What 2014’s Continued IPO Surge Means for Clean Tech and Renewable Energy Companies

Mintz Levin Law Firm

The year 2014 is on track to be the most active IPO market in the United States since 2000, with the mid-year total number of IPOs topping last year’s mid-year total by more than 60%.[1] There were 222 US IPOs in 2013, with a total of $55 billion raised, and 2014 has already seen 151 US IPOs, for a total of $32 billion, completed by the mid-year mark. The year 2000 (over 400 IPOs) was the last year of a 10-year boom in US IPOs that reached its peak in 1996 (over 700 IPOs).

What does this mean for emerging energy technology and renewables companies that might be looking to the capital markets? As of mid-year 2014, there have been six cleantech/renewables IPOs, while there were a total of seven in all of 2013. In both years, these deals have represented a relatively small percentage of total IPOs and still do not match the level of activity in the more traditional energy and oil & gas sector. In 2014, IPOs were completed by a range of innovative companies, including Aspen Aerogels, TCP International and Opower.

Two unambiguously positive developments for clean energy in 2013 and the first half of 2014 have been the strong market for follow-on offerings and YieldCo IPOs. As was the case in 2013, several larger energy tech companies that are already public completed follow-on offerings to bolster cash for growth in 2014. Following in the footsteps of Tesla, SunEdison, First Solar, and other companies who completed secondary offerings in 2013, Jinko Solar (January 2014), Pattern NRG (May 2014), Plug Power (January and April 2014), Trina Solar (June 2014), and several other public companies capitalized on the continued receptiveness of clean-tech capital markets.

Following on successful YieldCo IPOs in 2013 (NRG Yield, Pattern Energy), there have already been three YieldCo IPOs in 2014: Abengoa Yield, NextEra Energy Partners, and, most recently, Terraform Power. The continued growth of YieldCo deals as well as the growing dollar amount of such offerings is an extremely encouraging sign for the energy and clean-tech sector as a whole, signaling a longer-term market acceptance of the ongoing changes in domestic and global energy consumption. The successful public market financings of these companies – whose strategy typically involves the purchase and operation of existing clean, energy-generating assets – should result in increased access to capital for renewable energy generation assets, as well as related technologies and services across the sector.

If the first half of this year is any indication, 2014 should prove to be a strong year for clean-tech and renewable energy companies opting to pursue the IPO path. The IPOs, follow-on offerings, and YieldCo successes that we’ve seen so far should improve the prospects for forthcoming clean-energy IPOs in the second half of 2014 and beyond.  I expect to see more renewable/clean energy companies follow the IPO route and make the most of the market’s continued receptiveness.


[1]  Please note that there will be some variance in the statistics for IPOs generally. This is because most data sets exclude extremely small initial public offerings and uniquely structured offerings that don’t match up with the more commonly understood public offering for operating companies. The data above is based on information from http://bear.warrington.ufl.edu/ritter/IPOs2012Statistics.pdf and Renaissance Capital www.renaissancecapital.com.


HEARTBLEED: A Lawyer’s Perspective on the Biggest Programming Error in History

Jackson Lewis Logo

By now you have probably heard about Heartbleed, which is the biggest security threat to the Internet that we have ever seen. The bottom line of Heartbleed is that for the past two years most web sites claiming to be secure, shown by the HTTPS address (the S added to the end of the usual HTTP address was intended to indicate a web secured by encryption), have not been secure at all. Information on those webs could easily have been bled out by any semi-skilled hacker who discovered the defect. That includes your user names and passwords, maybe even your credit card and bank account information.

For this reason every security expert that I follow, or have talked to about this threat, advises everyone to change ALL of their online passwords. No one knows who might have acquired this information in the past two years. Unfortunately, the nature of this software defect made it possible to steal data in an untraceable manner. Although most web sites have upgraded their software by now, they were exposed for two years. The only safe thing to do is assume your personal information has been compromised.

Change All of Your Passwords

After you go out and change all of your passwords – YES – DO IT NOW – please come back and I will share some information on Heartbleed that you may not find anywhere else. I will share a quick overview of a lawyer’s perspective on a disaster like this and what I think we should do about it.

