Scott & Scott | Software Compliance Counsel


June 2007 Archives

June 4, 2007

Texas Attorney General Abbott Declares War on Identity Theft…and Holds Your Company Responsible

“Texans expect their personal information to remain confidential. The Office of the Attorney General will take all necessary steps to protect consumers from identity thieves.”
– Texas Attorney General Greg Abbott

Don’t mess with Texas and you better be sure not to mess with a Texan’s nonpublic personal information. Texas Attorney General Greg Abbott has declared war on identity theft and he’s holding companies responsible. Over the past several weeks, Mr. Abbott filed no less than six lawsuits against companies for violations of the Texas Identity Theft Enforcement and Protection Act of 2005, Tex. Bus. & Com. Code Ann. §§17.41, et seq., and the Tex. Bus. & Com. Code Ann. § 35.48. In May 2007, Attorney General Abbott filed an enforcement action against CNG Financial Corporation, its subsidiaries, and EZPAWN for improperly dumping customer records, including promissory notes and bank statements. In April, Attorney General Abbott took legal action against CVS/pharmacy and RadioShack Corporation for exposing hundreds of customers to identity theft by failing to properly dispose of records that contained sensitive information. In March, the Attorney General filed an enforcement action against Jones Beauty College in Dallas for improperly discarding student financial aid forms containing Social Security numbers and other personal information. Also in March, Attorney General Abbott took legal action against On Track Modeling, a North Carolina-based talent agency that abruptly shut down its North Texas office and abandoned more than 60 boxes containing hundreds of confidential client records.

The Identity Theft Enforcement and Protection Act.

The Identity Theft Enforcement and Protection Act (the “ITEP Act”) mandates that businesses have a legal duty to protect and safeguard sensitive personal information. Similar to the Gramm-Leach-Bliley Act, the ITEP Act requires businesses that collect or maintain sensitive personal information in the regular course of business to implement and maintain reasonable procedures and corrective measures to protect and safeguard sensitive personal information from unlawful use or disclosure. Furthermore, the ITEP Act includes a “Dumpster Diving” provision where companies are required to destroy customer records no longer in use by shredding, erasing or modifying the records to make the information unreadable or undecipherable. Section 35.48 of the Texas Business & Commerce Code also mandates that companies destroy business records that contain personal identifying information in a secure manner. The ITEP Act provides an exception to financial institutions governed by the GLBA.

The ITEP Act requires corporations to give notice if their system security is breached and may compromise the security, confidentiality or integrity of sensitive personal information. A company must disclose such breach as quickly as possible by either written notice, electronic notice, or by providing conspicuous notice on its website and publishing or broadcasting such notice through the mass media. The type of disclosure depends upon the number of persons affected and the companion Federal statute, if any.

The State of Texas v. CNG Financial Corporation, Check ‘N Go of Texas, Inc. and Southwestern & Pacific Specialty Finance, Inc.

On May 24th, 2007, the Texas Attorney General filed an enforcement action against CNG Financial Corporation and its related entities, Check ‘n Go of Texas, Inc., and Southwestern & Pacific Specialty Finance, Inc. (hereinafter collectively referred to as “Defendants” or “Check ‘N Go”). The lawsuit claimed the Defendants violated the Identity Theft Enforcement and Protection Act, the Deceptive Trade Practices Act and the Credit Services Organizations Act. All of these claims are based upon the Defendants’ failure to protect its consumers’ sensitive personal information.

According to the lawsuit, Check ‘N Go is in the business of finding third party lenders to provide its customers cash advances, more commonly referred to as payday loans or fast cash loans. These payday loans are short-term loans that are repaid via a pre-authorized withdrawal from the customer’s checking account on the next payday after the loan is given. In order to process the payday loans, Check ‘N Go collects a myriad of non-public personal information including but not limited to the applicant’s address, date of birth, Social Security number, and driver’s license number. Additionally, Check ‘N Go collects the applicant’s employment information, his or her bank checking account number, bank routing number, the applicant’s signature and thumb print. However, according to the lawsuit, on numerous occasions and in several locations throughout Texas, Check ‘N Go disposed of its customers’ sensitive personal information without shredding or modifying the information in publicly available dumpsters located behind its retail locations.

First, the Defendants were charged with violating the Deceptive Trade Practices Act because they misrepresented to their customers in writing that they were “committed to protecting our customers’ privacy and security” by “restrict[ing] access to nonpublic personal information”, maintaining “physical, electronic and procedural safeguards… designed to safeguard your nonpublic personal information” and “prevent[ing] unauthorized access to your nonpublic personal information by regularly assessing our security standards and privacy policies, and by regularly training our employees and requiring our vendors to comply with those standards and policies.” Attorney General Abbott instead alleges that the Defendants “in truth and in fact… fail[ed] to safeguard sensitive personal information.” The lawsuit also contends that, “When specifically asked what would happen to their checks by at least two customers, Defendants represented to them that the checks would be shredded. In truth and in fact, the checks were dumped into the trash without even being torn.”

Second, the Defendants were charged with violating various provisions of the Texas Identity Theft Enforcement and Protection Act. Attorney General Abbott alleged that Check ‘N Go failed to implement and maintain reasonable procedures to protect and safeguard their customers’ sensitive personal information that it collected and especially failed to destroy or arrange to destroy its customer records in a secure manner.

Third, the Defendants were charged with violating the Texas Credit Services Organizations Act (the “CSOA”). The lawsuit claims that Check ‘N Go misrepresented the quality and degree of security and protection afforded to its customers’ sensitive personal identifying information that they provided in order to purchase credit services. Specifically, the lawsuit alleges that the Defendants represented in their privacy policies that “[w]e… protect… our customers’ privacy and security…” and then “dump[ed] such information into trash receptacles making it easily accessible to the public…”

Why is this lawsuit a big deal? It goes directly to Check ‘N Go’s bottom line. First, the Defendants cannot compete with the Texas government and its unlimited resources. Next, the Attorney General announced in a press conference, to anyone who would listen, that Check ‘N Go was negligent and its customers may be at risk. The damage to Check ‘N Go’s brand image may not be immediately quantifiable, but in time the free market will let them know. Third, Attorney General Abbott sought a temporary injunction and a permanent injunction to prevent the Defendants from continuing their current business practices. If granted, the injunctions will force the Defendants to stop certain aspects of their business, and that will cost Check ‘N Go time and money. Finally, Check ‘N Go will pay monetary damages to the State. How much money Check ‘N Go will pay is uncertain, but they will pay.

For violating Chapter 35 of the Texas Business & Commerce Code, the Defendants may be liable for a civil penalty of up to $500 for each record. Section 48.201 of the ITEP Act not only allows the Attorney General to seek a permanent injunction, but also exposes Defendants to a civil penalty of at least $2,000 and up to $50,000 against each Defendant. The DTPA adjudges a civil penalty against each Defendant up to $20,000 for each violation. Similarly, for violating the CSOA, each Defendant may be liable for up to $20,000 per violation. If the customers can be identified whose nonpublic personal information was unlawfully dumped, those customers may be awarded damages of “not less than the amount the consumer paid” Check ‘N Go in the first place. Finally, the Defendants are liable for the State’s reasonable attorney’s fees, investigatory costs and court costs.

In summary, the cost of noncompliance is high and very few companies have a check book that big.

June 6, 2007

Communications Decency Act Protects Service Providers From State Intellectual Property Claims

The Ninth Circuit has recently clarified the scope of immunity for internet service providers under the Communications Decency Act. That statute contains an immunity provision, stating that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 USC § 230 (c)(1). This immunity is limited, however, in that it does not apply to claims “pertaining to intellectual property.” The Ninth Circuit has now interpreted this provision as only applying to intellectual property as defined under federal law, e.g. patents, trademarks, copyrights. Perfect 10 v. CCBill LLC, 2007 WL 1557475 (9th Cir. 2007).

What does this mean?

As a defendant service provider it means that you may seek immunity under § 230(c)(1) where state intellectual property claims are brought against you. Of course, if the federal and state claims are similar, you won’t be escaping much because the federal claim will still survive.

As a plaintiff seeking to enforce a state trade secret claim or any other intellectual property interest recognized and created under state law, the results are not so good. It will be much more difficult to bring a state intellectual property claim, or seek an injunction based on a trade secrets claim. For instance, when a service provider hosts user-posted material misappropriating your trade secrets or infringing on other state-recognized intellectual property rights, the service provider will be immune under § 230(c)(1), and your only recourse will be a claim against that user who posted the material.

