Data Localization and Export: 2 Steps to Take Now

Some of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” See here. But what does that really mean in a world of cloud storage?

In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.

Data Localization: Microsoft Case and Proposed New Laws

In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?

At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016). See news report here.

The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”

If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”

The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data localization and movement is complex.

Data Localization: China’s Cybersecurity Law

In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of the CSL was deferred until various dates throughout 2018, and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:

“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”

The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.

Data Localization: EU’s GDPR

As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.

With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).

Two General Steps to Take Now

As noted above, every business handles private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.

  1. Audit and inventory the personal and consumer data. Identify where physically the data is stored.
  2. Audit and identify the circumstances in which data is transferred cross-border.

With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).

Internet Law Attorneys: Contact Revision Legal

If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data-driven world. We can be reached by email or by calling us at 855-473-8474.


Internet Law: Is Facebook Violating The TCPA Via Text Message?

There are a few cases percolating through the federal courts accusing Facebook of illegal robocalling via its automated text messaging. One example is Brickman v. Facebook, Inc., No. 16 Civ. 00751 (N.D. Cal. Jan. 27, 2017), which argues that Facebook is violating the Telephone Consumer Protection Act.

Mr. Brickman claims Facebook sent an automated text message prompting him that it was the birthday of a friend of his. The message came to his cellphone number and stated: “Today is Jim Stewart’s birthday. Reply to post a wish on his Timeline or reply with 1 to post ‘Happy Birthday!’” While Brickman had given his phone number to Facebook (he was required to give his phone number), Brickman set his personal settings to “no text messages” from Facebook. Brickman sued Facebook alleging violation of the federal Telephone Consumer Protection Act (“TCPA”), which prohibits robocalling via use of automated dialing machines.

What is the Telephone Consumer Protection Act?

The Telephone Consumer Protection Act (TCPA) became law in 1991; now codified at 47 U.S.C. § 227. Essentially, the TCPA bans robocalling and gives the Federal Communications Commission (FCC) regulatory authority to create regulations. The TCPA prohibits companies or individuals from “mak[ing] any call (other than a call made … with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice …” The penalties are the greater of actual monetary loss or $500 per violation with treble damages where a violation is deemed willful or knowing.

TCPA Legal Principles: What is an Automated Call?

The TCPA came onto the scene just as cellphones and the internet enjoyed wider adoption. As such, key terms such as “automated” and “call” needed legal definitions. Generally, courts have taken the “if it walks like a duck…” approach to defining both terms. The case of King v. Time Warner Cable, 113 F. Supp. 3d 718 (S.D.N.Y. 2015) provides a good example. In that case, the plaintiff sued Time Warner, a national cable service provider, for making 163 automated calls to her cellular phone without her consent. Time Warner used an “interactive voice response” calling system. The system automatically dials the number associated with accounts more than 30 days past-due in the billing cycle. If the customer answers the call, the system plays a recorded message. If the call goes to voicemail, the recorded message plays and the system can call up to two additional times per day.

Time Warner argued that its system did not meet the definition of an automated dialing machine under the TCPA since the numbers called were not “randomly generated.” The court, however, rejected that argument by stating “The method is fully automated from start to finish” and noting that there was no human involvement at any stage of the customer selection, list compilation, or dialing processes. As for the random generation argument, the court found that the law does not require telephone numbers to be randomly generated or chosen, only that the system have “the capacity … to store or produce telephone numbers to be called.” And by that definition, Time Warner’s system met the standard of violating the Telephone Consumer Protection Act.

TCPA Legal Principles: Obtaining Consent

The final argument made by Time Warner was that the plaintiff had consented to the calls. This is because, to obtain service, Time Warner requires that all customers agree to its Terms of Service Agreement. Among the provisions is this one concerning consent:

“We may call any number you provide to us (or that we issue to you) for any purpose, including marketing of our Services…. However, if you ask to have your number placed on our “do not call” list, we will not call you at that number for marketing purposes…. We may use automated dialing systems or artificial or recorded voices to call you.”

This argument swayed the court and this consent provision was sufficient to absolve Time Warner of liability for robo-calling, but only up to the point where the plaintiff revoked her consent and told Time Warner to stop calling her. The evidence showed that the plaintiff revoked her consent at the 30th call; the court held Time Warner liable for the remaining 153 calls. The court noted that consumers have the right to revoke their consent to receive robocalls. Time Warner could have continued to call the plaintiff about the past-due bill, but had to do so manually. The court assessed treble damages against Time Warner.

Are Text Messages Like Calls?

With respect to Mr. Brickman’s case against Facebook, the question then becomes: Are text messages “calls” for purposes of the TCPA? The answer is yes. See Van Patten v. Vertical Fitness Group, LLC, 847 F. 3d 1037 (9th Circuit 2017). In that case, the plaintiff sued for robo-text messages, or “wireless spam” as he called it, from his fitness club. The plaintiff’s case was dismissed because he had consented to the text messages and had not revoked his consent.

However, before dismissing Mr. Van Patten’s claim, the court confirmed that text messages are “calls” for purposes of the TCPA. The court noted that TCPA does not contain a definition of a “call,” but that the FCC passed regulations in 2003 interpreting the TCPA to encompass text messages. Several courts have deemed that interpretation “reasonable,” and the 9th Circuit panel agreed.

