World Intellectual Property Day

Happy World Intellectual Property Day!

To increase IP awareness around the world, member states of the World Intellectual Property Organization (WIPO) chose April 26, the day when the WIPO Convention came into force in 1970, as World IP Day. According to WIPO, World IP Day celebrates innovation and creativity and how intellectual property fosters and encourages them. To celebrate this day, what follows is a discussion of four significant US court rulings decided in April 2012, each involving one of the major IP domains: patent, trademark, copyright and trade secret.

Communications Involving Patent Settlements are Discoverable

On April 9, 2012, the United States Court of Appeals for the Federal Circuit ruled that communications involving reasonable royalty rates and damage calculations were discoverable. Specifically, the Federal Circuit ruled that such communications, which may underlie settlement agreements, were not worthy of creating a new federal privilege. In re MSTG, Inc., No. 996 (Fed. Cir. April 9, 2012). There was previously an open question as to whether settlement discussions were privileged and not subject to disclosure. The Sixth Circuit in Goodyear Tire & Rubber Co. v. Chiles Power Supply, Inc., 332 F.3d 976, 979-83 (6th Cir. 2003) adopted a settlement privilege, while such a privilege was rejected by the Seventh Circuit in In re General Motors Corp. Engine Interchange Litigation, 594 F.2d 1106, 1124 n.20 (7th Cir. 1979).

In rejecting MSTG’s request to create a settlement privilege that would protect the reasonable royalty rate discussions it had with other defendants, the Federal Circuit distinguished Fed. R. Evid. 408. According to the court, Fed. R. Evid. 408 only addresses the inadmissibility of settlement discussions (for purposes of showing the validity or amount of a claim) and does not expressly prohibit the discovery of such material. Id. at 11–12. Finding there was no good reason to create a new privilege under the circumstances, the Federal Circuit found communications underlying settlement discussions to be fair game, at least so long as the requests otherwise comport with the rules of discovery.

Given the In re MSTG, Inc. decision, future patent plaintiffs will now have to contend with the possibility of disclosures being made on sensitive settlement discussions. This decision is noteworthy given that settlements are sometimes done for strategic reasons that may not be directly tied to the relative worth of the settled patents – one settlement against a competitor may yield very different results as against another competitor. Moreover, it may make it more difficult to settle patent disputes if a patent holder feels it needs to establish a certain record it can use in future disputes. This is further complicated by the fact that patent litigation may eventually reach new heights with the September 2011 passage of the Leahy-Smith America Invents Act and the current status of patent portfolios as a competitive currency for very large corporations. Microsoft’s $1.1 billion purchase of 925 AOL patents and Facebook’s subsequent purchase of 650 of these Microsoft/AOL patents for $550 million are illustrative of this competitive currency approach to patents. No matter how the patent litigation landscape changes down the road, plaintiffs now need to take a structured and strategic approach to settlement discussions, given that what is said in one case can very well impact the results of future litigation.

Keyword Trademark Cases Remain Viable

In this latest of a long line of cases against Google for keyword trademark infringement, a surprise appellate decision was handed down on April 9, 2012. Rosetta Stone Ltd. v. Google, Inc., No. 10-2007 (4th Cir. April 9, 2012), reversing Rosetta Stone Ltd. v. Google Inc., 730 F. Supp. 2d 531 (E.D. Va. 2010). In reversing portions of the lower court’s summary judgment grant in favor of Google, the Fourth Circuit reinstated plaintiff’s direct infringement, contributory infringement and dilution trademark claims. In reviving the direct infringement claim, which only involved a likelihood of confusion analysis, the court ruled that even well-educated, seasoned Internet consumers are confused by the nature of Google’s sponsored links and are sometimes even unaware that sponsored links are, in actuality, advertisements: “At the summary judgment stage, we cannot say on this record that the consumer sophistication factor favors Google as a matter of law.” Id. at 24–25. In fact, the Court noted, such uncertainty may constitute “quintessential actual confusion evidence.” Id. at 22. The Fourth Circuit relied on various internal Google studies analyzing consumer confusion in connection with sponsored links, including studies that concluded “the likelihood of confusion remains high when trademark terms are used in the title or body of a sponsored link appearing on a search results page and 94% of consumers were confused at least once.” Id. at 21.

This decision stands in sharp contrast to other decisions that have ruled on this particular likelihood of confusion issue. Previously, courts have found that in an age of sophisticated Internet users, it makes little sense to continue with the notion that users will be confused between sponsored results with trademark-protected keywords and standard search results, or even by domain names containing trademarked words. See Network Automation, Inc. v. Advanced System Concepts, Inc., 638 F.3d 1137, 1152 (9th Cir. 2011).

