The New Wave of Data-Breach Outrage

You can almost feel it, like a power-line buzz in the air. If 2014 was the year that consumers and legislators woke up to the real threat to privacy and information security, 2015 may be the year that sees a shift in both enforcement and penalties.

On February 5, Anthem, Inc., the country’s second-largest health insurer by market value, announced a security breach resulting in unauthorized access to tens of millions of current and former customer and employee accounts, Bloomberg reports.

Of particular concern is that the compromised data included Social Security numbers, birth dates, etc., which is very different from having a credit card number stolen.

Last week, a group of 10 state attorneys general (AGs) sent a letter chastising Anthem for the length of time it took to notify the public of the breach. The letter was written on behalf of Arkansas, Connecticut, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island.

Some observers have commented that current encryption technology can limit the amount of data that even “authorized users” can view at one time, making it more difficult to compromise massive amounts of data.

In this situation, the breach occurred through misuse of an authorized user’s credentials, so encryption alone would not have worked. While most companies give universal access to data to some employees (senior level or IT), for the encryption approach to work, no one person or set of credentials should allow access to all data.

In the end, the new “best practices” approach may be a combination of encryption plus controls to limit the amount of data that any one set of credentials can access.

When it comes to addressing data privacy risks, it is often difficult to determine whether you should slow down, change course, signal for help, or simply muddle through. Often, teams tasked with managing privacy need to quickly identify potential issues, assess the risk, and implement controls to steer clear of unneeded exposure. The privacy professionals at the Adler Law Group can help you adopt Privacy Impact Assessments – or similar tools – and standardize a methodology for approaching these challenges by setting objectives, determining scope, allocating resources, and developing practices that will efficiently and effectively manage privacy, while keeping pace with the business. For a free consultation, call us at (866) 734-2568, send an email to info@ecommerceattorney.com or visit our web site www.adler-law.com.

Contract Drafting: Limitations of Liability & Exceptions

One of the most important functions of a contract is to reduce uncertainties and mitigate risks. That is why almost all professional or personal services contracts contain “limitations of liability” provisions. Although they may seem like densely-worded, “boilerplate” provisions, and are often overlooked, these provisions broadly affect a party’s ability to bring a claim, show liability, and prove damages that can be recovered.

A limitation of liability clause is a provision in a contract that limits the amount of exposure a company faces in the event a lawsuit is filed or another claim is made. As a preliminary observation, it is important to note that enforcement of limitation of liability provisions varies from state to state. The general rule in contract law is that in the commercial context, many states have found these clauses to be a mere shifting of the risk and enforce them as written.

Limitations of liability generally address two areas of concern: first, the types of claims that may be barred; second, the amount or scope of liability for claims that are not barred.

Limiting The Type Of Claim

A typical limitation of liability clause may look something like this:

“IN NO EVENT SHALL A PARTY OR ITS DIRECTORS, OFFICERS, EMPLOYEES, OR AGENTS, BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FOR LOST PROFITS. IN NO EVENT SHALL THE TOTAL LIABILITY OF A PARTY EXCEED THE AMOUNTS PAID BY CLIENT, IF ANY, FOR THE SERVICES.”

This clause limits the types of damages that may be claimed, prohibiting claims for:

  • Consequential damages (damages resulting naturally, but not necessarily, from the defendant’s wrongful conduct, BUT they must be foreseeable and directly traceable to the breach)
  • Incidental damages (includes costs incurred in a reasonable effort, whether successful or not, to avoid loss, or in arranging or attempting to arrange a substitute transaction)
  • Special damages (often treated the same as “consequential” by courts, “special” damages have been defined as those that arise from special circumstances known by the parties at the time the contract was made)
  • Punitive damages (damages that may be awarded which compensate a party for the exceptional losses suffered due to egregious conduct; a way of punishing the wrongful conduct and/or preventing future, similar conduct)
  • Exemplary damages (See “Punitive damages”)
  • Indirect damages (See “Consequential damages”)
  • Lost Profits (Cases in New York (and elsewhere) have held that a clause excluding “consequential damages” may no longer be enough to bar “lost profits” claims; therefore, consider including more specific provisions in contracts. If parties want to exclude lost profits for breach of contract, a clause specifically excluding “lost profits” should be included.)

