Federal Trade Commission (FTC) Settles with HTC America Over Charges it Failed to Secure Smartphone Software


Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act.  On July 2 the FTC approved a final order settling these charges.


The FTC alleged HTC failed to employ reasonable security measures in its software, which led to the potential exposure of consumers’ sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff, and failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.

HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.

As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through an HTC device. HTC further agreed to hire a third party to evaluate its data and privacy security program and to issue reports every two years for the consent order’s 20-year term. The FTC’s policy makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.

Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; thus, businesses should research laws in the relevant jurisdiction(s)). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address potential threats. Examples of security measures might include restricting access to confidential information on a need-to-know basis; employing computer access restrictions; circulating an employee handbook that outlines company policies governing confidential information; conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers; conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations; encrypting confidential information; limiting access to confidential information through passwords and network firewalls; tracking all access to network resources and confidential information; restricting the ability to email, print or otherwise transfer confidential information; employing security personnel; limiting visitor access; establishing surveillance procedures; and limiting physical access to areas that may have confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.


China’s First-Ever National Standard on Data Privacy – Best Practices for Companies in China on Managing Data Privacy

Sheppard Mullin 2012

Companies doing business in China should take careful notice that China is now paying more attention to personal data privacy collection. This would be an opportune time for private companies to internally review existing data collection and management practices, as well as determine whether these fall within the new guidelines, and where necessary, develop and incorporate new internal data privacy practices.

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines, while not legally binding, are just what they purport to be: guidelines. Some commentators view these as technical guidelines. However, the Guidelines should not be taken lightly, as this may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries.

What should companies look for when examining existing data privacy and collection policy and practices? As the Guidelines provide for rules on collecting, handling, transferring and deleting personal information, these areas of a company’s current policies should be reviewed.

“Personal Information”

What personal information is subject to the Guidelines? The Guidelines define “personal information” as “computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person.”

“General” and “Sensitive” Personal Information

The Guidelines make a distinction between handling “general” and “sensitive” personal information. Sensitive personal information is defined as “information the leakage of which will cause adverse consequences to the subject individual,” e.g., information such as an individual’s identity card, religious views or fingerprints.

Consent Required

If an individual’s personal information is being collected, that individual should be informed as to the purpose and the scope of the data being collected; tacit consent must be obtained, meaning the individual does not object after being well informed. Where “sensitive” personal information is being collected, a higher level of consent must be obtained prior to collection and use; the individual must provide express consent, and evidence of that consent must be retained.

Notice

Best practices dictate that a well-informed notice be given to the individual prior to collection of any personal information. The notice should clearly spell out, among other items, what information is being collected, the purpose for which the information will be used, the method of collection, the party to whom the personal information will be disclosed and the retention period.

Cross Border Transfer

The Guidelines further limit the transfer of personal information to any organization outside of P.R. China except where the individual provides consent, the government authorizes the transfer or the transfer is required by law. It is unclear which law applies where transfer is “required by law”: PRC law or the law of any other country.

Notification of Breach

There is a notification requirement. The individual must be notified if personal information is lost, altered or divulged. If the breach incident is material, then the “personal information protection administration authority” must also be notified. The Guidelines, however, do not define or make clear who this administration authority is.

Retention and Deletion

Best practice for a company is to minimize the amount of personal information collected. Personal information, once used to achieve its intended purpose, should not be stored and maintained, but immediately deleted.

The Guidelines may not be binding authority, but at a minimum they set certain standards for the collection, transfer and management of personal information. Especially for companies operating in China, the Guidelines are a call to action, and to the implementation of best practices relating to data privacy. Companies should take this opportunity to assess their data privacy and security policies, review and revise customer information intake procedures and documentation, and develop and implement clear, company-wide internal data privacy policies and methods.


What’s New Out There? A Trade and Business Regulatory Update

Sheppard Mullin 2012

Proposed DoD Rule: Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D-005)

On May 16, 2013, the Department of Defense (“DoD”) issued a proposed rule that would amend the Defense Federal Acquisition Regulation Supplement (“DFARS”) relating to the detection and avoidance of counterfeit parts, in partial implementation of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2012 (Pub. L. 112-81) and the NDAA for FY 2013 (Pub. L. 112-239). 78 Fed. Reg. 28780 (May 16, 2013). The proposed rule would impose new obligations on contractors for detecting and protecting against the inclusion of counterfeit parts in their products. Public comments in response to the proposed amendment are due by July 15, 2013.