Rules of the Internet

One of the things e-discovery lawyers like me are very interested in, and concerned about, is data security. Heartbleed is the biggest threat anyone has ever seen to our collective online security, so I have made a point of trying to learn everything I could about it. My research is ongoing, but I have already published one detailed report on my personal blog. I have also been pondering policy changes, and changes in the laws governing the Internet that should be made to avoid this kind of breach in the future.

I have been thinking about laws and the Internet since the early 1990s. As I said then, the Internet is not a no-man’s-land of irresponsibility. It has laws and is subject to laws, not only laws of countries, but of multiple independent non-profit groups such as ICANN. I first pointed this out as a young lawyer in my 1996 book for MacMillan, Your Cyber Rights and Responsibilities: The Law of the Internet, Chapter 3 of Que’s Special Edition Using the Internet. Anyone who commits crimes on the Internet must and will be prosecuted, no matter where their bodies are located. The same goes for negligent actors, be they human, corporate, or robot. I fully expect that several lawsuits will be filed as a result of Heartbleed. Time will tell if any of them succeed. Many of the facts are still unknown.

One Small Group Is to Blame for Heartbleed

The surprising thing I learned in researching Heartbleed is that this huge data breach was caused by a small mistake in software programming by a small unincorporated association called OpenSSL. This is the group that maintains the open source that two-thirds of the Internet relies upon for encryption, in other words, to secure web sites from data breach. It is free software and the people who write the code are unpaid volunteers.

According to the Washington Post, OpenSSL’s headquarters — to the extent one exists at all — is the home of the group’s only employee, a part-timer at that, located on Sugarloaf Mountain, Maryland. He lives and works amid racks of servers and an industrial-grade Internet connection. Craig Timberg, Heartbleed bug puts the chaotic nature of the Internet under the magnifying glass (Washington Post, 4/9/14).

The mistake that caused Heartbleed was made by a lone math student in Münster, Germany. He submitted an add-on to the code that was supposed to correct prior mistakes he had found. His add-on contained what he later described as a trivial error. Trivial or not, this is the biggest software coding error of all time based upon impact. What makes the whole thing suspicious is that he made this submission at one minute before midnight on New Year’s Eve 2011.

Once the code was received by OpenSSL, it was reviewed by it before it was added onto the next version of the software. Here is where we learn another surprising fact: it was only reviewed by one person, and he again missed the simple error. Then the revised code with its hidden defect was released onto an unsuspecting world. No one detected it until March 2014, when paid Google security employees finally noticed the blunder. So much for the basic crowdsourcing rationale behind the open source software movement.

Conclusion

Placing the reliance of the security of the Internet on only one open source group, OpenSSL, a group with only four core members, is too high a risk in today’s world. It may have made sense back in the early nineties when an open Internet first started, but not now. Heartbleed proves this. This is why I have called upon leaders of the Internet, including open source advocates, privacy experts, academics, governments, political leaders and lawyers to meet to consider various solutions to tighten the security of the Internet. We cannot continue business as usual when it comes to Internet data security.


Tri-Agency Health Information Technology Report Issued

MintzLogo2010_Black

On Thursday, April 3rd, the three federal agencies charged with regulating components of health information technology (“Health IT”) issued their long-awaited Health IT Report: Proposed Strategy and Recommendations for a Risk-Based Framework (the “Report”).  The Report seeks to develop a strategy to address a risk-based regulatory framework for health information technology that promotes innovation, protects patient safety, and avoids regulatory duplication.

Congress mandated the development of the Report as part of the 2012 Food and Drug Administration Safety and Innovation Act, requiring the Food and Drug Administration (“FDA”), the Office of the National Coordinator for Health Information Technology (“ONC”), and the Federal Communications Commission (“FCC”) to coordinate their efforts to regulate Health IT.  Notably, the Report identifies and distinguishes between three types of Health IT: (i) health administration Health IT, (ii) health management Health IT, and (iii) medical device Health IT.

The recommendations in the Report include continued interagency cooperation and collaboration, the creation of a public-private safety entity—the Health IT Safety Center—and a risk based approach to the regulation of Health IT.  The Report emphasizes that the functionality of Health IT and not the platform for the technology (mobile, cloud-based, or installed software) should drive the analysis of the risk and the regulatory controls on Health IT.