Lost profits that do not directly flow from a breach are consequential damages, and thus typically excluded by a limitation of liability clause like that above. But lost profits can be considered general damages (and thus recoverable) where the non-breaching party bargained for those profits, and where the profits are a direct and probable result of the breach.

Limiting The Amount Of The Claim

If found to be enforceable, a limitation of liability clause can “cap” the amount of potential damages to which a party is exposed. The limit may apply to all claims arising during the course of the contract, or it may apply only to certain types of claims. Limitation of liability clauses typically limit the liability to one of the following amounts: (i) the compensation and fees paid under the contract; (ii) a sum of money agreed in advance; (iii) available insurance coverage; or (iv) a combination of the above.

Parties can and typically do agree in their contract that liability is capped at some dollar amount. If liability exists and if damages can be proved, then the aggrieved party recovers those damages, but only up to the agreed cap. Sometimes these are mutual; other times they are one-sided. Sometimes the cap is a fixed sum (e.g., “the amounts paid for the services” or “$100,000”). Other times, the parties may choose to tie the cap to the type of harm, (e.g. personal injury, property damage, violations of confidentiality obligations).

However, sometimes the parties may agree that certain types of harm should not be limited. These “exceptions” put the parties in the same position they would have occupied if there was no limitation of liability provision in effect. For example:

  • exposure for violations of intellectual property (copyright, trademark, trade secret, patent) or proprietary rights (right of publicity, right of privacy, contractually-defined proprietary information)
  • in the event of an obligation to indemnify and defend for 1) breach of intellectual property representations, and/or 2) third party intellectual property or proprietary rights
  • in the event of an obligation to indemnify because a party didn’t have the right to provide data or information
  • in the event of an obligation to indemnify and defend for non-compliance with data security standards
  • exposure for violations of confidentiality obligations
  • personal injury or property damage due to negligent acts or omissions

Best Practices

Businesses that rely upon limitation of liability clauses should periodically reexamine those clauses. Questions that you should be asking include: “what’s my maximum recovery if the other party breaches,” and “what’s my maximum liability if I breach?”

These clauses are only effective if enforceable; that is why drafting is key. According to many courts, following certain drafting guidelines will help reduce the likelihood that a limitation of liability clause will not be enforced. Such guidelines include:

  • Make the clause conspicuous: set the clause in bold face print or underline or otherwise place the clause apart from the rest of the text on the page on which it appears so that the other party is aware of its existence.
  • Make the language clear and concise: make sure that the clause is concise and unambiguous as it relates to the contract as a whole.
  • Identify specific risks: be specific in identifying the types of damages you think should be excluded.
  • Negotiate the clause: discuss the clause with the party that is signing the agreement and negotiate if there is a discrepancy.
  • Retain drafts of revisions: keep drafts of any revisions made to the limitation of liability clause so that you have proof that the clause was negotiated.
  • Add language stating that these damages are not recoverable even if they were, or should have been, foreseeable or known by the breaching party.
  • Recite that the limitation of liability clause is an agreed benefit of the bargain, and that it remains in effect even if any remedy under the contract fails of its essential purpose.
  • Consider including a liquidated damages clause for specific breaches, which would replace a damages claim.

DISCLAIMER: THIS IS NOT LEGAL ADVICE. Please consult a qualified attorney to discuss your specific situation.

If you are concerned about how to tighten your contracts, we may be able to help. We can review your contracts, your business practices, and advise on whether there is room for improvement.

