Protect Your CEO’s Tweets and Posts from U.S. Securities Exchange Commission (SEC) Enforcement Action

vonBriesen

The U.S. Securities Exchange Commission (SEC) Enforcement Division altered the jet stream of blogosphere commentary last December by, for the first time, recommending legal action against a CEO on account of a Facebook post. Immediately after the announcement, a blizzard of articles, tweets, and blogs buried the mediascape with opinions about the critical role of CEO social media use in the new economy, the wisdom or foolishness of allowing CEOs to Tweet or post, and whether the SEC should be time warped back to the Stone Age it seems to prefer.

Sweeping away the accumulated hyperbole reveals two important takeaways from the SEC’s announcement, applicable to both public and private companies: i) the more things change, the more they remain the same, and ii) this latest “grave threat” to the modern world is not a crisis, but an opportunity. Social media can be a valid, legal, and effective way to communicate with investors, if it’s done right.

About Regulation FD

The SEC’s action responded to a July 2012 Facebook post by CEO Reed Hastings stating that members watched over 1 billion hours on Netflix in June. Netflix estimated that Hastings had reached 200,000 people through his Facebook, Twitter, and LinkedIn accounts. The SEC felt this was material information for investors and that by announcing it through social media, rather than more traditional outlets, Netflix had violated Regulation Fair Disclosure (Reg. FD).

The SEC adopted Reg. FD in 2000 to fix a perceived lack of fairness in the public securities markets. Before Reg. FD, public companies could share material information with analysts who participated in conference calls or meetings not open to smaller investors. Well-connected investors got trading advantages over the general public. Reg. FD prohibits public companies from providing material information to limited groups of investors without simultaneously making the information available to the entire marketplace.

Under Reg. FD, public disclosures must be made by “filing or furnishing a Form 8-K, or by another method or combination of methods that is reasonably designed to effect broad, non-exclusionary distribution of the information to the public.” The “other method” most often employed is a press release to an array of media outlets likely to disseminate the information broadly and quickly. Individuals and companies violating Reg. FD risk injunctions and monetary penalties.

Use of Social Media Growing, Creating Risks

Social media channels first became critical communication tools for companies after adoption of Reg. FD. A 2010 study of the 100 largest companies in the Fortune 500 found that 79% were using at least one of the four most popular social media platforms. See Burson-Marsteller Fortune Global 100 Social Media Study, Feb. 23, 2010, available at http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Lists/Posts/Post.aspx?ID=160

A 2012 Forbes article cited an IBM study saying 57% of surveyed CEOs likely would be using social media by 2017. Mark Fidelman, IBM Study: If you Don’t Have a Social CEO, You’re Going to be Less Competitive, FORBES, May 22, 2012.

The SEC itself uses social media to disclose important information such as speeches, trading suspensions, litigation releases, and administrative proceedings.

While some CEOs see social media as “part of their job description,” others try to minimize risk by having employees write or review tweets before posting, and some CEOs have already tried social media and moved on. See Leslie Kwoh and Melissa Korn, 140 Characters of Risk: Some CEO’s Fear Twitter, WALL STREET JOURNAL, September 26, 2012.

Not everyone does, or should, use all forms of social media. The point of Twitter, for example, is to provide information contemporaneously with the occurrence of a thought or an event. This promptness is both the differentiating touchstone of the medium and its source of danger. Quick, unconsidered, unscripted communications by senior executives of public companies pose risks in the form of leaked intellectual property, disclosed business plans, angered customers, litigious investors, and frothy regulators. The SEC Netflix announcement demonstrates the potential for liability arising from disclosures of information requiring consideration through social media focused solely on promptness. A Facebook post subjected to prior review might have been a better choice.

Even where the SEC does not act, executives may be at risk. In May 2012, retailer Francesca’s Holdings Corporation fired its CFO, Gene Morphis, after he tweeted: “Board meeting. Good numbers = Happy Board.” Mr. Morphis, who was also active on other social media outlets, had a history of postings about earnings calls, road shows, and other work-related matters. Morphis lost his job even though the SEC took no action. Rachel Emma Silverman, Facebook and Twitter Postings Cost CFO His Job, WALL STREET JOURNAL, May 14, 2012.

