
GDPR Compliance: 5 Steps You Need to Take Before May

If you think Facebook is the only company that needs to think about data privacy and security issues, unfortunately you are mistaken. Right now, most companies need to consider whether they are prepared to protect the personal data of their customers, not only because of the outrage and backlash that companies face in the aftermath of a breach but because of regulations like the GDPR and other data protection laws. The General Data Protection Regulation (GDPR) is a regulation that has been passed by the European Union and is set to be implemented in May 2018, and companies need to take steps to meet GDPR compliance requirements.

What if your company has no presence in the EU?

GDPR could still apply to your company if you offer goods and/or services to people in the EU and you collect data from them or if you process data received from a third party who does. This is important because non-compliance could result in massive fines up to 20 million Euros or 4% of global company turnover, whichever is higher. These fines are high due to the EU’s intention to deter companies from misusing data.

The GDPR allows for personal data processing where the owner of the data consents and you have legitimate reasons to collect the data or when the processing is necessary for tax, legal, or other reasons.

Personal Data as defined by the GDPR includes any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Some GDPR Personal Data Rights and how they could affect your business:

  1. Opt In/Opt Out: The GDPR requires that companies obtain and keep records of affirmative opt in to collect personal data. Traditionally, companies have relied on their online Terms of Use and Privacy Policies to dictate the collection of data and have notified users that their continued use of the services constitutes acceptance of the data collection. This is not sufficient under the GDPR. Companies will have to receive and keep a record of each opt in. Furthermore, users must also be able to opt out of the collection, and opting out cannot be a more difficult process than opting in. You will need to keep records of each opt in and opt out action taken by all users and be able to provide them if requested.
  2. Right to Access: Consumers have a right to know what data is being collected and for what purpose. You need to be able to provide this information for free to anyone who asks for it.
  3. Portability: Not only do consumers have a right to know what data you’ve collected and what you’ve done with it, they also have a right to obtain a copy of all data you’ve collected to use for any other reason. Your company needs to be able to provide them with a copy in a readable format at no charge and within one month of the request.
  4. Erasure: Consumers have a right to be forgotten completely. Your company should have a process by which, upon request, you can access all data collected regarding an individual and erase it completely from your systems and files. There are some exceptions to this where you need to keep certain data for specific reasons such as for taxes or legal reasons. Even then, you must delete all non-necessary data.

The GDPR also places restrictions on and regulations regarding the transfer of Personal Data outside of the European Union. Data breaches must be reported to authorities within 72 hours and companies must have a process in place to notify potentially affected individuals.

This is not an exhaustive list of all requirements imposed by the GDPR. It is imperative that companies have processes, procedures, technological capabilities and training in place so that they can comply.

GDPR Compliance: 5 Steps You Need to Take

  1. Evaluate what data you are collecting and why.
  2. Understand why you need to collect/process the data you collect.
    1. Do you really need to do it?
    2. What happens to the data after it is collected?
  3. Review your consent process.
    1. Individuals should provide affirmative consent and your privacy policies must be written in clear language.
    2. Revocation of consent must be as easy as giving it.
    3. You must retain consent receipts (show both you and your client that they gave and/or revoked consent).
  4. Compare existing procedures to GDPR requirements and make edits.
    1. What do you already have in place and what do you need to expand or change?
  5. Implement all policies before May 25, 2018.
    1. Documentation
    2. Audit
    3. Training
    4. If you aren’t there yet, you need to be able to explain why you are not compliant.

The GDPR is a complex law with significant impact on the business community. Time will tell us the full extent and impact on business but we recommend taking steps now to move toward compliance. Contact Revision Legal for more information or for further guidance and resources.


9 Steps to Business Success

So, you have a great business idea. Great! What now?

Below are 9 steps that will help guide your idea from light bulbs to a profitable business.

Step 1: Identify a Brand Name

Branding is important and any new idea needs a name. There are many details that come into play when choosing a brand name. Whether you are working with a marketing firm or you have a list of potential names on a napkin, it is important to consider the legal implications of choosing a name. Brand names are trademarks. The use of a trademark has legal implications that can enhance or hurt your business.

Some names are better than others. Choosing a strong, distinctive trademark will help you create a brand that really makes your idea shine. It is important to avoid descriptive and generic trademarks. The strongest trademarks are fanciful or arbitrary. Apple is a very strong trademark for the sale of computers but Apple is a terrible trademark for the sale of apples.

Many people think their trademark should describe their product or service. This is not necessarily true. While your brand should represent the tone you intend to portray in business, choosing a descriptive trademark is not the best approach in the long run.

Step 2: Identify a Domain name

Your idea needs a website. Whether you are selling products online or you will use your website to help get the word out about your services, your website is an important aspect of your marketing and business plans. Finding the right domain name is an important part of this process. Do your research and see what relevant domain names are available.

The law also provides protections for trademark owners. Anti-cybersquatting laws provide an opportunity for trademark owners to protect their rights online. Cybersquatting occurs where one registers a domain name containing the trademark of another with the intent to profit from the sale or use of that domain name. Cybersquatting can be devastating to a business. Cybersquatters can divert valuable traffic and, in turn, sales, from a business through the use of the cybersquatted domain name.

Step 3: Obtain a Trademark Clearance

You picked a name you love and you’ve found a domain name that is perfect. Now it is time to take this step which many entrepreneurs skip or put off only to suffer devastating consequences in the future. Obtaining a trademark clearance is an affordable and essential action in the start-up process. A trademark attorney will perform a trademark search and provide you with a clearance opinion. In the opinion, the attorney will include results of their search that they consider relevant to your ability to use and register your trademark.

