Contract Drafting: Limitations of Liability & Exceptions

One of the most important functions of a contract is to reduce uncertainties and mitigate risks. That is why almost all professional or personal services contracts contain “limitations of liability” provisions. Although they may seem like densely-worded, “boilerplate” provisions, and often overlooked, these provisions broadly affect a party’s ability to bring a claim, show liability, and prove damages that can be recovered.

A limitation of liability clause is a provision in a contract that limits the amount of exposure a company faces in the event a lawsuit is filed or another claim is made. As a preliminary observation, it is important to note that enforcement of limitation of liability provisions vary from state to state. The general rule in contract law is that in the commercial context, many states have found these clauses to be a mere shifting of the risk and enforce them as written.

Limitations of Liability generally address two areas of concern. First, the types of claims that may be barred. Second, the amount or scope of liability for claims that are not barred.

Limiting The Type Of Claim

A typical limitation of liability clause may look something like this:

“IN NO EVENT SHALL A PARTY OR ITS DIRECTORS, OFFICERS, EMPLOYEES, OR AGENTS, BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FOR LOST PROFITS. IN NO EVENT SHALL THE TOTAL LIABILITY OF A PARTY EXCEED THE AMOUNTS PAID BY CLIENT, IF ANY, FOR THE SERVICES.”

This clause limits the types of damages that may be claimed, prohibiting claims for:

  • Consequential damages (damages resulting naturally, but not necessarily, from the defendant’s wrongful conduct, BUT they must be foreseeable and directly traceable to the breach)
  • Incidental damages (includes costs incurred in a reasonable effort, whether successful or not, to avoid loss, or in arranging or attempting to arrange a substitute transaction)
  • Special damages (often treated the same as “consequential” by courts, “special” damages have been defined as those that arise from special circumstances known by the parties at the time the contract was made)
  • Punitive damages (damages that may be awarded which compensate a party for the exceptional losses suffered due to egregious conduct; a way of punishing the wrongful conduct and/or preventing future, similar conduct)
  • Exemplary damages (See “Punitive damages”)
  • Indirect damages (See “Consequential damages”)
  • Lost Profits (Cases in New York (and elsewhere) have a held that a clause excluding “consequential damages” may no longer be enough to bar “lost profits” claims; therefore, consider including more specific provisions in contracts- if parties want to exclude lost profits for breach of contract, a clause specifically excluding “lost profits” should be included.)

Lost profits that do not directly flow from a breach are consequential damages, and thus typically excluded by a limitation of liability clause like that above. But lost profits can be considered general damages (and thus recoverable) where the non-breaching party bargained for those profits, and where the profits are a direct and probable result of the breach.

Limiting The Amount Of The Claim

If found to be enforceable, a limitation of liability clause can “cap” the amount of potential damages to which a party is exposed. The limit may apply to all claims arising during the course of the contract, or it may apply only to certain types of claims. Limitation of liability clauses typically limit the liability to one of the following amounts: (i) the compensation and fees paid under the contract; (ii) an sum of money agreed in advance; (iii) available insurance coverage; or (iv) a combination of the above.

Parties can and typically do agree in their contract that liability is capped at some dollar amount. If liability exists and if damages can be proved, then the aggrieved party recovers those damages, but only up to the agreed cap. Sometimes these are mutual; other times they are one-sided. Sometimes the cap is a fixed sum (e.g., “the amounts paid for the services” or “$100,000”). Other times, the parties may choose to tie the cap to the type of harm, (e.g. personal injury, property damage, violations of confidentiality obligations).