Social Media Without Big Risk

The SEC has never issued guidance about the use of social media, but it has issued guidance that websites could be deemed sufficiently “public” to satisfy Reg. FD when: (1) it is a recognized channel of distribution, (2) posting on the web site disseminates the information in a manner making it available to the securities marketplace in general, and (3) there has been a reasonable waiting period for investors and the market to react to the posted information. Indeed, “for some companies in certain circumstances, posting … information on the company’s web site, in and of itself, may be a sufficient method of public disclosure,” SEC Release No. 34-58288 (Aug. 7, 2008) at 18, 25.

This is an example of how “the more things change, the more they stay the same” when it comes to the intersection of law and technology. The purpose of Reg. FD is to make sure that all investors have access to the same information roughly simultaneously. The specific communications method is not important so long as the principle of public disclosure to the general market, not subsets of investors, is served. Because 8-K filings and press releases were the most common ways to quickly and broadly disseminate information in the past, investors knew where to look for them and could monitor those information outlets. Now, when companies establish their websites as well-known places to find press releases, SEC filings, and supplemental information, they, too, have become acceptable means for Reg. FD disclosures.

The same analysis applies to social media, as well as any new communications technology that may exist in the future. The critical question is: has the company sufficiently alerted the market to its disclosure practices based on the regularity, prominence, accuracy, accessibility, and media coverage of its disclosure methods? If so, social media should be just as acceptable as any other communication tool.

One company seems to have found the right balance. Alan Meckler, CEO of WebMediaBrands Inc., drew the SEC’s attention after a pattern of regularly disclosing company information through social media back in December 2010. The SEC’s Division of Corporation Finance questioned whether Mr. Meckler’s Tweets “conveyed information in compliance with Regulation FD.” SEC letter dated December 9, 2010. Despite the investigation, the SEC brought no enforcement action.

To use social media with minimum SEC risk, the company must educate investors so that they know such communications will always occur at a particular place and at least simultaneously with other outlets. This is done by a regular pattern of social media disclosure and links to other sources, such as SEC filings, showing the way. A company should not force investors to win a shell game, finding the nut of important information in Twitter this time, on Facebook the next time, and Instagram after that. Consistency, predictability, and transparency are key. Used this way, social media present an opportunity to communicate with investors in new ways, not a source of legal problems.

©2013 von Briesen & Roper, s.c

Administration Launches Strategy on Mitigating Theft of U.S. Trade Secrets

The National Law Review recently published an article, Administration Launches Strategy on Mitigating Theft of U.S. Trade Secrets, written by Lauren M. Papenhausen with McDermott Will & Emery:


The strategy announced on February 20, 2013, should serve as both a wake-up call from the government and an offer of assistance.  Given the losses that can arise from competitors’ purposeful theft of trade secrets, entities should review the announcement and decide whether they need to be more active in protecting their trade secrets.  The strategy also offers opportunities for increased collaboration with the government.

On February 20, 2013, the White House announced an “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.”  Companies should view the announcement of this strategy as both a wake-up call from the government and an offer of assistance.  Given the losses that can arise from competitors’ purposeful theft of trade secrets, entities should review this government announcement and decide whether they need to be more active in protecting their trade secrets.

The administration strategy articulates a broad governmental commitment to addressing an “accelerating” threat to U.S. intellectual property.  The strategy encompasses five action items:

  • Focusing diplomatic efforts to protect trade secrets through diplomatic pressure, trade policy and cooperation with international entities
  • Promoting voluntary best practices by private industry to protect trade secrets
  • Enhancing domestic law enforcement, including through outreach and information-sharing with the private sector
  • Improving domestic legislation to combat trade secret theft
  • Improving public awareness and stakeholder outreach

Three main themes emerge from the administration strategy that are important for U.S. businesses.

