Heated Debate Surrounds Proposed Federal Privacy Legislation

As we previously reported on the CPW blog, the leadership of the House Energy and Commerce Committee and the Ranking Member of the Senate Commerce Committee released a discussion draft of proposed federal privacy legislation, the American Data Privacy and Protection Act (“ADPPA”), on June 3, 2022. Signaling potential differences amongst key members of the Senate Committee on Commerce, Science, and Transportation, Chair Maria Cantwell (D-WA) withheld her support. Staking out her own position, Cantwell is reportedly floating an updated version of the Consumer Online Privacy Rights Act (“COPRA”), originally proposed in 2019.

Early Stakeholder Disagreement

As soon as a discussion draft of the ADPPA was published, privacy rights organizations, civil liberty groups, and businesses entered the fray, drawing up sides for and against the bill. The ACLU came out as an early critic of the legislation. In an open letter to Congress sent June 10, the group urged caution, arguing that both the ADPPA and COPRA contain “very problematic provisions.” According to the group, more time is required to develop truly meaningful privacy legislation, as evidenced by “ACLU state affiliates who have been unable to stop harmful or effectively useless state privacy bills from being pushed quickly to enactment with enormous lobbying and advertising support of sectors of the technology industry that resist changing a business model that depends on consumers not having protections against privacy invasions and discrimination.” To avoid this fate, the ACLU urges Congress to “bolster enforcement provisions, including providing a strong private right of action, and allow the states to continue to respond to new technologies and new privacy challenges with state privacy laws.”

On June 13, a trio of trade groups representing some of the largest tech companies sent their open letter to Congress, supporting passage of a federal privacy law, but ultimately opposing the ADPPA. Contrary to the position taken by the ACLU, the industry groups worry that the bill’s inclusion of a private right of action with the potential to recover attorneys’ fees will lead to litigation abuse. The groups took issue with other provisions as well, such as the legislation’s restrictions on the use of data derived from publicly-available sources and the “duty of loyalty” to individuals whose covered data is processed.

Industry groups and consumer protection organizations had the opportunity to voice their opinions regarding the ADPPA in a public hearing on June 14. Video of the proceedings and prepared testimony of the witnesses are available here. Two common themes arose in the witnesses’ testimony: (1) general support for federal privacy legislation; and (2) opposition to discrete aspects of the bill. As has been the case for the better part of a decade in which Congress has sought to draft a federal privacy bill, two fundamental issues continue to drive the debate and must be resolved in order for the legislation to become law: the private right of action to enforce the law and preemption of state laws or portions of them. While civil rights and privacy advocacy groups maintain that the private right of action does not go far enough and that federal privacy legislation should not preempt state law, industry groups argue that a private right of action should not be permitted and that state privacy laws should be broadly preempted.

The Path Forward

The Subcommittee on Consumer Protection and Commerce of the House Energy and Commerce Committee is expected to mark up the draft bill the week of June 20. We expect the subcommittee to approve the draft bill with little or no changes. The full Energy and Commerce Committee should complete work on the bill before the August recess. Given the broad bipartisan support for the legislation in the House, we anticipate that the legislation, with minor tweaks, is likely to be approved by the House, setting up a showdown with the Senate after a decade of debate.

With the legislative session rapidly drawing to a close, the prospects for the ADPPA’s passage remain unclear. Intense disagreement remains amongst key constituency groups regarding important aspects of the proposed legislation. Yet, in spite of the differences, a review of the public comments to date regarding the ADPPA reveals one nearly unanimous opinion: the United States needs federal privacy legislation. In light of the fact that most interested parties agree that the U.S. would benefit from federal privacy legislation, Congress has more incentive than ever to reach compromise regarding one of the proposed privacy bills.

© Copyright 2022 Squire Patton Boggs (US) LLP

Privacy Tip #335 – Health Care Sector Continues to Be Hit with Ransomware

For its recently issued 2022 State of Ransomware Report, Sophos surveyed 5,600 IT professionals from 31 countries, including professionals in the health care sector. Those professionals in the health care sector shared that 66 percent of them had experienced a ransomware attack in 2021, which was an increase of 69 percent over 2020. This was the largest increase of all sectors surveyed.

If you look at the Office for Civil Rights data breach portal, you will see that a vast majority of breaches reported by health care providers and business associates are related to “Hacking/IT incident.” This confirms that the health care sector continues to be attacked by threat actors seeking to steal protected health information of patients.

If you are a patient who receives a breach notification letter from a health care provider or business associate, the letter will provide guidance on how to protect yourself following a data breach and may offer some protections, including credit monitoring or fraud resolution. Such letters are sent to patients to comply with the breach notification requirements of HIPAA and state law. Those requirements include providing patients with mitigation steps to protect themselves from fraud following the breach. Avail yourself of these protections in the event your information is compromised. Take the time to sign up for the mitigation offered. It is clear that these attacks will not subside any time soon.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Six Tips for Selecting the Right CRM System

Before deciding on a new CRM, follow these steps to select the right CRM system that meets your requirements, enhances adoption, offers value to your users – and can provide a return on your investment.

Research estimates that up to 70% of CRM systems fail to meet expectations – and a failed CRM implementation can be extremely costly, not just in terms of the financial expense, but also because of the costs in lost time – and credibility. Even more impactful: you don’t often get a second chance at CRM success. This means that it’s critical to select the right CRM system the first time.

The good news is CRM success is more than possible. If you simply follow a few critical steps before and during the CRM selection process, you can ensure that the system you select will help you achieve your organization’s goals, enhance adoption and provide value to your users – and deliver a return on your technology investment.

Tip 1: Problems First, Then Products

When attempting to successfully select and implement CRM software, it’s essential to focus on people and processes first, products second. Too many people immediately rush out to find potential vendors, so they can set up demonstrations of the most popular CRM software.

While it’s easy to get caught up in the shiny bells and whistles of a good CRM demo, it’s important to resist the temptation to dive into features and functions too soon without first taking the time to gain a real understanding of your organizational and user needs.

Tip 2: Assess Your Needs

Organizations buy CRM software for a number of reasons – but each organization is unique. To provide real value and ROI, before making the purchase, you have to understand what you are trying to accomplish.

Start by putting together a list of the key reasons you think you need a CRM.