However, sometimes that parties may agree that certain types of harm should not be limited. These “exceptions” put the parties in the same position they would have occupied if there was no limitation of liability provision in effect. For example:

  • exposure for violations of intellectual property (copyright, trademark, trade secret, patent) or proprietary rights (right of publicity, right of privacy, contractually-defined proprietary information)
  • in the event of an obligation to indemnity and defend for 1) breach of intellectual property representations, and/or 2) third party intellectual property or proprietary rights
  • in the event of an obligation to indemnify because a party didn’t have the right to provide data or information
  • in the event of an obligation to indemnify and defend for non-compliance with data security standards
  • exposure for violations of confidentiality obligations
  • personal injury or property damage due to negligent acts or omissions

Best Practices

Businesses that rely upon limitation of liability clauses should periodically reexamine those clauses. Questions that you should be asking include: “what’s my maximum recovery if the other party breaches,” and “what’s my maximum liability if I breach?”

These are only effective if enforceable, that’s why drafting is key. According to many courts, following certain drafting guidelines will help reduce the likelihood that a limitation of liability clause will not be enforced. Such guidelines include:

  • Make the clause conspicuous: set the clause in bold face print or underline or otherwise place the clause apart from the rest of the text on the page on which it appears so that the other party is aware of its existence.
  • Make the language clear and concise: make sure that the clause is concise and unambiguous as it relates to the contract as a whole.
  • Identify specific risks: be specific in identifying the types of damages you think should be excluded.
  • Negotiate the clause: discuss the clause with the party that is signing the agreement and negotiate if there is a discrepancy.
  • Retain drafts of revisions: keep drafts of any revisions made to the limitation of liability clause so that you have proof that the clause was negotiated.
  • Add language stating that these damages are not recoverable even if they were, or should have been, foreseeable or known by the breaching party.
  • Recite that the limitation of liability clause is an agreed benefit of the bargain, and that it remains in effect even if any remedy under the contract fails of its essential purpose.
  • Consider including a liquidated damages clause for specific breaches, which would replace a damages claim.

DISCLAIMER: THIS IS NOT LEGAL ADVICE. Please consult  qualified attorney to discuss your specific situation.

If you are concerned about how to tighten your contracts, we may be able to help. We can review your contracts, your business practices, and advise on whether there is room for improvement.

Please contact us for a no-fee, no-obligation consultation. (866) 734-2568 David [at] adler-law.com

Is Your Company’s Web Site Privacy Policy Compliant With New California Law?

Privacy Law Update: California “Do Not Track” 

Two California laws went into effect at the beginning of the year that  require additional notifications to consumers.  The California Online Privacy Protection Act (“CalOPPA”) requires that web sites, mobile apps and other online services available to California residents (in reality anyone with a web site that may be accessed by a CA resident) post a privacy policy that gives notice to consumers regarding behavioral or interest-based advertising practices (“OBA”).

Disclosures must explain:
1. If a web site operator allows other parties to use tracking technologies in connection with the site or service to collect certain user data over time and across sites and services; and
2. How it responds to browser “do not track” signals or other mechanisms designed to give consumers choice as to the collection of certain of their data over time and across sites and services

In addition, the “California Shine the Light Act” requires that companies (except non-profits and businesses with less than 20 employees) collecting broadly defined personal information from California consumers on or offline either: (a) give consumers a choice as to the sharing of that information with third parties (including affiliates) for direct marketing purposes; or (b) provide notice of, and maintain, a method by which consumers can annually obtain information on the categories of information disclosed the names and addresses of the recipients of that data, and a description of the recipients’ business.

If an e-commerce service offers tangible goods or services, or vouchers for them, to California consumers, it must give certain notices to consumers, including how they can file a complaint with the CA Department of Consumer Affairs.

Are you  concerned about how to disclose how your service responds to “Do Not Track” signals or similar tools and settings, and whether third parties are permitted to collect personally identifiable information about consumer online activities over time and across different websites when a consumer uses that online service? We may be able to help. We can review your policies, your information gathering and sharing practices, and advise on whether there is room for improvement.

Please contact us for a no-fee consultation.

Latest Illinois Case on Restrictive Covenants Increases Uncertainty, Burden For Employers

English: A customer signing the at A Stone's T...
English: A customer signing the at A Stone’s Throw Jewelers in . (Photo credit: Wikipedia)

Fifield v. Premier Dealer Services, Inc.