The contributory infringement claim was revived given that Rosetta Stone provided Google with approximately 200 instances of counterfeit products found on sponsored links. This was deemed sufficient to raise a question of fact regarding Google’s knowledge of identified individuals using sponsored links to infringe Rosetta Stone’s marks. Rosetta Stone Ltd. v. Google, Inc., Slip Op. at 30. The Fourth Circuit also reversed summary judgment on the dilution claim given that the lower court applied the wrong standard when applying available defenses to a dilution claim under the Lanham Act. Id. at 39–41. This and other technical errors made by the lower court may be only a short-term victory for Rosetta Stone, given that on remand the court will ultimately determine whether Rosetta Stone’s brand was famous in 2004 – if it was not, the dilution claim is lost. Id. at 47. This may be a difficult burden for Rosetta Stone since the court recognized the brand actually became more famous in the years after 2004. Given that the dilution reversal was based largely on technical deficiencies in how the lower court interpreted the fair use defense, the Fourth Circuit missed an opportunity to opine on the more interesting question of whether Rosetta Stone could even bring a dilution claim against Google, given that there is a very real question as to whether Google sufficiently used the Rosetta Stone marks in commerce. Id. at 39–40.

The ultimate significance of this case may eventually pivot outside of the search engine context. For example, despite the solid body of law that continues to sanction keyword marketing, contextual advertisers may benefit from reevaluating their use of keyword triggers associated with famous marks. And likelihood of confusion inquiries may reach a new realm with augmented reality devices such as Google’s Project Glass, given that advertisers may be able to physically guide users towards products and services based on verbal commands and trademark usage, all without a single trademark being displayed.

DMCA Safe Harbor Provisions Raise Copyright Infringement Questions of Fact

On April 5, 2012, the Second Circuit reinstated Viacom’s long-running copyright infringement action against YouTube. Viacom Intl., Inc. v. YouTube, Inc., Nos. 10-3270-cv, 10-3342-cv (2d Cir. April 5, 2012). In its ruling, the court offered an analysis regarding the complete safe harbor framework available to online service providers under the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 512. It also reaffirmed that the DMCA safe harbor provisions can protect a defendant from all affirmative claims for copyright infringement, including claims for direct infringement, vicarious liability, and contributory liability.

At its most basic, the Second Circuit found that existing questions of fact regarding YouTube’s level of knowledge precluded summary judgment. Viacom’s five-year suit for direct and secondary copyright infringement previously came to a halt when the trial court found that YouTube was protected by the DMCA’s safe harbor provision, given that it had insufficient notice of the particular infringements in suit. Viacom Intl., Inc. v. YouTube, Inc., 718 F. Supp. 2d 514, 529 (S.D.N.Y. 2010). Under § 512(c)(1)(A), safe harbor protection is available only if the service provider:

(i) does not have actual knowledge that the material or an activity using the material on the system or network is infringing;

(ii) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; or

(iii) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material.

Viacom Intl., Inc. v. YouTube, Inc., Slip Op. at 15 (citing 17 U.S.C. § 512(c)(1)(A)). The lower court held that the actual knowledge and the “facts and circumstances” requirements both refer to knowledge of specific and identifiable infringements and not mere general awareness of infringing activity. Viacom Intl., Inc. v. YouTube, Inc., 718 F. Supp. 2d at 523. Although it affirmed this ruling, the Second Circuit further distinguished the two as follows:

The difference between actual and red flag knowledge is thus not between specific and generalized knowledge, but instead between a subjective and an objective standard. In other words, the actual knowledge provision turns on whether the provider actually or subjectively knew of specific infringement, while the red flag provision turns on whether the provider was subjectively aware of facts that would have made the specific infringement objectively obvious to a reasonable person.

Viacom Intl., Inc. v. YouTube, Inc., Slip Op. at 17. Parting company with the lower court, the Second Circuit found that the current state of facts raised triable questions of fact regarding these two tests. Id. at 20–22. The remand was to determine specific instances of knowledge or awareness and whether such instances mirror the actual clips-in-suit. Id. at 22.

The Second Circuit also offered the doctrine of “willful blindness,” a concept not referenced in the DMCA, as yet another means of demonstrating actual knowledge or awareness of specific instances of infringement. To that end, it remanded for further fact-finding and resolution regarding whether YouTube made a “deliberate effort to avoid guilty knowledge.” Id. at 24.

