Third-Party Litigation Funding Comes of Age

Law firm Chief Marketing Officers (CMOs) are on the front line of client development, and thus have an unobstructed view of how the legal market for complex litigation is developing. As budget pressures continue to weigh on corporate general counsel, the need for law firms to adjust their pricing to secure new clients is clearly being felt – some firms are now hiring specialty personnel to focus solely on the question of proper pricing. CMOs are thus actively speaking the lingua franca of today’s latest fee structures – from RFPs to AFAs and discounted fees.

Given this, it is surprising to discover that many otherwise business savvy CMOs know little about the emergence of commercial litigation finance. While some are keenly aware of the new industry’s progress – and eager to share their involvement in the funding of multiple cases – others are seemingly unfamiliar with the advent of specialist funding companies and the business development opportunities that they could present for them.

In fairness, due to the often confidential nature of commercial litigation finance, the commercial litigation finance industry has been somewhat constrained in publicizing itself. As one example of this, at a recent conference I sat next to the sharp CMO of a top firm who asked me what litigation finance did and what company I worked for. I explained to him that we financed legal fees in multi-million dollar cases, and that we had recently funded a case involving his own firm!

At its most basic level, litigation finance is very straightforward. A third party funds legal fees and expenses associated with a litigation or arbitration, in return for a portion of the ultimate proceeds (settlement or judgment), if any. Importantly, the funding is typically “non-recourse”, meaning that if there is no recovery for the plaintiff, the litigation financier receives no fee.

Claimants have historically found ways to fund their cases – with available capital, through a bank loan, or by agreeing to a contingency fee with their attorney. What has changed recently is the emergence of specialty finance companies that limit their work to the financing of litigation. These firms first appeared in Australia a decade ago, and are now active in the United Kingdom and the United States. They typically invest in large-scale and complex commercial litigation, with investments (and thus legal fees) on the order of several million dollars.

Not all cases are appropriate for litigation financing, and certain criteria must be met as part of a careful due diligence process. Four considerations include:

  1. the merits of the claim – the case must stand a very strong chance of success on the law and facts;
  2. the ratio of costs/proceeds – the ratio of legal fees (and other costs) must be in proper proportion to the expected proceeds (to allow for reasonable costs associated with financing – typically a ratio of at least 1:4 is required);
  3. the duration of the proceedings – as the cost of financing will usually be related to the time the case takes to resolve (given the time value of money), attention must be paid to the expected length of the case; and
  4. the enforceability of judgment – it must be clear at the outset that, if the claim is successful, the plaintiff will be able to collect its judgment from the defendant.

Once an investment is made, litigation financiers are careful as to their involvement in a given case. Important rules of legal ethics are respected so that the funder does not interfere with case strategy, settlement decisions, or the attorney-client relationship. And, as mentioned above, the financing is typically kept confidential between the parties.

Given the challenge of drawing in new clients, law firm CMOs must leverage every available advantage. In several business development scenarios, the prospect of litigation finance can help:

  • Fee negotiations – in situations where a client would prefer to work with a given firm – but the client will not (or cannot) pay the firm’s standard hourly fees – financing can be used to pay such fees and allow the case to proceed;
  • Alternative to contingency fee – in situations where a firm is asked to act on a contingency fee basis, a litigation financier can step in to provide a similar result: the firm receives its standard hourly fees, paid for by the funder, which in turn only receives compensation in the event of a “win” (sometimes referred to as a “synthetic contingency”);
  • RFP (request for proposal) – in situations where an RFP has been issued by a potential client, a firm’s response may be better received if it makes proper mention of litigation finance as an innovative variation to AFA (alternative fee arrangements); and
  • Fee “fatigue” – in situations where an existing client involved in extended litigation has begun to express concern regarding mounting fees (perhaps on the eve of trial), litigation finance can offer immediate cash-flow relief and allow the firm to receive its full fees.

In short, litigation finance can offer law firm CMOs (and anyone involved in legal business development) a new tool with which to hammer out difficult pricing issues and fee structures for big-ticket litigation.

Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; thus, businesses should research laws in the relevant jurisdiction(s)). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address potential threats. Examples of security measures might include restricting access to confidential information on a need-to-know basis; employing computer access restrictions; circulating an employee handbook that outlines company policies governing confidential information; conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers; conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations; encrypting confidential information; limiting access to confidential information through passwords and network firewalls; tracking all access to network resources and confidential information; restricting the ability to email, print or otherwise transfer confidential information; employing security personnel; limiting visitor access; establishing surveillance procedures; and limiting physical access to areas that may have confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.

New Data Breach Class Action has Two Million Plaintiffs

Cyber breaches resulting in the release of personally identifiable information (PII) are increasingly common, and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states that the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations, as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common, it is likely that there will be more lawsuits filed similar to the Schnucks suit in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

Round Up – Intellectual Property and Cyber Security Things You May Have Missed (Including Some Good Summer Cocktail Banter Material)

Cyber Security Report – Earlier this year, Verizon released its 2013 Data Breach Investigations Report.  The report analyzes and presents data regarding the current state of various data breaches and network attacks.  Some of the results are surprising.

  • 92% of breaches are perpetrated by outsiders
  • 19% of breaches are attributed to state-affiliated actors
  • 76% of network intrusions exploit weak or stolen credentials
  • 66% took months or more to discover

Do Trademark Lawyers Matter? – An empirical study, published in the Stanford Technology Law Review, provided the results of a grueling analysis of 25 years’ worth of data from the United States Patent and Trademark Office records on whether being represented by a trademark attorney makes a difference in the likelihood of success in getting your mark registered. The results? YES! It turns out that, overall, trademark applicants who are represented by an attorney are 50% more likely to have their marks registered. The results are even more dramatic when an application faces an obstacle (e.g., an office action). In those instances, applicants were found to be 68% more likely to proceed to publication when represented by counsel. Perhaps it’s time for a national trademark lawyer appreciation day! (I’m not holding my breath).

Does Keyword Advertising Really Work?  eBay recently released a study, entitled “Consumer Heterogeneity and Paid Search Effectiveness: A Large Scale Field Experiment” which analyzed the effectiveness of eBay’s keyword advertising efforts.  So does keyword advertising really work?  Not so much.  According to the study, for well known brands (like eBay), new and infrequent users may be more influenced by keyword triggered advertisements.  But more experienced searchers and otherwise loyal brand users are not influenced by the ads.  When eBay stopped its keyword advertising, almost all of the traffic lost from the absence of the ad was picked up in the native search results.  It’s important to note, however, that this study was focused on a single well known brand.  The results may be quite different for other brands or for less well known brands.  Moreover, the study says nothing about the use of a trademark by a competitor as a keyword to drive traffic to the competitor’s website.

Marketing Your Mobile App – The FTC has released guidelines for mobile app developers when advertising their software. The plain language guide is very high level, but does include some helpful tidbits to remember. Highlights include:

  • Advertising is everything a company tells a prospective buyer about its app (whether it’s in the formal ad campaign or in other communications).
  • Don’t bury key disclosures in “dense blocks of legal mumbo jumbo” or behind hyperlinks.
  • Build in privacy by design, including principles used in selecting default settings.
  • If you change your privacy policy, you need to get users’ consent. Merely editing the language of the policy isn’t enough.

Effective Disclosures in Digital Advertising – The FTC also released guidelines for online advertising.  This new guidance focuses on the peculiarities and challenges associated with online advertising.  Where this adds new value is in its analysis and detail (with examples!) of the following areas:

  • Proximity and Placement – where disclosures have to be placed to be effective
  • Hyperlinks – including proper labeling and placement
  • Prominence – including use of size, color and graphics
  • Distractions – risks from graphics, sounds and links that may distract from disclosures
  • Multimedia – use of audio and video

Attack on “Happy Birthday” Copyright.  Salon.com reported yesterday that a class action suit has been filed to attack the copyright in the popular birthday celebration tune.  According to the report, the lawsuit was prompted by a documentary uncovering evidence that the song was originally published as early as 1893 and that the current copyright is based on a 1924 publication date which grants the work 95 years of copyright protection.  Based on my count, there’s only about 6 years left in the alleged copyright to begin with.  Hopefully the lawsuit gets resolved before then.

