One of the fastest ways to mobilize your existing websites is to license special mobile middleware tools.  These tools access source content on your existing site but then apply a mobile-friendly layout to it. Key players include Dudamobile (also offered by Google via its GoMo initiative), dotMobi (offered by many hosting providers like GoDaddy) and many others of various types including open source libraries.

Most such "mobilize-an-existing-site" approaches work in a similar way. They act as a proxy between the visitor and your site and then perform what was classically called screen-scraping or web-clipping. Once they scrape content, they can then re-purpose and serve it to mobile devices.

Besides being a quick approach, proponents argue that you can reuse your existing site without making any major changes and thus save money, time, and hassle. I don't disagree with that conclusion, but I see this only as a short-term stopgap that you should consider while you evaluate a long-term approach.

The reason is, there are several problems with this quick-fix approach:

1. You've added an additional layer between your visitor and content. This obviously has performance implications because typically, screen-scraping happens on the fly. Sure, you can optimize and cache some of it, but you still have an additional layer to worry about.
2. This one proxy can become a single point of failure that's probably outside of your control, despite your other investments in rendundancy and reliability that you or your hosting partner have made. 
3. There are many problems with screen scraping itself. The quality of results will depend on the nature of the JavaScript, AJAX, CSS, and Forms code you've applied.  Your mileage will vary.

Besides these technical issues, my bigger problem is that this approach considers mobile as an "add-on" and not necessarily a channel becoming as important or more so than desktop access.

My recommendation to to our subscribers who are evaluating how to mobilize their web presence is to certainly consider this approach -- but only as a quick-and-dirty solution. If required, you should go back to the basics and evolve a strategy that treats mobile users with respect they deserve. This will inevitably require taking a hard look at your content strategy and your CMS technology. In fact, our recently released version 21 of Web Content and Experience Management (WCXM) Evaluation Stream specifically covers mobile capabilities of all the tools covered in that stream.

If you are an RSG subscriber looking for more personalized guidance, you can place an advisory session request here.

 The panel was comprised of:

• Justin Brookman, Director of the Center for Democracy & Technology’s Project on Consumer Privacy;
• Steve DelBianco, Executive Director of NetChoice;
• Rachel Thomas, Vice President of Government Affairs for the Direct Marketing Association (“DMA”); and
• Peter Swire, Professor of Law at the Ohio State University Moritz College of Law.

Ms. Mithal explained that the FTC Report, released in March of this year, refines but does not change the principles set forth in the preliminary staff report released in December 2010. She noted that there are four “big picture” takeaways from the FTC Report:

1. Commission Report: It is a “commission report,” rather than a “staff report,” as it was adopted by a majority of the Commissioners, and as such, it carries more weight than a staff report.
2. Legislation: It calls on Congress to enact privacy and data security legislation, including baseline privacy legislation, data security and breach notification legislation, and legislation aimed at improving the transparency of the information practices of data brokers.
3. Best Practices:  The Report does not prescribe “rules of the road” that the FTC will use as a template for enforcement actions. Rather, it merely sets forth recommended best practices.
4. Relation to White House’s Privacy White Paper: The FTC Report and the White House’s privacy white paper are “entirely complementary and consistent.” Ms. Mithal noted that the white paper focuses more on implementation, while the FTC Report focuses on providing guidance to industry.

Ms. Mithal also examined the specific principles set forth by the FTC Report. Notably, she highlighted the fact that the FTC Report demonstrates the FTC’s focus on information that can be “reasonably linked” to a specific consumer, computer, or other device, a deviation from the FTC’s former focus on “personally identifiable information” (“PII”). This shift is due to the fact that the traditional line between PII and non-PII is blurring, as it is becoming easier to re-identify non-PII data. This “reasonably linked” concept was seemingly the key to the recent FTC enforcement action against MySpace, which involved MySpace’s sharing of users’ “Friend IDs” – pieces of non-PII which were easily linked to PII – in a manner that was inconsistent with representations MySpace made in its privacy policy.