In addition to the above DMCA knowledge provisions, the DMCA provides that an eligible service provider must “not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity.” Id. at 24 (citing 17 U.S.C. § 512(c)(1)(B)). After reviewing this “right and ability to control” test, the Second Circuit rejected the lower court’s view that a service provider must actually know of a particular case of infringement before it can control it. Id. at 25. Rather, the Second Circuit chose to agree with other courts that have determined a finding of liability only requires something more than the ability to remove or block access to materials posted on a service provider’s website. Id. at 27 (citations omitted). And this “something more” involves “exerting substantial influence on the activities of users,” so a remand was necessitated to flesh out this standard and determine whether YouTube satisfied it. Id. at 28–29.

Although in its decision the Second Circuit has provided solid authority on a wide range of DMCA safe harbor interpretive issues, the decision may ultimately create problems for content owners and online service providers alike, to the extent the ruling leaves the summary judgment door unpredictably ajar for future litigants.

Theft of Trade Secrets Not Necessarily a Federal Offense

On April 11, 2012, the Second Circuit overturned the eight-year sentence imposed on a computer programmer for the theft of trade secrets under the Economic Espionage Act of 1996, 18 U.S.C. § 1832(a)(2) & (4) (EEA), and transportation of stolen property in interstate commerce under the National Stolen Property Act, 18 U.S.C. § 2314 (NSPA). United States v. Aleynikov, No. 11-1126 (2d Cir. April 11, 2012). The NSPA makes it a crime to “transport, transmit, or transfer in interstate or foreign commerce any goods, wares, merchandise, securities or money, of the value of $5,000 or more, knowing the same to have been stolen, converted or taken by fraud.” 18 U.S.C. § 2314. The statute does not define the terms “goods, wares, or merchandise.”

The EEA makes it a crime for someone to “convert a trade secret, that is related to or included in a product that is produced for or placed in interstate or foreign commerce, to the economic benefit of anyone other than the owner thereof, and intending or knowing that the offense will, injure any owner of that trade secret, knowingly . . . steals, or without authorization appropriates, takes, carries away, or conceals, or by fraud, artifice, or deception obtains such information…” 18 U.S.C. § 1832(a).

Although the defendant computer programmer was convicted of stealing computer source code from his former employer, the Second Circuit strictly construed both of these federal laws when tossing the convictions. Id. at 10. First, the court determined the defendant was wrongly charged with theft of property because the intangible code did not qualify as a physical object that was “produced for or placed in interstate or foreign commerce” under the NSPA. Id. at 14–15. Declining “to stretch or update statutory words of plain and ordinary meaning in order to better accommodate the digital age”, the Second Circuit held that because the defendant did not “assume physical control” over anything when he took the source code, and because “he did not thereby deprive [his employer] of its use, [defendant] did not violate the [NSPA].” Id. at 18. And, given that the stolen code was neither “produced for nor placed in interstate or foreign commerce” because the employer had no intention of selling its HFT system or licensing it to anyone, the EEA was not violated either. Id. at 27.

The failure of the EEA to address the defendant’s conduct here is problematic given that the EEA was “passed after the Supreme Court and the Tenth Circuit said the NSPA did not cover intellectual property.” Id. at 2 (Calabresi, J., concurring) (citations omitted). The statute was apparently expressly meant to pick up the theft of intellectual property such as proprietary source code. The concurrence by Judge Calabresi suggests that Congress should jump in to rectify this apparently significant hole in the EEA: “While the legislative history can be read to create some ambiguity as to how broad a reach the EEA was designed to have, it is hard for me to conclude that Congress, in this law, actually meant to exempt the kind of behavior in which Aleynikov engaged. . . . I wish to express the hope that Congress will return to the issue and state, in appropriate language, what I believe they meant to make criminal in the EEA.” Id. at 2 (Calabresi, J., concurring).

If nothing else, this decision reaffirms the need for companies to be proactive in the defense of their trade secrets. Until Congress fixes the EEA, it is simply not safe to assume that criminal conduct such as the theft of source code will rise to the level of a federal offense.

Basketball, Julius Caesar, and Privacy

March Madness and murdered dictators aside, next month may be memorable for significant new privacy policies and obligations coming online — especially those for vendors holding sensitive information of a Massachusetts resident. Given the expiration of a two-year grace period, Massachusetts will require, effective March 1, 2012, that all service provider contracts include provisions requiring that the service provider implement and maintain security measures for personal information that are consistent with the Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 CMR 17.00.

A service provider must comply with this regulation if it “receives, stores, maintains, processes, or otherwise has access to personal information” of Massachusetts residents, e.g., social security numbers, driver license numbers, and financial account information, in connection with the provision of goods or services or in connection with employment. For compliance purposes, it does not matter whether the service provider actually maintains a place of business in Massachusetts. In addition, those companies that are subject to the regulation must oversee service providers by taking reasonable steps to select and retain service providers who are compliant. Penalties for non-compliance can be enforced through the Massachusetts Consumer Protection Statute and include penalties under that law as well as a possible civil penalty of up to $5,000 for each violation, plus reasonable costs of investigation and attorney’s fees.