How Will Brickman v. Facebook Turn Out?

Based on the foregoing caselaw, it looks like Facebook might be violating the TCPA with its Birthday text messages. But Facebook has marshalled a novel argument: The TCPA violates the First Amendment to the US Constitution. The TCPA has two exceptions where robo-calling without consent is allowed – emergency communications and certain messages from debt collectors. As such, Facebook argues that the TCPA requires a review of speech and/or communication — content — to determine if a violation has occurred. Because a review of the content of the messages is necessary, the TCPA violates the First Amendment. The Brickman court denied Facebook’s argument. The court held that the TCPA withstands strict scrutiny. A similar result was reached in Mejia v. Time Warner Cable, Inc., Nos. 15-CV-6445 (JPO), 15-CV-6518 (JPO) (S.D. New York August 1, 2017). The cases are on appeal.

Internet Attorneys: Contact Revision Legal Today

If you need more information on the Telephone Consumer Protection Act, contact Revision Legal. Internet law is at the core of Revision Legal’s practice. We are attorneys who know the business of internet law and have the skills and dedication to help your business succeed. We can be reached by email or by calling us at 855-473-8474.


Intellectual Property: 3 Tips For Architects

As an architect your designs combine creativity, technical skill, experience and your unique style. You provide your clients with a customized experience and your work product is one-of-a-kind. Whether you focus on residential or commercial, custom design or license plans in bulk, your work and your business need to be protected. Below are three intellectual property tips that will help you keep your business safe from those who might attempt to profit from your ideas and creativity.


Tip 1: Register your Copyrights

One of the most important things you can do to protect your intellectual property is to register your designs as architectural works with the US copyright office. Registering a copyright is a relatively easy and affordable way to not only protect your design but also put yourself in the best possible position for the future if someone does try to use your designs without your permission. US Copyright law protects the owners of copyright registrations by providing for increased damages awards and more options if your work is registered before someone copies it.

Tip 2: Draft Strong Licensing Agreements

You might have a great contract your clients sign when they engage your design services. You are clear about your fees and payment requirements as well as what the client should expect in the work product. But do you have a tight copyright license section? Have you had an IP attorney review your licensing agreements for you? Do you sell your designs online or in a publication? Making sure that your designs are being licensed to your clients not only protects your IP, it protects your clients and your reputation.

Tip 3: Think About Your Trademark

The name you use in business is your trademark. Your logo says a lot about your style and approach. These are essential to creating a strong business and brand. It is likely that your clients and potential clients recognize your style by your trademark. Your drawings likely have your name and logo on them. This is how you indicate to the public where your designs come from and the quality of product they are purchasing. Protecting your name and logo with a trademark registration is an essential part of helping your business thrive.


Contact an Intellectual Property Attorney

If you have questions about the state of your IP or for a consultation with an IP attorney, feel free to Contact Us today. We’d love to help protect your work and business.

Naming your Business, Naming your Baby

As a trademark attorney I often try to come up with good ways to explain the intricacies of the law to my clients. Whenever I work with a new trademark client we discuss ideas for naming their business and potential problems they might have in using a trademark and obtaining a registration. There are lots of things to consider when naming your business including the marketing, design, style, and legal aspects.


Also, I am currently expecting my first baby. As my husband and I consider different name options for the baby, we have had to look at each possible name from many different angles. Does it flow with our last name? Is there any significant meaning in the name? Do we both like it? How about the middle name? Should we consider family names? How does it sound in Spanish (my husband is from Honduras)? Our considerations go on and on. Every day it seems like there is another thing to consider.

Picking a business name is a lot like picking a baby name. There are many different perspectives from which you have to evaluate the name. Business owners have to consider the marketing and design elements, their own personal feelings about the name and what they want to portray to consumers. Also, business owners have to consider whether their name is available for use and registration. Just as you wouldn’t use your best friend’s baby name for your baby, you can’t use someone else’s trademark for your business.

Unlike naming your baby, naming your business without first clearing the name through a trademark attorney could result in serious legal, financial and business consequences. US Trademark law protects the rights of those who first use a trademark in commerce and obtain a trademark registration. A trademark lawyer can provide you with a clearance search, advice about trademarks, and help you file an application for trademark registration with the USPTO. We often help clients that have tried registering their mark with an online automated system.

Too often, clients come to us with trademark applications filed through automated services like trademarkengine.com or similar services. The price for such services looks too good to be true because it is. A trademark attorney with years of experience dealing with the Trademark Office can help you identify problems that you did not know existed. In most cases, it is important to identify these issues as soon as possible. Being forced to change your business name after a year in business is often a death sentence to a young company.


Unfortunately, we can’t help you name your baby but if you have any questions or want to schedule a consultation with a trademark attorney please Contact Us.


The High Cost of Data Breaches: Six Examples From 2017

Whether you are a small startup or a big company with a long and storied history, a data breach can be a legal and financial nightmare. There were over 850 cyberattacks and data breaches in 2017 alone, with the number and severity of data breaches rising every year. The cost of data breaches is rising, too. How much will a data breach cost? A lot. Here is what six companies paid in 2017 as a consequence of data breaches.

