Tips On How To Reduce The Risk Of Intellectual Property Theft

 In my last post, I wrote about the risks facing businesses when there is a departing employee.  It can be fairly argued that in the next 3 years your average business will have to deal with a disgruntled, departing employee.  The employee will have had access to confidential information in digital form.  Studies have shown that greater than 50% of disgruntled employees and 90% of IT employees will take something.  So what can a business do to protect itself from theft of clients, confidential information, and trade secrets?  Here are a few tips:

1. Strong Contracts. I often say that Legal Zoom = courtroom doom. Many folks go to online websites to get cheap, low-cost non-compete or confidentiality agreements. There are circumstances where you can get a decent contract that will help your business from these online sites. However, too many times I have reviewed the low-cost, canned contract of a client and found significant problems with the contract. If you want to have a contract that will have a better chance of standing up in court, you are best served by hiring an attorney well versed in these areas. Relying on a form contract from a website is not recommended.

2. Strong Policies. Any workplace policy should include strong electronic monitoring policies prominently posted in break rooms and in the employee handbook. Ideally, the policy will spell out that the company can and will monitor the company-owned computers and all communications and information stored on them. You also want to have strong password policies, auditing of file access, and guards against deletion. You should also seek to give your IT department visibility into all activities on work networks.

3. Intake Checklists. Upon employee intake, your business will want to have a checklist that documents all the necessary items covering confidential information. You will want to document all the devices issued to the employee, review the details of the contract (non-compete or non-disclosure), and review all policies of electronic monitoring.


Confidential Information and the Departing Employee

I recently ran a seminar for the Human Resources Association of Central CT on "Effectively Managing Your Departing Employees."  The issues concerned  how attorneys can help to eliminate, prevent, or mitigate the risks of intellectual property theft.  In this post, I will define the basics of the problem.  In the next post, I will cover how to address the problem.  

  • Employees will leave (Millennials' average job tenure is 2.5 years)
  • Employees will be disgruntled (Wall Street Journal: 75% of departing employees are disgruntled)
  • Employees will have access to electronically stored data (UC Berkeley study shows 90% of critical business data is digital)
  • Digital is portable, easy to copy, saved in seconds, and transferred to multiple locations
  • Employees do take confidential information, even if by mistake. (Ponemon Institute says 59% of departing employees take information, and 90% of IT professionals)

Based on these numbers, you could fairly argue that in a three-year time frame an average business will likely have to deal with an unhappy, departing employee who will copy accessible confidential information. This paints a pretty grim picture. Nevertheless, it is a fair way to think about the problem in order to manage risks appropriately.

One of the biggest risks is financial loss from theft of intellectual property and confidential information.  This might cover any of the following:

  • Trade secrets (confidential client lists, formulas, data)
  • Patents (fully or partially disclosed inventions)
  • Copyrights (original works such as software code)
  • Trademarks (counterfeit goods, brand damage) 
  • Proprietary information (anything you do not want in hands of a competitor)

How does employee or insider theft typically happen?  Here are a few examples:

  • Email (with or without attachments)
  • Portable drives (thumb or flash drives)
  • Smartphone 
  • File Transfers (FTP sites)
  • Remote access programs (GoToMyPC)
  • File Synching programs (Dropbox)
  • Old-fashioned printing and copying

In the next post, I will cover what you can do to help stop or reduce the risks of intellectual property theft. 

New John Doe Copyright Infringement Suit Filed in Connecticut

A lawsuit relating to online copyright infringement of synthesizer software using “peer-to-peer” networks was filed recently in Connecticut District Court.  The case is captioned reFX Audio Software, Inc. v. Does 1-89.  The complaint alleges that certain individuals and Connecticut residents committed acts of copyright infringement through the use of a common “peer-to-peer” (“P2P”) file transfer protocol known as BitTorrent.  

A common tactic in mass copyright infringement lawsuits is the use by plaintiffs of “tracking software” which identifies the internet protocol addresses (“IP Addresses”) that were allegedly used to commit acts of software piracy. 

By way of background, Internet service providers (e.g., Comcast, Cox) provide account holders with specific IP addresses from which users can access the Internet. In these lawsuits, the attorneys bringing them allege that each IP address is unique and is therefore linked to a specific user account. In order to identify the allegedly infringing users, reFX hired a Connecticut attorney to file a motion with the court, asking to conduct discovery in order to learn the identities of the account holders. If granted by the court, the attorney for reFX will issue a subpoena to each of the Internet providers requesting that they turn over information (typically name, address, telephone number) for the account holder.

On March 20th, Judge Janet Hall granted Plaintiff’s motion for leave to take discovery in the reFX Audio case. As a result, certain Internet providers have now sent letters to cable customers and account holders notifying them of the pending lawsuit. Typically, Internet providers will wait 60 days to allow the account holders to seek legal counsel prior to providing the court-ordered personal information.

If you have received a letter from your Internet provider identifying your IP address as having participated in the alleged copyright infringement of reFX software, read here from our earlier post on the issue for next steps and to consider if you need to hire an attorney to represent you. 

We already have received calls in response to this lawsuit. Many callers have read or been told to ignore these letters. Each circumstance is typically unique in these cases, and there is no one-size-fits-all defense. Do not assume that ignoring the letter will result in the problem going away. While it is true that in some cases ignoring the letter is an appropriate response, in many other cases the risks are too high to simply ignore the problem. Once you are fully informed of all of your options, such as filing motions to quash, settling or compromising the claim, defending the action, or ignoring it, you can then decide the proper cost/benefit for your case.

Software Liability Act in Connecticut - Good Idea or Too Much Regulation?

Do software publishers need more regulation to encourage creation of safe and reliable software? That was the general question posed for a debate at the RSA Conference USA on February 29, 2012. Sean Doherty of Law Technology News wrote an interesting article summarizing the two different positions. One side of the debate favors creating a regime of "civil liability for software manufacturers whose code causes harm to consumers." Opponents view a regime of civil liability for damages caused by software as another unnecessary regulation. In addition, opponents maintain that our existing laws already provide remedies for software liability.

In Connecticut, there is no software liability statute or act.  However, there are various existing legal theories that might apply to the sale of defective software, including:

  • breach of contract;
  • breach of express warranty;
  • breach of implied warranty; and
  • misrepresentation.

Of course, there are also defenses to breach of warranty claims regarding software.  In many instances, a software attorney writing a contract or license agreement will include a disclaimer of all warranties and a cap on damages.  

Some consumers and purchasers do not have the ability to hire an attorney to negotiate a purchase of software.  Will a software liability act prohibit such disclaimers?  Conversely, not all software vendors or manufacturers hire a software lawyer to protect their interests by drafting appropriate disclaimers in license agreements and contracts.  Will a software liability act also protect software publishers from frivolous claims? 

As noted by the debaters at the RSA conference, everyone wants better, more reliable software. However, I doubt that creating a new software liability regime, and thus more regulation, is the right answer.  I tend to favor the market solution.  Let the better software win.  

New Connecticut Business and Technology Law Firm

I am pleased to announce that I have started a new law firm, Aeton Law Partners LLP.  At my new firm, I will continue my litigation practice involving a wide array of business and technology matters.  In this new venture,  I have partnered with Attorney David Benoit.  Dave brings a wide range of experience in transactions related to business, technology, and intellectual property. Together, we provide a broad base of experience and general counsel legal services for our existing and expanding client base.  For more information on Aeton Law Partners, please contact me at 860 724 2163.

 

Did Courtney Love Make A Good Decision To Settle Her Twitter Case?

According to various online sources and media outlets, Courtney Love has settled (or is close to settling) the Twitter lawsuit brought against her by Dawn Simorangkir. The trial was supposed to start tomorrow, and according to Amanda Bronstad at the National Law Journal, it was going to be broadcast live. Love was reportedly going to defend the case claiming that the Twitter comments were just opinion or hyperbole. I categorized this as the "it was just a Tweet" defense.

If the facts that have been reported are accurate, Love's decision to go for a settlement was probably a good one.  Love's defense was not likely to succeed.  She didn't make isolated rambling comments.  There appeared to be intent to harm Simorangkir's reputation in business with the comments.  In Connecticut, this may have amounted to defamation per se, trade libel, or commercial disparagement.

Given the nature of the comments, Simorangkir might have been entitled to a damages award even if she could not show a loss of business.     Simorangkir's lawyer said Love "embarked in what is nothing short of an obsessive and delusional crusade to terrorize and destroy."    If true, the case goes beyond a simple Tweet or personal opinion.

The Twitter, Facebook, and LinkedIn universe was waiting to see what a jury would say about social media and defamation.  Unfortunately, if the settlement is final, we now have to wait for the next big Twitter defamation case.  It will not take long. 

Carders, Full Wallets and Identity Theft In Connecticut

I recently attended the Connecticut Privacy Forum. One of the presentations was by Kim Peretti, who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor who chased down identity thieves globally (read an interview with Kim here about the infamous TJX case). I learned quite a bit about trafficking in personal identifying information, also known as PII. You can read my live tweets from her presentation here.

In the data theft industry, the thieves are called "carders." They are out there looking for victims in person and online. The primary goal is not only credit card information, but "full wallets." A full wallet is when the carder gets all the information you might have in your wallet: credit cards, license, bank cards, etc. The thieves might get this information from you personally, but more likely through a company that keeps this type of information. Once they get a full wallet, they typically sell it overseas, where the information is stored on computer servers and offered for sale on websites. Scary stuff.

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut's statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney's fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.
 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.
 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • File for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Disturbing Rise in Internet Harassment and Cyber Bullying Part Of Growing Trend

The tragic suicide of Rutgers University student, Tyler Clementi, shows the potential devastating impacts arising from misuse of the Internet and social media sites such as YouTube, Facebook, and Twitter.  This incident also serves as a reminder of the rapid sea change that technology brings and how our laws struggle to keep pace especially when it comes to new forms of media and the Internet.  I have seen two trends develop as it relates to lawsuits and social networking litigation. Both of these trends will continue. 

The first trend concerns the potential problems and risks to business owners over social media. These issues have been well documented for over a year now. Some of these issues include privacy rights, defamation, trade secrets, non-competition agreements, electronic monitoring, evidentiary use, and concerns over social media policies in the workplace.

The second trend that has developed is the unfortunate increase and rise in cyber bullying, harassment, and invasion of privacy from users posting content on Blogs, Facebook, MySpace, Twitter, and YouTube.  The sad fact is that this often involves school age children as victims of cyber attacks or as users who do not fully understand the significance and devastation that might result from posting content online to the entire world.

As another glaring example, Anderson Cooper of CNN reported just last night on the disturbing story of Chris Armstrong, an openly gay student at the University of Michigan. The story detailed how a Michigan Assistant Attorney General, Andrew Shirvell, was outright harassing and stalking Mr. Armstrong both in person and on a blog. Mr. Shirvell's conduct was revolting and disturbing for anyone, let alone a law enforcement official. His actions are an example of someone running wild on the Internet with harassment.

Individuals facing harassment or bullying over the Internet often feel as if there is nothing that can be done to stop the conduct. For example, as of last night, the Michigan Attorney General had done nothing to discipline Shirvell for his conduct based on purported concerns for "First Amendment" rights. Although the available laws for bringing a lawsuit for improper use of the Internet continue to evolve, an attorney can help a victim of Internet or online harassment. In short, something can be done. Some of the legal theories available for a civil lawsuit include defamation, negligent misrepresentation, invasion of privacy, stalking statutes, and infliction of emotional distress.

The explosive growth of use of social media is not going to end. Instead, these trends will continue to dominate and grow.   As use and misuse of social media and the Internet continues, litigation attorneys would be well served to stay on top of the evolving legal issues.  Businesses and individuals will continue to need legal representation  to address these growing trends.

 

 

 

Can You Record Phone Conversations In Connecticut To Help Your Lawsuit?

You might be surprised how many times I am asked this question.  Of course, the circumstances of every case warrant separate consideration, but here are the basic facts concerning recording of phone conversations in Connecticut as it relates to civil litigation and lawsuits: 

Civil Liability.  You are subject to liability in a civil lawsuit if you violate Connecticut General Statutes 52-570d entitled "Action for illegal recording of private telephonic communications."  The full text of the statute is here, but the basic summary is that an aggrieved person may bring a civil lawsuit for the recovery of damages and attorney's fees if someone uses a device to record "an oral private telephonic communication" unless the use of the recording device involves:

  • the consent of all parties (some states only require one party consent), and such consent is obtained prior to the recording
  • the consent documented in writing or part of the recording
  • verbal notification given at the start of the recording
  • an automatic tone warning device producing a signal every 15 seconds

There are various exceptions to this rule, including for law enforcement and FCC officials. In addition, one of the more relevant exceptions is for "any person who, [is] the recipient of a telephonic communication which conveys threats of extortion, bodily harm or other unlawful requests or demands." For example, if you're Mel Gibson's girlfriend, and you are in Connecticut, it's probably safe to record his phone calls. To recover in Connecticut, however, you have to prove actual damages related to the recording.

Many people that want to record phone conversations are trying to document conversations as evidence for potential use in a lawsuit.   However, if the recording is done unlawfully, Connecticut law prohibits the use of the recording in "any court of this state." As such, although an improperly recorded phone call might be available for use in a deposition, it will not be permitted as evidence in any court.  

Whether an improper phone recording is criminal will depend on the circumstances.  For example, it is a Class D Felony in Connecticut to engage in wiretapping or "mechanical overhearing" of a conversation.  Wiretapping and mechanical overhearing are defined to include "intentional overhearing or recording" of telephonic communication or conversations without the consent of at least one person involved.  This is more likely to apply to a situation like the allegations against Shaq O'Neal for intercepting cellular phone conversations he was not a part of as opposed to private two way conversations. However, the possibility of criminal penalty should be factored into any decision to record a phone call.

Keep in mind also that this post is only a summary as it pertains to Connecticut state law. If phone calls involve an out-of-state caller, different laws might apply.  For a good example of the intersection of various state recording laws, visit the website for the Reporters Committee for Freedom of the Press.  In addition to state law, there are federal wiretapping laws that might come into play. For an example of some federal laws, see this post on the Citizen Media Law Project.

The takeaway here is that if you improperly record phone conversations in Connecticut you could: (1) face criminal penalties; (2) face a civil lawsuit for damages and attorney's fees; and (3) be precluded from using the recordings in court in any civil lawsuit.  As such, if you are planning on recording phone conversations of any kind, you would be well served to contact an attorney and get advice on whether to proceed.

Cyber Crime On The Rise And Costly - What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here. The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider. The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurrence
  • The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
  • The companies in the study were experiencing 50 successful attacks per week
  • Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs for company compliance depended greatly on the level of security programs at each company

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly. Responding quickly to a cyber attack is essential. Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack. There should be a dedicated response team and protocol for any such event.
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks. Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company's ability to respond to a cyber attack. Advance planning is critical to mitigating damages from cyber attacks.

 

 

Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 

 

Computer Fraud and Abuse Act In Connecticut

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal  where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.   Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access. 

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under the CFAA largely have been unsuccessful for a variety of reasons, many of which Peter's article details. Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2004)), while another case was dismissed because the facts were insufficient for unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 (2009)). However, in a recent case in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, on the CFAA (Genworth Financial Wealth Mngmt. Inc., v. McMullan).

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and eliminate the CFAA as a method of recovery as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access of confidential information through a computer system as it provides an additional basis for potential recovery.  Also, advanced planning with sound internal policies might provide a business with a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.

 

 

Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its users' profile information.  Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook's "opt out" setting concerning the instant personalization feature.  Wendy Davis on  Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in Federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

YouTube Metadata Evidence in Connecticut Trademark Lawsuit

The smoking gun evidence in a trademark lawsuit filed in US District Court in Connecticut is allegedly metadata from a YouTube video.  Here is the lawsuit.  In the lawsuit, Tuscan Leveling, Inc. alleges that Roynette, Inc. stole its trademarked concept for a level tiling process.  According to the Complaint:

  • Tuscan is an Iowa based business that markets and provides a "unique tile installation method." 
  • Tuscan's tiling process is subject to a pending patent and trademark application and has identified the Tuscan Leveling System as its trademark.
  • Roynette is a Connecticut based business that markets and solicits over the Internet.  Roynette advertised the sale of a competing tile leveling system over the Internet through a YouTube video that was identical to the Tuscan leveling system.
  • The metadata from the YouTube video shows the Tuscan Leveling System trademark in "human readable form."   (Note: you can see the readable form in the attachment to the Complaint)
  • The metadata would permit Internet consumers to search for Tuscan and end up finding the Roynette video and product.   Roynette puts the product it is selling by hyperlink directly adjacent to the Tuscan trademark.

The Complaint seeks damages, attorney's fees, and an injunction.   Roynette has not yet responded to the lawsuit.

Nothing unusual about a YouTube video surfacing as evidence, but this one may be a first, at least in Connecticut.  This case is unique because the evidence is not the video itself but the metadata with the video.  Metadata is typically described as data about data.   YouTube allows you to edit or add metadata to a video.  The metadata, descriptions, or titles for the videos can show up in response to search terms on search engines such as Google or even YouTube.  The allegation here is that Roynette used Tuscan's trademark name to attract consumers searching on the Internet for tile leveling. 

 In this case, it was not only consumers who found Roynette, but it seems they attracted Tuscan too. 

 

LinkedIn Evidence In A Lawsuit -- It Was Only A Matter of Time

When I started this blog, I decided I would keep an eye on lawsuits related to social networking websites as it seems this type of evidence will soon take the place of the smoking gun email of the last ten years.  The impact of social networking evidence in Connecticut business litigation will continue to grow.

My interest in social networking cases started with a Facebook lawsuit so I made a Facebook category on this blog and discussed some concerns for individuals and Connecticut businesses.  Then Twitter exploded to growth of 1000% last year, so I added a Twitter defamation case and a new category.  And now, it's finally here ... I need a LinkedIn category for LinkedIn lawsuits.

I do not claim to know about all of the social networking lawsuits out there.  There are also some social networking sites that I ignore, like the dying MySpace.  Nevertheless, I do track cases of interest in this area.  You might also check out Megan Erickson's Social Networking blog as a resource to check on these types of claims or visit Dan Schwartz's Connecticut Employment Law Blog for resources and tips on policies for employers related to social networking.

The LinkedIn lawsuit involves a non-compete agreement and solicitation of employees by a former employee. Molly DiBianca with The Delaware Employment Law Blog detailed the case in a post about the lawsuit filed by TEKSystems against its former employees.  Nothing strange about this type of lawsuit, only in this case, TEKSystems claims it has evidence of breach of the employment contract arising from post-termination solicitation of its employees through the LinkedIn connections of one of the defendants.  Here is a copy of the lawsuit (go to paragraph 37). 

Molly DiBianca states it is the first lawsuit she is aware of using an employee's LinkedIn account.  She may be right, as I am not aware of another case like it.  Nevertheless, I certainly expect this type of social networking evidence to be the focus of more lawsuits and it was only a matter of time for LinkedIn to be involved in a case with media attention.  In Connecticut, we had our own social networking evidence case with Facebook.  In a bullying case involving Miss Porter's School, Judge Arterton ruled that the plaintiff's postings in an expired account were relevant.   

The way I see it, this is only the beginning.  Soon enough, social networking evidence will be as significant and commonplace as email evidence.  At that point, I'll have to find something else to blog about ....

Understanding Risks and Avoiding Lawsuits - Negotiation of the Master Services Agreement

Recently, I received a call from an attorney trying to figure a way out of a Master Services Agreement for his client.  His client, the purchaser, was stuck owing a lot of money to a technology vendor under a Master Services Agreement that was not working for the client.  The problem - - there was no protection under the contract for the purchaser and no clear way out without owing money to the vendor. 

The problem is not unique to technology purchasers.  Bad contracts also can hurt technology providers.   Take for example a recent case involving a technology company in a lawsuit over installation of new software for a small business.  The business claimed loss of profits due to extended down time as a result of a claimed breach of warranty.  The problem for the technology vendor - -  no protection in the contract with a limitation of remedy provision or disclaimer of warranty.  This opened up a claim for consequential damages that neither party contemplated.

In these cases, whether you are the attorney for the customer or the vendor, many times you are left saying "I wish you called me when you negotiated this contract."   In most instances, when a large or significant service and technology purchase is involved, the relationship between customer and vendor is set forth in a Master Services Agreement.  Master Services Agreements are typically contracts in information technology or professional services that govern a long term vendor-client relationship.  The contract includes general provisions on price, payment terms, and project scope.  The contracts usually include a Statement of Work. The Statement of Work will define the project specifics, services, or deliverables.

While the negotiation of a Master Services Agreement can be quite complex depending on the scope of the project, there are some general terms and clauses that should be considered or included in each agreement to avoid mutual misunderstandings, bad financial decisions, and unnecessary business litigation.  This applies to both sides of the negotiation whether you represent the customer or the vendor.  

There are some standard clauses and considerations in Master Services Agreements that can help the parties reach a true meeting of the minds as to the scope, risks, and obligations. Here is a checklist of some topics and questions that should be discussed as part of the negotiation of a Master Services Agreement:

  • Price.  Very important to remember that the sticker price or price on the contract is many times not as important as the soft costs and expenses.  It benefits both sides of the deal to make sure the price and payment terms (including add on fees like renewals, maintenance and service) are clear and understood.
  • Payment.  Is the agreement going to call for payment by time and materials?  A fixed fee?  A hybrid of both?  Will the payments be tied to meeting milestones on deliverables?  Penalty or late fees? Any retained amounts until completion?  For both sides of any deal, it is better to work out the details on payment ahead of time and avoid problems before they arise.
  • Intellectual Property.  Who is going to own the intellectual property rights to the new software or work performed?  If this is not addressed in the contract, unintended results may occur where the vendor has future property rights for a project paid for by the customer. 
  • Warranty.  What is the scope of the warranty of the work? Will the warranty be limited to the vendor's performance in a workmanlike manner or is greater warranty protection needed for a new product installation?  Does the vendor warrant the software or other products? The warranty many times provides the basis of the claim for damages against the vendor.  By limiting or expanding the warranty, the scope of liability is understood by both parties at the outset. 
  •  Statement of Work.  This is the document that will provide the specifics on the deliverables under the agreement.  Will it be a separate document?  How much detail will be included?  What assumptions are made?  How can the scope of the project increase?  What are the due dates and deadlines?  An overly broad Statement of Work can be a problem for both a vendor and customer. 
  • Confidentiality Agreement.  Typically, the parties to a Master Services Agreement will want a mutual confidentiality agreement or non-disclosure agreement to prevent disclosure of proprietary information and company trade secrets.  How will you define proprietary information and trade secrets?  How long will the agreement last?  What are the penalties for violation?
  • Indemnification.  These clauses typically shift the risk associated with a loss or a claim from one party to another.  For example, what happens if the customer gets sued for patent infringement for work product of the vendor?  Should the vendor have to defend and indemnify the customer for the lawsuit?
  • Attorney's fees and Alternative Dispute Resolution (ADR).  How will disputes under the contract be resolved?  ADR clauses in the contract can provide for the award of attorney's fees to the prevailing party and force all disputes to be resolved in a binding arbitration as opposed to a typical lawsuit in court.  More and more, both customer and vendor are seeking to avoid costly litigation by electing for a streamlined dispute resolution process.
  • Insurance.  Does the vendor have errors and omissions insurance?  Should it be required in the contract?
  • Termination.  What terms will govern when one party is unhappy or if a party is in breach?  How do you get out of the contract?  30 days notice?  10 days notice?  Is there any payment for at will termination?  Does work stop upon notice?

These are just a few of the major considerations at play for both a purchaser and vendor under a Master Services Agreement.  For any significant transaction, it is advisable for a technology lawyer to negotiate the contract.  Early involvement of a technology attorney can save time and expense later and help each party understand the risks of any particular project.

 

 

Business Blog Round Up: YouTube, Coffee Cups, Anna Nicole and Identity Theft

 

  • Ashby Jones of Wall Street Journal blog writes an intriguing post about the Google and Viacom lawsuit concerning Viacom's claims of copyright infringement against YouTube (Google subsidiary).  The post recites how Viacom employees were uploading copyrighted copies of their own videos to YouTube to help prove that YouTube was not promptly removing videos that infringe copyrights.  At stake: immunity under the Digital Millennium Copyright Act.  Google says it's protected from suit under the Act because YouTube removes content upon request of a copyright holder.  Viacom says otherwise and points to some of its own videos that were not removed.  I do not know the particulars of the lawsuit, but if Viacom hopes to prevail, you would expect that they have more to proceed on than their own employee videos.
  • PatentlyO, the nation's leading patent law blog, has a humorous post indicating Starbucks may soon be subject to a false marketing claim if it keeps a patent number on its corrugated cardboard cups for much longer.  Professor Dennis Crouch looked up the patent on the cup and it's set to expire in a month.  Maybe Starbucks will settle out of court like the coffee house did with Kramer on Seinfeld for lifetime free coffee!  (If you are wondering, this happened in the Maestro episode.)
  • Brendon Tavelli of The Privacy Law Blog writes about the Federal Trade Commission's settlement against LifeLock, Inc. for misrepresentation concerning its identity theft services and protections.  35 states joined in the settlement.  According to the settlement, LifeLock was not providing the comprehensive identity theft coverage it advertised.  Any consumer considering identity theft protection should do a very detailed investigation of the company and its services.  I wrote a post recently about data loss and noted that many victims are offered identity theft protection as part of the settlement.  Many times, the protection is not adequate.
  • Victoria Pynchon's Settle It Now Blog has a compelling post about her project to teach women to negotiate better in retail, relationships, employment, and the law.  I recently discovered this popular blog and now I am a regular reader.  Great insights, not only for women (although she says so a few times).
  • John Buford of the North Carolina Business Litigation Report has a post about a business valuation case involving a closely held business.  At issue in the case was determining a value of an unproven technology.  The problem was setting a fair price to avoid a windfall for either side.  Although it is a North Carolina case, valuing intellectual property, especially unproven technology, is more a function of the science of appraisals than state law.  Some useful concepts are discussed including the appraiser's methodology that the court accepted.
  • Mashable, a top 100 blog, discusses Twitter's birthday only 4 years ago.  Twitter hit 50 million tweets per day last month. Mashable is a great blog that has just about everything there is to do with social media and web 2.0.
  • For more on social media: Nicole Black's Sui Generis - a New York Law Blog - discusses Nicole's new book, "Social Media for Lawyers: The Next Frontier."  The book is co-authored by Carolyn Elefant, who publishes the blog MyShingle.com, an excellent resource for solos and small firm lawyers.
  •  Megan Erickson's Social Networking Blog also details the Classmates.com settlement.  I guess  I was not the only one getting those annoying emails claiming my classmates were looking for me. 
  • Cannot do a business blog round up without mentioning the ScotusBlog and its post on Anna Nicole Smith's estate losing her long disputed claim for millions from her tycoon husband J. Howard Marshall.  The Post includes the decision and a summary story.  

 

Thank You to Hartford Business Journal and Advanced Copy

Thank you to Advanced Copy for nominating me for Best Use of Blogs for the Hartford Business Journal's Strateg E Awards for 2010.  Thank you to the Hartford Business Journal for selecting this Blog as a finalist and putting on a great event yesterday. 

Congratulations to Thomas Clifford who won for his Blog, Bringing Brands to Life.  Tom is a big fan of Daniel Pink who has some revolutionary ideas for business management.  I just read Pink's latest book "Drive: The Surprising Truth About What Motivates Us."  Great read. 

Class Action Lawsuit Filed In Connecticut Against AT&T Over Internet Access Tax

On January 11, 2010, a class action lawsuit (download here) was filed against AT&T alleging that it improperly charged sales tax to access the Internet in violation of Connecticut law and the Internet Tax Freedom Act.

The case was brought on behalf of David Rock who subscribed with AT&T for a "wireless data plan that permits access to the Internet by radio device."  The plan permits Internet access remotely by computer or smartphone, such as an iPhone or BlackBerry.

The complaint alleges improper charges from AT&T for state and local sales taxes on internet access on monthly bills.  The complaint is based in part on Connecticut General Statutes 12-407(a)(26)(A) which excludes Internet access from the state's sales tax on telecommunications.  The Internet Tax Freedom Act also prohibits taxes on Internet access.  The complaint alleges thousands of potential members for the class in Connecticut.  The complaint alleges breach of contract and violation of Connecticut's Unfair Trade Practices Act.

Nate Anderson of Ars Technica reported on several identical lawsuits filed in Georgia, Indiana, and Alabama over the last month.  Mr. Anderson reported that the same lawyers were behind the multiple filings.  In a Hartford Courant article today by Matthew Sturdevant, the attorney for Mr. Rock, Michael Koskoff, noted that perhaps a dozen similar suits will be filed in various states.

Mr. Anderson made a humorous comment that all the complaints in the Georgia, Indiana, and Alabama cases have the same typo or misuse of the word  "I-Phone" rather than iPhone.  The complaint in the Connecticut case has the same misuse of "I-Phone."  So, either there is some cooperation nationwide on the plaintiff side on the content of the complaints or perhaps none of the lawyers involved own iPhones.   

In any event, these cases will be interesting to track as all of the lawyers involved on the consumer side have significant experience in class action lawsuits, including against telecom providers.  I also agree with Mr. Anderson that the actual definitions of "sales tax" and "Internet access" might seem simple enough, but can actually be quite complicated.  I expect AT&T will make use of those complications. 

 

Don't Get Rocked like RockYou - - Protect Your Customers' Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses related to hackers stealing customer data also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

 Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..."  As such,  RockYou may face liability for data exposures across other platforms. 

Mr. Remillard notes that he has been warning site owners about the risks of holding the PII of consumers.  I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach.  If a business must store PII in its systems then a data loss and security plan must be in place to protect the data.  In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of their customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures that apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems.  The vulnerability results from RockYou's SQL database, which relates to the actual storage method and management of millions of email accounts and passwords.  The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCWorld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes.  He noted that RockYou stored the information in plain text words.  In other words, once the hacker got inside RockYou's system, the passwords and email accounts were easy to read like sticky notes because there was no encryption of the text.

RockYou has issued a statement explaining the breach and intends to defend the lawsuit. RockYou also has implemented new steps to avoid future breaches including implementation of encryption for all passwords.  Encryption is the method used to make the passwords unreadable once the hacker gains access to the system. 
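To make the sticky-note comparison concrete, here is a short Python sketch, added as an illustration and not taken from RockYou, the complaint, or the articles cited above. It stores the same constructed accounts two ways and counts how many passwords someone who can read the database gets in each case; it uses a salted one-way hash (PBKDF2) rather than reversible encryption, which is the usual practice for stored passwords, and the table names, sample accounts and iteration count are assumptions.

```python
"""Plaintext vs. salted-hash password storage, as seen from a database dump."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not real data).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "sunshine1"),
    ("bob@example.com", "sunshine1"),      # same password as alice, on purpose
    ("carol@example.com", "Tr0ub4dor&3"),
]
PBKDF2_ITERATIONS = 200_000  # assumption: raise to what your servers tolerate
ALLOWED_TABLES = ("users_plaintext", "users_hashed")


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def build_db(accounts=SAMPLE_ACCOUNTS):
    """Store every account twice: once in plaintext, once as salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_plaintext (email TEXT PRIMARY KEY, password TEXT)"
    )
    conn.execute(
        "CREATE TABLE users_hashed (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for email, password in accounts:
        # Parameterized statements: values are bound, never pasted into the SQL.
        conn.execute("INSERT INTO users_plaintext VALUES (?, ?)", (email, password))
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (email, salt, digest))
    conn.commit()
    return conn


def verify_login(conn, email, password):
    """Check a login attempt against the hashed table only."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users_hashed WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        # Do the same work for unknown accounts so timing does not reveal them.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def dump_table(conn, table):
    """What anyone with read access to the database sees for one table."""
    if table not in ALLOWED_TABLES:
        raise ValueError("unknown table")
    return conn.execute(f"SELECT * FROM {table} ORDER BY email").fetchall()


def count_exposed(rows, accounts=SAMPLE_ACCOUNTS):
    """Count dumped rows in which some user's password is readable as-is."""
    passwords = {pw for _, pw in accounts}
    exposed = 0
    for row in rows:
        for field in row:
            text = field if isinstance(field, str) else bytes(field).decode("latin-1")
            if any(pw in text for pw in passwords):
                exposed += 1
                break
    return exposed


if __name__ == "__main__":
    db = build_db()
    for name in ALLOWED_TABLES:
        rows = dump_table(db, name)
        print(name, "-> readable passwords:", count_exposed(rows), "of", len(rows))
    print("correct login accepted:", verify_login(db, "alice@example.com", "sunshine1"))
    print("wrong login rejected:", not verify_login(db, "alice@example.com", "guess"))
```

Because each account gets its own random salt, the two users who picked the same password end up with different stored values, so a reader of the database cannot even tell which customers share a password.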

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems.
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.” It’s a 12 step plan to increase cyber security. Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

Do Not Count On Beating Goliath: Implement A Management Plan To Avoid Software Licensing Problems

This month's business technology tip arises from the recent David v. Goliath story reported on by Douglas Malan of the Connecticut Law Tribune.  Kent Johnson, the owner of a small computer repair shop in Connecticut was sued by the software Goliath Microsoft for allegedly selling one improperly licensed version of Microsoft Office. Microsoft put 15 people on the case and sued Mr. Johnson in federal court for copyright infringement.  

Mr. Johnson represented himself against Microsoft and reportedly reached a favorable settlement.  Mr. Johnson has a website that provides all the details of the case from the very beginning.  As much as Mr. Johnson's apparent success against Microsoft was unusual, the notion of Microsoft going after business owners for copyright infringement is not.

Microsoft, and other software publishers, might pursue an infringement case directly or through enforcement groups such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA).  These groups estimate that piracy costs software publishers seven billion dollars annually.

When you purchase software for your business, the software comes with a license that restricts your use of the software.  If you violate the restrictions in the license by copying or distribution, software publishers consider it piracy.  For example, typically you cannot install a software program for several users on multiple computers without purchasing additional licenses.  Also, you generally cannot install a program on a network server and let multiple users have access to it without the proper number of licenses.

Violation of a software license or copyright can implicate significant civil (and potential criminal penalties) in piracy cases.  Penalties can range up to $150,000 per offense for copyright infringement and there may be additional damages for lost profits. Many of these cases result in significant financial settlements in favor of the software publisher. 

You might be wondering how Microsoft finds out about a small company violating its software license.  Typically, an anonymous informant (an employee or IT consultant) reports the company to the software publisher, BSA, or SIIA in hopes of recovering a reward.  These groups openly advertise rewards of up to a million dollars for anonymous tips that lead to successful enforcement actions.

Many times businesses can inadvertently run afoul of licensing restrictions without realizing it.  Violations can occur when trying to cut costs, relying on bad advice from IT professionals,  or an employee's improper downloading of software.  When groups like the BSA become aware of allegations of software piracy, they usually issue a software audit letter to the business or initiate a lawsuit in federal court.  The BSA will request proof of proper licensing from the business.

After receiving an audit letter, a business will have to decide to either fight it in court or cooperate.  Facing Microsoft or the BSA in court can be risky financially and many businesses choose to cooperate.  Problems often arise for businesses that cooperate because they cannot establish sufficient proof of licensing or the business is not aware of the extent of the infringement.

The best way to prevent problems with software licensing or an audit is to implement a software asset management plan.  Ideally, the plan would include at a minimum a written policy covering: (a) terms for copying, use, and transfer of company software; (b) the risks of improper use of software and piracy; and (c) disciplinary action for employee misuse.  The plan should also include software management including a system for record keeping of all receipts, licenses, and original copies of the software.  The plan should further include regular self-audits of company computer systems to verify proper licensing.

With a good software management plan in place, a business will be better equipped to defend a software audit or avoid it in the first place.  In either case, if your business is facing an audit or other enforcement action, you should seek legal advice.  If you face Goliath alone, do not count on obtaining the same success as Mr. Johnson.

Connecticut State Court To Phase In Mandatory E Filing

The Connecticut Judicial Branch will implement mandatory electronic filing in Connecticut state superior courts in all civil cases by December 5, 2009.  The Judicial Branch is also going paperless for short calendar and notices will no longer be sent by paper in the mail (unless the firm or litigant is exempt) starting September 1, 2009.

The mandatory e-filing will be implemented in phases as follows:

E-filing will be available in all remaining civil cases (with few exceptions) starting August 22, 2009.

E-filing is mandatory in all foreclosure cases starting September 1, 2009.

E-filing is mandatory in all remaining civil cases starting December 5, 2009.

Law firms and attorneys can receive e-filing training in each judicial district.

E-filing will be mandatory starting December in Connecticut in both state superior and federal district courts unless a law firm or litigant qualifies for an exemption.

 

Three Lawsuits Against Facebook For Fraud Raise Concerns For Advertisers

If your business is advertising on Facebook, or considering it, you should do some research on the newest allegations of advertising fraud against the online giant.  Facebook reportedly has over 250 million users so it is understandable that a business would want access to Facebook's users.  Facebook offers businesses advertising space online that is targeted to specific demographics of its users.  Facebook charges for the advertising based on the number of views or clicks that the ad receives from users.

As reported by TechCrunch's Michael Arrington, massive complaints started surfacing recently against Facebook for "click fraud." Basically, advertisers were clicking on competitors' ads, or paying others to do it, to artificially drive the price up. Advertisers were also reporting that Facebook was charging for more clicks than the ad was actually receiving. There are now three lawsuits filed against Facebook for advertising click fraud.

The most recent lawsuit was filed on July 31st by an individual advertiser seeking class action status. The second lawsuit was filed by Unified ECM, a software company, seeking class action status for massive click fraud by Facebook. The first click fraud lawsuit was filed by sports company RootZoo and it also seeks class action status.

BNET Media's Catharine Taylor posted a good report on the details of the first two lawsuits, including email comments from Facebook. In the email, Facebook maintained that the Unified lawsuit is "unnecessary and baseless." Wendy Davis of Online Media Daily posted a good report on the first lawsuit by RootZoo. All three suits alleged discrepancies between the charges by Facebook and the actual number of clicks recorded by the advertisers.

Although Facebook has denied all the fraud allegations, TechCrunch takes the position that the click fraud problem is real and confirmed by Facebook. The Lost Press Marketing Blog presents a different view accusing Unified ECM of a "marketing stunt" to get exposure through press coverage of its lawsuit. 

Any business considering advertising with a pay-per-click campaign should take caution, whether on Facebook, another website, or a search engine. If you want to measure your return on investment, you should consider monitoring any pay-per-click campaign internally. If you are considering Facebook, you should wait to see what Facebook does to reassure its advertisers that fraud will be monitored effectively. For now, the problem does not appear to be going away.

 

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common. Obtaining insurance to cover losses from data loss can potentially save your business. Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases. Take, for example, the recent class action lawsuit for data loss filed against Aetna in Federal Court in Pennsylvania. The lead theory of recovery in the complaint against Aetna is negligence.

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

Technology 404 by Darwin

CyberChoice by The Hartford

CyberSecurity by Chubb

ACE DigiTech

OneBeacon @vantage

 

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's today's tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws. For a good resource on privacy laws go to the Privacy Law Blog by Proskauer Rose LLP. For an example of a new privacy law in Connecticut, consider the "Act Concerning the Confidentiality of Social Security Numbers." Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time. Consider the recent case of TJX reported on by Sheri Qualters for the National Law Journal. Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards. TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks. Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business. How can a business minimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business. There is no one size fits all policy and solution and every business will have different needs. If you already have a policy, you should have it reviewed regularly for changes in the law. If you do not have a policy in place, you need to start somewhere. For "do it yourselfers" there is the Federal Trade Commission's Guide for Business and Protecting Personal Information. The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures.

In addition to implementing policies, any business with a significant risk exposure for data loss (e.g., medical practice, retailers, e commerce) should consider purchasing a cyber liability insurance policy. These policies are now more affordable and many insurers such as The Hartford are now actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit. 

Social Networking Lawsuits Are Big Risk to Business

I just read an excellent article posted on Law.com from the New York Law Journal on social networking and challenges to business owners and their legal counsel. The authors Christopher Boehning and Daniel Toal focus on new emerging problems associated with electronic discovery of social networking data. The authors also point out many of the potential problems for employers and businesses related to social networking sites.

When Facebook started exploding in popularity, you could see that the future in communication was social networking. Boehning and Toal cite a New York Times article that indicates the future is now upon us as more people spend time on social networking sites than e-mailing. The authors correctly point out something I emphasize to all my business clients: businesses need to have a policy on how to handle social networking sites like Facebook, MySpace, LinkedIn and Twitter. The policy should cover the business' use of such sites and use by employees. Policies on preservation of the data should also be included as social networking data is akin to the new email.

Lawsuits involving some aspect of social networking sites are increasing in frequency from across the country. Take for example the recent jury verdict in New Jersey against Hillstone Restaurant for violation of the Federal Stored Communications Act. 

In that case, the employers accessed an employee MySpace group that was dedicated to criticizing the employer.  Although the verdict amount was relatively small, the implications are far reaching.  This case was reported on by Charles Toutant in the New Jersey Law Journal.  The employees' trial brief is a good read and spells out some of the arguments in favor of employees' rights to privacy with social networking sites. 

The outcome in the New Jersey case may have been different if the restaurant had a policy addressing use and access to social networking sites.  Businesses will have different concerns when it comes to adopting a policy, and no policy will cover every situation.  However, the lack of any policy at all is likely to lead to problems and potential litigation.  The best way to avoid litigation is to implement a written policy on use and access to social networking sites.