BACKGROUND

The plaintiff in this declaratory judgment action had been employed by a subsidiary of an insurance company that marketed finance and insurance products to the automotive industry. After a sale of that business, plaintiff’s employment was terminated, but he was offered employment conditioned upon his acceptance of an “Employee Confidentiality and Inventions Agreement” (the agreement) which included non-solicitation and non-compete provisions. The agreement states in pertinent part:

“Employee agrees that for a period of two (2) years from the date Employee’s employment terminates for any reason, Employee will not, directly or indirectly, within any of the 50 states of the United States, for the purposes of providing products or services in competition with the Company (i) solicit any customers, dealers, agents, reinsurers, PARCs, and/or producers to cease their relationship with the Company *** or (ii) interfere with or damage any relationship between the Company and customers, dealers, agents, reinsurers , PARCs, and/or producers *** or (iii) *** accept business of any former customers, dealers, agents, reinsurers, PARCs, and/or producers with whom the Company had a business relationship within the previous twelve (12) months prior to Employee’s termination.”

Plaintiff successfully negotiated with Premier a provision that the restrictive covenants would NOT apply if he was terminated without cause during the first year of his employment (the first-year provision). Three months later, plaintiff resigned, began working for a competitor and sued to have the restrictive covenants held unenforceable stating that plaintiff had no access to confidential and proprietary information. The trial court held that the restrictive Covenants were unenforceable for lack of “consideration” – a legal term of art that generally means a bargained-for exchange of value. The appeals court affirmed.

ANALYSIS

Defendant argued that the non-solicitation and non-compete provisions were enforceable because the offer of employment was adequate consideration, there was a mutual exchange of promises (employment in exchange for restrictions), and the covenants were pre-employment, not post- employment. Defendant further argued that “the purpose of Illinois law regarding restrictive covenants is to protect against the illusory benefit of at-will employment” which was “nullified by the inclusion of the first-year [non-enforcement] provision in the agreement.”

Plaintiff countered with the argument that the provisions in the agreement are unenforceable because Illinois law requires employment to continue for a substantial period of time and that “Illinois courts have repeatedly held that two years of continued employment is adequate consideration to support a restrictive covenant…regardless of whether an employee is terminated or decides to resign on his own.”

The appellate court agreed with plaintiff citing Brown & Brown, Inc. v. Mudron, 379 Ill. App. 3d 724, 728 (2008) which held that the promise of continued employment in the context of post-employment restrictive covenants may be an illusory benefit where the employment is at-will. “Illinois courts have held that continued employment for two years or more constitutes adequate consideration. Id. at 728-29.”

TAKE AWAYS

The Fifield decisions has already generated a great deal of discussion from corporate board rooms to legal blogs. Unfortunately for businesses and their lawyers, the case leaves many unanswered questions.

For example, the court does not discuss whether the outcome would have been different if the employee were a high-level executive with immediate access to a wide range of highly sensitive confidential and proprietary information. At best,mother court simply mentions the plaintiff’s allegations that he had no access to such information.

Another area of uncertainty impacts start-up and early stage businesses. Very young businesses are often highly dynamic and early employees have access to a broad swath of the company’s Intangible assets such as business and revenue models, marketing plans, computer software and hardware and prospective customers, regardless of whether they serve a customer service function or “C-suite” executive function. The requirement that an employee have two years continued employment before a restrictive covenant becomes enforceable ignores the very real dynamic of start-up companies.

Lastly, an important question that went unanswered is whether the employer can offer some other “consideration” besides two years continued employment. For example, is there a pure monetary consideration that would support enforcement of the covenant? What if the covenant only lasted as long as the period of the departing employee’s employment?

NEXT STEPS

If you have restrictive covenants in your agreements with employees, it is strongly recommended that you meet with your lawyer to discuss the impact of this case on these agreements and your business. At the very least, you should carefully review your non-compete and non-solicitation agreements to see if they are supported by adequate consideration. If you have questions or concerns, or just don’t know how to begin, feel free to contact the lawyers at Leavens, Strand, Glover & Adler for a free, in-person or over-the-phone consultation. You can also email the author here: dadler@lsglegal.com.

