Federal Judge Finds that Apple Conspired to Raise E-book Prices

McDermott

On July 10, 2013, Judge Denise Cote of the Southern District of New York issued a 160-page opinion holding that Apple conspired with five book publishers to raise e-book prices and eliminate retail price competition in violation of Section 1 of the Sherman Act and several relevant state statutes.  United States v. Apple Inc., case number 12-civ-2826 (DLC).  The five publishers – Hachette, HarperCollins, Macmillan, Penguin and Simon & Schuster – had all previously settled with the U.S. Department of Justice (DOJ).

The opinion stated that as Apple prepared to launch its iPad to the public and sought to concurrently enter the e-book market with its iBookstore, it met with the publishers and agreed to provide them with an “agency model” for e-book pricing that allowed the publishers to set the prices of the e-books themselves, subject to certain price caps.  Apple’s agreements with the publishers also included Most Favored Nation provisions, which ensured that Apple could match its competitors’ prices and also gave the publishers an incentive to lobby Amazon and other retailers to change their wholesale business models to agency models.  According to the court’s opinion, these agency model agreements caused e-book prices to increase, sometimes by 50% or more for a specific title.

A separate trial for potential damages will be scheduled later.  Apple said it will appeal the ruling.


The “Dot-Brand” Explosion: What You Need To Do Now

Dickinson Wright

Earlier this year the company that manages the global internet address system (the Internet Corporation for Assigned Names and Numbers, or ICANN) accepted the first round of applications for new “generic top level domains,” or gTLDs – the part of an address that goes to the right of the dot. Most businesses register domain names that use the familiar “.com” suffix or one of a handful of other available options such as “.org” or “.biz.” The new program makes it possible to register a business name, a trademark – indeed, virtually any word in any language – as a TLD in its own right. Depending on whose crystal ball you consult, this Dot-Brand initiative could revolutionize the way the internet works, or hopelessly complicate it, or both.

The initial application window recently closed. The list of applications offered a few surprises, a number of omens for the future – and some important action items for brand owners who did not apply for a gTLD this time around.

  • One surprise was the sheer number of applications. Originally, ICANN was anticipating 500 or so. In the end there were almost 2,000 (at $185,000 apiece!). The unexpected volume slowed down the application process, and will surely slow the review and approval process even more.
  • Many of the applications were for famous brand names (.chevy, .nikon, .walmart) and several were for geographic locations (.paris, .nyc, .amsterdam). The most interesting ones were for generic terms like .art, .tech, and .store, which will be of interest to a great many people. Lots of brand owners in the auto industry, for example, may want to be part of the “.cars” domain.
  • Not surprisingly, many of these generic domains are the subject of multiple applications: thirteen for .app; seven each for .mail and .news; nine for .shop. There will be a lengthy dispute-resolution process, probably culminating in an old-fashioned auction to the highest bidder, to see who ultimately gains control of these domains.

A recent survey of attorneys responsible for protecting trademarks found that while 91 percent were aware of the new gTLD program, only 36 percent had read the Applicant Guidebook, which explains how the process works. That Guidebook, and the initial application list, suggest some important steps you should take now to protect your brand:

1. Make sure no one has applied for a domain that incorporates one of your trademarks. A formal objection period for addressing such issues is now open and will run until January 2013.

2. Identify “generic” domains of interest, and investigate the applicants and their business plans. If you’re in the financial services sector, for example, you’ll want to know who’s behind the applications for .bank, .broker, .finance, .fund, .insurance, .investments, .lifeinsurance, .loans, .money, .mutualfunds, and others. A 60-day comment period, open to anyone, runs through August 12; if there is something ICANN ought to know about one or more of the applicants or proposed domains, now is the time to tell them.

3. Start planning for defensive domain-name registrations in appropriate generic and geographic domains. Depending on the business you’re in, you may want to make sure you are the first to register your company name and key trademarks within appropriate domain names – before someone else does. The “someone else” could be a competitor, or just an old-fashioned cyber-squatter of the sort brand owners have been dealing with in the .com sphere for years. And don’t forget about domains like “.sucks,” where having someone else register your brand could be embarrassing.

The best defense is a good offense. Starting in October 2012, for a small fee you will be able to list your brand names in ICANN’s Trademark Clearinghouse; anyone who tries to register your brand as a domain name will be advised of your rights.

Update on Advanced Micro Devices (AMD) Trade Secret Misappropriation Case: Judge Hillman Issues Narrow Interpretation of the Computer Fraud and Abuse Act (CFAA)


As originally discussed on this blog back in February, a lawsuit brought by Advanced Micro Devices (AMD) against former employees accused of taking AMD trade secrets with them to competitor Nvidia has been ongoing, and a recent opinion in the case highlights the uncertainty surrounding the Computer Fraud and Abuse Act (CFAA).

