Online Behavioral Advertising: Industry Guides Require Real Time Notice When Data Are Collected or Used for Personalized Ads

Greenberg Traurig Law firm

WHAT’S COVERED?

Online behavioral advertising (OBA) has become a very common tool for commercial websites. OBA can be defined as follows:

the collection of data online from a particular computer or device regarding web viewing behaviors over time and across Web sites for the purpose of using such data to predict preferences or interests and to deliver advertising to that computer or device presumed to be of interest to the user of the computer/device based on observed Web viewing behaviors.

OBA might be implemented by use of cookies directly on a company’s website by the company itself. Or it might occur through technology embedded in ads from other parties displayed on the company’s site. Either way, the operators of commercial websites need to be aware when OBA is occurring on their sites and should be taking steps to provide greater transparency about OBA occurring on their sites.

WHAT’S THE CONCERN?

While the use of OBA is largely unregulated by law in the U.S. at this time, its spread has generated concern among privacy advocates. Of particular concern is the gathering of data about consumers without their knowledge where such information is supposed to be anonymous but advances in technology make it more and more possible to link that information to individuals (not just devices) through combination with other information. Examples can include information about health conditions and other sensitive information gleaned by watching the sites a user visits, the searches he/she conducts, etc. Key characteristics of OBA include that it is: (a) invisible to the user; (b) hard to detect; and (c) resilient to being blocked or removed.

In an effort to stave off government regulation of OBA in the United States, the Digital Advertising Alliance (DAA), a consortium of the leading advertising trade associations, has instituted a leading set of guidelines. Based on standards proposed by the Federal Trade Commission, the DAA Self-Regulatory Program is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for OBA purposes.

WHAT’S REQUIRED?

The key principles of the DAA’s guides are to provide greater transparency to consumers to allow them to know when OBA is occurring and to provide the ability to opt out. For commercial website operators that allow OBA on their sites, the compliance implications are as follows:

  1. First Party OBA. First Parties are website operators/publishers. If a company simply gathers information for its own purposes on its own site, it is generally not covered by the guidelines. However, as soon as the First Party allows others to engage in OBA via the site, it has a duty to monitor and make sure that proper disclosures are being made and even to make the disclosures itself if the others do not do so, including assuring that “enhanced notice” (usually the icon discussed below or a similar statement) appears on every page of the First Party’s site where OBA is occurring.

  2. Third-Party OBA. Third parties are ad networks, data companies/brokers, and sometimes advertisers themselves, who engage in OBA through ads placed on other parties’ sites. These Third Parties should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes. (See below on how to provide recommended disclosures.)

  3. Service Providers. These are providers of Internet access, search capability, browsers, apps or other tools that collect data about sites a user visits. Service Providers generally are expected to provide clear disclosure of OBA practices which may occur via their services, obtain consumer consent for such practices, and provide an easy-to-use opt-out mechanism.

HOW TO COMPLY

Generally, Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own websites that describes their OBA data collection and use practices. Such notice should include clear descriptions that include:

  • The types of data collected online, including any PII for OBA purposes;

  • The uses of such data, including whether the data will be transferred to a nonaffiliate for OBA purposes;

  • An easy to use mechanism for exercising choice with respect to the collection and use of the data for OBA purposes or to the transfer of such data to a nonaffiliate for such purpose; and

  • The fact that the entity adheres to OBA principles.

In addition, “enhanced notice” should appear on each and every ad (or page) where OBA is occurring. The “enhanced notice” means more than just traditional disclosure in a privacy policy. It means placement of a notice on the page/ad where OBA is occurring. The notice typically is given in the form of the following icon (in blue color) which should link to a DAA page describing OBA practices and providing an easy-to-use opt-out mechanism:

[Image: the online behavioral advertising icon]

The icon/link should appear in or around each ad where data are collected. Alternatively, it can appear on each page of a website on which any OBA ads are being served. It is normally the duty of the advertisers (Third Parties) to deploy the icon. However, if they fail to do so, then the operator of the site where the OBA ads appear has the duty to make appropriate real-time disclosures about OBA on each page where OBA activity is occurring, including links to the DAA page describing OBA practices and providing an easy-to-use opt-out mechanism.

ENFORCEMENT

The DAA is taking its OBA guidelines seriously. It has issued sets of “compliance warnings” to many major U.S. companies. While DAA has no direct authority to impose fines or penalties, its issuance of a ruling finding a violation of its guidelines could create a tempting target for the FTC or plaintiffs’ class action lawyers to bring separate actions against a company not following the DAA guidelines. For all these reasons, operators of websites employing OBA (either first party or third party) should pay heed to the DAA Guidelines.


Data Analytics as a Risk Management Strategy

Risk-Management-Monitor-Com

In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.


Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.


Online Presence Management: You Down with OP…M? Yeah, You Should Be!

Morgan Lewis

The stakes are higher than ever when it comes to your company’s online presence management (OPM), and you should be proactive in ensuring that your company is best positioned for success.

We are talking about total OPM. Yes, it is a real thing. The soaring growth of online media revenues (over 17%, recently), the sophistication of bad actors responsible for “mega-hacks,” and the ever-expanding social media market are but a few of the headlines that top the news on a daily basis.

Public interest is extremely high. As such, the risks and liabilities to your company are self-evident.

As a responsible lawyer (or, at least, someone interested enough in the law to read this blog), you should take a proactive approach to ensuring your organization is aligned with measures to both capitalize on the enormous opportunities presented by, as well as mitigate the risks associated with, managing your company’s total online presence.

So, where do you begin? What are the first steps? We recommend scheduling an internal discussion with your relevant stakeholders to take inventory of where you are with respect to your company’s OPM. You don’t need to involve outside counsel or be an expert in every nuance of the OPM space. Instead, the goal is to get a discussion between your business team and legal team about the structure and needs of your company. That is, the goal is to get the dialogue started internally so you have the information that you need to provide or to seek artful advice.

Here are the top three agenda items for your initial meeting:

1. Online Contracting Discussion—What agreements do you use, or should you use, on your website? Terms of service? Terms of use? Privacy policies? Codes of conduct? Foreign Corrupt Practices Act policies? Open-source policies? Once the inventory is completed, have a candid discussion with your business/marketing/OPM teams about (1) how each agreement is executed and used within the organization, (2) how updates are communicated, and (3) any pain points experienced by the business team. Special attention should be given to agreements that control services or products that produce revenue or that deal with the handling of important data or information. Understanding the total picture of your company’s online contracting structure allows you to identify risks and install protections to mitigate them.

2. Security Protocol Discussion—What are the processes in place to monitor and respond to potential security threats? What would your company do if it suspected a breach? How long would it take to react? What reporting systems are in place to alert responsible OPM team members of suspicious activities? Lawyers, like CEOs, can no longer assume that their company’s IT personnel handle these issues. By understanding the lay of the land, in-house lawyers and well-integrated outside counsel can better respond to emergency situations.

3. Data Leverage Discussion—What data is collected by your company’s internal tools? What data is collected by third-party tools and services? How is the data collected from the website (both personally identifiable and commercial) used by the company? Are there any synergies that can be gained by various business teams by gaining access to either of the above? Understanding what data is collected, especially commercial data such as user tendencies and product information, can assist lawyers in understanding the rights to negotiate when dealing with outside vendors and in drafting privacy policies.

As you can probably tell, the “discussions” approach will likely lead to many tangent discussions and identification of issues that you didn’t even realize existed in your organization. This is intentional.

In today’s online environment, you need to be proactive and agile to ensure that your company’s OPM is handled in a responsible, predictable, and measured manner. Having the discussions above will at least give you a starting point to demonstrate a more active approach and likely result in you being able to provide better and more business-focused counsel.


Not Just Your (Company) Email System Anymore! re: NLRB Purple Communications Ruling

Godfrey Kahn Law Firm

On December 10, 2014, the National Labor Relations Board (Board) ruled in Purple Communications, Inc., 361 N.L.R.B. No. 126, that employees have a right, protected by the National Labor Relations Act (Act), to use an employer’s email system during non-working time for communications protected by the Act (e.g., to discuss union issues or other protected concerted activities protected by Section 7 of the Act). The Board has thus overruled prior precedent, as set out in Register Guard, 351 N.L.R.B. 1110 (2007), that the Act did not give employees the right to use their employer’s email systems for Section 7 purposes.

A copy of the December 10, 2014 Board decision can be found here. The following passage sums up the scope of the Board’s ruling:

First, [this ruling] applies only to employees who have already been granted access to the employer’s email system in the course of their work and does not require employers to provide such access. Second, an employer may justify a total ban on nonwork use of email, including Section 7 use on nonworking time, by demonstrating that special circumstances make the ban necessary to maintain production or discipline. Absent justification for a total ban, the employer may apply uniform and consistently enforced controls over its email system to the extent such controls are necessary to maintain production and discipline. Finally, we do not address email access by nonemployees, nor do we address any other type of electronic communications systems, as neither issue is raised in this case.

The Board’s decision may be appealed by the employer, but even if it is not appealed, the email issue will likely continue to be litigated before the Board. For now, employers should review their electronic communications policies to ensure compliance with the Board’s new standards or to, at a minimum, understand their risk.


QVC Sues Shopping App for Web Scraping That Allegedly Triggered Site Outage

Proskauer Law firm

Operators of public-facing websites are typically concerned about the unauthorized, technology-based extraction of large volumes of information from their sites, often by competitors or others in related businesses. The practice, usually referred to as screen scraping, web harvesting, crawling or spidering, has been the subject of many questions and a fair amount of litigation over the last decade.

However, despite the litigation in this area, the state of the law on this issue remains somewhat unsettled: neither scrapers looking to access data on public-facing websites nor website operators seeking remedies against scrapers that violate their posted terms of use have very concrete answers as to what is permissible and what is not.

In the latest scraping dispute, the e-commerce site QVC objected to the Pinterest-like shopping aggregator Resultly’s scraping of QVC’s site for real-time pricing data. In its complaint, QVC claimed that Resultly “excessively crawled” QVC’s retail site (purportedly sending search requests to QVC’s website at rates ranging from 200-300 requests per minute to up to 36,000 requests per minute), causing a crash that wasn’t resolved for two days and resulting in lost sales. (See QVC Inc. v. Resultly LLC, No. 14-06714 (E.D. Pa. filed Nov. 24, 2014)). The complaint alleges that the defendant disguised its web crawler to mask its source IP address and thus prevented QVC technicians from identifying the source of the requests and quickly repairing the problem. QVC brought some of the causes of action often alleged in this type of case, including violations of the Computer Fraud and Abuse Act (CFAA), breach of contract (QVC’s website terms of use), unjust enrichment, tortious interference with prospective economic advantage, conversion and negligence. Of these and other causes of action typically alleged in these situations, the breach of contract claim is often the clearest source of a remedy.

This case is a particularly interesting scraping case because QVC is seeking damages for the unavailability of its website, which QVC alleges to have been caused by Resultly. This is an unusual theory of recovery in these types of cases. For example, this past summer, LinkedIn settled a scraping dispute with Robocog, the operator of HiringSolved, a “people aggregator” employee recruiting service, over claims that the service employed bots to register false accounts in order to scrape LinkedIn member profile data and thereafter post it to its service without authorization from LinkedIn or its members. LinkedIn brought various claims under the DMCA and the CFAA, as well as state law claims of trespass and breach of contract, but did not allege that its service was unavailable due to the defendant’s activities. The parties settled the matter, with Robocog agreeing to pay $40,000, cease crawling LinkedIn’s site and destroy all LinkedIn member data it had collected. (LinkedIn Corp. v. Robocog Inc., No. 14-00068 (N.D. Cal. Proposed Final Judgment filed July 11, 2014).)

However, in one of the early, yet still leading cases on scraping, eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000), the district court touched on the foreseeable harm that could result from screen scraping activities, at least when taken in the aggregate.  In the case, the defendant Bidder’s Edge operated an auction aggregation site and accessed eBay’s site about 100,000 times per day, accounting for between 1 and 2 percent of the information requests received by eBay and a slightly smaller percentage of the data transferred by eBay. The court rejected eBay’s claim that it was entitled to injunctive relief because of the defendant’s unauthorized presence alone, or because of the incremental cost the defendant had imposed on operation of the eBay site, but found sufficient proof of threatened harm in the potential for others to imitate the defendant’s activity.

It remains to be seen if the parties will reach a resolution or whether the court will have a chance to interpret QVC’s claims, and whether QVC can provide sufficient evidence of the causation between Resultly’s activities and the website outage.

Companies concerned about scraping should make sure that their website terms of use are clear about what is and isn’t permitted, and that the terms are positioned on the site to support their enforceability. In addition, website owners should ensure they are using “robots.txt,” crawl delays and other technical means to communicate their intentions regarding scraping.  Companies that are interested in scraping should evaluate the terms at issue and other circumstances to understand the limitations in this area.
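The closing advice above names robots.txt, crawl delays and other technical means as the operator's side of the picture. As an added example (not code from the article or from any party to the case), the Python below works the defender's side of the facts the complaint recites: it flags clients whose per-minute request rate exceeds a threshold (200/minute, the low end of the alleged rate), totals the site-wide rate per minute since the complaint alleges the source address was masked, and turns a robots.txt Crawl-delay into the request rate it permits. All log lines, addresses and the robots.txt are constructed.

```python
"""Spot excessive crawl rates in web server logs and compare them against a
robots.txt Crawl-delay. Added example with constructed data; not code from the
article or from any party to the dispute it describes."""
import re
from collections import Counter
from datetime import datetime

# Common Log Format, e.g.
# 203.0.113.7 - - [24/Nov/2014:10:15:02 +0000] "GET /search?q=tv HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return {'ip', 'minute', 'path'} for a CLF line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "minute": ts.replace(second=0), "path": m.group("path")}


def requests_per_minute(lines):
    """Count requests per (client IP, minute bucket)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["minute"])] += 1
    return counts


def flag_excessive(lines, threshold=200):
    """Return [(ip, minute_iso, count)] for buckets strictly above threshold.
    200/minute is the low end of the rate the QVC complaint alleges."""
    hits = [(ip, minute.isoformat(), n)
            for (ip, minute), n in requests_per_minute(lines).items() if n > threshold]
    return sorted(hits, key=lambda h: (h[1], -h[2], h[0]))


def site_wide_per_minute(lines):
    """Total requests per minute across all clients. A per-IP threshold alone misses
    a crawler spread over several source addresses, which the complaint alleges."""
    totals = Counter()
    for (_ip, minute), n in requests_per_minute(lines).items():
        totals[minute.isoformat()] += n
    return dict(totals)


def crawl_delay_limit(robots_txt, user_agent="*"):
    """Parse robots.txt groups and return the max requests/minute implied by the
    Crawl-delay (seconds) for user_agent, falling back to '*'; None if absent."""
    groups, in_agents = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if not in_agents:                    # a new group starts here
                groups.append({"agents": [], "delay": None})
            groups[-1]["agents"].append(value.lower())
            in_agents = True
        else:
            in_agents = False
            if key == "crawl-delay" and groups:
                try:
                    groups[-1]["delay"] = float(value)
                except ValueError:
                    pass
    for wanted in (user_agent.lower(), "*"):
        for g in groups:
            if wanted in g["agents"] and g["delay"]:
                return 60.0 / g["delay"]
    return None


def _make_lines(ip, minute, n, path="/search?q=tv"):
    # Constructed log lines: n GETs from ip within one minute of 24 Nov 2014.
    return [f'{ip} - - [24/Nov/2014:10:{minute:02d}:{i % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512' for i in range(n)]


# Constructed sample: one ordinary visitor, one heavy single-address crawler,
# and one crawler spread across three addresses that each stay under 200/minute.
SAMPLE_LOG = (_make_lines("198.51.100.5", 15, 3, "/product/123")
              + _make_lines("203.0.113.7", 15, 250)
              + sum((_make_lines(f"203.0.113.{h}", 16, 90) for h in (20, 21, 22)), []))

# Constructed robots.txt: a 10-second delay for everyone, 2 seconds for one named bot.
ROBOTS_TXT = """User-agent: Googlebot
Crawl-delay: 2

User-agent: *
Disallow: /search
Crawl-delay: 10   # 10 s between requests, i.e. at most 6 per minute
"""

if __name__ == "__main__":
    print("per-IP over 200/min:", flag_excessive(SAMPLE_LOG))
    print("site-wide per minute:", site_wide_per_minute(SAMPLE_LOG))
    print("declared limit (req/min):", crawl_delay_limit(ROBOTS_TXT))
```

Run as a script it prints the single-address crawler as the only per-IP hit, while the site-wide totals expose the spread-out crawler in the following minute.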


FCC: The New Data Security Sheriff In Town

Proskauer Law firm

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly – it assessed a $10 million fine on two telecommunications companies for failing to adequately safeguard customers’ personal information.

The companies, TerraCom, Inc. and YourTel America, Inc., provide telecommunications services to qualifying low-income consumers for a reduced charge.  The FCC found that the companies collected the names, addresses, Social Security numbers, driver’s licenses, and other personal information of over 300,000 consumers.  The data was stored on Internet servers without password protection or encryption, allowing public access to the data through Internet search engines.  This, the FCC found, exposed consumers to “an unacceptable risk of identity theft.”

The FCC charged the companies with violation of Section 222(a) of the Communications Act, which it interpreted to impose a duty on telecommunications carriers to protect customers’ “private information that customers have an interest in protecting from public exposure,” whether for economic or personal reasons.  Additionally, the companies were charged with violation of Section 201(b), which requires carriers to treat such information in a “just and reasonable” manner.

The companies were determined to have violated Sections 201(b) and 222(a) by failing to employ “even the most basic and readily available technologies and securities features.”  The companies further violated Section 201(b), the FCC found, by misrepresenting in their privacy policies and statements on their websites that they employ reasonable and updated security measures, and by failing to notify all of the affected customers of the data breach.

Commissioners Ajit Pai and Michael O’Rielly dissented, arguing that, among other things, the FCC had not before interpreted the Communications Act to impose an enforceable duty to employ data security measures and notify customers in the event of a breach. Now that the FCC has so interpreted the Act, however, we can expect the FCC to keep its eye on data security.

The FCC made clear that protection of consumer information is “a fundamental obligation of all telecommunications carriers.”  Friday’s decision also makes clear that the FCC will enforce notification duties in the event of a breach, and will look closely at carriers’ privacy policies and online statements regarding data security.


Contract Corner: Cybersecurity (Part 3)

Morgan Lewis

Over the last two weeks, we discussed contract provisions designed to address the implementation of preventive security measures, as well as responding to security incidents. Our third and final blog post in this series focuses on contractual provisions that address the allocation of liability for breaches that result in security incidents.

Because of the potential for large-scale damages from a security incident, customers and service providers are generally very focused on the allocation of liability in indemnification and liability provisions. Below we list some key issues to consider when drafting these contract provisions.

  • Rather than relying on general negligence or contract breach standards, consider adding security incidents resulting from a contractual breach as separate grounds for indemnification coverage.

  • Determine whether indemnification is limited to third-party claims or includes other direct and/or indirect damages and liabilities caused by a security incident.

  • Coordinate indemnification defense with incident response provisions and consider the effect on the customer’s client relationships where the vendor assumes such defense.

  • Assess whether all potential damages from a security incident are covered by the damages provisions, including any damages that may be considered indirect or consequential.

  • To determine the allocation of liability, consider the contract value, industry norms, type of data at issue, potential business exposure, cost of preventative measures, and cause of the security incident.

  • Consider calling out specific damages related to a security breach that are not subject to any cap or exclusion to provide clarity and protection—such damages can include the costs of reconstructing data, notifying clients, and providing them with identity protection services.

With cyber attacks growing in number and sophistication on a daily basis and the increased amount and value of data that is at risk to such attacks, cybersecurity concerns are top of mind for senior management.

This post is part of our recurring “Contract Corner” series, which provides analysis of specific contract terms and clauses that may raise particular issues or problems. Check out our prior Contract Corner posts for more on contracts, and be on the lookout for future posts in the series.


How to Measure Your Email Marketing Performance

The Rainmaker Institute

Email newsletters have proven to be one of the most effective methods for attorneys to market themselves to prospects, clients and referral sources.  Every year, email marketing service provider MailerMailer provides a report on email marketing metrics across 34 different industries, including Legal.

They have just issued their 2014 report, based on data gathered from 62,000 newsletter campaigns totaling 1.18 billion emails sent between Jan. 1, 2013 and Dec. 31, 2013.  Here are the results — and what should be your new benchmarks — for your law firm newsletter:

Open rate (what percentage of your recipients opened your email):  13.5%

Click rate (what percentage of your recipients clicked on a link in your email):  1.6%

Click-to-open rate (of the recipients who opened your email, what percentage of them clicked on a link):  11.8%

Bounce rate (the percentage of emails that cannot be delivered):  2.4%

Every email service (Constant Contact, Mail Chimp, iContact, etc.) provides these statistics for each newsletter you send out.  If your newsletters are not delivering at rates that meet or exceed the benchmarks above, you have a problem.

Here’s what you should consider to improve your click, open and bounce rates:

Are your subject lines engaging to entice people to open your email?  Short subject lines — 4 to 15 characters — generate the highest open and click rates.

Are you sending emails on the right day and at the right time?  The highest open rates occur on Mondays and the highest click rates occur on Sundays.  Open rates peak during the early part of the day, between 8 a.m. and noon.

Is your email list updated regularly and cleaned of old, undeliverable email addresses?  Bounce rates are inescapable but can be improved if you send out emails on a regular basis.

Have you segmented your email list so you can tailor your content to your different audiences?  Targeted emails deliver 18 times more revenue than general blast emails.

Are your emails personalized? Personalizing the message content can boost open rates significantly.

Do you use a responsive design template so your emails are displayed properly for every screen size?  More than half of emails are now opened on mobile devices.

If your newsletters are performing at or above these benchmarks, you may still have some work to do: if you don’t know the source of your success, you can’t repeat it.


Protecting Trade Secrets in the Cloud


The business community’s growing use of cloud-based computing services provides great benefits due to cost-savings and mobile information access.  However, business leaders should understand the risks of storing valuable trade secrets in the cloud.  This article provides the business community tips on how to safeguard valuable trade secrets stored in the cloud from being freely disclosed to the public, thus putting the business at risk of losing protections that courts grant trade secrets.

As businesses’ profit margins have continued to shrink since the Great Recession, more companies have looked to reduce costs by reducing growing expenses related to their information technology departments.[1] The first line item to draw attention in the IT budget is frequently the rising costs associated with maintaining and upgrading system hardware.  Businesses often find that housing and operating multiple servers stretches IT budgets thin by increasing maintenance, labor, and operational costs.  The solution so many businesses have turned to is to move their valuable data to virtual servers, or the “cloud.”[2]  A recent survey of IT executives provides that companies will triple their IT spending on cloud-based services in 2014 over 2011.[3]  Cloud service providers have also seen demand increase as they increase their cloud capabilities.[4]

Although cloud-based servers provide businesses with substantial financial and operational benefits, businesses must recognize that there are perils to shifting data to the cloud.  One of the key concerns businesses should consider before moving data to the cloud is the risk that its valuable trade secrets will lose protection as a result of insufficient safeguards to protect against disclosure.  This article addresses that concern and provides businesses keys for seeking to protect valuable secrets in the cloud.

What is a Protectable Trade Secret

The first step for a business seeking to protect its trade secrets is to understand how the law characterizes a trade secret.  Information qualifies as a trade secret only if it derives independent economic value from not being generally known or readily ascertainable, and if it is the subject of reasonable efforts to maintain its secrecy.  Trade secrets are broadly defined to include technical and non-technical data, formulas, patterns, compilations, programs, devices, methods, techniques, drawings, processes, financial data, strategies, pricing information, and lists of customers, prospective customers, and suppliers.

Businesses Need to Take Reasonable Efforts to Protect Trade Secrets in the Cloud

Trade secrets are only protectable when the owner takes reasonable efforts to prevent them from being freely disclosed to the public so that the information does not become generally known.

Information does not have to be cloaked in absolute secrecy to be a trade secret, as long as the business’s efforts to maintain secrecy or confidentiality are reasonable.  It is easy to picture how a business protects confidential documents stored locally: computer files are encrypted and password-protected, with access limited to specified personnel, and paper files are kept in locked cabinets in secured rooms that only specified personnel may enter.

Those seemingly straightforward security measures become murkier when information is stored in the cloud.  Unlike storing data on local servers, storing data in the cloud requires the owner to hand confidential information to a third-party vendor.  Disclosure to a third party that is under no duty of confidentiality can destroy trade secret protection, because the information is then no longer secret.  Businesses must therefore take additional steps to ensure that their data remain confidential in the provider’s hands.

Three Keys to Protecting Trade Secrets Stored in the Cloud

There are no fail-safe measures to protect data stored in the cloud.  The best way for a business to protect its trade secrets is to locally store and protect its most valuable data with the proper data security protocols.  A business, however, should not fear the cloud as long as it takes certain steps to ensure that it exercises reasonable efforts to protect its cloud-based data.

First, business leaders must conduct appropriate due diligence before selecting a cloud-provider.  The business should conduct necessary research to select a reputable, well-established company that has the physical and technological capabilities to store and protect data.

Conducting due diligence on a provider includes ensuring that the provider has taken necessary steps to establish appropriate physical and virtual security protocols to protect the confidentiality of your information.  Inquire how the provider establishes physical security measures, and monitoring capabilities to prevent unauthorized access to its data centers and infrastructure.  Also, learn how the provider limits its employees’ access to customer data and determine the internal controls that the provider has in place to prevent unauthorized viewing, copying, or emailing of customer information.

A business should also inquire about the provider’s technical security controls.  It should understand, at least in general terms, how the provider encrypts data in transit and at rest, who holds the encryption keys, and how the provider’s security management systems protect customer data.  If the business cannot independently evaluate those controls, it can ask for independent evidence: a recent third-party audit report (for example, a SOC 2 Type II report) or a current security certification such as ISO/IEC 27001.  A client list is a weaker signal, but if the provider serves security-conscious customers such as financial institutions or healthcare organizations, that suggests it has already been vetted by others.  Finally, the provider should carry sufficient data-protection insurance to cover potential data breaches or system failures.

Second, a business must have contractual safeguards in place with its cloud provider to protect its intellectual property and trade secrets.  The contract should establish that the business owns the data, that the data will be segregated from other customers’ data, and that the business has unfettered access to it.  It should state that the business may demand that the data be deleted or returned on request, and detail how the provider will purge the data so that it is properly deleted when the relationship ends.  It should require regular data backup and recovery tests, and it should bar the provider from accessing, using, or copying the data for its own purposes.  Finally, the contract should set out the provider’s obligation to notify the business of a data breach or system failure, and within what time frame.

Third, a business should consider encrypting data containing trade secrets itself, with keys that it alone controls, before transmitting the data to the cloud provider, and requiring strong authentication (for example, multi-factor authentication) for every account that can reach the data.  With client-side encryption the provider, and anyone who compromises the provider, holds only ciphertext.  The trade-off is usability: the provider cannot index, search, or process data it cannot read, and if the business loses its keys it loses the data.  A business should therefore weigh whether the added encryption would hamper its ability to access, use, and port the data in the normal course of business.
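What the third key looks like in practice, as an added example that is not part of the original article: the business encrypts a file with AES-256-GCM under a key it keeps on premises, uploads only the resulting blob, and binds the object name into the authentication tag so a blob cannot be quietly moved or substituted. The sample “secret”, the object name and the in-memory map standing in for the provider’s storage are all constructed for the demonstration; a real deployment would keep the key in a key manager or HSM and use the provider’s storage API in place of the map.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample "trade secret" for the demonstration; not real data.
const sampleSecret = "FORMULA-7: 3 parts A, 1 part B, cure 40 min at 180C"

// NewDataKey returns a fresh 256-bit AES key. The business keeps this key
// (for example in an on-premises key manager or HSM); it never goes to the
// provider.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealForUpload encrypts plaintext with AES-256-GCM before it leaves the
// business. objectName is bound in as additional authenticated data, so a
// blob cannot be silently renamed or swapped for another object.
// Output layout: nonce || ciphertext || GCM tag.
func SealForUpload(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// OpenFromDownload reverses SealForUpload. Any change to the blob, the key or
// the object name makes the GCM tag check fail and returns an error.
func OpenFromDownload(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

// CloudStore is a stand-in for the provider's object storage: it holds only
// what the client uploads and has no access to the key.
type CloudStore map[string][]byte

// ProviderCanRead reports whether the stored bytes for name contain the
// plaintext secret, i.e. whether the provider (or anyone who copies its
// disks) could read the secret directly. It also shows the usability cost:
// the provider cannot search or index what it cannot read.
func (s CloudStore) ProviderCanRead(name string, secret []byte) bool {
	return bytes.Contains(s[name], secret)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	const name = "r-and-d/formula-7.txt" // hypothetical object name
	blob, err := SealForUpload(key, []byte(sampleSecret), name)
	if err != nil {
		panic(err)
	}
	store := CloudStore{name: blob} // what the provider actually holds
	fmt.Println("provider can read the secret:", store.ProviderCanRead(name, []byte(sampleSecret)))
	pt, err := OpenFromDownload(key, store[name], name)
	fmt.Println("owner recovers the secret:", err == nil && string(pt) == sampleSecret)
	_, err = OpenFromDownload(key, store[name], "public/brochure.txt")
	fmt.Println("blob moved to another name is rejected:", err != nil)
}
```

Running it prints false, true, true: the provider never sees the formula, the key holder gets it back intact, and a blob presented under a different object name fails authentication. The same property that protects the secret is what the article’s caveat is about: once the blob is uploaded, no provider-side search, preview or analytics feature can operate on it, and the business must guard the key as carefully as the secret itself.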

Conclusion

There are several financial and operational benefits to storing data in the cloud.  Businesses must, however, understand that storing their valuable trade secrets on virtual servers also carries risks.  They need to take reasonable efforts to protect the confidentiality and secrecy of their most valuable data and information.


[1] Dave Rosenberg.  Reducing IT Infrastructure Costs via Outsourcing.  May 7, 2009.  news.cnet.com/8301-13846_3-10235742-62.html

[2] Thor Olavsrud.  How Cloud Computing Helps Cut Costs, Boost Profits.  March 12, 2013. www.cio.com/article/730036/How_Cloud_Computing_Helps_Cut_Costs_Boost_Profits

[3] Andrew Horne. Transformational Change in IT Will Drive 2014 Spending.  November 5, 2013.  http://blogs.wsj.com/cio/2013/11/05/transformational-change-in-it-will-drive-2014-spending/

[4] IBM Commits $1.2bn to Cloud Data Centre Expansion.  January 17, 2014. www.bbc.co.uk/news/business-25773266

Think Tanks Ask Supreme Court to Clarify Definition of “Foreign Official” in FCPA (Foreign Corrupt Practices Act)

Katten Muchin Law Firm

Two think tanks, the Washington Legal Foundation and the Independence Institute, have filed an amicus brief in the Supreme Court on behalf of petitioners Joel Esquenazi and Carlos Rodriguez, who were recently convicted of violating the Foreign Corrupt Practices Act (FCPA). The amici seek clarity on the definition of “foreign official” in the FCPA.  The FCPA prohibits certain persons or entities, including US businesses, from paying a “foreign official” for the purpose of obtaining or retaining business. The FCPA defines “foreign official” to include “any officer or employee of a foreign government or any department, agency, or instrumentality thereof.”

Esquenazi and Rodriguez were executives of Terra Telecommunications Corp., a Florida company that purchased phone time from foreign vendors and resold the time to US customers. Terra conducted business with Haiti-owned vendor Telecommunications D’Haiti S.A. (Haiti Teleco). Prosecutors argued that Esquenazi and Rodriguez made payments to Haiti Teleco officers to obtain lower rates. To determine whether Haiti Teleco was an “instrumentality” under the FCPA, the trial court instructed the jury to consider whether the company “provided services to the citizens and inhabitants of Haiti,” and whether it was majority owned by the Haitian government. Defendants were convicted, and Esquenazi was sentenced to 15 years’ imprisonment and Rodriguez received seven years’ imprisonment. The US Court of Appeals for the Eleventh Circuit affirmed, finding that an “instrumentality” is “an entity controlled by the government of a foreign country that performs a function the controlling government treats as its own,” and setting forth a list of factors.

Amici contend that the business community needs concrete guidance in this undeveloped area. They argue that the Eleventh Circuit’s definition is overly broad because (1) Haiti Teleco was never designated a government entity; (2) Haiti Teleco issues common stock, and the government was not an initial stockholder; and (3) Haiti Teleco, as a telephone service provider, does not perform a traditional government function.

Brief for Esquenazi and Rodriguez as Amici Curiae Supporting Petitioners, Esquenazi, et al. v. U.S., Sup. Ct. No. 14-189 (Aug. 14, 2014).