Proposed Amedments To Computer Fraud & Abuse Act

Enacted by Congress in 1986, the Computer Fraud and Abuse Act (CFAA) builds upon existing computer fraud law (18 U.S.C. § 1030). Initially, the CFAA was intended to limit federal jurisdiction to cases “with a compelling federal interest-i.e., where computers of the federal government or certain financial institutions are involved or where the crime itself is interstate in nature.” Notably, the CFAA criminalized certain computer-related acts such as distribution of malicious software code, propagating denial of service attacks as well as trafficking in passwords and similar items. Recently, the CFAA has gained prominence as a bludgeon used to prosecute a wide-range of activities, some broadly labelled “hacking” and other stretching the boundaries of “unauthorized” computer access.

Two recently introduced bills, one by Representative Zoe Lofgren (D-CA) in the House and one by Senator Ron Wyden (D-OR) in the Senate aim to amend the CFAA in hopes of ameliorating application of the CFAA to claims of breach of terms of service, employment agreements. Additionally, with the nickname “Aaron’s Law,” they also seek to limit what some see as the CFAA’s tendency to allow for overzealous prosecution that they claim characterized Aaron Swartz’s case.

In short the bills would amend the meaning of “exceeds authorized access,” changing it to “access without authorization,” which is defined to mean:

“to obtain information on a protected computer”;
“that the accesser lacks authorization to obtain”; and
“by knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information.”

For a well-documented discussion of the application and boundaries of the CFAA, check out the Electronic Frontier Foundations Legal Treatise on civil and criminal cases involving the Computer Fraud and Abuse Act here.

As businesses become ever more dependent on digital assets and systems, a working knowledge of the legal and regulatory framework that defines and protects those assets is paramount.

If you or your executive teams has questions about securing and protecting digital assets, please feel free to contact David M. Adler for a free consultation. LSGA advises a wide range of businesses on creating, protecting and leveraging digital assets as well as computer, data and information security and privacy.

Please tweet, comment on, and forward is article!

David M. Adler | Adler Law Group
300 Saunders Road, Suite 100
Riverwoods, Illinois 60015
Toll free Phone: (866) 734-2568
http://www.ecommerceattorney.com

*2015 Illinois Super Lawyer http://bit.ly/gFfpAt

Twitter: http://twitter.com/#!/adlerlaw
LinkedIn: http://linkedin.com/in/adlerlaw

In U.S. Regulators, Legislators Fill Privacy Void

Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path) to handset manufacturers failures to properly inculcate privacy in the design and manufacturing process (HTC) to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.

Recent developments highlight the trend in Privacy

In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching, mandate, legislators and regulators are stepping into fill at perceived need.

GPS, Location & Privacy

The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever it seeks “location information.” Unfortunately, the term “location information” is very broadly defined, does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.

Proposed Federal Privacy Standards

Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.

FTC Protects Privacy Under Mantle of Consumer Protection

As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.

Wyndham’s web site privacy policy claimed that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”

The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.

The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.

Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.

Privacy Remains Top Concern

Many companies across many industries, financial services, higher education and healthcare, just to name a few, are facing a wide range of security and privacy concerns, scrambling to implement A defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.

Organizations can lose contracts, customers and their reputation. That could put some out of business.

Compliance Preparation & Best Practices

Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.

Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.

Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.

Standardize. Set standards of acceptable information security for networks, facilities, and information systems.

Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.

Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.

Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.

THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.

Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.

#Mobile #Privacy Continues to Challenge Marketers, Developers & Lawmakers

The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.

Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.

FTC Privacy Enforcement Actions

Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.

Congressional Privacy Laws, Bills & Initiatives

Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.

The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.

App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.

Learn more David M. Adler here.