In very good news for the Health IT community, the Report included a recommendation that, “no new or additional areas of FDA oversight are needed.”  The report emphasized that even if the functionality of health management Health IT meets the statutory definition of a medical device, the FDA will not focus its oversight attention in this area.  The Report gives additional guidance on clinical decision support (“CDS”) tools, clarifying that a number of CDS tools can be categorized as health management Health IT and do not require further regulation by FDA.  However, the Report noted that certain types of CDS tools that are currently regulated as medical devices by the FDA would continue to be so regulated.  These FDA-regulated CDS tools include computer aided detection and diagnostic software and robotic surgical planning and control tools.

The agencies intend to convene a public meeting on the proposed strategy within 90 days and to finalize the Report based on public input.

Of:

Ellen L. Janos

By:

New Grants to Help More Students Pursue STEM (Science, Technology, Engineering, Math) Careers


“Tonight, I’m announcing a new challenge to redesign America’s high schools so they better equip graduates for the demands of a high-tech economy. And we’ll reward schools that develop new partnerships with colleges and employers, and create classes that focus on science, technology, engineering and math – the skills today’s employers are looking for to fill the jobs that are there right now and will be there in the future.”

President Obama, 2013 State of the Union

In November 2013, President Obama announced a new $100 million competition launched by the U.S. Department of Labor to help American high schools prepare students for college and for careers in a 21st-century economy.

Computer Science Education Week is a perfect time to highlight this new administration effort — called Youth CareerConnect — to inspire and prepare girls and boys in communities across the country to be the designers, programmers, engineers, and innovators of the future through increasing their access to hands-on, real-world-relevant education and skills.

Through Youth CareerConnect, up to 40 grants will be awarded to partnerships between local school systems, employers, community colleges or universities, and others that are committed to strengthening America’s talent pipeline and providing students with industry-relevant education to prepare them for college and careers.

Schools and their partners will be challenged to focus on addressing key shortages in “H-1B fields” — occupations tied to the H-1B temporary-visa program, which are predominantly in science, technology, engineering and mathematics.

This is an exciting investment that will prepare more American students to be the innovators, researchers, engineers, and entrepreneurs of the future. This initiative also, in part, answers a call by the President’s Council of Advisors on Science and Technology in its 2010 report on STEM K-12 Education, Prepare and Inspire, to increase the number of STEM-focused schools across the country.

Applicants will be judged on their efforts to serve a diverse student population, which will ensure access to preparation and training in the STEM fields for girls and minority groups currently underrepresented in many of these careers.

Importantly, the competition builds on the strong focus of OSTP and the White House Council on Women and Girls on increasing girls’ access to STEM fields and represents an important investment to both level the playing field for women and minority students and to provide them with the inspiration, access to career models, hands-on experiences, and rigorous curricula to prepare them to become the engineers, computer scientists and other STEM leaders of the future.

Success in this competition and meeting the broader challenge of giving all students access to real-world-relevant education experiences will require an all-hands-on-deck effort. That’s why Youth CareerConnect calls on businesses and institutions of higher education to join with school districts in putting together proposals to improve college and career readiness for more high school students.

Applications are due Jan. 27, 2014, so learn more at:  http://www.doleta.gov/ycc/


By Danielle Carnival and Kumar Garg.

Editor’s note: The following has been cross-posted from the WhiteHouse.gov blog

Danielle Carnival is a senior policy advisor and Kumar Garg is the assistant director for learning and innovation at the White House Office of Science and Technology Policy. 

 

Article by:

U.S. Department of Labor

Google Glass In the Workplace

Jackson Lewis Logo

WSJ reported on November 22, 2013, Google’s push to move Google Glass, a computerized device with an “optical head-mounted display,” into the mainstream by tapping the prescription eyewear market through VSP Global—a nationwide vision benefits provider and maker of frames and lenses. If the speed and immersion of technology over the past few years has shown us anything, it is that it will not be too long before employees are donning Google Glass on the job, putting yet another twist on technology’s impact on the workplace.

Employers continue to adjust to the influx of personal smartphones in the workplace, many adopting “Bring Your Own Device” (BYOD) strategies and policies. These technologies have no doubt been beneficial to businesses and workplaces around the globe. The introduction of Google Glass into the workplace may have similar benefits, but the technology also could amplify many of the same challenges as other personal devices, and create new ones.