Some things that trademark attorneys consider include whether there are any registered trademarks that would hinder your use and registration. They will provide you with an opinion as to whether consumers would likely be confused by the existence of your trademark and the prior mark. The attorney will also give you their opinion about any genericness or descriptiveness concerns they anticipate.


Step 4: File a Business Entity

Creating a business entity will help you organize and protect your business. There are many different entity types and structures to choose from. The best type of entity for you depends on the nature of your business and your goals. A business attorney can help explain your options and help you choose the most appropriate one. Business entities are valuable because they help shield owners from personal liability and can help improve the tax implications of bringing your ideas to life.

Step 5: File for a Trademark Registration

Obtaining a trademark registration is a powerful asset for your business and not something that should be overlooked or put off for the future. After you have a business entity and a trademark clearance, it is important to file an application for registration for your trademark. You will want to make sure that not too much time has passed since you received a trademark clearance as it may be inaccurate as to any subsequent filings or trademark use by third parties. The United States Patent and Trademark Office handles all trademark applications for registration. While it is not absolutely required, you may want to hire a trademark attorney to help you prepare and file your application.

Step 6: Open a Bank Account

It is important to keep business and personal expenses separate from one another. Opening a new bank account is a great way to avoid confusion and help make tax filing easier. You may want to consider opening an account at a bank other than the one you use for personal finances just to keep everything separated and easy.

Step 7: Get Insurance

Business insurance can help keep you out of trouble and assist in the event your business encounters problems. Ask around to learn about your options. The type of insurance you purchase depends greatly on the type of business you are creating. Important questions may be whether you are offering services that put people in harm’s way, sell products to a potentially vulnerable customer base or invite people to your place of business to purchase or receive services. A reputable insurance agency can help you determine the best insurance for your business.

Step 8: Get Your Contracts in Order

Businesses need solid contracts to protect their assets and create good working relationships. Whether you hire employees or independent contractors, have a graphic designer create a logo or other design, hire a developer to help create the software you intend to sell, etc., you will need contracts. Hiring a distributor to help get your product on the market overseas? You need a good contract. Working with a supplier? You need a contract. Almost every business needs a website and you will need Terms and Conditions and a Privacy Policy.

Having agreements that are drafted with your business goals in mind can help you avoid costly litigation and difficulties in business relationships in the long run. A good attorney will help you draft contracts that are reasonable and protect both your business and your relationships.


Step 9: Get Your IP in order

Many companies do not realize that their intellectual property (IP) rights can often be their most valuable asset. Few startups have portfolios of real property or vast quantities of retail inventory and other physical assets. What startups usually have are ideas, and ideas are valuable if they are properly protected. If you have a well-established business, you might not be aware of the value of the IP you currently own. Having an audit performed by an IP attorney can help make you aware of the value you have, find holes in your protection, and create a plan for the future.

There are five main types of intellectual property rights:

  • Trade Secrets
  • Trademarks
  • Internet Domain Names
  • Copyrights
  • Patents

If you have questions about your IP inventory or how to monetize your IP assets, please reach out to us and have us help you realize your business’s potential.


Finding Help

There are a lot of things that business owners need to consider. These are some major issues we help people deal with so that they can focus on running and growing their business. This is our business and we love what we do. Please contact us if you have any questions or if you need a consultation. We want to help you succeed!


Streaming Music in your Business

If you walk in to a local book shop, the corner bar, the Apple Store, or Target you will likely hear some sort of music playing. Music can help set the tone for your location and enhance your brand while your customers are in your establishment. If you have a brick and mortar business, there are some serious legal considerations you need to be aware of when playing music for your customers.

There have been many instances in the news recently of businesses being sued for Copyright infringement for streaming music without the proper license. Joe’s on Weed St. in Chicago is just one example. It is much cheaper to purchase the right license than to pay settlement costs or court ordered damages and legal fees if you get sued for copyright infringement.

Copyright law protects the artists, publishers, and owners of music. Copyright gives rights holders the exclusive right to copy, reproduce, distribute and license their works. Streaming services like Spotify and Apple Music, and yes, even CDs and iTunes music you’ve “purchased,” are not available for public performance. That means that it is illegal to play this music in a commercial establishment.

Limited License For Music

Here’s how it works… When you pay for a subscription or buy an album on iTunes or a record at the store, you do not actually buy the music. Your payment provides you with a limited license to use the music for personal enjoyment. That means you can play it for yourself in your home or on your devices for your own personal use and with family and friends. If you want to be able to play music for the public, you need a Public Performance License (PPL).

Many small businesses think they can get away with playing Spotify for their customers but that is a potentially expensive mistake. Music licensing entities are very active in inspecting commercial establishments like shops, bars, and restaurants. Often you will get a letter demanding that you both cease playing the music and pay a fine or an estimate of the fee you should have paid for the PPL. If you do not comply they will have the option of filing a copyright infringement lawsuit against you in federal court. A copyright attorney can help you negotiate but this is something that is better to avoid in the long run.

Solution: Obtain a Public Performance License

What can you do? The best way to avoid problems, comply with the law, and help make sure artists, collaborators and producers get their fair compensation for their work is to obtain a Public Performance License (PPL). One option is to obtain PPLs for the music you want to play from licensing organizations. There are three major organizations in the United States that license music: Broadcast Music, Inc. (BMI), American Society of Composers, Authors, and Publishers (ASCAP) and Global Music Rights (GMR). These are performing rights organizations that the songwriters, composers and publishers join. They have the ability to grant PPLs. This is helpful because it streamlines the process of having to purchase a license from each individual rights holder.