First, the strategy and its supporting documentation highlight how frighteningly real the prospect of trade secrets theft is.  The White House report is peppered with references to household name companies that have been victimized by trade secrets theft over the past few years, often at a cost of tens of millions of dollars or more.  Mandated reports from the defense industry to the government indicate a 75 percent increase between FY2010 and FY2011 in reports of suspicious activity aimed at acquiring protected information.  Coupled with a recent New York Times article asserting Chinese government involvement in more than 100 attempted cyber attacks on U.S. companies since 2006, these reports warrant sitting up and taking notice.  According to a report by the Office of the National Counterintelligence Executive, particular targets include companies that possess the following:

  • Information and communications technologies
  • Business information that relates to supplies of scarce natural resources or that gives foreign actors an edge in negotiations with U.S. businesses or the U.S. government
  • Military technologies, particularly in connection with marine systems, unmanned aerial vehicles and other aerospace/aeronautic technologies
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy, health care and pharmaceuticals, advanced materials and manufacturing techniques, and agricultural technology

Second, the government alone cannot solve the problem.  The administration commits to making the investigation and prosecution of trade secret theft a “top priority” and states that the Federal Bureau of Investigation has increased the number of trade secret theft investigations by 29 percent since 2010.  On its face, however, a 29 percent increase in investigations cannot keep pace with a 75 percent increase in attempted trade secret thefts.  Historically, as a result of limited resources, the government has been able to address only a tiny fraction of trade secret thefts, and there is no indication that there will be the massive influx of resources necessary to change this dynamic materially.  Indeed, the administration strategy recognizes the need for public-private partnerships on this issue and asks companies and industry associations to develop and adopt voluntary best practices to protect themselves against trade secret theft.  And, of course, there are significant drawbacks to any after-the-fact solution, whether relying on government intervention or a private lawsuit.

The best solution is to prevent a trade secret theft from ever occurring.  Even if that is not possible, having taken strong measures to protect trade secrets will aid success both in any civil litigation against the perpetrator and in any criminal action the government may bring.  Entities should consider at least the following types of protective measures:

  • Research and development compartmentalization, i.e., keeping information on a “need to know” basis, particularly where outside contractors are involved in any aspect of the process
  • Information security policies, e.g., requiring multiple passwords or multi-factor authentication measures and providing for data encryption
  • Physical security policies, e.g., using controlled access cards and an alarm system
  • Human resources policies, e.g., using employee non-disclosure agreements, conducting employee training on the protection of trade secrets and performing exit interviews.

It also will be important in any future litigation that a company has clearly designated as confidential any materials it may wish to assert are trade secrets.

Third, the new administration approach to trade secrets offers some opportunities for U.S. companies.

The government interest in enhancing law enforcement operations indicates that businesses may have a better chance of encouraging the government to investigate and bring criminal charges under the Economic Espionage Act (EEA) against the perpetrators of trade secret thefts.  The possibility of seeking government involvement is a powerful tool that should be considered and discussed with counsel any time there is a significant suspected trade secret theft.  Obtaining government involvement in specific instances of trade secret theft can allow businesses to take advantage of information learned via government tactics such as undercover investigations and search warrants.  It also can significantly enhance any civil litigation—for example, a finding of criminal liability can make a civil outcome a foregone conclusion.

The administration strategy’s focus on improving domestic legislation and increasing communication with the private sector suggests that there is an opportunity for the private sector to collaborate with government actors in communicating industry needs and shaping policy.  For example, it is possible that the time is ripe for an amendment to the EEA (currently a federal criminal statute that offers no private right of action) to create a federal, private cause of action for misappropriation of trade secrets.  A bill to this effect was introduced in Congress in 2012 and did not progress, but two other amendments to strengthen the EEA that passed overwhelmingly in December 2012, plus the recently issued administration strategy, suggest there may be gathering momentum for such a change.

In an executive order signed on February 12, 2013, entitled “Improving Critical Infrastructure Cybersecurity,” President Obama outlined government plans to significantly increase the amount of information that the government shares with private sector entities about cyber threats.  Specifically, the order directs government agencies to develop procedures to create and disseminate to targeted entities unclassified reports of cyber threats that identify them as targets, to disseminate classified reports of cyber threats under certain circumstances to “critical infrastructure entities,” and to expand the Enhanced Cybersecurity Services program (previously available only to defense contractors to assist in information-sharing about cyber threats and protection of trade secrets) to “eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”  The directives in the executive order are in addition to and complement various information-sharing tactics set forth in the administration strategy designed to provide warnings, threat assessments and other information to industry.  Companies, particularly those involved in the power grid or the provision of other utilities or critical systems, should be aware of the possibility of obtaining additional information from the government about threats to protected information.