China’s First-Ever National Standard on Data Privacy – Best Practices for Companies in China on Managing Data Privacy

Sheppard Mullin 2012

Companies doing business in China should take careful notice that China is now paying more attention to personal data privacy collection. This would be an opportune time for private companies to internally review existing data collection and management practices, as well as determine whether these fall within the new guidelines, and where necessary, develop and incorporate new internal data privacy practices.

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines, while not legally binding, are just what they purport to be: guidelines. Some commentators view these as technical guidelines. However, the Guidelines should not be taken lightly, as they may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries.

What should companies look for when examining existing data privacy and collection policy and practices? As the Guidelines provide for rules on collecting, handling, transferring and deleting personal information, these areas of a company’s current policies should be reviewed.

“Personal Information”

What personal information is subject to the Guidelines? The Guidelines define “personal information” as “computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person.”

“General” and “Sensitive” Personal Information

The Guidelines make a distinction between handling “general” and “sensitive” personal information. Sensitive personal information is defined as “information the leakage of which will cause adverse consequences to the subject individual”, e.g. information such as an individual’s identity card, religious views or fingerprints.

Consent Required

If an individual’s personal information is being collected, that individual should be informed as to the purpose and the scope of the data being collected; tacit consent must be obtained, meaning the individual does not object after being well informed. Where “sensitive” personal information is being collected, a higher level of consent must be obtained prior to collection and use; the individual must provide express consent, and such evidence must be retained.

Notice

Best practices dictate that a well-informed notice be given to the individual prior to collection of any personal information. The notice should clearly spell out, among other items, what information is being collected, the purpose for which the information will be used, the method of collection, the party to whom the personal information will be disclosed, and the retention period.

Cross Border Transfer

The Guidelines further limit the transfer of personal information to any organization outside of P.R. China except where the individual provides consent, the government authorizes the transfer or the transfer is required by law. It is unclear which law applies where transfer is “required by law”: PRC law or the law of any other country.

Notification of Breach

There is a notification requirement. The individual must be notified if personal information is lost, altered or divulged. If the breach incident is material, then the “personal information protection administration authority.” The Guidelines, however, do not define or make clear who this administration authority is.

Retention and Deletion

Best practice for a company is to minimize the amount of personal information collected. Personal information, once used to achieve its intended purpose, should not be stored and maintained, but immediately deleted.

The Guidelines may not be binding authority, but at a minimum they set certain standards for the collection, transfer and management of personal information. Especially for companies operating in China, the Guidelines are a call to action and to implementation of best practices relating to data privacy. Companies should take this opportunity to assess their data privacy and security policies, review and revise customer information intake procedures and documentation, and develop and implement clear, company-wide internal data privacy policies and methods.

Social Media & Emerging Employer Issues: Are You Protected?

On June 13, 2013, Business First of Louisville and McBrayer hosted the second annual Social Media Seminar. The seminar’s predecessor, Social Media: Strategy and Implementation, was offered in 2012 and was hugely successful. This year’s proved to be no different. Presented by Amy D. Cubbage and Cynthia L. Effinger, the seminar focused on emerging social media issues for employers. If you missed it, you missed out! But don’t worry, a seminar recap is below.

McBrayer: If a business has been designated an entity that must comply with HIPAA, what is the risk of employees using social media?

Cubbage: Employers are generally liable for the acts of their employees which are inconsistent with HIPAA data privacy and security rules. As employees’ use of social networking sites increases, so does the possibility of a privacy or security breach. An employee may be violating HIPAA laws simply by posting something about their workday that is seemingly innocent. For instance, a nurse’s Facebook status that says, “Long day, been dealing with a cranky old man just admitted into the ER” could be considered a HIPAA violation and expose an employer to sanctions and fines.

McBrayer: Should businesses avoid using social media so that they will not become the target of social media defamation?

Effinger: In this day and age it is hard, if not impossible, for a business to be successful without some use of social media. There is always the risk that someone will make negative comments about an individual or a business online, especially when anonymity is an option. Employers need to know the difference between negativity and true defamation. Negative comments or reviews are allowed, perhaps even encouraged, on some websites. If a statement is truly defamatory, however, then a business should make efforts to have the commentary reported and removed. The first step should always be to ask the internet service provider for a retraction of the comment, but legal action may sometimes be required.