For example, employers may experience productivity losses as employees focus on their Glass eye piece and not their managers, co-workers, and customers. Likewise, some businesses will need to consider whether Google Glass may contribute to a lack of attention to tasks that can create significant safety risks for workers and customers, such as for employees who drive or use machinery as a regular part of their jobs.

A popular feature of Google Glass is the ability to record audio and video. Smartphones and other devices do this already, but recording with Glass seems so much easier and may become less obvious over time as we get used to seeing folks with the Glass. Of course, recording of activities and conversations in the workplace raises a number of issues. In healthcare, for instance, employees might capture protected health information with their devices, but potentially without the proper protections under HIPAA. Conversations recorded without the consent of the appropriate parties can violate the law in a number of states. Employees with regular access to sensitive financial information could easily capture a wealth of personal data, raising yet another data privacy and security risk.

The capturing of data on the Glass, even if not collected, used or safeguarded improperly, will add to the challenges businesses have to avoid spoliation of data stored in these additional repositories of potentially relevant evidence.

Only time and experience will tell what the impact of Google Glass will be in the workplace. However, as companies continue to adapt to present technologies, they should be keeping an eye on the inevitable presence of such new technologies, and avoid being caught without a strategy for reducing risks and avoidable litigation.

Article by:

Joseph J. Lazzarotti

Of:

Jackson Lewis LLP

Federal Judge Finds that Apple Conspired to Raise E-book Prices

McDermottLogo_2c_rgb

On July 10, 2013, Judge Denise Cote of the Southern District of New York issued a 160-page opinion holding that Apple conspired with five book publishers to raise e-book prices and eliminate retail price competition in violation of Section 1 of the Sherman Act and several relevant state statutes. United States v. Apple Inc., case number 12-civ-2826 (DLC). The five publishers – Hachette, HarperCollins, Macmillan, Penguin and Simon & Schuster – had all previously settled with the U.S. Department of Justice (DOJ).

The opinion stated that as Apple prepared to launch its iPad to the public and sought to concurrently enter the e-book market with its iBookstore, it met with the publishers and agreed to provide them with an “agency model” for e-book pricing that allowed the publishers to set the prices of the e-books themselves, subject to certain price caps.  Apple’s agreements with the publishers also included Most Favored Nation provisions which ensured that Apple could match its competitors’ prices and also provided an incentive for the publishers to lobby Amazon and other retailers to change their wholesale business models to agency models.  According to the court’s opinion, these agency model agreements caused e-book prices to increase, sometimes 50% or more for a specific title.

A separate trial for potential damages will be scheduled later.  Apple said it will appeal the ruling.


Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; thus, businesses should research laws in the relevant jurisdiction(s)). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address potential threats. Examples of security measures might include restricting access to confidential information on a need-to-know basis, employing computer access restrictions, circulating an employee handbook that outlines company policies governing confidential information, conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers, conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations, encrypting confidential information, limiting access to confidential information through passwords and network firewalls, tracking all access to network resources and confidential information, restricting the ability to email, print or otherwise transfer confidential information, employing security personnel, limiting visitor access, establishing surveillance procedures, and limiting physical access to areas that may have confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.

Article By:

 of

New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business

Mintz Logo

The National Institute of Standards and Technology (“NIST”)1 has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53 titled Security and Privacy Controls for Federal Information Systems and Organizations2 (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group3 over a period of several years with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”4

Taking “a more holistic approach to information security and risk management,5” the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).6 The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)7 in both paper and electronic form during the entire life cycle8 of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.9 The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)10 embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place to (i) protect the confidentiality, integrity, and availability of PII, and (ii) ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in their privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency also contain control enhancements, and while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.11 The Office of Management and Budget (“OMB”), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level12). The Privacy Controls and the roadmap provided in the Privacy Appendix will be primarily used by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve existing privacy programs in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs), and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and now will include both the Security Controls and the Privacy Controls. As such, general counsel, business executives and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine if they are up to par or if they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” to which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


1 The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

2 See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

3 The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

4 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

5 See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

6 See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

7 Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

8 Collection, use, retention, disclosure, and disposal of PII.

9 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

10 See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

11 See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

12 See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

Evolving into the Digital Age: Protecting Intellectual Property

WolfeDomain1

While society has evolved from an Industrial to an Information Age over the last hundred years, we’re now operating in a Digital world where technological innovations and intellectual property reign supreme. This fast-moving digital environment–including web, mobile and social media–requires a proactive stance on developing and protecting digital innovations as the global marketplace becomes even more competitive and organizations run the risk of losing critical innovations as others move quickly to steal ideas if the opportunity exists.