1. Hilton Hotels — $700,000 in Fines

Hilton Worldwide was subject to a data hack in 2014 and another one in the summer of 2015. The data breaches affected more than 363,000 customers. The stolen data included names, addresses, credit card numbers, and other personal information. The company was charged by the attorneys general of New York and Vermont for failing to have reasonable data security and for failing to quickly tell consumers about the data breaches. This is because Hilton waited nearly 10 months after learning of the first breach and then three months after learning of the second before telling customers in November 2015. In 2017, Hilton Worldwide paid $700,000 to settle with state regulators. See here.

2. Nationwide Insurance — $5,500,000 in Fines

In 2012, the computer systems and networks of Nationwide Insurance Co. were breached by hackers. Personal information for nearly 1.3 million consumers was exposed, including names, addresses, social security numbers, drivers’ license numbers, credit scores, and other personal and financial information. All of this information had been collected by Nationwide as part of its process of providing insurance quotes to customers seeking insurance coverage. Legal actions were brought by 33 states accusing Nationwide and an affiliate company of failing to apply a critical security patch intended to stop potential hackers. As the news article reports, the New York Attorney General argued that “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” In August 2017, Nationwide agreed to pay $5.5 million in settlement.

3. CardioNet — $2,500,000 for Compromised Data on Stolen Laptop

In 2012, CardioNet, a wireless heart monitoring service provider, had a laptop stolen from a parked vehicle. The theft resulted in the compromise of health and privacy data with respect to 1,391 patients. Government regulatory action came from a subdivision of the Department of Health and Human Services (“HHS”). Aside from security issues with respect to the vehicle, the laptop itself did not have sufficient security to protect the data stored thereon. According to the news report, HHS charged that the company had “insufficient risk analysis and risk management processes in place at the time of the theft” and that the company had not implemented the proper policies and procedures to meet the HIPAA Security Rule. Despite the small number of customers impacted, CardioNet settled the proceedings in May 2017 for $2.5 million.

4. Home Depot — Another $27,250,000 and Then More

In September 2014, Home Depot announced that it had suffered a massive data breach. An estimated 56 million customers’ personal and financial data was stolen, including credit card information. This data was sold on the dark web to thieves and resulted in a “massive number” of fraudulent transactions on the customers’ credit and debit cards.

Home Depot was accused of lax cybersecurity and using an outdated malware detection system — seven years out of date according to the allegations — on Home Depot self-checkout kiosks at stores in dozens of locations across the United States. Home Depot was also accused of knowing about the problem in July 2014, several months before notifying authorities and customers of the breach. See report here.

Home Depot’s first settlement was in 2016. The company agreed to pay $19.5 million to settle open customer class actions. Then in March 2017, Home Depot agreed to pay another $27.25 million to settle with the banks.

Finally, in August, Home Depot was ordered to pay $15.3 million in legal fees to the banks’ attorneys. See here. The total fines paid by Home Depot exceeded $85 million without taking into account legal fees and litigation costs.

5. Target Stores — Another $18,500,000 in Fines

In November 2013, Target, one of the nation’s largest retailers, had their computer network breached by hackers that used access codes and credentials stolen from one of Target’s third-party vendors. The hackers accessed a customer-service database and installed malware that captured consumers’ personal data. See report here.

The data breach affected more than 60 million Target customers. The data stolen included names, telephone numbers, email and mailing addresses, credit card numbers with the attendant expiration dates, and encrypted debit card personal identification numbers.

In May of 2017, Target agreed to pay $18.5 million to settle regulatory actions and claims made by 47 states and the District of Columbia. The $18.5 million was on top of millions paid in 2015 and 2016 to settle class action suits filed by customers and financial institutions.

6. Anthem Inc — $115 Million to Settle Class Actions

In 2015, Anthem Inc, the largest U.S. health insurance company, was hacked and the personal information with respect to 79 million customers was stolen. The information included names, birthdays, social security numbers, addresses, email addresses, and employment and income information.

In June 2017, Anthem agreed to settle the lawsuits for $115 million, which is the largest settlement ever for a data breach. More than 100 lawsuits — many of them class action suits — were filed after the data breach. Anthem claimed that it was not negligent with customer information and that no customers were injured. In other words, a much different situation than the breaches at Home Depot and Target. According to reports, the $115 million is to be paid out to the customers as either two years’ worth of credit monitoring or a $50.00 cash settlement per class member.

The Cost of Data Breaches: More Than Just Fines and Settlements

In the cases discussed above, note the time lags between the breach and settlement – three to five years. The costs identified are just for the settlements. For the companies involved, the “costs” of these data breaches include three to five years of legal fees, expenses and filing costs in defending against the regulators. As an example, with respect to Target, the New York Times reported that, through March 2017, Target spent more than $202 million on settlements, legal fees, and other costs following the November 2013 breach.

Contact Revision Legal Today

If you need more information on the cost of data breaches and on preventing data breaches, contact Revision Legal. We are experienced data breach attorneys with the skills and dedication to help if you have suffered a data breach or if you need assistance in enhancing your cybersecurity. We can be reached by email or by calling us at 855-473-8474.