Texas House Votes To Extend #Privacy Over Personal Emails

AUSTIN, Texas — A divided House vote provides momentum for Texas employees who wish to shield personal text messages, email passwords under a bill backed by Democratic State Rep. Hellen Giddings and given preliminary approval Thursday.

Proponents say Texas workers need the same social media protections provided in several other states. The bill prohibits employers from asking job applicants or employees for passwords to access their Facebook, Twitter or other personal accounts. Opponents argue it will provide “safe harbor” for employees to steal proprietary information at the workplace through their personal accounts.

No specific penalties are spelled out for employers who would violate the law.

The Texas law is another reminder of the ongoing evolution of Social Media law and regulation as legislators and private businesses struggle to understand how these technologies affect everyone’s rights, obligations and remedies.

If you or your business is concerned about social media legal and regulatory compliance, contact David Adler at Leavens, Strand, Glover & Adler. 866-734-2568 dadler@lsglegal.com.

Three Things I Learned About Personal Cybersecurity At RSAConference That You Should Be Doing Right Now

Image representing CloudFlare as depicted in C...
Image via CrunchBase

I just returned from RSAConference 2013 where I had the privilege and honor of giving a presentation of the legal risks caused by social media in the workplace. As a speaker-attendee, I had the priceless benefit of access to all the other speakers and programs held during the conference.

One such program I attended was “We Were Hacked: Here’s What You Should Know”. The speakers, Matthew Prince (@eastdakota) CEO of CloudFlare, and Mat Honan (@mat) writer for Wired Magazine, shared their common experience as targets of high profile hacks. Hearing the details from them first hand, including information from interviews with the hackers themselves, I learned how easy it is to be the victim of hacking and how it’s the little things that create exploitable seams in our information security barriers.

Rather than rewrite their stories, I thought I would share three simple lessons I learned that I’ve already implemented and you should too. Besides, Matt does a better job telling his own story which can be found here.

Here are the three things I learned about how you can protect yourself and others in your organization.

First, security attacks go after the “low hanging fruit” and that often means figuring out a way to exploit your personal email address. With so many web-based services and so much login information to remember, many of us use our personal email as our username for everything from the web sites on which we comment, to our online photo gallery, to our online banking service. Unfortunately, this is probably the address we use for password recovery if we forget. Given that our digital lives are easily mapped, hackers already have one piece of the two-piece login puzzle: they know your user name.

TIP NO. 1: Use a private, obscure email address for your more sensitive information.

Second, once a hacker has accessed your accounts, your computer and your files, the fun has just begun for them. As Matt Honan described, these often adolescent script kiddies simply don’t understand the value of your stored memories and other information. In his case, all the photos of his children were permanently deleted. Regardless of a hacker attack, stuff happens and you don’t want to lose everything because you we’re too lazy to back up.

TIP NO. 2: Back Up your digital life, early and often.

Third, today’s’ Internet is an interdependent ecosystem. Just because you or your organization takes security seriously, doesn’t mean that other do as well. Your internal systems are not enough. Like it or not, the seams of your security perimeter are intertwined and permeated by the services and systems of customers and vendors. For most consumers, the there is a Hobbesian choice of Security v. Convenience. Multiple login usernames and super long passwords are difficult to remember and tedious to use. As a result, most people choose the least secure means of authentication on the assumption that using astringent password is enough. Unfortunately, some people don’t even bothers with that. A recent ZoneAlarm study found that “password” was the fourth most commonly used password by consumers.

Google, Facebook and others have started using two-factor authentication. Two-factor authentication requires that one enter a code after entering the username/password combo. The code is sent via, text message, voice call or email. This greatly reduces the chances of unauthorized access because hackers would need to have your phone, in addition to your username/password combo.

TIP NO. 3: Whenever possible enable two-factor authentication.

Please understand that there is no “magic bullet” when it comes to Cybersecurity. Taking these precautions does not guarantee that you won’t be attached or that your account information won’t be accessed. However, these are important and easy steps that you can take to improve your personal data security.

Please comment and follow!