In response to questionning, Ms. Mithal stated that while the new best practices set forth in the FTC Report will not be the basis for an FTC enforcement action, a company that has otherwise committed a deceptive or unfair act or practice in violation of Section 5 of the FTC Act may be required to implement these best practices as part of the settlement with the FTC. Chris Wolf referenced the FTC’s enforcement action against MySpace, noting that the alleged violations of Section 5 seemed to be founded on the FTC Report’s concept of “reasonably linked.” But Ms. Mithal responded that the data at issue in the MySpace case was viewed by the FTC as an extension of PII, which is similar to a concept that the FTC previously set forth in its 2010 closing letter with Netflix. 

Mr. DelBianco inquired whether companies that fail to have a privacy policy would be subject to FTC enforcement. Ms. Mithal stated that although not every failure to do so would be actionable under Section 5 of the FTC Act, if the failure rises to the level of a material omission, then that may be considered a deceptive practice for which the FTC may take action. 

The panelists discussed many privacy issues related to the recent FTC, White House, and EU proposals, and among the highlights of the discussion were the following points:

• In response to a question about what is privacy today and how does it differ from the past, Mr. Brookman stated that the scope of surveillance is much greater today, noting that tracking is prevalent and collection is the default.
• With respect to a discussion about how to handle companies that refuse to abide by self-regulation standards, Ms. Thomas explained that the DMA self-regulation program allows the DMA to take action against both members and non-members, and she noted that any company (whether a member or not) that refuses to comply with the program’s self-regulatory code of conduct will be reported to the FTC for enforcement.  
• With respect to harmonization between the EU and US privacy regimes, most of the panelists felt that the US shouldn’t “chase” the EU, but rather – as Mr. DelBianco put it – the US should “sell our case” a little harder. Ms. Thomas agreed, stating that she feels our regime has achieved “adequacy.” Mr. Swire recalled the negotiations over the Safe Harbor framework, where the EU first took the approach that only EU law is acceptable, but softened its view over time as “reality set in,” suggesting that the EU may soften its view in other regards as well.
• With respect to the EU Regulation’s “Right to Be Forgotten,” Mr. Brookman remarked that it could be implemented in a “bad way,” which would impose huge burdens on business, but stated that if implemented properly, it could be a positive.

They pointed out that, like SharePoint of yore, Drupal was becoming all the rage among US federal web managers under the current administration. So naturally, this SI went looking for experienced Drupal talent. And could not find any. You see, as readers of our WCXM or Social Collaboration evaluations know, experienced Drupal talent comes in short supply, especially since Drupal fanboys promote it as the hammer for every nail (which it certainly is not). 

So what were these SI managers going to do? What nearly everyone else does: find some PHP developers, train them up on Drupal for several months, and hope they stick around for at least a year. That's exciting for the developer community, but what about you the customer? This sort of dislocation can be very jarring to your project and is something to consider when selecting tools.

No, I'm not suggesting you select some dullard WCXM product so that you can find cheap, unemployed developers. Rather, I'm suggesting that you build hype coefficients into your longterm total-cost-of-ownership calcuations. The more hyped the tool, the more you'll have to spend to get foundational advice. In some cases, a lot more.

And foundational advice is critical to any longterm investment. Ask a developer or architect to talk about their first two implementations with any tool. They'll roll their eyes and explain what they'd do differently if they had it all over again. Fine for them -- they got paid. Tough for you the customer.

Be sure to contract with seasoned implementers with at least 3 projects under their belt with any particular vendor. That's meaningful experience. And with Drupal, it's very hard to find today...

Hogan Lovells partner Chris Wolf (Washington, DC) surveyed the panoply of laws and regulations with which cloud computing customers and, in many cases, service providers must comply.  He also offered attendees a preview of a Hogan Lovells White Paper that surveys the rights of national governments in ten jurisdictions to access data in the cloud.  The complete White Paper will be published on this blog on May 23.  Audrey Roh, Senior Attorney with the U.S. Department of Housing and Urban Development (Washington, DC), who surveyed cloud computing initiatives by U.S. government agencies, highlighted “information security, cybersecurity and privacy” as challenges in government cloud computing contracts.  Her co-presenter, Jason Silverman, a partner at McKenna, Long and Aldridge (Washington, DC), directed attention to compliance with export regulations in connection of movement of data to the cloud and discussed “deemed exports” that can occur even when service providers do not send data outside the country.