SEC Guidance on Cybersecurity: Data Breaches Are Likely Material

The Securities and Exchange Commission (“SEC”) just issued, on February 21, 2018, a new Guidance with respect to cybersecurity disclosures for publicly-held corporations. The quick takeaway is that data breaches and data breach risks are likely to be “material” for purposes of disclosure, data security should be deemed a “board level” concern, and knowledge of cybersecurity risks and events is legally relevant to issues with respect to insider trading.

Disclose Data Breaches and Cybersecurity Risks

The SEC issued a cybersecurity Guidance in 2011. This new 2018 Guidance is an update. Of note, the new Guidance was issued at the full Commission level; the 2011 Guidance was a staff-level Guidance. While any Guidance must be taken seriously, the fact that the full five-member SEC Commission reviewed and voted to approve the Guidance suggests a new level of importance to the SEC’s cybersecurity Guidance. The first sentence in the Guidance is: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.”

Under both the 2011 Guidance and the 2018 Guidance, cybersecurity risks and incidents may need to be disclosed in various annual and quarterly reports required pursuant to various federal Securities Acts. Indeed, the SEC highlighted specific sections of the reports where disclosure of cyberattacks, breaches and cybersecurity risks might be required, including sections on:

  • Risk factors
  • MD&A
  • Description of business
  • Legal proceedings
  • Financial statement disclosures

The new Guidance is quite specific in places. Thus, with respect to risk factors, the new Guidance references “Item 503(c) of Regulation S-K and Item 3.D of Form 20-F.” Both of these require disclosure of significant factors that make an investment in the company’s securities risky or speculative. Essentially, the 2018 Guidance puts cybersecurity and data breach/hacking events on the level of other information that must be disclosed if the information impacts evaluation of an investor’s risk. Data breaches and cybersecurity issues might have these impacts on investment risk:

  • Cessation or interference with the company operations
  • Direct impacts on company liquidity or financial condition
  • Loss of trade secrets and/or other valuable intellectual property
  • Cost of ongoing cybersecurity efforts — including maintaining state-of-the-art preventative measures
  • Insurance costs
  • Costs with respect to responding to litigation and regulatory investigations
  • Harm to reputation — relevant to profit/loss and to stock price
  • Loss of competitive advantage

The 2018 Guidance does not create or require any compulsory disclosure. Rather, the Guidance highlights that data breaches, hacks and other cybersecurity events and general cybersecurity risks might be “material” for disclosure purposes. As the SEC Guidance states:

“… it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The 2018 Guidance provides factors that should be weighed when evaluating “materiality.”

While emphasizing the need for disclosure, the new Guidance also recognizes the necessary balance between disclosing information about events and risks and not compromising a company’s efforts to prevent and combat cyberattacks.

The new Guidance also highlights the importance of “timely” disclosures, which is also a component of the insider trading portion of the Guidance. With respect to disclosure, the 2018 Guidance makes it clear that the TIMING of disclosure might be as important, for “materiality”, as the disclosure itself. Again, the SEC recognizes the necessary balance between “timely” and “immediate.” Various factors, such as cooperation with law enforcement, may prevent “immediate” disclosure. Thus, while a “timely” disclosure is needed, what is “timely” will depend on the circumstances.

Board’s Role in Risk Oversight

Another important aspect of the 2018 Guidance is the emphasis on the obligation of the Board of Directors to discuss, review, and approve cybersecurity issues and measures. The SEC highlights the fact that a member of the board has a general obligation to evaluate various risks when making decisions and policies for the company. In other words, “risk oversight” is part of a director’s “business judgment” that a director must exercise. The new Guidance elevates cybersecurity and data breach risks to the “board level.” The new Guidance also discusses the need to create proper reporting channels to move cybersecurity risks and events up the chain of command to upper management and to the board.

In addition, members of the board are directed by the new Guidance to avoid insider trading.

Insider Trading

Insider trading is a new topic for the 2018 Guidance. As noted above, because there is often a necessary time lag between a cybersecurity event and public disclosure, legal issues with respect to insider trading are implicated. Moreover, there is also a time lag between a cybersecurity event and when an evaluation is made with respect to severity, what data was compromised, and potential cost/profit impacts of the breach or hack.

The 2018 Guidance states that, during those time lags, those within the company with knowledge of a data breach or other attack, or of the impact of such an event, should not buy or sell stock in the company. The Guidance states:

“… directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”

Note that the Guidance can be used as evidence in shareholder derivative actions and securities fraud cases. The Guidance recommends that, if not already otherwise in place, the following steps should be implemented:

  • Establish/create general policies and procedures to prohibit and otherwise guard against officers, directors, and other company employees taking advantage of the aforementioned “time lags” with respect to buying and selling the company’s securities
  • Establish policies and procedures for timely disclosure of data breach/hack information
  • Establish policies specifically to prohibit and prevent insider trading in the days before public disclosure
  • Establish policies that prevent the appearance of improper trading — the appearance often being just as damaging to a company’s reputation as the actuality of insider trading

Contact Revision Legal Today

For more information, contact the skilled and experienced data breach attorneys at Revision Legal. We have the dedication to help if you need advice on security, if your business has suffered a data breach, or if you need assistance in enhancing your cybersecurity. Internet law is our main practice focus and we have the skill set to help your business with data breach mitigation and response. Contact us via email or call us at 855-473-8474.