If purchasing PPLs, research which music you want to play and which organization the rights holders belong to. Because of the collaboration in the music industry you most likely will need a license from all of the organizations. There are also monthly reporting requirements to comply with for these licenses. Another option is to subscribe through a third party licensor like Spotify’s Soundtrack Your Brand service or CloudCover Music. These companies pay for the PPLs and then sell sub-licenses for a fee. You will want to make sure you comply with the terms and conditions of these services.

Overall it will be worth it to save yourself time and money upfront by purchasing licenses for the music you’d like to share with your customers versus facing a copyright lawsuit for illegal streaming. If you have received a letter regarding copyright infringement or just have some questions, contact Revision Legal.

Data Localization and Export: 2 Steps to Take Now

Some of the more perplexing issues in our data-driven world are the questions of data localization and export – that is, where data should be stored and how it can be moved. Up until recently, data and computer-housed information has flowed cross-border without much hindrance. In general, companies store data wherever it is convenient to store the information and move it around at will. Those practices are coming under fire. For example, a new law in China requires personal data to be stored “domestically.” But what does that really mean in a world of cloud storage?

In another example, the US Supreme Court is set to decide whether a US-issued warrant can compel a US-based company to disclose data stored on servers located outside of the US. Moreover, the EU’s new General Data Protection Regulation (“GDPR”) also tries to tackle this complicated issue. These are complex issues and every business, both small and large, needs skilled and experienced internet law attorneys to help. Here is a quick primer.

Data Localization: Microsoft Case and Proposed New Laws

In the case of US v. Microsoft, the key issue is whether a US-issued warrant for information in a criminal case can be used to compel a US-based company, Microsoft, to provide copies of emails and other electronically-stored information housed on computers and servers located in Ireland. The underlying case concerns drug-trafficking. According to reports, Microsoft stores data on more than a million servers located in 40 countries. Given the constant flow of data and information, there is a legitimate question of where any given piece of data is located at any given moment. Is there truly a concept of “storage” or “stored”?

At the trial level in 2013, in response to the warrant, Microsoft tendered relevant emails that were stored on US-based servers, but sought to quash the warrant with respect to data stored on its Irish servers. Microsoft lost at the trial level, but the trial court was reversed by the Court of Appeals in Matter of Warrant Search Certain E-Mail, 829 F. 3d 197 (2nd Cir. 2016).

The Court of Appeals held that, when enacting the federal Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., Congress did not intend the SCA to have extraterritorial applications. To quote the Court: “Having thus determined that the Act focuses on user privacy, we have little trouble concluding that execution of the Warrant would constitute an unlawful extraterritorial application of the Act.”

If the standard is “Congressional intent,” then Microsoft may win the case before the Supreme Court. Indeed, at the recent oral argument of the case, Justice Sonia Sotomayor asked why the court should not wait for Congress to resolve the issue. A proposed law called the CLOUD Act has been introduced in the Senate by, among others, Sen. Orrin Hatch (R-Utah). The proposed law would require production of stored data in response to a valid warrant even if it is held outside the US. The proposed language amending the SCA is this:

“A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record or other information is located within or outside of the United States.”

The proposed CLOUD Act would also allow companies to challenge application of the warrant where disclosure would place the company in violation of a foreign nation’s laws. As can be seen, the issue of data localization and movement is complex.

Data Localization: China’s Cybersecurity Law

In related news and adding another layer of complication, compliance deadlines are now going into effect for China’s Cybersecurity Law (“CSL”). The CSL took effect on June 1, 2017; compliance with various parts of the CSL was deferred until various dates throughout 2018, and full compliance is required by December 31, 2018. With respect to cross-border data transfer and data storage, as reported here, Article 37 of the CSL states:

“Personal information and important data collected and generated by critical information infrastructure operators in the PRC [People’s Republic of China] must be stored domestically.”

The CSL states that where it is “truly necessary” due to “business requirements” that the data is provided outside of the mainland, companies must follow rules and procedures formulated by various Chinese State information and security assessment departments. Unfortunately, the rules and procedures for moving the stored data have not been promulgated. Obviously, companies in and companies doing business with China are concerned with how Chinese authorities will define “truly necessary” and “business requirements.” Compliance with the domestic storage of China-based data takes effect on December 31, 2018.

Data Localization: EU’s GDPR

As might be expected, the EU’s new GDPR does not have a provision related to localization of data storage. Given the number of member states, that would be untenable. Likewise, given the linkages of the EU economy to the larger global economy, there is no within-EU data storage requirement.

With respect to data movement, in general, movement is free as long as the receiving nation or the exporting-receiving companies have sufficient standards for protecting the private, personal, and financial data. Thus, Article 44 of GDPR prohibits transfer of personal data to non-EU recipients unless the receiving country has laws providing adequate levels of protection for data (Article 45) or the data exporting-data receiving companies have appropriate, proper, and sufficient safeguards to protect the data from compromise (Article 46).

Two General Steps to Take Now

As noted above, every business handles private data. To handle current and future issues with data localization and data movement, a couple of simple steps should be taken now.

  1. Audit and inventory the personal and consumer data. Identify where physically the data is stored.
  2. Audit and identify circumstances in which the various data is transferred cross-border.

With these two steps taken, your business can begin to determine whether storage and movement comply with the applicable law(s).