Please contact us for a no-fee, no-obligation consultation. (866) 734-2568 David [at] adler-law.com

GEAR UP FOR FALL! Now Is A Good Time To Take A Look At Those Contracts

Contracts

One of the most important tools to protect your business – your ideas, customer relationships and talent pool – is your written contract. A solid contract is the foundation for a reliable relationship for you, your customers and your employees. More importantly, it helps to prevent misunderstandings and false expectations that can lead to a breakdown in your customer relationship, jeopardize the project and result in litigation.

Many companies start with a model or “form” contract adapted from forms available online or drafted when the business first started. As businesses develop over time, you may have revised your contracts, adding a little here, removing a little there. Maybe you read an article about an important case in your industry and decided to add some text from the contract discussed in the court’s legal opinion. In many cases, over time, the agreements become “Franken-contracts,” an odd amalgamation of trade lingo, inconsistent terms and even contradictory conditions. At best these are ambiguous and confusing to read. At worst, they become unenforceable.

At some point, you should review, revise and generally “tighten” existing contracts. You should have your lawyer review them to make sure that there are no mistakes, ambiguities or omissions that could cost you or your customers. I urge clients to have their contract forms reviewed on an annual basis. Depending on changes in the law, changes in the industry or changes in your own business, this process should only take a few hours.

The following are six things to consider as you review your existing contract forms and business practices.

First, are you using a written contract? Simply having a written agreement in place will help prevent the often difficult, time-consuming and expensive dispute that comes down to a “he said / she said” situation.

Second, make sure that the key terms of your contract are consistent and understandable. Pricing and payment terms, clear descriptions of the services to be performed or the goods to be delivered, as well as due dates and acceptance criteria will go a long way toward preventing breach of contract claims. More importantly, ambiguous and internally-contradictory terms may expose you to fraud claims or claims under an unfair business practices act. These types of claims are typically much more difficult and more expensive to defend against.

Third, create a mechanism for changes in your contract. Circumstances change. When they do, make sure that you document them and that your customer initials and dates any additions or changes to the contract after it is signed.

Fourth, don’t overlook intellectual property (“IP”) rights. Many business relationships involve collaborative sharing or development of knowledge, skills and protectable IP assets such as copyrights, trademarks, patents and trade secrets. Intangible assets are often the most important drivers of revenue creation and value. Overlooking creation, ownership and control of IP rights may result in the loss of these assets.

Fifth, ensure that your contracts are up-to-date with respect to local laws and industry regulations. Recent developments in technology, e.g., BYOD, social media, mobile commerce, and online privacy, have produced a raft of state, federal and industry-specific laws, rules and regulations. Do you regularly update your forms to make sure they comply with changes to local laws?

Sixth, understand your “escape” options. Not every relationship is meant to last forever. Your contracts should have clear and concise terms for ending the relationship such as failure to perform, failure to pay or adverse business conditions.

To find out more about how the Adler Law Group can help you tighten your contracts, or even draft new ones, contact us for a free, no-obligation consultation.

Drafting Contract Termination Clauses – Termination for Breach by Non-Breaching Party

One of the key issues that must be examined when negotiating or drafting any contract is how the parties may get out of, or “terminate,” that contract. While many attorneys will rest on standard “termination for breach with notice and cure” language, the recent case of Powertech Tech. v. Tessera, Inc. demonstrates how artful drafting can put limitations on a party’s right to terminate. The Opinion in U.S. District Court for the Northern District of California case No. C 11-6121 can be found here.

Powertech and Tessera were parties to a patent license agreement, although the court’s reasoning does not seem limited to only those types of agreements. The license agreement allowed Powertech to use Tessera’s patents in exchange for payment of license fees.

The contract contained the following clause regarding termination for breach:

“Termination for Breach. Either party may terminate this Agreement due to the other party’s breach of this Agreement, such as failure to perform its duties, obligations, or responsibilities herein (including, without limitation, failure to pay royalties and provide reports as set forth herein). The parties agree that such breach will cause substantial damages to the party not in breach. Therefore, the parties agree to work together to mitigate the effect of any such breach; however, the non-breaching party may terminate this Agreement if such breach is not cured or sufficiently mitigated (to the non-breaching party’s satisfaction) within sixty (60) days of notice thereof.”