Megan Herzler, Assistant General Counsel and Director of Data Privacy at Xcel Energy (Minneapolis, MN), and Boris Segalis, a partner at InfoLawGroup (New York City), offered practical guidance for managing privacy and data security risks in cloud computing transactions beginning with RFPs and service provider due diligence and continuing through the life of a cloud computing contract.  Their though-provoking recommendations included the importance of making preparations for the eventuality of a data security breach and having in place contractors who can assist with responses such as breach notification, credit monitoring and call center support for affected persons.  Hogan Lovells partner Philip Porter (Northern Virginia), a program co-chair, and H. Ward Classen, Deputy General Counsel of Computer Sciences Corporation (Hanover, MD), engaged in a mock negotiation of a hypothetical cloud computing contract, which included defining privacy and data security obligations and remedies for breach of those obligations.  The program concluded with a dialogue by Jeremy Feinberg, Statewide Special Counsel for Ethics for the New York State office of Court Administration, and Maura Grossman, a partner at Wachtell, Lipton, Rosen & Katz, on obligations of lawyers to their clients when the lawyers move client data to the cloud.  At the forefront of these obligations is the use of reasonable care in selecting service providers and in exploring the service providers’ policies and procedures for maintaining the confidentiality and security of client data.

While the program explored a broad range of issues that must be addressed and risks that must be managed in cloud computing transactions, the presenters made it clear that privacy and data security issues are in the forefront. Practising Law Institute will sponsor a similar program in San Francisco and by webcast on June 11.

First and foremost, you will notice the name change: from WCM to WCXM.  To be clear, we're not after adding more ingredients to the acronym soup. However, the marketplace is undeniably changing. Customers and vendors are moving towards more sophisticated ways of managing their web content and the resulting customer experience. It is no longer just about managing content or just on the web.

With this in mind, we have also updated our scenarios and vendor ratings criteria to reflect the latest use cases, and features and functions we evaluate in the WCXM products.  For example, we pay much greater attention to mobile capabilities, which are surprisingly weak in this class of tools.

Version 21.0 also includes updated reviews of the following vendors:

• EPiServer – focusing on mobile and commerce with Mediachase acquisition, but highlighted by slow penetration in North America despite many hires
• Joomla! – slow progression with some concerns from the community about the impact of the long-awaited major 2.5 release
• Drupal – increasing commercialization under the watchful eye of Acquia, coupled with major talent shortage

Another key theme comes courtesy of today's press release: the increasing trend toward commercialization of open source Web Content & Experience Management (WCXM) solutions.

What does that mean for you, the buyer? You need to keep an eye on the narrowing gulf between open source and proprietary business models and how they might affect your CMS purchasing decision.

We’ve discontinued coverage of the following Web CMS vendors (though you can still access archived versions of our reviews):

• EMC | Documentum (now sunset)
• VYRE
• PaperThin
• Oracle (UCM) -- maintaining coverage of former FatWire tool
• Alterian (acquired by SDL)

We’ll be adding new vendors, including ModX and SalesForce, in forthcoming updates to the WCXM stream.

As always, our WCXM stream subscribers can download Version 21 in its entirety, or just individual chapters, and comparison charts immediately. For those of you not familiar with our evaluations, go ahead and download a free sample here.

The Commission on Ethics 20/20 of the American Bar Association released its Report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers’ use of technology and protection of client confidences. The proposals will be considered at the ABA’s 2012 Annual Meeting, and several of these proposed modifications incorporate established concepts from existing data protection and breach notification laws.     

Comments to existing Rule 1.6 of the ABA Rules indicate that lawyers must act competently to safeguard information against inadvertent or unauthorized disclosures. The Commission concluded, however, that “technological change has so enhanced the importance of this duty that it should be identified in the black letter of Rule 1.6 and described in more detail through additional Comment language.” The proposed Model Rule 1.6(c), which uses language commonly found in data breach notification statutes, states: 

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of a client. 