Internet Law Attorneys: Contact Revision Legal

If you need more information about data localization, cloud storage or data movement laws and requirements, contact the dedicated and experienced Internet law lawyers at Revision Legal, a new kind of law firm serving a data driven world. We can be reached by email or by calling us at 855-473-8474.



Internet Law: Is Facebook Violating The TCPA Via Text Message?

There are a few cases percolating through the federal courts accusing Facebook of illegal robocalling via its automated text messaging. One example is Brickman v. Facebook, Inc., No. 16 Civ. 00751 (N.D. Cal. Jan. 27, 2017), which argues Facebook is violating the Telephone Consumer Protection Act.

Mr. Brickman claims Facebook sent an automated text message prompting him that it was the birthday of a friend of his. The message came to his cellphone number and stated: “Today is Jim Stewart’s birthday. Reply to post a wish on his Timeline or reply with 1 to post ‘Happy Birthday!’” While Brickman had given his phone number to Facebook (he was required to give his phone number), Brickman set his personal settings to “no text messages” from Facebook. Brickman sued Facebook alleging violation of the federal Telephone Consumer Protection Act (“TCPA”), which prohibits robocalling via use of automated dialing machines.

What is the Telephone Consumer Protection Act?

The Telephone Consumer Protection Act (TCPA) became law in 1991; now codified at 47 U.S.C. § 227. Essentially, the TCPA bans robocalling and gives the Federal Communications Commission (FCC) regulatory authority to create regulations. The TCPA prohibits companies or individuals from “mak[ing] any call (other than a call made … with the prior express consent of the called party) using any automatic telephone dialing system or an artificial or prerecorded voice …” The penalties are the greater of actual monetary loss or $500 per violation with treble damages where a violation is deemed willful or knowing.

TCPA Legal Principles: What is an Automated Call?

The TCPA came onto the scene just as cellphones and the internet enjoyed wider adoption. As such, key terms such as “automated” and “call” needed legal definitions. Generally, courts have taken the “if it walks like a duck…” approach to defining both terms. The case of King v. Time Warner Cable, 113 F. Supp. 3d 718 (S.D.N.Y. 2015) provides a good example. In that case, the plaintiff sued Time Warner, a national cable service provider, for making 163 automated calls to her cellular phone without her consent. Time Warner used an “interactive voice response” calling system. The system automatically dials the number associated with accounts more than 30 days past-due in the billing cycle. If the customer answers the call, the system plays a recorded message. If the call goes to voicemail, the recorded message plays and the system can call up to two additional times per day.

Time Warner argued that its system did not meet the definition of an automated dialing machine under the TCPA since the numbers called were not “randomly generated.” The court, however, rejected that argument by stating “The method is fully automated from start to finish” and noting that there was no human involvement at any stage of the customer selection, list compilation, or dialing processes. As for the random generation argument, the court found that the law does not require telephone numbers to be randomly generated or chosen, only that the system have “the capacity … to store or produce telephone numbers to be called.” And by that definition, Time Warner’s system met the standard of violating the Telephone Consumer Protection Act.

TCPA Legal Principles: Obtaining Consent

The final argument made by Time Warner was that the plaintiff had consented to the calls. To obtain service, Time Warner requires that all customers agree to its Terms of Service Agreement. Among the provisions is this one concerning consent:

“We may call any number you provide to us (or that we issue to you) for any purpose, including marketing of our Services…. However, if you ask to have your number placed on our “do not call” list, we will not call you at that number for marketing purposes…. We may use automated dialing systems or artificial or recorded voices to call you.”

This argument swayed the court and this consent provision was sufficient to absolve Time Warner of liability for robo-calling, but only up to the point where the plaintiff revoked her consent and told Time Warner to stop calling her. The evidence showed that the plaintiff revoked her consent at the 30th call; the court held Time Warner liable for the remaining 153 calls. The court noted that consumers have the right to revoke their consent to receive robocalls. Time Warner could have continued to call the plaintiff about the past-due bill, but had to do so manually. The court assessed treble damages against Time Warner.

Are Text Messages Like Calls?

With respect to Mr. Brickman’s case against Facebook, the question then becomes: Are text messages “calls” for purposes of the TCPA? The answer is yes. See Van Patten v. Vertical Fitness Group, LLC, 847 F. 3d 1037 (9th Circuit 2017). In that case, the plaintiff sued for robo-text messages, or “wireless spam” as he called it, from his fitness club. The plaintiff’s case was dismissed because he had consented to the text messages and had not revoked his consent.

However, before dismissing Mr. Van Patten’s claim, the court confirmed that text messages are “calls” for purposes of the TCPA. The court noted that TCPA does not contain a definition of a “call,” but that the FCC passed regulations in 2003 interpreting the TCPA to encompass text messages. Several courts have deemed that interpretation “reasonable,” and the 9th Circuit panel agreed.

How Will Brickman v. Facebook Turn Out?

Based on the foregoing caselaw, it looks like Facebook might be violating the TCPA with its Birthday text messages. But Facebook has marshalled a novel argument: The TCPA violates the First Amendment to the US Constitution. The TCPA has two exceptions where robo-calling without consent is allowed – emergency communications and certain messages from debt collectors. As such, Facebook argues that the TCPA requires a review of speech and/or communication — content — to determine if a violation has occurred. Because a review of the content of the messages is necessary, the TCPA violates the First Amendment. The Brickman court denied Facebook’s argument. The court held that the TCPA withstands strict scrutiny. A similar result was reached in Mejia v. Time Warner Cable, Inc., Nos. 15-CV-6445 (JPO), 15-CV-6518 (JPO) (S.D. New York August 1, 2017). The cases are on appeal.

