Facebook Post Breaches Confidentiality Provision of Settlement Agreement

A Florida appellate court has ruled that a teenaged daughter’s post on Facebook mentioning her father’s confidential settlement of an age discrimination claim breached a confidentiality provision in the settlement agreement, barring the father from collecting an $80,000 settlement. Gulliver Schools, Inc. v. Snay, No. 3D13-1952 (Fla 3d DCA Feb. 26, 2014).

The plaintiff, Patrick Snay, was a headmaster of Gulliver, a private school in the Miami area. After his contract was not renewed, he sued for age discrimination. The parties reached a settlement pursuant to a written agreement, which included a detailed confidentiality provision. The provision stated in part:

13. Confidentiality . . . [T]he plaintiff shall not either directly or indirectly, disclose, discuss or communicate to any entity or person, except his attorneys or other professional advisors or spouse any information whatsoever regarding the existence or terms of this Agreement. . . A breach . . . will result in disgorgement of the Plaintiff’s portion of the Settlement Payments.

A couple of days after the agreement was signed, Snay’s daughter, who had recently been a student at Gulliver, posted the following on her Facebook page:

Mama and Papa Snay won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.

Snay’s daughter had about 1,200 Facebook friends, many of whom were current or former Gulliver students. Gulliver notified Snay of the breach and refused to tender the $80,000 to Snay under the terms of the settlement. (Snay’s attorneys received their portion). Snay moved to enforce the agreement. Limited discovery revealed that Snay and his wife notified their daughter “that the case was settled and they were happy with the result.” Snay denied ever discussing a trip to Europe. The district court held that Snay’s actions did not violate the terms of the agreement, but the appellate court reversed, noting that Snay was prohibited from “directly or indirectly” disclosing even the “existence” of the settlement.

The decision offers lessons for counsel, litigants, and parents. Counsel and litigants need to remember that these types of confidentiality provisions with disgorgement penalties are taken seriously by the courts and can be enforced. Parents need to remind their children to be mindful of what they post on social media, because it might have adult consequences.

Article by:

V. John Ella

Of:

Jackson Lewis P.C.

The Do’s and Don’ts of Investing in a Lead Generation Service

In order to grow your firm, you need to invest in a reliable marketing and advertising program. Lead generation services are a great alternative to investing and managing your own campaigns, which can be both costly and time consuming for the average attorney. Lead generation services can not only offer you consistent, quality leads but also provide you with a total marketing package that allows you to manage those leads. There are a slew of companies that will make you a lot of promises, but how do you know which ones are legitimate?

What steps should you take before you decide the right company for your firm’s needs?

Do Your Research

Not all lead generation services are equal. Some will scam you. Some will give you old or undesirable leads. Some will give you leads but don’t offer additional marketing services and support that will ensure continued success.

Research several companies and find out their reputations. Look for a company with longevity, positive client testimonials and a desire to see your law firm succeed: one that knows its best interest as a marketing firm is to do whatever it takes to grow your law firm, because its success is 100% dependent upon yours. No lead generation service will be worth your hard-earned dollars if it doesn’t care enough to be the best.

Do Make a Long Term Commitment to Your Firm’s Success

Be wary of companies that encourage a short-term approach to your advertising needs. Marketing and advertising is an ongoing commitment. Any successful advertising program, whether it’s done internally or through lead generation services, requires two things: patience and time. A consistent stream of new potential clients is the key to long-term, sustained growth for any firm. This can’t be done with a stop-and-start approach to your marketing.

Don’t Ignore Industry Trends

Effective marketing for a personal injury practice is changing and evolving. It is imperative that you invest in an advertising service that closely follows potential clients’ search behaviors. The firm must employ a diversified approach that will reach a wide variety of potential clients at any time. Advances in media mean potential clients use various devices to stay connected. Whether it’s TV, internet or mobile, the right company will employ more than one of these sources to generate leads for your firm. Using an agency that employs only one of these methods means you are putting all your eggs in one basket – which is never an effective way to spend your advertising dollars.