© 2013 McDermott Will & Emery

Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps

The National Law Review recently published an article, Federal Trade Commission (FTC) Recommends Privacy Practices for Mobile Apps, written by Daniel F. Gottlieb, Randall J. Ortman, and Heather Egan Sussman with McDermott Will & Emery:


On February 1, 2013, the Federal Trade Commission (FTC) released a report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency” (Report), which urges mobile device application (app) platforms and developers to improve the privacy policies for their apps to better inform consumers about their privacy practices.  This report follows other recent publications from the FTC concerning mobile apps—including “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” released December 2012 (December 2012 Report), and “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing,” released February 2012 (February 2012 Report)—and the adoption of the amended Children’s Online Privacy Protection Act (COPPA) Rule on December 19, 2012.  (See “FTC Updates Rule for Children’s Online Privacy Protection” for more information regarding the recent COPPA amendments.)

Among other things, the Report offers recommendations to key stakeholders in the mobile device application marketplace, particularly operating system providers (e.g., Apple and Microsoft), application developers, advertising networks and related trade associations.  Such recommendations reflect the FTC’s enforcement and policy experience with mobile applications and public comment on the matter; however, where the Report goes beyond existing legal requirements, “it is not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC.”  Nevertheless, such key stakeholders should take the FTC’s recommendations into account when determining how they will collect, use and transfer personal information about consumers and preparing privacy policies to describe their information practices because they reflect the FTC’s expectations under its consumer protection authorities.

At a minimum, operating system providers and application developers should review their existing privacy policies and make revisions, as necessary, to comply with the recommendations included within the Report.  However, all key stakeholders should consider the implications of recommendations specific to their industry segment, as summarized below.

Operating System Providers

Characterized within the Report as “gatekeepers to the app marketplace,” the FTC states that operating system providers have the “greatest ability to effectuate change with respect to improving mobile privacy disclosures.”  Operating system providers, which create and maintain the platform upon which mobile apps run, promulgate rules that app developers must follow in order to access the platform and facilitate interactions between developers and consumers.  Given their prominent role within the app marketplace, it is not surprising that the FTC directs numerous recommendations toward operating system providers, including:

  • Just-In-Time Disclosures.  The Report urges operating system providers to display just-in-time disclosures to consumers and obtain express, opt-in (rather than implied) consent before allowing apps to access sensitive information like geolocation (i.e., the real world physical location of a mobile device), and other information that consumers may find sensitive, such as contacts, photos, calendar entries or recorded audio or video.  Thus, operating system providers and mobile app developers should carefully consider the types of personal information practices that require an opt-in rather than mere use of the app to evidence consent.
  • Privacy Dashboard.  The Report suggests that operating system providers should consider developing a privacy “dashboard” that would centralize privacy settings for various apps to allow consumers to easily review the types of information accessed by the apps they have downloaded.  The “dashboard” model would enable consumers to determine which apps have access to different types of information about the consumer or the consumer’s device and to revisit the choices they initially made about the apps.
  • Icons.  The Report notes that operating system providers currently use status icons for a variety of purposes, such as indicating when an app is accessing geolocation information.  The FTC suggests expansion of this practice to provide an icon that would indicate the transmission of personal information or other information more broadly.
  • Best Practices.  The Report recommends that operating system providers establish best practices for app developers.  For example, operating system providers can compel app developers to make privacy disclosures to consumers by restricting access to their platforms.
  • Review of Apps.  The Report suggests that operating system providers should also make clear disclosures to consumers about the extent to which they review apps developed for their platforms.  Such disclosures may include conditions for making apps available within the platform’s app marketplace and efforts to ensure continued compliance.
  • Do Not Track Mechanism.  The Report directs operating system providers to consider offering a “Do Not Track” (DNT) mechanism, which would provide consumers with the option to prevent tracking by advertising networks or other third parties as they use apps on their mobile devices.  This approach allows consumers to make a single election, rather than case-by-case decisions for each app.