The original opinion was amended so that the Ninth Circuit could insert a footnote that reiterates that it really did mean that intellectual property means “federal intellectual property” and state intellectual property claims are preempted by § 230. There are two other cases pending before the Ninth Circuit dealing with the same types of questions, and those decisions will indicate just how far the Ninth Circuit believes the immunity provision extends. In the meantime, service providers in particular should take note that they can now invoke section 230 immunity for the acts of third-parties where the claims raised are state intellectual property claims.

Effective Use of Local Rules and Rocket Docket Forums Can Reduce Litigation Costs

It is no secret that patent litigation is a costly endeavor. It can price small defendants out of being able to defend themselves on the merits and can likewise be the prohibitive factor when small plaintiffs want to enforce their claims. For the small or mid-sized company, the amount at issue many times simply does not justify the high cost and high risk of patent litigation.

The costs of litigation can be managed and decreased using court rules that promote efficient litigation and provide for speedy resolution of disputes. Courts in the Eastern District of Texas are widely recognized as national leaders in patent litigation, in large measure, because they provide a relatively quick system for resolving patent disputes. For the party that employs experienced counsel and a strategy to maximize those attributes, the cost of preparing a patent case can be reduced on both sides. This efficiency is accomplished in various ways, including the use by several judges of special rules for patent cases and those same judges’ continuation of the district's tradition of early, firm trial settings. Experienced counsel can see that speedy trial settings and discovery limitations can be used not only to the benefit of a plaintiff, but to the small defendants’ favor as well when defending commercial patent cases. In fact, the settings provide a way of defending a case on the merits that would otherwise cost too much. A small patent defendant is best off in the Eastern District when it has a defense on the merits because there it may possibly get the cheapest path to a trial setting of anywhere in the nation. The truth is, with a valid case and good lawyering, there is no reason that tremendous advantage cannot be found and a path to more efficient litigation discovered by all parties by using the resources of the Eastern District.

Supreme Court to Decide if Parties Can Agree to Judicial Review of an Arbitration Award

The United States Supreme Court has recently agreed to address the question of whether parties may contractually agree to alter the standard for reviewing arbitration awards. Because so many business contracts, software licenses, and other agreements now include provisions requiring the parties to submit their dispute to binding arbitration instead of filing a lawsuit, businesses should pay careful attention to this case, as the court’s decision will have significant implications. The court will decide whether the parties to an arbitration agreement have the freedom to contract for meaningful review of an arbitration award in a court. This will be particularly significant if the decision to agree to arbitration was premised on the availability of meaningful judicial review after an arbitration award has been made.

By statute, such review is not now available, and parties who consent to arbitration will find themselves at the mercy of the arbitrator, whose decision, as a practical matter, is unreviewable. Under the Federal Arbitration Act, which applies if an agreement containing an arbitration clause involves interstate commerce, an arbitrator’s decision may only be vacated, modified, or corrected by a court under very limited, rarely applicable circumstances. See 9 U.S.C. § 10 & 11. Indeed, under the FAA, an arbitration award will still be confirmed and converted into an enforceable judgment even if the award was based on clear legal or factual errors. See Kyocera Corp. v. Prudential-Bache Trade Servs., Inc., 341 F.3d 987, 994 (9th Cir. 2003) (en banc). Many states have enacted similar provisions limiting the scope of review of arbitration awards for agreements governed by state law.

In an attempt to avoid this potentially frightening result and create an opportunity for meaningful review of erroneous arbitration awards, businesses have begun to include in their arbitration agreements provisions purporting to establish different standards under which an award will be reviewed. For instance, the parties to an agreement may specify that an arbitration award is reviewable for legal errors or must be supported by substantial evidence. It is not clear, however, that such provisions are enforceable. The Ninth and Tenth Circuits have held that parties may not expand the judicial review provisions found in the FAA, reasoning that allowing such an expansion would threaten the independence of arbitration. See Kyocera, 341 F.3d at 998; Bowen v. Amoco Pipeline, Inc., 254 F.3d 925, 936 (10th Cir. 2001). California courts have similarly held that under the FAA and the California arbitration statutes, an agreement to expand judicial review is unenforceable, though the California Supreme Court is currently considering the validity of those decisions. See Cable Connection, Inc. v. Directv, Inc., 53 Cal.Rptr.3d 318 (Cal. 2006). In contrast, the First, Fourth, Fifth, and Sixth Circuits have held that parties may contract for more expansive judicial review, concluding that the parties’ agreement with respect to arbitration must be enforced.

The Supreme Court has now granted certiorari in a case presenting the issue of whether such contractual provisions are enforceable. On May 29, 2007, the court granted the petition in Hall Street Assoc. v. Mattel, Inc., No. 06-989. The court will address the specific question of whether the Ninth Circuit erred when it held that the FAA “precludes a federal court from enforcing the parties’ clearly expressed agreement providing for more expansive judicial review of an arbitration award than the narrow standard of review otherwise provided for in the FAA.” The case will not be set for argument until the next court term, which begins in October 2007. In the meantime, businesses concerned about the limited reviewability of arbitration awards should still consider including clauses providing for expanded judicial review. Given that such provisions may be invalidated, however, businesses may want to re-examine whether they really want to agree to arbitration in the first place, knowing that an erroneous decision by an arbitrator may be the final word.

June 7, 2007

Significant New Remedies Proposed for U.S. Copyright Law

On May 14, 2007, the office of the U.S. Attorney General transmitted a legislative proposal to U.S. House Speaker Nancy Pelosi that would represent one of the most significant overhauls of federal copyright law in recent years. Most of the proposal’s provisions work to expand the scope of the statute and include more tools to combat criminal copyright violations. However, one provision in particular would represent a significant new weapon for those who target businesses for copyright litigation based on software use. The proposed modification to 17 U.S.C. § 503(a) is underlined below:

At any time while an action under this title is pending, the court may order the impounding, on such terms as it may deem reasonable, of all copies or phonorecords claimed to have been made or used in violation of the copyright owner’s exclusive rights, and of all plates, molds, matrices, masters, tapes, film negatives, or other articles by means of which such copies or phonorecords may be reproduced, and records documenting the manufacture, sale, or receipt of things involved in such violation. The court shall enter an appropriate protective order with respect to discovery by the applicant of any records that have been seized. The protective order shall provide for appropriate procedures to assure that confidential information contained in such records is not improperly disclosed to the applicant.

Unlike under the Lanham Act, which provides remedies for trademark infringement, the current iteration of the U.S. Copyright Act allows courts considering claims of copyright infringement to order the impoundment of the fruits of the infringing activity – the illegal copies themselves. However, the proposed amendment gives courts the authority to impound records reflecting details regarding the infringement.

The potential for this or similar legislative proposals to affect the operations of your business makes it even more important to ensure that all records regarding software license purchases and installations are readily available, or at least easy to retrieve. Such pro-active organization on your part not only makes good business sense, it also greatly facilitates the software audit process for those destined to receive letters from the Business Software Alliance or the Software & Information Industry Association (as are an ever-increasing number of U.S. businesses)…and it might help to avoid some of the harsher remedies that the future may hold under the Copyright Act.

A copy of the legislative proposal may be found here.

June 15, 2007

Calculating Potential Damages Exposure for Patent Infringement Just Got Harder

Companies attempting to measure their potential exposure for patent infringement should review a recent decision by the Federal Circuit. Businesses often calculate their exposure based on the concept of a “reasonable royalty,” and look at the terms on which the patent holder has previously licensed the technology. Such an established royalty is usually the best measure of potential exposure. In a case addressing the issue of damages in a patent infringement case involving the burgeoning field of genetically modified crop seeds, the Federal Circuit has expanded the definition of what constitutes a reasonable royalty. The court indicated that in calculating the “reasonable royalty,” a court may also consider costs and charges beyond those that the patent holder has labeled as royalties, as well as other benefits received by the infringer as a result of using the patented technology. When assessing potential patent infringement damages, businesses should consult with counsel before attempting to assess how a damages award might be calculated.