McBrayer: When does a negative statement cross the line and become defamation?

Effinger: It is not always easy to tell. First, a statement must be false. If it is true, no matter how damaging, it is not defamation. The same goes for personal opinions. Second, the statement must cause some kind of injury to an individual or business, such as by negatively impacting a business’s sales, to be defamation.

McBrayer: Can employers ever prevent employees from “speaking” on social media?

Effinger: Employers should always have social media policies in place that employees read, sign, and abide by. While it is never really possible to prevent employees from saying what they wish on social media sites, some of their speech may not be protected by the First Amendment’s freedom of speech clause.

McBrayer: What constitutes “speech” on the internet? Is “liking” a group on Facebook speech? How about posting a YouTube video?

Effinger: This is a problem that courts and governmental employment agencies, like the National Labor Relations Board, are just starting to encounter. There is no bright-line rule for what constitutes “speech,” but it is safe to say that anything an employee does online that is somehow communicated to others (even “liking” a group or posting a video) qualifies.

McBrayer: Since a private employer is not bound by the First Amendment, can they terminate employees for social media actions with no repercussions?

Effinger: No! In fact, it could be argued that private employees are afforded more protection for what they say online than public employees. While a private employer has no constitutional duty to allow free speech, the employer is subject to state and federal laws that may prevent them from disciplining an employee’s conduct. As a general rule, private employees have the right to communicate in a “concerted manner” with respect to “terms and conditions” of their employment. Such communication is protected regardless of whether it occurs around the water cooler or, let’s say, on Twitter.

McBrayer: It seems like the best policy would be for employers to prohibit employees from discussing the company in any negative manner. Is this acceptable?

Effinger: It is crucial for companies to have social media policies and procedures, but crafting them appropriately can be tricky. There have been several instances where the National Labor Relations Board has reviewed a company’s policy and found its overly broad restrictions or blanket prohibitions illegal. Even giant corporations like General Motors and Target have come under scrutiny for their social media policies and been urged to rewrite them so employees are given more leeway.

McBrayer: Is social media a company asset?

Cubbage: Yes! Take a moment to consider all of the “followers”, “fans”, or “connections” that your business may have through its social media accounts. These accounts provide a way to constantly interact with and engage clients and customers. Courts have recently dealt with cases where a company has filed suit after a rogue employee stole a business account in some manner, for instance by refusing to turn over an account password. Accounts are “assets,” even if not tangible property.

McBrayer: What is the best way for an employer to protect their social media accounts?

Cubbage: Social media accounts should first be addressed in a company’s operating agreement. Who gets the accounts in the event the company splits? There are additional steps every employer should take, such as including a provision in social media policies that all accounts are property of the business. Also, there should always be more than one person with account information, but never more than a few. Treat social media passwords like any other confidential business information – they should only be distributed on a “need to know” basis.

Yahoo!/Tumblr Deal and the Tax Cost of Cash Acquisition Payments

When Yahoo! recently acquired the blogging service Tumblr, the two companies structured the deal so that virtually all of the $1.1 billion price tag for Tumblr will be paid in cash. In the current economy, many companies, particularly tech companies, have a lot of cash available, making the more traditional payment in stock appear less desirable. However, tax planning during mergers or acquisitions can be invaluable because, with proper counsel, the organizations can anticipate and mitigate the tax ramifications for the companies, individuals and shareholders.

Specific information about any tax planning in the Yahoo!/Tumblr deal hasn’t been released, but let’s consider the potential tax consequences of an essentially all-cash deal.

Most of Tumblr’s existing shareholders likely purchased their stock for substantially less than it was valued at the time of Yahoo’s acquisition. Since capital gains taxes are levied on the difference between the purchase price and the sale price, those Tumblr shareholders may be facing a hefty capital gains tax bill that will come due as soon as the transaction is complete.

If the deal had been structured as a stock transaction, on the other hand, it might have been structured to defer the capital gains tax for those shareholders until they actually sell their stock to Yahoo! There are a number of methods, such as 1031 exchanges, Section 368 tax-free reorganizations, and/or 338(h)(10) stock purchase elections, that might also be effective in mitigating the tax burden.