  • Are you trying to communicate more effectively with clients and prospects?
  • Manage and evaluate the ROI of events or sponsorships?
  • Track and enhance business development efforts?
  • Help the organization be more efficient?
  • Increase business and revenue?

After assessing your organization’s needs, you may discover that you have more goals than you first thought.

If this is the case, it will be important to prioritize the goals. Don’t try to boil the ocean. If you try to tackle too many things at once, especially during the initial rollout, you will be less likely to succeed. Instead, assign your goals to a timeline based on importance and value to users. For the initial implementation, set a few relevant goals, achieve those initial successes, communicate the successes – and repeat.

Once you understand your organization’s unique needs and requirements, it’s time to talk to your users. One of the biggest frustrations we hear from clients is a lack of CRM adoption. This isn’t surprising since, in many of these organizations, system users were not involved during the selection process. To get people to buy in and use software, it has to provide value not only to the organization, but to the users individually. The challenge is that different people define value differently, which means different groups or types of users will have their own unique needs and requirements. That’s why it’s so important to get them involved early. Making your users part of the process up front will also make them more likely to adopt the software later.

To gather user input, consider creating focus groups to provide feedback on product features and functions. You may even want to meet with some of the naysayers individually to start encouraging their participation and head off future roadblocks. Finally, be sure to involve key stakeholders in system demonstrations to help evaluate the software and solicit their feedback before proceeding with system selection. In fact, it’s beneficial to have users involved throughout the rollout to offer ideas on how to improve the CRM implementation for everyone.

Tip 3: Evaluate the Systems and Providers

After gathering all the relevant information, it’s important to fully document your requirements and make sure you are well-prepared before reaching out to providers. The best way to do this is with what I call a ‘demo roadmap.’ This is a comprehensive two- to three-page document that sets out all of the details for the demonstrations along with all the needs and requirements gathered during the needs assessment and the features and functionality that you want to see.

Your ‘roadmap’ will guide the CRM providers so that they show you the key system attributes that are critical to the success of your organization and users and also helps to prevent the demonstrations from becoming a ‘dog and pony show.’ Your roadmap should be shared with the CRM providers well in advance of the demonstrations to give them time to adequately prepare.

Some larger organizations may also find it beneficial to take an additional step and create a much more detailed, formal RFP document. This request for proposals would be sent to potential CRM providers to solicit answers to a number of questions before scheduling any demos. The formal responses allow you to evaluate and compare the vendors and their system features and pricing in advance of the demonstrations. Many organizations use the RFP to limit the demonstrations to only the potential providers who are able to meet the organization’s budget and other requirements.

Once you have identified a few CRM systems that meet your requirements, you can begin the vetting process to select the right CRM system for your organization.

Tip 4: Direct the Demonstrations

It’s essential that the CRM demonstrations allow you to make an informed decision and adequately and accurately compare systems, features and pricing. It’s also important at this phase to again involve your users. CRM systems have a reputation for being notoriously difficult to implement, and the last thing you want is to be responsible for unilaterally selecting a system that then doesn’t meet user expectations. Involving users can also help to make them more invested in system success.

It’s also important to structure the participation and demonstrations so you maximize the benefits.

First, it can be helpful to thin the field of participating CRM providers to a manageable number.

Next, select a group of users to participate. It can be good to choose users from different groups such as professionals and administrative, so you get some different perspectives.

Participants selected must have the time and inclination to participate and must be willing to sit through all of the demonstrations so they can accurately compare all the systems.

Finally, you may want to prepare the users by sharing the requirements and/or roadmap with them and asking them to be prepared to ask any questions they may have.

You should also prepare the providers. First, let them know how much time they have. A typical CRM demonstration can take between one and two hours.

Also let them know who will be participating and what their needs and interests are. If you have professional or executive users who have limited time for demonstrations, it can be helpful to direct the providers to spend the first 30 minutes to an hour of the demo on the features that are most relevant to those users.

Then they can step out and the rest of the time can be spent showing you the more detailed back-end functionality. Finally, be sure to leave at least 15 minutes at the end of the demonstrations for questions.

Tip 5: Check References

Before making the final commitment to a CRM system, it’s important to go through a thorough vetting process and make sure you get all the information you need before finalizing your purchase.

First, ask the CRM vendor for references you can speak with. But don’t stop there. Talk to other companies or organizations in your industry who have used the software. Be sure to ask open-ended questions that will help you learn not only about the software, but also about other important areas. A few good questions to ask include:

  • Would you recommend the software?
  • Has the system performed as expected?
  • What were the biggest challenges with the implementation?
  • Were there any unexpected costs or delays?
  • What do you wish you had done differently during the selection and implementation?
  • How was the service after the sale?

For a comprehensive list of good questions to ask before finalizing the sale, check out our CLIENTSFirst CRM Reference Checking Questions Document.

Tip 6: Final Selection Steps

Once you have selected the right CRM system for your organization, there are still a few additional important details that require attention. You will want to have a formal scoping call with the provider to be able to accurately gauge the actual cost. The final price can vary depending on a number of variables including:

  • The number and types of licenses
  • Additional modules or software needed
  • Professional services to implement
  • Ongoing annual subscription or maintenance costs
  • Any proposed integrations
  • The types of training and materials
  • Data conversion and/or quality

If the price is an issue with your system of choice, there are also options. First, there may be room for negotiation. Alternatively, you can do a phased rollout to spread the costs over time. Some organizations prefer to start the rollout with Marketing and power users and then roll out to a small pilot group. Then additional groups can be added in later phases over time.

Finally, remember that in any sale, you are not finished until the paperwork is done. After the price is agreed upon, you will need to review the contract or agreement. While these documents may look official and final, in fact they are often open to negotiation, so it can be beneficial to modify some of the contract terms.

For instance, if the software is new to the market, you may be able to get a discount or arrange a beta test at a reduced rate.

Additionally, instead of paying the entire invoice up front, you can often negotiate payment terms that are stepped over time based on the satisfactory completion of key deployment steps. This can enhance your chances of CRM success by aligning your CRM vendor’s success with yours.

One Last Tip: Don’t Do It Alone

Selecting the right CRM system can be a daunting process. Most firms have never been through the process before – and few want to repeat it.