App Developers

Although some practices may be imposed upon app developers by operating system providers, as discussed above, app developers can take several steps to adopt the FTC’s recommendations, including:

  • Privacy Policies.  The FTC encourages all app developers to have a privacy policy, and to include reference to such policy when submitting apps to an operating system provider.
  • Just-In-Time Disclosures.  As with the recommendations for operating system providers, the Report suggests that app developers provide just-in-time disclosures and obtain affirmative express consent before collecting and sharing sensitive information.
  • Coordination with Advertising Networks.  The FTC argues for improved coordination and communication between app developers and advertising networks and other third parties that provide certain functions, such as data analytics, to ensure app developers have an adequate understanding of the software they are incorporating into their apps and can accurately describe such software to consumers.
  • Participation in Trade Associations.  The Report urges app developers to participate in trade associations and other industry organizations, particularly in the development of self-regulatory programs addressing privacy in mobile apps.

Advertising Networks and Other Third Parties

By specifically including advertising networks and other third parties in the Report, the FTC recognizes that cooperation with such networks and parties is necessary to achieve the recommendations outlined for operating system providers and app developers.  The recommendations for advertising networks and other third parties include:

  • Coordination with App Developers.  The Report calls upon advertising networks and other third parties to communicate with app developers to enable such developers to provide accurate disclosures to consumers.
  • DNT Mechanism.  Consistent with its recommendations for operating system providers, the FTC suggests that advertising networks and other third parties work with operating system providers to implement a DNT mechanism.

Trade Associations

The FTC states that trade associations can facilitate standardized privacy disclosures.  The Report makes the following recommendations for trade associations:

  • Icons.  Trade associations can work with operating system providers to develop standardized icons to indicate the transmission of personal information and other data.
  • Badges.  Similar to icons, the Report suggests that trade associations consider developing “badges” or other visual cues used to convey information about a particular app’s data practices.
  • Privacy Policies.  Finally, the FTC suggests that trade associations are uniquely positioned to explore other opportunities to standardize privacy policies across the mobile app industry.

Children and Mobile Apps

Commenting on progress between the February 2012 Report and December 2012 Report, both of which relied on a survey of 400 mobile apps targeted at children, the FTC stated that “little or no progress has been made” in increasing transparency in the mobile app industry with regard to privacy practices specific to children.  The December 2012 Report suggests that very few mobile apps targeted to children include basic information about the app’s privacy practices and interactive features, including the type of data collected, the purpose of the collection and whether third parties have access to such data:

  • Privacy Disclosures.  According to the December 2012 Report, approximately 20 percent of the mobile apps reviewed disclosed any privacy-related information prior to the download process and the same proportion provided access to a privacy disclosure after downloading the app.  Among those mobile apps, the December 2012 Report characterizes their disclosures as lengthy, difficult to read or lacking basic detail, such as the specific types of information collected.
  • Information Collection and Sharing Practices.  The December 2012 Report notes that 59 percent of the mobile apps transmitted some information to the app developer or to a third party.  Unique device identifiers were the most frequently transmitted data point, which the December 2012 Report cites as problematic, suggesting that such identifiers are routinely used to create user “profiles,” which may track consumers across multiple mobile apps.
  • Disclosure Practices Regarding Interactive App Features.  The FTC reports that nearly half of the apps that stated they did not include advertising actually contained advertising, including ads targeted to a mature audience.  Similarly, the December 2012 Report notes that approximately 9 percent of the mobile apps reviewed disclosed that they linked with social media applications; however, this number represented only half of the mobile apps that actually linked to social media applications.  Mobile app developers using a template privacy policy as a starting point for an app’s privacy policy should carefully tailor the template to reflect the developer’s actual privacy practices for the app.

Increased Enforcement

In addition to the reports discussed above and the revisions to the COPPA Rule, effective July 1, 2013, the FTC has also increased enforcement efforts relating to mobile app privacy.  On February 1, 2013, the FTC announced an agreement with Path Inc., operator of the Path social networking mobile app, to settle allegations that it deceived consumers by collecting personal information from their mobile device address books without their knowledge or consent.  Under the terms of the agreement, Path Inc. must establish a comprehensive privacy program, obtain independent privacy assessments every other year for the next 20 years and pay $800,000 in civil penalties specifically relating to alleged violations of the COPPA Rule.  In announcing the agreement, the FTC commented on its commitment to continued scrutiny of privacy practices within the mobile app industry, adding that “no matter what new technologies emerge, the [FTC] will continue to safeguard the privacy of Americans.”