Getting your firm’s name out there and making it effortless for potential clients to reach you in their time of need is critical to growing your practice. Paid lead generation can be beneficial when used and managed correctly.

Finding the right legal marketing firm that can provide you the ultimate lead generation service, that has exclusive, quality leads in your geographic area in combination with a marketing package that is all inclusive, can be a challenging process.

Article by:

Anush Alexander

Of:

RW Lynch Company, Inc.

California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act

A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under the existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The Judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Article By:

Of:

Drinker Biddle & Reath LLP

New Social Network for Attorneys Now Online

A new social network for attorneys – Foxwordy – has now launched and is offering any lawyer who is “an innovator and influencer in the legal industry” a free three-month membership to what its founder is calling an “invitation-only private social-networking platform brings together relevant top-tier legal colleagues to efficiently collaborate in real-time.”

It appears that this new site is aimed at creating a new attorney-to-attorney referral platform.  Foxwordy founder Monica Zent said that the site provides a way for attorneys to gain a peer validated reputation and encourages collaborations that would normally happen via the phone, in person or by email.

Some of the site’s features include:

  • Real-time collaboration with other lawyers working on common issues
  • Ability for attorneys to share best practices and language for legal documents
  • Listing of job opportunities similar to LinkedIn

Zent says there are currently 1,000 members on the website that is now out of beta.  The network will not be available to the public; it is designed solely as a website for attorneys to share information and collaborate, and membership is by invitation only.  You provide your name and email address on the home page to request an invitation.

It was unclear on the site how you are vetted for membership; since the site’s revenue model is based on subscriptions alone ($10 per month), I was guessing that the bar isn’t set too high.  And I was proven right after I had one of my non-attorney staff members enter her name and Gmail address, and she received a congratulatory email minutes later on her acceptance.

I’d be interested to hear from attorneys who sign up and participate on this new social network for lawyers – what are you finding of most value for your practice from this new social media tool?

Article by:

Stephen Fairley

Of:

The Rainmaker Institute

Digital Currency Identified as an “Emerging Risk” in the Canadian Federal Government’s 2014 Budget

On February 11, 2014, the Canadian Federal Government released its 2014 Budget. In the 2014 Budget, the Federal Government pledged to introduce legislative amendments to strengthen Canada’s anti-money laundering and terrorist financing regime in the area of virtual (digital) currency.

2013: Year of Bitcoin?

At the beginning of 2013, one bitcoin could be purchased for $12. For a brief period in November 2013, one bitcoin was worth more than one ounce of gold ($1242 to $1240, respectively). Forbes and MarketWatch wrote articles proclaiming 2013 as the year of bitcoin, and “bitcoin” was chosen as the word of the year by the Australian National Dictionary Centre (beating out worthy candidates, including “selfie” and “twerk”).

This increased popularity of digital currency has brought increased scrutiny from regulators and law enforcement. Last year in the United States, the Financial Crimes Enforcement Network issued guidance with respect to whether activities by individuals and companies related to virtual currencies are subject to registration, reporting, and recordkeeping requirements, and the FBI arrested the “mastermind” of Silk Road (a marketplace selling illegal items and accepting payment in virtual currency). In early 2014, a prominent member of the bitcoin community was indicted on money laundering charges.

Canada Revenue Agency (“CRA”) Releases Its Position on Bitcoin

Prior to the release of the 2014 Budget, the main Canadian government references to digital currency were from the CRA. The first notable CRA acknowledgment of bitcoin was in April 2013 in the form of a CRA communication to the Canadian Broadcasting Corporation (“CBC”). The communication stated that transactions involving bitcoin are barter transactions and that gains resulting from bitcoin transactions could be income or capital depending on the specific facts.

On November 5, 2013, the CRA issued its first release on the taxation of digital currency. This release reinforced the CRA’s earlier position on bitcoin that was set out in its April 2013 e-mail to the CBC. On December 23, 2013, in CRA Document No. 2013-0514701|7, subject “Bitcoins,” the CRA further clarified its position with respect to bitcoin “in response to a summary of comments that were provided in response to a recent media enquiry describing the income tax consequences of various transactions involving digital currency.”