Internet Attorneys: Contact Revision Legal Today

If you need more information on the Telephone Consumer Protection Act, contact Revision Legal. Internet law is at the core of Revision Legal’s practice. We are attorneys who know the business of internet law and have the skills and dedication to help your business succeed. We can be reached by email or by calling us at 855-473-8474.


Intellectual Property: 3 Tips For Architects

As an architect your designs combine creativity, technical skill, experience and your unique style. You provide your clients with a customized experience and your work product is one-of-a-kind. Whether you focus on residential or commercial, custom design or license plans in bulk, your work and your business need to be protected. Below are three intellectual property tips that will help you keep your business safe from those who might attempt to profit from your ideas and creativity.


Tip 1: Register your Copyrights

One of the most important things you can do to protect your intellectual property is to register your designs as architectural works with the US copyright office. Registering a copyright is a relatively easy and affordable way to not only protect your design but also put yourself in the best possible position for the future if someone does try to use your designs without your permission. US Copyright law protects the owners of copyright registrations by providing for increased damages awards and more options if your work is registered before someone copies it.

Tip 2: Draft Strong Licensing Agreements

You might have a great contract your clients sign when they engage your design services. You are clear about your fees and payment requirements as well as what the client should expect in the work product. But do you have a tight copyright license section? Have you had an IP attorney review your licensing agreements for you? Do you sell your designs online or in a publication? Making sure that your designs are being licensed to your clients not only protects your IP, it protects your clients and your reputation.

Tip 3: Think About Your Trademark

The name you use in business is your trademark. Your logo says a lot about your style and approach. These are essential to creating a strong business and brand. It is likely that your clients and potential clients recognize your style by your trademark. Your drawings likely have your name and logo on them. This is how you indicate to the public where your designs come from and the quality of product they are purchasing. Protecting your name and logo with a trademark registration is an essential part of helping your business thrive.

Read 10 Reasons Why You Should Register Your Trademark

Contact an Intellectual Property Attorney

If you have questions about the state of your IP or for a consultation with an IP attorney, feel free to Contact Us today. We’d love to help protect your work and business.

Naming your Business, Naming your Baby

As a trademark attorney I often try to come up with good ways to explain the intricacies of the law to my clients. Whenever I work with a new trademark client we discuss ideas for naming their business and potential problems they might have in using a trademark and obtaining a registration. There are lots of things to consider when naming your business including the marketing, design, style, and legal aspects.

Read about 10 more reasons to trademark your name

Also, I am currently expecting my first baby. As my husband and I consider different name options for the baby, we have had to look at each possible name from many different angles. Does it flow with our last name? Is there any significant meaning in the name? Do we both like it? How about the middle name? Should we consider family names? How does it sound in Spanish (my husband is from Honduras)? Our considerations go on and on. Every day it seems like there is another thing to consider.

Picking a business name is a lot like picking a baby name. There are many different perspectives from which you have to evaluate the name. Business owners have to consider the marketing and design elements, their own personal feelings about the name and what they want to portray to consumers. Also, business owners have to consider whether their name is available for use and registration. Just as you wouldn’t use your best friend’s baby name for your baby, you can’t use someone else’s trademark for your business.

Unlike naming your baby, naming your business without first clearing the name through a trademark attorney could result in serious legal, financial and business consequences. US Trademark law protects the rights of those who first use a trademark in commerce and obtain a trademark registration. A trademark lawyer can provide you with a clearance search, advice about trademarks, and help you file an application for trademark registration with the USPTO. We often help clients that have tried registering their mark with an online automated system.

Too often, clients come to us with trademark applications filed through automated services like trademarkengine.com or similar services. The price for such services looks too good to be true because it is. A trademark attorney with years of experience dealing with the Trademark Office can help you identify problems that you did not know existed. In most cases, it is important to identify these issues as soon as possible. Being forced to change your business name after a year in business is often a death sentence to a young company.

Read About The Trademark Registration Process

Unfortunately, we can’t help you name your baby but if you have any questions or want to schedule a consultation with a trademark attorney please Contact Us.


The High Cost of Data Breaches: Six Examples From 2017

Whether you are a small startup or a big company with a long and storied history, a data breach can be a legal and financial nightmare. There were over 850 cyberattacks and data breaches in 2017 alone, with the number and severity of data breaches rising every year. The cost of data breaches is rising, too. How much will a data breach cost? A lot. Here is what six companies paid in 2017 as a consequence of data breaches.

1. Hilton Hotels — $700,000 in Fines

Hilton Worldwide was subject to a data hack in 2014 and another one in the summer of 2015. The data breaches affected more than 363,000 customers. The stolen data included names, addresses, credit card numbers, and other personal information. The company was charged by the attorneys general of New York and Vermont for failing to have reasonable data security and for failing to quickly tell consumers about the data breaches. This is because Hilton waited nearly 10 months after learning of the first breach and then three months after learning of the second before telling customers in November 2015. In 2017, Hilton Worldwide paid $700,000 to settle with state regulators. See here.