Key Takeaways

App developers and other key stakeholders should consider the following next steps:

  • Review existing privacy policies to confirm they accurately describe current privacy practices for the particular app rather than merely following the developer’s preferred template privacy policy
  • Where practical, update actual privacy practices and privacy policies to be more in line with the FTC’s expectations for transparency and consumer choice, including use of opt-in rather than opt-out consent models
  • Revisit privacy practices in light of heightened FTC enforcement under COPPA and its other consumer protection authorities

© 2013 McDermott Will & Emery

Estate Planning with Digital Assets in Mind

McBrayer NEW logo 1-10-13

“It’s ‘Bosco’!!”  Seinfeld fans will recall from “The Secret Code” episode that George Costanza created a good deal of chaos by being reluctant to share his secret code.  By the same token, failing to share the secret codes to your digital assets could put a wrench in your best-laid estate plans.  This article will discuss various measures that you can implement to ensure that your digital assets will pass in accordance with your desires.

Whether we like it or not, the world is changing at warp speed.  Paper statements for bank accounts and the like are going the way of the dodo bird.  Those dusty old books that used to gobble up shelf space can now be stored on a device that fits in the palm of your hand.  Same goes for the vinyl records you bought with money from mowing lawns.  And who would have ever thought that you’d be able to share pictures of your children or grandchildren with your friends and family by posting them on Facebook?

As the world becomes more and more digital, so too do the assets which comprise your estate.  Digital assets encompass a wide variety of items.  The website www.digitalestateresourse.com defines digital assets to include the following:

  1. “files stored on digital devices, including but not limited to, desktops, laptops, tablets, peripherals, storage devices, mobile telephones, smartphones, and any similar digital device which currently exist or may exist as technology develops; and
  2. e-mails received, e-mail accounts, digital music, digital photographs, digital videos, digital books, software licenses, social network accounts, file sharing accounts, financial accounts, banking accounts, tax preparation service accounts, online stores, affiliate programs, other online accounts, and similar digital items which currently exist or may exist as technology develops, regardless of the ownership of the physical device upon which the digital item is stored.”

Failing to properly catalogue your digital assets could have a variety of negative consequences.  By way of example, that rainy day savings account that you never told anyone about could go undetected by the executor of your estate; and those vacation photos which your family would so enjoy could be forever locked in a Shutterfly account.

So what needs to be done to ensure that your digital assets are properly accounted for and that they go to their intended beneficiaries?  Taking the following steps will go a long way towards accomplishing your objectives: (1) keep a master list of your digital assets; (2) keep the master list current; (3) tell someone where you keep the master list; (4) determine whether your digital assets are transferable; and (5) consider making specific provisions for them in your Will.

(1) KEEPING A LIST. The most important step in properly handling your digital assets is to create a master list of such assets. I find Excel spreadsheets to be a helpful tool for creating and maintaining such lists. For each of your digital assets, consider including the following information: (i) a description of the asset (e.g., TD Ameritrade Brokerage Account); (ii) where the asset is located (e.g., www.tdameritrade.com); (iii) any account number or user name associated with the asset; and (iv) any password that is necessary to gain access to the asset.

(2)  CURRENT INFORMATION.  Creating a list of digital assets without keeping the information current is about as useful as having an ashtray on a motorcycle.  It doesn’t do your executor any good to know that the brokerage account you opened in 2004 was with TD Ameritrade.  Rather, he really needs to know that you transferred the assets to Fidelity Investments in 2009 and that is where the assets are currently located.  Ideally you should update the master list every time you change the location of the assets, change a password or make a similar change.  Short of that, you should review your master list at least once every three months and after you have done so, make a notation to that effect on the master list.  Something such as “Current as of 12/1/12” would work nicely.

(3)  LOCATION OF THE LIST.  Creating and maintaining the master list does your heirs no good unless you share its location with someone you trust.  As a best practice, you should tell your executor where the master list is located and you should keep a copy of the master list with your other valuable papers and documents.