This important case arose out of a seemingly prosaic set of facts involving a dispute between a farmer and a seed company. While Paris Hilton might view farming as part of “The Simple Life,” American agribusiness is actually a high-tech industry with complex legal issues. Indeed, Monsanto Company v. McFarling, 2007 WL 1502080 (Fed. Cir. 2007), is the third opinion issued by the Federal Circuit in a closely watched dispute between a farmer and Monsanto. Monsanto developed a system for weed control using genetically modified crops that are resistant to the effects of certain herbicides. When the genetically modified seeds are planted, farmers are able to spray the herbicide on their fields to kill the weeds while sparing the resistant crops, making weed control more efficient. Monsanto patented this technology.

When McFarling purchased genetically modified soybean seeds from Monsanto in 1998, he paid a license fee and signed a “Technology Agreement” that included a promise not to replant seeds that were produced from the purchased seeds or to supply those seeds to others for replanting. The terms of the Technology Agreement also included payment of a $6.50 “technology fee” per bag of seeds and required the farmer to purchase seeds from an authorized distributor. Despite this agreement, McFarling saved seeds from the 1998 crop and planted those seeds in 1999 and did the same thing in 1999, saving soybean seeds from that crop and planting them in 2000. The saved seeds contained the patented genetic traits, and McFarling did not pay any license fee for 1999 or 2000.

In a previous decision, the Federal Circuit held that McFarling infringed on Monsanto’s patent by saving seeds and replanting them. The court also previously held that the liquidated damages provision in the agreement between Monsanto and McFarling was invalid. At trial, the jury returned a damages verdict of $40 per bag of saved seed. Under 35 U.S.C. § 284, damages for patent infringement are to be adequate to compensate for the infringement and must not be less than a reasonable royalty for use of the invention. McFarling argued that because Monsanto had charged a $6.50 “technology fee” to licensees who purchased the seeds under its Technology Agreement, that fee constituted the established reasonable royalty for use of the technology and should be used as an upper limit on his potential exposure.

The court stated, however, that the technology fee was actually only part of the royalty being charged by Monsanto. By requiring a farmer to purchase seeds only from an authorized distributor, which would charge between $19 and $22 per bag of seeds, Monsanto had elected to impose an additional royalty, although it was not labeled as such. The court concluded that the total out-of-pocket cost to the farmer – the technology fee plus the cost of the seeds purchased from an authorized distributor – should be characterized as a royalty payment for purposes of calculating the reasonable royalty and damages. To decide otherwise would create a windfall for infringers, who would have a huge advantage over other farmers by paying only the technology fee without having to purchase seeds from distributors. The court also held that it was reasonable for the jury, in calculating damages, to consider the benefits Monsanto’s technology conferred on farmers such as McFarling, such as the savings on weed control measures.

By allowing courts to consider charges and costs beyond what a patent holder has labeled as a royalty or technology fee, as well as the economic benefits conferred on the infringer by the technology, the decision in McFarling may lead to higher damages awards in patent infringement cases. It will certainly make it more difficult for businesses concerned about infringement claims to calculate their potential exposure.

Eleventh Circuit to Review Deceptive Practices Ruling Against NASD

The Eleventh Circuit has decided to review en banc a ruling refusing to grant immunity to the NASD on the grounds that it was a self-regulating agency. A Florida lawyer named Steven Weissman purchased a substantial amount of Worldcom stock in trust for his minor children. That stock is now virtually worthless. Rather than suing the now-defunct accounting firm of record, Arthur Andersen, or Worldcom’s former CEO Bernard Ebbers and the other directors, Weissman sued the National Association of Securities Dealers and NASDAQ Stock Market, Inc., the latter of which became a for-profit enterprise prior to the events in question. In his diversity complaint, filed in Federal District Court in the Southern District of Florida, Weissman asserted claims for false advertising, fraud, and other deceptive practices under Florida law. He contended that his complaint was limited to the defendants’ commercial activities in promoting and vouching for Worldcom, for which the defendants received indirect profits. The District Court rejected the defendants’ argument that as self-regulatory agencies they were immune from suit. On appeal, a three-judge panel of the Eleventh Circuit ruled that this immunity does not apply to commercial for-profit activity such as advertising. Weissman v. National Ass’n of Securities Dealers, 468 F.3d 1306 (11th Cir. 2006), vacated, 481 F.3d 1295 (11th Cir. 2007). One judge dissented, concluding that the acts of alleged misconduct by defendants were closely related to core regulatory functions and should not be actionable. The panel’s opinion is available here: http://www.ca11.uscourts.gov/opinions/ops/200413575.pdf

The Eleventh Circuit has agreed to rehear the matter en banc, reflecting the Court’s recognition of the extraordinary impact of the panel opinion. Weissman v. National Ass’n of Securities Dealers, 481 F.3d 1295 (11th Cir. 2007). If the majority opinion prevails and is adopted by other Circuits, for-profit stock exchanges face not only the specter of significant new liabilities in relation to investments solicited in member companies but also added uncertainty, because the theory of liability may derive from a myriad of laws that vary from state to state. Stay tuned . . .

Judicial Review of Arbitration Awards Under State Law

A previous posting entitled “Supreme Court to Decide if Parties Can Agree to Judicial Review of an Arbitration Award,” discussed the U.S. Supreme Court’s intention to review the issue of whether parties may agree to expanded judicial review of arbitration awards under the Federal Arbitration Act. Because businesses may be parties to contracts and licenses that will be governed by state arbitration statutes instead of the FAA, companies should also keep an eye on how this issue is being addressed in the state courts.

For instance, while the federal appellate courts have split on the issue, with most courts allowing parties to agree to expanded judicial review, the trend in California has been the opposite. The California appellate decisions addressing the issue have concluded that parties may not agree to expanded judicial review. In Baize v. Eastridge Companies (2006) 142 Cal.App.4th 293 [47 Cal.Rptr.3d 763], the parties included a provision in their arbitration agreement requiring the arbitrator to apply California substantive law. The court held that despite this provision, the award could not be vacated on the ground that the arbitrator did not apply the proper law. In Cable Connection, Inc. v. Directv, Inc. (2006) 143 Cal.App.4th 207 [49 Cal.Rptr.3d 187], the court even more strongly rejected the parties’ attempt to expand judicial review. The parties in DirecTV included a provision specifically stating that any arbitration award was reviewable for failure to apply the law. The court held that the grounds for vacating or modifying an award listed in the California arbitration act were exclusive and a court is therefore prohibited under California law from vacating or modifying an award on any ground not listed in the statutes. The parties’ agreement to add another basis for vacating or modifying an award was therefore entirely unenforceable.

The California Supreme Court has granted review of the DirecTV case to address whether parties to a commercial arbitration agreement may contractually expand the jurisdiction of the trial court to permit review of an arbitration award for legal error. The case has been fully briefed by the parties and has generated some interest, including a request by L.F.P., Inc – Larry Flynt Publications – to file an amicus brief. Oral argument has not yet been scheduled. Because so many companies do business in California and because decisions of the California courts often influence decisions in other states, this case should be watched closely.

June 18, 2007

U.S. Supreme Court: Notice of Appeal Deadlines Cannot be Extended by Courts

A recent U.S. Supreme Court decision sends a strong message – if you intend to appeal a decision, don’t wait around. If you miss the deadline, even a federal court won’t be able to fix the problem. In Bowles v. Russell, 2007 WL 1702870 (U.S. 2007), the Supreme Court held that federal district courts do not have the power to extend the deadline for filing a notice of appeal beyond the time period established in the Federal Rules of Civil Procedure. If the deadline is not met, the right to appeal will be lost permanently because appellate jurisdiction may not be changed by the courts. In making its decision, the Supreme Court overruled two precedents allowing courts to extend the deadline for invoking appellate jurisdiction in “exceptional circumstances.”

Bowles arose out of a habeas proceeding, but the holding applies in all civil appellate cases. After being given a sentence of 15 years to life for murder by an Ohio jury, Bowles filed a habeas corpus petition in the federal district court. This application was denied. Under Federal Rule of Appellate Procedure 4(a)(1)(A) and 28 U. S. C. § 2107(a), Bowles had thirty days in which to file his notice of appeal but did not meet this deadline. Subsequently, Bowles filed a motion to reopen the period during which he could file his notice of appeal pursuant to Rule 4(a)(6) and 28 U.S.C. § 2107(c). These provisions allow district courts to extend the filing period for 14 days from the day the district court grants the order to reopen when certain conditions are met. The district court granted Bowles’ motion to reopen the filing period but instead of extending the time period by 14 days, as Rule 4(a)(6) and § 2107(c) allow, the district court gave Bowles 17 days to file his notice of appeal. Bowles filed his notice on the sixteenth day of that time period, within the time allowed by the district court’s order but after the 14-day period allowed by Rule 4(a)(6) and § 2107(c). The Sixth Circuit ruled that Bowles’ appeal was untimely and the Supreme Court agreed.