2. Nationwide Insurance — $5,500,000 in Fines

In 2012, the computer systems and networks of Nationwide Insurance Co. were breached by hackers. Personal information for nearly 1.3 million consumers was exposed, including names, addresses, social security numbers, drivers’ license numbers, credit scores, and other personal and financial information. All of this information had been collected by Nationwide as part of its process of providing insurance quotes to customers seeking insurance coverage. Legal actions were brought by 33 states accusing Nationwide and an affiliate company of failing to apply a critical security patch intended to stop potential hackers. As the news article reports, the New York Attorney General argued that “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” In August 2017, Nationwide agreed to pay $5.5 million in settlement.

3. CardioNet — $2,500,000 for Compromised Data on Stolen Laptop

In 2012, CardioNet, a wireless heart monitoring service provider, had a laptop stolen from a parked vehicle. The theft resulted in the compromise of health and privacy data with respect to 1,391 patients. Government regulatory action came from a subdivision of the Department of Health and Human Services (“HHS”). Aside from security issues with respect to the vehicle, the laptop itself did not have sufficient security to protect the data stored thereon. According to the news report, HHS charged that the company had “insufficient risk analysis and risk management processes in place at the time of the theft” and that the company had not implemented the proper policies and procedures to meet the HIPAA Security Rule. Despite the small number of customers impacted, CardioNet settled the proceedings in May 2017 for $2.5 million.

4. Home Depot — Another $27,250,000 and Then More

In September 2014, Home Depot announced that it had suffered a massive data breach. An estimated 56 million customers’ personal and financial data was stolen, including credit card information. This data was sold on the dark web to thieves and resulted in a “massive number” of fraudulent transactions on the customers’ credit and debit cards.

Home Depot was accused of lax cybersecurity and using an outdated malware detection system — seven years out of date according to the allegations — on Home Depot self-checkout kiosks at stores in dozens of locations across the United States. Home Depot was also accused of knowing about the problem in July 2014, several months before notifying authorities and customers of the breach. See report here.

Home Depot’s first settlement was in 2016. The company agreed to pay $19.5 million to settle open customer class actions. Then in March 2017, Home Depot agreed to pay another $27.25 million to settle with the banks.

Finally, in August, Home Depot was ordered to pay $15.3 million in legal fees to the banks’ attorneys. See here. The total fines paid by Home Depot exceeded $85 million without taking into account legal fees and litigation costs.

5. Target Stores — Another $18,500,000 in Fines

In November 2013, Target, one of the nation’s largest retailers, had their computer network breached by hackers that used access codes and credentials stolen from one of Target’s third-party vendors. The hackers accessed a customer-service database and installed malware that captured consumers’ personal data. See report here.

The data breach affected more than 60 million Target customers. The data stolen included names, telephone numbers, email and mailing addresses, credit card numbers with the attendant expiration dates, and encrypted debit card personal identification numbers.

In May of 2017, Target agreed to pay $18.5 million to settle regulatory actions and claims made by 47 states and the District of Columbia. The $18.5 million was on top of millions paid in 2015 and 2016 to settle class action suits filed by customers and financial institutions.

6. Anthem Inc — $115 Million to Settle Class Actions

In 2015, Anthem Inc, the largest U.S. health insurance company, was hacked and the personal information with respect to 79 million customers was stolen. The information included names, birthdays, social security numbers, addresses, email addresses, and employment and income information.

In June 2017, Anthem agreed to settle the lawsuits for $115 million, which is the largest settlement ever for a data breach. More than 100 lawsuits — many of them class action suits — were filed after the data breach. Anthem claimed that it was not negligent with customer information and that no customers were injured. In other words, it was a much different situation than the breaches at Home Depot and Target. According to reports, the $115 million is to be paid out to the customers as either two years’ worth of credit monitoring or a $50.00 cash settlement per class member.

The Cost of Data Breaches: More Than Just Fines and Settlements

In the cases discussed above, note the time lags between the breach and settlement – three to five years. The costs identified are just for the settlements. For the companies involved, the “costs” of these data breaches include three to five years of legal fees, expenses and filing costs in defending against the regulators. As an example, with respect to Target, the New York Times reported that, through March 2017, Target spent more than $202 million on settlements, legal fees, and other costs following the November 2013 breach.

Contact Revision Legal Today

If you need more information on the cost of data breaches and on preventing data breaches, contact Revision Legal. We are experienced data breach attorneys with the skills and dedication to help if you have suffered a data breach or if you need assistance in enhancing your cybersecurity. We can be reached by email or by calling us at 855-473-8474.


SEC Guidance on Cybersecurity: Data Breaches Are Likely Material

The Securities and Exchange Commission (“SEC”) just issued, on February 21, 2018, a new Guidance with respect to cybersecurity disclosures for publicly-held corporations. The quick takeaway is that data breaches and data breach risks are likely to be “material” for purposes of disclosure, data security should be deemed a “board level” concern, and knowledge of cybersecurity risks and events is legally relevant to issues with respect to insider trading.

Disclose Data Breaches and Cybersecurity Risks

The SEC issued a cybersecurity Guidance in 2011. This new 2018 Guidance is an update. Of note, the new Guidance was issued at the full Commission level; the 2011 Guidance was a staff-level Guidance. While any Guidance must be taken seriously, the fact that the full five-member SEC Commission reviewed and voted to approve the Guidance suggests a new level of importance to the SEC’s cybersecurity Guidance. The first sentence in the Guidance is: “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.”