(4) NOT ALL DIGITAL ASSETS ARE TRANSFERABLE. Unless you are the one person in 10,000 who actually reads the user agreement when you establish an online account, you should revisit each user agreement for your online accounts to determine which of your digital assets are transferable upon your death. By way of example, not all airlines permit the transfer of frequent flyer miles upon the death of the account holder. Upon making such a determination, you should update your master list accordingly.

(5)  SPECIFIC BEQUESTS OF DIGITAL ASSETS.  Now that your executor knows your digital assets exist, they should pass in accordance with your overall estate plan.  Without making specific provisions for your digital assets, they will pass pursuant to the residuary clause of your Will.  So, while it is not necessary to make specific bequests of your digital assets, as a practical matter it may be advisable to do so.  For example, I know that my wife would love to have the family photos stored on my laptop, but I can promise you that she has no interest in the Alex Cross novels I’ve purchased for my Kindle Fire or the Johnny Cash albums I’ve purchased for my iPhone.

Digital assets are often an overlooked component of even the most complicated estate plans.  However, with proper planning you can make sure that all of your digital assets are properly accounted for and that they pass according to your wishes.  To assess the current health of your estate plan, including a determination of whether your digital assets are properly accounted for, consider scheduling an appointment with your estate planning attorney.

© 2013 by McBrayer, McGinnis, Leslie & Kirkland, PLLC

Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them

Raymond Law Group LLC‘s Stephen G. Troiano recently had an article, Trade Secret Misappropriation: When An Insider Takes Your Trade Secrets With Them, featured in The National Law Review:


While companies are often focused on outsider risks such as breach of their systems through a stolen laptop or hacking, often the biggest risk is from insiders themselves. Such problems of access management with existing employees, independent contractors and other persons are as much a threat to proprietary information as threats from outside sources.

In any industry dominated by two main players there will be intense competition for an advantage. Advanced Micro Devices and Nvidia dominate the graphics card market. They put out competing models of graphics cards at similar price points. When played by the rules, such competition is beneficial for both the industry and consumers.

AMD has sued four former employees for allegedly taking “sensitive” documents when they left to work for Nvidia. In its complaint, filed in the 1st Circuit District Court of Massachusetts, AMD claims this is “an extraordinary case of trade secret transfer/misappropriation and strategic employee solicitation.” Allegedly, forensically recovered data show that when the AMD employees left in July of 2012 they transferred thousands of files to external hard drives that they then took with them. Advanced Micro Devices, Inc. v. Feldstein et al, No. 4:2013cv40007 (1st Cir. 2013).

On January 14, 2013 the District Court of Massachusetts granted AMD’s ex-parte temporary restraining order finding AMD would suffer immediate and irreparable injury if the Court did not issue the TRO. The TRO required the AMD employees to immediately provide their computers and storage devices for forensic evaluation and to refrain from using or disclosing any AMD confidential information.

The employees did not have a non-compete contract. Instead, the complaint is centered on an allegation of misappropriation of trade secrets. While both AMD and Nvidia are extremely competitive in the consumer discrete GPU market involving PC gaming enthusiasts, there are rumors that AMD managed to secure their hardware to be placed in both forthcoming next-generation consoles, Sony PlayStation 4 and Microsoft Xbox 720. AMD’s TRO and ultimate goal of the suit may therefore be to preclude any of their proprietary technology from being used by its former employees to assist Nvidia in the future.

The law does protect companies and individuals such as AMD from having their trade secrets misappropriated. The AMD case has only recently been filed and therefore it is unclear what the response from the employees will be. What is clear is how fast AMD was able to move to deal with such a potential insider threat. Companies need to be aware of who has access to what data and for how long. With that knowledge, in the event of a breach, whether internal or external, companies can move quickly to isolate and identify the breach and take steps such as litigation to ensure their proprietary information is protected.

© 2013 by Raymond Law Group LLC

Italian Data Protection Authority’s Guide on Cloud Computing

The National Law Review recently published an article, Italian Data Protection Authority’s Guide on Cloud Computing, written by Martino Sforza of McDermott Will & Emery:

 

The Italian Data Protection Authority (DPA) has published a guide on cloud computing, “How to Protect Your Data Without Falling From a Cloud,” which contains useful recommendations on how to select and appoint cloud providers and vendors of data management and storage services. This is the first official guidance issued by the Italian DPA in response to the fast growing use of cloud services in Italy and it might be of particular interest to employers who outsource their data systems to cloud service providers. The guide offers an overview of the potential issues linked to the various types of cloud services, whether they are managed on public, private or hybrid clouds. Under Italian law, cloud providers are appointed as data processors while employers act as data controllers and will be liable for any wrongdoing committed by the data processors. Employers are therefore well advised to negotiate appropriate terms for the management of the “cloud-based” data and make sure that adequate technical and organizational measures are in place in order to avoid possible loss or unauthorized disclosure.