2017 Security Breaches: Frequency and Severity on the Rise

We periodically update this post with recent data breach statistics. Now that we’re into 2018, it’s time to look back at the largest data breaches of 2017.

We here at Revision Legal know that cyber-attacks are a constant threat. The number of data breaches is large and the number of customers affected is staggering. Data breaches are bad for business and can be even worse for customers. We monitor the research and news reports to periodically update this post with 2017 cyber-attack statistics. In this final installment, we look at the worst breaches in the fourth quarter of 2017. For 2017, the largest cyber-attack related to consumers in the United States was the Equifax data breach, which affected more than 145 million customers.

Based on records tabulated and compiled by Hackmageddon.com, there were 868 reported 2017 security breaches and/or cyber-attacks. For the year, the worst months were August, October, and December, with 90 each. January came in next at 89 reported cyber-attacks. The spring months saw a relative dip in attacks, with those months averaging about 65 attacks.

We shouldn’t be surprised at the number of security breaches that occurred in 2017. Nor should we be surprised at how rapidly cybersecurity attack techniques evolve to affect more computers and devices than ever before. Hackers’ reaches will only keep expanding as time goes on.


What is Convention/Contracts for the International Sale of Goods (“CISG”)?

Most businesses are familiar with basic US business contracts and with the Uniform Commercial Code (“UCC”). Unless your business involves a significant component of international transactions, you may not be familiar with the Convention/Contracts for the International Sale of Goods (“CISG”). CISG law and CISG forms govern international sales of commercial goods, but not services, including all transactions between the US, Mexico, and Canada under the North American Free Trade Agreement (“NAFTA”). Here is a quick rundown.

What is the Convention/Contracts for the International Sale of Goods?

The Convention/Contracts for the International Sale of Goods is an international treaty signed in 1980 in Vienna which came into effect in 1988. Currently, 89 nation states are signatories to the CISG including, as noted, the United States, Mexico, and Canada. The significant non-signees are the United Kingdom, India, Hong Kong, Taiwan, many nations in the Middle East, South Africa, and many other African nations.

For signatory nations, the CISG governs contracts for the sale of commercial goods between parties whose places of business are in different nations. The CISG can also be specified by contracting parties as the choice of law. Thus, CISG rules can govern international contracts even if one or both parties are from non-signatory nations. Of course, parties can opt out via contractual provisions. As noted, CISG does not apply to services and does not apply to most personal, family or household goods. Thus, CISG provisions generally do not apply to consumer goods bought on the internet and shipped business-to-consumer from overseas (but CISG protocols might apply if products are shipped in quantity business-to-business). There are various other exclusions, including ships and aircraft.

History of the Convention/Contracts for the International Sale of Goods

CISG was developed by the United Nations. See UN Information page here. Like the Uniform Commercial Code (“UCC”), CISG is a set of uniform rules with respect to international commercial transactions. Like the UCC, CISG applies to the sale and purchase of goods and, unless excluded by the express terms of a contract, CISG law is presumed to be incorporated into the contract. Like the UCC, CISG is intended to supplement the domestic commercial codes of the two countries involved, providing “default” provisions where the commercial contract is silent as to some circumstance.

Important Differences Between the UCC and CISG

There are significant and important differences between dealing with international trade under CISG and domestic transactions under the UCC.

First, under the UCC all contracts must be in writing and, if a dispute arises, courts will not accept parol evidence unless there is ambiguity in the contract (or some other exception to the admissibility of parol evidence applies). By contrast, under the convention on the international sale of goods, oral contracts are allowed and parol evidence is readily allowed for purposes of defining the contract and the intent of the contracting parties.

Second, with respect to the “battle of the forms,” the UCC uses a “knockout” protocol and the CISG uses a “last form sent” protocol. Under the UCC, if buyers and sellers are using their own different forms (maybe per their local business practices in various parts of the US), the UCC favors contract formation even though there are differences between the forms. If performance starts, then the contract is considered “formed.” Where the buyer’s and seller’s forms differ, those parts of the forms are considered “knocked out” and unenforceable.

Likewise, the CISG regime favors contract formation even if the seller and buyer are using different forms (although the differing forms must have substantial similarity). However, unlike the UCC “knockout” protocol, the CISG honors the “last-form-sent” protocol. A form that is sent in response to a first contract form is considered a counter-offer. If performance commences, then under CISG the contract being performed is the counter-offer (the “last form sent”). This can be extremely important for many reasons. For example, the CISG does not provide a statute of limitations; thus, any limitation period is supplied by the laws of the signatory nations of the contracting parties. Which nation’s law applies may depend on which form is deemed to be the “contract.”

However, as with most contract drafting, the best practice is to insert clear provisions in the contract itself. Something like this clause, as quoted in Basic Engineering, Inc. v. Commissioner of Internal Revenue, Docket No. 27691-13 (US Tax Court, 2017):

“This Agreement shall be governed by, and construed in accordance with, the laws of the Republic of Austria including the UN Convention on Contracts for the International Sale of Goods of 1980 (CISG). The Parties’ rights and obligations with respect to title to and security interests in the Equipment shall be governed by the law of the jurisdiction in which such Equipment is located.”