Under both the 2011 Guidance and the 2018 Guidance, cybersecurity risks and incidents may need to be disclosed in various annual and quarterly reports required pursuant to various federal Securities Acts. Indeed, the SEC highlighted specific sections of the reports where disclosure of cyberattacks, breaches and cybersecurity risks might be required, including sections on:

  • Risk factors
  • MD&A
  • Description of business
  • Legal proceedings
  • Financial statement disclosures

The new Guidance is quite specific in places. Thus, with respect to risk factors, the new Guidance references “Item 503(c) of Regulation S-K and Item 3.D of Form 20-F.” Both of these require disclosure of significant factors that make an investment in the company’s securities risky or speculative. Essentially, the 2018 Guidance puts cybersecurity and data breach/hacking events on the level of other information that must be disclosed if the information impacts evaluation of an investor’s risk. Data breaches and cybersecurity issues might have these impacts on investment risk:

  • Cessation or interference with the company operations
  • Direct impacts on company liquidity or financial condition
  • Loss of trade secrets and/or other valuable intellectual property
  • Cost of ongoing cybersecurity efforts — including maintaining state-of-the-art preventative measures
  • Insurance costs
  • Costs with respect to responding to litigation and regulatory investigations
  • Harm to reputation — relevant to profit/loss and to stock price
  • Loss of competitive advantage

The 2018 Guidance does not create or require any compulsory disclosure. Rather, the Guidance highlights that data breaches, hacks and other cybersecurity events and general cybersecurity risks might be “material” for disclosure purposes. As the SEC Guidance states:

“… it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The 2018 Guidance provides factors that should be weighed when considering the issue of “materiality”:

While emphasizing the need for disclosure, the new Guidance also recognizes the necessary balance between disclosing information about events and risks and not compromising a company’s efforts to prevent and combat cyberattacks.

The new Guidance also highlights the importance of “timely” disclosures, which is also a component of the insider trading portion of the Guidance. With respect to disclosure, the 2018 Guidance makes it clear that the TIMING of disclosure might be as important, for “materiality”, as the disclosure itself. Again, the SEC recognizes the necessary balance between “timely” and “immediate.” Various factors such as cooperation with law enforcement may prevent “immediate” disclosure. Thus, while a “timely” disclosure is needed, what is “timely” will depend on the circumstances.

Board’s Role in Risk Oversight

Another important aspect of the 2018 Guidance is the emphasis on the obligation of the Board of Directors to discuss, review, and approve cybersecurity issues and measures. The SEC highlights the fact that a member of the board has a general obligation to evaluate various risks when making decisions and policies for the company. In other words, “risk oversight” is part of a director’s “business judgment” that a director must exercise. The new Guidance elevates cybersecurity and data breach risks to the “board level.” The new Guidance also discusses the need to create proper reporting channels to move cybersecurity risks and events up the chain of command to upper management and to the board.

In addition, members of the board are directed by the new Guidance to avoid insider trading.

Insider Trading

Insider trading is a new topic for the 2018 Guidance. As noted above, because there is often a necessary time lag between a cybersecurity event and public disclosure, legal issues with respect to insider trading are implicated. Moreover, there is also a time lag between a cybersecurity event and when an evaluation is made with respect to severity, what data was compromised, and potential cost/profit impacts of the breach or hack.

The 2018 Guidance states that, during those time lags, those within the company with knowledge of a data breach or other attack, or of the impact of such an event, should not buy or sell stock in the company. The Guidance states:

“… directors, officers, and other corporate insiders must not trade a public company’s securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company.”

Note that the Guidance can be used as evidence in shareholder derivative actions and securities fraud cases. The Guidance recommends that, if not already otherwise in place, the following steps should be implemented:

  • Establish/create general policies and procedures to prohibit and otherwise guard against officers, directors, and other company employees taking advantage of the aforementioned “time lags” with respect to buying and selling the company’s securities
  • Establish policies and procedures for timely disclosure of data breach/hack information
  • Establish policies specifically to prohibit and prevent insider trading in the days before public disclosure
  • Establish policies that prevent the appearance of improper trading — the appearance often being just as damaging to a company’s reputation as the actuality of insider trading

Contact Revision Legal Today

For more information, contact the skilled and experienced data breach attorneys at Revision Legal. We have the dedication to help if you need advice on security, if your business has suffered a data breach, or if you need assistance in enhancing your cybersecurity. Internet law is our main practice focus and we have the skill set to help your business with data breach mitigation and response. Contact us via email or call us at 855-473-8474.


What is Convention/Contracts for the International Sale of Goods (“CISG”)?

Most businesses are familiar with basic US business contracts and with the Uniform Commercial Code (“UCC”). Unless your business involves a significant component of international transactions, you may not be familiar with the Convention/Contracts for the International Sale of Goods (“CISG”). CISG law and CISG forms govern international sales of commercial goods, but not services, including all transactions between the US, Mexico, and Canada under the North American Free Trade Agreement (“NAFTA”). Here is a quick rundown.

What is the Convention/Contracts for the International Sale of Goods?

The Convention/Contracts for the International Sale of Goods is an international treaty signed in 1980 in Vienna which came into effect in 1988. Currently, 89 nation states are signatories to the CISG including, as noted, the United States, Mexico, and Canada. The significant non-signees are the United Kingdom, India, Hong Kong, Taiwan, many nations in the Middle East, South Africa, and many other African nations.

For signatory nations, the CISG governs contracts for the sale of commercial goods between parties whose places of business are in different nations. The CISG can also be specified by contracting parties as the choice of law. Thus, CISG rules can govern international contracts even if one or both parties are from non-signatory nations. Of course, parties can opt out via contractual provisions. As noted, CISG does not apply to services and does not apply to most personal, family or household goods. Thus, CISG provisions generally do not apply to consumer goods bought on the internet and shipped business-to-consumer from overseas (but CISG protocols might apply if products are shipped in quantity business-to-business). There are various other exclusions including ships and aircraft.