The proposed rule, titled Detection and Avoidance of Counterfeit Electronic Parts (DFARS Case 2012-D-005), partially implements Section 818 of the NDAA for FY 2012 requiring the issuance of regulations addressing the responsibility of contractors (a) to detect and avoid the use or inclusion of counterfeit – or suspect counterfeit – electronic parts, (b) to use trusted suppliers, and (c) to report counterfeit and suspect counterfeit electronic parts. Pub. L. 112-81, § 818(c). Section 818(c) also requires DoD to revise the DFARS to make unallowable the costs of re-work or other actions necessary to deal with the use or suspected use of counterfeit electronic parts. Id. The new rule also proposes the following in order to implement the requirements defined in Section 818.

  • Definitions: Adds definitions to DFARS 202.101 for the terms “counterfeit part,” “electronic part,” “legally authorized source,” and “suspect counterfeit part.”
  • Cost Principles and Procedures: Adds DFARS section 231.205-71, which would apply to contractors covered by the Cost Accounting Standards (“CAS”) who supply electronic parts, and would make unallowable the costs of counterfeit or suspect counterfeit electronic parts and the costs of rework or corrective action that may be required to remedy the use or inclusion of such parts. This section provides a narrow exception where (1) the contractor has an operational system to detect and avoid counterfeit parts that has been reviewed and approved by DoD pursuant to DFARS 244.303; (2) the counterfeit or suspect counterfeit electronic parts are government furnished property defined in FAR 45.101; and (3) the covered contractor provides timely notice to the Government.
  • Avoidance and Detection System: Requires contractors to establish and maintain an acceptable counterfeit avoidance detection system that addresses, at a minimum, the following areas: training personnel; inspection and testing; processes to abolish counterfeit parts proliferation; traceability of parts to suppliers; use and qualification of trusted suppliers; reporting and quarantining counterfeit and suspect counterfeit parts; systems to detect and avoid counterfeit electronic parts; and the flow down of avoidance and detection requirements to subcontractors.

Potential Impacts on Contractors and Subcontractors

Although the rule is designed constructively to combat the problem of counterfeit parts in the military supply chain, it imposes additional obligations and related liabilities on contractors and subcontractors alike.

  • The proposed rule shifts the burden of protecting against counterfeit electronic parts to contractors, thus increasing contractor costs and potential contractor liability in this area.
  • Under the proposed rule, contractors would need to take steps to establish avoidance and detection systems in order to monitor for and protect against potential counterfeit electronic parts, also increasing the financial and temporal impact on contractors.
  • Avoidance and detection system requirements will need to be flowed down to subcontractors, increasing subcontractors’ responsibility – and thus liability – for counterfeit parts.
  • The proposed rule would also make unallowable the costs incurred to remove and replace counterfeit parts, which could have a significant financial impact on contractors – even under cost type contracts.
  • As it currently stands, the narrow exception regarding the allowability of such costs applies only where the contractor meets all three requirements of the exception, which likely would be a rare occurrence.

Interim SBA Rule: Expansion of WOSB Program, RIN 3245-AG55

On May 7, 2013, the Small Business Administration (“SBA”) issued an interim final rule implementing Section 1697 of the NDAA for FY 2013, removing the statutory dollar amount for contracts set aside for Women-Owned Small Business (“WOSB”) under the Women-Owned Small Business Program. 78 Fed. Reg. 26504 (May 7, 2013). Comments are due by June 6, 2013.

The new rule would amend SBA 127.503 to permit Contracting Officers (“COs”) to set aside contracts for WOSBs and Economically Disadvantaged WOSBs (“EDWOSBs”) at any dollar amount if there is a reasonable expectation of competition among WOSBs as follows: (1) in industries where WOSBs are underrepresented, the CO may set aside the procurement where two or more EDWOSBs will submit offers for the contract and the CO finds that the contract will be awarded at a fair and reasonable price; or (2) in industries where WOSBs are substantially underrepresented, the CO may set aside the procurement if two or more WOSBs will submit offers for the contract, and the CO finds that the contract will be awarded at a fair and reasonable price.