© Copyright 2022 CLIENTSFirst Consulting

Hackers Go Phishing in Beeple’s Deep Pool of Twitter Followers

“Stay safe out there, anything too good to be true is a … scam.” Beeple, a popular digital artist, tweeted to his followers, addressing the phishing scam that took place on May 23, 2022, targeting his Twitter account. The attack reportedly resulted in a loss of more than US$400,000 in cryptocurrency and NFTs, stolen from the artist’s followers on the social media website.

After hacking into Beeple’s Twitter account, perpetrators tweeted links from the artist’s page, promoting a fake raffle for unique art pieces. The links would reportedly take the user to a website that would drain the user’s cryptocurrency wallet of their digital assets.

Phishing scams for digital assets, including NFTs or non-fungible tokens, have steadily increased, with funds as large as $6 million being stolen. Various jurisdictions have adopted privacy and security laws that require companies to adopt reasonable security measures and follow required cyber incident response protocols. A significant part of these measures and protocols is training for employees in how to detect phishing scams and other hacking attempts by bad actors. This incident is a reminder to consumers to exercise vigilance, watch for red flags and not click on links without verifying the source.

The remaining summaries of news headlines are separated by region for your browsing convenience. 

UNITED STATES

Relaxed Deaccessioning COVID-19 Exemptions Expire

The global COVID-19 pandemic brought many changes, including dire financial consequences of the shutdowns for museums. In April 2020, the Association of Art Museum Directors (AAMD) made a decision to ease the rules that dictate how museums may use proceeds from art sales. Until April 2022, museums were permitted to use the funds for “direct care of collections” rather than to procure new artworks for their collections.

This relaxed policy and some of the museums that followed it met with backlash on more than one occasion; others, however, advocate for its continuation, citing considerations of diversity and inclusion. Some further argue that a policy born out of financial desperation should be continued to provide museums with the means to overcome any future financial issues that may arise.

Given that “direct care” is vague and open to interpretation, opponents of the relaxed rules counter that giving museums such latitude to decide on the use of the proceeds can lead to abuses and bad decisions. While AAMD has returned to its pre-pandemic regulations, and museums have followed suit, it appears that the public debate around deaccessioning is far from over.

Inigo Philbrick Sentenced to a Prison Term

Former contemporary art dealer Inigo Philbrick was sentenced by a federal court in New York to serve seven years in prison for a “Ponzi-like” art fraud, said to be one of the most significant in the history of the art market, with more than an estimated US$86 million in damages. Philbrick stood accused of a number of bad acts, including forging signatures, selling shares in artworks he did not own and inventing fictitious clients.

New York Abolishes Auction House Regulations

As the U.S. government is studying whether the art market requires further regulations to increase transparency and to combat money laundering, New York City repealed its local law that required auctioneers to be licensed and required disclosures to bidders, including whether an auction house had a financial stake in the item being auctioned. While the abolition of the regulation was ostensibly to improve the business climate after the pandemic, some commentators note that the regulations were outdated and not serving their purpose in any event. As an illustration, a newcomer to an auction will likely struggle to understand the garbled pre-auction announcements or their significance. Whether the old regulations are to be replaced with new, clearer rules remains to be seen.

EUROPE

Greece and UK to Discuss Rehoming of Displaced Parthenon Marbles

The Parthenon marbles, also known as the Elgin marbles, have been on display in London’s British Museum for more than 200 years. These objects comprise 15 metopes, 17 pedimental figures and an approximately 250-foot section of a frieze depicting the birthday festivities of the Greek goddess Athena. What museum goers might not know is that these ancient sculptures were taken from the Acropolis in Greece in 1801 by Lord Elgin.

Previously, the British government, seeking to retain the sculptures, relied on the argument that the objects were legally acquired during the Ottoman Empire rule of Greece. However, for the first time, the UK has initiated formal talks with Greece to discuss repatriation of the Parthenon sculptures. These discussions are expected to influence future intergovernmental repatriation negotiations.

ASIA

Singapore High Court Asserts Jurisdiction over NFTs after Ruling Them a Digital Asset

The highest court in Singapore has granted an injunction to a non-fungible token (NFT) investor, Janesh Rajkumar, who sought to stop the sale of an NFT that once belonged to him and was used as collateral for a loan. The subject NFT from the Bored Ape Yacht Club Series is a rarity, as it depicts the only avatar that wears a beanie. Rajkumar now is seeking to repay the loan and have the NFT restored to his cryptocurrency wallet. The loan agreement specified that Rajkumar would not relinquish ownership of the NFT, and should he be unable to repay the loan in a timely manner, an extension would be granted. Instead of granting Rajkumar an extension, the lender, who goes by an alias “chefpierre,” moved to sell the NFT. The significance of the Singapore court’s decision is two-fold: the court has (1) recognized jurisdiction over assets cited in the decentralized blockchain, and (2) allowed for the freezing order to be issued via social media platforms.

THE MIDDLE EAST

Illegal Trading Leads to Raiding of Antique Dealer by the Israeli Authorities

A recent raid on an unauthorized antiquities dealer in the city of Modi’in by the Israel Antiquities Authority recovered hundreds of artifacts of significant historical value, including jewelry, a bronze statue and approximately 1,800 coins. One of the coins is a nearly 2,000-year-old silver shekel of great historical significance. The coin is engraved with the name Shimon, leader of the 132–136 C.E. Bar Kokhba revolt.

Investigations are ongoing to determine where the antiquities were obtained. The Antiquities Robbery Prevention Unit intends to charge the dealer and their suppliers upon obtaining this information.