On the consumer side, starting March 1, 2012, Google’s new privacy policy will bring together its various privacy documents into a single umbrella privacy policy. After it is implemented, logged-in users will be treated as a single user across all Google products. Concern over the way Google’s new policy would grant the data aggregator control over user data and allegedly “hold hostage” consumer personal information has caused attorneys general from around the country to reach out to Google. Not one to miss out on the fun, one EU regulator has chimed in claiming that it is “deeply concerned” about the new Google policy. And EPIC even filed suit to enforce an FTC settlement in its effort to stop the March privacy change — a lawsuit that was dismissed on February 24, 2012. Given that it will likely be implemented in a few days, consumers wanting to avoid some of the potential privacy sting of these changes can heed some advice from the EFF.

Finally, on March 7, 2012, HHS is scheduled to publish in the Federal Register its final proposed rule regarding what constitutes “meaningful use” of EHR sufficient to trigger incentive payments under the HITECH Act. A draft of the proposed rule is currently available. It remains to be seen whether this push for EHR usage will ultimately add to or subtract from healthcare data breaches.

As it stands, a HIPAA covered entity must provide notice to the HHS Secretary “without unreasonable delay and in no case later than 60 days from discovery of the breach” for a breach impacting 500 or more individuals. To assist in reporting, there is even an online means of disclosing breaches. The current list of all such disclosed breaches is publicly available; and, not surprisingly, incidents have been steadily increasing according to an analysis done by OCR of breaches occurring in 2009 and 2010.

The annual OCR report indicates that larger breaches occurred “as a result of theft, error, or a failure to take adequate care of protected health information.” OCR Report at 9. It is not difficult to imagine that efforts to obtain governmental incentive payments by achieving meaningful EHR usage — as the term will be further refined in March — may actually cause an uptick in breaches. Despite the requirement that every EHR Module be certified to “privacy and security” certification criteria (which will ultimately be determined by the HHS Secretary), these incentive payments will continue to be tied to usage and not necessarily to verifiable compliance with a security standard. Given that HITECH’s financial incentives remain based on usage and not protection, “sticks” such as reductions in Medicare payments and stiff HITECH fines will continue to be the only real governmental incentive to maintain adequate protection. It would be nice if HHS, instead, developed a financial incentive or reward program for those firms that go the extra distance (as per NIST standards) when providing security. Maybe such a program will make the agenda after OCR releases a few more breach reports.

Data Privacy Day 2012

Deserving of a fairly large yawn, the International Data Privacy Day came on a Saturday this year.  The US sponsors — who are basically large tech companies — can hardly be faulted for failing to elevate today to true holiday status.  In Europe, the festivities are equally lame.  Last year, it was not much different.

Why was January 28th even chosen to celebrate privacy?  Well, because it is generally recognized that the first stab at a statutory privacy scheme came into being on 28 January 1981 when the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was passed by the Council of Europe.  The purpose of this convention was to secure for residents respect for “rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him.”

It was actually in 1965 — 16 years earlier — when the US Supreme Court, in Griswold v. Connecticut, 381 U.S. 479 (1965), formally recognized that every US citizen enjoys a constitutional “zone of privacy” by way of the Bill of Rights. Indeed, probably the best known judicial wording on the subject was written in 1928 when Justice Brandeis wrote in a dissent:

The protection guaranteed by the Amendments is much broader in scope. The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness. They recognized the significance of man’s spiritual nature, of his feelings, and of his intellect. They knew that only a part of the pain, pleasure and satisfactions of life are to be found in material things. They sought to protect Americans in their beliefs, their thoughts, their emotions and their sensations. They conferred, as against the Government, the right to be let alone — the most comprehensive of rights, and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.

Olmstead v. United States, 277 U.S. 438 (1928) (Brandeis, J., dissenting)

Fast forward to January 23, 2012, and the case of United States v. Jones is decided by the Supreme Court. It is the Court’s first look at how the Fourth Amendment applies to police use of GPS technology. This fractured decision — only serving up a majority to agree with the view that the defendant’s Fourth Amendment rights were violated when a GPS device was attached to his Jeep for 28 days — does provide an interesting glimpse into future rulings, even though many relevant questions were left unanswered by the Court.

For example, Justice Sotomayor asks rhetorically:

it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.  This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks…Perhaps, as JUSTICE ALITO notes, some people may find the tradeoff of privacy for convenience worthwhile, or come to accept this diminution of privacy as inevitable, post, at 10, and perhaps not.

Justice Sotomayor may one day get the opportunity to expand on her dicta.  Although it is uncertain when that may happen, what is certain is that the privacy landscape will be quite different by the time Data Privacy Day 2013 rolls around.