The full guide is available on the Italian DPA website.

© 2012 McDermott Will & Emery

Cyber Attacks Hit Major Banks. Is Your Business Next?

Roy E. Hadley, Jr. and Joan L. Long of Barnes & Thornburg LLP recently had an article regarding Cyber Attacks published in The National Law Review:

Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the “biggest cyber attacks they’ve ever seen.” As this CNN Money article points out, the websites “have all suffered day-long slowdowns and been sporadically unreachable for many customers.”

According to security experts, the “denial of service” attacks, which began on Sept. 19, are the largest ever recorded.

For all businesses, denial of service attacks are a growing and more menacing threat.  Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?

The CNN Money article can be read in its entirety by clicking on the link below.

CNN Money – “Major banks hit with biggest cyberattacks in history”

© 2012 BARNES & THORNBURG LLP

AntiSec Hackers Strike Again

An article by Cynthia J. Larose of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding AntiSec Hackers was recently published in The National Law Review:

 

AntiSec – the hacker group that is the “merger” of Anonymous and Lulzsec – claims to have obtained the unique device identifiers (UDIDs) from 12 million Apple iPhone and iPad users by breaching an FBI computer, and has published more than 1 million of them.

Details of the hack can be found at ZDNet, Slate and The Washington Post. According to the hackers, the alleged hack was intended to publicize the existence of some kind of secret FBI tracking project, also raising an embarrassing question of security for the FBI.

If you want to check whether your Apple UDID was in the compromised file, The NextWeb has developed a nifty quick check tool that you can see here.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession. Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security numbers while also adding similar protections for consumers. This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer. This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number. It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections. Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law require them to institute certain safeguards to protect against the number’s disclosure. And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

FTC Proposes New Rules on Children’s Online Privacy Issues

Michelle Cohen of Ifrah Law recently had an article regarding Children’s Online Privacy published in The National Law Review:

On August 1, 2012, the Federal Trade Commission announced that it is issuing a Supplemental Notice of Proposed Rulemaking to modify certain of its rules under the Children’s Online Privacy Protection Act (COPPA). Industry has been waiting on FTC action regarding COPPA, as the agency previously undertook a COPPA rulemaking in September 2011 and proposed modifying certain COPPA rules to account for changes in technology, particularly mobile technology.

The FTC received over 350 comments during that time. After reviewing those comments, the FTC has decided to propose certain additional changes to its COPPA rule definitions.

In summary, COPPA gives parents control over the information websites can collect from their kids. It applies to websites designed for children under 13 – or those that have reason to know they are collecting information from a child. It requires a specific privacy notice and that consent be obtained from parents in many circumstances before children’s information may be collected and/or used.

The FTC has proposed several changes that are of interest. Some are meant to “tighten” the COPPA rule, others are meant to provide some additional flexibility to operators.

  • The proposed change would make clear that an operator that chooses to integrate the services of third parties that collect personal information from visitors (like ad networks or plug-ins) would itself be considered a covered “operator” under the Rule.
  • The FTC is also proposing to allow websites with mixed audiences (e.g., parents and over 13) to age-screen visitors to provide COPPA’s protections only to those under 13. However, kid-directed sites or services that knowingly target under-13s as their primary audience or whose overall content is likely to attract kids under that age could not use that method.
  • Also, the FTC has proposed modifying the definition of what constitutes “personal information” relating to children to make it clear that a persistent identifier falls within that definition if it can be used to recognize a user over time or across different sites or services. The FTC is considering whether activities like site maintenance and analysis, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual ads, and protecting against fraud and theft should not be considered the collection of “personal information” as long as what’s collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising.

Comments on the FTC’s proposed rule changes are due by September 10, 2012.

© 2012 Ifrah PLLC