In a 5-4 decision written by Justice Thomas, the Supreme Court noted that filing a timely notice of appeal is “mandatory and jurisdictional.” If a notice of appeal has not been timely filed, there is no appellate jurisdiction over the case. The authority to extend the time for filing an appeal comes from 28 U.S.C. § 2107(c), which specifies only a 14-day extension of the time period. The Supreme Court made it clear that statutory time limits are jurisdictional. Only Congress has the power to determine the lower federal courts’ subject matter jurisdiction, and appellate jurisdiction cannot be altered by court order. The Supreme Court stated that “because Congress decides whether federal courts can hear cases at all, it can also determine when, and under what conditions, federal courts can hear them.” As an example, the Supreme Court pointed to its own certiorari procedures, which recognize that the 90-day time limit for filing a petition is based on a statute. When a cert petition is not timely filed, the Supreme Court has repeatedly held that the failure to do so is jurisdictional.

The Supreme Court applied the same reasoning in holding that the time limits for filing a notice of appeal must be strictly enforced and cannot be varied by court order. Bowles argued that in any event, the court should recognize an exception with respect to appellate jurisdiction in his case, given that he relied on a federal court order in filing his late notice of appeal. The Supreme Court held that the federal courts did not have the authority to create an equitable exception to the statutes and rules governing appellate jurisdiction. In doing so, the court overruled Truck Lines, Inc. v. Cherry Meat Packers, Inc., 371 U. S. 215 (1962), and Thompson v. INS, 375 U. S. 384 (1964), two earlier U.S. Supreme Court cases applying a “unique circumstances” doctrine allowing for equitable relief from a jurisdictional deadline. The court overruled both decisions “to the extent they purport to authorize an exception to a jurisdictional rule.” The Supreme Court recognized that the result in this case might be harsh but stated that Congress could change the rules governing appellate jurisdiction if it wished to. Writing for the four dissenters, Justice Souter rejected the notion that the notice of appeal deadline was mandatory and jurisdictional and asserted that courts could allow for equitable exceptions to the appellate jurisdiction deadline.

In the wake of the Supreme Court’s decision in Bowles, even if a federal court issues an order extending the time in which to file a notice of appeal, businesses and individuals planning to appeal a federal district court decision should know they still have to meet the statutory deadline and cannot rely on the federal court’s order. Otherwise, there will be no appellate jurisdiction, and the right to appeal will be permanently lost.

Opinion text: http://www.supremecourtus.gov/opinions/06pdf/06-5306.pdf

“Battle of the Handbags” Continues – Louis Vuitton Sues Home Shopping Network

Louis Vuitton is once again making headlines by aggressively seeking to protect its valuable trademark and reputation. Louis Vuitton recently filed suit in U.S. District Court for the Middle District of Florida in Tampa, Florida alleging trademark infringement by the Home Shopping Network (“HSN”). Louis Vuitton claims that HSN has been selling look-alike Louis Vuitton handbags and thereby violating at least six of its trademarks. The complaint also asserts claims for copyright infringement, misappropriation of advertising ideas, and intentional counterfeiting. In addition to its claims against HSN, Louis Vuitton also makes claims against American Elite Inc., the distributor that sold the merchandise to HSN.

This latest lawsuit is part of Louis Vuitton’s ongoing fight against counterfeiting and trademark infringement. On its website, the company proclaims that it has a special team devoted to fighting counterfeiting and is trying to make consumers aware of the risks inherent in purchasing counterfeit merchandise. Furthermore, Louis Vuitton notes that 13,000 counterfeiting proceedings and 600 raids were launched last year, with 1000 arrests. Finally, Louis Vuitton makes it clear that its products are sold exclusively in its stores and on its websites, so no one can claim they thought they were making a legitimate purchase when they bought a product on the street or at a “purse party.” Louis Vuitton’s actions and strategy are an example to other businesses of the steps that should be taken to protect a valuable trademark. A business that does not actively fight against trademark infringement risks tarnishing the company’s reputation by allowing counterfeiters to sell inferior product and weaken its trademark.

June 19, 2007

California Judge Ruling May Force Companies to Drastically Alter Their Data Privacy Policies and the Business Implications Could Cost Millions!!!

“I don't know if it's such a hot idea to have a court confined to California. You would still get a court full of activist judges, and a court that doesn't represent the whole of the state.” - Retired Judge Robert Bork

Always interesting and never ceasing to befuddle legal scholars, another California Federal Judge is attempting to re-write the Federal Rules of Evidence by requiring a popular BitTorrent indexing Web Site to preserve and disclose information kept on its computers’ random access memory (“RAM”). California Federal Magistrate Judge Jacqueline Chooljian ruled that information found in RAM is “electronically stored information” and therefore subject to the rules of evidence. If upheld on appeal, the implications of this ruling could force companies to rewrite their privacy policies and cost millions to implement.

MPAA v. TorrentSpy

In February 2006, six movie studios brought a Federal copyright infringement suit against TorrentSpy, a Web Site that allows peer-to-peer (“P2P”) file sharing. The MPAA alleges that TorrentSpy directs its users to files which allow downloading of copyrighted videos. The MPAA further contends that TorrentSpy’s RAM data will show that TorrentSpy is used primarily for copyright infringement. When the MPAA accused TorrentSpy of wrongfully withholding its login user information, TorrentSpy objected, arguing that such information was transitory and by RAM’s very nature, takes the form of integrated circuits without the physical movement of the storage medium or a physical reading head. Stated another way, once the server’s login function is shut off, the information is gone. Judge Chooljian justified her decision stating that the Server Log Data was relevant and that the information was already “stored” in the RAM. Judge Chooljian then backtracked and inserted her own disclaimer stating that her ruling does not mean that litigants in all cases are required to preserve and produce data that is temporarily stored in RAM. Despite her reluctance or lack of intent, Judge Chooljian is most likely creating legal precedent that will be used in future DMCA cases.

The Business Impact on a Company’s Privacy Policies

This is the first highly publicized case in which a judge held that RAM was discoverable. The ramifications of this ruling would require a company to store, collect and turn over RAM data every time a company was sued. Preservation letters would become the new form of legal intimidation along with a Digital Millennium Copyright Act (“DMCA”) notice. Businesses may have to significantly re-write their data privacy policies essentially stating that a customer’s information is private… as long as they don’t get sued. The economic cost, both in manpower and infrastructure, of collecting and storing RAM data could be significant regardless of a company’s size.

Scorched Earth: The DirecTV End User Shakedown Part Deux

Another practical concern for TorrentSpy is that if it is forced to disclose RAM data about its end users, then the end users will be sued by the MPAA as well. Earlier this decade, DirecTV sued thousands of its own customers who registered on a Web Site that sold smart card equipment. Because there was no way to tell whether or not the registered users merely browsed the Web Sites, which required its visitors to login, or actually bought and used the smart cards for illegal purposes, DirecTV took a scorched earth policy and sued everyone… and I mean everyone. DirecTV apparently knew that most Americans cannot afford an expensive Federal court battle.

History has proven to repeat itself. Once Judge Chooljian forces TorrentSpy to release its RAM data and login user information, the MPAA may sue TorrentSpy’s many end users. Any residual sense of trust between TorrentSpy and its login visitors will be lost. TorrentSpy’s Internet traffic will drastically decline due to end user fear of retribution by the MPAA. TorrentSpy may be forced out of business. The MPAA, RIAA or another aggressive plaintiff with considerable resources can and will litigate an Internet company out of business if it is determined enough. The lesson learned from DirecTV is that an individual login user can be guilty by association regardless of intent. Judge Chooljian’s disclaimer will not put the genie back in the bottle.

“Et tu, Brute?”