Accordingly, the CRA considers bitcoin to be a commodity, not a currency. Therefore, using bitcoins to purchase goods or services is considered a barter transaction. The sale of bitcoins at a profit is treated as either income or capital depending on a particular taxpayer’s circumstances.

Virtual Currency in the 2014 Budget

Virtual currency is identified in the 2014 Budget as an “emerging risk” that threatens Canada’s international leadership in the fight against money laundering and terrorist financing. Bitcoin is cited in the 2014 Budget as an example of such virtual currency.

In the 2014 Budget, the Federal Government proposed to introduce anti-money laundering and anti-terrorist financing regulations for virtual currencies, such as bitcoin.

The Federal Government noted in the 2014 Budget that this proposal was based on a report by the Standing Senate Committee on Banking, Trade and Commerce entitled Follow the Money: Is Canada Making Progress in Combatting Money Laundering and Terrorist Financing? Not Really (the “Report”). The Report is a five-year review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (the “Act”) and was issued in March 2013. However, the only reference in the Report to digital currency is a brief note that the development of electronic methods to launder money must be addressed through timely amendments to the Act and its regulations.

2014: Year of Bitcoin Regulation

The Federal Government has identified digital currency as an “emerging risk” in the fight against money laundering and terrorist financing. Accordingly, the regulation of digital currency in Canada is imminent, and individuals and businesses dealing in bitcoin will soon be subject to certain registration, reporting, and recordkeeping requirements.

Article by:

Dickinson Wright PLLC

Retail Shopping: Virtual or Reality?

In the 1998 movie, “You’ve Got Mail,” the charming children’s bookshop owned by Meg Ryan’s character is threatened by the mega-box book store owned by Tom Hanks’s character. Despite the small shop’s long history as a part of the Main Street USA-style neighborhood, the store eventually folds underneath the pressure exerted by the discount powerhouse next door. Flash forward to 2014, and Borders book stores have closed their doors due in large part to Amazon.com’s supremacy in the online sale of books. According to Bloomberg News, in December 2013, “Cyber Monday web sales surged, sending online shoppers to a single-day record as Amazon.com and EBay, Inc. siphoned customers from brick and mortar stores.” At first glance, it seems like there’s only bad news for traditional retail shops.

But here’s some good news: physical shopping centers can compete with the convenience of one-click online shopping by offering the right combination of stores, services, restaurants and entertainment that will draw consumers to live retail destinations.

Consumers will be more likely to shop in brick and mortar stores for products they want to touch and try out first hand, such as beauty products by Sephora, home furnishings by Boston Interiors, or high end clothing.  Specialized fitness studios such as yoga studios or indoor cycling classes and luxurious salon and spa services will also attract even the most avid online shoppers.

In addition, many new outdoor centers offer more immersive options than the traditional strip center or enclosed mall: these so-called “urban villages” feature amenities and entertainment venues such as walking boulevards, outdoor plazas for concerts, retro bowling alleys, ice skating rinks and even life-size chess boards. Many of the new centers also offer a wide range of culinary options to satisfy every craving, from an elegant first-class steakhouse to a casual French bakery and cafe, the perfect place to indulge in a sidewalk cappuccino or chocolate croissant. Chain restaurants and discount stores strung along the highway don’t stand a chance against a restaurant or boutique located in one of these vibrant centers. These shopping hubs often have plenty of space and facilities for special events: restaurants can host celebrity chef events, and the outdoor spaces can accommodate fashion shows, fine art performances, art shows and other seasonal and community events.

By offering products and services that people prefer to buy in real life and by creating destination centers where friends and families will flock to shop, eat, socialize and have fun, the experience of shopping on Main Street USA will surely remain an integral part of the future of retail.

