IP Advice for Connecticut Start-Ups: Protecting Your Client’s Personally Identifiable Information

 David Benoit presents his fourth post as a guest blogger on the topic of Intellectual Property for Connecticut Start-Up companies.  In his fourth installment, he focuses on the need for entrepreneurs to protect their client’s most important assets: client personal information.  

In addition to implementing best practices with respect to a company’s own IP, start-ups need to be as mindful in taking adequate safeguards to ensure that any client IP that is being collected, stored, manipulated or distributed is not being used in a manner that will expose the start-up to liability.  Client IP most often includes “NPI” (nonpublic personal information) and includes personally identifiable financial information and any lists, descriptions or other groupings of consumers derived using personally identifiable financial information.  Unauthorized disclosure or access of personally-identifiable customer data typically results in financial liability (i.e., regulatory fines, penalties and legal fees) and reputational liability (i.e., damage to goodwill that the startup has worked hard to build). 

Knowing which IP safeguards to implement and what steps need to be taken if an IP breach occurs requires a thorough understanding of the ever-changing, multi-jurisdictional laws and regulations applicable to the start-up’s business.  This could include federal regulations, state- and industry-specific requirements surrounding the collection, storage, deletion and distribution of sensitive customer or end-user data.  Utilizing the services of a privacy attorney who understands not only your business, but also your client’s, is important to implementing best practices.  

Having an understanding of these regulations and standards, such as the Children’s Online Privacy Protection Act (COPPA), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH Act), Gramm-Leach-Bliley Act (GLBA) the Fair Credit Reporting Act (FCRA), the Fair and Accurate Transactions Act (FACT Act) and the Payment Card Industry Data Security Standards (PCI DSS), is extremely important to minimizing liability exposure.  Furthermore, knowing how to use customer IP without overstepping boundaries requires a well-written privacy policy, terms of service and other applicable data use agreements.



Business Litigation Blog Roundup

Here are some quick hits from Blogs I read around the country on business litigation.

Dionne Searcey of the Wall Street Journal law blog reports on the intellectual property fight over the red, white, and blue "Hope" image of President Barrack Obama created by Los Angeles artist Shepard Fairey.  Fairey is claiming his rights to the work, but apparently is confused as to his source material leading to the withdrawal of his duped attorneys. 

Rush on Business breaks down his tips for negotiating Franchise Agreements. Rush highlights the need to have an attorney review your franchise agreement and not to believe any franchisor that says you do not need an attorney or that they will not hold you to certain terms of the agreement.

A win for digital technology was reported on by Mack Sperling in the North Carolina Business Litigation Report.  Mack reports on a case where a settlement agreement was challenged under the statue of frauds because it involved land and there were no written signatures.  You can read here an earlier post from me on the statute of frauds in Connecticut.  The court upheld the agreement in part based on electronic signatures in emails exchanged between counsel. 

Nancy Savitt of the Privacy Law Blog reports on an enforcement action concerning the Children’s Online Privacy Protect Act (COPPA).  The Federal Trade Commission fined Iconix Brand Group, Inc $250,000 for "collecting personal information from children without complying with COPPA’s parent consent…"  The personal information at issue was dates of birth.  Collecting personal identifiers such as dates of birth can be a real risk for any business.  Read here for some of my posts on how Connecticut businesses can address privacy concerns.

 Jeffrey Mehalic’s West Virginia’s Business Litigation Blog discusses an interesting suit involving misappropriation of trade secrets against the Pittsburgh Post-Gazette.  A corporation, Mylan, brought a lawsuit against the paper claiming misappropriation of trade secrets and conversion for articles that were allegedly not favorable to Mylan.

Edward McNally of Delaware Business Litigation Blog reports on a case upholding Delaware as a forum for a trade secret case.  This post is informative in that it discusses why Delaware is often a preferred forum for corporate litigants trying to protect trade secrets.