A recent opinion issued by Judge Timothy S. Hillman narrowly interpreted the CFAA in this case. Judge Hillman declined a broad interpretation of the CFAA and held that AMD’s allegations in its complaint are insufficient to sustain a CFAA claim.

The relevant portion of the CFAA provides that it is a violation of the CFAA to:

Knowingly and with intent to defraud, [access] a protected computer without authorization or [exceed] authorized access, and by means of such conduct [further] the intended fraud and [obtain] anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.

There is a circuit split on the interpretation of this clause. As Judge Hillman noted, the 1st Circuit has not clearly articulated its position on the issue. The broad interpretation defines access in terms of agency or use: whenever an employee breaches a duty of loyalty or a contractual obligation and acquires an interest adverse to their employer, all subsequent access exceeds the scope of authorized access. Proponents of the narrower interpretation argue that the intent of the CFAA was to deter computer hacking, not to supplement common law trade secret misappropriation remedies, and therefore fraudulent means must have been used to obtain the information in the first place.

Judge Hillman applied a narrow interpretation of the CFAA and held that AMD had not pleaded sufficient facts to maintain a cause of action under the CFAA. AMD had pleaded that the defendants used their authorized access to computer systems to download confidential AMD information, which they retained when they left to go work at Nvidia. The complaint, while alleging that the defendants had the intent to defraud AMD, provided no facts supporting the allegation that the defendants obtained the information through fraudulent or deceptive methods.

Judge Hillman did not outright dismiss the claim given the truncated evidentiary record and has allowed AMD the opportunity to plead specific details indicating that some or all of the defendants used fraudulent or deceptive means to obtain the confidential information and that they intentionally defeated or circumvented technologically implemented restrictions to obtain the confidential information. If other judges in the 1st Circuit follow Judge Hillman’s approach, plaintiffs will need to ensure that they plead with sufficient detail that the defendants obtained the information through a fraudulent or deceptive method as opposed to simply obtaining the information through permissible access.

Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; thus, businesses should research the laws in the relevant jurisdiction(s)). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address those threats. Examples of security measures include:

  • restricting access to confidential information on a need-to-know basis;
  • employing computer access restrictions;
  • circulating an employee handbook that outlines company policies governing confidential information;
  • conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers;
  • conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations;
  • encrypting confidential information;
  • limiting access to confidential information through passwords and network firewalls;
  • tracking all access to network resources and confidential information;
  • restricting the ability to email, print or otherwise transfer confidential information;
  • employing security personnel, limiting visitor access and establishing surveillance procedures; and
  • limiting physical access to areas that may contain confidential information.

Conclusion

This blog post is intended to provide some broad guidelines for identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.


New Data Breach Class Action has Two Million Plaintiffs


Cyber breaches resulting in the release of personally identifiable information (PII) are increasingly common, and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of such lawsuits, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed to federal court a class action lawsuit filed against it stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states that the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, spending numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations, as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common, it is likely that there will be more lawsuits similar to the one against Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

Round Up – Intellectual Property and Cyber Security Things You May Have Missed (Including Some Good Summer Cocktail Banter Material)

Giordano

Cyber Security Report – Earlier this year, Verizon released its 2013 Data Breach Investigations Report.  The report analyzes and presents data regarding the current state of various data breaches and network attacks.  Some of the results are surprising.

  • 92% of breaches are perpetrated by outsiders
  • 19% of breaches are attributed to state-affiliated actors
  • 76% of network intrusions exploit weak or stolen credentials
  • 66% took months or more to discover

Do Trademark Lawyers Matter? – An empirical study, published in the Stanford Technology Law Review, provided the results of a grueling analysis of 25 years’ worth of data from United States Patent and Trademark Office records on whether being represented by a trademark attorney makes a difference in the likelihood of success in getting your mark registered.  The results?  YES!  It turns out that, overall, trademark applicants who are represented by an attorney are 50% more likely to have their marks registered.  The results are even more dramatic when an application faces an obstacle (e.g., an office action).  In those instances, applicants were found to be 68% more likely to proceed to publication when represented by counsel.  Perhaps it’s time for a national trademark lawyer appreciation day! (I’m not holding my breath.)