Article by:

Jane Errico

Of:

Sherin and Lodgen LLP

California Continues to Shape Privacy Standards: Song-Beverly Act Extended to Email Addresses

Executive Summary: California retailer restricted from requiring a customer email address as part of a credit card transaction. We knew that asking for zip codes is intrusive personal questioning, and now asking for email has been added to the list.

California’s Song-Beverly Credit Card Act (Cal. Civ. Code Sec. 1747 et seq.) (“Song-Beverly Act” or “Act”) restricts businesses from requesting, or requiring, as a condition to accepting credit card payments that the card holder provide “personal identification information” that is written or recorded on the credit card transaction form or otherwise. “Personal identification information” means “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the card holder’s address and telephone number.” The California Supreme Court has previously ruled that zip codes are also “personal identification information” under the Song-Beverly Act. See Pineda (Jessica) v. Williams-Sonoma Stores, Inc., 2011 Cal. LEXIS 1502 (Cal. Feb. 10, 2011).

Recently, a United States federal district court in California expanded “personal identification information” to include email addresses in a decision denying retailer Nordstrom’s motion to dismiss claims it violated the Song-Beverly Act. The plaintiff sued Nordstrom for collecting his email address as part of a credit card transaction at one of its California stores in order to email him a receipt, then subsequently using his email address to send him frequent, unsolicited marketing emails. See Capp v. Nordstrom, Inc., 2013 U.S. Dist. LEXIS 151867, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013).

Raising a case of first impression under California law, Nordstrom claimed that email addresses are not “personal identification information” under the Song-Beverly Act, so the Act did not apply. The court disagreed with Nordstrom and found the opposite based on the California Supreme Court’s earlier ruling in Pineda. Nordstrom’s argument that email addresses can readily be changed, unlike zip codes, and consumers can have multiple email addresses was not persuasive. The court held that an email address regards a card holder in a more personal and specific way than a zip code. Unlike a zip code that refers to the general area where a card holder works or lives, email permits direct contact with the consumer and implicates their privacy interests. The court concluded that the collection of email addresses is contrary to the Song-Beverly Act’s purpose to guard against misuse of personal information for marketing purposes. In particular, the plaintiff’s allegation that his email address was collected to send him a receipt and then used to send him promotional emails directly implicates the protective purposes of the Act as interpreted in Pineda.

Pineda held that zip codes are personal information for purposes of the Song-Beverly Act, and therefore a brick and mortar retailer violated the Act when it requested and recorded such data. In the Pineda decision, the California Supreme Court found that zip codes, like the card holder’s address expressly called out as “personal identification information” under the Act, were unnecessary to completing the credit card transaction and inconsistent with the protective purpose of the Act. This is especially true when a zip code is collected to be used with the card holder’s name in order to locate the card holder’s address, permitting a retailer to locate indirectly what it is prohibited from obtaining directly under the Act.

Nordstrom also argued that the plaintiff’s claims under the Song-Beverly Act were preempted by the federal “Controlling the Assault of Non-Solicited Pornography and Marketing Act” (better known as the CAN-SPAM Act), but the court disagreed. While the CAN-SPAM Act contains a preemption provision, it only preempts state laws that regulate the manner in which email messages are sent and their content, both of which are not regulated under the Song-Beverly Act.

Retailer tip: The federal court issuing this most recent decision recommends waiting to request an email address (or a zip code) until after the consumer has the receipt from their credit card transaction in hand, and then sending the consumer emails only in conformance with the CAN-SPAM Act.

In the wake of Pineda, retailers faced class action lawsuits for requesting consumer zip codes at check out. This new decision could have a similar effect.

Article by:

Of:

Womble Carlyle Sandridge & Rice, PLLC

Registering Your Trademark with the Trademark Clearinghouse – Is Your House in Order?

“It’s happening – the biggest change to the Internet since its inception” is how the president of ICANN’s Generic Domains Division has described the new gTLD Program being implemented by The Internet Corporation for Assigned Names and Numbers (ICANN), and rightfully so. The new program will result in the expansion of available generic Top-Level Domains (gTLDs), such as .COM, .NET or .ORG, from the list of 22 that we’ve all become familiar with through the years, to a list of possibly 1,400 generic Top-Level Domains.