Moore’s law states that the number of transistors on a chip, hence technology, doubles every two years. Newton’s law of motion states that for every action there is an equal and opposite reaction. In this digital and information age, where technology doubles every 2 years, an equal and opposite reaction has been the exponential dissolution of privacy. Americans love their privacy. Customers want to know that their data privacy is secure. Likewise, companies want to reassure their login users that their information is safe. However, privacy is becoming nothing more than Platonic idealism. The American judicial system was once considered a stalwart institution that protected an individual’s right to privacy. Judge Chooljian’s ruling makes it clear that an end of an era is near and that society is one step closer to fulfilling Scott Nealy’s prophetic words, “Privacy is dead, deal with it.”

Dark Arts and Bright Lines: A Trade Secrets Primer

Most protections afforded to intellectual property (IP) are available only after the property is in the public realm. For instance, trademarks must be used in commerce to identify products and services offered to consumers. Creators of original works generally must publish or register those works before they may enjoy any meaningful copyright protections. More significantly, prospective patent holders must not only submit their inventions to the scrutiny of the patent process, ultimately resulting in a publicly accessible record of every last detail concerning that invention's construction and use, they also must be willing to see their exclusive rights in that invention vanish upon the expiration of the patent. While patent holders do obtain a large measure of predictable certainty regarding the remedies they have available to protect their inventions, in many cases, the high cost (both substantive and procedural) of obtaining those protections may represent a poor investment, depending on the type of IP to be protected. In those cases, owners might find a more appropriate IP regime under trade secrets law.

In effect, a trade secret operates as a kind of perpetual patent; the owner potentially can use the secret for his or her own commercial benefit forever. Moreover, almost anything can be a trade secret, while the availability of trademark, copyright or patent protection may be limited based on the nature of the IP at issue. However, "forever," with respect to trade secrets, may be roughly translated as: "for as long as you can keep it." Unlike with patents, where a fairly complex, federal statutory regime usually provides most of the protection afforded to patent holders, those who intend to protect their inventions as trade secrets must be willing to do more of the heavy lifting themselves, using, in the United States, two primary tools: state law and contracts.

Most states have enacted trade secrets legislation - usually modeled on the Uniform Trade Secrets Act - under which an owner of a trade secret may obtain injunctive relief to prevent another from misappropriating that secret by acquiring or using it without the owner's consent. The Trade Secrets Act also gives the owner the opportunity to seek civil damages arising out of such misappropriation, as well as attorney's fees. However, in many cases, an owner's resort to such statutory protection will represent a failure of the owner's front-line trade secrets defenses: his contracts and internal policies.

The key to effective trade secrets protection lies in addressing those secrets with a holistic set of internal policies regarding their use and with a well-crafted set of contractual agreements designed to restrict the ability of a third party to misappropriate them. Internally, access to the existence or details of a trade secret should be clearly limited by internal policies to only those employees who need to have such access, and those policies themselves must be crafted in such a way as not to attract unnecessary (or, sometimes, any) attention to the secrets they should be designed to protect. Moreover, a trade secrets owner must always be mindful of the extent to which any vendors or contractors or even customers are allowed to access those secrets, and it should include enforceable provisions in contracts with such parties to protect its interests. Finally, a trade secrets owner needs to include a comprehensive set of protections in its employment agreements, which should provide, within the bounds of what is permitted in the owner's jurisdiction, that work completed by employees in the course of their employment constitutes property of the employer and that those employees will remain bound to the terms of specified non-disclosure agreements and non-compete covenants during the course of, and for a period of time following, the term of their employment. What is and is not legally permissible with respect to such clauses usually varies from state to state.

It is worth noting that most of these same protections are good ideas for patent holders as much as they are for trade secrets owners. With trade secrets, though, while the owner must devote more vigilance to the implementation and enforcement of such protections, it need not necessarily undertake the considerable initial expense to obtain the protection in the first place.

Whether it makes sense to construct a comprehensive trade secrets protection regime for your IP will depend on your willingness to commit to full implementation and enforcement, and that willingness may itself depend on the type of property at issue. If that property likely will become obsolete within the patent term (generally, 20 years) just by virtue of the market in which it competes, then it may make more sense to seek protection from other sources. If that is not the case, though, trade secrets protection could be the most appropriate means of protecting your IP.

Intellectual Property Enforcement or Witch-hunt?

Recently, the Coalition Against Counterfeiting and Piracy (CACP), a group consisting of heavy-hitting IP stakeholders, such as the Recording Industry Association of America, the Business Software Alliance (BSA), the Software and Information Industry Association (SIIA), and the U.S. Chamber of Commerce, announced its intent to push for rapid improvements in what it perceives to be universally lax enforcement of U.S. laws protecting IP rights. At a news conference on Thursday, June 14, the CACP, through its Chairman, NBC Universal general counsel Rick Cotton, announced that under this "aggressive, comprehensive" effort, the CACP would seek to increase resources for governmental investigation and enforcement of criminal IP laws, to "reform civil and judicial process" (whatever that means), and to educate consumers.

Generally speaking, few would quarrel with the notion that intellectual property is a valuable and important property interest, fully deserving of strong protection. However, in announcing this new, altruistically-titled "Campaign to Protect America," Mr. Cotton verbally expressed a degree of fanaticism that is, in practice, characteristic of many industry organizations that cite to the public interest to justify their sometimes indiscriminate targeting of alleged IP infringers. Mr. Cotton said:


Our law enforcement resources are seriously misaligned...If you add up all the various kinds of property crimes in this country, everything from theft, to fraud, to burglary, bank-robbing, all of it, it costs the country $16 billion a year. But intellectual property crime runs to hundreds of billions a year.

Never mind the personal stress and often life-long sense of unease that can follow a home invasion or burglary, not to mention a mugging. Never mind the complete financial devastation that can come in the wake of white-collar crimes that lead to the evaporation of a worker's life savings. Never mind the fact that "bank-robbing" often also involves immediate public danger flowing from the use of deadly weapons and, on occasion, subsequent police chases. Clearly, these concerns are trifles compared to the bottom-line cost of IP crimes, and they should not serve to divert our valuable public resources away from the identification, apprehension and prosecution of those who would infringe IP rights. Right?

At least Mr. Cotton was kind enough to limit his generalization to "property crimes."

Statements like these should make clear to any business targeted and accused of "piracy" by organizations such as the BSA or the SIIA that the IP "defenders" are more likely to be interested in making examples of their targets, rather than reaching a solution that truly accounts for all the facts (not the least of which is the usually confusing and even deceptive way that software publishers in particular undertake to license and market their content). If your business has been accused of "pirating" software, it is immensely important that you know whom you are dealing with before you divulge any information or sign any agreement.

A copy of the CACP’s press release can be found here.

Preventing Data Breach and the GLBA: The Safeguards Rule

“Safeguarding information is not a product, but a process.” – Thomas J. Smedinghoff

The GLBA’s Safeguards Rule requires financial institutions to conduct a thorough risk assessment of their security measures and design a comprehensive information security program to protect nonpublic personal information. Specifically, the Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive information security program that is written… and contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The statutory objective of the Safeguards Rule is to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

An Information Security Program Must be Appropriate.

The Safeguards Rule requires an institution to develop, implement, and maintain a comprehensive information security program that is written, contains administrative, technical and physical safeguards, is “appropriate” to the institution’s size and complexity, as well as the nature and scope of its activities, and is appropriate to the sensitivity of the customer information at issue. Therefore, an institution may exercise some latitude in developing its security program. While some critics may view this subjective standard as unenforceable, the FTC places a high level of responsibility upon financial institutions to keep up with the latest technology and the constant bombardment of potential identity thieves.

A Thorough Risk Assessment is Required.

The FTC requires companies to conduct a thorough risk assessment and address such risks to customer information in all areas of their operation, including administrative, technical, and physical safeguards. As part of the risk assessment, the Safeguards Rule requires an institution to:


  • Designate someone to coordinate the information security program;

  • Perform a thorough risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.


Reactions to the Safeguards Rule were mixed. Many companies carefully considered the costs of compliance compared to the costs of non-compliance. In fact, John Eubank, president of Nationwide Mortgage Group, evaluated whether to close his company because it would cost him $70,000 to comply with the Safeguards Rule and approximately $250,000 to fight the FTC if he elected not to comply. The $250,000 did not include potential fines.

Another important factor for institutions to consider is the potential discoverability of risk assessments. If internal employees prepare the risk assessments, those assessments could be admitted as evidence, if they are relevant in court proceedings. For example, if a technical professional prepared a risk assessment indicating that the company should replace the firewall, and a security breach or data breach resulted due to the firewall before it could be replaced, the security assessment may be a damaging piece of evidence. To avoid potential discovery issues, companies should determine whether they could have their risk assessments covered by the attorney-client or the attorney work-product privileges. The rules regarding these privileges are state specific and should be examined carefully with experienced counsel.