Does Keyword Advertising Really Work? – eBay recently released a study, entitled “Consumer Heterogeneity and Paid Search Effectiveness: A Large Scale Field Experiment,” which analyzed the effectiveness of eBay’s keyword advertising efforts.  So does keyword advertising really work?  Not so much.  According to the study, for well known brands (like eBay), new and infrequent users may be more influenced by keyword-triggered advertisements.  But more experienced searchers and otherwise loyal brand users are not influenced by the ads.  When eBay stopped its keyword advertising, almost all of the traffic lost from the absence of the ad was picked up in the native search results.  It’s important to note, however, that this study was focused on a single well known brand.  The results may be quite different for other brands or for less well known brands.  Moreover, the study says nothing about the use of a trademark by a competitor as a keyword to drive traffic to the competitor’s website.

Marketing Your Mobile App – The FTC has released guidelines for mobile app developers when advertising their software.  The plain language guide is very high level, but does include some helpful tidbits to remember.  Highlights include:

  • Advertising is everything a company tells a prospective buyer about its app (whether it’s in the formal ad campaign or in other communications).
  • Don’t bury key disclosures in “dense blocks of legal mumbo jumbo” or behind hyperlinks.
  • Build in privacy by design, including principles used in selecting default settings.
  • If you change your privacy policy, you need to get users’ consent.  Merely editing the language of the policy isn’t enough.

Effective Disclosures in Digital Advertising – The FTC also released guidelines for online advertising.  This new guidance focuses on the peculiarities and challenges associated with online advertising.  Where this adds new value is in its analysis and detail (with examples!) of the following areas:

  • Proximity and Placement – where disclosures have to be placed to be effective
  • Hyperlinks – including proper labeling and placement
  • Prominence – including use of size, color and graphics
  • Distractions – risks from graphics, sounds and links that may distract from disclosures
  • Multimedia – use of audio and video

Attack on “Happy Birthday” Copyright – Salon.com reported yesterday that a class action suit has been filed to attack the copyright in the popular birthday celebration tune.  According to the report, the lawsuit was prompted by a documentary uncovering evidence that the song was originally published as early as 1893 and that the current copyright is based on a 1924 publication date, which grants the work 95 years of copyright protection.  Based on my count, there are only about 6 years left in the alleged copyright to begin with.  Hopefully the lawsuit gets resolved before then.


Social Media & Emerging Employer Issues: Are You Protected?

McBrayer

On June 13, 2013, Business First of Louisville and McBrayer hosted the second annual Social Media Seminar. The seminar’s predecessor, Social Media: Strategy and Implementation, was offered in 2012 and was hugely successful. This year’s proved to be no different. Presented by Amy D. Cubbage and Cynthia L. Effinger, the seminar focused on emerging social media issues for employers. If you missed it, you missed out! But don’t worry, a seminar recap is below.

McBrayer: If a business has been designated an entity that must comply with HIPAA, what is the risk of employees using social media?

Cubbage: Employers are generally liable for the acts of their employees which are inconsistent with HIPAA data privacy and security rules. As employees’ use of social networking sites increases, so does the possibility of a privacy or security breach. An employee may be violating HIPAA laws simply by posting something about their workday that is seemingly innocent. For instance, a nurse’s Facebook status that says, “Long day, been dealing with a cranky old man just admitted into the ER” could be considered a HIPAA violation and expose an employer to sanctions and fines.

McBrayer: Should businesses avoid using social media so that they will not become the target of social media defamation?

Effinger: In this day and age it is hard, if not impossible, for a business to be successful without some use of social media. There is always the risk that someone will make negative comments about an individual or a business online, especially when anonymity is an option. Employers need to know the difference between negativity and true defamation. Negative comments or reviews are allowed, perhaps even encouraged, on some websites. If a statement is truly defamatory, however, then a business should make efforts to have the commentary reported and removed. The first step should always be to ask the internet service provider for a retraction of the comment, but legal action may sometimes be required.


McBrayer: When does a negative statement cross the line and become defamation?

Effinger: It is not always easy to tell. First, a statement must be false. If it is true, no matter how damaging, it is not defamation. The same goes for personal opinions. Second, the statement must cause some kind of injury to an individual or business, such as by negatively impacting a business’s sales, to be defamation.


McBrayer: Can employers ever prevent employees from “speaking” on social media?

Effinger: Employers should always have social media policies in place that employees read, sign, and abide by. While it is never really possible to prevent employees from saying what they wish on social media sites, some of their speech may not be protected by the First Amendment’s freedom of speech clause.


McBrayer: What constitutes “speech” on the internet? Is “liking” a group on Facebook speech? How about posting a YouTube video?

Effinger: This is a problem that courts and governmental employment agencies, like the National Labor Relations Board, are just starting to encounter. There is no bright-line rule for what constitutes “speech,” but it is safe to say that anything an employee does online that is somehow communicated to others (even “liking” a group or posting a video) qualifies.


