
SEC ALLOWS START-UP INVESTING VIA CROWDFUNDING UNDER TITLE III OF THE JOBS ACT

The SEC recently voted on and passed the final rules to implement Title III of the JOBS Act, allowing non-accredited investors to invest in startups and other small companies via equity crowdfunding.  Before the new rules, private companies could seek money only from “accredited investors,” defined as individuals who own more than $1 million in assets, excluding their primary residence, or have received an income of more than $200,000 for at least two years.

The Jumpstart Our Business Startups Act, or JOBS Act, is a law intended to encourage funding of small businesses by simplifying various securities regulations. While it was signed into law by the President in April 2012, Title III of the JOBS Act could not become effective until the SEC passed rules to implement it. The SEC finally did that on October 30, 2015.

Entrepreneurs raising money through crowdfunding campaigns have typically rewarded their backers with early access to products and with T-shirts and coffee mugs.

But under new rules the entrepreneurs will be able to offer something that could potentially be more lucrative: an equity stake in their business.

The rules will allow small investors to buy shares of private companies under the provisions of the JOBS Act.

The new rules allow companies to raise up to $1 million in a 12-month period through a crowdfunding campaign. Companies will need to provide their potential investors with financial statements, but some first-time issuers and those seeking less than $500,000 will not be required to have the statements audited. Since the cost of audited financials can be substantial, this exception can be of great help to a start-up. However, it also poses risks for the investors, since they must invest in an unaudited company.

Companies will be able to advertise their offerings in a variety of ways, including posting them on Kickstarter-like portals for investors to inspect.

The amount of money backers will be allowed to invest depends on their income. Those with an annual income or net worth of less than $100,000 will be allowed to invest up to $2,000 in a 12-month period, or 5 percent of the lesser of their income or net worth, whichever is greater. Those with an income and net worth of more than $100,000 will be permitted to invest up to 10 percent of the lesser of their annual income or net worth.

This is great news for both entrepreneurs who now have easier access to capital and for regular investors who can invest and acquire equity in the next Facebook or Google.

However, it should be noted that the equity shares one may buy under Title III are risky investments. The entrepreneurs offering these investments do not run established, tested businesses. Instead, they run start-ups and companies at the beginning of the road, which can go out of business without much notice or recourse for the investors. Additionally, these are illiquid investments. Investors will generally be required to hold on to the shares for at least one year, and there are not yet many marketplaces for those seeking to sell shares in private companies, which are difficult to value.

With this latest development, private companies can now raise money from non-accredited investors in a number of ways. In June, new federal rules took effect allowing companies to raise up to $50 million through a provision known as Regulation A. Those deals carry stricter disclosure and compliance requirements than the crowdfunding process outlined in this post, which is intended to be much cheaper and faster for issuers.

Taken together, the new rules give entrepreneurs a much wider set of options for raising money from a diverse pool of investors.

Title III Summary

  • Equity crowdfunding expands to include non-accredited investor participation
  • Startups and small businesses can raise up to $1M in a period of a year
  • Investors making less than $100,000 per year can invest the greater of $2,000 or 5% of annual income
  • Investors making more than $100,000 per year can invest up to 10% of their annual income
  • Offerings must be made via Broker-Dealer or Portal Intermediary
  • Significant disclosures are required for companies to help provide transparency


The end of Safe Harbor... what’s next?

On October 6, 2015, the Court of Justice of the European Union (“CJEU”) – the European Union’s highest court – struck down the 15-year-old Safe Harbor Agreement that allowed companies to transfer personal data about EU citizens from European Union countries to servers in the United States, and replaced it with Privacy Shield. The information routinely transferred between the EU and the US included items like people’s web search histories and social media updates on platforms like Facebook or Instagram. The full text of the decision can be found here:

http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

As background information, EU law prohibits the transfer of personal information outside the EU, unless the receiving country provides an adequate level of privacy protection.  The European Commission determined that the US doesn’t offer the required level of protection.  In order to address that issue, the EU and the US entered into the Safe Harbor Agreement in 2000, allowing American companies to self-certify that they provide protections that are equivalent to the requirements of the EU’s Data Protection Directive.  At the time of the decision, approximately 5,000 companies relied on the Safe Harbor Agreement to transfer personal data from the EU to the US.

In 2013, Edward Snowden leaked information that the NSA was running a vast surveillance operation covering data about Europeans and other foreign citizens, data stored by American companies operating in the EU.

Privacy campaigner Max Schrems asked the Irish Data Protection Commission (the “Commission”) to audit what material Facebook might be passing on.

However, the Commission declined, noting that the data transfer was covered by the Safe Harbor Agreement.

When Schrems contested the decision, the matter was referred to the CJEU. As indicated above, the CJEU reversed the Commission’s decision; the basis for that reversal was the CJEU’s conclusion that the Safe Harbor Agreement should be struck down.

Following the October 6, 2015, decision, the European Commission said it would issue “clear guidance” in the coming weeks to prevent local data authorities from issuing conflicting rulings. The decision by the CJEU does not order an immediate end to those personal-data transfers. It rules that national regulators have the right to investigate and suspend them if they don’t provide sufficient protections, creating new legal risks for companies.

Meanwhile, U.S. and European regulators are negotiating an updated Safe Harbor Agreement, but the timetable is unclear.

Many large technology companies, including Alphabet, Amazon, Facebook and Microsoft, have said they already have backup legal mechanisms in place in a bid to avoid clashes with regulators. One option for US companies operating in Europe would be to expand their data centers in the EU.

Additionally, EU law provides for other ways to transfer personal data legally. Among them are so-called model contracts, which use language published by European officials. Another option would require companies to appeal to individual national regulators in Europe, a lengthy process.

Lastly, as of July 12, 2016, Privacy Shield has been enacted and approved for EU-US data transfers. There are some similarities and a few differences that we will discuss in a future post.

Operating Agreements – the lifeblood of the LLC

  1. The Operating Agreement.

Like any corporate entity concerned with limiting future liability, all LLCs are governed by a constituent document generally referred to as a “limited liability company [operating] agreement.” These agreements provide for the corporate governance of the LLC and are intended to be specific as to the rights and obligations of its members as well as the purpose and authority of the LLC itself.

The operating agreement offers maximum flexibility to the client, subject to general principles of equity. Principals have the option of varying agreement terms to suit their specific deal terms. But the ability to make operating agreements unique is also the reason why, sometimes, contributions don’t match distributions, the priority of distributions is ambiguous, and even the conditions under which a member may be admitted or expelled are specific to the type of business and the role of the member.

Accordingly, unless the practitioner is precisely duplicating a prior deal with the same members and the exact same deal documents, the practitioner must approach each matter as one of first impression in order to become cognizant of any differences between the deals that the client may deem legally insignificant but that could have a material effect on the outcome of the new operating agreement.

A couple of caveats: this post (i) isn’t a treatise on how to draft an operating agreement; it merely recognizes that the LLC business has evolved beyond the single-member, single-purpose LLC and may include varying numbers of members with conflicting interests; and (ii) focuses on a few selected methodologies for creating effective operating agreements that honor the fundamental requirements of contract (and, to some degree, tax) law.

Don’t have time for a treatise anyway; I think my boss wants this posted by next week.


  2. How Important is the Operating Agreement?

The Operating Agreement is perhaps the lifeblood of the limited liability company or LLC. It’s not that other constituent documents, contracts, agreements, policies and/or procedures entered into and/or adopted by an LLC aren’t critical components of an LLC’s business, but the operating agreement generally governs the LLC’s very ability or authority to even undertake such corporate actions.

There is no doubt that the LLC, through statutory law and its own operating agreement, offers significant corporate advantages to entities that can avail themselves of some very real business, tax, operational and management benefits. Like the traditional limited partnership, an LLC also has the beneficial feature of an extremely useful pass-through income function that may be exploited in a myriad of ways for tax or other business purposes for the benefit of the LLC and its members.

The lack of statutory limitations on LLCs provides the practitioner with an incredible amount of latitude with respect to the operation of the LLC not normally permitted by the traditional corporation. Subject to principles of equity, it could be said that the LLC is the corporation unshackled.  And as the LLC continues to increase in popularity based largely on the freedom it affords participants in complex transactions, operating agreements have had to keep pace, and, therefore have become similarly varied in purpose and complexity.

So the construction of the operating agreement is critical, arguably almost as crucial as the determination of transactional terms between the contracting members.

Unfortunately, the flexibility afforded in the construction of an operating agreement is often the very reason the agreement doesn’t work as intended.  Forced creativity often leads to ambiguity and/or inconsistency. And whether it’s because of unreasonable client demands, professional pressure at work, or, sometimes, just plain old laziness, practitioners may sometimes take license with various sections of an operating agreement governed by laws or statute not superseded by the laws governing LLCs.

Ah, but therein lies the rub.

The question is not whether, but how, the practitioner institutionalizes a process pursuant to which he can produce (perhaps a large volume of) LLC operating agreements that are specific, precise and fully satisfactory to his client.

Every agreement is unique but a good method should facilitate a beneficial result for all parties involved. I promise none of it is rocket science.

  3. Treat each Operating Agreement as a New Operating Agreement.

Treat each operating agreement as a new operating agreement. No assumptions. Regardless of whether you’ve worked with a client before or it’s a new client, get as many of the principals as possible in a meeting at one time to tell you the terms, all the terms. Deals tend to change when all the principals meet at the same time with their attorney. I like to start a call with “what’s new with you?”, “what’s new with the business?”, “have you got any new prospects, partners?” I’ve personally been surprised over the years how a simple personal conversation with a client in an impersonal setting leads to significant changes in how I’ve approached managing the client’s legal affairs on a going-forward basis.

Clients don’t always appreciate the legal significance of new information or future plans. That interview should also include inquiries designed to elicit information the practitioner may believe relevant to the new deal that may not have been pertinent to prior transactions.

Lastly, let’s be honest: attorneys, when faced with the new task of drafting an operating agreement, will usually seek out in their firm’s files a “similar” document on which to base the new agreement. This is admittedly easy but sometimes a formula for disaster, especially if you didn’t draft the first agreement.

The obvious changes are easy for the novice attorney. He compares the material deal terms of the found document to the term sheet of the current deal and proceeds to revise the document appropriately. Generally, this is a simple process. But frequently, when the document seems on point, the practitioner runs the risk of overlooking subtle differences driven by specific deal terms of the prior transaction in the more technical areas of the agreement, thereby producing a document inconsistent with the client’s needs.


  4. Basic Contract Law

Regardless of the type of governing instrument used by a corporate entity (or the versatility its form may offer), basic contract rules developed over 250 years of jurisprudence always apply and, more importantly, govern. This isn’t always easy to explain to a client, but it’s necessary. The flexibility offered in drafting operating agreements does not obviate those requirements. So it’s up to the practitioner to advise his client that he is not entitled to a member’s first-born child should the member commit a material breach, but to advise him on the potential for injunctions, indemnifications and other damages. Similarly, the LLC must appoint a “Tax Matters Partner” and pay its taxes (and allocate taxable income to the capital accounts of its members). And contributions should match distributions, subject to deal terms, and the priority of allocations, if not properly documented, could lead to violations of state or federal tax laws.

  5. Tax

If you’re not tax counsel, have one at the ready. If your instincts tell you that you don’t fully grasp the tax-related consequences of an operating agreement, don’t guess; seek a consult.

  6. Leverage the Experience Around You

Simple: if you don’t know or understand something and you’ve exhausted your research sources, ASK YOUR COLLEAGUES. Even if they haven’t experienced the type of agreement, attorneys collaborating on something unique or spectacular can only produce the best result for the client.

  7. Don’t let the Client off the hook

Stay in constant contact with as many principals as possible. Transactions are fluid and the attorney must keep the lines of communication open. More communication will result in fewer drafts being produced and costs being reduced.

Why Aereo Matters: Where did Secondary Liability Go?

Earlier this summer, in American Broadcasting Cos., Inc. v. Aereo, Inc., 573 U.S. (2014), the United States Supreme Court held that Aereo infringed the copyright holders’ exclusive rights to publicly perform their works by providing a service which allows subscribers to watch free, over-the-air broadcast television channels over the Internet. Aereo provided the service by mounting an array of small antennas — each dedicated to one individual subscriber. Aereo’s antennas would receive the broadcast signal, which Aereo would then buffer and stream over the Internet to the subscriber, much the same as any individual could do by connecting an antenna to a PC or laptop. The Court’s decision matters because the Court’s reasoning and ultimate decision that Aereo was engaged in direct copyright infringement, if widely followed, could eviscerate the concept of secondary liability on which many online services depend for their legality, and with it, the framework which has provided some degree of predictability to a complex area of law.

Copyright law applies to original works of authorship that are fixed in a tangible medium, and is the protective shield for movies, books, songs, dances, architecture and other artistic endeavors. There exists a “bundle of rights” within each copyrighted work, which are: the right to make copies of the work, the right to distribute copies of that work, the right to prepare derivatives, and depending on the nature of the work, the right to publicly perform or display the work publicly. A copyright owner can then assign or license any of these rights to any number of parties. In the Aereo case, the petitioners — TV broadcasters — alleged that Aereo infringed upon their exclusive right to publicly perform the work, specifically, their right to distribute and broadcast various television shows.

As background, one can become liable for copyright infringement in one of two ways: directly or secondarily (also known as contributory or vicarious infringement). Tracing concepts that are familiar in many other areas of law, direct liability for copyright infringement occurs when the infringer engages in one of the rights described above without authorization, ordinarily requiring some “volitional conduct” on behalf of the person accused of infringing. See Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 422 (1984); 3 W. Patry, Copyright §9:5.50 (2013). Secondary infringement occurs when the infringer has not itself engaged in the infringing activity but “intentionally induces or encourages infringing acts by others or profits from such acts while declining to exercise a right to stop or limit them.” See MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 (2005). Think of a secondary infringer as a co-conspirator or enabler.

Prior to the Aereo decision, companies that provide a commercial technology capable of both infringing and substantial non-infringing uses could count on any copyright challenge being analyzed under principles of secondary, not direct, liability. This was established in the landmark case of Sony Corp. of America v. Universal Studios, Inc., 464 U.S. 417 (1984), in which the Court refused to hold a manufacturer of VCR technology liable for copyright infringement. Under the test established by Sony and the cases that followed it, the defendant would not be secondarily liable for copyright infringement unless the defendant had (i) actual knowledge of specific instances of infringement and failed to act on that knowledge, or (ii) through public statements or advertisements, promoted the technology’s use as a means to infringe copyright. Id.; see also MGM, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005). This legal framework has provided some comfort to the owners of products and services such as the VCR, DVR, peer-to-peer file-sharing networks, cloud storage services, antennas, and many other Internet businesses that they would not be sued out of existence by overly zealous copyright owners. In light of this clear history, it would seem to have made sense for Aereo’s service to be analyzed under a theory of secondary liability. That’s not what happened.

In the complaint, the petitioners alleged direct and secondary liability. They also requested a preliminary injunction to force Aereo to suspend its services during the pendency of the litigation. The request for a preliminary injunction was based exclusively on the theory of direct liability. The district court denied the injunction, finding Aereo did not itself publicly perform the work; rather, each Aereo user specifically requested the content for his or her own personal viewing. The Court of Appeals denied rehearing of the case. Therefore the only issue the Supreme Court could decide was whether or not Aereo directly infringed the petitioners’ right to publicly perform the work for purposes of the preliminary injunction.

One possible result, and one that many commentators thought likely, would have been for the Supreme Court to agree with the district court that Aereo did not engage in direct infringement and remand the case back to the lower courts to play out. Instead, the Court steamrolled ahead and seemingly ignored the volitional-conduct requirement for direct infringement. In its place, the Court’s analysis depends on what the dissenting Justices snarkily called the “Looks Like a Cable Company” test in order to analyze Aereo’s technology under a theory of direct infringement.

While not officially called the “Looks Like a Cable Company” test, heavily seasoned throughout the Court’s reasoning was a 1976 Congressional amendment to the U.S. Copyright Act, in which Congress sought to include the activities of cable companies within the statute’s scope. Under the amended Copyright Act, “perform” means “to show its images in any sequence or to make the sounds accompanying it audible.” 15 U.S.C. 101. At the same time, Congress also added the “transmit” clause within The Copyright Act, which expanded the copyright owner’s exclusive right to perform its work to the public to include conduct which “transmits or otherwise communicates a performance… to the public, by means of any device or process.” 15 U.S.C. 101. Despite Aereo’s protests that it does no more than supply equipment that emulates the operation of a home antenna and DVR, the Court found that by providing a service which allowed subscribers to select a TV program to watch on Aereo’s website, which then streamed a single copy specifically downloaded for the subscriber to his or her device, it performed the work. Moreover, the Court held that the transmission to a single subscriber from a personal copy was, under the statute, a “transmission to the public” because “an entity communicates the same contemporaneously perceptible images and sounds to multiple people, it transmits a performance to them regardless of the number of discrete communications it makes.”

Under the Court’s reasoning, it is now more difficult to delineate between online technologies which do and do not run afoul of The Copyright Act. Arguably, the only way online technologies could be 100% certain of their legality under copyright law would be to implement filtering tools to prevent the use of their service to access copyrighted works unless the user can provide proof they are the copyright owners or are entitled to lawful possession of such works. Obviously, copyright owners would love that to become common practice, but it has very clearly not been a requirement of US law. Seeking assistance from the public on this question, the U.S. Copyright Office, Library of Congress issued a Request for Additional Comments for interested parties to provide thoughts and questions on the relevancy of secondary liability and the meaning of “making available” and “communication to the public” in light of the Aereo decision. Comments must be received by August 14, 2014.

In the meantime, here are the not-so-comforting words of The Supreme Court:

We cannot now answer more precisely how the Transmit Clause or other provisions of the Copyright Act will apply to technologies not before us. We agree with the Solicitor General that “[q]uestions involving cloud computing, [remote storage] DVRs, and other novel issues not before the Court, as to which ‘Congress has not plainly marked [the] course,’ should await a case in which they are squarely presented.” And we note that, to the extent commercial actors or other interested entities may be concerned with the relationship between the development and use of such technologies and the Copyright Act, they are of course free to seek action from Congress.

So, the Supreme Court’s advice to tech innovators and entrepreneurs is to either wait for a lawsuit or get Congress to pass a law (which, of course, takes years and lots of lobbying dollars). Not exactly practical or appealing options.

IP Licenses and Bankruptcy

You’ve entered into a software license agreement with a development company. Things are going well until one day you receive notice that the licensor company is bankrupt. Does the licensor’s bankruptcy terminate the license? Well, the answer is a two-step process. First, the trustee presiding over the licensor’s bankruptcy must move to reject the license agreement as executory (legalese for not fully-performed). Next, it’s up to you, the licensee.

Tip #1: Include express language in the agreement where the parties acknowledge that Section 365(n) applies to the licenses of intellectual property.

While specifically stating in the license agreement that the parties consent to Section 365(n) is not required in order for the provisions to apply, providing notice that the parties are aware of and consent to Section 365(n) may avoid a dispute down the line.

Section 365(n) of the U.S. Bankruptcy Code protects licensees of patents, copyrights and trade secrets by affording the licensee the option to either (i) elect to terminate the contract as a breach of contract by the licensor, or (ii) continue the license and retain its rights as such rights existed before the bankruptcy was commenced. 11 U.S.C. § 365(n). It even permits the licensee to extend the duration of the license, as long as the underlying license agreement provides for such an extension. Id.

It is important to note that Section 365(n) does not apply to licenses of trademarks. However, this may be changing and at least one court has extended the protections of Section 365(n) to a licensee of a trademark. See In re Lakewood Eng’g & Mfg. Co., 459 B.R. 306 (Bankr. N.D. Ill.2011), aff’d sub nom. Sunbeam Prods., Inc. v. Chi. Am. Mfg., 686 F.3d 373 (7th Cir. 2012).

Tip #2: Use present grant language, such as “Licensor hereby grants to Licensee a license” as opposed to “Licensor will grant to Licensee a license.”

While the above language is almost always desirable for a licensee, it has further importance in a situation where the licensor goes into bankruptcy. Oftentimes, in software development agreements, the parties will agree to place the source code in escrow until final payment has been issued, and that bankruptcy can trigger the release of escrowed source code to the licensee.

The potential issue that may arise in this situation is the bankruptcy court, driven by its goal of keeping the bankruptcy estate intact, may characterize a license whose release is triggered by bankruptcy of licensor as an unenforceable transfer of assets from the bankruptcy estate. While not foolproof, one tactic to guard against this from occurring is using “present grant of rights” language.

Another tactic is to expand the conditions which may trigger release of the source code from bankruptcy to include indications that bankruptcy may be imminent, such as when licensor is unable to or fails to render payments to its creditors as they come due.

Tip #3: Include a release from the non-solicitation/no-hire clause with regard to licensor’s programmers in the event of licensor’s bankruptcy.

If the parties include a non-solicitation or no-hire clause in the agreement, a licensee should include language that carves out bankruptcy. Specifically, if bankruptcy releases the source code from escrow, the licensee is permitted to hire the licensor’s programmers. By having their expertise involved, the licensee would have an easier time discerning the source code.

Three Steps to Appoint a DMCA Copyright Agent

The Digital Millennium Copyright Act (DMCA) is one of the statutory guideposts when it comes to copyright law in the United States. It is often cited in discussions of the not-so-popular use of digital rights management. However, the most important provision of the DMCA is Title II, which provides safe harbor for online service providers on whose sites third parties (i.e. users) post infringing material. Put another way, online service providers cannot be held liable for their users’ copyright infringement simply by providing the website or other online service on which the infringing activity occurs. In order to be worthy of safe harbor, online service providers, among other things, are required to “act expeditiously to remove, or disable access to, the material” when they become aware that such use is infringing. 17 U.S.C. 512(c). In order to make it easier for copyright owners to inform online service providers about infringing use on the online service provider’s website, and thus trigger the expeditious action of the online service provider, the DMCA also requires online service providers to designate a copyright agent to receive notifications of claimed infringement. See 17 U.S.C. 512(c)(2).

Failure to designate a DMCA agent and provide the agent’s name to the U.S. Copyright Office is grounds for forfeiting DMCA safe harbor. Moreover, subsequent designation of a DMCA agent does not protect an online service provider from liability for infringing activity that occurred before the designation. For a recent opinion on this matter, see Oppenheimer v. Allvoices, Inc., No. C-14-00499 LB (N.D. Cal. Jun. 10, 2014), citing Nat’l Photo Group, LLC v. Allvoices, Inc., No. C-13-03627 JSC, 2014 WL 280391, at *4 (N.D. Cal. Jan. 24, 2014).

Without safe harbor, online service providers may be facing some stiff penalties. A copyright infringer is liable for either (i) the copyright owner’s actual damages plus any additional profits of the infringer, or (ii) statutory damages, which can be as much as $150,000 per work where the infringement was done willfully and the underlying work is registered with the U.S. Copyright Office.

The good news is that designating a copyright agent is an easy process. Here are the three steps:

(1) Designate a copyright agent. It is not necessary to select an attorney; someone who regularly checks his/her mail and email will be sufficient. Once any notices are received, the agent should consult with an attorney.

(2) Publish the agent’s name and contact information, with the DMCA statutory language, on your website in a publicly accessible location (such as in your Terms of Use); and

(3) Fill out this Interim Form and mail it to the U.S. Copyright Office at Copyright Recordation, P.O. Box 71537, Washington, DC 20024 with the appropriate filing fee. (Sorry, no online filing.)

If you have previously submitted an agent’s name to the U.S. Copyright Office and wish to make an amendment, you can use this Amended Interim Designation and send it to the same address as above with, of course, the appropriate filing fee.

That’s it! Congratulations.

Please note that designating an agent, while required, is just one part of ensuring compliance with the DMCA’s safe harbor. If you have a website or offer services online, consult with an attorney to discuss DMCA and how you can guard your business against copyright infringement.

New Disclosures Requirements for Website Privacy Policies under California Law

Effective January 1, 2014, website operators and online service companies that collect personally identifiable information (PII) on California residents must describe in their privacy policies how the operator responds to “do not track” elections in users’ web browsers. “Do not track” is an option available in most, if not all, web browsers that allows users to communicate their desire to opt out of behavioral tracking, which is commonly used for analytics and advertising. That said, according to the California Attorney General’s Office, “there is, however, no legal requirement for sites to honor the [“Do Not Track”] headers.”

Also effective this month, website operators and online service companies must disclose whether third parties collect PII on California residents when the resident visits the operator’s website.

These amendments to Section 22575 of the California Business and Professions Code are an addition to a growing list of requirements for greater transparency to benefit California residents. California has always been at the forefront of privacy protection, with the state being the first to enact data breach notification laws and now the first to require a “Do Not Track” disclosure. It is important to note that while these amendments do not specifically prescribe how a website operator or online service company must respond, the increased transparency brought by such regulations may bring about greater consumer scrutiny.

This amendment will have far-reaching impact, and in case there was any doubt, California Attorney General Kamala Harris has stated that her office would interpret “online service” to include mobile applications. As such, all companies that operate a website or provide online services, including mobile applications, should have their privacy policies reviewed by legal counsel to ensure compliance with the updates to California’s Section 22575 as well as other data privacy laws.
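The disclosure requirement above is about describing how a site responds to the browser’s “Do Not Track” signal; the following is an added example (not code from the original post) of one way a server can actually read that signal and act on it. The header semantics follow the W3C Tracking Preference Expression draft; the cookie string and third-party tag are constructed for the example.

```python
"""Server-side handling of the browser "Do Not Track" (DNT) request header.

Added example, not code from the original post.  Header semantics follow the
W3C Tracking Preference Expression (TPE) draft: "DNT: 1" means do not track,
"DNT: 0" means the user consented, absence means no preference; the "Tk"
response header ("N" = not tracking, "T" = tracking) is also from that draft.
Cookie and tag values below are constructed for this example.
"""
from typing import Dict, Mapping, Optional

ANALYTICS_COOKIE = "site_analytics_id=abc123; Path=/; HttpOnly"   # constructed
THIRD_PARTY_TAG = '<script src="https://ads.example/tag.js"></script>'  # constructed


def dnt_preference(headers: Mapping[str, str]) -> Optional[bool]:
    """True if the user asked not to be tracked, False if they explicitly
    consented (DNT: 0), None if no valid preference was sent.

    Header names are compared case-insensitively, as HTTP requires, and any
    value other than "0" or "1" is treated as no preference.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
    return None


def response_headers(request_headers: Mapping[str, str]) -> Dict[str, str]:
    """Build the response headers: set the analytics cookie only when DNT is
    not asserted, and tell the client what was done via the Tk header."""
    if dnt_preference(request_headers) is True:
        return {"Tk": "N"}                       # no tracking, no cookie
    return {"Tk": "T", "Set-Cookie": ANALYTICS_COOKIE}


def page_tail(request_headers: Mapping[str, str]) -> str:
    """Emit the third-party collector only when tracking is allowed, so the
    privacy-policy statement about third-party collection stays accurate."""
    if dnt_preference(request_headers) is True:
        return ""
    return THIRD_PARTY_TAG
```

Whatever choice a site makes (honouring the header as above, or ignoring it), the privacy policy must describe that choice; the code only makes the described behaviour true.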


Expansion to Data Breach Notification under California Law

Also effective this month, the California legislature amended its breach notification laws[1] to expand the definition of PII to include “user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Following a breach involving solely such information, website operators and online service providers may notify users of the security breach in electronic form or by another method consented to by the user, and prompt the user to change his or her password or security question and answer, as applicable. The statute warns that website operators and online service providers do not satisfy the notification requirements by sending the notification to the email address involved in the breach. Instead, they must provide notice by another method prescribed by law, or by clear and conspicuous notice delivered online when the user is connected from an IP address from which the website operator knows the user customarily accesses the account.

[1] California Civil Code § 1798.29(a) for state agencies and California Civil Code § 1798.82(a) for businesses.

Beware “Leaky Apps”

Based on previously classified reports, the United States’ NSA and Britain’s Government Communications Headquarters have been collecting personal data from so-called “leaky apps” such as Google Maps and Angry Birds for years. While Google and Rovio deny any knowledge of the governments collecting data on their consumers, the fact is that the developers’ cooperation would not have been necessary, since much of the data gathered was transmitted unencrypted, in plain view of anyone who wanted to take a look.

While this story may or may not surprise many people, one of the takeaways is that data security is increasingly becoming a primary concern for app developers.

It is probably safe to say that a majority of app developers collect data about consumers who use their apps. This information is used by developers to fix bugs, create better products and offer additional services. Data also allows developers, and their third-party partners, to provide targeted advertising. It also follows that the more detailed the data, the more useful and valuable it is to developers. However, caught up in the arms race to collect the most data, some developers seem to have forgotten that with great data comes great responsibility.

SnapChat has been in the news quite a lot recently. They famously rejected Facebook’s $3 billion cash acquisition offer to the shock and perhaps admiration of their peers. They also have been in the news for being hacked not once, but twice. According to numerous reports, the reason why SnapChat was targeted by the “white hat” hackers was to “raise awareness of the app’s security issues.” Apparently SnapChat was made aware several times in the months leading up to the initial attack about vulnerabilities in the app’s security but they chose to ignore them. Following the attacks, SnapChat has taken an apologetic tone and promised to close the security gaps.

Also, last year, Sony was fined £250,000 by the United Kingdom’s Information Commissioner’s Office after it concluded that the breach of Sony’s PlayStation Network could have been prevented. The ICO called Sony’s security measures “simply not good enough.” In a statement released by the ICO, it explained:

“If you are responsible for so many payment card details and log-in details then keeping that personal data secure has to be your priority.”

“There’s no disguising that this is a business that should have known better. It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.”

Here in the U.S., a data breach could potentially expose an app developer to a variety of legal risks, including consumer class action lawsuits, investigations by state attorneys general, and even claims of breached fiduciary duty owed to shareholders.

In addition to installing technical measures to increase app security, app developers should also familiarize their employees with appropriate data destruction practices, put in place procedures to follow in the event of a data breach, and, of course, update their privacy policies.