The court held that Powertech was not permitted to terminate a license agreement with Tessera for Tessera’s breach because Powertech itself was in breach of the agreement by its failure to pay royalties to Tessera.

Although the court acknowledged Powertech’s argument that Tessera was itself in breach, that in and of itself did not give Powertech the right to terminate the contract. Only a “non-breaching” party may terminate the agreement. Said the court, “[a]lthough the first sentence of the termination clause is broad – ‘Either party may terminate this Agreement due to the other party’s breach’ – the language of the clause as a whole makes clear that only a non-breaching party may terminate.” Reading the clause as a whole, the court concluded that “[t]he termination clause refers to a ‘breaching party’ and a ‘non-breaching party’ in every sentence after the first… [therefore]…the clause requires the party seeking to terminate for the other party’s purported breach to be substantially in compliance with its own obligations first.”

The Powertech agreement’s termination clause is useful because it put conditions on a party’s ability to terminate the agreement even when the other party was in breach.

Evidentiary Authentication of Social Media Data

Although courts have called the Internet “one large catalyst for rumor, innuendo, and misinformation,” it nevertheless provides large amounts of evidence that may be relevant to litigation matters. Increasingly, courts are facing presentation of, and challenges to, data preserved from various websites. According to a survey conducted by the X1ediscovery blog, there are over 320 published cases involving social media/web data in the first half of 2012.

Evidentiary authentication of web-based data, whether it’s Internet site data available through browsers, or social media data derived from APIs or user credentials, presents challenges. Given the growing importance of social media posts and data, businesses should be prepared to offer foundational evidence to authenticate any posts that are vital to a case.

Authentication of social media and web data is a relatively novel issue for many courts. Courts have been extremely strict in applying foundation requirements due to the ease of creating a profile or posting while masquerading as someone else. Therefore it is important to go beyond the surface of a social media profile or a post to provide the foundation necessary to authenticate the evidence for use in court.

Regardless of the type of data, it must be authenticated in all cases. The authentication standard is found in Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

The foundational requirement of authentication is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims. See US v. Tank, 200 F. 3d 627, 630 (9th Circuit 2000) (citing Fed.R.Evid. 901(a)). This burden is met when “sufficient proof has been introduced so that a reasonable juror could find in favor of authenticity.” This burden was met where the producer of chat room web logs explained how he created the logs with his computer and stated that the printouts appeared to be accurate representations. Additionally, the government established the connection between the defendant and the chat room log printouts based on IP addresses.

See also, Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154, and Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing additional elements of “circumstantial indicia” for authentication of electronic evidence).

Clearly, there is an emerging trend in the use of social media and web data as evidence. As the use of this type of evidence increases, so too will the consistency and predictability of the foundational matters required by courts. Thus, businesses are well advised to include web collection and social media support in the investigation process so they are prepared to offer the necessary foundational evidence to authenticate any social media posts that may be vital to a case.


Social Media Legal Issues: Trade Secrets & Social Media Accounts

Is it “misappropriation of a trade secret” to contact each person who follows an ex-employer’s Social Media profile for purposes of promoting a competing business?

Early in my law school career, one phrase stuck with me right away: “tough cases make bad law.” This, of course, begs the question, what makes a “tough” case. Usually it’s a unique fact pattern that has limited applicability to a broader spectrum of cases. In the nascent and growing area of Social Media law, there is no shortage of quirky cases.

My hat is off to Eric Goldman who recently blogged about a social media case that is “tough” because of the way that the lawyers framed the issue. On its face, the case of Christou v. Beatport is an unfair competition case between a night club owner and one of his former partners. The case, being tried in a federal court in Denver, Colorado, involves trade secret theft and antitrust allegations and alleged misuse of MySpace “friends.” Essentially, the complaint alleges that Roulier, a principal of Beatport and former associate of Christou, used a MySpace account to promote his club at the expense of Christou.