An all-cash deal also presents challenges for Yahoo! in that it could affect the incentives for Tumblr’s founder and senior management going forward. In a tax-free reorganization, for example, they would generally be compensated in Yahoo! stock, which automatically creates an incentive for Tumblr’s leadership to build value for Yahoo! Without stock, a different incentive plan is needed.

According to The New York Times’ DealBook blog, Yahoo! may not need to worry about incentivizing Tumblr’s leadership, however, as it plans to continue to run the blog service as a separate company with the same group of executives. That may leave the existing incentives for success in place.

In this particular case, we don’t have enough information to determine why Yahoo! and Tumblr structured the acquisition as an all-cash deal. Well-considered tax planning, however, is essential for any business considering a merger or acquisition, stock sale, or major asset sale. Anticipating and minimizing transactional taxes, including business transfer taxes and business succession taxes, can help ensure that companies garner all potential benefits of the deal.

New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business

The National Institute of Standards and Technology (“NIST”)1 has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53 titled Security and Privacy Controls for Federal Information Systems and Organizations2 (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group3 over a period of several years with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”4

Taking “a more holistic approach to information security and risk management,5” the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).6 The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)7 in both paper and electronic form during the entire life cycle8 of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.9 The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)10 embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place (i) to protect the confidentiality, integrity, and availability of PII, and (ii) to ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in their privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency, also contain control enhancements, and while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.11 The Office of Management and Budget (“OMB”), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level12). The Privacy Controls and the roadmap provided in the Privacy Appendix will be primarily used by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve existing privacy programs in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs), and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and now will include both the Security Controls and the Privacy Controls. As such, general counsel, business executives and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine if they are up to par or if they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” to which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

3 The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

4 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

5 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

6 See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

7 Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

8 Collection, use, retention, disclosure, and disposal of PII.

9 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

10 See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

11 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

12 See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

“Lawfully Made Under This Title” – The New, Global Reach of U.S. Copyright Law’s “First Sale” Doctrine

The U.S. Copyright Act grants a copyright owner certain exclusive rights, including the right to distribute copies by sale or other transfer of ownership. 17 U.S.C. § 106(3). But while these exclusive rights are extensive, they are not limitless. Section 109(a), for one, sets forth the “first sale” doctrine:

“Notwithstanding the provisions of section 106(3), the owner of a particular copy…lawfully made under this title…is entitled, without the authority of the copyright owner, to sell or otherwise dispose of the possession of that copy.” 17 U.S.C. § 109(a).

In effect, Section 109(a) exhausts the distribution right by permitting the owner of a particular copy to dispose of that copy as she wishes.

Notably, however, the first sale doctrine is itself qualified in that it only applies to copies “lawfully made under this title.” 17 U.S.C. § 109(a) (emphasis added). That this language applies to copyrighted works made and distributed in the U.S. is clear enough. A more difficult question is to what extent the first sale doctrine applies to works produced and/or acquired abroad.

The U.S. Supreme Court partly addressed Section 109(a)’s reach in Quality King Distributors, Inc. v. L’anza Research International, Inc., 523 U.S. 135 (1998). In Quality King, the copyrighted works were manufactured in the U.S., but first sold abroad at prices 35% to 40% less than identical U.S. products. Some of the discounted foreign products were then imported back into the U.S. and sold to unauthorized retailers. The copyright owner sued alleging violation of the Copyright Act’s importation provision, 17 U.S.C. § 602(a)(1) (then §602(a)), which makes importation of a copyrighted work without the authority of the copyright owner an infringement of the distribution right. The Supreme Court, however, found that the first sale doctrine exhausts the copyright owner’s right to prohibit importation of U.S. produced works first sold abroad. In other words, the owner of a copy of a U.S. produced work acquired abroad is free to bring that copy into the U.S. without fear of retribution from the copyright holder.

Because Quality King involved only U.S. produced works – which are unquestionably “lawfully made under” the Copyright Act – the Court had no need to consider any broader implications of Section 109(a). And so, the reach of the first sale doctrine in connection with works manufactured abroad remained in doubt after Quality King.