A Comment explains that an unauthorized disclosure is not a violation of the proposed Rule if the lawyer made “reasonable efforts” to avoid the disclosure. In evaluating whether reasonable efforts were made, the proposed Rule cites the following factors:

• sensitivity of the information
• likelihood of disclosure if additional safeguards are not employed 
• cost and difficulty of implementing additional safeguards
• extent to which the safeguards adversely affect the lawyer’s ability to represent clients

The Commission also proposes that the ABA develop and offer a “user-friendly website” to provide guidance on lawyers’ use of common technology, information about the latest data security standards and the administrative, technical and physical safeguards that should be implemented by lawyers. The website will be designed to respond to rapidly developing security standards in a way that ethics rules cannot. 

In addition, the Commission proposes to make clear that a lawyer’s professional duty of competence includes knowledge of the “benefits and risks” of technology associated with the legal practice. In the words of the Commission, “lawyers must understand technology in order to provide clients with the competent and cost-effective services that they expect and deserve.”   

These proposed Rules together serve as a reminder of the importance of implementing effective policies and procedures that prevent a data breach. A breach already frequently results in significant financial and reputational costs under existing laws, and now the Commission has made clear that a breach may affect a lawyer’s status with the bar and legal practice. In the event that other professional accreditation bodies follow the Commission’s lead, the consequences of a breach will only become more widespread and punitive to businesses and professionals alike. 

The Commissioner noted that Data Protection Principle 4 in Schedule 1 to the Personal Data (Privacy) Ordinance (Chapter 486) requires a data user to ensure that personal data held by it are protected against unauthorized or accidental access, processing, erasure or other use. The Guidance Note sets out various practical recommendations to help data users manage the security risks associated with the use of PSDs.

A top-down approach is recommended whereby an organization-wide policy should be adopted as an initial step to manage the risk associated with the use of PSDs. It is recommended that practical guidelines are developed for the use of PSDs and that procedures are drawn up to ensure those operations are performed correctly. It is further recommended that training with reference to the relevant guidelines and procedures should be provided to users.

The Commissioner has also provided advice on formulating policies concerning the use of PSDs and preventing unauthorized access via encryption algorithms and mechanisms. The Guidance Note discusses the detection of risks, the significance of keeping pace with technological change, the importance of having staff awareness and stipulating the consequence of non-compliance with policy-requirements, as well as the need for routine reviews and audits to regularly re-assess the risk associated with the use of PSDs.

There are several recommendations relating to the use of technical controls to assist in the implementation of PSD policy. End-point security software used to control the security of "end-point" devices such as personal computers and mobile phones can be installed on all computers and controlled centrally to prevent the use of storage devices such as USB storage, optical drives or floppy drives. Data loss prevention systems may be used to detect and block the saving of sensitive information to external storage devices or email systems. Inventory control should be conducted so as to ascertain the number, types and whereabouts of all PSDs. Technical arrangements in relation to the erasure, disposal or relocation of data stored in PSDs should be made so that data is securely erased after each and every use.

This blog post was prepared by Gabriela Kennedy (Partner) Hogan Lovells, Hong Kong (gabriela.kennedy@hoganlovells.com), Heidi Gleeson (Foreign Registered Lawyer) Hogan Lovells, Hong Kong (heidi.gleeson@hognalovells.com), and Fiona Chan (Trainee Solicitor), Hogan Lovells, Hong Kong (fiona.chan@hoganlovells.com)

A timely program on pending proposals will be presented by the Congressional Internet Caucus Advisory Committee in the Rayburn House Office building on Monday, May 14, moderated by Hogan Lovells privacy leader Chris Wolf.

Some highlights from Wednesday's hearing:

I am afraid … that the need to monetize consumers' data will win out over privacy concerns

 Self-regulation is inherently one-sided 

 Consumers' rights always seem to lose out to the industry's needs.

-- Senator Jay Rockefeller

Neither this committee … nor the Commerce Department fully understand what consumers want or need with regard to privacy

It's important that companies have maximum flexibility to work with their customers. Companies are already currently competing on privacy. This is a sign of a healthy, functioning and competitive market — something we should be encouraging.

             -- Senator Pat Toomey

Only companies that profit from assembling personal information have yet to conclude there is a need for comprehensive privacy legislation.

-- Senator John Kerry