EU Data Breach Notification in 24 Hours?

On January 25, 2012, the European Union will announce a comprehensive reform of its data protection rules. This proposed shift will likely toughen existing data-protection requirements and, according to one published report, will include a new rule requiring companies to disclose data breaches within 24 hours of the breach – in effect leapfrogging the toughest existing breach notification laws of the United States. The EU’s initial Data Protection Directive does not even have a breach notification requirement.

The proposed retooling of the 1995 Directive will also likely prod national data-protection authorities within the 27-member EU to assess administrative sanctions and fines. Interestingly, an EU conference will be held in Washington, D.C. on March 19, 2012 to obtain feedback from US stakeholders. One issue that will likely be aired at this D.C. conference is a potential new EU privacy right “to be forgotten” — a hot topic at the most recent International Conference of Data Protection and Privacy Commissioners. Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has recently publicly called for such a right: “I also want to create a right to be forgotten, which will build on existing rules to better cope with privacy risks online. If an individual no longer wants their personal data to be processed or stored by a data controller, and if there is no legitimate reason for keeping it, the data should be removed from their system.”

Although the proposed new directive framework to be announced on January 25, 2012 will take some time to be implemented by EU member countries and then enforced by the respective member Data Protection and Privacy Commissioners, it is clear that the EU privacy world will soon be changing in a dramatic way.  Those firms processing personal data within the EU are well advised to take notice and prepare for potential new obligations and privacy requirements.

Update: January 25, 2012

The new proposed set of rules will indeed morph into “big news” if ultimately passed. First of all, the 1995 Directive will be repealed in favor of a consistent approach for all member states. In fact, these new rules might also impact US businesses to the extent they process EU-protected data and have an EU presence. In a nod to harmonization hawks, only one member state would have authority to regulate a particular business even if the data was processed among several member states — jurisdiction will ultimately be determined by domicile or where the bulk of processing takes place.

As reported, the proposed new rules do, indeed, have a proposed notification provision that requires notification “without undue delay and, where feasible, not later than 24 hours of becoming aware of [the breach]”. And there is also a new “right to be forgotten” that is created via these new rules. Top fines that can be levied for non-compliance with these rules can reach up to 2% of a firm’s gross worldwide turnover (“revenue”).

There are other noteworthy changes, so it is definitely worth taking the time to fully review this proposed comprehensive reform of EU data protection rules, which can be found at the European Commission website.

Third Circuit Agrees Standing is Lacking in Breach Case

The United States Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, 2011 U.S. App. LEXIS 24561, 3 (3d Cir., December 12, 2011), found that “allegations of an increased risk of identity theft resulting from a security breach” were insufficient to secure Article III standing.  In so doing, the court affirmed the dismissal of claims brought by former employees of a NJ law firm after the firm’s payroll processor was breached.

Recognizing that “a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed”, the Third Circuit sided with those courts finding that plaintiffs lack standing because the harm caused is too speculative. Specifically, the court did not consider an intrusion that penetrated a firewall and potentially allowed access to employee payroll data sufficient to meet the Article III requirement of an “actual or imminent” injury. No misuse was alleged, so no harm was found.

The Third Circuit also rejected the notion that time and money expenditures to monitor financial information conferred standing on plaintiffs. Id. at 5 (“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.”). See also In re Michaels Stores PIN Pad Litigation, Slip Op. at 14 (N.D. Ill. November 23, 2011) (reasoning that “individuals cannot create standing by voluntarily incurring costs in response to a defendant’s act. Accordingly, Plaintiffs cannot rely on the increased risk of identity theft or the costs of credit monitoring services to satisfy the ICFA’s injury requirement.”).

The Third Circuit’s decision stands in sharp contrast to those decisions that stretched hard to find a cognizable harm sufficient to trigger constitutional standing, as well as to a recent ruling from the First Circuit reversing a dismissal because costs associated with credit card reissuance fees and ID theft insurance were deemed sufficient to constitute an injury.

There is now a growing body of law that has sprung from public data breaches and that can be used by either side of the class action table. The key metric will be how such decisions can be tooled by plaintiff’s counsel to defer dismissal. Given the potential use of cy pres settlements, defense counsel need to cut off the discovery beast before it grows out of control and gives rise to such settlement discussions. All plaintiff’s counsel needs to do is hope for a sympathetic judge before the wheel is spun.

Mexico City Redux: Conference of Data Protection and Privacy Commissioners

On November 2–3, 2011, about 600 persons from around the world attended the 33rd International Conference of Data Protection and Privacy Commissioners. For those unable to make the trek to Mexico City, what follows is selected insight gained from several folks who attended and were kind enough to report back what was discussed in Mexico.