On October 23, 2013, the first new gTLDs were “delegated”. This means they were introduced into the Internet’s “Root Zone”, the central authoritative database for the Internet. As a result, the domain name Registries, the organizations approved to operate these and other soon-to-be-delegated gTLDs, can execute the final processes required to make their domain names available to Internet users. ICANN claims that the purpose of this unprecedented expansion of domain name extensions is to enhance competition, innovation and choice in the Domain Name space, providing a wider variety of organizations, communities and brands new ways to communicate with their audiences. As available real estate in the “.com” territory has become increasingly scarce, it is hoped that the new gTLDs will provide additional space for entities and individuals to set up an online presence. While it is true that virtually every two or three letter combination seems to have already been registered in the “.com” Top-Level Domain, this explosion of new generic top-level domains also means big bucks for domain name registrars and additional costs for trademark owners who properly protect their marks.

While 4 new gTLDs were delegated in October, the delegation has been a rolling process, with new generic Top-Level Domains being released in November, December and January. Below are just a few of the gTLDs that have successfully completed the process. The list will continue to be expanded as the measured rollout of the new gTLDs progresses over the coming years:

.equipment

.kitchen

.diamonds

.bike

.shoes

.technology

.enterprises

.gallery

.education

.graphics

.ceo

.ventures

As the new gTLD program is rolled out, many trademark owners are wisely looking for ways to protect their brands from being registered by third parties as domain names in the new gTLD space without their knowledge or consent. In view of the rapidly changing gTLD landscape, owners need to be aware of how to protect their marks, sooner rather than later.

What Does All This Mean for Brand Owners?

Over the past year, there has been significant discussion and concern in the legal community regarding the potential for trademark infringement by third parties seeking to register domain names that incorporate the brands of others under these newly released gTLDs.

In light of the potential for infringement, ICANN has established certain mechanisms for the new gTLD program in order to try and protect the rights of brand owners. The main tool for doing so is the Trademark Clearinghouse (TMCH), an entity created by ICANN with which trademark owners can register their marks in advance of the new gTLD launches.

Brand owners who register their trademarks with the TMCH can take advantage of a priority, or “sunrise”, period during which they are entitled to register domain names that are identical to their marks, before registration opens to the general public. In addition, the TMCH provides the brand owner with automatic notification of any third-party attempts to register domain names that are identical to their marks, enabling the mark owner to then take appropriate legal action. To be clear, this mechanism does not stop third-parties from registering domain names identical to marks registered with the TMCH, but does notify the brand owner, or its representative, of such registration. These devices provide brand owners with help against cyber squatters seeking to register infringing domain names under the new gTLDs.

Registration of a trademark with the TMCH is available for registered trademarks, marks protected by statute or treaty, or court-validated marks. Registration is also available for any other marks protectable under the new gTLD registry’s policies and that meet the eligibility requirements of the TMCH. Registration with the TMCH is encouraged for brand owners in order to combat infringement of their brands in cyberspace and registration costs currently are $150 per mark for a one-year term of registration, $435 for a three-year term, and $725 for a five-year term. Such registration with the TMCH does not include fees that will be charged by the new gTLD registrars to register domain names during the “sunrise” or general public registration periods.

The biggest change to the Internet since its inception is happening now…make sure your marks are protected!

Article by:

Nicole M. Meyer

Of:

Dickinson Wright PLLC

New Online Privacy Policy Requirements Take Effect January 1, 2014

California Online Privacy Protection Act (CalOPPA)

Owners of websites, online services or mobile applications (apps) that can be accessed or used by California residents should ensure their compliance with the new amendments to the California Online Privacy Protection Act of 2003 (CalOPPA) by the law’s January 1, 2014 effective date.  The borderless nature of the Internet makes this law applicable to almost every website or online service and mobile application.  Accordingly, companies should review and revise their online privacy policies to ensure compliance with the new law and avoid potentially significant penalties.