© 2022 Wilson Elser

SEC Commissioner Signals Need to Fulfill Mandate of Sarbanes-Oxley Act and Develop “Minimum Standards” for Lawyers Practicing Before the Commission

In remarks on March 5, 2022, on PLI’s Corporate Governance webcast, Commissioner Allison Herren Lee of the Securities and Exchange Commission stated that 20 years after its enactment, it is time to revisit the “unfulfilled mandate” of Section 307 of the Sarbanes-Oxley Act of 2002 and establish minimum standards for lawyers practicing before the Commission.1  Commissioner Lee, who announced that she will not seek a second term when her current one ends this month, took issue with what she called the “goal-directed reasoning” of some securities lawyers—that is, focusing primarily on the outcome sought by executives, rather than the impact on investors and the market as a whole.  Such lawyering, Commissioner Lee observed, has a host of negative consequences, including encouraging non-disclosure of material information, harming investors and market integrity, and stymying deterrence.  The solution, Commissioner Lee opined, is to fulfill the mandate of Section 307, which empowered the Commission to “issue rules, in the public interest and for the protection of investors, setting forth minimum standards of professional conduct for attorneys appearing and practicing before the Commission in any way in the representation of issuers.”2

Over the last 20 years, the Commission has declined to adopt enhanced rules of professional conduct for lawyers appearing before the Commission.  There are good reasons for the Commission’s inaction, including the attorney-client privilege, the goal of zealous advocacy, the fact-specific nature of materiality determinations, and the traditionally state-law basis for the regulation of attorney conduct.  Commissioner Lee, moreover, did not propose specific new rules and recognized that the task was difficult and should be informed by the views of the securities bar and other stakeholders.  Nor did she say that action by the Commission was imminent; it is unclear whether the Commission has authority to promulgate new rules under Section 307 given a 180-day sunset under the statute that occurred in 2003.  Indeed, neither Commissioner Lee nor any of the other SEC commissioners have issued statements on this topic since the PLI webcast.  SEC Enforcement Director Gurbir Grewal has, however, indicated an increased emphasis on gatekeeper accountability in order to restore public trust in the market.3  Nonetheless, given the Commission’s existing authority to impose discipline under its Rules of Practice, practitioners should be mindful of the potential for increased scrutiny moving forward.

Background

In the wake of corporate accounting scandals involving Enron, Worldcom, and other companies, Congress enacted the Sarbanes-Oxley Act in 2002 “[t]o safeguard investors in public companies and restore trust in the financial markets.”4  The Act was aimed at “combating fraud, improving the reliability of financial reporting, and restoring investor confidence,”5 including by empowering the SEC with increased regulatory authority and enforcement power.6  To that end, the Act includes provisions to fortify auditor independence, promote corporate responsibility, enhance financial disclosures, and enhance corporate fraud accountability.7

The Sarbanes-Oxley Act was passed just six months after the collapse of Enron in December 2001, and neither the House nor Senate bills originally contained professional responsibility language.8  Hours before the Senate passed its version of the Act, however, the Senate amended the bill to include language that would eventually become Section 307.9  Around the same time, 40 law professors sent a letter to the SEC requesting the inclusion of a professional conduct rule governing corporate lawyers practicing before the Commission.10  The letter picked up on a 1996 article by Professor Richard Painter, then of the University of Illinois College of Law, which recommended corporate fraud disclosure obligations for attorneys similar to those imposed on accountants by the Private Securities Litigation Reform Act of 1995.11  Senator John Edwards, one of the sponsors of the Senate floor amendment of the bill, emphasized the importance of including professional conduct rules for attorneys in such a significant piece of legislation, stating that “[o]ne of the problems we have seen occurring with this sort of crisis in corporate misconduct is that some lawyers have forgotten their responsibility” is to the companies and shareholders they represent, not corporate executives.12

In its final form, Section 307 imposed a professional responsibility requirement for attorneys that represent issuers appearing before the Commission.  Specifically, Section 307 directed the Commission, within 180 days of enactment of the law, to “issue rules, in the public interest and for the protection of investors, setting forth minimum standards of professional conduct for attorneys appearing and practicing before the Commission in any way in the representation of issuers,”13 and, at minimum, promulgate “a rule requiring an attorney to report evidence of a material violation of securities laws or breach of fiduciary duty or similar violation by the issuer or any agent thereof to appropriate officers within the issuer and, thereafter, to the highest authority within the issuer, if the initial report does not result in an appropriate response.”14

Since the enactment of Section 307, however, the Commission has promulgated only one rule pursuant to its authority, commonly known as the “up-the-ladder” rule.15  The up-the-ladder rule imposes a duty on attorneys representing an issuer before the Commission to report evidence of material violations of the securities laws.  When an attorney learns of evidence of a material violation, the attorney has a duty to report it to the issuer’s chief legal officer (“CLO”) and/or the CEO.16  If the attorney believes the CLO or CEO did not take appropriate action within a reasonable time to address the violation, the attorney has a duty to report the evidence to the audit committee, another committee of independent directors, or the full board of directors until the attorney receives “an appropriate response.”17  Alternatively, attorneys can satisfy their duty by reporting the violation to a qualified legal compliance committee.18  To date, the SEC has never brought a case alleging a violation of the up-the-ladder rule.

Commissioner Lee’s Remarks

In her remarks, Commissioner Lee stated that it is time to revisit the “unfulfilled mandate” of Section 307 and consider whether the Commission should adopt and enforce minimum standards for lawyers who practice before the Commission.  Commissioner Lee criticized “goal-directed reasoning” employed by sophisticated counsel in securities matters, and cited as an example Bandera Master Fund v. Boardwalk Pipeline,19 a recent decision in which the Delaware Court of Chancery rebuked the attorneys involved for their efforts to satisfy the aims of a general partner instead of their duty to the partnership-client as a whole.  The Court, specifically, stated that counsel “knowingly made unrealistic and counterfactual assumptions, knowingly relied on an artificial factual predicate, and consistently engaged in goal-directed reasoning to get to the result that [the general partner] wanted.”20  Bandera and cases like it, according to Commissioner Lee, are emblematic of a “race to the bottom” caused by pressure on securities lawyers to compete with each other for clients, while failing to give due consideration to the potential impact on investors, market integrity, and the public interest.

In Commissioner Lee’s view, “goal-directed” lawyering not only falls short of ethical standards but causes harm to the market and reduces deterrence.  Commissioner Lee expressed concern that, in an effort to give management the answer it wants, lawyers may downplay or obscure material information.21  Although recognizing that materiality determinations are fact-intensive, Commissioner Lee said that should not provide blanket cover for legal advice aimed at concealing material information from the public.  Non-disclosure has a host of negative consequences, including distorting market-moving information, interfering with price discovery, misallocating capital, impairing investor decision-making, and eroding confidence in the financial markets and regulatory system.  Further, such lawyering diminishes deterrence by creating a legal cover for inadequate disclosure, making it more difficult for regulators to hold responsible individuals accountable.  This type of legal counsel, in Commissioner Lee’s view, “is merely rent-seeking masquerading as legal advice, while providing a shield against liability.”