Third, under the UCC, industry standards/usage cannot be used to modify contracts whereas such CAN be used to modify or supply missing terms under the CISG.

Fourth, under the UCC, commercial contracts CAN be modified via conduct and course of dealing. However, under CISG, contracts cannot be modified by course of dealing. This may sound odd, but remember that CISG rules allow evidence of oral modifications and also use of industry standards/usage. As such, if the parties’ course of dealing has changed, the parties can rely on direct evidence of such changes based on what the parties said.

A US Case Example

For a case showing a representative example of how US courts apply and interpret the Convention/Contracts for the International Sale of Goods, see Chicago Prime Packers, Inc. v. Northam Food Trading Co., 408 F.3d 894 (7th Cir. 2005). In that case, the plaintiff, a Colorado corporation doing business in Chicago, sold 40,500 pounds of pork back ribs to Defendant Northam, an Ontario, Canada corporation. According to Northam, however, the ribs were spoiled upon arrival. Northam refused to pay for the ribs and Chicago Prime filed suit in the federal district court for the Northern District of Illinois. All parties and the court agreed that the provisions of the CISG applied. At trial, the district court ruled in favor of the plaintiff because Northam did not prove that the pork ribs were spoiled.

On appeal, Northam argued that the burden should not have been placed on it, the buyer, to prove non-conforming goods. The Seventh Circuit affirmed. The court began from the principle that the CISG does not state who, the buyer or the seller, has the burden of proving that the goods delivered were non-conforming. That being the case, the court compared the CISG to the UCC. The court stated:

“The CISG is the international analogue to Article 2 of the Uniform Commercial Code (“UCC”). Many provisions of the UCC and the CISG are the same or similar, and “[c]aselaw interpreting analogous provisions of Article 2 of the [UCC], may … inform a court where the language of the relevant CISG provision tracks that of the UCC.”” (citations omitted)

The court then went on to show that, under the UCC, the buyer bears the burden of proving nonconformity. UCC § 2-314 provides that goods are warranted to be “fit for the ordinary purpose for which such goods are used” unless the contract states otherwise. Article 35(2) of the CISG provides that “goods do not conform with the contract unless they … [a]re fit for the purposes for which goods of the same description would ordinarily be used” unless the contract states otherwise.

The court then reasoned that, since the CISG is similar, a similar result should apply in terms of how one bears the burden on the question of nonconformity. As such, the Seventh Circuit affirmed that the district court was correct to conclude that Northam bears the burden of proving that the ribs were spoiled at the time of transfer.

International Business Law: Contact Revision Legal

Every business engaged in international trade needs experienced business attorneys familiar with international law and business forms. For further information, contact the professionals at Revision Legal. We can be reached by email or by calling us at 855-473-8474. We look forward to helping your international business succeed.


10 Reasons Why You Should Register Your Trademark

Most business owners know it is important to register a trademark to uniquely identify their products and services in a crowded marketplace. A protected trademark sets you apart from the competition, helps drive traffic and sales, keeps customers loyal to a brand, and can influence consumer purchasing decisions. But wait – there’s more! (sound familiar?) Those are not the only reasons to trademark. Read on for 10 more reasons.

1. Trademarks are Valuable

Create a trademark and you create immediate value. You already know that physical assets owned by your business, such as property, have value, but registered trademarks are quite valuable as well. The process of using a trademark in advertising, on your packaging and product, and in your interactions with customers creates a positive association with your product: good will. The good will your trademark generates will appreciate in value with time; the better your business, the better your efforts at “branding,” the better your reputation, the more valuable your trademark becomes, and so on in a self-reinforcing cycle.

2. Trademarks are Forever (as Long as You Use Them)

Second, when you trademark, you create something to withstand the test of time. As such, the time you spend creating a trademark is worthwhile because it is something that is legally permanent, something to pass down through the generations if you are a small family-run business, for example. Consider “Mercedes,” which has been a registered trademark for over 100 years.

3. Trademarks can Make You Money

To make money you need to create value, and to make more money that value needs to persist over time. Registering a trademark is the most obvious method of creating a valuable asset that can persist over time. And franchising and trademark licensing agreements are the most obvious methods of monetizing your trademark(s). Then, when it comes time to sell your asset, you will likely find that the sales price of your business is significantly enhanced when a famous trademark or logo is part of the deal. There are even times when the acquiring business will view your trademark as more significant than any physical asset.

4. Trademarks Help Your Business Grow

When you have a legal trademark, you are prepared for the growth and expansion of your business. A federal trademark in one market is easily migrated into an adjacent, upstream or downstream market. “Market,” of course, here means both physical markets — Illinois to Wisconsin — and also service markets — tax preparation to auditing services to legal forms. Entering a new market with an established brand gives you a significant competitive advantage. In this sense, trademarking helps you grow beyond your core market AND beyond your core product and your core service.

5. Trademarks Communicate

With a legal trademark, a business communicates its brand to the marketplace. A successful business, though, makes an effort to communicate a brand message and engage in new markets, because current customers may be loyal now, but someday they won’t need what you are selling.

