Seyfarth Shaw, AlixPartners, and Directors Roundtable invite you to attend Cyber Risk Management Facing Boards, C-Suites & General Counsel: Prevention, Crisis Management, and Mitigating Personal Liability, a program for corporate directors, executive officers and general counsel, focused on approaches and strategies to forensic preservation of electronically stored information, as well as an expert summary of forensic technologies and methodologies used in the field.

The speakers for this program include:

The speakers will address key topics, including:

  • Cyber Attacks and Defenses
  • Governance, Compliance & Disclosure Issues
  • Potential Liability to Government and Shareholders
  • Litigation Defense and Insurance Coverage
  • Prioritizing Risk Management Dollars
  • Different Risks for Different Data Types and Industries
  • Incident Response and Planning

The program is Wednesday, May 10 from 8 to 10:30 a.m. at The City Club of San Francisco, 155 Sansome Street.

There is no fee to attend and continental breakfast will be served. To find more information and to register, click here.


Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

Do you and your firm have adequate cybersecurity to prevent yourself (and your confidential client data) from getting hacked?

On Wednesday, December 7, at 11:00 a.m. Pacific, Richard Lutkus, a partner in Seyfarth Shaw’s eDiscovery and Information Governance Practice; and Joseph Martinez, Chief Technology Officer and Vice President of Forensics, eDiscovery & Information Security at Innovative Discovery, will present “A Big Target: Cybersecurity for Attorneys and Law Firms.”

This webinar will cover the considerations that attorneys should take into account, from an information security perspective, when in possession of any client data. Coverage will include technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

This program will specifically address the following topics:

  • Information storage, retention, and remediation
  • Device management
  • Phishing and social engineering
  • Security considerations
  • Cloud storage and ethical considerations

Please join us for this informative webinar.


On July 12, 2016, the Ninth Circuit filed its published opinion in Facebook, Inc. v. Power Ventures, Inc., et al., Case No. 13-17154 (“Power Ventures”). Power Ventures is the latest in a series of decisions from the Ninth Circuit relating to the type of activities potentially giving rise to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030) (“CFAA”). Power Ventures has potentially important implications for the ways that businesses create, store, and monetize data through computers and web-based applications. Unlike the court’s Nosal line of decisions, Power Ventures is focused more on internet-based conduct that may violate the CFAA.

The underlying legal dispute between the parties began in 2008, when Facebook filed suit against Power Ventures, Inc. (“Power”) in the USDC for the Northern District of California. Power, which aggregated data from different social networking sites using, among other things, automated scripts (i.e., “scraping”), enabled people with various social media accounts to access all of their information in one place. Power used user-provided social media log-in information to import people’s information to a Power portal. In an effort to promote itself and attract users, Power then contacted via e-mail Facebook users’ friends, making it appear as if the e-mails came from Facebook.

Upon learning of Power’s activities, Facebook sent Power a cease and desist letter and used IP blocks in an attempt to prevent Power from obtaining Facebook data (IP blocking is a process by which a computer or network is directed to ignore all communications from a particular IP address). But Power continued to copy Facebook data and took measures to evade the IP blocks.

Although the Ninth Circuit analyzed whether Power’s conduct violated the federal CAN-SPAM Act (finding that it did not, and reversing District Court Judge Lucy Koh), the court’s analysis of the CFAA issues is most noteworthy. The court first walked through its United States v. Nosal CFAA decisions (from 2012 and July 5, 2016; see our coverage of these decisions here and here) to “distill two general rules” in analyzing the issue of authorized access under the CFAA:

(1) “a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly” (noting that “once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability”); and

(2) “a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA.”

Applying these rules, the court noted that Power users “arguably gave Power permission to use Facebook’s computers to disseminate messages” (further stating that “Power reasonably could have thought that consent from Facebook users to share the [Power promotion] was permission for Power to access Facebook’s computers”) (emphasis in original). Importantly, the court found that “[b]ecause Power had at least arguable permission to access Facebook’s computers, it did not initially access Facebook’s computers ‘without authorization’ within the meaning of the CFAA.”

The court declined, in a footnote, to “decide whether websites such as Facebook are presumptively open to all comers, unless and until permission is revoked expressly” (citing to a law review article asserting that “websites are the cyber-equivalent of an open public square in the physical world”).
Instead, the court found that a cease and desist letter sent to Power by Facebook expressly rescinded the permission granted by Facebook users to Power and put Power on notice that it “was no longer authorized to access Facebook’s computers.” The letter informed Power that, in Facebook’s view, Power had violated Facebook’s Terms of Use and directed Power to cease using Facebook content or otherwise interacting with Facebook through automated scripts.

Power continued to access Facebook and took steps to evade the IP blocks that Facebook put in place. The court noted discovery from the trial court that appears to reflect a concerted effort by Power to wire around Facebook’s countermeasures and a likely awareness that Power’s conduct implicated the CFAA.

To explain its finding that the Facebook cease and desist letter had revoked Power’s permission to access Facebook, the court analogized the circumstances to a person who wanted to borrow a friend’s jewelry held in a bank safe deposit box. The court said that the borrower would need permission from the bank and the safe deposit box holder to access the box if the bank had determined that it did not want the borrower on its premises (in the court’s example, because the borrower brought a shotgun to the bank when entering to access the safe deposit box).

Although the court’s analogy might have helped it better understand the technology and information flow at issue in Power Ventures, it lacks the nuance that can swirl around alleged “scraping” scenarios where there are sometimes questions concerning whether “access” under the CFAA has occurred and whether there is a protectable or property interest in the data scraped (in the court’s analogy, the jewelry was the safe deposit box holder’s property, but what was the data equivalent in Power Ventures and, under different facts, what might be the bank’s property interest?).

The court then went on to distinguish Power from its Nosal decisions and, in doing so, made some interesting observations (arguably in dictum) about the legal effect of Facebook’s Terms of Use. The court observed that “Facebook and Power had no direct relationship, and it does not appear that Power was subject to any contractual terms that it could have breached.” It is unclear whether, by making this statement, the court is saying that, by its conduct, Power and Facebook had not entered into a contract (e.g., the Facebook Terms of Use) or rather that there simply were no terms within the Terms of Use that prohibited Power’s conduct.

Notably, Facebook does not appear to have pleaded a breach of contract claim in the trial court.

In any event, whether a website’s terms of use will apply to and bind a party that attempts to “scrape” data from the website is likely to be further litigated, as traditional contract formation principles meet the evolving standards governing “browse-wrap” and “click-wrap” agreements.

This much is clear from Power Ventures: Those who use websites to conduct business would be well-served to (1) carefully consider the drafting and use of website terms of use; (2) diligently monitor their websites and associated computers/servers for any access, and the means of access, by anyone other than authorized users; and (3) where unauthorized access is detected, to act promptly to notify in writing those who have potentially made such access of the conduct alleged to be improper/unlawful and demand that such conduct cease.
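The second takeaway above, monitoring a website and its servers for access, and the means of access, by anyone other than authorized users, can be turned into a routine log review. The following is an added example and not code from the original post or from either party in the case: it parses web-server access-log lines in the common combined format, checks each source address against the operator’s own IP blocks (the countermeasure described in the case summary), flags bursts of requests that look like automated scripts, and notes non-browser user agents so that the means of access is recorded alongside the source. The log lines, the blocked range and the rate threshold are all constructed or assumed values.

```python
"""Review web-server access logs for access that an operator has not authorized.

Added example, not part of the original post. The sample log lines, the
blocklist and the rate threshold below are constructed or assumed values.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic in Apache/Nginx combined-log format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2016:10:00:01 +0000] "GET /profile/123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2016:10:00:02 +0000] "GET /profile/124 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2016:10:00:02 +0000] "GET /profile/125 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jul/2016:10:00:05 +0000] "GET /friends HTTP/1.1" 403 0 "-" "python-requests/2.9"
192.0.2.44 - - [12/Jul/2016:10:00:06 +0000] "GET /home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed blocklist: ranges the operator has already decided to block.
# A hit here means the block is not being enforced at the network edge.
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed policy: more than RATE_THRESHOLD requests from one source inside any
# WINDOW_SECONDS window is treated as likely automated-script access.
RATE_THRESHOLD = 2
WINDOW_SECONDS = 60

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_blocked(ip):
    """True if the source address falls inside any operator-blocked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_RANGES)


def max_requests_in_window(times, window):
    """Largest number of requests that fall inside any sliding window of `window` seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text):
    """Return {ip: [reasons]} for every source that merits review; quiet sources are omitted."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        if is_blocked(ip):
            reasons.append("source in blocked range reached the application")
        burst = max_requests_in_window([r["ts"] for r in recs], WINDOW_SECONDS)
        if burst > RATE_THRESHOLD:
            reasons.append(f"high request rate: {burst} requests within {WINDOW_SECONDS}s")
        # Record the means of access: user agents that do not present as a browser.
        scripted = sorted({r["ua"] for r in recs if not r["ua"].startswith("Mozilla/")})
        if scripted:
            reasons.append("non-browser user agent: " + ", ".join(scripted))
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        for reason in reasons:
            print(f"{ip}: {reason}")
```

Run against the sample, the review flags 203.0.113.10 for a burst of three requests and 198.51.100.7 both for arriving from a blocked range and for a scripted user agent, while the ordinary browser visit from 192.0.2.44 is left alone. Because the case turned on the defendant changing addresses to get around IP blocks, the rate and user-agent checks matter as much as the blocklist check: they keep flagging the same behaviour when it reappears from a new source, and the dated findings are the written record an operator would want when sending the kind of notice the third takeaway describes.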

Cyberspace and e-commerce law will continue to evolve rapidly, so banks best keep an eye out for those skilled in the programming arts along with shotgun-toting borrowers of jewelry.

On Thursday, February 25, 2016 at 12:00 p.m. Central, Seyfarth attorneys Richard D. Lutkus and James S. Yu will be joined by Joseph Martinez, Chief Technology Officer and Vice President of Forensics at Innovative Discovery, to present the second installment of the 2016 Trade Secrets Webinar series. This program will cover the considerations that attorneys should take into account when in possession of any client data. Coverage will include technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

The panel will specifically address the following topics that often arise in trade secret investigations and litigation:

  • Information Storage, Retention, and Remediation
  • Device Management
  • Phishing and Social Engineering
  • Security Considerations
  • Cloud Storage and Ethical Considerations

There is no cost to attend this program; however, registration is required.

If you have any questions, please contact events@seyfarth.com.

*CLE Credit for this webinar has been awarded in the following states: CA, IL, NJ and NY. CLE Credit is pending for GA, TX and VA. Please note that in order to receive full credit for attending this webinar, the registrant must be present for the entire session.


The Trans Pacific Partnership Agreement (“TPP”) between twelve Pacific Rim countries, including Australia and the United States, was finally made public on 5 November.

The text of the Agreement will now be reviewed by various parliamentary committees before Parliament votes on legislation to implement the Agreement in Australia, likely to be in February or March next year. If the implementing legislation is passed in Australia and the other signatory countries, the Agreement will be ratified and come into force. It is expected that it could take up to two years before the Agreement comes into force in all 12 signatory countries.

The intellectual property provisions of the TPP Agreement are contained in Chapter 18. Chapter 18 includes a number of measures designed to protect intellectual property rights, many of which reflect Australia’s current intellectual property laws. However, a number of concerns have been raised, including by the Australian Competition and Consumer Commission (ACCC), Australia’s competition regulator, in its submissions to the Productivity Commission. The ACCC is concerned that some of the provisions in Chapter 18 may “tilt the balance in favour of IP rights holders to the detriment of competition and consumers”. In addition, the ACCC has warned that the investor-state dispute settlement provisions (which give foreign companies the right to sue the Australian government for introducing laws which harm their interests) “risk impeding domestic reforms in the public interest”.

The biggest change to intellectual property law in Australia which will result if the Agreement is implemented in its current form is that Australia would be required to implement criminal procedures and penalties for acts including the unauthorised misappropriation of trade secrets. Currently in Australia the only action which can be taken against a person or company who misappropriates trade secrets is a civil claim for breach of confidence. The Agreement also does not make clear what defences will be available to those alleged to have misappropriated trade secrets, which is concerning for journalists and whistleblowers.

At this stage, it is still a case of wait and see. Various bodies are expected to conduct further analysis on the provisions of the Agreement to determine the likely impact on Australia. Also, depending on Parliament’s assessment of the implementation legislation, the Agreement may need to be renegotiated or side letters entered into to address any issues.

In recent years, data and information security breaches at major corporations have become increasingly commonplace. While general awareness may be increasing, many companies are still neglecting to address serious information security issues.

Breached data can include proprietary or confidential information, trade secrets, personally identifiable information, health-related data, privileged communications, and regulatory data.  Such data is often subject to preservation due to pending or reasonably anticipated litigation, government investigation, due diligence, or other applicable legal matter, meaning the data is routinely transferred and shared with outside counsel for analysis and support of clients’ claims and defenses.

Many law firms provide guidance regarding information governance to clients; however, more often than not, firms fail to realize that they too are responsible for following similar guidelines. Appropriate precautions must be in place throughout a firm to protect the integrity and sanctity of client data, prevent unauthorized access, and ensure timely remediation. However, firms must also have this data available for litigation response, analysis, and review. Therefore, keeping data entirely offline is rarely an option.

There are several pillars of governance that law firms should consider when examining the handling of both their own data and that of clients. As fiduciaries of their clients’ data, firms that fail to address these issues will eventually find themselves in an ethical nightmare which, when applied across a partnership, creates a considerable problem.

Continue Reading Untrusted Advisor: How Your Law Firm May Fail to Protect Your Data

While employee Lehman was employed by Experian and allegedly subject to various employment covenants, he incorporated Thorium, a competitor. After Experian laid him off, he operated Thorium. Experian sued Lehman and Thorium in a Michigan federal court, accusing them of wrongdoing including violations of the federal Computer Fraud and Abuse Act. Holding that the CFAA is intended to criminalize hacking and that Experian’s allegations of hacking were oblique at best, the court dismissed most of Experian’s claims under that statute.

Status of the case.  Because some of Experian’s common law causes of action and one of its CFAA contentions were not dismissed, discovery is proceeding. Experian Marketing Solutions, Inc. v. Lehman, Case No. 15:cv-476 (W.D. Mich., Sept. 29, 2015).

Background. Experian is part of a world-wide marketing services conglomerate that collects and analyzes business data. At the time he was laid off, Lehman was Experian’s executive vice president. He was based in Grand Rapids, Michigan, and was authorized to access the company’s computer files. As a condition of his initial hire, and again later in connection with settlement of a claim he brought against the company while still its employee, he executed non-compete, non-solicitation, and confidentiality agreements. He allegedly violated those agreements and the CFAA by creating and operating Thorium and by downloading Experian’s confidential information (both while he was an Experian employee and after he was laid off) to a hard drive that the company had provided to him. He also was accused of violations by purportedly instructing three Experian employees, whom Thorium later hired, to provide him with data from Experian’s computers, and by erasing all information on Experian’s hard drive before returning it.

Broad and narrow interpretations of the CFAA.  Federal courts are divided on the meaning of the phrases “[access] without authorization” and “exceeds authorized access” as used in the CFAA with respect to computers.  Four courts of appeal have interpreted the statute broadly, ruling that the purpose for accessing a computer is relevant in determining whether access was authorized.  Two federal appellate courts disagree.

The Sixth Circuit Court of Appeals.  The Sixth Circuit has not ruled definitively as to the meaning of those statutory phrases.  However, that court seemed to signal that it favored the majority position when it wrote, in a 2011 decision (quoting from a 2009 Ninth Circuit opinion), that “an individual who is authorized to use a computer for certain purposes but goes beyond those limitations . . . has exceed[ed] authorized access.”  Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Amer., 648 F.3d 295, 304.

The ruling in Experian.  Concluding that the Sixth Circuit has not weighed in definitively on the meaning of “authorized” as used in the CFAA, and that the quote from Pulte Homes is mere dicta, the district court found the minority interpretation to be the most satisfying.  Since Lehman was “authorized” to access Experian’s computers when he downloaded its confidential data before he was laid off, the court held that the CFAA was not violated regardless of what he did with the data.  Similarly, the court ruled that the defendants did not violate the statute by obtaining, from three Experian employees who had “authorization” to access its computers, the company’s proprietary secrets after Lehman was terminated.  Although his continued use of an Experian computer after he was terminated clearly was not “authorized,” such use was held to be not actionable under the CFAA because Experian failed to allege that he or Thorium thereby obtained anything of value.

One of Experian’s CFAA claims was not dismissed.  The allegation that Lehman caused “impairment to the integrity or availability of data” by wiping the hard drive clean before returning it was held to state a statutory violation.

Takeaways. A CFAA claim for unauthorized use of a computer not based on hacking is likely to be dismissed in the Fourth and Ninth circuits. Four other Courts of Appeal — the First, Fifth, Seventh and Eleventh — disagree, holding that the CFAA also prohibits accessing a computer for an unauthorized purpose even though the user has authority to use the computer. Individual district court judges in the circuits that have not ruled have reached varying decisions on this issue. Eventually, either Congress must amend the statute to resolve these inconsistencies or the U.S. Supreme Court may be asked to do so. In the meantime, litigants and their counsel can only guess how those circuit courts which have yet to decide, and the district courts in those circuits, will rule.

While season-long fantasy sports leagues have long been in existence, the emergence of daily fantasy sports (“DFS”) has been relatively recent. DFS allows participants to enter daily contests for money where a salary cap is used to “draft” a team and compete against anywhere from one to hundreds of thousands of other participants. Points are allocated based on each player’s respective performance (e.g., receiving yards, touchdowns, etc.) and winners receive cash payouts that can be in the millions.

If the ever-present commercials did not make you aware already, DFS is big business.  Reports indicate that the industry collected approximately $2.6 billion in entry fees this year and may reach as much as $2 billion in revenues by 2020.

On October 5, 2015, the nascent industry was rocked when the New York Times reported that an employee of Draft Kings, the current market leader, used proprietary information regarding player usage in Draft Kings’ contests to win $350,000 in a contest hosted by competitor Fan Duel.  The industry, and Draft Kings in particular, have since come under a flood of criticism for a lack of internal controls and running a rigged game.

The information that was allegedly misused by the Draft Kings employee is player usage data — the percentages that particular players are “drafted” by contest participants. This information is neither public nor available by any lawful means until changes to a participant’s line-up are “locked” and cannot be changed. By having this information prior to being “locked” in, a DFS participant would get an unfair advantage by being able to calculate a line-up around the players that are owned by existing participants, and thus may have a statistically higher chance of winning certain large-format contests where a unique line-up makes the chances of winning much greater.

Prior to the incident becoming public, no ban was in place prohibiting employees from playing on other sites; they were only prohibited from playing in contests hosted by their employers.  The amount of money at stake, however, raises significant questions about how DFS trade secrets may be misappropriated and misused.  Risks include not only employees misusing insider information regarding player usage to compete in competitor’s games, but also leaks to an insider’s friends and family or an employee unfairly competing through an account set-up under an alias.

This scandal evidences the need for public-facing companies in particular to make sure that adequate measures are taken to safeguard company trade secrets and confidential information. Draft Kings in particular has come under criticism for a lack of internal controls and safeguards to prevent the unauthorized access and use of its non-public information. If sufficient safeguards are put into place, the threat of a trade secret claim against an employee or other user of player usage data may be used as another tool to prevent unfair competition and a corresponding loss in public confidence. Trade secret protection, however, is only available to those who establish sufficient safeguards to keep the information confidential in the first place.

While industry leaders Draft Kings and Fan Duel announced the retention of a third-party auditor to investigate their internal controls, only time will tell if the industry can regain the trust lost by this week’s news.

We are pleased to announce the webinar “Information Security Policies and Data Breach Response Plans” is now available as a podcast and webinar recording.

With the recent uptick of high-profile data breaches, and the lawsuits being filed as a result by both employees and consumers, every business should take a fresh look at its information security policies and data breach response plans with two thoughts in mind: compliance with applicable laws, and limiting liability in the event of litigation. Cybersecurity is a critical and timely issue for all businesses. If your company has employees and pays them or gives them benefits, then your company is maintaining their personally identifiable information and faces liability in the event of a data breach.

Currently, there is no comprehensive federal law that sets forth a uniform compliance standard for information security best practices or data breach response plans. Companies operating in the U.S. must comply with a patchwork of 47 different states’ laws that set forth a company’s obligations in the event of a data breach. In the wake of several high-profile data breaches, state legislators in the U.S. have been updating these state laws in the past few months, adding new requirements.

In addition to dictating how and when a company must respond in the event of a data breach in which personal information has been compromised, a number of these laws also contain substantive requirements about cybersecurity measures a company must take generally. Add into this mix that a U.S. Court of Appeals agreed with the Federal Trade Commission (FTC) that it has the right to file lawsuits against businesses that it deems have lax information security protocols – without informing companies in advance of the standard to which they will be held.

Against this backdrop, Seyfarth attorneys Karla Grossenbacher and John T. Tomaszewski provided a high-level discussion on how businesses can structure an information security program to comply with applicable law and minimize liability – since waiting for a breach is not an option. They discussed, from a legal perspective:

  • Essential components of a comprehensive information security policy;
  • Key elements of a data breach response plan including strategies for state law compliance; and
  • Best practices for dealing with third party vendors that store personally identifiable information for your company.