As a graduate student in California, Supap Kirtsaeng (“Kirtsaeng”) learned that publishers often sell their U.S. textbooks for substantially more than the identical books in Thailand. Seeing an opportunity, Kirtsaeng had friends purchase textbooks in Thailand and mail them to the U.S., where he sold them on eBay. By this simple arbitrage, Kirtsaeng generated roughly $900,000 before one of the publishers, John Wiley & Sons, Inc. (“Wiley”), sued.

Wiley claimed that Kirtsaeng’s unauthorized importation of the foreign-produced textbooks violated Wiley’s distribution right via the Copyright Act’s importation prohibition. Unlike in Quality King, however, Wiley argued that the first sale doctrine did not exhaust its rights because its foreign version textbooks were produced and distributed entirely outside the U.S., and thus were not “lawfully made under [the U.S. Copyright Act],” as required by Section 109(a).

Kirtsaeng countered that “lawfully made under this title” merely means “made in accordance with U.S. copyright law,” i.e., made without infringing copyright. According to Kirtsaeng, because Wiley had authorized the production and distribution of its foreign produced textbooks, they were “lawfully made under [U.S. copyright law]” and thus the first sale doctrine applied. In other words, Kirtsaeng argued, Section 109(a) works a global exhaustion of the copyright holder’s distribution right.

The Supreme Court found – after considerable discussion of statutory construction and the common law history of the “first sale” doctrine – that the phrase “lawfully made under this title” has no geographic significance. Rather, the first sale doctrine applies to copies of works that are lawfully made anywhere in the world. Thus, Section 109(a) effects a global exhaustion of the Copyright Act’s distribution right and the lawful owner of any lawfully made copy, wherever produced and wherever acquired, is free to bring that copy into the U.S. and dispose of it as she wishes.

The Court’s non-geographical interpretation of the first sale doctrine likely will have far reaching effects.

On the one hand, organizations such as libraries, used book dealers, and museums view the Kirtsaeng ruling as a victory because it clarifies that they will not have to seek permission from copyright holders to lend or sell their books or display their artwork acquired from foreign sources. Additionally, the Court’s majority believes its holding will protect the right of American consumers to resell a broad range of foreign produced products that contain copyrighted software.

On the other hand, in the Digital Age, where it is easy to shop for, purchase and ship products globally, Kirtsaeng will greatly limit a copyright holder’s ability to maintain geographic price disparities, as historically necessitated by regional economics. Consequently, one effect of Kirtsaeng may be a trend toward global price equilibration, at least for internationally interchangeable products, such as books. Some goods, however, such as technology products, may be less affected by Kirtsaeng, where various regulations outside of copyright law tend to make the products less internationally fungible.

Kirtsaeng may also foretell a rise in leases or rentals. By its terms, Section 109(a) extends first sale protection to the “owner of a particular copy.” 17 U.S.C. § 109(a) (emphasis added). Lessees are unprotected. So, a copyright holder can circumvent the effects of Section 109(a) by renting works to its customers. In the Internet age, where a myriad of products can be delivered, consumed, and deleted digitally, rental rather than sale may be an attractive way for some industries to protect current regional pricing structures.

Moreover, the Kirtsaeng decision may have implications for the exhaustion doctrine under U.S. patent law. Similar to the first sale doctrine, the exhaustion doctrine limits a patent owner’s exclusive rights in a particular item upon the first authorized sale. In 2005, the Federal Circuit Court of Appeals explained that the exhaustion doctrine only applies to the first sale in the U.S. because the U.S. patent system “does not provide for extraterritorial effect.” Fuji Photo Film Co., Ltd. v. Jazz Photo Corp., 394 F.3d 1368, 1376 (Fed. Cir. 2005). Kirtsaeng, however, casts that reasoning in doubt. While the Supreme Court recently denied certiorari in a case that would have reexamined the exhaustion doctrine, it is widely expected that the Federal Circuit will at some point revisit the issue in light of Kirtsaeng.

Finally, in the wake of Kirtsaeng, one would expect certain rights holders to pressure Congress to rewrite Section 109(a). After Quality King, copyright holders were successful in getting the House to pass a proposed amendment that would have limited Section 109(a) to copies authorized for distribution in the U.S. This proposed “domestic exhaustion” amendment, however, ultimately died in reconciliation. Only time will tell whether copyright holders could ultimately prevail to blunt the impact of Kirtsaeng.