 

Three Key Factors That Small Business Owners Must Consider To Enhance Their Cybersecurity

Awareness
Awareness (Photo credit: Emilie Ogez)

By now most small business owners are aware that Cybersecurity is an issue. But, how much time and capital should be spent on cybersecurity protection? This article discusses three key factors that should play into that decision.

Factor #1 Awareness.

According to some experts, the biggest problem that small business owners face is simply awareness of the risk. This includes awareness by employees as well.

Most data leaks and other security incidents are caused by employees who are either unaware of security protocols or indifferent to them. Regardless of the level of security in your data center  or the strength of encrypted communications, the weakest link will almost always be the human beings interacting with the network.

To address this risk, small business owners need to focus on training and awareness for employees. However, company management is usually focused on sales and customer service. Further, owners often lack the time and expertise needed to properly assess security risks. Companies in any industry should look to partner with a third-party security firm to asses risks and develop appropriate training.

Factor #2 Employee Training.

Training is the first line of defense against cyber threats. This training needs to include the entire company, and should cover three key areas: (a) proper password management on all company services and devices, including clear procedures for new and departing employees, as well as day-to-day usage; (b) clear guidelines for the sharing of information with remote employees, partners and third parties; and (c) a plan for monitoring usage and privileges to the company’s digital assets.

Employee training needs to account for how the public will access your company’s products or services. For example, what if a hacker got into a system by pretending to be another user? By rolling out new features slowly, its easier to identify and fix security loopholes.

All stakeholders need awareness of: (a) the type of information you’re transmitting (e.g. payment information), (b) the visibility of information you’re transmitting (e.g. highly-publicized public launch vs. a quiet rollout of some new software), and (c) the level of security inherent in the transmission (e.g. encrypted emails and documents shared via a secure server or data shared publicly through public networks and via social media sites.

Factor #3 Vigilance (Monitoring).

For some companies everything is available and accessed online. Since online relationships are built upon trust, it is critical that the company actively monitor the security and transparency of this relationship. Many tools are available to measure and respond to risk factors and gauge likelihood of an impact to help determine the level of investment required. Resources can be assigned to anything with high likelihood and high impact.

For example, monitoring potentially fraudulent user accounts has an immediate commercial benefit as well as reducing risk.

Unfortunately, a common misconception is that putting up basic defenses like firewalls will protect security vulnerabilities. However, after reinforcing your Cybersecurity defense, the focus should shift to monitoring and alerting. In many cases, this may require up-front investments to enable tracking and alerting to irregularities in network and data activity. Fortunately, in the event of a breach or a loss of data, this monitoring information will be the key factor in addressing the problem and pinpointing the issue. Managers, employees and business partners need to understand that Cybersecurity is an ongoing process. Awareness, training and monitoring will go a long way toward enhancing a small business’ Cybersecurity preparedness.

About the Author:

David M. Adler, Esq. is a partner in the Chicago office of Leavens, Strand, Glover & Adler, LLC, a boutique intellectual property and entertainment law firm in Chicago, Illinois whose mission is providing businesses with a competitive advantage by enabling them to leverage their intangible assets and creative content in order to drive innovation and increase overall business value. The practice is organized around five major substantive areas of law: Intellectual Property Law, Commercial & Finance Law, Entertainment & Media Law, Corporate Law and Contract Law.

Contact us for a free consultation today. Dadler @ lsglegal (dot) com or (866) 734 2568

The Impact of Social Media on Privacy is Unsettled

Illustration of Facebook mobile interface
Illustration of Facebook mobile interface (Photo credit: Wikipedia)

A recent New Jersey District Court case underscores the rise in tensions between employers and employees when it comes to Social Media Accounts. In Ehling v. Monmouth-Ocean Hospital Service Corp., the Court denied an employer’s motion to dismiss a former employee’s invasion of privacy claim that alleged a supervisor accessed the employee’s Facebook account. Ehling worked for Monmouth-Ocean Hospital Service Corporation (“MONOC”) and became Acting President of the local union for Professional Emergency Medical Services. Ehling alleged that MONOC began engaging in a pattern of retaliatory conduct against her eventually leading to termination of her employment.