The event opened with an exposition of the “big data” concerns driving many large privacy programs. Ken Cukier of The Economist used the example of how the Sumo wrestling scandal was uncovered using big data analytics, i.e., a complete analysis of 10 years’ worth of Sumo contests, to showcase the fast, ubiquitous, and distributed nature of big data. A common big data thread turned on the data collection activities of Facebook and Google – with an obvious concern regarding their future usage of collected data. It was pointed out that a browser configuration is so customized now that it can act as a fingerprint identifying its owner — leading to even more big data concerns.

Two other substantive topics covered were, not surprisingly, social media and mobile technologies. Tied to social media was the purported “right to be forgotten.” Building on prior conferences, it appears as if the commissioners in attendance believed future regulations will eventually create such a right in the EU. The question of enforcement was not really deemed much of a concern – which is curious, given that it would be wishful thinking to believe anyone can actually completely scrub the Internet of one’s personal data. Moreover, do we really even want bad information regarding a professional such as a doctor or lawyer ever completely wiped clean?

As for mobile discussions, one session focused exclusively on the ramifications of having over five billion mobile users worldwide. In ten years’ time, it was estimated there would be 20 billion SIM cards in use connecting multiple devices to each other. In effect, chips will be everywhere processing and collecting data — leading to ever-increasing privacy challenges.

Another area of discussion was the “interoperability” of privacy laws around the world.  The lofty notion of harmonization was abandoned in favor of the more workable interoperability concept.  This new perspective would entail better cooperation between the various commissioners with perhaps an executive committee to assist in such coordination efforts.  The committee would deal with global issues that would require better cooperation, e.g., regulatory efforts involving multi-national corporations potentially impacting the privacy rights of persons in many countries.

An interesting sidebar on interoperability was the ability to use common regulations instead of directives.  Such a change in course would take much longer to implement given the need to, for example, go to a Parliament to pass such regulations.  It was assumed this path would take 3 – 5 years to implement.  On the other hand, it would give much more in the way of teeth to an executive committee’s agenda.

There was also an interesting debate between the commissioners regarding their perceived roles.  It was universally acknowledged that they are overwhelmed by the explosive privacy issues impacting their respective offices.  What was not universally acknowledged was how they should prioritize their time in meeting this challenge.  One school of thought (spearheaded by Chris Graham, the UK Information Commissioner) was that commissioners and their offices should be counselors assisting companies in reaching relevant privacy standards — a decidedly carrot-centric approach.  The competing school of thought (voiced strongly by Jacob Kohnstamm, Head of the Article 29 Working Group and Chairman of the Dutch Data Protection Authority) was that only enforcement sticks should be used.  Mr. Kohnstamm said that companies have had enough time to become compliant and it is now time to enforce existing laws.  He also apparently stated that even if he wanted to act as a counselor he does not have sufficient advisory personnel on staff to act in that role.  Interestingly, this divide may also be attributable to a common law vs. civil law axis.  Given that Mr. Kohnstamm is up for election as head of the Article 29 Working Group, his election may end up being a referendum on this debate.

Interesting insight was also gained regarding the difference in styles between two newly installed commissioners; the newfound influence of Asia at the conference; the focus — for the first time — on privacy violations involving state actors; and a belief that the closed session resolutions may formalize the working relationships between the various commissioners and their respective offices.

There is no doubt that the global privacy landscape is expanding at a rapid rate and that this conference will only grow over time – next year it will be at a resort in Uruguay.  Simon Davies, Director of Privacy International, even spoke about how countries such as Pakistan and Afghanistan are now starting a privacy dialogue.   The Dragon also took a privacy bow when Zhou Hanhua of the Chinese Academy of Social Sciences in Beijing gave a keynote address that discussed the new revisions to China’s penal code regarding privacy infractions as well as its revisions to Identification and Telecommunications laws to better address privacy concerns.   It was even mentioned that Korea will host the conference in a few years.

In other words, there can be no denying privacy is and will forever be a global issue.  In fact, that truism may very well be the reason this year’s Conference of Data Protection and Privacy Commissioners was titled “PRIVACY: The Global Age.”

First Circuit Rules Hannaford Damages Include ID Theft Insurance and Card Reissuance Fees

On October 20, 2011, the United States Court of Appeals for the First Circuit issued an opinion reversing a Maine District Court’s dismissal of negligence and implied contract claims against grocer Hannaford Brothers.  The underlying data breach, publicly announced on March 17, 2008 by Hannaford, led to a consolidated class action that was ultimately rejected in its entirety by the Maine District Court.   After receiving guidance from the Maine Supreme Court regarding whether time and effort alone could represent a cognizable injury — it did not — the District Court ultimately ruled that, even though the plaintiffs could allege claims for implied contract and negligence, the action had to be dismissed because the associated damages were not cognizable in law.