Previously, CalOPPA required the owner of any website or online service operated for commercial purposes (an “operator”) that collects California residents’ personally identifiable information (PII) to conspicuously post a privacy policy that met certain content requirements, including identifying the types of PII collected and the categories of third parties with whom that information is shared. The new law requires that companies subject to CalOPPA provide the following additional disclosures in their privacy policies.

  • How an operator responds to “do not track” signals from Internet browsers and any other mechanism that provides consumers a choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites and online services.  A company may satisfy this requirement by revising its privacy policy to include the new disclosures or by providing a clear and conspicuous hyperlink to a webpage that contains a description of any program or protocol the company follows to provide consumers a choice about tracking, including the effects of the consumer’s choice.
  • An affected company must disclose to users whether third parties may collect PII about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.

The California law does not require that operators honor a user’s “do not track” signals. Instead, operators must only provide users with a disclosure about how the website or mobile app will respond to such mechanisms. “Do not track” mechanisms are typically small pieces of code, similar to cookies, that signal to websites or mobile apps that the user does not want his or her website or app activities tracked by the operator, including through analytics tools, advertising networks, and other types of data collection and tracking practices.  Further, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General recently stated that the required disclosures should not be limited to tracking simply for online behavioral advertising purposes, but those disclosures must extend to any other purpose for which online behavioral data is collected by a business’s website (e.g., market research, website analytics, website operations, fraud detection and prevention, or security).

A violation of the law can result in a civil fine of up to $2,500 per incident. The California Attorney General maintains that each noncompliant mobile app download constitutes a single violation and that each download may trigger a fine.

Given that most company websites will have California visitors, companies should consider taking the following steps to ensure compliance with the CalOPPA amendments by January 1, 2014:

  • Identify the tracking mechanisms in place on your company’s websites and online services, including (a) the specific types of PII collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and how the website responds to “do not track” signals. Do so by seeking input from those familiar with your website, including (i) technicians and developers who understand the mechanics of how the website operates, including how it responds to “do not track” signals, (ii) financial and marketing personnel who understand how user PII is monetized, and (iii) any other stakeholders who access or handle user PII.
  • Review the practices of any third parties that have the ability to track users on your website. To draft the new disclosures, you will need to understand how those third parties track your users and whether they are capable of doing so before or after the users leave your service.
  • Incorporate the information identified above to modify your online privacy policy to include the required behavioral tracking disclosures.
  • Retain the prior version of the policy in your records, including the date on which each version was posted to the site. The new version should have an updated effective date to distinguish it from the previous version.

Expansion of California’s Data Breach Notification Requirements

Under another new law taking effect on January 1, 2014, California will expand its data breach notification requirements by adding new types of information to the definition of “personal information” under California Civil Code §§ 1798.29 and 1798.82. The new law requires notification if a California resident’s personal information is compromised, and, as with CalOPPA, the breach notification requirements apply regardless of the location of the organization that sustains the breach.  Therefore, to the extent that your business collects and retains California residents’ PII, then the amended California breach notification law would apply.

Previously, the California law required notification of a data breach in the event of the unauthorized access to or disclosure of an individual’s name, in combination with that individual’s (i) Social Security number, (ii) driver’s license or California ID number, (iii) account, credit or debit card number, together with a security or access code, (iv) medical information, or (v) health information, where either the name or the other piece of information was not encrypted. Under the new definition, “personal information” will also include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Accordingly, if your business or organization collects this type of information, then it should consider undertaking the following proactive measures to reduce the risk and magnitude of a potential data breach:

  • Periodically and systematically delete nonessential personal information. By deleting obsolete PII and other sensitive information, businesses can significantly reduce the risk of a breach.  Retaining such obsolete legacy PII serves no business purpose, but only adds unnecessary exposure and potential liability.
  • Conduct a PII inventory and perform a risk assessment of your security measures.  Identify what PII is being collected by your organization, where it is retained, who has access to the PII and the security measures to protect the PII.  Ensuring that sufficient protections are in place may not prevent every incident, but it can reduce the possibility of an incident occurring in the first place and limit the disruption to your business if there is a breach.
  • Limit the disclosure of PII to third parties only when necessary to provide services or products. You can be equally responsible for a data breach notification if the person or entity who experiences the data breach was a third party who received PII from you. Any vendor or third party with whom you share PII should contractually represent and warrant that they have in place certain standards for protecting that information and agree to indemnify your company for any loss that results from a breach.