Posting Limited to “Friends”

Ehling maintained an account on Facebook, but kept access to her wall post limited to Facebook “friends,” many of whom were coworkers, but none of whom were members of MONOC’s management. Ehling alleged that MONOC surreptitiously gained access to her Facebook account when a supervisor summoned a MONOC employee, who was a Facebook friend, and coerced, strong-armed, and/or threatened the employee to access his Facebook account in the supervisor’s presence for the purpose of viewing and copying Ehling’s posts.

Ehling alleged that MONOC then sent letters regarding a certain posting to the New Jersey Board of Nursing and the New Jersey Department of Health, Office of Emergency Medical Services as it was concerned that Plaintiff’s Facebook posting showed a disregard for patient safety. Ehling alleged the letters were malicious and meant to damage her professionally.

Accessing Wall Postings Alleged to be Common Law Invasion of Privacy

Ehling’s claim for common law invasion of privacy was premised on Defendants’ alleged unauthorized “access of her private Facebook postings” The Court denied MONOC’s motion to dismiss which argued that Ehliong did not have a reasonable expectation of privacy in her Facebook posting. The Court stated that Under New Jersey law, to state a claim for intrusion upon one’s seclusion or private affairs, a plaintiff must allege sufficient facts to demonstrate that (1) her solitude, seclusion, or private affairs were intentionally infringed upon, and that (2) this infringement would highly offend a reasonable person. See Bisbee v. John C. Conover Agency Inc., 186 N.J. Super. 335, 339 (App. Div. 1982). “[E]xpectations of privacy are established by general social norms” and must be objectively reasonable – a plaintiff’s subjective belief that something is private is irrelevant. White, 344 N.J. Super. 211, 223 (Ch. Div. 2001).

The Impact of Social Media on Privacy is Unsettled

The Court went on to make further observations on the impact of Social Media on Privacy:

“Privacy in social networking is an emerging, but underdeveloped, area of case law. See Robert Sprague, Invasion of the Social Networks: Blurring the Line between Personal Life and the Employment Relationship, 50 U. Louisville L. Rev. 1, 13 (2011) (discussing the undefined legal boundary between public and private communications on social  networking websites).

No Reasonable Expectation of Privacy

There appears to be some consistency in the case law on the two ends of the privacy spectrum. On one end of the spectrum, there are cases holding that there is no reasonable expectation of privacy for material posted to an unprotected website that anyone can view. See, e.g., United States v. Gines-Perez, 214 F.Supp.2d 205, 225 (D.P.R. 2002), rev’d on other grounds, 90 F. App’x 3 (1st Cir. 2004) (“[I]t it strikes the Court as obvious that a claim to privacy is unavailable to someone who places information on an indisputably, public medium, such as the Internet, without taking any measures to protect the information”); Yath v. Fairview Clinics, N.P., 767 N.W.2d 34, 44(Minn. Ct. App. 2009) (holding that privacy was lost when private information was posted on a publicly accessible Internet website and “[a]ccess to the publication was not restricted”).

Some Reasonable Expectation of Privacy

On the other end of the spectrum, there are cases holding that there is a reasonable expectation of privacy for individual, password-protected online communications. See, e.g., Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (N.J. 2010) (employee could have reasonably expected that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 587 F. Supp. 2d 548 (S.D.N.Y. 2008) (employee had a reasonable expectation of privacy in personal, password-protected e-mail messages stored on a third party’s server, although the employee had accessed that outside server while at work).

Legal Approaches Continue to Develop

The Court note that a consistent approach hasn’t yet developed. While most courts hold that a communication is not necessarily public just because it is accessible there is disagreement as to how far that theory extends. Some courts have adopted the rule that when one shares private information to one or more persons, there may still be a reasonable expectation that the recipients of the information will not disseminate it further. What is clear is that privacy determinations are made on a case-by-case basis, in light of all the facts presented.