Therefore, every brand needs a strategy to continuously attract new customers while also being careful that its efforts do not alienate its core supporters. A well-crafted and honed trademark does this, as long as you stay loyal to it. Take the automobile brand Oldsmobile, for example, which tried to rebrand as “younger” at the end of the 20th Century. In an effort to improve sales a new ad-line was introduced, “This is not your father’s Oldsmobile,” along with a new “international” redesigned logo. However, in their attempt to break from the past, the new logo that Oldsmobile worked so hard to modernize was left off their cars. The brand identity they were trying to communicate was missing, and after a century in existence Oldsmobile was over as a brand.

6. Trademarks Translate

When you register a trademark, you create a symbol that translates to other nations and languages. In this increasingly small world connected by e-commerce, your trademark communicates an emotional message without speaking a language. A good example is the Nike “Swoosh”, a logo you can probably easily picture in your mind. The Nike “Swoosh” logo is familiar on every continent and in every language. Additionally, this applies to “textual” trademarks like “Coca-Cola” as well. The way the letters are written, connected, and even their color becomes a “symbol”. And this symbol does not depend on the native language to communicate what the product is and its commercial source.

7. Trademarks are Fast

Of the five senses, the human brain gives the most attention to visual perception. Your trademark is visual communication and it is the fastest way to impart emotions and information to a consumer. And in the smartphone age, images at arm’s length must quickly deliver a message. This is why you need a trademark: to get straight to the brain’s image processing center. Consider how a restaurant’s logo can convey a complex message in four symbols: your trademarked logo, an arrow, the word HERE and a street map. Indeed, you could probably skip the word HERE. Your customers will see and understand the message instantly. Trademarks are speed; speed is distance over time; time is money.

8. Trademarks are Scalable

Scalability is the capacity for a logo to change size without changing appearance, and it is more important than it sounds. Think of your favorite sports team: their logo must be easily recognized from hundreds of feet away on a scoreboard, in person on a jersey, or as an icon on a smartphone. Each scale has purpose and use; the massive one is imposing, the next engaging, and the last accessible and informative. Communicating via words and text does not scale in this manner, since words/text are only readable within a certain range of size limited by our ability to see small detail and our ability to take in a large format. Logos convey instant meaning whatever the size or scale. It takes much work and a creative artist to design a logo that is scalable, so be sure to protect that investment with a registered trademark.

9. Trademarks Create Community

One of the more underrated reasons for trademarking is to create an identity to belong to for a community of both customers and employees. When your brand creates positive feelings and inspires good will today, your brand can pay forward that good will from existing customers and employees to future members of the group. A logo consolidates that identity. And the longer your logo maintains this good will in the community, the more likely it will continue according to the Lindy Effect (in that the longer a logo has been around, the more likely it is to stay around).

You want to create a brand community for the long term, don’t you?

You must have an outstanding product or service and pay and treat your employees well. Do this plus have a community that is willing to purchase items with your logo on them? Then brand prestige, symbolized by a trademarked brand ID, is strong enough that talented workers will actually seek employment in the community they most identify with. All else equal, would you prefer to work at Geek Squad or an Apple Store? Do you want to work at “a store,” or do you want to work at “Apple”?

10. Trademarks are Easy to Register

How to file a trademark?

The act of filing a federal trademark is easy and relatively inexpensive with the United States Patent and Trademark Office. America’s economy thrives partly due to there being no significant barriers to obtaining a legally protected and enforced trademark. However, it is wise to seek the assistance of experienced trademark attorneys to perform background research to ensure your trademark is legally unique and can be registered. Also, when you need legal representation for the challenging task of enforcement, you’ll be glad to have familiar trademark attorneys on your team.

Trademark Lawyers: Contact Revision Legal

For more information on trademarks, contact the lawyers at Revision Legal. Revision Legal has expertise with evaluations, audits, applications, renewals, monitoring, enforcement, warning letters, and all other aspects of protecting your trademarks and your other valuable Intellectual Property. We can be reached by email or by calling us at 855-473-8474.


Can Your Business be Liable for an Employee’s Intentional Data Leak?

Many businesses are acutely aware of the dangers of a data leak that can result from the breaching of networks, computer hacks, malware, and computer espionage. These cyber threats are external threats, but businesses must also be increasingly wary of INTERNAL threats coming from vengeful and vindictive employees and ex-employees. A well-publicized lesson can be found in the recent news of a large grocery store chain in Great Britain, WM Morrisons Supermarkets, suffering from a data leak from a well-placed employee. See news report from the Guardian here.

Employee Data Leak: What Happened to Morrisons?

In 2013, a senior internal auditor in the IT department for Morrisons ran an after-hours moonlighting business on eBay. He was a well thought-of employee by day and mailed out packages to his eBay customers from the Morrisons mailroom by night, until one day a package containing a white powder was discovered by a coworker. With understandable concern, the police were called. The white powder was found to be a diet supplement powder that was neither illegal nor dangerous, but Morrisons was not pleased. The employee was given a written disciplinary warning for his misconduct.

Angry about his disciplinary warning, the employee grew disgruntled and waited for an opportunity for revenge, to teach Morrisons a lesson. This lesson was delivered later in 2013 when the employee downloaded payroll data of 100,000 of his coworkers onto a thumb-drive and sent copies of the data to three newspapers. The thumb-drives included names, addresses, phone numbers, bank account details, and salaries of Morrisons employees.

