Cyber Crime On The Rise And Costly - What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here.  The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider.  The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurrence
  • The most costly attacks are web attacks, malicious code, and malicious insiders, which together account for more than 90% of cyber crime costs
  • The companies in the study collectively experienced 50 successful attacks per week, more than one per company per week
  • The average time to resolve a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs depended greatly on the strength of each company's security program

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly.  Responding quickly to a cyber attack is essential.  Hopefully, your business has developed a data loss and privacy plan that addresses the steps your business should take in response to a cyber attack.  There should be a dedicated response team and protocol for any such event.
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small businesses are equally, if not more, exposed to cyber attacks.  Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company's ability to respond to a cyber attack.  Advance planning is critical to mitigating damages from cyber attacks.


Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut's computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney's fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack involving unauthorized access to a computer network.  A common example is a disgruntled employee or vendor whose legitimate access to a business's network turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties.

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might otherwise qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.  In practice, this is what makes written access policies, documented provisioning and revocation of accounts, and access logs important evidence: they are what shows that a given use was, or was not, authorized.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 


eBay sued for $3.8 Billion - - Patent Troll or David v. Goliath?

Is it David v. Goliath or a patent troll case?  Connecticut based XPRT Ventures, LLC has filed a lawsuit in the U.S. District Court in Delaware (download lawsuit here) against eBay for $3.8 billion over the technology for automating and securing online payment portals. The suit was also filed against eBay's PayPal, Bill Me Later, Shopping.com, and StubHub.

In the suit, XPRT alleges that PayPal and others have used its systems and methods for electronic auction and e-commerce transactions subject to XPRT's six U.S. patents since at least 2002.  XPRT also alleges that eBay received confidential information in 2001 from the inventors and misappropriated information from patent applications assigned to XPRT. XPRT alleges a loss to date of $600 million with expected future losses of $3.2 billion.

The suit is for willful patent infringement, but at its heart is XPRT's allegation that eBay stole XPRT's trade secrets obtained from patent applications to use in eBay's own patent applications and for use by eBay in multiple platforms for PayPal and others.  The complaint states that XPRT passed on confidential information related to its patents to eBay in 2001 with the expectation of compensation should eBay be interested in the technology. The complaint alleges that the confidential information included how eBay could benefit from acquiring PayPal's payment platform.  Instead, eBay allegedly used the information provided in support of its own patent applications and online uses for PayPal and others.

The suit has been summarized and covered by various online media, some supporting and others criticizing the suit. Read here for the Reuters report on the eBay suit and PCWorld's story.  Another good summary is the post today from Rajeev Saxena of Trends Updates. The post includes the following statement from XPRT's Connecticut based counsel, Steven Moore:

This involves a trade secret theft, along with sheer patent infringement.  It is bad enough to take someone's technology, but it is a bit much to use it in your own patent application. 

Attorney Moore's firm also issued a press release that states, in part:

In a nutshell, XPRT asserts eBay unfairly stole the idea and method of payment used in eBay's PayPal and similar electronic payment systems.

Techdirt, a technology blog, came out swinging and criticized the suit as "another patent lawsuit against a big company for doing something obvious, filed by a company that appears to exist solely for the purpose of suing a company that actually does stuff."   Techdirt's Mike Masnick also includes in his post some additional details about the history of XPRT's trail of patent rejections.  His take is basically that the case is a patent troll stick up suit.    For a good and balanced definition of "troll patent" or "patent troll" read this post from PatentlyO, the nation's leading patent law blog.


Erik Sherman, a freelance writer, had a somewhat different take in his blog post.  After providing a detailed summary of his own investigation and fact finding, Erik wrote that "this is not a simple case of a troll finding an obscure patent that could be stretched to cover an intended target."  He also focused on another case where eBay was alleged to have engaged in similar unethical behavior and the complications potentially created for Meg Whitman (eBay CEO at the time), currently running for California governor.

Thus far, eBay only issued a short statement denying that there is any merit to the suit. What's your take, Patent Trolling or David v. Goliath?


Computer Fraud and Abuse Act In Connecticut

Previously, I have posted about non-compete agreements and the duty of loyalty for employees.  Many times, businesses do not have written contracts to protect confidential and proprietary information from not only competitors and vendors, but also their own employees.  Without a contract, the common law of Connecticut concerning breach of fiduciary duty is one of the ways attorneys can seek to protect business clients against improper use of confidential information.

Another method for attorneys to seek to protect their clients' confidential information stored on a computer system or network is through the federal Computer Fraud and Abuse Act (CFAA).  The CFAA is largely a criminal statute, but is being used more frequently in civil cases on behalf of businesses faced with loss or theft of confidential and proprietary information and trade secrets.   The CFAA, 18 U.S.C. 1030, essentially provides for civil liability for unauthorized access to protected computers with intent to defraud or cause damage.  There are civil enforcement provisions that allow private actions for recoverable loss related to prohibited conduct if a series of factors can be proved in court.

Recently, Peter J. Toren wrote an excellent article in the New York Law Journal  where he detailed methods in which the CFAA might be useful for attorneys to protect client trade secrets and other confidential information.   Peter listed the six factors necessary for proof of damages.  Peter also noted some of the limitations of the CFAA when it comes to employee theft of trade secrets and described the narrow and broad views taken by different courts when interpreting improper access of a protected computer without authorization. Peter further provides some useful tips for businesses on how to construct a policy in light of the different court interpretations of improper access. 

Lee Berlik, publisher of the Virginia Business Litigation Blog, also has a recent post about the series of hurdles necessary for attorneys to prove loss or damages under the CFAA.  Lee's post describes a threshold of $5,000 in value that must fit into the categories of potential loss defined in the CFAA.  Similar to Peter's article, Lee also describes how a case was unsuccessful in court because of insufficient facts to show loss under the CFAA.

In Connecticut federal courts, the reported cases under the CFAA have largely been unsuccessful for a variety of reasons, many of which Peter's article details.  Some cases were dismissed for failing to meet damages thresholds (Register.com v. Verio, 356 F.3d 393 (2d Cir. 2004)), while another case was dismissed because the facts were insufficient to show unauthorized access (Cenveo, Inc. v. Rao, 659 F. Supp. 2d 312 (D. Conn. 2009)).   However, in a recent case in the federal district court, Judge Vanessa Bryant issued an order of sanctions and for production of electronic devices for forensic inspection in a case based, in part, on the CFAA (Genworth Financial Wealth Management, Inc. v. McMullan).

The takeaway here is that the CFAA provides another potential basis for a business to protect its confidential and proprietary information when the information resides on a computer system or network.  Of course, there are a series of factors that must be met before liability can be established.  Some of these factors may not apply and may eliminate the CFAA as a method of recovery, as we have seen in several reported cases.  However, the CFAA should be considered and evaluated in any case involving unauthorized access to confidential information through a computer system, as it provides an additional basis for potential recovery.  Also, advance planning with sound internal policies might give a business a better chance of success under the CFAA.

I will do a post soon on another statute, Connecticut's Computer Crime Act, that may provide additional remedies for improper access of a computer system or network.


Wondering Where The Line Is On Internet Privacy - - Just Watch Facebook

My firm receives many calls from new or existing businesses with Internet privacy questions.  Many calls come from e-commerce businesses, start ups, or businesses that want to utilize information gathered from users accessing their Web sites. Some business owners have ideas or concepts that test the limit on use of user profiles, preferences, and content.  The question becomes, just what are the limits for user expectations on privacy?

Take Facebook for example.  Facebook has a reported 400 million users.  Facebook is constantly in the headlines over its privacy policies and security settings related to its users' profile information.  Whether it is a class action lawsuit in California or the recent $10 million settlement for its Beacon program, you can count on Facebook to have dealt with any number of privacy issues in litigation.

Recently, another lawsuit has been filed over Facebook's "opt out" setting for the instant personalization feature.  Wendy Davis of Online Media Daily reported on the story.  This feature automatically shares user information with three outside companies, Microsoft Docs, Pandora, and Yelp.  The lawsuit was filed in U.S. District Court in Rhode Island for violation of the Stored Communications Act (Download here).  By my count, Facebook has been sued at least 30 times in federal court in recent years.

In the Internet privacy area, Facebook tests the outer limits of what is acceptable for privacy rights and user expectations.  When Facebook makes a change or tries something new, everyone pays attention.  As a result, Facebook's privacy policies get vetted by 400 million users, numerous industry and trade groups, leading technology blogs like TechCrunch, and even the federal government. 

If you want to know what crosses the line when it comes to privacy on the Internet,  just watch Facebook.   

YouTube Metadata Evidence in Connecticut Trademark Lawsuit

The smoking gun evidence in a trademark lawsuit filed in US District Court in Connecticut is allegedly metadata from a YouTube video.  Here is the lawsuit.  In the lawsuit, Tuscan Leveling, Inc. alleges that Roynette, Inc. misappropriated its trademark for a tile leveling process.  According to the Complaint:

  • Tuscan is an Iowa based business that markets and provides a "unique tile installation method." 
  • Tuscan's tiling process is subject to a pending patent and trademark application and has identified the Tuscan Leveling System as its trademark.
  • Roynette is a Connecticut based business that markets and solicits over the Internet.  Roynette advertised the sale of a competing tile leveling system over the Internet through a YouTube video that was identical to the Tuscan leveling system.
  • The metadata from the YouTube video shows the Tuscan Leveling System trademark in "human readable form."   (Note: you can see the readable form in the attachment to the Complaint)
  • The metadata would permit Internet consumers to search for Tuscan and end up finding the Roynette video and product.   Roynette puts the product it is selling by hyperlink directly adjacent to the Tuscan trademark.

The Complaint seeks damages, attorney's fees, and an injunction.   Roynette has not yet responded to the lawsuit.

Nothing unusual about a YouTube video surfacing as evidence, but this one may be a first, at least in Connecticut.  This case is unique because the evidence is not the video itself but the metadata accompanying the video.  Metadata is typically described as data about data.   YouTube allows you to edit or add metadata to a video.  The metadata, descriptions, or titles for the videos can show up in response to search terms on search engines such as Google or even YouTube.  Because the title, description, and keyword tags are supplied by the uploader and served with the video page, a dated copy of the page source preserves this metadata in a way that a screenshot of the rendered video may not.  The allegation here is that Roynette used Tuscan's trademark name to attract consumers searching on the Internet for tile leveling.

In this case, it was not only consumers who found Roynette, but it seems they attracted Tuscan too.
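As an added illustration of what "searching a video's metadata for a trademark" means in practice (this is example code written for this post, not anything from the Tuscan complaint or from YouTube): the script below pulls the title and <meta> tags out of a saved HTML page and reports which fields contain a given term. The sample page, the "Acme" video and the mark "Widgetco Leveling System" are all constructed for the example; run it against a saved copy of a real page by passing that page's source to collect_metadata.

```python
"""Added example: pull a web page's metadata and check it for a given term.

Example code written for this post; the sample page and the mark
"Widgetco Leveling System" are constructed and do not come from the
Tuscan v. Roynette filings or from YouTube.
"""
from html.parser import HTMLParser


class MetaCollector(HTMLParser):
    """Gathers the <title> text and every <meta name|property=... content=...> pair."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.meta = {}
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            # Plain <meta name=...> and Open Graph <meta property=...> both carry
            # uploader-controlled text that search engines index.
            name = attrs.get("name") or attrs.get("property")
            content = attrs.get("content")
            if name and content is not None:
                self.meta[name.lower()] = content

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def collect_metadata(html: str) -> dict:
    """Return {"title": ..., "<meta name>": ..., ...} for a page's HTML source."""
    parser = MetaCollector()
    parser.feed(html)
    parser.close()
    fields = {"title": parser.title.strip()}
    fields.update(parser.meta)
    return fields


def find_term(fields: dict, term: str) -> dict:
    """Return the subset of fields whose value contains term (case-insensitive)."""
    needle = term.lower()
    return {name: value for name, value in fields.items() if needle in value.lower()}


# Constructed sample page: a competitor's video page that names another
# company's mark in its description and keyword tags but not in its title.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<title>Acme Tile Leveling Kit - demo</title>
<meta name="description" content="Acme kit: the same result as the Widgetco Leveling System at half the price.">
<meta name="keywords" content="tile leveling, lippage, widgetco leveling system, acme">
<meta property="og:title" content="Acme Tile Leveling Kit - demo">
</head><body><p>Video player would be here.</p></body></html>
"""

if __name__ == "__main__":
    fields = collect_metadata(SAMPLE_PAGE)
    for name, value in find_term(fields, "Widgetco Leveling System").items():
        print(f"{name}: {value}")
```

The match is deliberately a plain case-insensitive substring check: the point of the Tuscan allegation is that the mark appears in human-readable form in fields a search engine indexes, so any occurrence, whatever the capitalization, is what you want flagged. Keep the saved page source alongside the output; the output is a finding, the source is the evidence.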


LinkedIn Evidence In A Lawsuit -- It Was Only A Matter of Time

When I started this blog, I decided I would keep an eye on lawsuits related to social networking websites as it seems this type of evidence will soon take the place of the smoking gun email of the last ten years.  The impact of social networking evidence in Connecticut business litigation will continue to grow.

My interest in social networking cases started with a Facebook lawsuit, so I made a Facebook category on this blog and discussed some concerns for individuals and Connecticut businesses.  Then Twitter exploded to growth of 1000% last year, so I added a Twitter defamation case and a new category.  And now, it's finally here ... I need a LinkedIn category for LinkedIn lawsuits.

I do not claim to know about all of the social networking lawsuits out there.  There are also some social networking sites that I ignore, like the dying MySpace.  Nevertheless, I do track cases of interest in this area.  You might also check out Megan Erickson's Social Networking blog as a resource to check on these types of claims, or visit Dan Schwartz's Connecticut Employment Law Blog for resources and tips on policies for employers related to social networking.

The LinkedIn lawsuit involves a non-compete agreement and solicitation of employees by a former employee. Molly DiBianca with The Delaware Employment Law Blog detailed the case in a post about the lawsuit filed by TEKSystems against its former employees.  Nothing strange about this type of lawsuit, only in this case, TEKSystems claims it has evidence of breach of the employment contract arising from post-termination solicitation of its employees through the LinkedIn connections of one of the defendants.  Here is a copy of the lawsuit (go to paragraph 37). 

Molly DiBianca states it is the first lawsuit she is aware of using an employee's LinkedIn account.  She may be right, as I am not aware of another case like it.  Nevertheless, I certainly expect this type of social networking evidence to be the focus of more lawsuits and it was only a matter of time for LinkedIn to be involved in a case with media attention.  In Connecticut, we had our own social networking evidence case with Facebook.  In a bullying case involving Miss Porter's School, Judge Arterton ruled that the plaintiff's postings in an expired account were relevant.   

The way I see it, this is only the beginning.  Soon enough, social networking evidence will be as significant and commonplace as email evidence.  At that point, I'll have to find something else to blog about ....

Understanding Risks and Avoiding Lawsuits - Negotiation of the Master Services Agreement

Recently, I received a call from an attorney trying to figure a way out of a Master Services Agreement for his client.  His client, the purchaser, was stuck owing a lot of money to a technology vendor under a Master Services Agreement that was not working for the client.  The problem - - there was no protection under the contract for the purchaser and no clear way out without owing money to the vendor. 

The problem is not unique to technology purchasers.  Bad contracts also can hurt technology providers.   Take for example a recent case involving a technology company in a lawsuit over installation of new software for a small business.  The business claimed loss of profits due to extended down time as a result of a claimed breach of warranty.  The problem for the technology vendor - -  no protection in the contract with a limitation of remedy provision or disclaimer of warranty.  This opened up a claim for consequential damages that neither party contemplated.

In these cases, whether you are the attorney for the customer or the vendor, many times you are left saying "I wish you called me when you negotiated this contract."   In most instances, when a large or significant service and technology purchase is involved, the relationship between customer and vendor is set forth in a Master Services Agreement.  Master Services Agreements are typically contracts in information technology or professional services that govern a long term vendor-client relationship.  The contract includes general provisions on price, payment terms, and project scope.  The contracts usually include a Statement of Work. The Statement of Work will define the project specifics, services, or deliverables.

While the negotiation of a Master Services Agreement can be quite complex depending on the scope of the project, there are some general terms and clauses that should be considered or included in each agreement to avoid mutual misunderstandings, bad financial decisions, and unnecessary business litigation.  This applies to both sides of the negotiation whether you represent the customer or the vendor.  

There are some standard clauses and considerations in Master Services Agreements that can help the parties reach a true meeting of the minds as to the scope, risks, and obligations. Here is a checklist of some topics and questions that should be discussed as part of the negotiation of a Master Services Agreement:

  • Price.  It is important to remember that the sticker price or price on the contract is many times not as important as the soft costs and expenses.  It benefits both sides of the deal to make sure the price and payment terms (including add on fees like renewals, maintenance and service) are clear and understood.
  • Payment.  Is the agreement going to call for payment by time and materials?  A fixed fee?  A hybrid of both?  Will the payments be tied to meeting milestones on deliverables?  Penalty or late fees? Any retained amounts until completion?  For both sides of any deal, it is better to work out the details on payment ahead of time and avoid problems before they arise.
  • Intellectual Property.  Who is going to own the intellectual property rights to the new software or work performed?  If this is not addressed in the contract, unintended results may occur where the vendor has future property rights for a project paid for by the customer. 
  • Warranty.  What is the scope of the warranty of the work? Will the warranty be limited to the vendor's performance in a workmanlike manner or is greater warranty protection needed for a new product installation?  Does the vendor warrant the software or other products? The warranty many times provides the basis of the claim for damages against the vendor.  By limiting or expanding the warranty, the scope of liability is understood by both parties at the outset. 
  • Statement of Work.  This is the document that will provide the specifics on the deliverables under the agreement.  Will it be a separate document?  How much detail will be included?  What assumptions are made?  How can the scope of the project increase?  What are the due dates and deadlines?  An overly broad Statement of Work can be a problem for both a vendor and customer.
  • Confidentiality Agreement.  Typically, the parties to a Master Services Agreement will want a mutual confidentiality agreement or non-disclosure agreement to prevent disclosure of proprietary information and company trade secrets.  How will you define proprietary information and trade secrets?  How long will the agreement last?  What are the penalties for violation?
  • Indemnification.  These clauses typically shift the risk associated with a loss or a claim from one party to another.  For example, what happens if the customer gets sued for patent infringement for work product of the vendor?  Should the vendor have to defend and indemnify the customer for the lawsuit?
  • Attorney's fees and Alternative Dispute Resolution (ADR).  How will disputes under the contract be resolved?  ADR clauses in the contract can provide for the award of attorney's fees to the prevailing party and force all disputes to be resolved in binding arbitration as opposed to a typical lawsuit in court.   More and more, both customer and vendor are seeking to avoid costly litigation by electing for a streamlined dispute resolution process.
  • Insurance.  Does the vendor have errors and omissions insurance?  Should it be required in the contract?
  • Termination.  What terms will govern when one party is unhappy or if a party is in breach?  How do you get out of the contract?  30 days notice?  10 days notice?  Is there any payment for at will termination?  Does work stop upon notice?

These are just a few of the major considerations at play for both a purchaser and vendor under a Master Services Agreement.  For any significant transaction, it is advisable for a technology lawyer to negotiate the contract.  Early involvement of a technology attorney can save time and expense later and help each party understand the risks of any particular project.


Business Blog Round Up: YouTube, Coffee Cups, Anna Nicole and Identity Theft


  • Ashby Jones of the Wall Street Journal blog writes an intriguing post about the Google and Viacom lawsuit concerning Viacom's claims of copyright infringement against YouTube (a Google subsidiary).  The post recounts how Viacom employees uploaded copyrighted copies of Viacom's own videos to YouTube to help prove that YouTube was not promptly removing videos that infringe copyrights.  At stake: immunity under the Digital Millennium Copyright Act.  Google says it is protected from suit under the Act because YouTube removes content upon request of a copyright holder.  Viacom says otherwise and points to some of its own videos that were not removed.  I do not know the particulars of the lawsuit, but if Viacom hopes to prevail, you would expect it to have more to proceed on than its own employees' videos.
  • PatentlyO, the nation's leading patent law blog, has a humorous post indicating Starbucks may soon be subject to a false marking claim if it keeps a patent number on its corrugated cardboard cups for much longer.  Professor Dennis Crouch looked up the patent on the cup and it is set to expire in a month.  Maybe Starbucks will settle out of court like the coffee house did with Kramer on Seinfeld for lifetime free coffee!  (if you are wondering, this happened in the Maestro episode)
  • Brendon Tavelli of The Privacy Law Blog writes about the Federal Trade Commission's settlement with LifeLock, Inc. for misrepresentation concerning its identity theft services and protections.  35 states joined in the settlement.  According to the settlement, LifeLock was not providing the comprehensive identity theft coverage it advertised.  Any consumer considering an identity theft protection service should do a very detailed investigation of the company and its services.  I wrote a post recently about data loss and noted that many victims are offered identity theft protection as part of the settlement.  Many times, the protection is not adequate.
  • Victoria Pynchon's Settle It Now Blog has a compelling post about her project to teach women to negotiate better in retail, relationships, employment, and the law.  I recently discovered this popular blog and now I am a regular reader.  Great insights, not only for women (although she says so a few times).
  • John Buford of the North Carolina Business Litigation Report has a post about a business valuation case involving a closely held business.  At issue in the case was determining the value of an unproven technology.  The problem was setting a fair price to avoid a windfall for either side.  Although it is a North Carolina case, the concepts of valuing intellectual property, especially unproven technology, are more a function of the science of appraisals than of state law.  Some useful concepts are discussed, including the appraiser's methodology that the court accepted.
  • Mashable, a top 100 blog, discusses Twitter's birthday only 4 years ago.  Twitter hit 50 million tweets per day last month. Mashable is a great blog that has just about everything there is to do with social media and web 2.0.
  • For more on social media: Nicole Black's Sui Generis - a New York Law Blog - discusses Nicole's new book, "Social Media for Lawyers: The Next Frontier."  The book is co-authored by Carolyn Elefant, who publishes the blog MyShingle.com an excellent resource for solos and small firm lawyers.  
  • Megan Erickson's Social Networking Blog also details the Classmates.com settlement.  I guess I was not the only one getting those annoying emails claiming my classmates were looking for me.
  • Cannot do a business blog round up without mentioning the ScotusBlog and its post on Anna Nicole Smith's estate losing her long disputed claim for millions from her tycoon husband J. Howard Marshall.  The post includes the decision and a summary story.


Thank You to Hartford Business Journal and Advanced Copy

Thank you to Advanced Copy for nominating me for Best Use of Blogs for the Hartford Business Journal's Strateg E Awards for 2010.  Thank you to the Hartford Business Journal for selecting this Blog as a finalist and putting on a great event yesterday. 

Congratulations to Thomas Clifford who won for his Blog, Bringing Brands to Life.  Tom is a big fan of Daniel Pink who has some revolutionary ideas for business management.  I just read Pink's latest book "Drive: The Surprising Truth About What Motivates Us."  Great read. 

Class Action Lawsuit Filed In Connecticut Against AT&T Over Internet Access Tax

On January 11, 2010, a class action lawsuit (download here) was filed against AT&T alleging that it improperly charged sales tax to access the Internet in violation of Connecticut law and the Internet Tax Freedom Act.

The case was brought on behalf of David Rock who subscribed with AT&T for a "wireless data plan that permits access to the Internet by radio device."  The plan permits Internet access remotely by computer or smartphone, such as an iPhone or BlackBerry.

The complaint alleges improper charges from AT&T for state and local sales taxes on internet access on monthly bills.  The complaint is based in part on Connecticut General Statutes 12-407(a)(26)(A) which excludes Internet access from the state's sales tax on telecommunications.  The Internet Tax Freedom Act also prohibits taxes on Internet access.  The complaint alleges thousands of potential members for the class in Connecticut.  The complaint alleges breach of contract and violation of Connecticut's Unfair Trade Practices Act.

Nate Anderson of Ars Technica reported on several identical lawsuits filed in Georgia, Indiana, and Alabama over the last month.  Mr. Anderson reported that the same lawyers were behind the multiple filings.  In a Hartford Courant article today by Matthew Sturdevant, the attorney for Mr. Rock, Michael Koskoff, noted that perhaps a dozen similar suits will be filed in various states.

Mr. Anderson made a humorous comment that all the complaints in the Georgia, Indiana, and Alabama cases have the same typo or misuse of the word "I-Phone" rather than iPhone.  The complaint in the Connecticut case has the same misuse of "I-Phone."  So, either there is some cooperation nationwide on the plaintiff side on the content of the complaints or perhaps none of the lawyers involved own iPhones.   

In any event, these cases will be interesting to track as all of the lawyers involved on the consumer side have significant experience in class action lawsuits, including against telecom providers.  I also agree with Mr. Anderson that the actual definitions of "sales tax" and "Internet access" might seem simple enough, but can actually be quite complicated.  I expect AT&T will make use of those complications. 

 

Don't Get Rocked Like RockYou -- Protect Your Customers' Personal Information

A recently filed class action lawsuit (download complaint) against RockYou highlights the very real threats to businesses from hackers stealing customer data, also known as personally identifiable information (PII).

According to the complaint filed in federal court in San Francisco, RockYou is a publisher and developer of popular online applications and services for use with social networking sites such as Facebook and MySpace.  RockYou allegedly exposed 32 million of its users to identity theft by failing to encrypt or otherwise protect email account information and passwords.  The suit alleges violations of California Civil Code, breach of contract, and negligence.

Jason Remillard of Web Host Industry Review provided a detailed post on the lawsuit noting that RockYou may face more difficulties than expected because RockYou is a "launchpad type of service, that hold credentials for other services (myspace, facebook, etc)..."  As such, RockYou may face liability for data exposures across other platforms. 

Mr. Remillard notes that he has been warning site owners about the risks of holding consumers' PII.  I agree with Mr. Remillard that avoiding storage of such personal data in the first place is often the best way to prevent liability exposure for both loss of data and a security breach.  If a business must store PII in its systems, then a data loss and security plan must be in place to protect the data.  In prior posts, I offer some suggestions and tips for Connecticut business owners that have sensitive data or store PII of their customers.

Dave Kravets of Wired.com offers some more details about RockYou's alleged security failures, which apparently resulted from the same common vulnerability exploited by hackers in the cases of Hannaford Brothers, 7-Eleven and Heartland Payment Systems.  The vulnerability results from RockYou's SQL database, which relates to the actual storage method and management of millions of email accounts and passwords.  The complaint against RockYou alleges that the prior well publicized flaws in SQL should have been addressed with readily available protection measures.

Brennon Slattery of PCWorld wrote about the security breach and compared RockYou's security system to storing passwords and emails on sticky notes.  He noted that RockYou stored the information in plain text.  In other words, once the hacker got inside RockYou's system, the passwords and email accounts were as easy to read as sticky notes because there was no encryption of the text. 

RockYou has issued a statement explaining the breach and intends to defend the lawsuit.  RockYou also has implemented new steps to avoid future breaches, including implementation of encryption for all passwords.  Encryption is the method used to make the stored passwords unreadable to a hacker who gains access to the system. 
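The two failings described above (an SQL-backed credential store that exposed passwords, and passwords kept in plain text) both have standard, readily available fixes. The following is an added illustration written for this post; it is not RockYou's code and does not reflect what RockYou actually implemented. It assumes a small SQLite table as a stand-in for the SQL database, uses bound parameters so that user input is never pasted into a query, and stores only a salted PBKDF2 hash rather than the password. Note that this is one-way hashing, not the reversible encryption the statement refers to: a hash lets the site check a login but gives an intruder who copies the table nothing to read back. All sample accounts and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample credentials for the demonstration (not real accounts).
# The apostrophe in the second address shows that bound parameters treat
# user input as data, not as part of the SQL statement.
SAMPLE_USERS = [
    ("alice@example.com", "correct horse battery staple"),
    ("o'brien@example.com", "p@ssw0rd!"),
]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def create_schema(conn):
    """One row per account.  The password itself is never written to the table."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        "email TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: one-way, so a copy of the table yields no passwords."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(conn, email, password):
    """Store a new account; a fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16)
    # '?' placeholders are bound by the driver; the email is never concatenated
    # into the statement text, so a quote character cannot change the query.
    conn.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )


def verify(conn, email, password):
    """Return True only if the candidate password re-hashes to the stored value."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_record(conn, email):
    """What someone who copied the table would see for this account: hex salt and hash."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    return None if row is None else (row[0].hex(), row[1].hex())


def build_demo():
    """Create an in-memory database populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    for email, pw in SAMPLE_USERS:
        register(conn, email, pw)
    return conn


if __name__ == "__main__":
    conn = build_demo()
    for email, pw in SAMPLE_USERS:
        print(email, "->", stored_record(conn, email))
        print("  login ok:", verify(conn, email, pw),
              " wrong password:", verify(conn, email, pw + "x"))
```

Two users who pick the same password end up with different rows because each gets its own salt, which is the property that makes a leaked table far less useful than the "sticky notes" described above.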

The RockYou case is another example of the increasing number of data loss and security lawsuits and should serve as a reminder to any business that stores PII to implement a data loss and security plan. 

 

New Study Shows Small Businesses Vulnerable to Cyber Attacks

The National Cyber Security Alliance recently released a new study with some startling numbers concerning small businesses and the threat of data loss, security breach, or cyber attack.  Some of the key numbers obtained from polling small business owners include:

  • 65% store customer information on computer systems
  • 43% store financial records
  • 33% store credit card information
  • 86% do not have anyone focused on system security
  • 11% of owners never check their computer security systems
  • 75% use the internet to communicate with customers
  • 28% have formal internet security policies

What do these numbers suggest? Deborah Cohen, who covers small business for Reuters.com, published an article following release of the study and “confirmed that small businesses are among the most vulnerable to Internet crime. . .” She quoted Michael Kaiser, executive director of the National Cyber Security Alliance, who noted that “small businesses are pretty robust targets” for cyber attacks citing the lack of Internet protocol and employee training. Cohen’s article also offers some tips from Kaiser for small businesses to help confront cyber attacks.  

If you are looking for some guidance or help with cyber security, read here for some of my earlier posts.  If you are looking for a do-it-yourself place to start, try the U.S. Chamber of Commerce.  The Chamber offers a great resource entitled “Common Sense Guide to Cyber Security for Small Businesses.”  It’s a 12 step plan to increase cyber security.  Here are some highlights:

  • Use strong passwords and change them regularly
  • Watch for strange email attachments
  • Install computer security software and network security
  • Keep software updated
  • Limit access to sensitive and confidential data
  • Establish and follow a security plan
  • Maintain insurance coverage

The threat of data loss or security breach is not going away, but will only increase. Lawsuits concerning data loss and security breach are more frequent. Business owners need to stay on top of the threat by implementing a sound data loss and privacy plan. There is no one size fits all approach and every business will have its own risk exposures. If you are a business owner, consider having your business evaluated for risks of cyber attack or data loss. 

 

Do Not Count On Beating Goliath: Implement A Management Plan To Avoid Software Licensing Problems

This month's business technology tip arises from the recent David v. Goliath story reported on by Douglas Malan of the Connecticut Law Tribune.  Kent Johnson, the owner of a small computer repair shop in Connecticut was sued by the software Goliath Microsoft for allegedly selling one improperly licensed version of Microsoft Office. Microsoft put 15 people on the case and sued Mr. Johnson in federal court for copyright infringement.  

Mr. Johnson represented himself against Microsoft and reportedly reached a favorable settlement.  Mr. Johnson has a website that provides all the details of the case from the very beginning.  As much as Mr. Johnson's apparent success against Microsoft was unusual, the notion of Microsoft going after business owners for copyright infringement is not. 

Microsoft, and other software publishers, might pursue an infringement case directly or through enforcement groups such as the Business Software Alliance (BSA) and the Software & Information Industry Association (SIIA).  These groups estimate that piracy costs software publishers seven billion dollars annually.

When you purchase software for your business, the software comes with a license that restricts your use of the software.  If you violate the restrictions in the license by copying or distribution, software publishers consider it piracy.  For example, typically you cannot install a software program for several users on multiple computers without purchasing additional licenses.  Also, you generally cannot install a program on a network server and let multiple users have access to it without the proper number of licenses.

Violation of a software license or copyright can carry significant civil (and potentially criminal) penalties in piracy cases.  Penalties can range up to $150,000 per offense for copyright infringement, and there may be additional damages for lost profits.  Many of these cases result in significant financial settlements in favor of the software publisher. 

You might be wondering how Microsoft finds out about a small company violating its software license.  Typically, an anonymous informant (an employee or IT consultant) reports the company to the software publisher, BSA, or SIIA in hopes of recovering a reward.  These groups openly advertise rewards of up to a million dollars for anonymous tips that lead to successful enforcement actions. 

Many times businesses can inadvertently run afoul of licensing restrictions without realizing it.  Violations can occur when trying to cut costs, relying on bad advice from IT professionals, or through an employee's improper downloading of software.  When groups like the BSA become aware of allegations of software piracy, they usually issue a software audit letter to the business or initiate a lawsuit in federal court.  The BSA will request proof of proper licensing from the business.

After receiving an audit letter, a business will have to decide either to fight it in court or to cooperate.  Facing Microsoft or the BSA in court can be risky financially, and many businesses choose to cooperate.  Problems often arise for businesses that cooperate because they cannot establish sufficient proof of licensing or the business is not aware of the extent of the infringement. 

The best way to prevent problems with software licensing or an audit is to implement a software asset management plan.  Ideally, the plan would include at a minimum a written policy covering: (a) terms for copying, use, and transfer of company software; (b) the risks of improper use of software and piracy; and (c) disciplinary action for employee misuse.  The plan should also include software management, including a system for record keeping of all receipts, licenses, and original copies of the software.  The plan should further include regular self-audits of company computer systems to verify proper licensing.

With a good software management plan in place, a business will be better equipped to defend a software audit or avoid it in the first place.  In either case, if your business is facing an audit or other enforcement action, you should seek legal advice.  If you face Goliath alone, do not count on obtaining the same success as Mr. Johnson.

Connecticut State Court To Phase In Mandatory E-Filing

The Connecticut Judicial Branch will implement mandatory electronic filing in Connecticut state superior courts in all civil cases by December 5, 2009.  The Judicial Branch is also going paperless for short calendar and notices will no longer be sent by paper in the mail (unless the firm or litigant is exempt) starting September 1, 2009.

The mandatory e-filing will be implemented in phases as follows:

  • E-filing will be available in all remaining civil cases (with few exceptions) starting August 22, 2009.
  • E-filing is mandatory in all foreclosure cases starting September 1, 2009.
  • E-filing is mandatory in all remaining civil cases starting December 5, 2009.

Law firms and attorneys can receive e-filing training in each judicial district.

E-filing will be mandatory starting December in Connecticut in both state superior and federal district courts unless a law firm or litigant qualifies for an exemption.

 

Three Lawsuits Against Facebook For Fraud Raise Concerns For Advertisers

If your business is advertising on Facebook, or considering it, you should do some research on the newest allegations of advertising fraud against the online giant.  Facebook reportedly has over 250 million users so it is understandable that a business would want access to Facebook's users.  Facebook offers businesses advertising space online that is targeted to specific demographics of its users.  Facebook charges for the advertising based on the number of views or clicks that the ad receives from users.

As reported by TechCrunch's Michael Arrington, massive complaints started surfacing recently against Facebook for "click fraud."  Basically, advertisers were clicking on competitors' ads, or paying others to do it, to artificially drive the price up.  Advertisers were also reporting that Facebook was charging for more clicks than the ad was actually receiving.  There are now three lawsuits filed against Facebook for advertising click fraud.

The most recent lawsuit was filed on July 31st by an individual advertiser seeking class action status.  The second lawsuit was filed by Unified ECM, a software company, seeking class action status for massive click fraud by Facebook.  The first click fraud lawsuit was filed by sports company RootZoo, and it also seeks class action status. 

BNET Media's Catharine Taylor posted a good report on the details of the first two lawsuits, including email comments from Facebook.  In the email, Facebook maintained that the Unified lawsuit is "unnecessary and baseless."  Wendy Davis of Online Media Daily posted a good report on the first lawsuit by RootZoo.  All three suits alleged discrepancies between the charges by Facebook and the actual number of clicks recorded by the advertisers.

Although Facebook has denied all the fraud allegations, TechCrunch takes the position that the click fraud problem is real and confirmed by Facebook. The Lost Press Marketing Blog presents a different view accusing Unified ECM of a "marketing stunt" to get exposure through press coverage of its lawsuit. 

Any business considering advertising with a pay per click campaign should take caution, whether on Facebook, another website, or a search engine.  If you want to measure your return on investment, you should consider monitoring any pay per click campaign internally.  If you are considering Facebook, you should wait to see what Facebook does to reassure its advertisers that fraud will be monitored effectively.  For now, the problem does not appear to be going away.

 

Insurance Might Be An Option for Data Loss Lawsuits Alleging Negligence Against Businesses

Every business in Connecticut, big or small, faces significant financial consequences for data loss or a breach of security.  As I noted in a business tips post on this blog, implementing a strong data loss and privacy policy is critical for preventing a loss or mitigating its effects and damages.  Of course, once you have a policy or procedure in place, your business could face a lawsuit for negligence for violation of these same policies and procedures.   To add extra protection against the devastating costs of data loss or a security breach, businesses should also consider insurance coverage.

Lawsuits over data loss and security breaches are becoming more common.  Obtaining insurance to cover losses from data loss can potentially save your business.  Business litigation attorneys bringing lawsuits over data losses often include negligence as one of the grounds or theories of recovery in these cases.  Take, for example, the recent class action lawsuit for data loss filed against Aetna in federal court in Pennsylvania.  The lead theory of recovery in the complaint against Aetna is negligence.   

There may be many reasons why attorneys pursue negligence as a theory of recovery in these security and privacy cases.  However, pursuing a negligence theory increases the possibility of triggering the breaching company's insurance coverage for data loss, if the company has a policy.  If a business has insurance coverage that applies to the allegations in the complaint, the insurance company typically will also provide a legal defense to the claim.   Legal costs alone could be enough to sink a business, let alone the damages.   

When considering the cost of a data loss insurance policy, a business owner should likewise consider the cost to the business of a data breach.  How can you estimate the cost?  One way to estimate the cost is to use a data loss calculator.  You might also estimate your data loss costs by referencing this 2009 Ponemon Institute benchmark study estimating costs at $202 per page and rising. 

The price of an insurance policy may be cost effective when you consider the potential devastating financial impact of a major data loss or security breach.  In addition, if a business has a strong data loss policy and procedure in place, the cost of insurance should be lower.   Although cyber liability insurance has been available for over ten years, more of these insurance policies are being offered at better prices today.  Here are some links to major insurance companies offering insurance policies for data loss, cyber liability, and technology errors. 

  • Technology 404 by Darwin
  • CyberChoice by The Hartford
  • CyberSecurity by Chubb
  • ACE DigiTech
  • OneBeacon @vantage

 

Technology Tips For Connecticut Businesses To Avoid Litigation

As part of this Blog, I am going to regularly post technology tips for any Connecticut business to manage risks and avoid lawsuits. These tips will be based on a presentation I did for the Hartford Business Journal's Etechnology Summit concerning technology bombs that can sink a business.

Here's today's tip for Connecticut businesses to avoid financial loss as a result of data loss and security breaches.

Implement a Data Loss Policy and Solution

Any business that stores third party information or personal identifiers (credit card information, social security numbers) on its computer systems faces potential exposure under a host of privacy laws.  For a good resource on privacy laws, go to the Privacy Law Blog by Proskauer Rose LLP.  For an example of a new privacy law in Connecticut, consider the "Act Concerning the Confidentiality of Social Security Numbers."  Connecticut's Unfair Trade Practices Act could also be implicated in a data loss case.

Data loss or a security breach can cause a huge financial problem, bad public relations, and significant down time.  Consider the recent case of TJX reported on by Sheri Qualters for the National Law Journal.  Discount retailer TJX had a data breach involving exposure of 45 million credit and debit cards.  TJX entered into various settlements including payment of $9.75 million to 41 states; $30 to every consumer who used a credit or debit card; and an undisclosed settlement with three banks.  Ouch.

TJX is an extreme example, but data loss can sink a small to medium sized business.  How can a business minimize its exposure to lawsuits from data loss or security breach?

Implement a data loss policy and solution for your business.  There is no one size fits all policy and solution, and every business will have different needs.  If you already have a policy, you should have it reviewed regularly for changes in the law.  If you do not have a policy in place, you need to start somewhere.  For "do it yourselfers" there is the Federal Trade Commission's Guide for Business and Protecting Personal Information.  The FTC's guide is a 5 step plan from identifying your risk exposure to implementing procedures. 

In addition to implementing policies, any business with a significant risk exposure for data loss (i.e. medical practices, retailers, e-commerce) should consider purchasing a cyber liability insurance policy.  These policies are now more affordable, and many insurers such as The Hartford are now actively underwriting policies to cover first and third party data loss claims and providing ongoing resources and information.  

The bottom line is, a business cannot afford to take the risk of ignoring data loss and security breach exposure.  Do not wait for the first breach or lawsuit. 

Social Networking Lawsuits Are Big Risk to Business

I just read an excellent article posted on Law.com from the New York Law Journal on social networking and challenges to business owners and their legal counsel.  The authors, Christopher Boehning and Daniel Toal, focus on new emerging problems associated with electronic discovery of social networking data.  The authors also point out many of the potential problems for employers and businesses related to social networking sites.

When Facebook started exploding in popularity, you could see that the future in communication was social networking.  Boehning and Toal cite a New York Times article that indicates the future is now upon us, as more people spend time on social networking sites than e-mailing.  The authors correctly point out something I emphasize to all my business clients: businesses need to have a policy on how to handle social networking sites like Facebook, MySpace, LinkedIn and Twitter.  The policy should cover the business's use of such sites and use by employees.  Policies on preservation of the data should also be included, as social networking data is akin to the new email.

Lawsuits involving some aspect of social networking sites are increasing in frequency from across the country. Take for example the recent jury verdict in New Jersey against Hillstone Restaurant for violation of the Federal Stored Communications Act. 

In that case, the employer accessed an employee MySpace group that was dedicated to criticizing the employer.  Although the verdict amount was relatively small, the implications are far reaching.  This case was reported on by Charles Toutant in the New Jersey Law Journal.  The employees' trial brief is a good read and spells out some of the arguments in favor of employees' rights to privacy with social networking sites. 

The outcome in the New Jersey case may have been different if the restaurant had a policy addressing use and access to social networking sites.  Businesses will have different concerns when it comes to adopting a policy, and no policy will cover every situation.  However, the lack of any policy at all is likely to lead to problems and potential litigation.  The best way to avoid litigation is to implement a written policy on use and access to social networking sites.