Commissioner Lee stated that the existing framework governing professional conduct is not adequate to hold lawyers accountable for such “reckless” advice.  According to Commissioner Lee, state bars—the principal source for lawyer discipline nationwide—are not up to the task because they lack resources, expertise in securities matters, and the ability to impose adequate monetary sanctions.  Additionally, Commissioner Lee noted that state law standards focused mostly on the behavior of individual lawyers, assigning few responsibilities to the firm for quality assurance.  Indeed, state law standards are mostly drafted in a “one-size-fits-all fashion” according to Commissioner Lee, and do not take into account the different issues faced at large firms that represent public companies, which are quite different from a solo practitioner handling personal injury or estate law matters.  Likewise, although the SEC has the power under Rule 102(e) of its Rules of Practice to suspend or bar attorneys whose conduct falls below “generally recognized norms of professional conduct,” there has been little effort to define or enforce that standard.22  Nor has the SEC rigorously enforced standards of attorney conduct under the one rule it has issued under Section 307, the “up-the-ladder” rule.

Commissioner Lee stated that it was time for the Commission to fulfill its mandate under Section 307.  Although not proposing any specific rules, Commissioner Lee offered the following concepts as a starting point:

  • Greater detail on lawyers’ obligations to a corporate client, including how advice must reflect “the interests of the corporation and its shareholders rather than the executives who hire them”;
  • Requirements of “competence and expertise” (as an example, disclosure lawyers should not opine on materiality “without sufficient focus or understanding of the views of ‘reasonable’ investors”);
  • Continuing education for securities lawyers advising public companies (similar to requirements set by the Public Company Accounting Oversight Board for minimum hours of qualifying continuing professional education for audit firm personnel);
  • Oversight at the firm level (similar to quality-control measures implemented at audit firms);
  • Emphasis on the need for independence in rendering advice (similar to substantive and disclosure requirements implemented in Rule 2-01 of Regulation S-X for auditors);
  • Obligations to investigate red flags and ensure accurate predicates for legal opinions (similar to the obligations that an auditor must perform to certify to the accuracy of their client’s financial statements); and
  • Retention of contemporaneous records to support the reasonableness of legal advice.

Commissioner Lee noted that the content of any specific rules or standards will require “careful thought,” as well as assistance from the securities bar, experts on professional responsibility, and other interested parties and market participants.  She invited input from the legal community and other stakeholders and noted that she appreciated the complexity of the task and concerns of the American Bar Association and others regarding protection of the attorney-client privilege.  Indeed, outside auditors are generally regarded as “public watchdogs” and such communications between the corporation and an auditor are not entitled to the affirmative attorney-client privilege afforded to legal counsel.  Accordingly, regulating the legal profession using a similar framework to that applied to the accounting profession has sparked more controversy.  Nonetheless, in Commissioner Lee’s view, those concerns should be weighed against “the costs of there being few, if any, consequences for contrived or tortured advice.”

Implications

The Commission has declined to adopt enhanced rules of professional conduct for lawyers appearing before it in the 20 years since the enactment of the Sarbanes-Oxley Act.  Commissioner Lee’s call for minimum standards, however, potentially signals increased scrutiny by the SEC with respect to lawyers who “practice before the Commission.”  As Commissioner Lee noted, that means “counsel involved in the formulation and review of issuers’ public disclosure, including those who address the many legal questions that often arise in that context.”23  Nonetheless, Commissioner Lee cautioned that she did “not intend with these comments to address the conduct of attorneys serving as litigators or otherwise representing their client(s) in an advocacy role in an adversarial proceeding or other similar context, such as in an enforcement investigation.”24

Although Commissioner Lee framed her call for standards in terms of Section 307 of the Sarbanes-Oxley Act, it is not clear that the Commission will—or even can—promulgate any further rules under that authority.  Commissioner Lee did not state that she was speaking on behalf of the Commission or indicate that the Commission would be taking concrete, imminent steps to adopt such standards.  The Commission has not put its imprimatur on the remarks by incorporating them into a formal release or statement of policy.  Moreover, the text of Section 307 appears to foreclose the possibility of further rulemaking, as it provides that the Commission shall issue any such rules “[n]ot later than 180 days after the date of enactment of this act,” i.e., January 27, 2003.  Consistent with that constraint, the SEC proposed the up-the-ladder requirements on November 21, 2002, in Release No. 33-8150, and the rule became final on January 29, 2003.25  But the SEC has not issued any other rule under Section 307 to date.

Even if official action under Section 307 may not be forthcoming, Commissioner Lee’s call for action should not be discounted.  Setting aside the up-the-ladder requirements, the SEC has authority under Rule 102(e) of the SEC’s Rules of Practice to censure or bar a lawyer from appearing or practicing before the Commission if found, among other things, “[t]o be lacking in character or integrity or to have engaged in unethical or improper professional conduct.”26  Commissioner Lee cited prior SEC guidance to indicate that Rule 102(e) may apply to attorney conduct that falls below “generally recognized norms of professional conduct,”27 a standard that has been left undefined to date.28  In practice, the SEC “will hold attorneys who practice before it to the standards to which they are already subject, including state bar rules.”29  At a minimum, then, Commissioner Lee’s objective of greater accountability may be achieved through a more aggressive application of Rule 102(e), which, as she noted, has generally only been applied as a follow-on penalty for primary violations of the securities laws by lawyers.

Commissioner Lee’s term expires on June 5, and she has announced that she intends to step down from the Commission once a successor has been confirmed.30  Should the Commission nonetheless take up her call to action in the future, it will be no easy task to adopt clear standards that can be implemented in a predictable manner.  In particular, Commissioner Lee’s focus on the role of lawyers in advising issuers on determinations of materiality and disclosure does not lend itself well to oversight or enforcement.  The well-established standard for materiality—whether “there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”—is far from clear-cut.31  The Supreme Court, moreover, long has recognized that materiality “depends on the facts and thus is to be determined on a case-by-case basis.”32  As such, and as evidenced by the sundry cases concerning disclosure issues reversed on appeal, disagreement between litigants—as well as jurists—on matters of materiality and disclosure is par for the course.  If that is so, how can a lawyer’s advice on such matters (which will inevitably turn on the facts and the lawyer’s judgment and experience) be subject to oversight in any objective sense?