McBrayer: Since a private employer is not bound by the First Amendment, can they terminate employees for social media actions with no repercussions?

Effinger: No! In fact, it could be argued that private employees are afforded more protection for what they say online than public employees. While a private employer has no constitutional duty to allow free speech, the employer is subject to state and federal laws that may prevent them from disciplining an employee’s conduct. As a general rule, private employees have the right to communicate in a “concerted manner” with respect to “terms and conditions” of their employment. Such communication is protected regardless of whether it occurs around the water cooler or, let’s say, on Twitter.


McBrayer: It seems like the best policy would be for employers to prohibit employees from discussing the company in any negative manner. Is this acceptable?

Effinger: It is crucial for companies to have social media policies and procedures, but crafting them appropriately can be tricky. There have been several instances where the National Labor Relations Board has reviewed a company’s policy and found its overly broad restrictions or blanket prohibitions illegal. Even giant corporations like General Motors and Target have come under scrutiny for their social media policies and been urged to rewrite them so employees are given more leeway.


McBrayer: Is social media a company asset?

Cubbage: Yes! Take a moment to consider all of the “followers”, “fans”, or “connections” that your business may have through its social media accounts. These accounts provide a way to constantly interact with and engage clients and customers. Courts have recently dealt with cases where a company has filed suit after a rogue employee stole a business account in some manner, for instance by refusing to turn over an account password. Accounts are “assets,” even if not tangible property.


McBrayer: What is the best way for an employer to protect their social media accounts?

Cubbage: Social media accounts should first be addressed in a company’s operating agreement. Who gets the accounts in the event the company splits? There are additional steps every employer should take, such as including a provision in social media policies that all accounts are property of the business. Also, there should always be more than one person with account information, but never more than a few. Treat social media passwords like any other confidential business information – they should only be distributed on a “need to know” basis.


Yahoo!/Tumblr Deal and the Tax Cost of Cash Acquisition Payments

McBrayer

When Yahoo! recently acquired the blogging service Tumblr, the two companies structured the deal so that virtually all of the $1.1 billion price tag for Tumblr will be paid in cash. In the current economy, many companies, particularly tech companies, have a lot of cash available, making the more traditional payment in stock appear less desirable. However, tax planning during mergers or acquisitions can be invaluable because, with proper counsel, the organizations can anticipate and mitigate the tax ramifications for the companies, individuals and shareholders.

Specific information about any tax planning in the Yahoo!/Tumblr deal hasn’t been released, but let’s consider the potential tax consequences of an essentially all-cash deal.

Most of Tumblr’s existing shareholders likely purchased their stock for substantially less than it was valued at the time of Yahoo’s acquisition. Since capital gains taxes are levied on the difference between the purchase price and the sale price, those Tumblr shareholders may be facing a hefty capital gains tax bill that will come due as soon as the transaction is complete.

If the deal had been structured as a stock transaction, on the other hand, it might have been structured to defer the capital gains tax for those shareholders until they actually sell their stock to Yahoo! There are a number of methods, such as 1031 exchanges, Section 368 tax-free reorganizations, or Section 338(h)(10) stock purchase elections, that might also be effective in mitigating the tax burden.

An all-cash deal also presents challenges for Yahoo! in that it could affect the incentives for Tumblr’s founder and senior management going forward. In a tax-free reorganization, for example, they would generally be compensated in Yahoo! stock, which automatically creates an incentive for Tumblr’s leadership to build value for Yahoo! Without stock, a different incentive plan is needed.

According to The New York Times’ DealBook blog, Yahoo! may not need to worry about incentivizing Tumblr’s leadership, however, as it plans to continue to run the blog service as a separate company with the same group of executives. That may leave the existing incentives for success in place.

In this particular case, we don’t have enough information to determine why Yahoo! and Tumblr structured the acquisition as an all-cash deal. Well-considered tax planning, however, is essential for any business considering a merger or acquisition, stock sale, or major asset sale. Anticipating and minimizing transactional taxes, including business transfer taxes and business succession taxes, can help ensure that companies garner all potential benefits of the deal.