In reversing, the First Circuit recognized that “[t]here is not a great deal of Maine law on the subject [of damages recoverable under § 919 of the Restatement (Second) of Torts].”  Accordingly, it reviewed a good deal of caselaw outside of Maine before applying § 919’s rule that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened” to the specifics of this case.   Several cited cases found such mitigation damages valid even if they exceed the potential savings and are purely financial in nature.

Recognizing the Hannaford breach involved a large-scale criminal operation that already led to over 1,800 identified fraudulent charges and many banks issuing new cards, the First Circuit ruled that mitigation damages in the form of ID theft insurance and credit card reissuance fees were financial losses recoverable under the negligence and implied contract claims so long as they are considered reasonable mitigation damages.   There was no remand for further factual findings on the issue.  The First Circuit simply made a determination that such damages were both foreseeable and reasonable and reversed on that basis.  Now that the consolidated complaint lives another day, the District Court may certify a class, but if it does, it remains to be seen how far the lower court will go in sizing the class and allowing for such mitigation damages.

ZIP Code Litigation Update

Earlier this year, the California Supreme Court ruled on the outer reach of a state statute meant to protect consumers during credit card transactions – the Song-Beverly Credit Card Act of 1971.  See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (2011).  Specifically, Song-Beverly precludes retailers from requesting and recording a customer’s “personal identification information” during a credit card transaction, and the Pineda court reasoned that such information now includes ZIP code information.  The decision was largely driven by the fact that current marketing firms can use a ZIP code to tap into vast stores of personal data about a consumer.  Although the law may have only applied to retail stores in California, the decision immediately gave rise to an avalanche of class action suits given class action counsels’ new-found access to statutory damages.

In fact, given this new extension of the law, California legislators quickly amended Song-Beverly to exclude from its reach retail motor fuel sales and state law obligations.  This proposed law passed both the Senate and Assembly, was presented to the Governor on September 22, 2011 and will likely soon be signed into law.   What this proposed law does not do is expressly reverse Pineda or turn the tide against class actions brought against retailers.

It appears, however, that courts on their own have found ways to curtail further extensions of Song-Beverly.  In an August 2011 Order, a California trial court sustained an online service provider’s demurrer to a class action complaint under Song-Beverly.  The action involved the purchase of an online advertisement.  The Order simply states that the law “on its face does not apply to online transactions,” and “the applicable case law, legislative intent and public policy indicate that such transactions are not, and should not be, encompassed” by Song-Beverly.

Other jurisdictions have been reluctant to create Pineda-like precedent.  In an unpublished opinion filed on September 26, 2011, a New Jersey District Court Judge decided that New Jersey’s Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA) – which provides for a civil penalty of not less than $100 per violation – was not triggered when plaintiff provided her ZIP code during a retail credit card transaction.  The statute requires that the provisions of a specific consumer contract violate a state or federal law.  In dismissing the Complaint, the District Judge found that a credit card transaction did not implicate a specific consumer contract given the card number and ZIP code at issue were merely a series of numbers and not part of a specific consumer contract.  Given that New Jersey’s version of Song-Beverly (Restrictions on Information Required to Complete Credit Card Transactions, N.J.S.A. § 56:11-17) does not provide for a private right of action, plaintiff did not claim standing under that law.  With no small sense of irony, the case was dismissed against the same defendant as in Pineda.

A bench opinion recently entered by a New Jersey state judge came to the exact opposite conclusion.  In that ruling from the bench, the court found that a violation of N.J.S.A. § 56:11-17 was a sufficient predicate for a violation of the Truth-in-Consumer Contract, Warranty and Notice Act – which, in turn, allowed access to the statutory damages so eagerly sought by class action plaintiffs.  Given that it was only a bench opinion, the decision has no precedential weight.  In other words, it’s a decision that now means nothing to other retailers in New Jersey.  On the other hand, it only takes a chip here and there to sometimes break a levee – or the willing hand of an appellate court.  Stay tuned.

Update:  October 1, 2011
After reading a transcript of the oral argument and opinion, it appears the state court judge ultimately gave too much deference to NJ’s motion to dismiss standard.   Although the court concluded by saying he was “making no comment about the merits of the case”, he ultimately found that a common law privacy claim exists when a retailer obtains a customer’s ZIP code during a credit card transaction.  Moreover, he reasoned that a claim under TCCWNA could also exist given ZIP code information was part of the writings required to complete the consumer transaction.  Accordingly, there was enough of a consumer contract to trigger the statute.