Evolving into the Digital Age: Protecting Intellectual Property

While society has evolved from an Industrial to an Information Age over the last hundred years, we’re now operating in a Digital world where technological innovations and intellectual property reign supreme. This fast-moving digital environment–including web, mobile and social media–requires a proactive stance on developing and protecting digital innovations as the global marketplace becomes even more competitive and organizations run the risk of losing critical innovations as others move quickly to steal ideas if the opportunity exists.

While digital strategy is driven largely by marketing or IT departments, every digital asset of the company is, and should be treated and protected as, an intellectual asset, but today these assets are often overlooked. Consider the long list of marketing or IT developments at your company. Everything from user interfaces, apps, social networking functions, personalization options on web pages, subscriber perks, wi-fi offerings, e-commerce solutions, bridging offline and online experiences and new products and services related to digital activity results in digital assets that an organization deploys. But are you taking the next step to protect them, or leaving them out in the open to be stolen? Worse, are you infringing on someone else’s intellectual property (IP)?

Innovations at Lightning Speed – Are You Giving It Away?

Today, digital assets can be protected by utility patents, design patents, copyright law and trademark law. Typically, as these innovations occur at such a rapid pace, they are not captured and translated into protected digital assets. Further, as the use of digital strategies is exploding and the creation of digital assets is a relatively new concept, most organizations have yet to build a formal business case and required methodology for protecting these assets. Compounding the issue, much of the innovation work is done in collaboration with outsourced vendors in marketing and IT, often in a vacuum, so there isn’t a legal or other IP advocate to even ask the question: “Should we protect this?” Finally, much of the technology used to develop these innovations is often open source, which creates an additional layer of confusion and often one that the legal team won’t touch.

The world is beginning to change when it comes to protecting digital assets. Patent trolls have largely emerged in the digital and technology space, attacking companies from Starbucks to Cisco for wi-fi offerings, web functionality and what was previously considered open territory for marketers and web designers. And these trolls are finding loopholes and great financial gains. Today, the trolls monitor major innovative initiatives by world-class organizations, copy and develop their own innovations around successful ones, improve them, and then ultimately file new patents for them. And then, in a crazy twist, they send these same organizations a cease and desist letter and ask for a license fee. Why aren’t organizations protecting these same assets to defend themselves and even use them as additional sources of revenue?

Building and Protecting a Digital IP Portfolio

Most companies need to start by identifying the pipeline of ideas and then turn the right ideas into valuable assets.  The innovation pipeline of digital assets is likely already alive and well in most organizations but they aren’t tapping into it.  So, the first step in building a Digital IP Portfolio is to audit where that innovation is occurring.  Understand when it is outsourced to vendors and assess whether it should be retained, shared or given away.  Once you know where the innovation is occurring, it’s time to funnel it into an IP evaluation pipeline.  At that juncture, an IP business strategy team (comprised of IP strategy experts, IP lawyers, business managers, IT managers and marketers) can evaluate its potential use and strength.  Is it a good defense play against trolls or other competitors?  Is it something you can license to others?  Is it something you just want to ensure you have and your competitors don’t? By assigning values and business goals to all of these assets, you can then channel them into a protection process with budgets and clear return on investment goals.

And the importance of having a multi-disciplined approach cannot be overstated. Generating valuable digital assets is not just a legal or IP function; it requires understanding and contribution from other facets of the company that can identify value proposition and weigh in on risk/reward. Digital is new and evolving, and critical thinking about its value proposition is essential. Many digital assets are not worth protecting if they won’t last beyond the next fad. But others are. That’s why Facebook, Google, Adobe and others have become some of the top patent filers in the world. They file for much more than just devices and consider every innovation a potential asset both offensively and defensively.

Once digital assets are channeled into protection, they can then be redistributed back out to spur innovative thinking and evaluate licensing or leverage potential. While many companies don’t see themselves as technology companies, they are quickly becoming so with their digital platforms. From retailers to entertainment and consumer goods, soon all companies will be digital or technology companies to some extent. If you don’t own and protect those assets, someone else will, and will use them against you. The time is now for savvy IP and technology professionals to identify an untapped resource – their digital assets.