Weighing Going Private or Sale to Carl Icahn, Dell Cuts off Info

McBrayer

As Dell Inc. considers its future after a massive loss in value over the past decade, the question may fundamentally be this: are the company’s problems the result of poor leadership or a relatively straightforward matter of shedding its stock obligations?

Two proposals are on the table. First, founder Michael Dell has proposed taking the company private by buying out the company’s stock for $24.4 billion through a private equity firm called Silver Lake. Second, business magnate Carl Icahn’s Southeastern Asset Management has offered to buy Dell for $12 in cash per share. Unfortunately, it’s not clear how the buyout negotiations are going.

An unquestioned leader in the personal computer industry in the 90s, Dell had lost some $68 billion in stock market value by 2010, reportedly due to a change in its customer base and inability to respond to Apple’s iPhone and iPad products. Sales at Dell continue to shrink, reportedly showing a 79 percent drop in a quarterly profit report filed last week.

As part of the buyout negotiations, Icahn sent a letter on seeking more detailed information from Dell, including data room access for a certain potential lender. This week, however, a special committee of Dell’s board of directors sent Icahn a letter refusing access to that information until it can determine whether his offer is “superior” to Michael Dell’s.

Meanwhile, Dell insisted upon more information from Icahn — such as whether his offer is even serious. In its response, the committee specifically asked Icahn to make “an actual acquisition proposal that the Board could evaluate” as opposed to merely offering the board a backup plan in case Michael Dell’s proposal fails to move forward.

“Please understand that unless we receive information that is responsive to our May 13 letter, we are not in a position to evaluate whether your proposal meets that standard,” the special committee reportedly wrote in response to Icahn’s request.

The question on Wall Street is the same as Dell’s: Is the Southeastern Asset Management offer serious? Icahn reportedly already owns 4.5 percent of Dell’s stock, while Southwest, already Dell’s largest outside shareholder, owns 8 percent.


White Collar Crime

The National Law Review would like to advise you of the upcoming White Collar Crime conference sponsored by the ABA Center for CLE and Criminal Justice Section, General Practice, Solo and Small Firm Division:

Event Information

When

February 29 – March 02, 2012

Where

  • Eden Roc Renaissance Miami Beach
  • 4525 Collins Ave
  • Miami Beach, FL, 33140-3226
  • United States of America
Primary Sponsors
  • Highlight

The faculty includes some of the leading white collar lawyers in the United States.  The keynote panels for the 2012 program will continue to focus on the role of ethics and corporate compliance in today’s business environment.

  • Program Description

Each year the National Institute brings together judges, federal, state, and local prosecutors, law enforcement officials, defense attorneys, corporate in-house counsel, and members of the academic community.  The attendees include experienced litigators, as well as attorneys new to the white collar area.  Attendees have consistently given the Institute high ratings for the exceptional quality of the Institute’s publication, its valuable updates on new developments and strategies, as well as the rare opportunity it provides to meet colleagues in this field, renew acquaintances and exchange ideas.

The faculty includes some of the leading white collar lawyers in the United States.  The keynote panels for the 2012 program will continue to focus on the role of ethics and corporate compliance in today’s business environment.  Once again, we expect excellent representation from the corporate sector.

  • CLE Information

ABA programs ordinarily receive Continuing Legal Education (CLE) credit in AK, AL, AR, AZ, CA, CO, DE, FL, GA, GU, HI, IA, ID, IL, IN, KS, KY, LA, ME, MN, MS, MO, MT, NH, NM, NV, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, VI, WA, WI, WV, and WY. These states sometimes do not approve a program for credit before the program occurs. This course is expected to qualify for 11.0 CLE credit hours (including TBD ethics hours) in 60-minute-hour states, and 13.2 credit hours (including TBD ethics hours) in 50-minute-hour states. This transitional program is approved for both newly admitted and experienced attorneys in NY.