New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business

Mintz

The National Institute of Standards and Technology (“NIST”)1 has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53, titled Security and Privacy Controls for Federal Information Systems and Organizations2 (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community and the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group3 over a period of several years, with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”4

Taking “a more holistic approach to information security and risk management,”5 the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).6 The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)7 in both paper and electronic form during the entire life cycle8 of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.9 The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)10 embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place to (i) protect the confidentiality, integrity, and availability of PII, and (ii) ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in its privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency also contain control enhancements, and while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.11 The Office of Management and Budget (“OMB”), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy control families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level).12 The Privacy Controls and the roadmap provided in the Privacy Appendix will be used primarily by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve existing privacy programs in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs), and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and now will include both the Security Controls and the Privacy Controls. As such, general counsel, business executives and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine if they are up to par or if they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” to which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

3 The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

4 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

5 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

6 See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

7 Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

8 Collection, use, retention, disclosure, and disposal of PII.

9 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

10 See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

11 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

12 See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

Evolving into the Digital Age: Protecting Intellectual Property


While society has evolved from an Industrial to an Information Age over the last hundred years, we’re now operating in a Digital world where technological innovations and intellectual property reign supreme. This fast-moving digital environment, including web, mobile and social media, requires a proactive stance on developing and protecting digital innovations. The global marketplace is becoming even more competitive, and organizations run the risk of losing critical innovations as others move quickly to steal ideas when the opportunity exists.

While digital strategy is driven largely by marketing or IT departments, every digital asset of the company is, and should be treated and protected as, an intellectual asset; today, however, these assets are often overlooked. Consider the long list of marketing or IT developments at your company. Everything from user interfaces, apps, social networking functions, personalization options on web pages, subscriber perks, wi-fi offerings, e-commerce solutions, bridging offline and online experiences, and new products and services related to digital activity results in digital assets that an organization deploys. But are you taking the next step to protect them, or leaving them out in the open to be stolen? Worse, are you infringing on someone else’s intellectual property (IP)?

Innovations at Lightning Speed – Are You Giving It Away?

Today, digital assets can be protected by utility patents, design patents, copyright law and trademark law. Typically, because these innovations occur at such a rapid pace, they are not captured and translated into protected digital assets. Further, as the use of digital strategies is exploding and the creation of digital assets is a relatively new concept, most organizations have yet to build a formal business case and required methodology for protecting these assets. Compounding the issue, much of the innovation work is done in collaboration with outsourced vendors in marketing and IT, often in a vacuum, so there isn’t a legal or other IP advocate to even ask the question: “Should we protect this?” Finally, much of the technology used to develop these innovations is open source, which creates an additional layer of confusion, and often one that the legal team won’t touch.

The world is beginning to change in how organizations protect their digital assets. Patent trolls have largely emerged in the digital and technology space, attacking companies from Starbucks to Cisco over wi-fi offerings, web functionality and what was previously considered open territory for marketers and web designers. And these trolls are finding loopholes and great financial gains. Today, the trolls monitor major innovative initiatives by world-class organizations, copy and develop their own innovations around successful ones, improve them, and then ultimately file a new patent for it. Then, in a crazy twist, they send these same organizations a cease and desist letter and ask for a license fee. Why aren’t organizations protecting these same assets to defend themselves, and even using them as additional sources of revenue?

Building and Protecting a Digital IP Portfolio

Most companies need to start by identifying the pipeline of ideas and then turning the right ideas into valuable assets. The innovation pipeline of digital assets is likely already alive and well in most organizations, but they aren’t tapping into it. So the first step in building a Digital IP Portfolio is to audit where that innovation is occurring. Understand when it is outsourced to vendors and assess whether it should be retained, shared or given away. Once you know where the innovation is occurring, it’s time to funnel it into an IP evaluation pipeline. At that juncture, an IP business strategy team (comprised of IP strategy experts, IP lawyers, business managers, IT managers and marketers) can evaluate its potential use and strength. Is it a good defense play against trolls or other competitors? Is it something you can license to others? Is it something you just want to ensure you have and your competitors don’t? By assigning values and business goals to all of these assets, you can then channel them into a protection process with budgets and clear return on investment goals.

And the importance of having a multi-disciplined approach cannot be overstated. Generating valuable digital assets is not just a legal or IP function; it requires understanding and contribution from other facets of the company that can identify the value proposition and weigh in on risk/reward. Digital is new and evolving, and critical thinking about its value proposition is essential. Many digital assets are not worth protecting if they won’t last beyond the next fad. But others are. That’s why Facebook, Google, Adobe and others have become some of the top patent filers in the world. They file for much more than just devices and consider every innovation a potential asset, both offensively and defensively.

Once digital assets are channeled into protection, they can then be redistributed back out to spur innovative thinking and to evaluate licensing or leverage potential. While many companies don’t see themselves as technology companies, they are quickly becoming so with their digital platforms. From retailers to entertainment and consumer goods, soon all companies will be digital or technology companies to some extent. If you don’t own and protect those assets, someone else will, and will use them against you. The time is now for savvy IP and technology professionals to identify an untapped resource: their digital assets.