History of the Convention/Contracts for the International Sale of Goods

CISG was developed by the United Nations. See UN Information page here. Like the Uniform Commercial Code (“UCC”), CISG is a set of uniform rules with respect to international commercial transactions. Like the UCC, CISG applies to the sale and purchase of goods and, unless excluded by the express terms of a contract, CISG law is presumed to be incorporated into the contract. Like the UCC, CISG is intended to supplement the domestic commercial codes of the two countries involved providing “default” provisions where the commercial contract is silent as to some circumstance.

Important Differences Between the UCC and CISG

There are significant and important differences with dealing with international trade under CISG versus domestic transactions under the UCC.

First, under the UCC all contracts must be in writing and, if a dispute arises, courts will not accept parol evidence unless there is ambiguity in the contract (or some other exception to the admissibility of parol evidence applies). By contrast, under the convention on the international sale of goods, oral contracts are allowed and parol evidence is readily admitted for purposes of defining the contract and the intent of the contracting parties.

Second, with respect to the “battle of the forms,” the UCC uses a “knockout” protocol and the CISG uses a “last form sent” protocol. Under the UCC, if buyers and sellers are using their own different forms — maybe per their local business practices in various parts of the US — the UCC favors contract formation even though there are differences between the forms. If performance starts, then the contract is considered “formed.” Where the buyer’s and seller’s forms are different, those parts of the forms are considered “knocked out” and unenforceable.

Likewise, the CISG regime favors contract formation even if the seller and buyer are using different forms (although the differing forms must have substantial similarity). However, unlike the UCC “knockout” protocol, the CISG honors the “last-form-sent” protocol. A form that is sent in response to a first contract form is considered a counter-offer. If performance commences, then under CISG the contract being performed is the counter-offer (the “last-form-sent”). This can be extremely important for many reasons. For example, the CISG does not provide a statute of limitations; thus, any limitation period is supplied by the laws of the signatory nations of the contracting parties. Which nation’s laws apply may depend on which form is deemed to be the “contract.”

However, as with most contract drafting, the best practice is to insert clear provisions in the contract itself. Something like this provision, as quoted in Basic Engineering, Inc. v. Commissioner of Internal Revenue, Docket No. 27691-13 (US Tax Court, 2017):

“This Agreement shall be governed by, and construed in accordance with, the laws of the Republic of Austria including the UN Convention on Contracts for the International Sale of Goods of 1980 (CISG). The Parties’ rights and obligations with respect to title to and security interests in the Equipment shall be governed by the law of the jurisdiction in which such Equipment is located.”

Third, under the UCC, industry standards/usage cannot be used to modify contracts whereas such CAN be used to modify or supply missing terms under the CISG.

Fourth, under the UCC, commercial contracts CAN be modified via conduct and course-of-dealing. However, under CISG, contracts cannot be modified by course-of-dealing. This may sound odd, but remember that CISG rules allow evidence of oral modifications and also use of industry standards/usage. As such, if the parties’ course of dealing has changed, the parties can rely on direct evidence of such changes based on what the parties said.

A US Case Example

For a case showing a representative example of how US courts apply and interpret the Convention/Contracts for the International Sale of Goods, see Chicago Prime Packers, Inc. v. Northam Food Trading Co., 408 F.3d 894 (7th Cir. 2005). In that case, the plaintiff — a Colorado corporation doing business in Chicago — sold 40,500 pounds of pork back ribs to Defendant Northam — an Ontario, Canada corporation. According to Northam, however, the ribs were spoiled upon arrival. Northam refused to pay for the ribs and Chicago Prime filed suit in the federal district court for the northern district of Illinois. All parties and the court agreed that the provisions of the CISG applied. At trial, the district court ruled in favor of the plaintiff because Northam did not prove that the pork ribs were spoiled.

On appeal, Northam argued that the burden should not have been placed on it — the buyer — to prove non-conforming goods. The Seventh Circuit affirmed. The court began from the principle that CISG did not state who — the buyer or the seller — had the burden of proving that the goods delivered were non-conforming. That being the case, the court compared the CISG to the UCC. The court stated:

“The CISG is the international analogue to Article 2 of the Uniform Commercial Code (“UCC”). Many provisions of the UCC and the CISG are the same or similar, and “[c]aselaw interpreting analogous provisions of Article 2 of the [UCC], may … inform a court where the language of the relevant CISG provision tracks that of the UCC.”” (citations omitted)

The court then went on to show that, under the UCC, the buyer bears the burden of proving nonconformity. UCC § 2-314 provides that goods are warranted to be “fit for the ordinary purpose for which such goods are used” unless the contract states otherwise. Article 35(2) of the CISG provides that “goods do not conform with the contract unless they … [a]re fit for the purposes for which goods of the same description would ordinarily be used” unless the contract states otherwise.

The court then reasoned that, since the CISG is similar, a similar result should apply in terms of how one bears the burden on the question of nonconformity. As such, the Seventh Circuit affirmed that the district court was correct to conclude that Northam bears the burden of proving that the ribs were spoiled at the time of transfer.

International Business Law: Contact Revision Legal

Every business engaged in international trade needs experienced business attorneys familiar with international law and business forms. For further information, contact the professionals at Revision Legal. We can be reached by email or by calling us at 855-473-8474. We look forward to helping your international business succeed.