As described more fully here, the leak — as opposed to a hack — was timed to cause maximum embarrassment to Morrisons. Morrisons is a publicly traded company, and in May 2014, Morrisons was having profitability issues and issued a profit warning sending its shares down 12%. To allay concerns about profitability, the CEO of Morrisons touted the company’s new IT systems as key to helping Morrisons return to better performance. Within hours of this announcement the employee data was leaked and Morrisons’ shares continued to lose value.

The employee was eventually sentenced to eight years in prison for violating the 1998 British Data Protection Act.

However, about 5,500 of the employees affected by the data leak filed a class action lawsuit against Morrisons in the British courts for damages in connection with the internal information leak. In December of 2017, the court ruled that Morrisons was vicariously liable for the employee’s intentional leak of the personal and financial employee data. Morrisons states that it plans to appeal the ruling.

Employee Data Leak: Legal Principles

The case is worrisome for many reasons. Most employee data leaks occur because of some negligence or accident (see US examples below). But here the employer is being held liable for the criminal conduct of an employee. In finding Morrisons liable, the British court specifically acknowledged that Morrisons was not at fault, that Morrisons itself did not violate the law, and that Morrisons was essentially the target of the employee’s criminal behavior. Nonetheless, the court held that Morrisons was liable for the leak on the basis of respondeat superior.

This creates, in effect, a form of strict liability for an employee data leak (at least in the UK). If the ruling is upheld, Morrisons will face a massive legal liability and, without question, the remaining 94,500 employees will join the class action or file their own lawsuits. Further, it is possible that British regulators will follow the court’s ruling and impose heavy regulatory fines and penalties.

Employee Data Leak Legal Principles: Negligence in US Courts

It is unclear whether US courts would come to the same result as the British court in the Morrisons case.

So far, US courts have only dealt with negligent or accidental leaking of employee data. In one example, a US district court held that, under theories of negligence, an employer can be held liable to employees for loss of data. See Sackin v. TransPERFECT Global, Inc., No. 17 Civ. 1469 (LGS) (US Dist. Court, SD New York October 4, 2017).

In that case, hackers successfully hacked into the company’s computers and networks and stole personal and financial data on 4,000 employees. The employees brought suit based on many claims, including common law negligence, violations of various labor laws, and breach of contract. The court held that, under New York law, employers have a duty to take reasonable precautions to protect the personal data that they acquire from employees. The court held that the employees had properly alleged claims under various New York statutes. The only claims dismissed were the breach of contract claims.

By contrast, in Enslin v. The Coca-Cola Co., 136 F. Supp. 3d 654 (US Dist. Court, ED Penn. 2015), the court eventually dismissed all claims by employees. In this case, per standard operating procedures, an IT employee was to dispose of obsolete Coca-Cola employee laptops. However, rather than destroy these computers, the employee unlawfully sold them. But unbeknownst to the employee, the hard drives on these laptops still contained employee information, including addresses, phone numbers and SSNs for upwards of 74,000 employees. Identity thieves pounced on this data leak. Once Coca-Cola became aware that the laptops had not been destroyed, the employee was fired and criminally charged. Later, several employees whose personal and private information had been stolen filed suit and attempted to have a class action certified against Coca-Cola.

Most of the claims were dismissed early at the Rule 12(b)(6) stage in 2015. The employees asserted various state law claims that required “knowing violations” of the relevant statutes. The federal court found that Coca-Cola did not have any knowledge that data had been stolen/leaked. In addition, Coca-Cola acted very quickly to recover as many of the laptops as it could locate. As such, all claims based on “knowing violations” were dismissed.

The federal court also dismissed claims based on the Pennsylvania economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage. The court also found that there was no “special relationship” between Coca-Cola and its employees that would be an exception to the economic loss doctrine. Negligence claims were also dismissed by the court on the grounds that various employee and company policies failed to create a duty on the part of Coca-Cola to protect employee data. The court also rejected claims based on civil conspiracy and bailments.

In the 2015 decision, the only claims NOT dismissed were ones based on breach of contract or, in the alternative, claims based on unjust enrichment. However, those were eventually dismissed on summary judgment in March 2017. See here.

Employee Data Leak Legal Principles: Intentional Conduct in US Courts

With respect to an employer being responsible for the criminal conduct of its employees, the law is complicated and depends very much on state statutes and common law. But, in general, an employer has no duty to prevent criminal activity or intentional harm to a third-party victim unless a “special relationship” exists with the victim, or the harm/crime is foreseeable and the victim is among the class of foreseeable victims. See, e.g., Niece v. Elmview Group Home, 929 P.2d 420 (Wash. Supreme Court 1996) (nursing home liable for employee rape of nursing home resident).

A special relationship imposes a duty upon the employer to control the conduct of its employees and otherwise protect against the criminal conduct. Foreseeability depends almost entirely on the facts of the case. Liability has been found, for example, against innkeepers and owners of apartments when guests and residents have been the victim of various crimes if such crimes were foreseeable but protective steps were not undertaken. Prosser and Keeton on Torts § 56.

How these principles play out with respect to intentional data leaks is yet to be determined.

Data Breach Attorneys: Contact Revision Legal Today

For more information, contact the data breach attorneys at Revision Legal. Contact us via email or call us at 855-473-8474.