Even if lawyers’ materiality advice could be evaluated under objective standards, there are other difficulties.  First and foremost is that oversight of legal advice implicates the attorney-client privilege and the underlying benefit of candid advice from securities disclosure and corporate counsel.  As the Supreme Court has observed, the attorney-client privilege “is founded upon the necessity, in the interest and administration of justice, of the aid of persons having knowledge of the law and skilled in its practice, which assistance can only be safely and readily availed of when free from the consequences or the apprehension of disclosure.”33  Aside from situations in which the client has voluntarily waived privilege (as sometimes occurs in SEC investigations) or where another exception to the privilege applies, it is unclear how the SEC could evaluate legal advice without invading privilege.  Such attempts could lead to an increase in corporate wrongdoing as corporate executives could be more reluctant to seek expert legal advice.  In addition, it is unclear how regulators assessing materiality advice would—or could—balance an assessment of whether a lawyer has given the “correct” advice with a lawyer’s ethical obligations of zealous representation of the client.34  The divide between overreaching “goal-directed” reasoning and permissible zealous advocacy for the client is often murky, and reasonable minds can differ depending on the circumstances.

Moreover, it is already well-accepted that a corporate lawyer’s obligation is to the corporation as its client, not to any individual officer or director.35  That obligation carries with it ethical duties to “proceed as is reasonably necessary for the best interest” of the corporation, including when the lawyer is aware of violations of the law or other misconduct by senior management.36  In that sense, Commissioner Lee’s proposal could be viewed as a call for the SEC to take on enforcement of existing ethical rules, rather than for the development of novel “minimum standards.”

Ultimately, there are good reasons for the Commission’s reluctance to date to formally adopt minimum standards of professional conduct for lawyers appearing before it, including the attorney-client privilege, the goal of zealous advocacy, and the fact-specific nature of materiality inquiries.  The manipulation of facts and bad reasoning targeted by Commissioner Lee are not only the exception, and difficult if not impossible to eliminate completely, but are largely covered by existing rules and practices.  Nonetheless, Commissioner Lee’s call for lawyers to strive for higher legal and ethical standards in their counsel should be welcomed.  Sound legal advice is not only important for issuer clients, but also for the financial well-being of investors, the integrity of the markets, and public confidence in the regulatory system and capital markets.  Enhancements in ethical standards for the legal profession could also lead to reputational benefits and greater integrity in the profession.  It remains to be seen whether Commissioner Lee’s remarks will serve as an aspirational goal for securities lawyers, or translate into concrete action by the Commission.


1 Commissioner Allison Herren Lee, Send Lawyers, Guns and Money: (Over-) Zealous Representation by Corporate Lawyers Remarks at PLI’s Corporate Governance – A Master Class 2022 (Mar. 4, 2022), [hereinafter “Commissioner Lee Remarks”].

2 See Sarbanes‑Oxley Act, § 307, 15 U.S.C. § 7245 (2002).

3 Gurbir Grewal, Director, Division of Enforcement, Remarks at SEC Speaks 2021 (Oct. 13, 2021).

4 Lawson v. FMR LLC, 571 U.S. 429, 432 (2014).

5 Stephen Wagner and Lee Dittmar, The Unexpected Benefits of Sarbanes-Oxley, Harvard Bus. Rev. (Apr. 2006).

6 See Sarbanes–Oxley Act, § 3, 15 U.S.C. § 7202 (2002).

7 See Sarbanes–Oxley Act, § 1, 15 U.S.C. § 7201 (2002).

8 Jennifer Wheeler, Securities Law: Section 307 of the Sarbanes-Oxley Act: Irreconcilable Conflict with the ABA’s Model Rules and the Oklahoma Rules of Professional Conduct?, 56 Okla. L. Rev. 461, 464 (2003).

9 Id.

10 Id. at 468-69.

11 See generally Richard W. Painter & Jennifer E. Duggan, Lawyer Disclosure of Corporate Fraud: Establishing a Firm Foundation, 50 SMU L. Rev. 225 (1996).

12 Wheeler, supra note 8, at 465 (quoting 148 Cong. Rec. S6551 (daily ed. July 10, 2002) (statement of Sen. Edwards)).

13 See Sarbanes‑Oxley Act, § 307, 15 U.S.C. § 7245 (2002).

14 Final Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8185 (Sept. 26, 2003).

15 17 C.F.R. §§ 205.1-205.7.

16 17 C.F.R. § 205.3(b)(1).

17 17 C.F.R. §§ 205.3(b)(3), (b)(4).

18 17 C.F.R. § 205.3(c).

19 Bandera Master Fund LP v. Boardwalk Pipeline Partners, LP, No. CV 2018-0372-JTL, 2021 WL 5267734, at *1 (Del. Ch. Nov. 12, 2021).  In Bandera, plaintiffs brought suit against a general partner for breach of a partnership agreement stemming from the general partner’s exercise of a call right without satisfying two requisite preconditions.  The court held for the plaintiffs and found the general partner had engaged in willful misconduct.  Id. at *51.  Contributing to the misconduct was the general partner’s outside counsel, who drafted an opinion letter justifying the general partner’s exercise of the call right.  Id.  Throughout the drafting process, the court found, the outside counsel manipulated the facts in order to achieve the general partner’s desired conclusion.  Id. at *18-*47.

20 Id. at *51.

21 Commissioner Lee specifically cited, among other matters, environmental, social, and governance (“ESG”) disclosures.  The Commission is currently considering additional climate change-related disclosures to Regulation S-K and Regulation S-X.  See Jason Halper et al., SEC Proposes Climate-Related Changes to Regulation S-K and Regulation S-X, Cadwalader, Wickersham & Taft LLP (Mar. 23, 2022); see also Paul Kiernan, SEC Proposes More Disclosure Requirements for ESG Funds, The Wall Street Journal (May 25, 2022, 6:26 pm ET).

22 Rule 102(e) states, in relevant part:

(1) Generally. The Commission may censure a person or deny, temporarily or permanently, the privilege of appearing or practicing before it in any way to any person who is found by the Commission after notice and opportunity for hearing in the matter:

(i) not to possess the requisite qualifications to represent others; or

(ii) to be lacking in character or integrity or to have engaged in unethical or improper professional conduct; or

(iii) to have willfully violated, or willfully aided and abetted the violation of any provision of the Federal securities laws or the rules and regulations thereunder.