Update:  January 6, 2012
Although it ultimately dismisses an action against Michael’s Stores, Inc. given there is no cognizable common law injury and the applicable law does not provide for statutory damages, a Massachusetts federal court rules that ZIP code information is “personal identification information”.

Anonymous Supports September 17 Efforts

On August 23, 2011, Anonymous released a video endorsing the September 17, 2011 planned “Day of Rage” occupation of Wall Street and other financial areas around the world.   Specifically, in its video, Anonymous urges protesters on September 17th to “flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months … Once there, we shall incessantly repeat one simple demand in a plurality of voices.”

This endorsement might seem fairly harmless.  On the other hand, those in the financial sector are urged to take this implicit threat pretty seriously.  According to a duo of FBI agents talking today at a public briefing regarding the entry of Anonymous into the September 17th efforts, financial institutions are advised to step up their network security during the next few days.  In fact, a recent FBI crackdown on Anonymous may be tied to S17.   Given there is deliberately no leadership core within Anonymous, all that can be hoped is that on the 17th its members choose to take a day off from clicking on a computer, and instead take a relaxing train ride downtown.

Update:  September 19, 2011
As of Monday morning, the “Day of Rage” event showed no publicly reported increase in data security events.  It is estimated that several thousand attended the rally in New York City but there was not much in the way of media reporting given it was largely a peaceful event.

Update:  September 28, 2011
On September 23, 2011, the FBI’s Cyber Division issued the following informational bulletin to Infragard members:

For situational awareness, the following message was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengeance” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.  In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department.  We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk to attacks, such as SQL injection.

September 24, 2011 came and went without any publicly disclosed incident tied to this threat.  The hope is that the FBI’s future warnings are not ignored given the lack of traction of these recent Anonymous warnings.  Bottom line:  Safeguarding against SQL injection exploits is obviously sound advice with or without an Anonymous threat.

Update:  October 12, 2011
Although similar to the October 8-11, 1969 “Days of Rage” riots in Chicago that led to the arrest of several hundred Weatherman radicals, the current Wall Street “Days of Rage” protesters are not facing nearly as much opposition from the police or popular media.   Moreover, despite the Anonymous threat, there have been no reports of cyber incidents directly tied to this protest.  RIM, however, has faced several recent outages.  Although RIM has publicly stated that these Blackberry blackouts were caused by a “core switch failure”, given that there is still strong Blackberry usage in the financial sector, it will be interesting to hear in a few months’ time whether there was anything else that contributed to these blackouts.

Update:  November 13, 2011
Much has happened since the first Day of Rage took place several months ago on Wall Street — including its morphing into a national “Occupy” movement in cities around the country.  It’s generally been tough going for these occupiers.  There have been deaths in the Occupy Oakland and Occupy Burlington protests as well as a death at the one in Salt Lake City; a tuberculosis outbreak hit Occupy Atlanta; and the starting point at Zuccotti Park near Wall Street has seen its share of viruses and STDs thin the ranks.  As for Anonymous, the general consensus is that the hype they generated yielded PR benefits to the organization even though to date they apparently have not been directly involved in any related cyber-security incident.

Ponemon Second Annual Cost of Cybercrime Study

A detailed study regarding the impact of cybercrime on corporations was recently released by the Ponemon Institute.  According to the Second Annual Cost of Cyber Crime Study, the median annualized cost of cybercrime incurred by a benchmark sampling of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.  This was an increase of 56 percent from the median cost reported in the inaugural study.

According to this Ponemon deep dive of organizations that have sustained incidents of cybercrime, more than 90 percent of all cybercrime costs were caused by malicious code, stolen devices and web-based attacks.  During a four-week period, the organizations surveyed by the Ponemon Institute experienced 72 successful attacks per week, an increase of nearly 45 percent from last year.  Interestingly, according to a recent study by Webroot Research, cybercrime on social networks also continues to increase — with the number of US-based users who have experienced attacks on social networks growing from 8% in 2009 to 13% in 2010 to 18% in 2011.

Smaller-sized organizations were found by Ponemon to incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).  This may be because smaller organizations do not readily negotiate much off of vendor rack rates — another reason to evaluate network security and privacy insurance as well as working with a law firm that has significant experience in dealing with breaches.

According to this Ponemon survey, the average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18-day period.  Interestingly, this represents a 67 percent increase from last year’s estimated average cost of $247,744, which took place over a 14-day period.  Results of the study show that malicious insider attacks can take more than 45 days on average to contain.

On September 14, 2011, New York Metro InfraGard and Coalfire are co-sponsoring a New York City event that will feature Dr. Larry Ponemon speaking on the Ponemon Institute’s Cost of Cybercrime Study.  For details on this event, visit the Infragard site or registration site.

Legal and Business Advocacy