 

Article by:

Of:

Vedder Price

Dark Sites Re: Secret Websites


In our modern media age, it sometimes feels as though everyone in the entire world has noticed the same thing at the same time.  So it is with the Deep Web and the darknets that lurk in the shadows – it was an obscure topic until a few months ago, and now your grandparents have probably heard of them.  Once the type of thing that only geeks (like me!) would think and/or talk about, the topic has now made the front cover of Time Magazine (in a piece by legendary fantasy author and critic Lev Grossman).  It has also made national news (with the takedown of the infamous Silk Road marketplace) and inserted itself into a far more noticeable place of prominence in our culture.

These hidden sites can be found through a collection of anonymous servers that enable a vivid underground of dissidents, hackers, criminals, law enforcement, drug runners and folks who seem like refugees from a James Bond movie.  All you need is a specialized tool like TOR, and (if you believe the stories) you can live a secret life online.  But should you care?  As a character says in one of my novels, “you may not be interested in the deep web, but the deep web is very interested in you.”

In the past when we talked with clients about the dark sites of the deep web, people really thought that it sounded like something out of a William Gibson story, like Chiba City in Neuromancer, or the Night Market in Nick Harkaway’s Angelmaker.   But now companies are suddenly finding themselves confronting deep web issues as never before, whether because someone has “doxed” their employees or executives (by releasing personally identifiable information on persistent sites that cannot be taken down), because their products are being counterfeited and distributed by online networks, because they are being defamed on chat boards that cannot be reached let alone turned off, because someone has used TOR to anonymously hack their passwords — the possibilities are endless, troubling, and happening now.  If you want to steal someone’s trade secrets and want to ensure that the transaction is untraceable, suddenly there are tools to accomplish exactly that.  If you’ve learned how to copy a product using a 3-D printer, you can distribute the plans.  If you want to cause trouble, you can hire someone directly to do that, pay them in bitcoins, and watch the damage from afar.

As a lawyer, it is impossible not to see how this is going to have a dramatic impact on IP, privacy, and nearly every other thing we do.  The Internet of Things is coming shortly (the FTC just held a workshop on the topic this week), and the facial recognition technologies and environmental advertising predicted in Minority Report are no longer futuristic fictions.  3-D and electronic printing promises to give ever smaller groups the ability to make things based on electronic schematics without access to heavy industry.  More and more information will be available about more people, and will be available to more people – and the fact that there are genuinely secure ways where those who are so inclined can use that data for criminal purposes should give everyone pause.

To be sure, all of this seems rather abstract, and it can sound like a tabloid scare tactic.  But there are some things that everyone can do to deal with the risks in their own lives.  First, engage in some data security hygiene: change your passwords regularly, don’t pass them out, don’t allow them to be easily engineered by people who know a few random facts about you.  Second, think about whether you are in a business where people will want to copy your products, will want to pretend to be you, will want to steal your information.  If you are that type of business, it is worth checking from time to time to see if you have been targeted.  And finally, as always, it is critical that everyone in this day and age try to stay abreast of what is happening in the world of tech – it is easy to assume that because you make donuts, or own a small clothing store, or manage a bank, or run a hedge fund, that you don’t need to know about the cutting edge developments coming down the pipe.  But you do.  The time when you could just stick to your knitting and ignore the tech world is past, and you need to assume that the tech world is very interested in you, indeed.

Article by:

Darren S. Cahr

Of:

Drinker Biddle & Reath LLP