Employee Training and Management.

The cost of compliance is related to employee training and management. A financial institution’s risk assessment should:


  • Check employee references and perform background checks;

  • Require employees to sign a confidentiality agreement;

  • Limit employee access to sensitive customer information;

  • Use password-activated screen savers to lock employee computers;

  • Encrypt customer files on laptops and other computers in case of theft;

  • Impose disciplinary measures for security policy violations;

  • Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names.


The FTC noted in one of its publications that “the success of your information security plan depends largely upon the employees who implement it.”

Information Systems.

Second, the Safeguards Rule requires a financial institution to assess its information systems, including network and software design, as well as information processing, storage, transmission, and disposal. A financial institution’s written information security plan should include both technology concerns and the physical storage and destruction of nonpublic personal information. For example:


  • Know where sensitive customer information is stored and store it securely;

  • Ensure that the computer or server is accessible only by using a “strong” password and is kept in a physically secure area;

  • Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area;

  • Take affirmative steps to secure transmission of customer information;

  • Encrypt customer data if it is necessary for you to transmit such information by email or Internet;

  • If you collect information online directly from customers, secure the data transmission automatically;

  • Dispose of customer information consistent with the FTC’s Disposal Rule.


Plan for System Attacks.

Third, the Safeguards Rule requires a financial institution to detect, prevent, and respond to attacks, intrusions, or other system failures. A financial institution must remain constantly vigilant, and employ the latest security measures and technology in order to adequately protect its network. The FTC Guidance report suggests that financial institutions:


  • Monitor the websites of software vendors and relevant industry publications for news about emerging threats and available defenses;

  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information;

  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information;

  • Take affirmative steps to preserve the security, confidentiality, and integrity of customer information and consider notifying consumers, law enforcement, and credit bureaus in the event of a security breach or data breach;

  • Oversee service providers by ensuring that they are able to take appropriate security precautions and in fact do so;

  • Update the security program as necessary in response to frequent monitoring and material changes in the business.


Implementing and Maintaining the Information Security Program.

Finally, the Safeguards Rule requires a financial institution to design and implement information safeguards to control the risks identified and regularly test and monitor the effectiveness of the information security program’s key controls, systems, and procedures. This duty also includes overseeing third-party service providers by taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and requiring the service providers to contractually agree to implement and maintain such controls. The Safeguards Rule requires a financial institution to evaluate and adjust its information security program in response to its system test results or in response to any changes in its operations or business circumstances.

As Congress attempts to keep pace with the information age and balance the needs of commerce with those of individual protection, the Gramm-Leach-Bliley Act continues to evolve. Financial institutions must be aware of new Federal agency opinions as well as changing state laws. The Privacy and Safeguards Rules allow financial institutions to adopt policies and procedures that are appropriate for their specific needs and size, but the costs of compliance are often great. The costs of non-compliance can be even greater. As technology advances, so does the level of appropriateness a financial institution is required to maintain. Protecting the privacy of consumer information is not only good for business, it’s a legal duty.

June 20, 2007

Preventing Data Breach and the GLBA: The Privacy Rule

“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”- 15 U.S.C.A. § 6801.

In 2006 an estimated 9 million American adults were the victims of identity theft at a total cost of $56.6 billion. There are a number of legislative efforts designed to protect the privacy, security, and confidentiality of customer data. One such law, the Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. The GLBA charged the Federal Trade Commission (the “FTC”), and other government agencies that regulate financial institutions, with the duty to enforce, carry out, and implement the GLBA.

The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies, who obtain or attempt to obtain personal financial information under false pretenses.

The Financial Privacy Rule.

The Financial Privacy Rule (the “Privacy Rule”) applies to financial institutions that collect and receive nonpublic personal information from consumers, and requires them to disclose and provide a written notice of their policies and procedures to their customers, stating how the customer’s nonpublic personal information is protected and shared. The privacy notice must also provide consumers with a reasonable opportunity to “opt-out” of any information sharing, if required by statute.

The term “financial institution” is defined as any business that is significantly engaged in activities that are financial in nature, as well as companies that receive information that is “incidental” or “complementary” to such financial activity. Financial activities include, but are not limited to lending, exchanging, transferring, investing for others, safeguarding money or securities, providing financial, investment, or economic advice, underwriting, dealing in or making a market in securities, non-bank mortgage lending, real estate settlement services, credit counseling, check-cashing services and individual tax return services.

Notice Requirements: Clear and Conspicuous.

First and foremost the privacy notice must be “clear and conspicuous.” This means that the notice must be understandable and designed to call attention to the nature and significance of the information within the notice. For example, the notice must use easily readable font, present the information in clear, concise sentences, using definite, everyday words, and short, explanatory sentences whenever possible. Similarly, any changes in the privacy policy must be clear and conspicuous and the consumer must be reasonably notified of such changes.

Disclosure Obligations: Consumer v. Customer.

The type and frequency of the notice is dependent on whether the information belongs to a “consumer” or a “customer.” The primary distinction between a consumer and a customer depends upon the relationship that exists between the individual and the financial institution.

A “consumer” is an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. Typically, however, a consumer has a limited, “one time” connection with the financial institution. For example, a consumer may be an individual who uses an automatic teller machine to withdraw cash from an account he or she may have at another financial institution, or the consumer obtains a loan from a company that does not retain the rights to service the loan.

A financial institution is only required to send a privacy notice when it shares or intends to share the consumer’s nonpublic personal information with a nonaffiliated third party. Therefore, if a financial institution does not share or intend to share the consumer’s information with a nonaffiliated third party, no privacy notice is required.

A “customer” is a consumer who has a “continuing relationship” with the financial institution. It is the nature of the relationship, not how long it lasts, that defines a customer. For example, a customer may have a deposit or investment account with a bank, obtain a loan, purchase an insurance product or hold an investment account through a brokerage or investment company. If the consumer relationship is a principal one, then the consumer is also a customer.

Financial institutions are required to provide customers with a privacy notice as soon as the customer relationship is established, whether or not the institution plans to share the customer’s nonpublic personal information. Additionally, the institution is required to provide its customer with a privacy notice annually for as long as the customer relationship exists. For purposes of the Privacy Rule, a former customer is considered a consumer.

Required Information.

The privacy notice must accurately reflect the institution’s information collection and sharing practices. The privacy notice must contain the following:


  1. The categories of nonpublic personal information the institution collects;

  2. The categories of nonpublic personal information the institution discloses;

  3. The categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information (with certain statutory exceptions);

  4. The categories of nonpublic personal information the institution discloses about its former customers and the categories of affiliates and nonaffiliated third parties with which the institution shares its former customer information (with certain statutory exceptions);

  5. If an institution shares nonpublic personal information with a nonaffiliated third party, the institution is required to provide a separate statement of the categories of information the institution discloses and the categories of third parties with whom the institution contracted;

  6. An explanation of the customer’s rights to opt-out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;

  7. Any disclosures an institution makes pursuant to the Fair Credit Reporting Act; and

  8. An institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.


In other words, a financial institution must provide written notice of its privacy policies and practices, describe the conditions under which the institution may disclose the consumer’s nonpublic personal information to nonaffiliated companies, and provide a method for consumers to opt-out of such information sharing, if required by law. The GLBA defines nonpublic personal information as “personally identifiable financial information provided by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise by the financial institution” (e.g., first and last name, home address, email address, telephone number, Social Security number, credit card account number, and a customer number held in a “cookie” that identifies an individual consumer).

The Opt-Out Notice and its Exceptions: What is Required in an Opt-Out Notice?

If a financial institution intends to share nonpublic personal information with a nonaffiliated third party, the institution must provide its consumers with an opportunity to “opt-out” and instruct the institution not to share his or her nonpublic personal information in most instances. This opt-out notice is required to be delivered to the consumer within a reasonable time and must be included or incorporated within the privacy notice itself. Just like the privacy notice, the opt-out notice must be clear and conspicuous and state that: (1) the institution reserves the right to disclose the consumer’s nonpublic personal information to a nonaffiliated third party; (2) that the consumer has the right to opt-out; and (3) provide a reasonable means by which the consumer may opt-out. For example, an institution may provide the consumer with a toll-free telephone number or a detachable form which includes a check-off box and mailing information. However, the FTC determined that requiring a consumer to write a letter as the sole means to opt-out fails to meet the reasonable means standard.