17 C.F.R. § 201.102(e)(1).

23 Commissioner Lee Remarks, supra note 1.

24 Id.

25 Proposed Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8150 (Nov. 21, 2002); Final Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8185 (Sept. 26, 2003); see also 2 Legal Malpractice § 14:114 (2022 ed.).

26 17 C.F.R. § 201.102(e).  The Rules of Practice generally “govern proceedings before the Commission under the statutes that it administers.” 17 C.F.R. § 201.100.  The SEC has the authority to administer and enforce such rules pursuant to the Administrative Procedures Act, 5 U.S.C. § 551 et seq. See Comment to Rule 100, SEC Rules of Practice (July 2003).

27 In the Matter of William R. Carter Charles J. Johnson, 47 S.E.C. 471 (Feb. 28, 1981) (“elemental notions of fairness dictate that the Commission should not establish new rules of conduct and impose them retroactively upon professionals who acted at the time without reason to believe that their conduct was unethical or improper.  At the same time, however, we perceive no unfairness whatsoever in holding those professionals who practice before us to generally recognized norms of professional conduct, whether or not such norms had previously been explicitly adopted or endorsed by the Commission.  To do so upsets no justifiable expectations, since the professional is already subject to those norms.”).

28 In the past, the Commission has sought to discipline lawyers for violating securities laws with scienter, rendering misleading opinions used in disclosures, and engaging in otherwise liable conduct, but not for giving negligent legal advice to issuers. See In the Matter of Scott G. Monson, Release No. 28323 (June 30, 2008) (collecting cases).

29 In the Matter of Steven Altman, Esq., Release No. 63306 (Nov. 10, 2010).

30 Statement of Planned Departure from the Commission (Mar. 15, 2022).

31 TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).

32 Basic Inc. v. Levinson, 485 U.S. 224, 250 (1988).

33 Upjohn Co. v. United States, 449 U.S. 383, 389 (1981) (quoting Hunt v. Blackburn, 128 U.S. 464, 470 (1888)).

34 Rule 1.3: Diligence, American Bar Association, (last visited Mar. 18, 2022) (“A lawyer shall act with reasonable diligence and promptness in representing a client.”); Rule 1.3 Diligence – Comment 1, American Bar Association,  (last visited Mar. 18, 2022) (“A lawyer must also act with commitment and dedication to the interests of the client and with zeal in advocacy upon the client’s behalf.”).

35 See, e.g., Upjohn, 449 U.S. at 389.

36 Rule 1.13: Organization As Client, American Bar Association, cmt. 2  (last visited April 19, 2022).

© Copyright 2022 Cadwalader, Wickersham & Taft LLP

Small Businesses Don’t Recognize Risk of Cyberattack Despite Repeated Warnings

CNBC surveys over 2,000 small businesses each quarter to get their thoughts on the overall business environment and their small business’ health. According to the latest CNBC/SurveyMonkey Small Business Survey, despite repeated warnings by the Cybersecurity and Infrastructure Security Agency and the FBI that U.S.-based businesses are at an increased risk of a cyber-attack following Russia’s invasion of Ukraine, small business owners do not believe that it is an actual risk that will affect them, and they are not prepared for an attack. The latest survey shows that only five percent of small business owners reported cybersecurity to be the biggest risk to their company.

What is unfortunate, but not surprising, is the fact that this is the same percentage of small business owners who recognized a cyber attack as the biggest risk a year ago. There has been no change in the perception among business owners, even though there are repeated, dire warnings from the government. Also unfortunate is the statistic that only 33 percent of business owners with one to four employees are concerned about a cyber attack this year. In contrast, 61 percent of business owners with more than 50 employees have the same concern.

According to CNBC, “this general lack of concern among small business owners diverges from the sentiment among the general public….In SurveyMonkey’s polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.” CNBC’s conclusion is that there is a disconnect between business owners’ appreciation of how much customers care about data security and that “[s]mall businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.” Statistics show that threat actors are targeting small to medium-sized businesses to stay under the law enforcement radar. With such a large target on their backs, business owners may wish to make cybersecurity a priority. It’s important to keep customers.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any other impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

©2022 Greenberg Traurig, LLP. All rights reserved.

Trade Mark Infringement – Muslim Dating App Meets its Match [.com]

A recent Intellectual Property Enterprise Court (IPEC) decision of 20 April 2022 held that ‘Muzmatch’, an online matchmaking service for the Muslim community, has infringed Match.com’s registered trade marks.

The decision by Nicholas Caddick Q.C was that Muzmatch’s use of signs and its name amounted to trade mark infringement and/or passing off of Match.com’s trade marks. This case follows successful oppositions by Match.com to Muzmatch’s registration of its marks in 2018, and unsuccessful attempts by Match.com to purchase Muzmatch between 2017 and 2019.

Match.com is one of the largest and most recognisable dating platforms in the UK. It first registered a word mark ‘MATCH.COM’ in 1996 and also owns other dating-related brands including Tinder and Hinge with other marks including the word mark ‘TINDER’. Match.com used a 2012 TNS report to illustrate its goodwill and reputation: 70% of people surveyed would be able to recall Match.com if prompted, 44% unprompted, and 31% of people would name Match.com as the first dating brand off the ‘top of their head.’

Muzmatch is a comparatively niche but growing dating platform, which aims to provide a halal (i.e. in compliance with Islamic law) way for single Muslim men and women to meet a partner. Muzmatch is comparatively much smaller; it was founded in 2011 by Mr Shahzad Younas and has now had around 666,069 sign-ups in the UK alone.

The Court considered that the marks ‘Muzmatch’ and ‘MATCH.COM’ and each company’s graphical marks, had a high degree of similarity in the services provided. The marks were also similar in nature orally and conceptually and the addition of the prefix ‘Muz’ did not distinguish the two marks, nor could the lack of the suffix ‘.com’ or stylistic fonts/devices.

The key issue of the case relates to the term ‘Match’, which is used by both marks to describe the nature of the business: match[ing]. Muzmatch argued that, as both marks share this descriptive common element, it is difficult to conclude that there is a likelihood of confusion between the two marks, since the term just describes what each business does.

