A Lesson In How NOT To Respond To A Data Breach & The Consequences

In January of this year, the California Attorney General obtained a $150,000 settlement, plus ongoing notification obligations, from a CA company that learned that one of its computers had been sold at a thrift shop.

The ongoing obligations include a duty to: 1) notify employees as information becomes available, 2) train employees on additional methods to protect sensitive information, and 3) review and improve its policies regarding protecting sensitive information.

The CA AG’s enforcement action alleged that the company learned of the lost hard drive on September 24, 2011 and regained the drive on December 21, 2011. Within a week, forensic analysis determined that employee personal information was contained on the drive. However, the company did not notify some 20,000 current and former employees affected by the disclosure until mid-March 2012, almost four (4) months later.

So, what is a reasonable time period to respond to a security breach and how fast does a company have to notify consumers or employees that a data breach has occurred?

Unfortunately, there is no “bright line” rule. Most state breach notification laws and, for that matter, many Data/IT/Cloud contracts require notification within a reasonable time frame, or “without delay,” subject to some qualifications. Although a couple of states require notification to occur no later than 45 days after discovery, there is generally no bright-line, objective answer.

California’s law requires that: “The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement . . . or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.”

The key takeaway is that waiting several months after a forensic investigation to disclose the occurrence of a data breach to those affected is probably too long. Companies facing a data breach can and should take into account the legitimate needs of law enforcement and the requirements of forensic investigation. Within those parameters, a company is well-advised to begin the notification process even if it must reserve for itself the ability to conduct additional investigation and provide supplemental notification.

NOTE: This is not legal advice. Every situation is unique and if you or your company is dealing with a data breach or its consequences you should engage a qualified attorney.

Please feel free to tweet, like, and share this article. You can contact me at (866) 734-2568 for a no-fee consultation.

Drafting Contract Termination Clauses – Termination for Breach by Non-Breaching Party

One of the key issues that must be examined when negotiating or drafting any contract is how the parties may get out of, or “terminate,” that contract. While many attorneys will rest on standard “termination for breach with notice and cure” language, the recent case of Powertech Tech. v. Tessera, Inc. demonstrates how artful drafting can put limitations on a party’s right to terminate. The Opinion in U.S. District Court for the Northern District of California case No. C 11-6121 can be found here.

Powertech and Tessera were parties to a patent license agreement, although the court’s reasoning does not seem limited to only those types of agreements. The license agreement allowed Powertech to use Tessera’s patents in exchange for payment of license fees.

The contract contained the following clause regarding termination for breach:

“Termination for Breach. Either party may terminate this Agreement due to the other party’s breach of this Agreement, such as failure to perform its duties, obligations, or responsibilities herein (including, without limitation, failure to pay royalties and provide reports as set forth herein). The parties agree that such breach will cause substantial damages to the party not in breach. Therefore, the parties agree to work together to mitigate the effect of any such breach; however, the non-breaching party may terminate this Agreement if such breach is not cured or sufficiently mitigated (to the non-breaching party’s satisfaction) within sixty (60) days of notice thereof.”

The court held that Powertech was not permitted to terminate a license agreement with Tessera for Tessera’s breach because Powertech itself was in breach of the agreement by its failure to pay royalties to Tessera.

The court acknowledged Powertech’s argument that Tessera was itself in breach, but that alone did not give Powertech the right to terminate the contract. Only a “non-breaching” party may terminate the agreement. Said the court: “[a]lthough the first sentence of the termination clause is broad – ‘Either party may terminate this Agreement due to the other party’s breach’ – the language of the clause as a whole makes clear that only a non-breaching party may terminate.” Reading the clause as a whole, the court concluded that “[t]he termination clause refers to a ‘breaching party’ and a ‘non-breaching party’ in every sentence after the first… [therefore]…the clause requires the party seeking to terminate for the other party’s purported breach to be substantially in compliance with its own obligations first.”

The Powertech agreement’s termination clause is useful because it put conditions on a party’s ability to terminate the agreement even when the other party was in breach.

On free speech and blogging: The First Amendment applies to everyone, not just journalists

Digital media continues to befuddle courts and push traditional legal boundaries.

Mathew Ingram, Gigaom

When Montana blogger Crystal Cox lost her defamation case in 2011, the decision was greeted by a chorus of cheers from journalists, who were quick to argue that Cox wasn’t a journalist in any real sense of the word, and therefore didn’t deserve any protection from the First Amendment. An appeals court for the Ninth Circuit has disagreed, however: on Friday, a panel of judges overturned the original decision and said that Cox was in fact entitled to protection.

The implications of this ruling go beyond just a single defamation case. It’s another link in a chain of decisions that are gradually helping to extend the principle of free-speech protection beyond professional journalism to anyone who is publishing information with public value — and as such, it helps shift the focus away from trying to define who is a journalist and puts it where it should be: on protecting…


Owner of 9/11 Photograph sues Palin & PAC For Copyright Infringement

English: This is an alternate crop of an image already uploaded. See http://commons.wikimedia.org/wiki/Image:Gov._Sarah_Palin_in_Dover,_NH.jpg (Photo credit: Wikipedia)

I’m always surprised when I see that a politician is being sued for copyright infringement. It actually happens more than I thought it would. Senator John McCain has been accused of using a song without permission at least five times. No, Senator, there is no Fair Use of someone else’s copyrighted work just because you are using it in connection with political speech (if one could even go so far as to make that argument).

Ownership of copyright is still a mystery to Sarah Palin as well. On September 13, 2013, news broke that Sarah Palin and her political action committee SarahPAC are being sued by North Jersey Media Group Inc., publisher of The Record and Herald News. The lawsuit claims copyright infringement from use of an iconic photo of firefighters raising the U.S. flag at the World Trade Center following the Sept. 11 attacks.

The lawsuit, North Jersey Media Group Inc. v. SarahPAC, 13-cv-06494, U.S. District Court, Southern District of New York (Manhattan), claims the image was posted on Palin’s Facebook page and her political action committee page, http://www.sarahpac.com.

The photo, depicting three firefighters blackened by soot as they raise the flag while standing at ground zero, was taken by Record photographer Thomas E. Franklin. The U.S. Postal Service later used the image on a stamp called “Heroes,” released in 2002.

Does your business use images for sales, marketing and promotional purposes? Contact me for a free consultation on how to identify, protect and commercialize your creative works or properly use the creative works of others. I can be reached at (866) 734-2568 or http://www.lsglegal.com & http://www.ecommerceattorney.com.

Please Tweet, Like, Share & Follow!

Latest Illinois Case on Restrictive Covenants Increases Uncertainty, Burden For Employers

English: A customer signing the at A Stone’s Throw Jewelers in . (Photo credit: Wikipedia)

Fifield v. Premier Dealer Services, Inc.

BACKGROUND

The plaintiff in this declaratory judgment action had been employed by a subsidiary of an insurance company that marketed finance and insurance products to the automotive industry. After a sale of that business, plaintiff’s employment was terminated, but he was offered employment conditioned upon his acceptance of an “Employee Confidentiality and Inventions Agreement” (the agreement) which included non-solicitation and non-compete provisions. The agreement states in pertinent part:

“Employee agrees that for a period of two (2) years from the date Employee’s employment terminates for any reason, Employee will not, directly or indirectly, within any of the 50 states of the United States, for the purposes of providing products or services in competition with the Company (i) solicit any customers, dealers, agents, reinsurers, PARCs, and/or producers to cease their relationship with the Company *** or (ii) interfere with or damage any relationship between the Company and customers, dealers, agents, reinsurers , PARCs, and/or producers *** or (iii) *** accept business of any former customers, dealers, agents, reinsurers, PARCs, and/or producers with whom the Company had a business relationship within the previous twelve (12) months prior to Employee’s termination.”

Plaintiff successfully negotiated with Premier a provision that the restrictive covenants would NOT apply if he was terminated without cause during the first year of his employment (the first-year provision). Three months later, plaintiff resigned, began working for a competitor and sued to have the restrictive covenants held unenforceable, stating that he had no access to confidential and proprietary information. The trial court held that the restrictive covenants were unenforceable for lack of “consideration” – a legal term of art that generally means a bargained-for exchange of value. The appeals court affirmed.

ANALYSIS

Defendant argued that the non-solicitation and non-compete provisions were enforceable because the offer of employment was adequate consideration, there was a mutual exchange of promises (employment in exchange for restrictions), and the covenants were pre-employment, not post- employment. Defendant further argued that “the purpose of Illinois law regarding restrictive covenants is to protect against the illusory benefit of at-will employment” which was “nullified by the inclusion of the first-year [non-enforcement] provision in the agreement.”

Plaintiff countered with the argument that the provisions in the agreement are unenforceable because Illinois law requires employment to continue for a substantial period of time and that “Illinois courts have repeatedly held that two years of continued employment is adequate consideration to support a restrictive covenant…regardless of whether an employee is terminated or decides to resign on his own.”

The appellate court agreed with plaintiff citing Brown & Brown, Inc. v. Mudron, 379 Ill. App. 3d 724, 728 (2008) which held that the promise of continued employment in the context of post-employment restrictive covenants may be an illusory benefit where the employment is at-will. “Illinois courts have held that continued employment for two years or more constitutes adequate consideration. Id. at 728-29.”

TAKE AWAYS

The Fifield decision has already generated a great deal of discussion from corporate board rooms to legal blogs. Unfortunately for businesses and their lawyers, the case leaves many unanswered questions.

For example, the court does not discuss whether the outcome would have been different if the employee were a high-level executive with immediate access to a wide range of highly sensitive confidential and proprietary information. At best, the court simply mentions the plaintiff’s allegations that he had no access to such information.

Another area of uncertainty impacts start-up and early stage businesses. Very young businesses are often highly dynamic, and early employees have access to a broad swath of the company’s intangible assets such as business and revenue models, marketing plans, computer software and hardware, and prospective customers, regardless of whether they serve a customer service function or a “C-suite” executive function. The requirement that an employee have two years of continued employment before a restrictive covenant becomes enforceable ignores the very real dynamic of start-up companies.

Lastly, an important question that went unanswered is whether the employer can offer some other “consideration” besides two years continued employment. For example, is there a pure monetary consideration that would support enforcement of the covenant? What if the covenant only lasted as long as the period of the departing employee’s employment?

NEXT STEPS

If you have restrictive covenants in your agreements with employees, it is strongly recommended that you meet with your lawyer to discuss the impact of this case on these agreements and your business. At the very least, you should carefully review your non-compete and non-solicitation agreements to see if they are supported by adequate consideration. If you have questions or concerns, or just don’t know how to begin, feel free to contact the lawyers at Leavens, Strand, Glover & Adler for a free, in-person or over-the-phone consultation. You can also email the author here: dadler@lsglegal.com.

#Mobile #Privacy Continues to Challenge Marketers, Developers & Lawmakers

The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.

Businesses operating in the mobile industry are facing a widening array of regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to stay competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.

FTC Privacy Enforcement Actions

Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.

Congressional Privacy Laws, Bills & Initiatives

Not surprisingly, federal legislators are taking up the mantle of consumer privacy in the area of mobile applications. In January 2013, U.S. Rep. Hank Johnson introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act.” The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.

The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.

App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about which key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake, contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways in which a mobile app handles data, or a lack of meaningful consent from end users before that processing takes place, can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.

Learn more about David M. Adler here.

#Bank Information #Security: The Evolving Threat From Insiders

VIDEO: The Evolving Insider Threat – Dawn Cappelli, Randy Trzeciak of CMU’s Insider Threat Center

This video from RSA Conference 2013 discusses:

  • Who typically commits insider crimes – and how;
  • How employees are being victimized from outside;
  • Why our critical infrastructure is at heightened risk.

Even if you are an employer using standard commercial verification measures, you should be cautious about misuse of any information by employees, managers and contractors. Accordingly, you should provide security training and education to all staff, not only newly-hired employees. Further, plan how login credentials and access to sensitive information will be handled and/or turned over when training or when terminating, suspending, withholding pay, lowering pay, or taking any other adverse action against an employee.

Four #Mobile #Privacy Take-Aways From FTC Settlement With HTC

Intel Mobile Device
Intel Mobile Device (Photo credit: Frank Gruber)

On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.

The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.

Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:

  1. provide your engineering (programming) staff with security training
  2. review or test your software on mobile devices for potential security vulnerabilities
  3. follow well-known and commonly accepted secure coding practices
  4. establish a process for receiving and addressing vulnerability reports from third parties

Smartphones and tablets are powerful, popular, and continue to find their way into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security requirements. Apps and mobile devices that tap into consumer data – including contact information, photos, and location, to name a few – pose a heightened risk from digital snoops, data breaches, and real-world thieves.

Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach to mobile app security.

Please comment, tweet and forward!

10 Proven Tips For Improving Your Security When Using Public WiFi Hotspots

Ah, public WiFi. Nothing beats sitting in Union Square, San Francisco, with a latte, a scone and free, public Internet access. The last time I attended a security conference where I spoke on security risks related to use of social media in the workplace, I got to thinking about information security and how secure I was (or wasn’t) as I checked my email over a free, public WiFi network.

These days, Wi-Fi hotspots are ubiquitous. One can find free access in airports, universities, public parks, hotels, coffee shops, and libraries. While convenient, these hotspots are usually not secure. Hackers know this and may be sniffing the network for their next unwitting victim. So, how can one protect oneself? Short of ensuring a fully-encrypted VPN connection, one may never be truly secure. Here are some proven tips for improving your security and privacy when using a public hotspot.

Don’t Assume a Wi-Fi Hotspot is Secure

As noted above, most public Wi-Fi hotspots are not secure. They don’t encrypt information you send over the internet.

If you use an unsecured network to log in to an unencrypted site – or a site that uses encryption only on the sign-in page – other users on the network can see what you see and what you send. They could hijack your session and log in as you. New hacking tools – available for free online – make this easy, even for users with limited technical know-how. Your personal information, private documents, contacts, family photos, and even your login credentials could be up for grabs.

An imposter could use your account to impersonate you and scam people you care about. In addition, a hacker could test your username and password to try to gain access to other websites – including sites that store your financial information.

Protect Yourself When Using Public Wi-Fi

So what can you do to protect your information? Here are a few tips:

1. Make yourself a hard target. Take precautions to minimize risks associated with free public networks.

2. Limit information sharing to secure web sites. When using a Wi-Fi hotspot, only log in or send personal information to websites that you know are fully encrypted.

3. Don’t stay permanently signed in to accounts. When you’ve finished using an account, log out.

4. Do not use the same password on different websites. A recent story about a journalist illustrates how once hackers access one account, say Gmail, they can use that info to access all your other accounts.

5. Many web browsers alert users who try to visit fraudulent websites or download malicious programs. Pay attention to these warnings and avoid sites that cause red flags to go up.

6. Keep anti-virus and browser software up to date. If you get a notification that an update is available, install it. Typically updates patch vulnerabilities that have been identified.

7. Use a Virtual Private Network (VPN) connection when available. Many commercial ISPs and corporate networks offer a VPN connection to provide secure access for their employees who work remotely. VPNs encrypt traffic between your computer and the internet, even on unsecured networks.

8. Some Wi-Fi networks use encryption: WEP and WPA are the most common. WPA encryption protects your information against common hacking programs. WEP may not. WPA2 is the strongest. If you aren’t certain that you are on a WPA network, use the same precautions as on an unsecured network.

9. Some browsers offer “add-ons” like Force-TLS and HTTPS-Everywhere for Firefox. These add-ons are free and force the browser to use encryption on popular websites that usually aren’t encrypted. They don’t protect you on all websites – look for https in the URL to know a site is secure.

10. Be aware of your surroundings. Don’t leave devices unattended. Don’t key in user names and passwords in plain sight of people sitting around you.
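Tips 2 and 9 above both come down to the same defensive rule: never let a login request leave the device over plain http. The browser add-ons mentioned in tip 9 implement that rule with rewrite lists; modern browsers implement it natively with HTTP Strict Transport Security (HSTS, RFC 6797), where a site that was once reached over HTTPS tells the browser to upgrade every later http:// request to it. The code below is an added example written for this page, not the source of Force-TLS or HTTPS-Everywhere, and models the HSTS rule in a few dozen lines of Python: it parses a Strict-Transport-Security header, remembers the policy only when it arrived over HTTPS (a policy seen over plaintext could have been injected on the hotspot), honours max-age expiry and includeSubDomains, and rewrites URLs before they would be sent. The host names and header values are constructed for the demonstration.

```python
"""Added example: an HSTS-style "force HTTPS" policy table (not the add-ons' code)."""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed. RFC 6797 requires exactly one max-age directive; unknown
    directives are ignored.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if max_age is not None:
                return None  # duplicate max-age is invalid
            raw = raw.strip().strip('"')
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class StrictTransportPolicy:
    """Known-HSTS hosts with expiry; `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self._now = now
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def record(self, response_url, sts_header):
        """Store a policy. Headers seen over plain http are ignored (RFC 6797 8.1),
        because an attacker on the same hotspot could have inserted them."""
        parts = urlsplit(response_url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
            return True
        self._hosts[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a superdomain flagged includeSubDomains, has a live policy."""
        host = host.lower()
        now = self._now()
        entry = self._hosts.get(host)
        if entry and entry[0] > now:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and entry[1]:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for known hosts; leave other URLs untouched."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:
            netloc += ":%d" % parts.port  # explicit port 80 becomes implicit 443; others kept
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed demo: first visit over HTTPS sets the policy, later http links get upgraded.
    policy = StrictTransportPolicy()
    policy.record("https://mail.example/", "max-age=31536000; includeSubDomains")
    for link in ("http://mail.example/login", "http://imap.mail.example/", "http://news.example/"):
        print(link, "->", policy.upgrade(link))
```

The check that matters for the hotspot scenario is in `record`: a policy is only trusted when it was delivered over an authenticated HTTPS response, so a rogue access point cannot plant or strip policies by tampering with plaintext traffic, and the rewrite in `upgrade` happens before any request (and any cookie or password) leaves the machine.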

I don’t guarantee that just by following these steps you will be totally secure. But, the harder you make it for would-be attackers to access your information and device, the more likely they will be to move on to an easier target.