The Exceptions to the Opt-Out Notice: Service Providers and Joint Marketing.

Financial institutions often contract with outside service providers to perform certain ordinary business functions such as data processing or servicing accounts. The opt-out requirements do not apply when financial institutions share information with service providers who perform such services or ordinary business functions on the institution’s behalf as long as: (1) the institution provides an initial notice to the consumer; and (2) the institution enters into a contractual agreement with the service provider that prohibits it from disclosing or using the information, other than to carry out the function for which it was hired. These service provider contracts should specify the appropriate use of consumer nonpublic personal information, the requirements for safeguarding such personal information, and expressly prohibit any unauthorized and unlawful use of personal information. This exception also applies to third parties who perform joint marketing services, such as the marketing of an institution’s own products and services or financial products offered by one or more affiliated financial institutions. Again, there must be a contractual agreement with the financial institution that carries out any joint marketing expressly prohibiting the disclosure of information, other than what is necessary in the ordinary course of business.

Servicing Transactions.

A second exception to the opt-out notice requirements allows the sharing of nonpublic personal information that is necessary for a financial institution to “effect, administer, or enforce” a transaction that a customer requests or authorizes. These customer-authorized transactions include: (1) servicing or processing a financial product or service that a consumer requests or authorizes; (2) maintaining or servicing the consumer’s account, including servicing another entity such as a private label credit card program; or (3) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to the consumer. For example, the GLBA allows a financial institution to proceed with a consumer’s loan application without having to provide the consumer with an opt-out notice. The premise of this exception is that the consumer authorizes disclosure of personal information, which is necessary in order to obtain the loan(s) they requested.

Other Exceptions to Notice and Opt-Out Requirements.

Finally, Section 313.15 provides a laundry list of exceptions which allows a financial institution to disclose a consumer’s nonpublic personal information. These exceptions include:


  • When the customer consents to his or her information being shared.

  • To protect the confidentiality or security of the consumer’s records and to protect against or prevent actual or potential fraud.

  • To resolve customer disputes or inquiries.

  • To a consumer’s legally appointed representative, such as a power of attorney, or persons acting in a fiduciary capacity on the behalf of the consumer.

  • To provide information to insurance rate advisory organizations, guaranty funds, or agencies that rate the institution, persons assessing an institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.

  • To the extent permitted or required by law and in accordance with the Right to Financial Privacy Act.

  • To a consumer reporting agency in accordance with the Fair Credit Reporting Act.

  • To comply with all Federal, State or local laws, including court orders.

Preventing Data Breach and the GLBA: The Privacy Rule's Safe Harbor and Notice Requirements

“I’ll send an S.O.S. to the world… I’ll send an S.O.S. to the world… I hope that someone gets my… I hope that someone gets my… Message in a bottle…” – The Police.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. However, critics often cite that the GLBA requirements are not specific enough and are subject to interpretation.

Question: How do financial institutions know when they are complying with the GLBA’s Privacy Rule?
Answer: The Safe Harbor Rule… for now.

The Safe Harbor Rule.

The Privacy Rule does not require any specific format or uniform wording to be included in an institution’s privacy notice. Instead, the GLBA allows an institution to draft its own privacy notice as long as it is clear and conspicuous and furnishes the required information. However, Congress recognized that this broad discretion may result in some confusion. Therefore, Congress attached an appendix to the Privacy Rule that provided model language called “Sample Clauses.” With some specific industry exceptions, if a financial institution incorporated the Sample Clauses within its privacy notice, the financial institution has complied with the GLBA requirements as a matter of law.

Despite Congress’ efforts to ensure that privacy notices were clear and conspicuous, consumers and customers still complained about the notices. “Reaction to the first privacy notices delivered in July 2001 was highly negative… the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.”

On October 13, 2006, Congress passed the Financial Services Regulatory Relief Act of 2006 (the “Relief Act”). The Relief Act charged eight federal agencies (the “Agencies”) to jointly develop a uniform model privacy notice, which would address concerns expressed by financial institutions and reduce consumer confusion. Specifically, the Relief Act instructed the new model form to:


  • Be comprehensible to consumers, with a clear format and design;

  • Provide for clear and conspicuous disclosures;

  • Enable consumers to easily identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and

  • Be succinct, and use an easily readable format.


On March 29, 2007, the Agencies submitted the Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act (the “Interagency Report”). The Interagency Report proposed several model forms that are straightforward and easier to understand than most privacy notices used by institutions today. The Interagency Report, if adopted, would eliminate the existing Sample Clauses and replace them with the proposed new model form. A financial institution could still elect to use the Sample Clauses, but would no longer receive safe-harbor protection. In order to provide a transition period for institutions to adopt the proposed new model forms, the Interagency Report recommended a one-year phase-in period once the final rule becomes effective.

Notice of Data Breach.

The FTC acknowledges that “perfect security” is not attainable and that breaches in security and data breaches may occur even when every reasonable precaution is taken. The GLBA does not specifically require institutions to notify their customers of a security breach or data breach. However, the Safeguards Rule does charge institutions with an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In 2005, the FTC and other federal banking regulatory agencies adopted the Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the “Guidance”). The Guidance outlines a financial institution’s notice responsibilities when its consumers’ nonpublic personal information network is breached and highlights customer notice as a key feature of an institution’s response program.

Once a financial institution discovers that its network was breached and sensitive customer information has been or will be misused, the institution is required to notify its primary Federal regulator. Second, an institution is required to notify appropriate law enforcement authorities including filing a Suspicious Activity Report (“SAR”), when Federal criminal violations are involved. Next, if the institution determines that misuse of customer information has occurred or is likely, then the institution is required to notify its affected customers as soon as possible. However, an institution may delay customer notice if law enforcement determines that such notification will interfere with a criminal investigation. The customer notice must be clear and conspicuous and should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. The customer notification shall include:


  • A description of the incident in general terms and the type of customer information that was subject to the unauthorized access or use;

  • A description of what the institution has done to protect the customer’s information from further unauthorized access;

  • A telephone number customers may call for further information and assistance;

  • A reminder that customers need to be vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft to the institution.


The FTC Guidance report encourages, but does not require, institutions to include in their customer notice:

  • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

  • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;

  • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

  • An explanation of how the customer may obtain a credit report free of charge;

  • Information about the availability of the FTC online guidance regarding steps a consumer can take to protect against identity theft.


The Guidance also encourages institutions to notify the nationwide consumer credit reporting agencies prior to sending notices to its customers. In addition to the FTC Guidance report, many states, such as California, passed their own breach notification laws. Institutions must be aware of each state’s requirements and comply accordingly.

June 28, 2007

It’s Now Easier to Enforce Out-of-State and International Judgments in Texas

Companies concerned about being sued in one jurisdiction and having the judgment enforced in another should pay attention to a recent Texas appellate decision making it easier to enforce out-of-state judgments in Texas courts. With more businesses finding themselves doing business in more jurisdictions, both in the United States and internationally, and courts having become more willing to exercise jurisdiction based on Internet contacts, this issue has become increasingly important.

It’s often tempting to ignore a lawsuit in another jurisdiction and count on your attorneys to make it unenforceable in places where you do have assets. For instance, Texas has previously recognized a number of circumstances when its courts will refuse to enforce a judgment entered in another state. In EnviroPower, LLC v. Bear Stearns & Co, Inc., 2007 WL 1412849 (Tex. App. – Houston [1st Dist.] 2007, n.p.h.), the court made it clear that one of the ways to avoid enforcement of an out-of-state judgment – claiming the judgment is “penal” in nature – may not work very well in Texas. If your company has assets in Texas, you should be aware that a judgment entered in another jurisdiction will now be easier to get enforced in a Texas court. The decision also highlights the dangers of discovery misconduct and establishes that the consequences of such misconduct may follow you from state to state, or at least to Texas.

The case arose out of a contract dispute between Bear Stearns and EnviroPower. Bear Stearns filed suit in New York state court for breach of contract and quantum meruit, claiming that EnviroPower failed to pay it for services performed and expenses incurred. EnviroPower apparently did not play nicely when it came to responding to discovery. In fact, the New York court found that EnviroPower intentionally withheld documents, and as a sanction, the court struck EnviroPower’s answer. The New York court then held an evidentiary hearing and entered a judgment awarding Bear Stearns $1.3 million in damages.

