2. Notices to Consumers

§ 999.305. Notice at Collection of Personal Information

Section 999.305(a)(2)(d) provides that a notice at collection of personal information shall: “Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” This same language exists in § 999.306(a)(2)(d) (Notice of Right to Opt-Out of Sale of Personal Information), § 999.307(a)(2)(d) (Notice of Financial Incentive), and § 999.308(a)(2)(d) (Privacy Policy).

The PWG is concerned that “accessible” in the first sentence is unclear, ambiguous, and undefined. This could result in regulatory enforcement issues as well as prolonged litigation regarding interpretation and applicability, similar to other litigation we have already seen concerning website accessibility. In order to address this concern, the PWG suggests that the phrase “accessible to consumers with disabilities” be tied to the requirements of other specific provisions of law and recommends revising § 999.305(a)(2)(d) to read as follows:

§ 999.305(a)(2)(d)

Be accessible to consumers with disabilities to the extent required by the Americans with Disabilities Act, the Unruh Civil Rights Act, the California Disabled Persons Act, or any applicable regulations. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.

We recommend that this same amendment be made to § 999.306(a)(2)(d), § 999.307(a)(2)(d), and § 999.308(a)(2)(d).

Section § 999.305(a)(3) appears to create an opt-in and consent requirement. The PWG is concerned that a new opt-in requirement not already part of CCPA will potentially lead to “click fatigue” in which consumers ignore notices because of their ubiquity. We think a better approach may be to limit the use of personal information to the purposes that were included in the notice at the time of collection or uses that are within the reasonable expectation of the consumer. We understand that the existing text of the CCPA already allows for exceptions that permit use of personal information for other purposes, as enumerated in Civil Code § 1798.145(a), including: (1) to comply with federal, state or local laws; (2) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (3) to cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state or local laws; (4) to exercise or defend legal claims; and (5) to collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information. As such, uses required by law or in furtherance of legal processes, such as serving subpoenas, providing required warranty or recall notices, providing notice of pending class actions, etc. would be permitted even if the notice at collection did not adequately cover these use cases. We recommend revising § 999.305(a)(3) to read as follows:

§ 999.305(a)(3)

A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection, required by law, or reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business, or within a lawful manner that is compatible with the context in which the consumer provided the information. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall use and obtain explicit consent from the consumer to use it for this new purpose.

Section § 999.305(b)(4) appears to require a link to a privacy policy in the notice at collection, implying the privacy policy must be a set of text that is separate from the notice at collection. The PWG suggests that if a privacy policy is provided at or before the time of collection, then a separate notice would not be required. We recommend revising § 999.305(b) to read as follows:

§ 999.305(b)

A business may inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used by providing a link to the privacy policy at or before the point of collection, or in the case of offline notices, the web address of the business’s privacy policy, by URL, QR code, or similar means. If the privacy policy or a link to the privacy policy cannot be provided at or before the time of collection, a business shall provide a separate notice at collection which includes:

    1. A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.
    2. For each category of personal information, the business or commercial purpose(s) for which it will be used.
    3. If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” required by section 999.315(a), or in the case of offline notices, the web address for the webpage to which it links.
    4. A link to the business’s privacy policy, or in the case of offline notices, the web address of the business’s privacy policy.

Similar to the change noted above, we recommend revising § 999.305(a)(2)(e) as follows, to allow for other means to link to privacy policies than web addresses, such as QR codes or shortened URLs such as bit.ly:

§ 999.305(a)(2)(e)

Be visible or accessible where consumers will see it in reasonable proximity to where any personal information is collected. At a minimum, the notice may consist of a link to the portion of the privacy policy that describes the categories of information collected and the purposes of collection, though a business may also choose to provide a separate notice, so long as the notice complies with this section. For example, when a business collects consumers’ personal information online, it may conspicuously post a link to the notice on the business’s website homepage or the mobile application’s download page, or on all webpages where personal information is collected. When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post signage directing consumers to the web address where the notice can be found, by URL, QR code, or similar means.

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information

Similar to our comment for § 999.305, we recommend allowing businesses to provide the notice of right to opt-out as part of their privacy policy. We recommend revising § 999.306(b) to read as follows:

§ 999.306(b)(1)

A business may inform consumers as to the right to opt-out of sale of personal information by providing a link to the privacy policy, or in the case of offline notices, the web address of the business’s privacy policy, by URL, QR code, or similar means. If the privacy policy or a link to the privacy policy cannot be provided, a business shall provide a separate notice of right to opt-out. A business shall post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or the download or landing page of a mobile application. The Notice shall include the information specified in subsection (c) or link to the section of the business’s privacy policy that contains the same information. For example, one of the acceptable methods to provide the notice of right to opt-out would be for the business to provide the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or the download, settings or landing page of a mobile application and direct the consumer to the section of the business’s privacy policy that contains the information in subsection (c). Using pop-up or pop-over windows or check boxes may also be acceptable and appropriate means for informing consumers as to the right to opt-out.

We also recommend removing § 999.306(c)(5) so it is clear to the businesses that if a link to the privacy policy was provided, a separate notice of right to opt-out is not necessary.

We encourage the Office of the Attorney General to consider other permissible means of presenting the opt-out notice in § 999.306(b)(2), particularly for offline notices, such as providing the web address to the privacy policy or using QR codes which link to the privacy policy.

Article 3. Business Practices for Handling Consumer Requests

§ 999.312. Methods for Submitting Requests to Know and Requests to Delete

The proposed regulations in § 999.312(a) set forth the requirements for businesses to provide two or more designated methods through which consumers may submit requests to know. We ask the Office of the Attorney General to consider the legislative changes under AB 1564 (Stats. 2019, ch. 759), which clarify this toll-free number requirement and would require a business which “operates exclusively online and has a direct relationship with a consumer” to only provide an email address for submitting access requests.

We recommend revising § 999.312(a) to read as follows, adding this clarification to make the draft regulations consistent with the CCPA:

§ 999.312(a)

A business shall provide two or more designated methods for submitting requests to know including, at a minimum, a toll-free telephone number, and, if the business operates a website, an interactive webform accessible through the business’s website or mobile application. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.

We also recommend revising the proposed example (1) in § 999.312(c)(1) to clarify that if a business is primarily an online retailer but also has certain products or services that are provided to consumers at brick-and-mortar retail stores, the consumer may submit requests through the email address that is provided on the business’s retail website.

In Example 2, the PWG proposes revising the requirement so that the businesses can consider the methods by which they interact with consumers but the number of designated methods the retail businesses must provide is no more than the two that are required for other industries to avoid any confusion on the minimum requirement.

As such, our recommended revision to § 999.312(c) reads as follows:

§ 999.312(c)

A business shall consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know. Illustrative examples follow:

      1. Example 1: If the business is primarily an online retailer, businesses can provide an email address on their retail website through which consumers can submit requests to know or requests to delete. at least one method by which the consumer may submit requests should be through the business’s retail website.
      2. Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business may shall offer three methods to submit requests to know consumers the following designated methods for submitting requests to know or requests to delete: a toll-free telephone number, an interactive webform accessible through the business’s website, and or a form that can be submitted in person at the retail location.

We understand that the intent of § 999.312(d) may be to allow for instances where a consumer may have submitted the deletion request by mistake, especially in an electronic setting where accidents may occur at the click of a button. However, we do not believe this is a significant issue as deletion requests under the CCPA already require a process for verifying the identity of the consumer. As such, we recommend revising § 999.312(d) to indicate that the businesses can apply discretion in asking the consumers if they indeed meant to submit such deletion request but it is not a requirement. Our suggested language for § 999.312(d) reads as follows:

§ 999.312(d)

A business may shall use a two-step for online requests to delete where the consumer must first, clearly submit the request to delete and then second, separately confirm that they want their personal information deleted.

The PWG suggests removing proposed §999.312(f) because it is overly burdensome and unworkable as drafted. If a business has 10,000 employees, we cannot expect all 10,000 employees to be trained to handle privacy-related inquiries. Especially given that the draft regulations require a response from the business within certain number of days after receiving such requests, we ask that the regulations do not add this new requirement and keep the requirement intact as it is written in the CCPA, which is for the businesses to respond to requests that are submitted through the designated methods. In the alternative, we would propose at a minimum that the requirement is amended to read as follows:

§ 999.312(f)

If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall, to the extent feasible, either:

  1. Treat the request as if it had been submitted in accordance with the business’s designated manner, or
  2. Provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.

§ 999.313. Responding to Requests to Know and Requests to Delete

Section 999.313(c)(7) allows a business that maintains a password-protected account with the consumer to comply with a request to know by utilizing a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information. The PWG proposes the below changes to make clear that the business which uses such a portal may direct the consumer to the portal for submission and processing of a consumer request.

The PWG suggests revising § 999.313(c)(7) to read as follows:

§ 999.313(c)(7)

If a business maintains a password-protected account with the consumer, it may comply with a request to know by using directing the consumer to a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4.

Section 999.313(d)(1) requires businesses to treat a failed deletion request as an opt-out request. The CCPA treats the right to opt-out and the right to delete as two separate rights. We do not recommend conflating the two and instead recommend clarifying that if the business is unable to verify the identity of the requestor for the deletion request, the requestor must be informed how she may rectify the issue and allow an opportunity to complete verification. The PWG recommends revising § 999.313(d)(1) to read as follows:

§ 999.313(d)(1)

For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified, and shall instead treat the request as a request to opt-out of sale the information needed for verification, and allow the requestor to provide additional information to complete verification.

We understand the intent behind the proposed regulations in § 999.313(d)(3) may be to provide the businesses the flexibility to not have to search through and delete personal information from archived or backup systems if the information is not in use currently. We recommend revising the language in § 999.313(d)(3) to clarify that the requests to delete do not apply to information on archived or backup systems but if the information were accessed or used by the business, the deletion request would apply to that information. Our recommended version reads as follows:

§ 999.313(d)(3)

If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is next accessed or used. The consumers’ request to delete shall not apply to any personal information on archived or backup systems, as long as that information is not accessed or used by the business.

§ 999.315. Requests to Opt-Out

The CCPA already contains a provision which restricts the resale of personal information (see Civil Code § 1798.115(d)). We suggest removing § 999.315(f), as any third parties to whom the personal information is sold would already be restricted from reselling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out. The proposed requirement to look back 90 days in § 999.315(f) is unnecessary and unduly burdensome.

§ 999.317. Training: Record-Keeping

In § 999.317(b), there is no clear indication of when the 24 month clock starts (i.e., from the date the business receives the request, responds to the request, etc.). The PWG recommends the Attorney General clarify when the 24 months record-keeping requirement begins. Recommended version of § 999.317(b) reads as follows:

§ 999.317(b)

A business shall maintain records of consumer requests made pursuant to the CCPA and how the business responded to said requests for at least 24 months from the date the consumer submitted any such request.

The PWG proposes a minor change to § 999.317(f) in order to provide clarity as to what record-keeping purpose it pertains. We recommend revising § 999.317(f) to read as follows:

§ 999.317(f)

Aside from this the record-keeping purpose referred to in subsection (e), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

Article 4. Verification of Requests

§ 999.325. Verification for Non-Accountholders

The PWG recommends adding language to § 999.325(c) to allow for electronic signatures, as follows:

§ 999.325(c)

A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business that it has determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. A signed declaration may be physically signed or electronically signed. Businesses shall maintain all signed declarations as part of their record-keeping obligations.

Article 5. Special Rules Regarding Minors

§ 999.330. Minors Under 13 Years of Age

The PWG recommends adding language to § 999.330(a)(2)(a) to allow for additional electronic methods for businesses to verify user identities. Recommended changes to § 999.330(a)(2)(a) read as follows:

§ 999.330(a)(2)(a)

Providing a consent form to be signed physically or electronically by the parent or guardian under penalty of perjury and returned to the business by postal mail, electronic mail, electronic form, facsimile, or electronic scan;

We thank you for your consideration of these comments.

Members of the Privacy Working Group that prepared these comments are identified below. Affiliations are provided for identification purposes only.

Stanton Burke, Member of the California Lawyers Association

Christopher James Donewald, Member of the California Lawyers Association

Aigerim Dyussenova, Member of the California Young Lawyers Association

Jennifer S. Elkayam, Member of the Antitrust, Unfair Competition, and Privacy Law Section of the California Lawyers Association

Jared Gordon, Past co-chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Christian Hammerl, Past co-chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Thomas A. Hassing, Chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Irene Jan, Member of the Intellectual Property Law Section of the California Lawyers Association

Minji Kim, Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Joshua de Larios-Heiman, Executive Committee Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Marina A. Lewis, Member of the California Lawyers Association

Gayatri Raghunandan, Member of the California Lawyers Association

Mary Stone Ross, Executive Committee Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Perry L. Segal, Board Representative, Law Practice Management and Technology Section of the California Lawyers Association

Jeewon Kim Serrato, Executive Committee Member of the Antitrust, UCL and Privacy Section of California Lawyers Association

Kieran de Terra, Executive Committee Member of the Intellectual Property Law Section of the California Lawyers Association

Emily S. Yu, Secretary of the Intellectual Property Law Section of the California Lawyers Association and Chair of the Technology, Internet and Privacy Interest Group

Calbar Solo Summit – June 18-20, 2015

It’s that time again, folks.  The State Bar of California Solo and Small Firm Summit will be held at the Newport Beach Marriott from June 18-20, 2015.  I’m presenting program ten this year on Thursday, June 18:

Earth(quake), Wind, Fire & Flood: Disaster Planning for the Law Practitioner

Four things are certain in life: death, taxes and disasters. The fourth? The disaster won’t manifest itself in the way you expect nor when you expect it. This program broadens your perception of what a disaster is and – should one occur – guides you through preparing and planning for continuity in your law practice.

I’ve been a fan of this conference for years because it provides a more intimate experience between attendees and presenters.  I hope you join us this year!

Perry Segal Discusses the Cloud, Privacy & Attorney Ethics on KUCI Irvine 88.9FM – Monday, Nov. 12th at 8:00 a.m. PST

I guess the headline says it all, except I'd like to add that the interview will also be available as a podcast via iTunes.  I will also post an MP3 here Monday.

Here are a few of the additional details:

Privacy Piracy (88.9FM and www.kuci.org), a half-hour public affairs show with no commercials, broadcasts from the University of California, Irvine campus on Mondays from 8:00 a.m. – 8:30 a.m. Pacific Time.  To learn more about the show and listen to archived interviews, please visit www.kuci.org/privacypiracy.

‘Outlook’ for Hotmail: Cooler with a Chance of Replacement

Normally, the announcement that Microsoft is transitioning away from Hotmail to their new cloud-based Outlook interface wouldn’t register much space on this blog.  However, due to my posts about using Hotmail to emulate ActiveSync on your devices, there is a tie-in.

First, there’s the perception that having a Hotmail account is somewhat embarrassing.  Why?  Who knows.  I don’t care about how things look; I care about making use of the most efficient process to achieve the goal.  You can even replace an existing hotmail.com address with a new outlook.com address (although you were never required to use a hotmail.com address).  But, if these issues held you back from trying it, well, your problems are solved.

But here’s the better news.  Based on my assessment, Outlook is just a superior interface.  Also, if you implemented Hotmail, transitioning to Outlook takes about two mouse-clicks and doesn’t interrupt or affect ActiveSync.

So, maybe you want to revisit the process…

Leveraging ActiveSync to Emulate MS Exchange, Part II – Sync Devices

Ok…so you've spent the weekend dutifully configuring your primary database and cloud configuration a la Part I, eagerly (at least, that's what I tell myself…) anticipating Part II; my instructions on how to synchronize your email, calendar & contacts with virtually all of your secondary devices.

The cool thing is, virtually any default or add-on app that supports Microsoft ActiveSync will work with this process.  For example, if you have an Android smartphone or tablet, you can configure Corporate Sync to use the default modules that came stock with your device – at no cost.  Or, since this process sits on a Hotmail backbone, you can use Microsoft's own Hotmail App.

But, for a lot of us, we want robust functionality on our mobile devices.  After all, many of us spend more time using those products than our traditional desktop devices (pretty soon, the term 'desktop' won't even be accurate, anymore).  If, like me, you're one of those people, you may want to invest in apps geared to the power-user, such as Touchdown.

However, keep in mind; this is a Microsoft backbone, but it's a free backbone.  Regardless of whether the apps support ActiveSync, their technical support will not be obligated to assist you with the configuration because their products are meant to support true Exchange ActiveSync.  If you experience difficulty, you'll have to throw yourself on the mercy of the particular provider, or hit the support forums.

Basic configuration is actually fairly easy.  Let's take a look at a portion of the default Android Corporate Sync configuration screen:

[Screenshot: Droid Corp Sync]

You have the option of selecting your three sync modules separately.  This is helpful because, for example, I didn't want to use the default settings except to maintain a default copy of my contacts (which is enabled, above).  Then, you simply input your display email address and point to the Hotmail server.  As mentioned in Part I, always make sure you have SSL enabled.  Last (not visible here), input your Hotmail Login ID and password.  That's it!

Now, if you've decided to go the power-route, here's an example of the more robust configuration options available to you in Touchdown:

[Screenshot: TD Account AS]

As you can see, here you must specify ActiveSync, rather than Exchange.  Also, it assumes a domain – which you don't have – but it'll still work with your Login ID.  Sometimes, you need to input the backslash in front of the ID in order to correct for the lack of domain, so if it doesn't work the first time, play around with it a little bit.  You also have a choice of more than one 'reply-to' address.

Server configuration is virtually the same as under the default app above, except Touchdown combines all of the modules under a single icon.  Also, see how it confirms Microsoft IIS/6.0.2.5.

[Screenshot: TD Connection AS]

Now, the power user is ready to access the Advanced tab and configure the numerous options available.  Yes, it really is that easy!

So, what have we accomplished?

  • First, we've established a virtual database that can be archived on the fly and/or exported from the cloud at any time; extremely important if there's a server outage,
  • We're using SSL for better security, and of course, encryption options are available to us as well,
  • Any email, calendar entry or contact that is created, added or modified at one source is automatically propagated to all other resources,
  • Calendar invitations are seamlessly integrated,
  • No need to bcc: ourselves on every sent message,
  • Ability to work seamlessly in standalone mode with auto-sync once re-connected.

Dare I say…everything but the kitchen sync!  Yeah, I had to say it…I feel shame…

Leveraging ActiveSync to Emulate MS Exchange & Sync Multiple Devices – Part I

In order to make great (information) soup, start with the right (data)base.

As promised, this is the first in a short series on how to leverage available software technology to sync Calendar, Contacts, Email and more on virtually all (or most) of your devices.  Now, we all know there are many different ways to accomplish this, however, this is aimed at the individual – or small business or law firm – who can't afford expensive hardware or software, is nervous about the cloud (for good reason) but would like a robust, alternative method to manage their data dependably, automatically and securely.  In other words, they don't want to be up at night worrying about it nor spending the day trying to figure out why it doesn't work!

What do most individuals and businesses in this 24-hour-a-day world want from their technology, anyway?

  • Access to my data 24-hours-a-day! (That was a gimme)
  • Rapid auto-sync (I enter/modify a contact on my smartphone and within five minutes, it propagates to all of my other devices)
  • I reply to an eMail message and it syncs everywhere without having to cc: myself at other locations/accounts (I hear complaints about this all of the time)
  • I receive a calendar appointment and can seamlessly add it to my device's calendar, then it propagates…
  • I generate calendar appointments that others may seamlessly process as well
  • If my server/cloud connectivity is severed, I have access to – and can process – all of my data up to that moment, modify it or generate more, then sync it when connectivity is restored (this is also important while traveling, isn't it?)
  • Ability to mirror/archive/backup the database (if this isn't on your list, it should be)
  • Ability to access the data securely

…and more, of course.  Many products provide some, or all of these features – the problem is, many of them do it in completely different ways, including for each separate function (e.g. calendar or contacts) and don't 'talk' to other devices very well.  The goal is to make the process as seamless as possible.

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

I'm hitting for averages here, folks.  There are a lot of Operating Systems and hardware out there.  On PC, we have Windows, Mac, Linux, etc.  With tablets we have Mac, Blackberry, Android, etc.  Smartphones?  Well, there are four primaries; iPhone, Android, Blackberry & Windows.

We know that most PCs are Windows-based (no knock against Macs, it's just the way it is) and the majority of businesses use them.  iPhones and Androids are duking it out, with Blackberries still in the hunt and the new version of Windows phone making a splash.  We also know that a majority use Microsoft Office-based products (even many Mac users).  So, there's no way I'll make everyone happy.

The example I'll use for our purposes is a Windows-based PC, hosting Outlook 2003, 2007 or 2010.  You'll also need a Hotmail/Live Mail cloud component; however, this doesn't mean you'll be changing your existing email setup; you'll be supplementing it.  Last, you'll install the Outlook Hotmail Connector, which allows you to create a virtual database within Outlook.  This will serve as our primary device.  For security, I recommend that it be static, if possible.  Any mobile device, from laptop on down, runs the additional risk of being lost or stolen with your entire database living on it.  Not a pleasant thought.

Is there a method to my madness?  Yes.  The more one can accomplish under a single vendor, the better the results.  In this case, all database components are Microsoft, which makes the process seamless (remember, we're going to be communicating with a lot of devices).  Also, SSL capability was implemented in 2011, meaning your connection to the cloud will be much more secure, whether via Outlook, the Web or your secondary devices.

Once you have your components up & running, you have a choice:

  1. Use Hotmail to "fetch" your emails from your existing database, or,
  2. Forward your emails from your existing database to Hotmail.

Both methods are fine, but I recommend forwarding your emails.  With fetch, Hotmail must make an inquiry and "pull" your messages over.  There will usually be a time delay, which won't be sufficient for those of us who need our messages in real-time.  Forwarding doesn't normally cause a delay; emails are forwarded as they arrive, so this is preferable.  The good news is, you'll have another backup of your messages with your service provider.

As for contacts and calendar, you'll want to import them into your Outlook database as well.  Once completed, you can customize your settings in the cloud.  I recommend disabling as many 'bloatware' features as possible.  After all, you're looking to create a slick, business-like database.  What you do want to enable is your SSL functionality.  One way to verify this is to make sure you may only access it online via https://.  If it works via http://, your security isn't properly configured.
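The https-only check described above can be scripted. This is an added example, not part of the original post; the function names and the host `mail.example.com` are assumptions, and the sample responses are constructed.

```python
import http.client
from urllib.parse import urlsplit


def classify_plain_http(status, location):
    """Classify a server's answer to a request made over plain http://."""
    if 300 <= status < 400 and location:
        # Only an absolute https:// target moves the client onto TLS;
        # a relative or http:// Location keeps it on the clear-text channel.
        if urlsplit(location).scheme.lower() == "https":
            return "redirects-to-https"
        return "redirects-insecurely"
    if 200 <= status < 300:
        return "served-over-http"      # the misconfiguration the post describes
    return "refused"                   # anything else: no content over http://


def probe_plain_http(host, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP (no TLS) and classify the answer."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)      # http.client does not follow redirects
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
        conn.close()
    except (OSError, http.client.HTTPException):
        return "no-http-listener"      # port closed or not speaking HTTP
    return classify_plain_http(status, location)


def https_only(verdict):
    """True when the verdict is consistent with https-only access."""
    return verdict in ("redirects-to-https", "refused", "no-http-listener")


if __name__ == "__main__":
    # Constructed sample responses (status, Location), not captured traffic.
    samples = [(200, None), (301, "https://mail.example.com/"),
               (302, "/login"), (403, None)]
    for status, location in samples:
        verdict = classify_plain_http(status, location)
        print(status, location, verdict, https_only(verdict))
    # Live check against a host you administer (hypothetical name):
    # print(probe_plain_http("mail.example.com"))
```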

I know this is a lot of detail, but if you're willing to take some time and make the effort, you'll have an excellent base.  In Part II, I'll examine how you'll exploit various flavors of ActiveSync (Corporate Sync on some devices) to sync your data over multiple platforms.

That's when the fun begins…

I Never Promised You a (Dusty)Rose Garden…

…but I did promise to try to post more often.  Isn't it a shame when work gets in the way of a good blog post?  Having not posted anything this week, I wanted to let you know about two subjects I'm working on for you right now:

  1. Due to all of the controversy over Google's privacy policy, I'm writing an instructive article about alternate software products you may use to sync email, contacts and calendar on all of your devices; including desktops, laptops, tablets and smartphones.  And here's the best part – you can do it free (for power users who want more robust features, I'll also include some pay options).  I don't know about you, but being able to create emails, calendar appointments and/or modify contacts – then having the device automatically propagate the data to all of my other devices simultaneously – is one of life's greatest time-savers!  Here's another bonus, that should appeal to many of you – you'll have a database that lives on your own device, not just via access in the cloud.  Yes, there will be pictures, in fact, I've been playing with an excellent app that creates terrific images from a non-rooted Android smartphone.  Stay tuned…
  2. I'm also working on a comparison of scientific analyses in California courts versus other jurisdictions.  I'd seen a few good articles floating around about using the Daubert analysis to support the implementation of predictive coding.  Well, that's not going to help in the Golden State, where we follow the Kelly-Frye standard (aka the 'Kelly' standard).  I'd had a lot of exposure to this during my days at the Los Angeles County District Attorney's Office.  Ask me, sometime, about how my boss and I successfully used a "Sweet'N Low" packet to impeach the defense's scientific evidence in a criminal case, once.  I suppose today, we would have called it the Splenda Gambit…

I won't post until I have the time to do the quality job you expect, so look for them a little ways down the road.  In the meantime, enjoy your weekend!

#CalBar Solo & Small Firm Summit Recap

Yeah, I know.  The summit ended Saturday at noon.  It's been a busy week for me, but better late than never.  I had to skip the Thursday sessions, but arrived early Friday morning.  I was backing up another one of my LPMT colleagues in the tech lab, so between his presentations and mine, I didn't get to attend anyone else's sessions, which was a shame, because there were some good ones.  I did catch the bulk of Stephen Fairley's morning keynote on marketing and SEO.  I can only say this; the man is right on about what he was saying.  It was similar to the advice I received from my web guru, Clint Brauer.  Bottom line; if you're going to make a serious attempt at creating an online presence, you need to understand how your information will propagate to the 'web before you develop web sites, create accounts, etc.

I didn't know what to expect for my labs on disaster planning, but for both sessions (I did the identical presentation back-to-back) I had full houses.  The attendees asked a lot of good questions – which is the first indication they're not bored – and although we had some technical difficulties, I was able to illustrate how, in some cases, a few minutes is all it takes to create a basic backup strategy.

Day three, Saturday, I took in the morning keynote on "Multitasking Gone Mad", or, how the more we multitask, the less we accomplish.  Now, this was Irwin Karp presenting – who also preceded me on the LPMT committee – but I'll tell you, the idea of doing one thing at a time is something to strive for, but awfully hard to accomplish.

The second session should really make the eDiscovery people excited.  It covered hearsay (civil, for the most part), but guess what the starring attraction of most of the examples was?  Electronic evidence!  For example, the presenter showed a slide from a traffic camera of a car colliding with a truck at an intersection.  Another was a photo of a simple bar code (not a QR code, like the one you see on my right sidebar).  In both instances, the question was, is this hearsay?  As usual, the answer was, it depends on your jurisdiction.

The third session was one that eDiscovery professionals most likely wouldn't be attending.  It covered the activity up to and including the arrest of a client.  As you know, I also handle criminal cases, so again, this was a good refresher for me.

So, basically a quick in-and-out, and barring any changes to the schedule, my next presentation will be at Calbar's annual meeting in September.

Tips & Tricks: A Password-Protected PDA May Save your Bacon One Day

Remember this post from precisely three months ago?  Well, I'm here to tell you; lightning does strike twice – and I mean exactly!

I'm out of town – in the same place I was three months ago – and once again, my Blackberry was working fine this morning…then it wasn't.  It was virtually the identical problem to last time (frozen solid), except for two glaring differences; 1) I haven't made any modifications to the device in a while, so there wasn't any clue as to why this happened and, 2) (this is critical) I could get to my password screen and unlock the device.  I would also like to note that I have virus software and upon reboot, was able to run a sweep before the device froze again – no sign of any contamination.

So, I went over to the same retail outlet, where some of the same people tried to do the same thing (a software repair push).  Fail!  I basically told the techs (same as last time) "I don't care if you have to wipe it out, I have no problem restoring from backup." (Yes, I have a recent backup, just like last time).  I also told them, "Whether this works or not, I have to walk out of here with a working device."

But – just like last time – no love.  They couldn't wipe the device, either.  Now, here's where it gets ugly.  Last time they had a spare Tour in stock – this time, they didn't.  So, they offered to have a new one shipped to me via overnight courier.  Normally this would be completely reasonable.  Unfortunately this happened today, and on this particular day, this device must work.  I can't forward my cell number elsewhere because I'm out of town, on the go and I need to be reachable (is that even a word?)

This is where the password-protection comes in.  With a Blackberry (not familiar with how other PDAs handle this), when password-protection is enabled, a companion security setting automatically enables a 'doomsday' scenario – and you can't turn it off (unless you disable password-protection altogether).  That's right; it doesn't just fail to unlock the device – it allows you to select the number of incorrect passwords you'll allow (from 3-10), then if that threshold is reached, the device wipes itself out.  Even the techs at the store didn't know this.  So, as a last resort, I suggested, since the only thing that did work was the password screen, try repeatedly entering an incorrect password to trigger doomsday.  Even though the device was frozen otherwise, I hoped that enough of the O/S was running in the background that it might work.

SUCCESS!!!

Most of you know I tend to be vague about my devices, but most of you also have long since figured out my PDA is a Blackberry.  The reason I mention it this time is, I'm afraid I'm worn out with them.  Just like my clients, I cannot afford to have a primary device crashing for no reason.  I lost more than half a day resolving this in the short-term, but for the long-term, I'm switching to a Droid.