Scott & Scott | Software Compliance Counsel


May 2007 Archives

May 8, 2007

Supreme Court Grants Summary Judgment Based on Video Evidence

The Supreme Court’s decision in Scott v. Harris, 2007 WL 1237851 (U.S. 2007), may give appellate courts more freedom to decide issues on summary judgment that might previously have been left for resolution by juries. The factual scenario in Scott v. Harris would have made a fascinating episode of “Cops.” A Georgia county deputy attempted to pull over Harris after clocking him at 73 miles per hour in a 55 mile per hour zone. Harris instead sped away, initiating a chase down mostly two-lane roads at speeds exceeding 85 miles per hour. Deputy Scott joined the chase in his patrol car and radioed his supervisor for permission to employ a PIT maneuver, in which the pursuing vehicle pulls alongside the fleeing vehicle, makes contact with the fleeing vehicle’s side, steers sharply into that vehicle and then, by applying its brakes at the right moment, causes the fleeing vehicle either to spin out or to exit the roadway. Deputy Scott received permission but decided not to employ the PIT maneuver, instead applying his push bumper to the rear of Harris’s vehicle. Harris lost control of his car, which ran down an embankment, overturned, and crashed, rendering Harris a quadriplegic. Harris filed suit under 42 U.S.C. § 1983, contending that Scott and others used excessive force in violation of his Fourth Amendment rights during the high-speed car chase. The District Court denied Scott’s summary judgment motion on his qualified immunity claim, and the Eleventh Circuit affirmed. The Supreme Court, in an 8-1 decision, reversed and held that, as a matter of law, Scott’s attempt to terminate the chase by forcing Harris off the road was reasonable, and he was therefore entitled to qualified immunity.

While significant with respect to Fourth Amendment jurisprudence, the decision in Scott v. Harris also signals a willingness on the part of the Supreme Court to allow appellate courts, when presented with certain types of evidence (like video records), to decide factual issues as a matter of law. In this case, there was a videotape record of the car chase. The justices themselves reviewed the video and even posted it on the Supreme Court’s website for downloading: http://www.supremecourtus.gov/opinions/video/scott_v_harris.rmvb

In summary judgment practice, a court is tasked with viewing the evidence in the light most favorable to the nonmovant. Justice Scalia, writing for the court, concluded, however, that the videotape blatantly contradicted Harris’s version of the facts, such that no reasonable jury could adopt his version. It was therefore permissible for the appellate court to conclude, as a matter of law, that Scott did not act unreasonably. Of course, as Justice Stevens pointed out in his dissent, both the district court and the Eleventh Circuit had seen the same videotape and reached different conclusions regarding whether the tape resolved the factual issues as a matter of law. In decrying the majority’s decision to resolve the factual issues themselves based on the video, Justice Stevens repeatedly referred to the justices in the majority as “jurors” in his strongly worded dissent.

In future cases where video evidence is available, parties will be able to cite Scott v. Harris for the proposition that a court, and not a jury, is capable of deciding issues that were traditionally left for the jury to resolve, particularly where the video evidence contradicts the nonmovant’s version of the facts. As Justice Scalia stated, “when opposing parties tell two different stories, one of which is blatantly contradicted by the record, so that no reasonable jury could believe it, a court should not adopt that version of the facts for purposes of ruling on a motion for summary judgment.” Scott v. Harris, 2007 WL 1237851 at *4. This may be particularly significant on appeal, where at least five circuits have held that a federal appellate court has the authority to affirm entry of summary judgment on any ground presented by the record, whether or not the issue was raised, briefed, or argued in the district court. See Iverson v. City of Boston, 452 F.3d 94, 98 (1st Cir. 2006); Cromwell Assocs. v. Oliver Cromwell Owners, Inc., 941 F.2d 107, 111 (2d Cir. 1991); Reasonover v. St. Louis County, Mo., 447 F.3d 569, 578 (8th Cir. 2006); Bones v. Honeywell Int’l, Inc., 366 F.3d 869, 875 (10th Cir. 2004); Banner v. United States, 238 F.3d 1348, 1355 (Fed. Cir. 2001). The appellate review procedure approved in Scott v. Harris could allow an appellate court to decide a case as a matter of law based on video evidence where that evidence discredits the nonmovant’s version of events.

Supreme Court Issues Two New Patent Decisions

Part I – Microsoft Corp. v. AT&T, 550 U.S. ____ (2007)

The question presented to the Supreme Court was whether Microsoft’s liability would extend to computers made in another country when loaded with Windows software copied abroad from a master disk or electronic transmission dispatched by Microsoft from the United States.

Generally, no patent infringement occurs when a patented product is made and sold in another country, except where the patented invention’s components are supplied from the United States for combination abroad. 35 U.S.C. § 271(f)(1).

AT&T holds a patent on a computer used to digitally encode and compress recorded speech. Microsoft’s Windows incorporates software that enables a computer to process speech in the manner claimed by AT&T’s patent. Microsoft sends its software on a master disk to foreign manufacturers, who then make copies of the disk and install them onto computers that they sell. The master disk is not installed.

AT&T sued Microsoft and argued that Microsoft infringed on its patent by supplying from the United States, for combination abroad, components of AT&T’s patented computer, and therefore Microsoft would be liable under § 271. Microsoft argued that the copies were not supplied from the United States and were not a component under § 271.

The Supreme Court answered the question presented in the negative, and characterized the copies of the Windows operating code as a blueprint giving instructions rather than a component as AT&T argued. The Supreme Court reasoned that a blueprint may contain precise instructions related to components of a patented instrument, but the blueprint itself is not a component of the patented instrument. Specifically, the court ruled that if the code is sent abroad, the copy made from it will not be considered a component under § 271. The Court explained that AT&T’s only options would be to seek foreign patent prosecution or seek a change in § 271 from Congress.

PCI Standards in New Texas Legislation

Increasingly, generally-accepted industry standards and best practices seem to be saving our legislators much of the detail work when it comes to enacting laws pertaining to technical or otherwise complex fields. For instance, we know that the internal control framework disseminated by the Committee of Sponsoring Organizations of the Treadway Commission (thankfully, generally shortened to “COSO”) is identified by name by the U.S. Securities and Exchange Commission as a standard that businesses may use to achieve compliance with the rigorous internal control evaluation and disclosure requirements contained in the Sarbanes-Oxley Act of 2002 and related regulations.

Now, legislation proposed in Texas goes one step further and stops just shy of naming an industry standard by name in the text of a bill designed to ensure the security of personal data stored in portable “access devices,” such as credit cards. Texas House Bill No. 3222 contains the following provisions:

A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry [“PCI”] data security standards [“DSS”].

…[and]…

A financial institution may bring an action against a business that is subject to a breach of system security if, at the time of the breach, the business is [not in compliance with PCI DSS].

The bill goes on to provide that a business may avoid a lawsuit brought under the statute if the business was certified by a “[PCI]-approved auditor” as being in compliance with PCI DSS at least 90 days before the date of a security breach. However, if the business was not in compliance, and if the lawsuit moves forward, the business may end up having to pay the financial institution’s “actual damages” – including costs incurred in connection with “cancellation or reissuance of an access device affected by the breach,” “closing of a deposit, transaction, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account,” “opening or reopening of a deposit, transaction, share draft, or other account affected by the breach,” “refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach,” and “notification of account holders affected by the breach” – in addition to the financial institution’s attorney’s fees. Obviously, for even a moderately large breach of, for example, credit card account information, the potential penalties flowing from this legislation for noncompliance with PCI DSS could be staggering.

The interesting part of this for me, though, is the bill’s almost express naming (but for the initial capital letters) of a specific industry standard – the Data Security Standard published by the Payment Card Industry Security Standards Council – to substitute for a detailed description of the actions a business must take to be in compliance with the law. Businesses should expect to see ever more numerous examples of this sort of legislation in coming years, making familiarity with and early adoption of generally-accepted business standards all the more advisable.

You can read the full text of HB 3222 here.

In addition, you can download a free copy of the PCI DSS here.

Northern District of Texas Issues Local Patent Rules

The Eastern District of Texas originally claimed fame partially through its implementation of its original local patent rules. Patterned after the local patent rules of districts like the Northern District of California with heavy intellectual property dockets, and the original “rocket docket” in the Eastern District of Virginia, the Eastern District of Texas used the patent rules to speed up its patent trials, as well as its civil case docket in general. Typically complex, drawn-out affairs, patent litigation suddenly became streamlined in a Texas federal court located in the tiny Texas town of Marshall, drawing national attention.

Now, with its recent implementation of its own set of local patent rules, the Northern District of Texas attempts to make headway of its own on the national intellectual property scene and demonstrates its seriousness about its participation in the new federal pilot program. Whether it achieves the same notoriety as the Eastern District remains to be seen. Certainly the Eastern District boasts more than simply a speedy docket. It has gained its reputation by stacking its bench with a judiciary that has become highly savvy in the worlds of engineering and technology. But the Northern District bench does not sit light in those areas itself, and it has the advantage of being located in a major metropolitan area. Thus, if the Northern District manages to accomplish the same speedy “rocket docket” trial reputation, and combines it with expertise and its desirable geography, it will certainly give the Eastern District a run for its money in the “something to talk about” department, not least because it will be a district most attractive to the multi-million dollar corporate clientele that tends to take up the space on each side of those intellectual property case captions.

Certainly, though, the Northern District has its work cut out for it. The patent rules contain numerous mechanisms to eliminate the traffic jams typically caused by intellectual property litigation. They allow the district to conduct speedier patent trials and civil cases in general by placing strict time constraints on parties’ pretrial activities, such as discovery and claim construction, and by clarifying positions early in the case. The rules eliminate discovery disputes by scheduling mandatory early conferences with the court, with obligations that push parties to be liberal in their disclosure and production, and to produce any relevant materials. Claim term lists and proposed claim constructions must be served early. These provisions, among others, ensure the relatively smooth and continuous flow of patent cases, and prevent them from obstructing the smooth and continuous flow of other cases. Nevertheless, it will be truly interesting to watch as the Northern District implements the pilot program and attempts to remedy the congestion of a docket for one of the busiest metropolitan districts in the nation. Interesting and, if successful, a true achievement and benefit to the bar and the state.

Class Certification Denied by New York Court of Appeals in State Anti-trust Action

Article 9 of the New York Civil Practice Law and Rules (CPLR) governs class actions. CPLR 901(b) provides that a suit that seeks to collect on a liability imposed by statute that is in the nature of a penalty may not be maintained as a class action. Notwithstanding 901(b), where the enabling legislation creating the statutory remedy authorizes a class action, maintenance of such a suit is permissible. In Sperry v. Crompton Corp., 8 N.Y.2d 204, 863 N.Y.S.2d 1012 (2007), the New York Court of Appeals ruled that the legislative history of the amendment to the Donnelly Act that authorized treble damages confirmed that it was intended as an incentive for an individual plaintiff above compensatory losses and therefore could only be construed as a penalty. Inasmuch as the Court of Appeals found the authorization for treble damages to be a penalty, and the Donnelly Act did not expressly authorize a class action, class certification was denied.

The lesson to be learned from this decision is that while courts generally don’t go behind the plain language of a statute, where the intent of the legislation is at issue, legislative history may drive the outcome of the case as happened here.

State Class Action Litigation Related to Privacy Breaches

Although the Privacy Act does not apply to private businesses, entities whose data has been breached, like Ernst & Young and General Electric, must ensure that they comply with the relevant state security breach notification statutes. Thirty-four states already have security breach notification laws in effect. If a company suspects that its data has been breached, it is critical for the company to determine which state breach notification laws apply to its data breach, and it must comply with the specific terms of each of the notification laws.

In addition to breach notification laws, companies that experience a data loss must also be concerned that the affected individuals will file a civil suit seeking redress for their damages. For instance, a group of plaintiffs filed a class-action lawsuit against Providence Health Systems – Oregon for negligent loss and disclosure of protected health information and for violation of Oregon’s Unlawful Trade Practices Act.

In the Providence case, a Providence employee left the office with tape backups and disks containing more than 365,000 patient records. The employee left the information in the car, where it was stolen. When the patients indicated that they would like Providence to protect them from possible identity theft by providing credit monitoring, Providence refused and suggested that the patients take steps to protect themselves.

Because the information stolen was medical information, plaintiffs claimed that Providence violated the Oregon statute requiring protection of medical information. Plaintiffs further sought damages under the Unlawful Trade Practices Act because Providence represented that it would keep all personal information confidential when it sold medical services and products to the patients.

Using Insurance Coverage to Mitigate Risks Associated with Data Breaches

Many commercial liability policies do not provide coverage for data security breaches. However, some insurance providers are offering businesses new types of coverage specifically designed to assist with the new risks associated with technology, including costs associated with data breaches. Initially, many corporate identity or security breach insurance policies will defray the costs associated with investigating the breach to determine whether state laws require notification of the breach. Additionally, the insurance coverage will provide assistance to pay for the costs associated with breach notification requirements.

The new policies include coverage for the following claims:
• Failure of network security;
• Wrongful disclosure of private or confidential information;
• Failure to protect confidential or private information; and
• Violations of federal, state, or local privacy statutes.
Many companies face tremendous negative publicity after they experience a data loss or security breach. New corporate identity theft insurance policies will also assist with the costs associated with defraying damage to the company’s reputation following a security breach. The insurance coverage will provide crisis management and reimbursement for public relations expenses.

Most importantly, the insurance coverage will provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG’s Corporate Identity Protection offers a unique product that covers administrative expenses resulting from an administrative action related to a breach of personal information. Like a traditional commercial policy, the security breach policies contain provisions requiring the insurance company to pay for an attorney to defend the company in the unfortunate event that the company experiences a data or security breach. Finally, the insurance products also cover the costs of post-event services, like credit monitoring and identity theft education, for the individuals affected by the security breach.

May 14, 2007

What Lessons Can a Company Learn from the SCO Litigation?

It is no surprise that the open source software community has been shaken by the litigation begun by SCO. To begin with, Caldera Systems, the corporate entity now doing business as SCO, originated as an open source company whose only product was based on Linux. Therefore, the open source software community feels betrayed by a company whose interests it once shared and supported.

If SCO wins its fundamental claim that it owns the underlying source code to UNIX, the open source software community will lose control over one of its most used programs. To the open source software community, the loss comes not only in the UNIX source code but in the many man-hours invested by subsequent developers in customizations and derivations built on the original UNIX source code.

Because the open source software community depends on the free exchange of intellectual property within the source code, a system that works only if each developer that contributes to the whole has sufficient access to the intellectual property, a win for SCO could threaten the very model of open source software. The open source software model breaks when one developer contributes an infringing work, because as SCO has claimed, every user thereafter is infringing.

What does this mean for a company using or developing open source software? First, a company must know that it may be liable for copyright infringement even without knowledge that a work was subject to copyright infringement. As with any other software the company uses, the company must know where the software originated. With most software programs, the company has assurance from a license that the vendor owns the copyright in the source code and that the company, through the license, is allowed to use the software. With open source software, however, the SCO litigation means that a company must complete some due diligence regarding the chain of title of the open source software’s source code to ensure that there are no other intellectual property claims to that code.

California Appellate Deadlines in Limited Jurisdiction Cases

The deadlines for filing a notice of appeal in limited jurisdiction civil cases have been clarified by the amendments to the California Rules of Court that took effect at the beginning of 2007. In limited civil cases, decisions are appealed to the appellate division of the superior court and not to the Court of Appeal. If you want to appeal a judgment in a limited civil case, you need to be aware that the deadlines for appealing a decision in a limited civil case are significantly shorter than in unlimited civil cases. The appellate deadlines in appeals in unlimited jurisdiction cases have not changed. In civil appeals, a notice of appeal must be filed within 60 days of the date notice of entry is served by the clerk or by a party or, if no notice was served, within 180 days of the date the appealable judgment or order was entered. (CRC 8.104.) The rules regarding appeals in limited civil cases were previously not clear because the appellate rules had not been amended to reflect the unification of the municipal and superior courts. Courts usually pointed to former Rule 122(a), a 1964 rule for “Appeals from Municipal and Justice Courts in Civil Cases,” and applied that rule to appeals in limited civil cases.

The reorganization of the rules includes new rules specifically applicable to appeals in limited civil cases. Rule 8.751 provides that a notice of appeal must be filed on or before the earliest of (1) 30 days after the clerk mails a notice of entry, (2) 30 days after a party mails a notice of entry, or (3) 90 days after entry of the judgment or appealable order. Under Rule 8.752, if a motion for new trial is filed, the time to file a notice of appeal is extended until 15 days after entry of the order denying the motion or denial of the motion by operation of law, but in no event may the notice of appeal be filed later than 90 days after the date of entry of the judgment. A cross appeal must be filed within 10 days after the trial court clerk mails a notification of the first appeal or within the time period otherwise prescribed by local rules. These short deadlines cannot be extended by the court or by agreement. When appealing in a limited civil case, these deadlines must be honored or your appeal will be dismissed for lack of jurisdiction.

Supreme Court Issues Two New Patent Decisions - Part II – KSR International Co. v. Teleflex, Inc., 127 S.Ct. 1727 (2007)

The Supreme Court unanimously rejected the Federal Circuit’s strict application of the teaching-suggestion-motivation (“TSM”) test for obviousness – making it easier to invalidate patents on obviousness grounds.

Teleflex sued KSR for patent infringement. Teleflex held the exclusive license to the patent entitled “Adjustable Pedal Assembly With Electronic Throttle Control.” KSR International Co. v. Teleflex, Inc., 127 S.Ct. 1727, 1734 (2007). The case revolved around Claim 4 of Teleflex’s patent. Claim 4 describes a mechanism for combining an electronic sensor with an adjustable automobile pedal so that the position can be transmitted to a computer that controls the throttle in the automobile. Id. KSR added an electronic sensor to one of its previously designed automobile pedals, and Teleflex sued for patent infringement. KSR claimed that Teleflex’s Claim 4 was invalid under the Patent Act, 35 U.S.C. § 103, because the Claim was obvious. Section 103 provides that a patent cannot be issued when “the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art.” Id.

The District Court granted summary judgment in favor of KSR, reasoning that KSR had demonstrated that Claim 4 was obvious. Id. at 1737. The District Court also held that KSR satisfied the TSM test. Id. at 1738. The Federal Circuit reversed, reasoning that the District Court did not apply the TSM test strictly enough. Id.

The Supreme Court held that the Federal Circuit addressed the obviousness question in a “rigid” manner, reasoning that helpful insights like the TSM test need not become “rigid and mandatory formulas,” and that the TSM test as applied did not follow Supreme Court precedent. The court threw out the TSM test, explaining that the Federal Circuit made four errors. First, the Circuit erred by holding that courts should only look to the problem the patentee is trying to solve. According to the Supreme Court, “any need or problem” can provide the patentee with a reason for combining elements. Id. at 1741-42. Second, the Federal Circuit erred by holding that a person of ordinary skill would only look to solve a problem with prior art elements designed to solve the same problem. The Supreme Court explained that a person of ordinary skill will be able to fit the teachings of multiple patents together. Id. Third, the Federal Circuit erred by reasoning that a patent cannot be obvious where it is shown that the combination was obvious to try. Instead, a person of ordinary skill attempting to solve a problem will use common sense and ordinary skill to identify and pursue known options in the field, and if success results it is not innovation. Id. Fourth, the Federal Circuit erred by drawing a wrong conclusion about the risk of hindsight bias. The Supreme Court held that rigid rules denying recourse to common sense are inconsistent with the Court’s caselaw. Id.

It is likely that the change in the obviousness standard will increase the amount of patent litigation. This litigation will involve attempts to invalidate patents on obviousness grounds, and many patents will likely be invalidated. Furthermore, it is likely that inventors will not easily resist an infringement claim and will litigate rather than settle the case. In fact, the Federal Circuit’s first decision interpreting KSR was issued May 9, 2007, Leapfrog Enterprises, Inc. v. Fisher-Price, Inc. and Mattel, Inc., No. 06-1402 (Fed. Cir. May 9, 2007). The Federal Circuit affirmed a lower court ruling invalidating Leapfrog’s patent on the grounds of obviousness. There is no doubt that KSR will have a substantial impact on the patent litigation landscape.

May 17, 2007

Paper Records and Information Security

JP Morgan Chase recently received an unwanted reminder that information security demands attention to more than just the data residing on network hard drives and digital media. “Protestors” from the Service Employees International Union (“SEIU”) filmed themselves sifting through trash in dumpsters outside several New York City Chase Bank branch locations and apparently finding numerous, un-shredded customer financial statements in trash bags awaiting pickup. (The SEIU has been in a dispute with Chase regarding the bank’s use of non-union security employees.) The video quickly achieved notoriety after being posted on YouTube.com here.

While the video might have been more clearly damning if it had included footage of Chase employees actually dumping the bags, regardless of its weight, it serves as a valuable reminder to all businesses maintaining sensitive customer records that information security does not begin and end with electronic data. Clearly, no IS policy is complete unless it includes provisions for the proper collection, handling, storage and disposal of paper records containing private information. Chase has stated that it has reached out to the SEIU for information regarding the records appearing in the video and that it is investigating whether, and to what extent, its employees may have violated its internal IS policies.

The consequences for failing to adequately protect against loss or theft of personal customer data are becoming increasingly severe. Expenses associated with information security breaches can and often do include the costs to notify and assist affected persons, loss of customers, litigation and consulting costs, regulatory fines, and diminution of stockholder share value. In Chase’s case, if the video footage does in fact end up being evidence of a failure on the company’s part to effectively enforce the paper record disposal policies it says it has, then it is not difficult to imagine that the number of affected customers – and Chase’s potential loss exposure – could be quite high indeed.

For more information regarding the consequences of data breaches, you can obtain a copy of a recent national survey on that subject commissioned by Scott & Scott, LLP and independently conducted by the Ponemon Institute by clicking here.

May 21, 2007

Avoiding Jurisdiction Based on Internet Contacts

Businesses haled into a Texas court should be able to argue, based on the Texas Supreme Court’s decision in Moki Mac River Expeditions v. Drugg, 2007 WL 623805 (Tex. 2007), that even if they did have contacts with Texas, such as e-mail communications or a website, the connection between those contacts and the subject matter of the plaintiff’s claim is too attenuated to support an exercise of personal jurisdiction. While many courts have seemed eager to exercise long arm jurisdiction on the basis of websites and other internet contacts, the Texas Supreme Court has bucked this trend by placing some strong new limitations on when it will be appropriate to exercise jurisdiction over an out-of-state business based on such contacts. The Druggs’ son was killed during a river rafting expedition in Arizona organized by Moki Mac, a Utah based river-rafting outfitter. The Druggs reviewed Moki Mac’s brochures and website and decided to send their son Andy on the expedition. After he was fatally injured, the Druggs filed suit in Texas for wrongful death due to Moki Mac’s negligence and for intentional and negligent misrepresentation. The lower courts denied Moki Mac’s jurisdictional challenge.

The Texas Supreme Court reversed, holding that a Texas court did not have jurisdiction over the nonresident company because its contacts with Texas were not substantially connected with the operative facts of the litigation. Moki Mac had not established continuous and systematic contacts with Texas. Accordingly, for Texas courts to exercise personal jurisdiction over Moki Mac, (1) Moki Mac must have made minimum contacts with Texas by purposefully availing itself of the privilege of conducting activities in the state, and (2) Moki Mac’s liability must have arisen from or been related to those contacts. The court noted that Moki Mac did purposefully avail itself of the privilege of conducting business in the Texas market by directly marketing to Texas residents, regularly advertising in Texas, soliciting Texas residents using direct-marketing e-mail campaigns, and establishing channels of regular communication with its Texas customers.

Nevertheless, the court concluded that because Moki Mac’s liability did not arise from its contacts with Texas and was not related to those contacts, there was no personal jurisdiction. The court explained that there must be a substantial connection between those contacts and the operative facts of the litigation. That connection did not exist in this case because the operative facts of the case focused on the guides’ conduct of the expedition and whether they exercised reasonable care in supervising Andy. Those events, which would be the focus of any trial, all took place in Arizona. While the contents of Moki Mac’s brochures and website might have had some connection with the operative facts that led to Andy’s death, the court found that this connection was not sufficiently direct to meet due process concerns. Under Moki Mac, businesses may be able to argue that websites, e-mail marketing, and other advertising in a state are insufficiently related to personal injury claims occurring outside the state to support an exercise of jurisdiction.

Avoiding Waiver of Attorney-Client Privilege By Not Placing Advice “At Issue”

Litigants regularly seek advice from counsel before settling or declining to settle a claim or a case. If that litigant subsequently seeks to recover the amount paid from a third party, such as an insurance company in a breach of contract action or under an indemnification agreement, is the attorney-client privilege waived? Proponents of waiver argue that access to the adversary’s work product and communications is critical to resolving the question of the reasonableness or intent of the opponent. Opponents argue that the privilege must be protected. In two decisions, one from New York and the other from Florida, the trial courts held that the privilege was waived by the act of seeking to recover on such claims, but the appellate courts reversed.

In the New York case, Deutsche Bank Trust Co. of America v. Tri-Links Investment Trust, et al., 2007 WL 1412886 (App. Div. 1st Dep’t 2007), the Appellate Division of the Supreme Court of the State of New York, First Department rejected the lower court’s conclusion that Deutsche Bank’s pursuit of the litigation had worked such a waiver. An “at issue” waiver of attorney-client privilege occurs when a party affirmatively places the subject matter of its own privileged communication at issue in the litigation, such that invasion of the privilege is required in fairness to the adversary so as to provide the opponent information vital to its defense. The Appellate Division distinguished between the mere existence of a privileged communication that contains information relevant to the issues in the case, which does not effect a waiver, and the invocation of a claim or defense that relies upon such privileged materials. In the latter case, selective disclosure is not permitted and will effect a waiver. Had Deutsche Bank, in pleading its claim, anticipated the defense that the third-party settlement was unreasonable by pleading that it relied upon the advice of counsel, the outcome would have been entirely different.

In the Florida case, XL Specialty Ins. Co. v. Aircraft Holdings, LLC, 929 So.2d 578 (1st Dist. 2006), the Florida District Court of Appeal, First District granted a writ quashing an order compelling XL Specialty to produce privileged documents related to the underlying claim. The lower court had ruled that because the case turned on whether the carrier’s refusal to pay the claim was in bad faith, the carrier’s communications with its counsel and counsel’s work product were relevant to the issue of objective reasonableness. In granting the writ, the Court of Appeal held that because the statutory cause of action for bad faith did not indicate a legislative intent to waive the attorney-client privilege, no waiver would be found by the filing of such a claim.

The teaching of these decisions is that to avoid a waiver of the privilege, a litigant must be careful not to plead or refer to the advice of counsel to advance its claim or defense.

May 22, 2007

Decisions Granting Patent Infringement Injunctive Relief Subject to Remand

The Supreme Court’s 2006 decision in eBay, Inc. v. MercExchange, LLC, 126 S. Ct. 1837 (2006), continues to reverberate, with the Federal Circuit applying it just last month to vacate and remand a permanent injunction granted under the previous “general rule” of patent cases. Under that rule, courts would issue injunctions against patent infringement absent circumstances justifying the denial of injunctive relief. In eBay, the Supreme Court held that it is inappropriate to automatically issue an injunction following a finding of patent infringement. Instead, the Supreme Court held that injunctive relief in patent cases is available only if the elements of the traditional four-factor test for injunctive relief are established. In Acumed, LLC v. Stryker Corp., 483 F.3d 800 (Fed. Cir. 2007), after affirming findings of infringement and willfulness, the Federal Circuit vacated the district court’s grant of a permanent injunction. The district court’s decision to issue a permanent injunction had been made before the Supreme Court articulated its new standard for injunctive relief in patent cases. The Federal Circuit rejected Acumed’s argument that the facts underlying the district court’s findings of infringement and willfulness could serve as independent support for the injunction, concluding that making such a determination on appeal would require the appellate court to “weigh the evidence ourselves to reach a conclusion on injunctive relief.”

Acumed is only the latest case to demonstrate the wide-reaching effect that the eBay decision continues to have on patent infringement jurisprudence. Those who have injunctions in place should be wary of challenges under eBay, as Acumed signals the unwillingness of the Federal Circuit to affirm the granting of injunctions by applying the Supreme Court’s rule during an appeal. Moreover, it makes every injunction issued under the previously-existing “general rule” of patent cases vulnerable to reconsideration, and clarifies that evidence separate and independent from that supporting the infringement will be necessary to support the injunction. The resonating message sent by Acumed is that the appellate courts will not only apply eBay to require that there be evidence on the four factors before an injunction issued pre-eBay will be affirmed, but more importantly that the appellate court will not conduct an eBay analysis on appeal. The Federal Circuit’s conclusion in Acumed that evaluating the eBay factors in light of the evidence would be tantamount to weighing the evidence dictates that it cannot affirm any injunction issued prior to eBay, as no district court could have known to conduct the four-factor analysis prior to that time, and the Federal Circuit’s decision precludes it from doing so on appeal. Acumed signals that if injunctions granted in patent infringement cases under the former general rule are challenged on appeal, remand will be necessary for reconsideration of the issues by district courts.

May 30, 2007

Northern District’s Local Patent Rules Serve as Cautionary Warning to Future Patent Litigants in the Forum of Need for Additional Careful Case Preparation

Patent holders contemplating patent litigation in the Northern District should carefully prepare their complaint, taking every available opportunity to carefully and thoroughly analyze infringement contentions prior to filing. They should additionally take every opportunity to reevaluate and update those contentions throughout the course of the litigation. The reason is the Northern District’s newly-adopted local patent rules. Just another symbol of the District’s commitment to the federal pilot program, the rules have particular significance to patent infringement plaintiffs, since Federal Circuit decisions are decidedly unambiguous in allowing district courts considerable discretion when enforcing the procedural requirements of their respective local rules. Such requirements can be outcome determinative, and the Federal Circuit has similarly demonstrated no hesitation in affirming the summary dismissal of infringement claims where infringement contentions were not first properly served or updated pursuant to a district’s local rules, or where a party otherwise failed to comply with local patent rule requirements. See O2 Micro International Limited v. Monolithic Power Systems, Inc., 467 F.3d 1355 (Fed. Cir. 2006); Safeclick, LLC v. Visa International Service Assn., 2006 WL 3017347 (Fed. Cir. 2006) (unpublished decision). In both Safeclick and O2 Micro, the Federal Circuit upheld the discretionary power of a district court to eliminate certain infringement contentions or arguments that were not raised in the final infringement contentions advanced by each plaintiff. In each case, the plaintiffs argued that the contentions were based on new material revealed in discovery after submission of the final infringement contentions, or were advanced as a refinement of the “scope and clarity” of earlier contentions.
The district courts in each case rejected these arguments, finding that the plaintiffs were not diligent in disclosing the theories, and the Federal Circuit affirmed, demonstrating that local patent rules have real teeth, and the district courts that use and apply them have real power.

The Federal Circuit’s jurisprudence evaluating local patent rules therefore provides district court judges with considerable discretionary power to facilitate patent litigation and move along their dockets by enforcing local rule requirements, even where the exercise of that discretion can be outcome determinative. There has been no hesitation to use that discretion among Texas district courts enforcing local patent rules. MGM Well Servcs., Inc. v. Mega Lift Sys., LLC, 2007 WL 433283 (S.D. Tex. 2007) (granting plaintiff’s motion to exclude invalidity contentions, expert testimony, evidence, and argument regarding prior art patents on grounds that defendant failed to accurately, timely, or properly disclose same in accordance with the patent rules and with the Court’s discovery and docket control orders); SoftVault Sys., Inc. v. Microsoft Corp., 2007 WL 1342554 (E.D. Tex. 2007) (denying plaintiff’s motion for leave to amend its claims and contentions disclosures to change the asserted priority date of the claims at issue, acknowledging that the importance of the priority dates to the overall case weighed in favor of granting the motion, but denying on grounds that plaintiff had access to the information earlier in the litigation and thus could have amended in accordance with the rules and order deadlines, avoiding prejudice to the opposing party and the need for a continuance). Thus, patent holders contemplating litigation in the Northern District should take particular care to heed all the procedural requirements of that District’s recently-enacted local patent rules, as the failure to comply could determine the outcome of the litigation. Further, given the “abuse of discretion” standard of review on appeal, any discretionary rulings, including dismissals, based upon a failure to comply with local rule requirements in a patent case will likely prove difficult to overturn on appeal.
The lesson to take away here is therefore that any patent infringement plaintiff or defendant must take seriously all discovery and procedural obligations imposed by local rule requirements, and in particular the obligations to disclose infringement and invalidity contentions, seeking experienced and knowledgeable counsel to draft and prepare them, and to review and re-examine them at every possible opportunity. All infringement and invalidity theories should be regularly re-examined and updated in accordance with local rule requirements, or should be amended through a prompt request for leave to amend in the event new information is learned during the course of discovery. Otherwise, given the broad discretion accorded district courts to enforce their local rule requirements, parties must be prepared to lose valid infringement and invalidity theories in the face of untimely disclosure under local rules, even where it means losing the litigation as a whole.

Federal Circuit Considers Attorney-Client Privilege Waiver in Patent Infringement Cases

Businesses concerned about pending or potential patent infringement suits should pay careful attention to a case now pending in the Federal Circuit that may affect what strategies should be employed in dealing with infringement issues. The Federal Circuit has taken the unusual step of ordering an en banc hearing in In re Seagate Technology, LLC, 214 Fed. Appx. 997 (Fed. Cir. 2007), to address the scope of the attorney-client privilege waiver that may arise when a party sued for willful patent infringement raises advice of counsel as a defense. The court’s answers to these questions could radically alter how parties defend themselves in patent infringement cases.

Plaintiffs asserting an infringement claim often allege that the infringement was willful. If willfulness is proven by clear and convincing evidence, treble damages may be awarded. As a defense to a claim of willful infringement, defendants often contend that they relied on legal advice before they engaged in any activity that might infringe on another’s patent rights. Seagate raised that defense in an infringement lawsuit in which the plaintiffs sought $800 million in damages. Courts have routinely held that raising that defense waives the attorney-client privilege with respect to the subject matter of the opinion on which the defendant relies. The district court in Seagate also held that this waiver extended beyond communications with the counsel who gave the opinion to encompass communications with separate trial counsel and in-house counsel, and also constituted a waiver of the work product privilege.

Seagate asked the Federal Circuit to address whether a party’s assertion of the advice-of-counsel defense constituted a waiver of the attorney-client privilege with respect to that party’s trial counsel or waived the work product privilege. In a footnote in In re EchoStar, 448 F.3d 1294 (Fed. Cir. 2006), the Federal Circuit stated that the privilege waiver does extend to advice given after litigation begins, and, like the district court in Seagate, a number of courts have relied on this dicta to support extending the waiver to communications involving trial counsel.

In an unusual move, the court itself raised a separate question of whether it should re-examine the 24-year-old decision in Underwater Devices, Inc. v. Morrison-Knudsen Co., 717 F.2d 1380 (Fed. Cir. 1983), imposing a fundamental duty of due care to avoid infringement when a company or party has notice of another’s patent rights. Courts have generally interpreted that duty as requiring a party to obtain a legal opinion on the validity of those patent rights before engaging in or continuing any potentially infringing activity. The court appears to be concerned about the impact of imposing such a duty should it agree with the district court that relying on such an opinion as a defense to a willfulness claim waives any privilege for work product and attorney-client communications after the infringement opinion was given. The case has generated a great deal of interest, and more than a dozen amicus briefs have been filed. Oral argument is set for June 7, 2007. The decision in Seagate will be of interest to any business that may face a potential patent infringement suit.

Seventh Circuit Issues Opinion on Trade Secrets and Injunctions

A recent Seventh Circuit decision sends the clear message that companies should take precautions to secure their trade secrets by limiting the availability of the information to those who need to know it and by protecting information that is not readily available to the public. Judge Posner delivered the opinion in American Family Mutual Insurance Co. v. Bonnie L. Roth, 2007 WL 1309403 (7th Cir. 2007). The defendants had been insurance agents for the plaintiff. The plaintiff was awarded a preliminary injunction against the defendants enjoining them from using trade secrets, including customer information that they took upon their termination from the company. The issues were governed by Wisconsin law, which has adopted the Uniform Trade Secrets Act. The court found that the customer information was in fact a trade secret because the information derives independent economic value from not being readily available, and is information that has been kept secret by reasonable means. Specifically, the customer information had been filtered based on the customers’ likelihood of buying insurance, and the information was only made available to agents who were assigned those specific customers or potential customers. The court held that the plaintiff was entitled to an injunction because the information was clearly a trade secret under the Uniform Trade Secrets Act and Wisconsin law, but the court remanded to the district court so that the district court could rework the injunction to be more inclusive. In the wake of Roth, it appears that the greater the precautions a company takes, the greater the likelihood that an injunction will be granted to continue protecting the company’s trade secrets.

Defeating Suits Against NASD Dealer Firms by Former Employees Regarding Content of U-5 Termination Notice

The NASD requires its member firms to complete and file a U-5 termination notice whenever employment ceases and, in the case of an involuntary separation from employment, to disclose the reasons for the discharge of that employee. See NASD By-laws, Art. IV, § 3(a). Some of the reasons listed by member companies on U-5 forms have included the employee’s refusal to cooperate with the compliance department, suspicion of fraud, or suspicion of other misconduct. This report stays with the former employee throughout his or her career and could substantially impair the ability to gain employment at another NASD member firm. It is not uncommon under these circumstances for the former employee to sue the member company, claiming libel or other damage to reputation or economic advantage. If these cases must be litigated on the merits of truth or falsity, it is likely that fact issues will require an evidentiary hearing or a trial at great cost to the member company.

In a common law claim for damage to reputation, most jurisdictions recognize privileges belonging to the defendant, which, in varying degrees, may defeat the claim as a matter of law. An absolute privilege bars suit over a communication, even if defamatory, because of competing public policy considerations that recognize the chilling effect of such suits. A qualified privilege is less favorable to the employer and depends on the reasonableness of the employer’s conduct and commonly presents an issue requiring a trial for resolution.

In an unpublished opinion, Galligan v. Edward Jones & Co., 2000 WL 785041 (Ct. Super. 2000), the court expressed what had been the common view that statements made by the member company on the U-5 termination notice are protected only by a qualified privilege defense, and therefore refused to summarily dispose of the issue.

At least in cases subject to New York law, member companies will be protected from suit over pertinent information communicated on the U-5 termination notice by virtue of a recently decided New York Court of Appeals case that expanded the absolute privilege to cover the completion of the U-5. The Court’s well-reasoned decision provides a blueprint for the public policy arguments that should be pursued in other jurisdictions that have decided this issue less favorably to the employer.

In Rosenberg v. MetLife, 8 N.Y.3d 359 (2007), the New York Court of Appeals declared that statements made by the member firm on the U-5 termination notice are absolutely privileged because it is a preliminary step in the quasi-judicial process the NASD uses to investigate and sanction violations of securities laws. The Court of Appeals rejected the former employee’s claim that the completion of the U-5 was too attenuated from any judicial proceeding to fall under the rubric of the litigation privilege. The Court of Appeals found strong public policy considerations required recognition of an absolute privilege as to pertinent communications on the U-5 termination notice because it is a preliminary step in the NASD’s investigation of brokers in furtherance of regulating the industry. Inasmuch as the absolute privilege defeated the defamation claim, the Court of Appeals agreed that the lawsuit against MetLife was properly dismissed.

Member dealers that have a nexus with New York should also evaluate whether their employment documents are written in such a way as to invoke these immunities to defeat such claims at an early stage of the case.

Texas Businesses Should Follow Six Factors to Establish that the Business’s Information is a Trade Secret

Companies doing business in Texas should familiarize themselves with how Texas law defines trade secrets. In Texas, courts apply a six-factor test to determine whether a trade secret exists. The factors, however, are not dispositive, because it is impossible to set out precise criteria for a trade secret. Astoria Industries of Iowa, Inc. v. SNF, Inc., 2007 WL 937533, *10 (Tex.App.-Fort Worth, n.p.h.).

The six factors that will be considered by Texas courts to determine whether a trade secret exists are:

• The extent to which the information is known outside of the business;
• The extent to which the information was known to employees and others involved in the business;
• The extent of the measures taken by the business to protect the secrecy of the information;
• The value of the information to the business and its competitors;
• The amount of effort or money expended by the business in developing the information;
• The ease or difficulty with which the information could be properly acquired or duplicated by others.

In re Bass, 113 S.W.3d 735, 739 (Tex. 2003). These six factors are to be weighed in determining whether the information is a trade secret, but all six factors do not have to be present for the information to be considered a trade secret in Texas. Id. at 740.

Of course, the more of these factors the information satisfies, the more likely the information will be considered a trade secret. For instance, Texas businesses should be sure that the information is not widely known outside of the business; that the information is known only by employees who have a direct need to know it; that the business takes substantial measures to protect the secrecy of the information; that the information is valuable; that the business has expended significant resources in developing the information; and that the business makes it difficult for others to acquire or duplicate the information. Taking these six steps to protect the trade secrets of your business will also help the Texas courts recognize that the protected information is in fact a trade secret worthy of protection from misappropriation.

Reading the Tea Leaves: Predicting the Ultimate Course of Federal Privacy Legislation

Currently, businesses responding to a breach of their customers’ personal information must consult a patchwork of state laws to determine what steps they are required to take to mitigate the damage, including whether and to what extent they must notify those customers that their information may have been compromised. There is not yet a federal privacy statute applicable to such situations. (More information regarding the present state of the law on this issue can be found here.)

However, since all of the alternative legislation now pending in Congress would preempt state laws to one degree or another, it makes sense for companies to begin to familiarize themselves with the direction that Congress might be heading in this regard in order to ensure early and full compliance with whatever rules Washington ends up enacting. The various privacy bills still pending in the House and Senate described in the article referenced above are a good place to start. In addition, though, on April 30, 2007, Congress received a report on a study conducted by the U.S. Government Accountability Office (“GAO”) in order to assess the government’s own response to data breaches. While the stated aim of the study was to help federal agencies improve their ability to respond to such incidents, the basic framework of the GAO’s policy recommendations incorporates many concepts found in pending federal and enacted state legislation, and it is therefore easy enough to translate to a business context. To the extent that the report will return congressional attention to the issue of data security, it should be a useful resource for businesses wanting to begin early implementation of internal procedures that likely will not be too far from the mark, once a final federal rule is enacted and becomes effective.

Many of the GAO’s policy recommendations will sound familiar to those who have some experience with existing data security regulations and best practices. Among other measures, the report recommends: a “two-tiered” approach to incident reporting, where all incidents are reported to a designated, responsible government office, with only those entailing a risk of identity theft being reported to the affected individuals; the designation of a “core management group” to be responsible for quickly responding to incidents; the implementation of mechanisms to allow for the efficient retrieval of addresses of potentially affected individuals for notification purposes; and taking steps to ensure awareness and training on data security issues, both among internal staff and among contractors.

The full report may be obtained here.

Recent Federal Government Data Breaches

Private businesses are not the only victims of theft relating to confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took home a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee’s home. The information stolen included names, Social Security numbers, disability ratings, spouses’ names, and dates of birth. In June 2006, veterans filed class-action lawsuits seeking $1,000.00 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records. The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk. The FTC attorneys were working on a case and were authorized to have the laptops. The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth of persons the FTC had investigated. The laptops did not contain any information about FTC employees or government officials. Ironically, the laptops contained sensitive personal information for defendants who had been investigated for stealing other people’s identities. The FTC offered free credit monitoring to 110 people as a result of the theft.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 1 of 3)

“The world is digital and so is our personal data. In this day and age, almost everything we do results in a third party creating a digital record about us – digital records that we may not even realize exist.” – Senator Russ Feingold.

Congress wants to protect your sensitive personally identifiable information, and this time they mean it. No, seriously, they really do, and they’re willing to throw you in jail to prove their point. Personally identifiable information is a valuable commodity that is bought, sold and, of course, stolen. In 2006, over 9,300,000 Americans were victims of identity theft. According to the Better Business Bureau, each victim lost approximately $6,300 and spent over 40 hours on the phone with creditors and credit bureaus to clear his or her name. Businesses collectively lose $50 billion a year to identity thieves.

In 2005, Senator Patrick Leahy (D-VT) and Senator Arlen Specter (R-PA) introduced a bill that attempted to protect individuals’ private information. However, influential critics of this bill viewed it as “unfriendly” to business, and the bill was never brought up for a vote. In 2007, the political winds shifted and the legislative gavel changed hands. Senators Leahy and Specter reintroduced their bill, joining forces with Senator Dianne Feinstein (D-CA) and Senator Russ Feingold (D-WI). Now, it looks like the 110th Congress will pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). Congress recently received the blessing of Microsoft and other private industry leaders; therefore it is highly anticipated that the Federal Government will pass the Privacy and Security Act within the next couple of months.

The Privacy and Security Act associates identity theft with organized crime and imposes new criminal penalties for intentionally concealing a data security breach. The Act is also unique because it regulates data brokers, all businesses that collect personal information, and… the Federal Government itself.

This report is divided into three parts. Part I will briefly discuss the new criminal penalties imposed for intentionally violating the new legal reporting requirements for data brokers. Part II focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program. Finally, Part III briefly discusses that certain government agencies are required to designate a Chief Privacy Officer and ensure that data brokers which are under government contract have a sufficient data and security program in place.

Title I – Enhancing Punishment for Identity Theft.

The Privacy and Security Act significantly enhances the punishment for identity theft by associating such activity with organized crime. Specifically, the Privacy and Security Act adds subsection 18 U.S.C. § 1030(a)(2)(D), relating to fraud and related activity in connection with unauthorized access to sensitive personally identifiable information. Furthermore, the Act makes it a criminal offense to conceal a security breach, even if such concealment harms only one individual. That’s right. The Privacy and Security Act could land a Chief Privacy Officer in a federal penitentiary for up to 5 years if he or she “knowingly” fails to provide notice of a breach to individuals when required under Title III of the Act and “intentionally and willfully” conceals the breach. To make matters more exciting, the Act puts the United States Secret Service in charge of investigating all alleged offenses. The Act does require that the offender knowingly, intentionally and willfully violate the Act. However, the Privacy and Security Act makes it clear that senior management, corporate officers and their employees are responsible for knowing and complying with the law, and may be held criminally liable if they do not. Remember, ignorance of the law is not an excuse.

Title II - Data Brokers.

The Act is unique because Congress publicly acknowledges that data about individuals is bought and sold, and that such data is not merely limited to the information found in a credit report. The Act applies to data brokers engaging in interstate commerce. Congress defines a “data broker” as “a business entity which for monetary fees or dues regularly engages in the practice of collecting, transmitting, or providing access to sensitive personally identifiable information on more than 5,000 individuals who are not customers or employees of that business entity or affiliate primarily for the purpose of providing such information to nonaffiliated third parties on an interstate basis.”

Legal Duties. The Privacy and Security Act requires data brokers to disclose to individuals, for a reasonable fee of course, all personal electronic records pertaining to that individual that the data broker collects and sells to third parties. The disclosures must also include instructions on the procedures to correct any inaccurate information. If the individual disputes the accuracy or completeness of the information, the data broker shall determine within 30 days whether the information accurately reflects information found in the public record. If the disputed information did not come from the public record, then the data broker shall investigate and determine whether the personally identifiable information is accurate and complete, free of charge this time. If the data broker determines that the disputed information is in fact inaccurate, then the data broker must correct the information accordingly. If an individual requests, the data broker must also provide the name of the entity that supplied the disputed information and how to contact that entity. However, if the data broker reasonably determines that the individual’s dispute is “frivolous” or “intended to perpetuate fraud,” the data broker may decline to investigate and terminate its review, as long as it notifies the individual in writing.

Enforcement. The Federal Trade Commission (“FTC”) is charged with enforcing the Privacy and Security Act. If a data broker violates Title II, it may be enjoined and fined civil penalties of up to $1,000 per violation per day, up to a maximum of $250,000. States are also permitted to bring a civil action in Federal court on behalf of their residents. However, the State attorney general must first provide written notice to the FTC, if feasible; otherwise, the State must provide the FTC with a copy of the complaint as soon as practicable. If the FTC has already proceeded against the data broker under the Act, the State attorney general may not bring its own claims against the violator. Hence, Federal authority trumps all State actions. Finally, individuals are not allowed to bring private causes of action against a data broker for violating the Act.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 2 of 3)

“In the information age, any company that wants to be trusted by the public must earn that trust by vigilantly protecting the databases they use and maintain.” – Senator Patrick Leahy.

As noted in Part I of this report, the 110th Congress is expected to pass the Leahy-Specter Personal Data Privacy and Security Act of 2007 (the “Privacy and Security Act” or “the Act”). The Privacy and Security Act is unique because it specifically applies to data brokers, to businesses that collect personal information, and to government agencies.

Part II of this report focuses on the Act’s “Safeguards Rule” and the legal duty imposed upon all businesses that handle sensitive personally identifiable information to create a Data Privacy and Security Program.

Title III – Privacy and Security of Personally Identifiable Information.
Senators Leahy and Specter wanted to ensure that all businesses that handle sensitive personally identifiable information develop and implement administrative, technical, and physical safeguards to protect such information. Title III mirrors the Safeguards Rule requirements found in the Gramm-Leach-Bliley Act (the “GLBA”). Accordingly, the Privacy and Security Act excludes financial institutions that are already governed by the GLBA. Similarly, the Act excludes all entities governed by the Health Insurance Portability and Accountability Act of 1996.

Data Privacy and Security Program. Title III applies to all businesses that collect, access, transmit, use, store or dispose of personally identifiable information of 10,000 or more American citizens. The Act requires such businesses to create and implement a comprehensive personal data privacy and security program that includes administrative, technical, and physical safeguards “appropriate” to the size and complexity of the business and the “nature and scope” of its activities. The data privacy and security program must be designed to ensure the privacy, security, and confidentiality of sensitive personally identifiable information; to protect against any anticipated vulnerabilities to the privacy, security or integrity of such information; and to protect against unauthorized access to such information that could result in substantial harm or inconvenience to the individual.

The Act requires a business to conduct a thorough risk assessment and identify internal and external vulnerabilities that could result in the unauthorized access, disclosure, use or alteration of sensitive personally identifiable information or of systems containing such information. A business must determine the likelihood of a network breach and the potential damage if such a breach occurred. The risk assessment must also review the policies, technologies and safeguards a business employs to minimize unauthorized access, and assess how it disposes of sensitive personally identifiable information.

Based upon its risk assessment, a business shall design, adopt and implement a personal data privacy and security program. Once again, the measures adopted shall be appropriate to the sensitivity of the data as well as the business’ size, complexity, and scope of activities. The Privacy and Security Act requires that businesses control access to personally identifiable information, detect unauthorized attempts to gain access to such information, protect the information by encryption or other reasonable means, and dispose of personally identifiable information securely. The Act also requires a business to train its employees regarding its data security program and to ensure that they follow its policies and procedures. Finally, the Act requires a company to test its data security program frequently for vulnerabilities and to update its systems accordingly.

Just like the GLBA, the Privacy and Security Act holds companies responsible for their third-party service providers. For example, a business must exercise due diligence and take reasonable steps to select only those service providers that are capable of maintaining appropriate safeguards for the security, privacy and integrity of sensitive personally identifiable information. There must be a contractual agreement by and between the business and the service provider that expressly states the service provider will implement and maintain appropriate measures to protect private information in accordance with the Act. Again, a business must periodically assess the security measures employed by its service providers.

Enforcement. The Federal Trade Commission is charged with enforcing Title III. If a business violates Title III, it may be enjoined and fined civil penalties of up to $5,000 per violation per day, up to a maximum of $500,000. If the violations are found to be intentional or willful, then a business may be fined an additional $5,000 per violation per day, up to a further maximum of $500,000. Just like Title II, States are permitted to bring a civil action in Federal court. However, the State attorney general must first provide written notice to the FTC. If the FTC has already proceeded against the violator, the State attorney general is barred from bringing a separate claim. Hence, Federal authority may be exclusive and trumps all State actions. Individuals are once again barred from bringing a private cause of action.

Do you have a comprehensive data protection program in place? The attorneys at Scott & Scott LLP are the knowledge leaders in privacy, security and IT compliance. Contact us today before the government calls you.

The Leahy-Specter Personal Data Privacy and Security Act of 2007 (Part 3 of 3)

The Act “guarantee[s] that the Federal Government is not wasting money on inaccurate data and that vendors are undertaking the security programs that they have promised and for which the government is paying.” – Senator Russ Feingold

“I’ve got some ocean front property in Arizona. From my front porch you can see the sea. And if you’ll buy that I’ll throw in the Golden Gate for free.” – George Strait

Although Senator Feingold’s optimism is well placed, it may be overstated. However, if the Act is passed as presented, the Federal Government will take a substantial step forward in protecting personally identifiable information. Title IV of the Act requires the Federal Government to evaluate the privacy and security program of all data brokers who bid for government contracts in excess of $500,000. Yes, Virginia, even our own Federal Government hires data brokers in order to find out more about you, the taxpayer.

Title IV’s requirements are very specific. The General Services Administration is in charge of reviewing: (1) the data privacy and security program of a data broker to ensure the privacy and security of data containing the personally identifiable information, including whether such program adequately addresses privacy and security threats created by malicious software or code, or the use of peer-to-peer file sharing software; (2) the compliance of a data broker with such program; (3) the extent to which the databases and systems containing personally identifiable information of a data broker have been compromised by security breaches; and (4) the response by a data broker to such breaches, including the efforts by such data broker to mitigate the impact of such security breaches.

Just like the GLBA, Title IV provides a compliance safe harbor. Section 401(b) states, “The data privacy and security program of a data broker shall be deemed sufficient… if the data broker complies with or provides protection equal to industry standards, as identified by the Federal Trade Commission, that are applicable to the type of personally identifiable information involved in the ordinary course of business of such data broker.” This compliance safe harbor is vague at best and punts the proverbial football over to the FTC to define what exactly “protection equal to industry standards” means.

If a data broker wants to bid on a government contract, the Act also requires the contracting Federal agency to complete a privacy impact assessment under section 208 of the E-Government Act of 2002. The privacy impact assessment must address the agency’s use of commercial information services that contain personally identifiable information. It must be completed before the Federal agency enters into a data broker contract and must include a laundry list of specific information regarding the data broker, the broker’s data privacy and security program, and the government contract itself. The privacy impact assessment must include a description of: (1) the database; (2) the name of the data broker; and (3) the contract amount. Additionally, regulations must be adopted that specify: (1) the personnel permitted to access, analyze or use such databases; (2) standards governing the access, analysis, or use of such databases; (3) any standards used to ensure that the personally identifiable information accessed, analyzed, or used is the minimum necessary to accomplish the intended legitimate purpose of the Federal agency; (4) standards limiting the retention and redisclosure of personally identifiable information obtained from such databases; (5) procedures ensuring that such data meets standards of accuracy, relevance, completeness and timeliness; (6) the auditing and security measures to protect against unauthorized access, analysis, use or modification of data in such databases; (7) applicable mechanisms by which individuals may secure timely redress for any adverse consequences wrongly incurred due to the access, analysis, or use of such databases; (8) mechanisms, if any, for the enforcement and independent oversight of existing or planned procedures, policies, or guidelines; and (9) an outline of enforcement mechanisms for accountability to protect individuals and the public against unlawful or illegitimate access or use of databases.
If the contract exceeds $500,000, then the government contract must also include penalties for failing to comply with Title III of the Act and for failing to comply with the data broker’s own data privacy and security program.

Interestingly, Title IV also requires the Department of Justice to create a department-wide Chief Privacy Officer who reports directly to the Deputy Attorney General. The Chief Privacy Officer shall oversee the D.O.J.’s implementation of Title IV’s privacy impact assessment requirements and coordinate with the Privacy and Civil Liberties Oversight Board.

Congress may not pass the Personal Data Privacy and Security Act into law this legislative session. However, lawmakers and industry leaders agree that this bill is long overdue and that it will eventually pass. The only remaining questions are in what form, and when, it will pass.

May 31, 2007

The New Standard of Care: Data Encryption on Portable Devices

Approximately 60 percent of PDAs and 59 percent of laptops contain unprotected sensitive or confidential information. Almost half of the businesses surveyed by the Ponemon Institute indicated that they would never be able to determine what information they had actually lost. There are a number of precautions businesses and their employees should take to ensure that they have met the minimum standard of care for protecting sensitive data stored on laptops or other mobile devices. These security measures include:
• Protect information stored on the laptop with a strong password. It should be long and consist of a combination of numbers and upper- and lower-case letters. Note that a login password by itself does not protect the data at rest: if the drive is removed from a stolen laptop and read on another machine, the password is never asked for. The password only protects the data when it is also the key that unlocks full-disk encryption.
• Implement advanced security measures such as remote laptop security (remote tracking and remote wipe) and full-disk laptop encryption.
• Be sure that all important data contained on the laptop is backed up, so that the organization can determine exactly what was on a lost machine.
• Make use of physical security measures like locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.
• When leaving a laptop in the office, make sure it is hidden and secured.
• Keep your laptop in an inconspicuous case. Flashy cases expose your computer by attracting thieves’ attention. A simple padded messenger bag can suffice as a protective container.
• When using a laptop for meetings or conferences, always keep it in your sight. Do not leave the room without taking the laptop with you.
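Encryption that is purchased but never actually enabled on the machine gives no protection, so an audit should check the device rather than the policy. The script below is an added example, not part of the original post or of any vendor product: it decides, for a Linux laptop, whether the filesystem behind a given mount point sits on a dm-crypt (LUKS) volume by walking the block-device parent chain reported by util-linux `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`. The `SAMPLE_LSBLK` text is constructed to look like that output (LVM root on top of LUKS, an unencrypted `/boot` and an unencrypted external disk) so the script runs offline; the function and variable names are the example’s own.

```shell
#!/bin/sh
# Added example: is the filesystem at a mount point backed by an encrypted block device?
# Walks NAME -> PKNAME (parent kernel name) upward; encrypted if any ancestor has TYPE="crypt".
# Real use: mount_encrypted "$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)" /

# Constructed sample in `lsblk -P` key="value" format (not captured from a real machine).
SAMPLE_LSBLK='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/data" PKNAME="sda"'

# mount_encrypted LSBLK_OUTPUT MOUNTPOINT
#   prints "yes" (exit 0) if an ancestor is a crypt device, "no" (exit 1) otherwise,
#   "unknown" (exit 2) if the mount point does not appear in the output at all.
mount_encrypted() {
  printf '%s\n' "$1" | awk -v mp="$2" '
    # val(line, key): extract the value of key="..." from one -P line.
    # A leading space is added so that " NAME=" cannot match inside " PKNAME=".
    function val(line, key,   s) {
      s = " " line
      if (s !~ (" " key "=\"")) return ""
      sub("^.* " key "=\"", "", s)
      sub("\".*$", "", s)
      return s
    }
    {
      name = val($0, "NAME")
      dtype[name]  = val($0, "TYPE")
      parent[name] = val($0, "PKNAME")
      if (val($0, "MOUNTPOINT") == mp) start = name
    }
    END {
      if (start == "") { print "unknown"; exit 2 }
      # Climb the device stack: lvm -> crypt -> part -> disk, stopping at the first crypt layer.
      for (n = start; n != ""; n = parent[n])
        if (dtype[n] == "crypt") { print "yes"; exit 0 }
      print "no"; exit 1
    }'
}

# Demonstration on the constructed sample.
for mp in / /boot /data; do
  printf '%-6s encrypted: %s\n' "$mp" "$(mount_encrypted "$SAMPLE_LSBLK" "$mp")"
done
```

On the sample this reports `/` as encrypted (its LVM volume sits on `cryptroot`) and `/boot` and `/data` as not, which is the normal picture for a LUKS-on-LVM install: the boot partition is plain, and an external drive that was never set up with encryption stays plain no matter what the corporate policy says. The exit status lets the function be dropped into a fleet-audit or compliance script; a "no" for any mount point that holds sensitive personally identifiable information is the finding an auditor is looking for.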

The Ernst & Young laptop theft in Miami could have been prevented if employees had followed these simple instructions. Furthermore, the companies whose data was stolen could easily have identified the compromised data if they had regularly backed up the information contained on the laptops. Finally, all of the information could have been protected if it had been encrypted. Only 65 percent of the Ponemon survey respondents claimed that their organizations use encryption to protect information.

About May 2007

This page contains all entries posted to Business and Technology Law in May 2007. They are listed from oldest to newest.
