
Are Fingerprints Less Safe Than Passcodes?

Locking your phone with a fingerprint is more secure than using a password, right? Maybe from a hacker, but not from the law. In a Virginia Circuit Court opinion handed down on October 28, 2014, Judge Steven C. Fucci ruled that fingerprints are not covered by the Fifth Amendment’s protection against self-incrimination, and as such, the government may compel a criminal defendant to give up his fingerprint in order to unlock a cell phone.

According to news outlets, Judge Fucci reasoned that giving police a fingerprint is akin to providing DNA, a handwriting sample, or an actual key, all of which Virginia law permits the government to compel. In contrast, if the police were seeking a password or passcode to unlock a phone, compelling it would be prohibited by the Fifth Amendment because it would require the criminal defendant to divulge his personal knowledge.

This ruling comes in the case of David Baust, an individual accused of domestic violence. Police obtained a search warrant for Baust’s phone, believing it contained a recording of an attack. Baust refused to unlock the phone, saying that the police could access embarrassing items on the phone unrelated to the case. Interestingly, the phone has been shut off while in police custody and may require a passcode in addition to a fingerprint to be unlocked: on most phones, a device that has been powered off demands its passcode at the first unlock and only enables the fingerprint sensor afterwards. If that is the case here, prosecutors would have to tackle the issue of passcodes and the Fifth Amendment in the appellate court.

While this ruling has garnered national attention, it remains to be seen whether the rest of the state and courts in other jurisdictions will follow suit. Regardless, it’s another example of the interesting intersection between law and technology.

Perhaps It’s Time to Get Rid of That Browsewrap Agreement

On August 18, 2014, the 9th Circuit Court of Appeals affirmed a district court’s holding that Kevin Khoa Nguyen could not be compelled into arbitration with Barnes & Noble over a claim arising out of Mr. Nguyen’s online purchase of an HP TouchPad that Barnes & Noble later cancelled.

Barnes & Noble argued that by accessing its website, Mr. Nguyen consented to the site’s Terms of Use (“TOU”), which provided: “By visiting any area in the Barnes & Noble.com Site, creating an account, [or] making a purchase via the Barnes & Noble.com Site… a User is deemed to have accepted the Terms of Use.” The compulsory arbitration language was contained in the TOU as well.

While the 9th Circuit’s analysis focused on the applicability of the arbitration provision, its holding calls into question the validity of browsewrap agreements in general.

A website’s Terms of Use is a contract between the website owner and the website’s visitors. For any contract to be legally binding, the parties to the contract must manifest their assent to be governed by its terms. See Register.com, Inc. v. Verio, Inc., 356 F.3d 393, 403 (2d Cir. 2004) (“While new commerce on the Internet has exposed courts to many new situations, it has not fundamentally changed the principles of contract”). In keeping with the tradition that assent may be expressed in writing, orally, or by conduct, many website owners and online service providers use “clickwrap” or “browsewrap” agreements to bind their online consumers. Users consent to clickwrap agreements by some form of affirmative express consent, typically clicking an “I Agree” box, before accessing the website or online service. A browsewrap agreement, on the other hand, does not block a user from accessing the website or online service; the agreement is accessible to the user via a hyperlink, typically located at the bottom of the page. Since browsewrap agreements lack the user’s explicit assent (no “I Agree” box), their enforceability hinges on whether the user had actual or constructive knowledge of the website’s TOU. Until this opinion, constructive knowledge was generally inferred where notice of the TOU was conspicuously displayed on the website.

In Nguyen v. Barnes & Noble, the 9th Circuit found that Mr. Nguyen did not have actual or constructive knowledge of Barnes & Noble’s browsewrap TOU. It held that since there was no evidence Mr. Nguyen read the TOU or even clicked on the TOU hyperlink, he did not assent to the TOU and therefore could not be bound by its terms. This is despite the fact that Barnes & Noble had placed hyperlinks to its TOU on every page of its website and in the online checkout process, and that the links were underlined and set off in green typeface. Without more, the court held, this did not amount to constructive notice of the TOU.

What’s more, the court provided examples from case law where courts had found users assented to browsewrap agreements:

  • Register.com, Inc. v. Verio, Inc.: Defendant admitted that it was fully aware of the terms on which plaintiff offered access to its online service, and defendant repeatedly accessed plaintiff’s service;
  • Southwest Airlines Co. v. BoardFirst, LLC: Defendant continued its breach after being notified of the terms in a cease and desist letter;
  • Ticketmaster Corp. v. Tickets.com, Inc.: Defendant continued to breach the TOU after receiving a letter from plaintiff quoting the browsewrap contract terms;
  • Zaltz v. JDATE: The court enforced the forum selection clause of the browsewrap agreement where prospective members had to check a box next to the statement “I confirm that I have read and agreed to the Terms and Conditions of Service.”
  • Fteja v. Facebook, Inc.: The court enforced the forum selection clause in a browsewrap TOS where notice below the “Sign Up” button stated “By clicking Sign Up, you are indicating that you have read and agree to the Terms of Service,” where “Terms of Service” was a hyperlink and there was evidence the plaintiff had clicked “Sign Up.”
  • Cairo, Inc. v. Crossmedia Servs., Inc., No. 04-04825, 2005 WL 756610 (N.D. Cal. Apr. 1, 2005): The court enforced the forum selection clause in the website’s TOU where every page on the website had a textual notice that read: “By continuing past this page and/or using this site, you agree to abide by the TOU for this site, which prohibit commercial use of any information on this site.”
    • Compare the decision in Cairo with Pollstar v. Gigmania, where the court refused to enforce a browsewrap agreement where the textual notice appeared in small gray print against a gray background.

Interestingly, the 9th Circuit also affirmed the district court’s second holding: that Mr. Nguyen was not prevented from denying the applicability of the arbitration clause even though he took advantage of the TOU’s choice of law provision when bringing this lawsuit. The court distinguished this case from previous cases applying the doctrine of direct benefits estoppel because Mr. Nguyen was not a third-party beneficiary of the TOU but a primary party to it, and the choice of law provision was not a benefit intended for Mr. Nguyen specifically.

Although the court did not invalidate browsewrap agreements per se, this opinion, together with the extra steps the court indicates are needed before a user can be bound, makes browsewrap agreements a much less attractive option.

Square raising additional funds – $6 Billion valuation to compete with Apple Pay

Square just closed a $150 million Series E round of fundraising (that would be after A, B, C, and D…). Relative to its payment processing volume, the valuation has fallen: Square is expected to process roughly $30 billion in transactions this year, while in 2013 it processed $20 billion at a valuation of $5 billion, and in 2011 it processed $1.46 billion at a valuation of $1.6 billion. It also lost $100 million in 2013.

It is unknown whether Square needs the funds to pay its bills, to acquire additional companies, or for other internal operating priorities.

There is a lot of buzz in the payments space, especially with the anticipation that Apple Pay will make NFC payments more widely available and an accepted form of payment. This is also making the space more crowded: Intuit, PayPal and others are all competing for it.


Why Aereo Matters: Where did Secondary Liability Go?

Earlier this summer, in American Broadcasting Cos., Inc. v. Aereo, Inc., 573 U.S. ___ (2014), the United States Supreme Court held that Aereo infringed the copyright holders’ exclusive right to publicly perform their works by providing a service that allows subscribers to watch free, over-the-air broadcast television channels over the Internet. Aereo provided the service by mounting an array of small antennas, each dedicated to one individual subscriber. Aereo’s antennas would receive the broadcast signal, which Aereo would then buffer and stream over the Internet to the subscriber, much as any individual could do by connecting an antenna to a PC or laptop. The Court’s decision matters because its reasoning and ultimate conclusion that Aereo was engaged in direct copyright infringement, if widely followed, could eviscerate the concept of secondary liability on which many online services depend for their legality, and with it the framework that has provided some degree of predictability to a complex area of law.

Copyright law applies to original works of authorship that are fixed in a tangible medium, and is the protective shield for movies, books, songs, dances, architecture and other artistic endeavors. There exists a “bundle of rights” within each copyrighted work: the right to make copies of the work, the right to distribute copies of that work, the right to prepare derivative works, and, depending on the nature of the work, the right to perform or display the work publicly. A copyright owner can then assign or license any of these rights to any number of parties. In the Aereo case, the petitioners (TV broadcasters) alleged that Aereo infringed upon their exclusive right to publicly perform the work, specifically their right to distribute and broadcast various television shows.

As background, one can become liable for copyright infringement in one of two ways: directly or secondarily (also known as contributory or vicarious infringement). Tracing concepts that are familiar in many other areas of law, direct liability for copyright infringement occurs when the infringer exercises one of the rights described above without authorization, ordinarily requiring some “volitional conduct” on the part of the person accused of infringing. See Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 422 (1984); 3 W. Patry, Copyright §9:5.50 (2013). Secondary infringement occurs when the infringer has not itself engaged in the infringing activity but “intentionally induces or encourages infringing acts by others or profits from such acts while declining to exercise a right to stop or limit them.” See MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 (2005). Think of a secondary infringer as a co-conspirator or enabler.

Prior to the Aereo decision, companies that provide a commercial technology capable of both infringing and substantial non-infringing uses could count on any copyright challenge being analyzed under principles of secondary, not direct, liability. This was established in the landmark case of Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417 (1984), in which the Court refused to hold the manufacturer of VCR technology liable for copyright infringement. Under the test established by Sony and the cases that followed it, the defendant would not be secondarily liable for copyright infringement unless it had (i) actual knowledge of specific instances of infringement and failed to act on that knowledge, or (ii) through public statements or advertisements, promoted the technology’s use as a means to infringe copyright. Id.; see also MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005). This legal framework has provided some comfort to the owners of products and services such as the VCR, DVR, peer-to-peer file-sharing networks, cloud storage services, antennas, and many other Internet businesses that they would not be sued out of existence by overly zealous copyright owners. In light of this clear history, it would seem to have made sense for Aereo’s service to be analyzed under a theory of secondary liability. That’s not what happened.

In the complaint, the petitioners alleged direct and secondary liability. They also requested a preliminary injunction to force Aereo to suspend its service during the pendency of the litigation. The request for a preliminary injunction was based exclusively on the theory of direct liability. The district court denied the injunction, finding that Aereo did not itself publicly perform the work; rather, each Aereo user specifically requested the content for his or her own personal viewing. The Court of Appeals affirmed and declined to rehear the case. Therefore, the only issue the Supreme Court could decide was whether or not Aereo directly infringed the petitioners’ right to publicly perform the work for purposes of the preliminary injunction.

One possible result, and one that many commentators thought likely, would have been for the Supreme Court to agree with the district court that Aereo did not engage in direct infringement and remand the case back to the lower courts to play out. Instead, the Court steamrolled ahead and seemingly ignored the volitional-conduct requirement for direct infringement. In its place, the Court’s analysis depends on what the dissenting Justices snarkily called the “Looks Like a Cable Company” test in order to analyze Aereo’s technology under a theory of direct infringement.

While not officially called the “Looks Like a Cable Company” test, the Court’s reasoning leaned heavily on Congress’s 1976 amendments to the U.S. Copyright Act, in which Congress sought to bring the activities of cable companies within the statute’s scope. Under the amended Copyright Act, to “perform” an audiovisual work means “to show its images in any sequence or to make the sounds accompanying it audible.” 17 U.S.C. § 101. At the same time, Congress added the “Transmit Clause” to the Copyright Act, which expanded the copyright owner’s exclusive right to perform its work publicly to include conduct which “transmits or otherwise communicates a performance… to the public, by means of any device or process.” 17 U.S.C. § 101. Despite Aereo’s protests that it does no more than supply equipment that emulates the operation of a home antenna and DVR, the Court found that by providing a service which allowed subscribers to select a TV program to watch on Aereo’s website, which then streamed a single copy saved specifically for that subscriber to his or her device, Aereo performed the work. Moreover, the Court held that the transmission to a single subscriber from a personal copy was, under the statute, a transmission “to the public” because when “an entity communicates the same contemporaneously perceptible images and sounds to multiple people, it transmits a performance to them regardless of the number of discrete communications it makes.”

Under the Court’s reasoning, it is now more difficult to delineate between online technologies which do and do not run afoul of the Copyright Act. Arguably, the only way an online service could be 100% certain of its legality under copyright law would be to implement filtering tools that prevent use of the service to access copyrighted works unless the user can provide proof of being the copyright owner or of being entitled to lawful possession of the works. Obviously, copyright owners would love that to become common practice, but it has very clearly not been a requirement of US law. Seeking assistance from the public on this question, the U.S. Copyright Office, Library of Congress issued a Request for Additional Comments for interested parties to provide thoughts and questions on the relevancy of secondary liability and the meaning of “making available” and “communication to the public” in light of the Aereo decision. Comments must be received by August 14, 2014.

In the meantime, here are the not-so-comforting words of The Supreme Court:

We cannot now answer more precisely how the Transmit Clause or other provisions of the Copyright Act will apply to technologies not before us. We agree with the Solicitor General that “[q]uestions involving cloud computing, [remote storage] DVRs, and other novel issues not before the Court, as to which ‘Congress has not plainly marked [the] course,’ should await a case in which they are squarely presented.” And we note that, to the extent commercial actors or other interested entities may be concerned with the relationship between the development and use of such technologies and the Copyright Act, they are of course free to seek action from Congress.

So, the Supreme Court’s advice to tech innovators and entrepreneurs is to either wait for a lawsuit or get Congress to pass a law (which, of course, takes years and lots of lobbying dollars). Not exactly practical or appealing options.

Five Things Every SaaS Contract Needs to Address

Developers and providers of software as a service (“SaaS”) understand that SaaS differs in many ways from traditional software, but for some reason these differences are often forgotten when negotiating a SaaS contract. While it may be appealing to repurpose a traditional software license agreement for your new SaaS customer relationship, I will issue the following caution: many traditional software license agreements do not adequately take into consideration that SaaS presents a greater potential for risk for vendors. When providing SaaS, vendors take on more responsibility than their peers, due mainly to two factors: (1) SaaS clients expect 24-hour, 7-days-a-week access and service, and (2) SaaS vendors have important legal responsibilities when storing and processing clients’ personal data. Though not an exhaustive list, here are five issues that every SaaS vendor should discuss with its clients and address in each SaaS agreement.

1. Customer Service. As mentioned previously, a client’s expectations when it comes to SaaS are going to be high. Unlike a software license agreement with an upfront cost, most SaaS agreements are customarily subscription based, which means clients will be re-evaluating the service’s worth with every payment. That’s why it is important to have the SaaS agreement be as comprehensive as possible and to be as clear as possible to avoid any confusion down the road.

A common area for conflict is the payment section. While most parties can agree on the method of payment and invoicing procedures, there is often a lack of understanding when it comes to what is included (or excluded) in the subscription price. Include a description of which features are included in the subscription price and which are available for an additional fee or on a time and materials basis. Specific areas to consider include who is responsible for integration, client training, and support. If possible, provide parameters for the additional cost, whether that means explicitly stating the amount of the additional fee or providing for the then-current hourly rate.

One feature to consider providing potential clients is a trial period. Trials give clients an opportunity to familiarize themselves with a new service and incorporate that service into their end product or workflow, both of which increase the likelihood of the client agreeing to a longer term. Trials also benefit vendors by providing an indication of whether the client is technically and organizationally ready for your service. When providing a trial, be explicit as to the duration, what activities will trigger cancellation, and whether there are any use restrictions.

Good customer service also requires detailed discussions of what happens when the vendor-client relationship ends. The agreement should clearly set out that a client’s data will be returned or destroyed within a predetermined length of time. If client data is to be returned, the parties should agree on the format of the data, whether it is usable by the client without the vendor’s software, and the cost of providing the client data in any format other than “as is”.

2. Performance, Technical Malfunctions, Upgrades. Service Level Agreements (“SLAs”) are becoming more common in SaaS agreements. An SLA contains guarantees by a vendor that the service will be available a certain percentage of the time, usually somewhere between 97% and 99.9%. In the event the service is unavailable, an SLA may also include a promise by the vendor to respond within a certain period of time, which can vary from minutes to hours depending on the severity of the interruption. A failure to meet a guarantee contained in the SLA will often trigger a credit or refund to the client, so vendors should take care not to put unrealistic commitments on paper and should guarantee only levels that are achievable by them and, more importantly, by any third-party contractors (such as hosting providers) they depend on. The SLA should also define how availability is measured and what is excluded, such as scheduled maintenance windows, since those definitions determine when a credit is owed.

One small issue that avoids a huge headache later on is updates and upgrades. Vendors should make it explicit that clients, for as long as they have a subscription, must accept all vendor updates and upgrades. The reason is that it is not usually practical to maintain and run multiple versions of the software, and every version kept alive is one more that must receive security fixes.

3. Privacy and Data Security. Not only will many clients ask for certain assurances and warranties regarding the security of their data, but SaaS vendors are generally subject to data security and privacy laws. The obligations vary considerably, depending where the vendor resides, where its servers are located, where its clients reside and what type of information is processed by the vendor.

In the United States, SaaS vendors will be subject to a patchwork of laws, rules and regulations from the national, state, and local level. With this in mind, it is best to work with a transactional attorney who regularly handles privacy issues. SaaS vendors working with clients that reside in the European Economic Area (EEA) can and should obtain certification under the US-EU and US-Swiss Safe Harbor Programs. These Safe Harbor Programs assure companies based in the EEA or Switzerland that their US partners meet the EU’s adequacy standard for privacy protection, which is set forth in the EU’s Data Protection Directive 95/46/EC. This assurance is necessary as companies operating in the EU are not allowed to send personal data to countries outside the EEA unless there is a guarantee that it will receive adequate levels of protection.

Going along with data privacy and security, vendors should develop clear internal procedures to follow in the event of a data breach, for disaster recovery, and for termination of services. The breach procedure should specify how and how quickly the client is notified, since breach-notification laws in many states impose their own deadlines. Although not always included, a client may request that a description of such procedures be provided or even attached to the agreement.

One area that gets overlooked is the client’s responsibilities when it comes to protecting its own data. Include a section describing the client’s responsibilities, such as keeping its credentials confidential and notifying you promptly if a login ID and password are lost, stolen, or otherwise compromised.

4. Indemnity and Liability. In a fair and rational world, indemnity obligations would be limited to factors within the indemnifying party’s control. Unfortunately for vendors, a client is usually going to ask for more. One area where a vendor should seek limitation is patent infringement. Limit the indemnity obligation to the functional or technical aspects of the service performed or software provided by the vendor, and where possible limit indemnity for patent infringement claims to those that result from the vendor’s gross negligence or willful misconduct. Also discuss whether the client expects you to perform patent searches, or whether you want to give notice that you do not.

When addressing a limitation of liability, consider (1) carving out indemnity and confidentiality obligations and (2) including a liability cap, usually set at a multiple of the fees paid over a reasonable period of time. The reason for this is damage control: in the event of a breach or other cause of action under the agreement, both parties want to know their potential exposure. However, damages due to a breach of warranty or confidentiality are difficult to forecast and may easily surpass any limitation.

5. Governing law and jurisdiction. If you are dealing with clients and end-users from outside your own state or country, explicitly provide for the exclusive governing law and jurisdiction to avoid ending up in a faraway location with unfamiliar and perhaps unfavorable law. Keep in mind that there may be restrictions on venue and jurisdiction. For example, vendors that have certified under the US-EU Safe Harbor Program may address issues with EU residents in the U.S. but are required to cooperate with EU’s data protection authorities.

This list is not meant to be exhaustive, but an overview of some of the top legal issues surrounding SaaS agreements for vendors. Of course, we advise consulting with an attorney who understands SaaS and can incorporate his or her knowledge into drafting and reviewing a SaaS agreement.

Can I Use a Subcontractor if there is a “No Assignment” Clause?

“Neither party may assign any or all of its rights and obligations under this Agreement to a third party.”

Does the above language forbid the use of subcontractors? The answer is no, but why? In day-to-day conversation, the word “assignment” has broad application, but when used in a contract, an assignment is something much more specific. In the context of a legal relationship, an assignment is often described as a third party (the assignee) stepping into the shoes of a party to the contract (the assigning party). While the exact interpretation of an “assignment” depends upon the chosen law of the contract, the general interpretation is that the assigning party has transferred its rights and its contractual obligations under the contract to the assignee and, in many states, the assigning party is released from the contract. For the sake of predictability and assurance against a bait and switch, many parties will therefore agree to a “No Assignment” clause.

Subcontractors are not considered assignees because they are not “stepping into the shoes” of a party. When a party hires a subcontractor to fulfill some or all of its duties, it delegates its performance to the subcontractor. The delegating party remains a party to the contract and is secondarily liable if the subcontractor does not perform or does not perform adequately. However, similar to an assignment, parties may agree to a “No Delegation” clause in the contract.

Since assignment and delegation are legally distinct from one another, a contract should address both of them separately.

Before prohibiting all assignments, consider what assignments would potentially be beneficial. A common framework is to prohibit all assignments except to those entities listed in the contract, or prohibit all assignments unless the assigning party obtains the prior written consent of the non-assigning parties.

Another issue related to assignment clauses, and one on which courts prefer explicit language, is whether the parties intend the assignment clause to include, or exclude, assignments to parent companies and subsidiaries, and assignments in the event of a merger or sale of the business.

When deciding whether or not the contract should allow the delegation of performance, consult with an attorney because some states prohibit delegation in certain circumstances, such as when the contract is for a party’s unique set of skills. In most cases, delegation is allowed where the non-delegating party’s expectations will be satisfied.

In the event the non-delegating party is uneasy about the idea of subcontractors, one approach that may be used is to require the delegating party to supervise or control the subcontractor’s performance. Otherwise, the contract should describe any restrictions or standards regarding the identity of the subcontractors or their performance. Additional language that addresses subcontractors’ compensation, reimbursement of expenses, taxes and related issues should also be included to avoid any confusion down the road.

One last thing regarding assignment and delegation is the power versus the right. Courts have distinguished clauses that eliminate the right to assign or delegate from those that eliminate the power to assign or delegate. The following example illustrates the difference:

Eliminate the right: “No party may assign any of its rights under this Agreement.”

Eliminate the power: “No party may assign any of its rights under this Agreement. Any purported assignment is void.”

In the first clause, the parties have agreed not to assign any of their rights. If, however, a party decides to violate the No Assignment clause, it will be in breach of the contract but the assignment itself will likely be considered valid and binding on the parties.

In the second clause, the parties have agreed not to assign any of their rights, and also have agreed that any attempted assignment will have no effect. This clause restricts a party’s right to assign and eliminates its power to assign as well.

The same logic applies to delegation as well.

If you plan on using subcontractors, it is best to have an attorney familiar with these types of issues review the contract prior to signing it.

Proposed Changes to Section 230 of the Communications Decency Act

One of the most important federal laws for websites is Section 230 of the Communications Decency Act of 1996. Section 230 provides immunity to providers and users of an “interactive computer service” by stating that “no provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider.” The relevance for the tech community is that a company cannot be held liable for causes of actions based on the content generated by its users. This immunity applies even if the website ignores take-down notices and exercises editorial control over the user-generated content.

Without Section 230, websites would have to either eliminate user-generated content (which includes everything from profile customization, comment sections, messaging services, blogging, search engines, etc.) or implement costly monitoring programs and filtering tools. Even with such measures, it would be impossible to appreciably diminish a website’s potential liability.

Websites should take note that Section 230 immunity is not absolute. There are four statutory exceptions. First, Section 230 cannot impair the enforcement of any federal criminal statute, including certain federal laws related to obscenity, harassment, or sexual exploitation of minors. Second, Section 230 does not limit or expand any law pertaining to intellectual property (websites may instead be eligible for safe harbor protection from copyright infringement claims under the DMCA). Third, Section 230 does not prevent any state from enforcing a law that is consistent with Section 230; however, states cannot bring a cause of action that is inconsistent with it. Lastly, Section 230 has no effect on the Electronic Communications Privacy Act of 1986 or any similar law.

In a July 23, 2013 letter to Congress, 47 state attorneys general and the attorneys general of the Virgin Islands and Guam requested an amendment to Section 230 to allow for an additional statutory exception: state criminal laws. In the letter, the AGs describe the states’ inability to prosecute websites that they assert “have constructed their business models around income gained from participants in the sex trade.”

There has been support for the amendment because, for the most part, states have been unable to convince the courts to set aside Section 230 immunity for websites that feature revenge porn or advertise (even unwittingly) prostitution services. See e.g. Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) (holding that Section 230 immunity applied to the claim that Yahoo! acted negligently by not removing nude images of the plaintiff posted by an ex-boyfriend, but that Section 230 did not apply to the promissory estoppel claim); see also Dart v. Craigslist, Inc., 665 F. Supp. 2d 961 (N.D. Ill. 2009) (applying Section 230 immunity to a sheriff’s allegation that Craigslist’s adult services section was a public nuisance).

Overall, the tech community has come out strongly against the proposed amendment because it completely undermines the intent of Section 230. Instead of developing new products and services, websites would spend their time and resources on filtering and monitoring user-generated content in a vain attempt to guard against the countless number of state criminal laws – not just the ones that combat revenge porn and prostitution. Even then, monitoring programs and filtering tools are not 100% fail-proof, and one unlawful comment could be enough to send a startup back to square one. Also, even if the content were adjudicated not to be unlawful, the time and expense to defend against the lawsuit could be just as harmful. This grim future assumes that websites would even consider allowing user-generated content.

One proposal that has been put forth is to leave Section 230 as is and enact new federal and state legislation to specifically address the conduct of websites that allow, and arguably turn a blind eye to, the sex trade. There has been some effort in this direction.

For example, New Jersey’s invasion of privacy law prohibits the dissemination of sexual recordings or pictures without the consent of the person depicted in the recording and/or picture. New Jersey also criminalizes “advertising commercial sexual abuse of a minor,” which a person commits if he “knowingly publishes, disseminates, or displays, or causes directly or indirectly, to be published, disseminated, or displayed, any advertisement for a commercial sex act, which is to take place in this State and which includes the depiction of a minor” or “knowingly purchases advertising in this State for a commercial sex act which includes the depiction of a minor.”

Another example is the state of California, which makes revenge porn a misdemeanor punishable by up to six months in jail and a $1,000 fine. However, shortcomings of the law have greatly limited its application, as the law only applies to individuals who took the photo and distributed it. The law’s author, state Sen. Anthony Cannella (R-Ceres), explains that he excluded self-taken photos due to a concern that it could increase the overcrowded prison population. Sen. Cannella does assert that he plans to extend the law to cover “selfies” when the state legislature returns in January 2014, but believes that the Communications Decency Act should be amended to remove protections for revenge porn websites.

To further complicate matters, websites should also consider that while the European Union does have laws that provide immunity for websites that host content, the courts’ rulings that distinguish between hosting content and creating content are inconsistent.

In 1998, a German court convicted, and a year later acquitted, a CompuServe executive for the publication and distribution of images of violence, child pornography, and bestiality, as well as for providing access to video games which were considered “morally harmful to youth” under German law. The CompuServe executive was acquitted under Section 5(3) of Germany’s Information and Communications Services Act, which provides that “an Internet Service Provider who provides access to material without being able to influence its content should not be responsible for that content.”

In 2010, an Italian court convicted, and two years later acquitted, three senior Google executives for defamation and data protection violations based on a video uploaded to a Google-controlled website by a student that depicted an autistic child being bullied. The Google executives were sentenced to six-month suspended jail sentences, despite the fact that Google eventually removed the video after receiving warnings from advocacy groups.

Lastly, just a few weeks ago the European Court of Human Rights rejected the application of the Internet news portal Delfi, which was found by the Estonian Supreme Court to have violated the “personality rights” of an individual who was the subject of the website’s users’ defamatory online comments. Despite Delfi operating one of the largest news websites in Estonia, with hundreds of articles posted daily and tens of thousands of comments appended to the articles, the Estonian Supreme Court upheld the lower court’s finding that Delfi “had not been required to exercise preliminary control over comments posted on its news portal. However, having chosen not to do so, it should have created some other effective systems which would have ensured rapid removal of unlawful comments from the portal.” The Estonian lower court’s finding that “the measures taken by [Delfi] were insufficient and that it was contrary to the principle of good faith to place the burden of monitoring the comments on their potential victims” was also upheld.

At the time this post was written, Congress had yet to respond to the AGs’ letter. In the meantime, this firm will be on the lookout for updates.

BitTorrent Lawsuits

Peer-to-Peer (P2P) file sharing websites such as Napster, BitTorrent, Kazaa and Pirate Bay have become household names for allegedly assisting in the copyright infringement of songs, films and games. Although the technology behind P2P is not illegal, the controversial ability of users of these services to upload and share files without the copyright owner’s permission has been strongly criticized by the courts and copyright owners. However, the litigation practice that has emerged to combat this form of piracy has met with its own condemnation.

The BitTorrent protocol is the latest generation of P2P file sharing, which allows users to download large files at faster rates than previously possible. Instead of downloading the entire file containing the song, film or game from one user, BitTorrent users can download multiple pieces of a file simultaneously from many users. Further, while a BitTorrent user is downloading a file, the user’s computer is part of a connected network of other BitTorrent users’ computers, which allows them to download and upload designated BitTorrent files. This group of connected computers is called a “swarm,” and the larger the swarm, the faster the download. These features distinguish the BitTorrent protocol from other P2P protocols. Moreover, this technology forms the basis of the shaky but common argument that members of a swarm can be sued together in one lawsuit for copyright infringement.

You may be someone, or know of someone, who received a letter from their Internet Service Provider (ISP) stating that the IP address associated with the Internet account has been identified as allegedly downloading copyrighted material from a BitTorrent website. When a user is on a BitTorrent website, the user’s IP address serves as a form of pseudo-ID. Instead of an avatar or username, users are distinguished from one another by their unique IP address. As such, copyright owners monitoring BitTorrent can see which IP addresses are downloading and uploading their content. Once an IP address is identified, it is easy to determine its ISP. Since the copyright owner’s only lead is the ISP, it will subpoena the ISP to provide the name and contact information of the individual who owns the Internet account assigned that particular IP address. From there, the ISP will notify the Internet account holder about the BitTorrent activity and inform them of the ISP’s duty to provide the copyright owner’s attorneys with the account holder’s information unless the account holder takes action. Once the copyright owner and its attorneys know the identity of the Internet account holder, he or she can be named personally in a federal lawsuit.

Over the last few years, these types of lawsuits have become prevalent and highly criticized by the courts. Back in May 2013 we reported that the law firm Prenda Law and its principal attorneys were sanctioned by U.S. District Court Judge Otis Wright for their part in orchestrating what Judge Wright called a scheme which exploited the “nexus of antiquated copyright laws, paralyzing social stigma, and unaffordable defense costs.” The plaintiffs in the case were ordered to pay $81,319.72 in attorneys’ fees, court costs, and punitive damages. Further, the court referred the attorneys involved in the case to their respective state and federal bars. Prenda Law voluntarily dissolved just two months later.

The plaintiffs in the Prenda suit represent the worst extreme and are in a category by themselves. However, the reality that this type of litigation has matured into a business model for many law firms and copyright holders ensures that these types of lawsuits are going to be around for a while.

If you are one of the unlucky individuals who has received a letter from your ISP like the one described above or has been contacted by a copyright owner, immediately seek out an attorney. Reactions to these types of lawsuits vary not only by jurisdiction but often-times by courtroom. Kuzas Neu has been handling these types of issues for years and we would be glad to sit down with you to discuss the available options.

Updated: Data Security Breach Notification Requirements in the United States, European Union and Canada

Overview

An entity that compiles, maintains, or leases computerized records containing personal information is subject to the data security breach notification laws. These notification laws serve to instruct entities that have suffered a breach in their data security on what kinds of personal information are protected under the law, what events are considered improper disclosures that trigger the notification duty, and the prescribed methods of notification. This post will provide a brief overview of relevant U.S. federal laws, U.S. state laws, as well as the US-EU Safe Harbor Program and Canada’s Personal Information Protection and Electronic Documents Act.

United States Federal Law

Financial institutions that are significantly engaged in offering financial products and services are covered by the Gramm-Leach-Bliley Act, referred to herein as the GLB Act. The term “financial institution” is defined broadly by the statute and includes banks, mortgage lenders and in certain circumstances may also include check-cashing businesses, payday lenders, non-bank lenders, personal property and real estate appraisers, professional tax preparers and courier services. The GLB Act supersedes any state law that is inconsistent with the provisions of the GLB Act, unless the relevant state law affords any consumer greater protection than the GLB Act. Therefore, it is advisable that businesses seek the counsel of an attorney familiar with both federal and state provisions.
Under the GLB Act, a financial institution is required to implement and share its privacy policy with consumers who obtain financial products or services primarily for personal, family or household expenses. The privacy policy is initially shared once a customer relationship is established, and then every 12 months during that customer relationship. Among other things, the privacy policy must describe the conditions under which the financial institution may disclose personal information about consumers to nonaffiliated third parties and explain the “opt out” procedure for consumers to prevent the financial institution from disclosing his/her personal information to most non-affiliated third parties. Under the GLB Act, there are several exceptions that permit the disclosure of certain nonpublic personal information to non-affiliated third parties. For example, disclosure is permitted to a non-affiliated third party if such third party performs services on behalf of the financial institution and the disclosed information is necessary to effect, administer, or enforce a transaction that the consumer requested or authorized. Because understanding what is “necessary” under the law may be a difficult standard to meet, businesses should consult with their legal counsel before disclosing information.
The GLB Act also sets forth the minimum security standards financial institutions must have to protect the confidentiality of their consumers’ information. The GLB Act’s Security Rule has broader reach than the Act’s privacy provisions, applying to all financial institutions subject to the jurisdiction of the Federal Trade Commission, regardless of whether the consumer information was derived from financial services obtained for a personal or business purpose or whether the financial institution’s possession of the consumer information was obtained from a customer relationship. Specifically, the Security Rule requires financial institutions to implement administrative, technical and physical safeguards based on that financial institution’s risk of foreseeable threats. The financial institution’s foreseeable risk is based on a variety of factors, including employee training and management, the condition and integrity of the information systems utilized, and methods of detecting, preventing and responding to attacks, intrusions or other system failures. The customized security plan for a financial institution requires periodic evaluation and adjustment.
For companies in the health care field, the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, provides a set of notification requirements as well as security standards for health plan providers, health care clearinghouses, health care providers and certain other covered entities. HIPAA was enacted in part to prevent the disclosure of “individually identifiable health information,” also referred to as “protected health information” or simply “PHI.” According to HIPAA, PHI is information that relates to the individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. There are no restrictions on the use or disclosure of de-identified health information, which can be accomplished by the safe-harbor method or through the use of a qualified statistician.
As part of HIPAA’s own Privacy Rule, covered entities must develop and provide notice to patients of their privacy practices. Notice must be given by covered entities who have a direct treatment relationship to their patients no later than the first service encounter, or in an emergency treatment situation, as soon as practicable thereafter. The covered entities’ privacy policy must also be available upon request and on any website maintained for customer service. The Privacy Rule strictly limits the circumstances in which PHI may be used or disclosed by covered entities with or without a patient’s authorization. Generally, a covered entity is permitted to use or disclose PHI without the patient’s consent at the request of law enforcement, for public health, to avert a serious threat to health or safety, and in other specified instances. However, clearance by legal counsel is advisable as these exceptions are not permissible in all circumstances.
Similar to the regulation of financial entities under the GLB Act, HIPAA also includes a Security Rule that provides that covered entities must protect against reasonably anticipated threats to the security or integrity of PHI and against any reasonably anticipated uses or disclosures not permitted under its Privacy Rule. Further, and notably, covered entities must also have a policy in place that ensures third parties that possess PHI on the covered entities’ behalf will comply with the same privacy and security standards. Similar to the financial institutions under the GLB Act, covered entities may select what security measures to implement, as long as such measures are reasonable and appropriate to HIPAA standards. The security standards include both required policies (for example, a covered entity must have a sanction policy for workforce members who fail to comply with the security policies and procedures of the covered entity) and addressable policies which covered entities can evaluate for appropriateness and reasonableness for their company (for example, setting up procedures for monitoring workforce log-in attempts and reporting discrepancies). Covered entities must appropriately take into consideration their size, their technical infrastructure, the cost of security measures, and the probability and criticality of potential risks.
Third parties that are in possession of PHI on the covered entities’ behalf are termed “business associates.” Business associates are individuals or organizations, which are not part of the covered entity’s workforce, that create, receive, maintain, or transmit PHI on the covered entity’s behalf. Covered entities are obliged to enter into written agreements with business associates that impose specified written safeguards on the PHI used or disclosed by the business associates.
The Health Information Technology for Economic and Clinical Health Act (HITECH) extended the breadth of many of HIPAA’s privacy and security measures for health care entities. For example, if there is a breach or suspected breach of PHI, covered entities are required to notify the affected individuals, the Secretary of the Dept. of Health and Human Services and, if the breach involves 500 or more individuals within a state or jurisdiction, the state’s prominent media outlets. HITECH also extended the standards of HIPAA’s Privacy Rule and Security Rule to covered entities’ business associates, as well as the imposition of civil and criminal penalties.
The Federal Trade Commission (“FTC”) also imposes the “Health Breach Notification Rule,” which applies to certain foreign and domestic businesses that access or use the PHI of U.S. citizens and residents. The Health Breach Notification Rule applies irrespective of whether the entity is subject to the jurisdiction of the FTC and excludes HIPAA-covered entities.
What constitutes a breach of PHI under the FTC’s Health Breach Notification Rule, the method of notification, and the content of the notice are similar to the provisions of HIPAA. Just like HIPAA, the FTC’s Health Breach Notification Rule requires covered vendors to notify each consumer whose unsecured personal health record was acquired by unauthorized persons as a result of a breach of security. Breached entities must also notify the FTC of the breach. Methods of notice include individual mailed notices and email if the consumer consented to such notice, and in situations of urgency, notice to prominent media outlets in a particular State if the personal health records of 500 or more residents of such State were involved in a suspected or actual breach of security. Further, third-party service providers must notify their vendor in cases of breach or suspected breach. The notice must be sent without unreasonable delay and in no case later than 60 calendar days after the breach is known or should have been known.
The last prominent federal law regarding consumer data breaches is Section 5 of the Federal Trade Commission Act (the “FTC Act”). If a private company indicates in its privacy policy that it will notify individuals whose personal information may have been accessed without authorization, and the company then fails to provide such notification, that failure may be an unfair and deceptive trade practice prohibited under the FTC Act.
As evident from the above synopsis, there is no single comprehensive federal law governing data security breaches. To further complicate matters, in addition to the federal statutes, almost all states have their own unique set of breach notification laws. Attempts have been made in Congress to pass bills designed to provide greater uniformity among the states’ respective data notification laws; as of the date of this post, these attempts include:

Bill Number, Title, and Person Who Proposed It; Status as of August 21, 2013

H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer)
  Status: Passed the House on March 12, 2013; goes to the Senate next for consideration.

S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown)
  Status: Assigned to a Senate committee on March 21, 2013, which will consider it before possibly sending it on to the House or Senate as a whole.

H.R. 1121, Cyber Privacy Fortification Act of 2013 (Rep. Conyers, Jr.)
  Status: Referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations on April 15, 2013.

S. 1193, Data Security and Breach Notification Act of 2013 (Sen. Toomey)
  Status: Referred to the Senate Committee on Commerce, Science, and Transportation on June 20, 2013.

United States State Law

Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have a Breach Notification Law (BNL) that requires persons and organizations to notify individuals whose personal information has been breached. In addition to these jurisdictions, New York City has its own set of breach notification laws, applicable to any business subject to the jurisdiction of the city’s Department of Consumer Affairs that has personal information of any resident of New York City.
BNLs vary by jurisdiction, although they share several elements. In many jurisdictions, “personal information” is an individual’s first name or first initial and last name plus one or more of the following pieces of data: (i) Social Security Number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access the account. Some states have an expanded definition of personal information, such as in Maryland, where an individual taxpayer identification number is protected personal information, and in North Carolina, where personal information includes mother’s maiden name, computer system password, electronic signature and unique biometric data such as fingerprint, voice print, retinal image or iris image.
In general, under most BNLs, in order for there to be a “breach” the following elements must be met, with common variations in parentheses: (i) (Reasonable likelihood of) Unauthorized and Bad Faith; (ii) Acquisition of (iii) Unencrypted or Unredacted (iv) (Computerized) Personal Information (v) (Which is likely to cause harm). The absence of one or more of the elements of the applicable BNL will excuse the notification requirement in that state. Of special note, in many jurisdictions the mere knowledge of a potential breach will often trigger a duty to investigate.
For an easy-to-read chart of all BNLs prepared by the National Conference of State Legislatures, click here.

Covered Entities
Breach notification laws tend to cast a wide net, applying to persons or entities that acquire, own, or license computerized data that includes personal information of that particular state’s residents, and in most states, regardless of whether that person or entity is registered to conduct business in that state. As such, not only do the owners or licensees of data have obligations under BNLs, but so do individuals and entities who have access to personal data on the covered entities’ behalf.

Safe Harbor
Almost all states’ BNLs have a safe harbor provision, which provides that notification is not required if the personal data that is lost, stolen, or accessed by an unauthorized individual is encrypted, redacted or is otherwise secured by a method or technology that renders it unreadable or unusable. Data is considered encrypted if it is in a form that is unreadable or unusable without use of a confidential process or key. Redacted data is data that has been altered or truncated so that no more than five digits of a social security number or the last four digits of a driver’s license, state identification number or account number are accessible.
In the event of a breach or suspected breach, the party subject to the BNL will have to prove that the compromised data fits that particular state’s statutory definition or standard of encryption and/or redaction in order to invoke safe harbor protection.

Notification Procedures
The time frame in which breached entities must notify victims varies by jurisdiction, ranging from “in the most expedient time possible and without unreasonable delay” to “no longer than 7 business days” to “no later than 45 days.” Further, depending on the statute, the notice can be written, electronic or even conveyed over a telephone conversation.
Most BNLs require covered entities to notify additional parties besides the victims of the breach. For instance, if the number of victims exceeds a certain number, usually 1,000 individuals, the breached entity may have to notify all consumer reporting agencies. Massachusetts, Maryland, Louisiana and a majority of other states and jurisdictions require in the event of a breach that covered entities notify some type of regulatory authority, such as the attorney general, the director of consumer affairs, or the insurance commissioner.
Nevada and other states extend the notification duty to entities that maintain data owned by other entities. In this situation, notice must be given to the owner of the data, which in turn triggers the owner’s duty to notify victims.

Form of Notice
In many BNLs, notice requires individual written notice that includes a description of the incident in general terms, a description of the type of personal information that was subject to the unauthorized access, and contact information of the covered entity for further questions. It is also common for BNLs to mandate that the notice inform the resident that he/she has a right to obtain reports from the police department and consumer reporting agencies, and provide instructions on how to request a security freeze. Often, notification by email may be permitted if the affected resident consented to receive electronic notice from the covered entity or if there is an existing business relationship with the affected resident that includes periodic electronic communications.
In addition, “substitute notice” in the form of an email to affected residents or conspicuous posting on the covered entity’s website may be allowed where the cost of providing individual written notice would be prohibitive or the affected class of individuals is numerous. For example, Massachusetts allows for substitute notice if the cost of providing notice would exceed $250,000, the number of affected Massachusetts residents exceeds 500,000, or the covered entity does not have sufficient contact information to provide notice.

Mobile App Developer Recommendations
In January 2013, California’s Attorney General Kamala D. Harris posted a set of privacy recommendations for App Developers, App Platform Providers and Advertising Networks operating in the mobile app sphere.
This set of recommendations exceeds California’s statutory mandates in many areas, but industry players including Amazon, Apple, Google and Facebook have already endorsed them. The voluntary recommendations encourage developers, at the outset of development, to adopt the following practices and build in the following functionalities: (1) avoid collecting personal information from users that is not necessary for an app’s basic functionality; (2) make the app’s privacy policy easily accessible before the app is downloaded and in easy-to-understand language; (3) provide alerts to users and give them control over data practices, delivered in context and just-in-time; and (4) limit the period of time for which data is retained to the time period necessary to complete the function for which the data was collected.
As many developers’ business models depend on data collection for attracting advertisers, it seems unlikely that these recommendations will be widely adopted.

United States – European Union Safe Harbor Program

For businesses that have relationships with EU companies or customers in the EU, it should be noted that the European Union’s adequacy standard for privacy protection is defined differently than it is in the United States. The European Commission, the executive body of the EU, mandated that companies operating in the EU are not allowed to send personal data to countries outside the “European Economic Area” (EEA) unless there is a guarantee that it will receive adequate levels of protection. In an effort to streamline the process for US companies to comply with EU Directive 95/46/EC, the U.S. Department of Commerce, in consultation with the EU, created the US-EU Safe Harbor Program.

The US-EU Safe Harbor Program is a certification process that US companies can opt into by complying with the Seven Safe Harbor Privacy Principles. Eligible companies can self-certify or hire a third party to perform the assessment. All companies must be re-certified every 12 months.

Besides the opportunity to work with EEA companies and clients, enrollment in the US-EU Safe Harbor Program provides that claims brought by EU citizens against U.S. companies will be heard in the U.S., subject to certain limitations. Further, the streamlined process encourages participation by small and medium organizations. A list of certified Safe Harbor organizations is available to the public.

Currently, the European Commission is discussing replacing Directive 95/46/EC with a regulation, which, as a regulation, cannot be amended or tailored by individual member states. As Vice President of the European Commission and EU Justice Commissioner Viviane Reding explains:

The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.

Canada’s Personal Information Protection and Electronic Documents Act

A U.S.-based organization that handles personal information of Canadians is subject to the country’s Personal Information Protection and Electronic Documents Act (PIPEDA). Passed in 2000, PIPEDA is Canada’s national privacy law, applying to personal information collected, used and disclosed by private sector organizations involved in commercial activities. In its current form, PIPEDA does not require organizations to notify individuals whose personal information was involved in a breach. Nor does it require organizations to notify a regulatory authority. What PIPEDA does require of organizations is that they meet certain safeguarding standards through the use of physical, technological and organizational measures.
In February 2013, Bill C-475 was introduced in the House of Commons. In relevant part, organizations would have to “notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.” The Commissioner may then require the organization to notify affected individuals; however, at any point an organization may voluntarily notify individuals. Those interested in the progress of the bill can visit the Parliament’s website here.

Closing

The widespread application of the data security breach notification laws cannot be overstated. Not only are more businesses collecting personal information, but technology has enabled businesses to collect more types of personal information and maintain them for longer periods of time. Somewhat surprisingly, some companies are unaware that they are collecting personal information from their users and employees. Information gathering is a necessary part of a growing business and of providing better products and services. With this practice, however, all businesses must have in place appropriate privacy and security measures. Part of any periodic business evaluation should include a review of these privacy and security measures by legal counsel that is well versed in technology and has experience navigating and applying the various laws and regulations.

Updated: Data Security Breach Notification Requirements in the United States, European Union and Canada

Overview

An entity that compiles, maintains, or leases computerized records containing personal information is subject to data security breach notification laws. These laws instruct entities that have suffered a breach of their data security on what kinds of personal information are protected, what events count as improper disclosures that trigger the duty to notify, and the prescribed methods of notification. This post provides a brief overview of the relevant U.S. federal laws, U.S. state laws, the US-EU Safe Harbor Program and Canada’s Personal Information Protection and Electronic Documents Act.

United States Federal Law

Financial institutions that are significantly engaged in offering financial products and services are covered by the Gramm-Leach-Bliley Act, referred to herein as the GLB Act. The statute defines “financial institution” broadly: it includes banks and mortgage lenders and, in certain circumstances, check-cashing businesses, payday lenders, non-bank lenders, personal property and real estate appraisers, professional tax preparers and courier services. The GLB Act supersedes any state law that is inconsistent with its provisions, unless the state law affords consumers greater protection than the GLB Act does. Businesses are therefore advised to seek the counsel of an attorney familiar with both the federal and the state provisions.
Under the GLB Act, a financial institution is required to implement a privacy policy and share it with consumers who obtain financial products or services primarily for personal, family or household purposes. The privacy policy is shared once the customer relationship is established and then every 12 months for as long as the relationship lasts. Among other things, the policy must describe the conditions under which the financial institution may disclose personal information about consumers to nonaffiliated third parties and explain the “opt out” procedure by which a consumer can prevent the institution from disclosing his or her personal information to most nonaffiliated third parties. The GLB Act also contains several exceptions that permit disclosure of certain nonpublic personal information to nonaffiliated third parties. For example, disclosure is permitted to a nonaffiliated third party that performs services on behalf of the financial institution, where the disclosed information is necessary to effect, administer, or enforce a transaction that the consumer requested or authorized. Because what counts as “necessary” under the law can be a difficult standard to apply, businesses should consult their legal counsel before disclosing information.
The GLB Act also sets the minimum security standards financial institutions must meet to protect the confidentiality of their consumers’ information. The GLB Act’s Safeguards Rule (referred to in some sources as its Security Rule) has broader reach than the Act’s privacy provisions: it applies to all financial institutions subject to the jurisdiction of the Federal Trade Commission, regardless of whether the consumer information was derived from financial services obtained for a personal or a business purpose, and regardless of whether the institution obtained the information through a customer relationship. Specifically, the rule requires financial institutions to implement administrative, technical and physical safeguards proportionate to the institution’s foreseeable risks. Those risks are assessed against a variety of factors, including employee training and management, the condition and integrity of the information systems in use, and the methods for detecting, preventing and responding to attacks, intrusions or other system failures. The resulting security program must be evaluated and adjusted periodically.
For companies in the health care field, the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, provides a set of notification requirements as well as security standards for health plans, health care clearinghouses, health care providers and certain other covered entities. HIPAA was enacted in part to prevent the disclosure of “individually identifiable health information,” also referred to as “protected health information” or simply “PHI.” Under HIPAA, PHI is information that relates to an individual’s past, present, or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. There are no restrictions on the use or disclosure of de-identified health information; de-identification can be accomplished either by the safe-harbor method (removal of the specified identifiers) or by a determination by a qualified statistician.
As part of HIPAA’s Privacy Rule, covered entities must develop a notice of their privacy practices and provide it to patients. Covered entities that have a direct treatment relationship with their patients must give notice no later than the first service encounter or, in an emergency treatment situation, as soon as practicable thereafter. The notice must also be available upon request and on any website the covered entity maintains for customer service. The Privacy Rule strictly limits the circumstances in which covered entities may use or disclose PHI with or without a patient’s authorization. Generally, a covered entity is permitted to use or disclose PHI without the patient’s consent at the request of law enforcement, for public health purposes, to avert a serious threat to health or safety, and in other specified instances. However, clearance by legal counsel is advisable, as these exceptions do not apply in all circumstances.
Similar to the regulation of financial entities under the GLB Act, HIPAA also includes a Security Rule, which requires covered entities to protect against reasonably anticipated threats to the security or integrity of PHI and against any reasonably anticipated uses or disclosures not permitted under the Privacy Rule. Further, and notably, covered entities must have a policy in place that ensures third parties holding PHI on the covered entity’s behalf comply with the same privacy and security standards. As with financial institutions under the GLB Act, covered entities may choose which security measures to implement, as long as those measures are reasonable and appropriate under the HIPAA standards. The standards include both required specifications (for example, a covered entity must have a sanction policy for workforce members who fail to comply with its security policies and procedures) and addressable specifications, which covered entities evaluate for appropriateness and reasonableness in their own environment (for example, procedures for monitoring workforce log-in attempts and reporting discrepancies). In doing so, covered entities must take into account their size, their technical infrastructure, the cost of security measures, and the probability and criticality of the potential risks.
Third parties that hold PHI on a covered entity’s behalf are termed “business associates.” Business associates are individuals or organizations outside the covered entity’s workforce that create, receive, maintain, or transmit PHI on the covered entity’s behalf. Covered entities are obliged to enter into written agreements with their business associates that impose specified safeguards on the PHI the business associates use or disclose.
The Health Information Technology for Economic and Clinical Health Act (HITECH) extended the reach of many of HIPAA’s privacy and security measures. For example, following a breach of unsecured PHI, covered entities are required to notify the affected individuals and the Secretary of the Department of Health and Human Services, and, if the breach involves 500 or more individuals within a state or jurisdiction, prominent media outlets serving that state. HITECH also extended the standards of HIPAA’s Privacy Rule and Security Rule, together with their civil and criminal penalties, to covered entities’ business associates.
The Federal Trade Commission (“FTC”) also imposes the “Health Breach Notification Rule,” which applies to vendors of personal health records and related entities, foreign or domestic, that access or use the health information of U.S. citizens and residents. The Health Breach Notification Rule applies irrespective of whether the entity is otherwise subject to the jurisdiction of the FTC, and it excludes HIPAA-covered entities.
What constitutes a breach under the FTC’s Health Breach Notification Rule, the method of notification and the content of the notice are all similar to HIPAA’s provisions. As under HIPAA, the FTC rule requires covered vendors to notify each consumer whose unsecured personal health record information was acquired by an unauthorized person as a result of a breach of security. Breached entities must also notify the FTC. Permitted methods of notice include individual mailed notices, email where the consumer has consented to electronic notice, and, in urgent situations, notice to prominent media outlets in a particular state if the personal health records of 500 or more residents of that state were involved in the suspected or actual breach. Third-party service providers must in turn notify their vendor of a breach or suspected breach. Notice must be sent without unreasonable delay and in no case later than 60 calendar days after the breach is discovered or reasonably should have been discovered.
The last prominent federal law bearing on consumer data breaches is Section 5 of the Federal Trade Commission Act (the “FTC Act”). If a private company states in its privacy policy that it will notify individuals whose personal information may have been accessed without authorization, and then fails to do so, that failure may be an unfair or deceptive trade practice prohibited under the FTC Act.
As the synopsis above shows, there is no single comprehensive federal law governing data security breaches. To complicate matters further, almost every state has its own breach notification law in addition to the federal statutes. Bills intended to bring greater uniformity to the states’ notification laws have been introduced in Congress; as of the date of this post, they include the following:

Bill number, title and sponsor, with status as of August 21, 2013:

H.R. 749, Eliminate Privacy Notice Confusion Act (Rep. Luetkemeyer): passed the House on March 12, 2013; goes to the Senate next for consideration.
S. 635, Privacy Notice Modernization Act of 2013 (Sen. Brown): assigned to a Senate committee on March 21, 2013, which will consider it before possibly sending it on to the full Senate.
H.R. 1121, Cyber Privacy Fortification Act of 2013 (Rep. Conyers, Jr.): referred to the House Subcommittee on Crime, Terrorism, Homeland Security, and Investigations on April 15, 2013.
S. 1193, Data Security and Breach Notification Act of 2013 (Sen. Toomey): referred to the Senate Committee on Commerce, Science, and Transportation on June 20, 2013.

United States State Law

Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have a Breach Notification Law (BNL) that requires persons and organizations to notify individuals whose personal information has been breached. In addition, New York City has its own breach notification rules, applicable to any business subject to the jurisdiction of the city’s Department of Consumer Affairs that holds personal information of a New York City resident.
BNLs vary by jurisdiction but share several elements. In many jurisdictions, “personal information” is an individual’s first name or first initial and last name combined with one or more of the following data elements: (i) Social Security number; (ii) driver’s license number or state-issued ID card number; (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access the account. Some states define personal information more broadly: in Maryland an individual taxpayer identification number is protected personal information, and in North Carolina personal information includes mother’s maiden name, computer system passwords, electronic signatures and unique biometric data such as fingerprints, voice prints, retinal images or iris images.
Under most BNLs, a “breach” requires each of the following elements, with common variations in parentheses: (i) (a reasonable likelihood of) unauthorized (and bad-faith) (ii) acquisition of (iii) unencrypted or unredacted (iv) (computerized) personal information (v) (that is likely to cause harm). If any element of the applicable BNL is absent, the notification requirement in that state is not triggered. Of special note, in many jurisdictions mere knowledge of a potential breach is enough to trigger a duty to investigate.
The National Conference of State Legislatures maintains an easy-to-read chart of all BNLs.

Covered Entities
Breach notification laws cast a wide net. They apply to persons or entities that acquire, own, or license computerized data that includes personal information of the state’s residents, and in most states they apply regardless of whether the person or entity is registered to conduct business in that state. As a result, not only do the owners or licensees of the data have obligations under BNLs, but so do the individuals and entities that have access to personal data on the covered entity’s behalf.

Safe Harbor
Almost all state BNLs have a safe harbor provision, which provides that notification is not required if the personal data that was lost, stolen, or accessed by an unauthorized individual was encrypted, redacted or otherwise secured by a method or technology that renders it unreadable or unusable. Data is considered encrypted when it is in a form that is unreadable or unusable without a confidential process or key; by that definition, data whose key or decryption process was compromised along with it is not “encrypted” for safe harbor purposes. Data is considered redacted when it has been altered or truncated so that no more than five digits of a Social Security number, or only the last four digits of a driver’s license number, state identification number or account number, remain accessible.
In the event of a breach or suspected breach, the party subject to the BNL bears the burden of showing that the compromised data meets that state’s statutory definition of encryption or redaction in order to invoke the safe harbor.
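As an added, illustrative example (not part of the original post, and not legal advice), the following Python models the common-definition test described under State Law together with the redaction safe harbor above: a record is treated as notifiable personal information only if it carries a name plus at least one data element that is still readable beyond the truncation limit (at most five digits of an SSN, or the last four digits of a license, ID or account number), and an account number counts only when paired with the code needed to use it. The Record fields, the limits table and the sample records are assumptions made for illustration; the limits follow the wording common to many statutes, not the text of any particular state’s law.

```python
"""Triage of a compromised record set against the common BNL definition of
personal information and the redaction safe harbor (illustrative example)."""
import re
from dataclasses import dataclass
from typing import List

# Digits that may remain readable for the element to count as "redacted".
# Assumed from the wording common to many statutes, not any single state.
REDACTION_LIMITS = {"ssn": 5, "drivers_license": 4, "account_number": 4}


@dataclass
class Record:
    """One row of the compromised data set (field names are assumptions)."""
    first_name: str
    last_name: str
    ssn: str = ""
    drivers_license: str = ""
    account_number: str = ""
    access_code: str = ""  # PIN, password or security code for the account


def readable_digits(value: str) -> int:
    """Count digits that are still legible; mask characters such as X are not."""
    return sum(ch.isdigit() for ch in value)


def is_redacted(value: str, element: str) -> bool:
    """True if the element is absent or truncated to within the limit."""
    return not value or readable_digits(value) <= REDACTION_LIMITS[element]


def has_name(rec: Record) -> bool:
    """First name or first initial plus last name."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def exposed_elements(rec: Record) -> List[str]:
    """Data elements of the record that are present and not redacted."""
    found = []
    if not is_redacted(rec.ssn, "ssn"):
        found.append("ssn")
    if not is_redacted(rec.drivers_license, "drivers_license"):
        found.append("drivers_license")
    # An account number only qualifies together with the code needed to use it.
    if not is_redacted(rec.account_number, "account_number") and rec.access_code:
        found.append("account_number+access_code")
    return found


def is_personal_information(rec: Record) -> bool:
    """Name plus at least one unredacted data element."""
    return has_name(rec) and bool(exposed_elements(rec))


def notifiable(records: List[Record]) -> List[Record]:
    """Records that would trigger notification under the common definition."""
    return [r for r in records if is_personal_information(r)]


def redact(rec: Record) -> Record:
    """Truncate the data elements so the record falls within the safe harbor.

    The SSN is cut to its last four digits, one fewer than the five the
    wording allows, and the access code is dropped rather than stored
    alongside the account number.
    """
    def keep_last(value: str, n: int) -> str:
        digits = re.sub(r"\D", "", value)
        if not digits:
            return ""
        return "X" * max(len(digits) - n, 0) + digits[-n:]

    return Record(rec.first_name, rec.last_name,
                  ssn=keep_last(rec.ssn, 4),
                  drivers_license=keep_last(rec.drivers_license, 4),
                  account_number=keep_last(rec.account_number, 4),
                  access_code="")


# Constructed sample records, not real data.
SAMPLE = [
    Record("Alice", "Smith", ssn="123-45-6789"),                 # full SSN
    Record("B", "Jones", ssn="XXX-XX-6789"),                      # initial + truncated SSN
    Record("Carol", "Lee", account_number="4111111111111111"),    # account, no code
    Record("Dan", "Wu", account_number="4111111111111111", access_code="1234"),
    Record("", "", ssn="987-65-4321"),                            # no name
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.first_name!r:8} {r.last_name!r:8} exposed={exposed_elements(r)} "
              f"notifiable={is_personal_information(r)}")
    print("after redaction:", [is_personal_information(redact(r)) for r in SAMPLE])
```

Run against the constructed sample, only the first and fourth records are notifiable: the truncated SSN, the account number without its code, and the nameless record each lack one element of the definition, and every record passes the safe harbor test after `redact` is applied. Whether a real data set qualifies still turns on the statute of each affected resident’s state, so the limits table is the part to adjust.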

Notification Procedures
The time frame within which breached entities must notify victims varies by jurisdiction, ranging from “in the most expedient time possible and without unreasonable delay” to “no longer than 7 business days” to “no later than 45 days.” Depending on the statute, the notice may be written, electronic or even conveyed by telephone.
Most BNLs require covered entities to notify parties in addition to the victims of the breach. For instance, if the number of victims exceeds a threshold, usually 1,000 individuals, the breached entity may have to notify all consumer reporting agencies. Massachusetts, Maryland, Louisiana and a majority of other states and jurisdictions require covered entities to notify some type of regulatory authority of a breach, such as the attorney general, the director of consumer affairs or the insurance commissioner.
Nevada and other states extend the notification duty to entities that maintain data owned by others. In that situation, notice must be given to the owner of the data, which in turn triggers the owner’s duty to notify the victims.

Form of Notice
Under many BNLs, notice means individual written notice that includes a description of the incident in general terms, a description of the type of personal information that was subject to the unauthorized access, and contact information for the covered entity for further questions. It is also common for BNLs to require that the notice inform the resident of the right to obtain reports from the police department and consumer reporting agencies, and that it provide instructions on how to request a security freeze. Notification by email is often permitted if the affected resident has consented to receive electronic notice from the covered entity or if there is an existing business relationship with the resident that includes periodic electronic communications.
In addition, “substitute notice,” in the form of an email to affected residents or a conspicuous posting on the covered entity’s website, may be allowed where individual written notice would be too costly or the affected class too numerous. For example, Massachusetts allows substitute notice if the cost of providing notice would exceed $250,000, if the number of affected Massachusetts residents exceeds 500,000, or if the covered entity does not have sufficient contact information to provide notice.

Mobile App Developer Recommendations
In January 2013, California Attorney General Kamala D. Harris published a set of privacy recommendations for app developers, app platform providers and advertising networks operating in the mobile app sphere.
This set of recommendations exceeds California’s statutory mandates in many areas, but industry players including Amazon, Apple, Google and Facebook have already endorsed them. The voluntary recommendations encourage developers, from the outset of development, to adopt the following practices and build in the following functionality: (1) avoid collecting personal information from users that is not necessary for the app’s basic functionality; (2) make the app’s privacy policy easily accessible before the app is downloaded and write it in plain language; (3) give users alerts and control over data practices, delivered in context and just in time; and (4) limit the period for which data is retained to the time necessary to complete the function for which it was collected.
As many developers’ business models depend on data collection to attract advertisers, it seems unlikely that these recommendations will be widely adopted.

United States – European Union Safe Harbor Program

Businesses that deal with EU companies or have customers in the EU should note that the European Union defines the adequacy standard for privacy protection differently than the United States does. The European Commission, the executive body of the EU, mandates that companies operating in the EU may not send personal data to countries outside the European Economic Area (EEA) unless there is a guarantee that it will receive an adequate level of protection. To streamline compliance with EU Directive 95/46/EC for US companies, the U.S. Department of Commerce, in consultation with the EU, created the US-EU Safe Harbor Program.

The US-EU Safe Harbor Program is a certification process that US companies can opt into by complying with the seven Safe Harbor Privacy Principles. Eligible companies can self-certify or hire a third party to perform the assessment. All companies must re-certify every 12 months.

Besides the opportunity to work with EEA companies and clients, enrollment in the US-EU Safe Harbor Program provides that claims brought by EU citizens against U.S. companies will be heard in the U.S., subject to certain limitations. Further, the streamlined process encourages participation by small and medium organizations. A list of certified Safe Harbor organizations is available to the public.

Currently, the European Commission is proposing to replace Directive 95/46/EC with a regulation, which, unlike a directive, cannot be amended or tailored by individual member states. As Vice President of the European Commission and EU Justice Commissioner Viviane Reding explains:

The EU already has a data protection law: a Directive which dates back to 1995. In the intervening 18 years, the Member States have reacted to new technologies differently. The result is an inconsistent patchwork of 27 different national laws. It entails huge legal costs for firms who simply want to do business across the EU. The European Commission is eliminating those costs by replacing the current Directive by one single clear set of rules for all businesses in the Union – resulting in savings for companies of around 2.3 billion EUR per year.

Canada’s Personal Information Protection and Electronic Documents Act

A U.S.-based organization that handles the personal information of Canadians is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Passed in 2000, PIPEDA is Canada’s national privacy law and applies to personal information collected, used and disclosed by private sector organizations in the course of commercial activities. In its current form, PIPEDA does not require organizations to notify individuals whose personal information was involved in a breach, nor does it require them to notify a regulatory authority. What PIPEDA does require is that organizations meet certain safeguarding standards through physical, technological and organizational measures.
In February 2013, Bill C-475 was introduced in the House of Commons. In relevant part, organizations would have to “notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.” The Commissioner could then require the organization to notify the affected individuals, although an organization may voluntarily notify individuals at any point. Those interested in the progress of the bill can follow it on Parliament’s website.

Closing

The breadth of the data security breach notification laws cannot be overstated. Not only are more businesses collecting personal information, but technology has enabled them to collect more types of personal information and to retain it for longer periods. Somewhat surprisingly, some companies are unaware that they are collecting personal information from their users and employees at all. Information gathering is a necessary part of growing a business and providing better products and services; with it, however, every business must have appropriate privacy and security measures in place. Part of any periodic business evaluation should be a review of those privacy and security measures by legal counsel who is well versed in technology and experienced in navigating and applying the various laws and regulations.