Goldman gets to the heart of why this case is tough: “the plaintiffs allege that they ‘secured the profiles through web profile login and passwords.’ This is a garbled allegation.” Put another way, the lawyers whose job it is to supply the facts that frame the issues probably meant to say something else. According to Goldman, the plaintiffs probably meant that the defendants accessed an account impermissibly and in so doing accessed information they did not have a right to access. In terms of a claim for trade secret misappropriation, the harm came when defendants used that information.

I like Goldman’s article because he takes the time to break down not only the confused framing of the issue, but also the court’s apparent confusion with how to address it. It’s a short article and definitely worth the few minutes it takes to read.

From my perspective the key take-away is a perspective on the trade secret implications of Social Media accounts. Businesses and their lawyers are constantly trying to evaluate the legal risks of Social Media and provide guidance on how best to mitigate those risks.

Protecting a Social Media account as a trade secret seems a tricky proposition. Ostensibly, the primary “value” of an account is the list of “followers.” A list that is publicly available is, therefore, not a secret. A better approach is to treat the login credentials themselves as the trade secret since this controls one’s ability to access the account and to communicate with those followers.

Please feel free to comment and follow me here: @adlerlaw

Five Things To Know Now

Here are five interesting articles to look at this weekend.

1. Copyright Fair Use Gets a Boost. Last Friday, the federal district court in Nevada held that the non-profit organization Center for Intercultural Organizing’s posting of a copyrighted news article was a non-infringing fair use. The well-reasoned opinion sets a powerful precedent for fair use and against copyright trolling. http://www.eff.org/deeplinks/2011/04/righthaven-v-cio-it-s-hard-out-here-troll

2. Proper Authentication of Social Media “Evidence” Used at Trial. The Maryland Court of Appeals in the case of Griffin v. State examined a relatively new social media legal issue: determining the appropriate way to authenticate at trial electronically stored information printed from a social networking site. http://www.marylandinjurylawyerblog.com/2011/04/the_maryland_court_of_appeals_2.html

3. Commercial Privacy Bill of Rights Act of 2011 Does Not Spell Do Not Track. Although the proposed law requires disclosure of “clear, concise and timely notice” of a company’s privacy policies and practices regarding the collection, use and distribution of personally identifiable information, the bill does not include specific authorization for a do-not-track mechanism. http://www.itbusinessedge.com/cm/blogs/bentley/senators-formally-introduce-online-privacy-bill/?cs=46477

4. Is Your Web Site Eligible For Trade Dress Protection? While copyright law protects certain original expression from unauthorized copying, trade dress law protects commercial use of certain distinct features in connection with a product or service. When consumers associate such “look & feel” features with a product or service, trade dress protection exists. Protection has been extended to the packaging of a product, the décor of a restaurant, the design of magazine covers, and even kiosk displays.

In Conference Archives v. Sound Images, 2010 WL 1626072 (W.D. Pa. Mar. 31, 2010), a federal district judge in the Western District of Pennsylvania suggested that under the concept of “look and feel,” trade dress law can reach beyond static elements on a website, such as photos, colors, borders, or frames, to include interactive elements and/or the overall mood, style, or impression of the site since a graphical user interface promotes the intuitive use of the website.” Conference Archives, 2010 WL 1626072 at *15.

5. Do We Need An Open Wireless Regime? See what the EFF has to say. http://www.eff.org/deeplinks/2011/04/open-wireless-movement

ABOUT THE AUTHOR

David M. Adler, Esq. is an attorney, author, educator, entrepreneur and founder of a boutique intellectual property law firm based in Chicago, Illinois. With over fourteen years of legal experience, Mr. Adler created the firm with a specific mission in mind: to provide businesses with a competitive advantage by enabling them to leverage their intangible assets and creative content in a way that drives innovation and increases the overall value of the business.

David M. Adler, Esq. & Assoc.: Safeguarding Ideas, Relationships & Talent®