EnviroPower had assets in Texas, so Bear Stearns filed its New York judgment in the Harris County, Texas district court. EnviroPower filed a motion to vacate the judgment, which was denied. The Houston First District Court of Appeals rejected EnviroPower’s claim that the judgment was not enforceable. Under the Full Faith And Credit Clause of the federal constitution, a state must give the same force and effect to a judgment of a sister state that it would give its own judgments. Under Texas law, when a judgment creditor files an authenticated copy of a foreign judgment, this satisfies its burden of presenting a prima facie case for enforcement of the judgment, even where the judgment is taken by default. Texas courts recognize exceptions to this rule, however, when a judgment is interlocutory, when it is subject to further modification, when the rendering state lacked jurisdiction, when the judgment was procured by fraud or is penal in nature, or when limitations has expired under Texas Civil Practice and Remedies Code section 16.066.

EnviroPower argued that the New York judgment was not enforceable because it was based on “death penalty” discovery sanctions, which had the effect of allowing the plaintiff to basically take a default. Specifically, EnviroPower claimed that by striking its answer as a discovery sanction, the sanction for discovery misconduct was penal in nature and not enforceable in a foreign jurisdiction. Generally, the question of whether another state’s actions are penal in nature turns on whether the purpose was to punish an offense against the public justice of the state or to afford a private remedy to a person injured by the wrongful act. The Texas court noted that death penalty sanctions serve as a remedy for parties harmed by another party’s wrongful actions during litigation and as a deterrent to others who might abuse discovery procedures during litigation. Such sanctions are not designed as punishment for and deterrence of a wrong to society as a whole. While death penalty sanctions are obviously a “penalty” for the litigants involved, they are not “penal” sanctions for purposes of the Full Faith and Credit Clause. The decision in EnviroPower may also have consequences in international commercial law situations, particularly international contract law disputes. In the future, litigants trying to avoid an out-of-state or international judgment will not be able to avoid the consequences of their discovery misconduct by claiming that a foreign judgment based on discovery sanctions is unenforceable.

Does the Constitution Protect the Privacy of Your E-mails?

A recent decision by the United States Court of Appeals for the Sixth Circuit prohibited the government from secretly accessing the contents of your e-mails . . . or did it? In Warshak v. United States, the Sixth Circuit affirmed an injunction prohibiting the federal government from using an order under the Stored Communications Act to get the contents of “personal e-mail” held by an ISP unless the government either provides notice and an opportunity to be heard or else makes a fact-specific showing that the account holder maintained no reasonable expectation of privacy “with respect to the ISP.” While the court’s decision specifically only applies to residents of the Southern District of Ohio, the implications of the Warshak decision will no doubt be widespread. But the language in Warshak, in particular the acknowledgement that account holders may easily waive any privacy expectations, is troubling.

Steve Warshak ran a company called Berkeley Premium Nutraceuticals selling things like penis enlargement pills and diet pills. The government began investigating him and his company and obtained court orders under the Stored Communications Act to compel two commercial ISPs to disclose material in Warshak’s e-mail accounts. The Act allows the government to compel disclosure of e-mail contents held by ISPs for more than 180 days using less process than a warrant, and, though the language is unclear, may also allow the government to obtain “opened” e-mail stored less than 180 days through similar methods. Warshak found out about the disclosure of his e-mails by the ISPs and filed a civil suit seeking declaratory and injunctive relief on the grounds that the compelled disclosure of his e-mails violated the Act and the Fourth Amendment. Warshak also sought a preliminary injunction blocking the government from using the Act to compel disclosure of the contents of e-mail with less process than a warrant in all future cases in the Southern District of Ohio. The government later indicted Warshak on 107 counts of wire fraud, bank fraud, money laundering, and assorted other crimes.

At issue in Warshak v. United States was 18 U.S.C. § 2703, which tells the government by what means it can access user records, subscriber information, and content of electronic messages. More specifically at issue was whether the government could get access to Warshak’s e-mail content under this provision without giving him prior notice. The court made it clear that a constitutional right may be violated when the government obtains the contents of your e-mails without providing notice.

In an age where millions of Americans are under constant video surveillance, our credit card activity is tracked, our personal information is for sale to millions of marketing companies, and GPS systems are ubiquitous, it was almost shocking that the Sixth Circuit found that Warshak had a “reasonable expectation of privacy” in the content of his e-mails. In its lengthy opinion, the court compared the contents of e-mails to the contents of written letters, phone conversations, and safety deposit boxes at banks. With each of these items, we have a reasonable expectation that our “intermediary service provider” (such as the US Postal Service, AT&T, and the local bank), does NOT examine the contents of our conversations, our letters, and our safes merely because they COULD have access in emergency situations. Further, the court noted that postal workers do not read the contents of our mail in the normal course of business.


The Sixth Circuit made a point to examine Warshak’s agreement with his commercial ISP and assess whether this agreement could amount to a waiver of that reasonable expectation of privacy of the e-mail’s contents with respect to the provider. The court recognized that when a user agreement specifically provides that e-mails will be monitored or audited, the user’s knowledge of this fact may well extinguish any reasonable expectation of privacy. In the absence of such statement, “the service provider’s control over the files and ability to access them under certain limited circumstances will not be enough to overcome an expectation of privacy . . ..” Warshak’s agreement with his ISP allowed access only in limited circumstances, “rather than wholesale inspection, auditing, or monitoring of e-mails.” The court further pronounced that “for now, the government has made no showing that e-mail content is regularly accessed by ISPs, or that users are aware of such access to content.” The court went on to indicate that “if the government can show, based on specific facts, that an e-mail account holder has waived his expectation of privacy vis-à-vis the ISP, compelled disclosure of e-mails through notice to the ISP ALONE would be appropriate.”

This begs the question: Have you read your agreement with your Internet Service Provider? Or, rather, did you merely bypass the scroll bar and click “AGREE”? Was there any language allowing the ISP to audit, monitor, or inspect your e-mails? If so, you may have already waived your expectation of privacy, and this big win against Big Brother no longer applies to you.

Full Opinion text – http://www.ca6.uscourts.gov/opinions.pdf/07a0225p-06.pdf

Making Intellectual Property an Effective Part of Your Due Diligence

Businesses and corporate lawyers are familiar with the need to conduct due diligence in corporate transactions. Oftentimes, however, the status of a company’s intellectual property may not be properly investigated.

A comprehensive due diligence search must include a thorough search of the company’s intellectual property, including its licensed assets, such as computer software. A company’s intellectual property is essential to valuing a company, and identifying strengths, weaknesses, and exposure to potential liabilities. Indeed, the intellectual property should be evaluated before negotiations begin.

Here are some tips for making your due diligence more effective by ensuring that it includes all intellectual property assets.

The due diligence search should include review of all documents related to the following topics:

General Intellectual Property due diligence

Identify the origins of all of the company’s IP and assure compliance with obligations related to licensed assets.

Review all threatened or pending litigation. Include review of any cease and desist letters concerning the company’s IP. Be sure to review any settlement agreements related to IP.

Software

Software is a topic that most people overlook, but it is critical to the intellectual property due diligence search. Be sure to review all software licenses used by the seller, regardless of whether the seller is the licensee or licensor, and assess the company’s software asset management program.

Patents

A schedule of all issued, pending, and abandoned U.S. and foreign patents and patent applications should be assembled. Be sure to include all applications and patents filed by the seller, currently or formerly owned by the seller, or licensed to the seller.

Evaluate the strength of the patents.

Copyrights

Review a schedule of all copyrightable works.

Review all copyright registrations and applications.

Review all licenses of copyrightable works used by the seller.

Trademarks

Review a schedule of all trademarks and service marks and trademark names registered or used by the seller.

Review all trademark searches performed or obtained in connection with the marks.

Review all licenses related to the marks.

Evaluate the strength of the trademark rights.

Trade Secrets

A description of the company’s confidential and proprietary information.

A description of methods and processes in place to protect the company’s trade secrets.

Review all agreements between seller and its employees related to confidentiality, non-disclosure, and assignments of inventions and copyrights.

About June 2007

This page contains all entries posted to Business and Technology Law in June 2007. They are listed from oldest to newest.