The Court found that a likelihood of confusion arising from a common descriptive element is not impossible, as the descriptive element can be used distinctively. The average consumer would conclude that the portion ‘Match’ is the badge of origin for Match.com due to its reputation as a brand and the very substantial degree of distinctiveness in the dating industry. An average consumer would have seen the word ‘Match’ as the dominant element in the Match.com trade marks and Match.com is often referred to as just ‘Match’ in advertisements.

Aside from its marks, Muzmatch utilised a Search Engine Optimisation strategy from January 2012 whereby it utilised a list of around 5000 keywords which would take a user to a landing page on its website. In the list of the keywords used, Muzmatch used the words ‘muslim-tinder’, ‘tinder’ and ‘halal-tinder’, which were accepted by Muzmatch during the litigation to have infringed Match’s trade marks of the Tinder brand including the word mark ‘TINDER’. Muzmatch’s SEO use was also found to cause confusion based on some of its keywords including ‘UK Muslim Match’, which again uses the term Match distinctively; a consumer may therefore confuse a link to ‘UK Muslim Match’ with ‘Match.com’.

Therefore, the Court found that there was likely to be confusion between Muzmatch and Match.com because of the distinctive nature of the term ‘Match’ in the world of dating platforms.  An average consumer would conclude that Muzmatch was connected in a material way with the Match.com marks, as if it was targeted at Muslim users as a sub-brand, so this confusion would be trade mark infringement under S10(2) of the Trade Marks Act 1994.

The Court also considered that Muzmatch had taken unfair advantage of Match.com’s trade marks and had therefore infringed those marks under S10(3) of the Trade Marks Act 1994. This was due to the reputation of Match.com’s trade marks and because a consumer would believe that Muzmatch was a sub-brand of Match.com.

The Court rejected Muzmatch’s defence of honest concurrent use and found that Match.com would also have an alternative claim in the tort of passing off.

Key Points:

  • The Court found that a common descriptive element can acquire distinctiveness in an area, solely because of a company’s reputation and influence in that market.
  • The use of Search Engine Optimisation strategies can also constitute a trade mark infringement.
  • The lack of the suffix ‘.com’ in a mark is not sufficient to distinguish use from a household brand such as Match.com, so care should be taken with brands such as ‘Match.com’, ‘Booking.com’[1]

Source:

[1] Match Group, LLC, Meetic SAS, Match.Com International Limited v Muzmatch Limited, Shahzad Younas [2022] EWHC 941 (IPEC)


[1] Note- Blog Post of July 6 2020 Relating to Booking.com- https://www.iptechblog.com/2020/07/us-supreme-court-opens-doors-to-generic-com-trademarks/

NCLC Tells FCC “Callers can easily avoid making calls to telephone numbers that have been reassigned….” – But Is it That Simple?

The National Consumer Law Center is at it again.

In response to the Department of Health and Human Services’ recent letter to the FCC seeking clarity on whether the TCPA applies to texts it would like to make to alert Americans of certain medical benefits, the NCLC–an organization that nominally represents consumers, but really seems to represent the interests of the plaintiff’s bar–has filed a comment.

Unsurprisingly, the NCLC takes the position that HHS needs no relief. Government contractors are covered by the TCPA–it says–but the texts at issue in HHS’ letter are consented, so they’re fine. (Although it later clarifies that only “many” but not “all” of the enrollees whom HHS wishes to call have “probably” given their telephone numbers as part of written enrollment agreements–so perhaps not.)

Hmmmm. Feels like a trap. But we’ll ignore that for now.

The critical piece here though is what the NCLC–a very powerful voice, for better or (often) worse–is telling the FCC about the effectiveness of the new Reassigned Number Database:

3. Callers can easily avoid making calls to telephone numbers that have been reassigned to someone other than the enrollee

A primary source of TCPA litigation risk has been calls inadvertently made to numbers that are no longer assigned to the person who provided consent. Courts have held the caller liable for making automated calls to a cell phone number that has been reassigned to someone other than the person who provided consent to be called.29

The Commission has implemented the Reassigned Number Database specifically to address that risk of liability, as well as to limit the number of unwanted robocalls:

The FCC’s Reassigned Numbers Database (RND) is designed to prevent a consumer from getting unwanted calls intended for someone who previously held their phone number. Callers can use the database to determine whether a telephone number may have been reassigned so they can avoid calling consumers who do not want to receive the calls. Callers that use the database can also reduce their potential Telephone Consumer Protection Act (TCPA) liability by avoiding inadvertent calls to consumers who have not given consent for the call.31

The database has been fully operational since November 1, 2021. It provides a means for callers to find out before making a call if the phone number has been reassigned. If the database wrongly indicates that the number has not been reassigned, so long as the caller has used the database correctly, no TCPA liability will apply for reaching the wrong party. 32 Thus, as long as HHS’s callers make use of this simple, readily available database, they can be confident that they will not be held liable for making calls to reassigned numbers.

While I steadfastly support both the creation and use of the RND, it also must be observed that there are myriad problems with the RND as it currently exists. Most importantly, the data sets in the RND are only comprehensive through October 1, 2021 and spotty back to February, 2021 (beyond which there are no records!)

So for folks like HHS–and servicers of mortgages, and retailers, and credit card companies–who want to reach customers who provided their contact information before 10/2021 or 2/2021, the RND is simply not helpful.

The NCLC’s oversimplification of a critical issue is not surprising. They once told Congress that the TCPA is “Straightforward and Clear” after all.

Full comment here: NCLC Comments-c3

We’ll keep an eye on developments on HHS’ letter and all the FCC goings-on.

© 2022 Troutman Firm

Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Implementing Effective Data Security

Autonomous vehicles can be vulnerable to cyber attacks, including those with malicious intent. Identifying an appropriate framework with policies and procedures will help mitigate the risk of a potential attack.

The National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to reduce the likelihood of an attack’s success and mitigate ramifications if one does occur. NHTSA’s Cybersecurity Framework is structured around the five principles of identify, protect, detect, respond and recover, and can be used as a basis for developing comprehensive data security policies.

NHTSA goes on to describe how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This [analysis] involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.

Other industry associations are also weighing in on best practices, including the Automotive Information Sharing and Analysis Center’s (Auto-ISAC) seven Key Cybersecurity Functions and, from a technology development perspective, SAE International’s J3061, a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems to help AV companies “[minimize] the exploitation of vulnerabilities that can lead to losses, such as financial, operational, privacy, and safety.”

© 2022 Varnum LLP