While digital strategy is driven largely by marketing or IT departments, every digital asset of the company is and should be treated and protected as an intellectual asset, but today these assets are often overlooked. Consider the long list of marketing or IT developments at your company. Everything from user interfaces, apps, social networking functions, personalization options on web pages, subscriber perks, wi-fi offerings, e-commerce solutions, bridging offline and online experiences and new products and services related to digital activity result in digital assets that an organization deploys. But, are you taking the next step to protect them or leaving them out in the open to steal? Worse, are you infringing on someone else’s intellectual property (IP)?

Innovations at Lightning Speed – Are You Giving It Away?

Today, digital assets can be protected by utility patents, design patents, copyright law and trademark law. Typically, as these innovations occur at such a rapid pace, they are not captured and translated into protected digital assets. Further, as the use of digital strategies is exploding and the creation of digital assets is a relatively new concept, most organizations have yet to build a formal business case and required methodology for protecting these assets. Compounding the issue, much of the innovation work is done in collaboration with outsourced vendors in marketing and IT, often in a vacuum, so there isn’t a legal or other IP advocate to even ask the question: “Should we protect this?” Finally, much of the technology used to develop these innovations is often open source, which creates an additional layer of confusion and often one that the legal team won’t touch.

The world is beginning to change in response to protecting their digital assets.  Patent trolls have largely emerged in the digital and technology space attacking companies from Starbucks to Cisco for wi-fi offerings, web functionality and what was previously considered open territory for marketers and web designers. And, these trolls are finding loopholes and great financial gains. Today, the trolls monitor major innovative initiatives by world-class organizations and copy and develop their own innovations around successful ones, improve them, and then ultimately file a new patent for it.  And then in a crazy twist, they send these same organizations a cease and desist letter and ask for a license fee.  Why aren’t organizations protecting these same assets to defend themselves and even use them as additional sources of revenue?

Building and Protecting a Digital IP Portfolio

Most companies need to start by identifying the pipeline of ideas and then turn the right ideas into valuable assets.  The innovation pipeline of digital assets is likely already alive and well in most organizations but they aren’t tapping into it.  So, the first step in building a Digital IP Portfolio is to audit where that innovation is occurring.  Understand when it is outsourced to vendors and assess whether it should be retained, shared or given away.  Once you know where the innovation is occurring, it’s time to funnel it into an IP evaluation pipeline.  At that juncture, an IP business strategy team (comprised of IP strategy experts, IP lawyers, business managers, IT managers and marketers) can evaluate its potential use and strength.  Is it a good defense play against trolls or other competitors?  Is it something you can license to others?  Is it something you just want to ensure you have and your competitors don’t? By assigning values and business goals to all of these assets, you can then channel them into a protection process with budgets and clear return on investment goals.

And, the importance of having a multi-disciplined approach cannot be overstated. Generating valuable digital assets is not just a legal or IP function; it requires understanding and contribution from other facets of the company that can identify value proposition and weigh in on risk/reward. Digital is new and evolving, and critical thinking about its value proposition is essential. Many digital assets are not worth protecting if they won’t last beyond the next fad. But others are. That’s why Facebook, Google, Adobe and others have become some of the top patent filers in the world. They file for much more than just devices and consider every innovation a potential asset both offensively and defensively.

Once digital assets are channeled into protection they can then be redistributed back out to spur innovative thinking and evaluate licensing or leverage potential. While many companies don’t see themselves as technology companies, they are quickly becoming so with their digital platforms. From retailers to entertainment and consumer goods, soon all companies will be digital or technology companies to some extent. If you don’t own and protect those assets, someone else will, and will use them against you. The time is now for savvy IP and technology professionals to identify an untapped resource – their digital assets.
