Category Archives: Electronic Communication

Advanced IP Forum for Advertising Counsel scheduled for April 2011

The American Conference Institute is hosting a new seminar that is tailored to help companies learn how to avoid advertising-related pitfalls that can weaken a company’s brand and expose the company to intellectual property litigation.  The new seminar, titled Advanced IP Forum for Advertising Counsel, will feature speakers from leading media and brand-driven companies, along with counsel who represent them.  Topics of the seminar will include:

  • strategies for resolving conflicts and avoiding patent litigation when advertising using new technologies;
  • sidestepping copyright landmines:  what the DMCA, YouTube and Hulu mean to brand media strategies;
  • licensing negotiation strategies for new media; and
  • best practices for combatting widespread IP infringement on the Internet.

The seminar will be held in New York City on April 27-28, 2011, with optional workshops on April 29.  (Full disclosure:  I am one of the speakers at the seminar.  I will discuss strategies for avoiding patent infringement claims when using new advertising technologies.) 

For more details, visit the ACI website.  Early bird registration pricing is available through February 28.

California rules that retailers may not record ZIP codes for credit card transactions; new lawsuits follow

The California Supreme Court recently ruled that ZIP codes are “personal identification information” under the state’s credit card consumer protection statute.  Accordingly, the Court ruled retailers may not collect and record ZIP codes from consumers as a condition to completing a credit card transaction. 

Just a few days later, several law firms in San Francisco and Los Angeles filed class action lawsuits against major retailers, seeking damages for alleged violations of the California law.

First enacted in 1971, the Song-Beverly Credit Card Act prohibits California retailers from …

Due Diligence 101: can customers’ personally identifiable information be transferred?

When performing due diligence in connection with a merger or acquisition, one item that should not be overlooked is the target company’s privacy policies.  If the business of the target relies on account holders, subscribers, or others who provide the business with personally identifiable information, a purchaser who ignores the target’s privacy policies may find itself purchasing a business with no ability to access the existing customer base.

This issue was recently highlighted when the Federal Trade Commission sent a warning letter to the potential purchaser of XY Magazine in a bankruptcy proceeding.  XY Magazine was a gay male youth-oriented magazine and website that, according to the FTC letter, collected “a substantial amount of personal information from its members and subscribers, including names and street addresses.”  The magazine and website touted an “Amazing Privacy Policy” and assured subscribers and members that “we never share your information with anybody”.  The FTC’s warning letter stated that transfer of customer data in a bankruptcy proceeding would contradict the privacy statements and constitute unfair or deceptive trade practices, resulting in a possible violation of Section 5 of the FTC Act.

The purchaser ultimately acquired the assets, but only after entering into a consent order in which the parties agreed to destroy all personally identifiable information before the asset transfer.

The FTC warning should serve as a reminder that purchasers should carefully review privacy policies as part of their intellectual property due diligence.  In addition, companies with a goal of being acquired should review their privacy policies to ensure that the policies will allow a successor to continue the business with the existing customer base.

New Jersey employers who monitor employees’ computer usage should consider recent court decision

The New Jersey Supreme Court recently issued a decision that caught the interest of companies across the country who are considering whether similar rulings may spread to other jurisdictions.  In Stengart v. Loving Care Agency, Inc., A-16-09, 2010 N.J. LEXIS 241 (Mar. 30, 2010), the court explained that employers may (and may not) take certain actions, and it also discussed conditions on each type of action.  Maureen Dwyer of Pepper Hamilton’s Princeton, NJ office summarized the decision and its implications for New Jersey employers in a recent article.  As Maureen writes:

The court ruled that employers may implement policies limiting personal communications on company computers, and employers may discipline employees for violating those policies.  The court also ruled that employers may review the substance of most private e-mail and computer communications, but only if the employer has implemented and communicated a detailed policy that effectively eliminates any reasonable expectation the employee may have that his or her computer communications are private. [However], the court held that employers are never free to review the substance of certain communications, in particular an employee’s confidential communications with his or her lawyer.

More details and Maureen Dwyer’s article are available at the Pepper Hamilton website via this link.

Considerations for agreements for storage of medical records

The creation and storage of electronic medical records has resulted in medical professionals generating massive amounts of data about their patients.  Privacy requirements, such as those arising under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules, mandate that this data be carefully secured from unintentional disclosure.  However, most medical professionals do not have the time or resources to implement security requirements themselves.  Because of this, it is common practice to outsource electronic medical records storage services.

My colleague Anne Newman recently wrote an article describing the items that hospitals, physician practices, and other medical professionals should consider when contracting to outsource medical records storage services.  As Anne notes in the article, agreements to outsource medical records storage must contain several features that are not typically found in agreements for other outsourcing services.

For the complete article, click here.

Companies who do business with residents of Massachusetts must consider new Massachusetts privacy standards

On March 1, 2010, new personal information protection standards took effect in Massachusetts.  The standards are published at 201 CMR 17.00 and establish requirements for anyone who owns or licenses personal information about a resident of the state of Massachusetts, regardless of whether the information is maintained in written or electronic form.

Under the regulations, anyone who owns or licenses personal information about a Massachusetts resident must “develop, implement and maintain” a comprehensive, written information security program.  The written information security program:

must contain[ ] administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

The standards require that the written program include many additional elements, including:

  • designating one or more employees as responsible for maintaining the program;
  • imposing disciplinary measures on employees who violate the policy; and
  • requiring third party service providers to implement and maintain appropriate security measures for personal information.

The standards also contain specific protocols for electronically stored personal information.

Several companies have developed software products to assist with masking of electronically stored personal information.  These include DMSuite from Axis Technology LLC, and products from Grid-Tools.  These products will not allow data holders to avoid developing an information security plan.  However, tools like these can be a useful feature of a plan when it is developed.

“The Value of Corporate Secrets” points out common failures in data security practices

Forrester Research recently published a report entitled “The Value of Corporate Secrets.”  Commissioned by Microsoft and RSA, the report studied data security practices of over 300 companies in North America, Europe and Australia to understand how those companies value sensitive information. 

The findings are revealing.  The report notes that proprietary information and trade secrets contribute nearly twice as much to corporate value as custodial data (such as customer financial information and employee medical information).  However,  corporations devote most of their security resources and budgets to protecting the custodial data.   This is because a wide array of regulations mandate the protection of medical, financial, and other custodial data, while corporations can decide for themselves how best to protect trade secrets.  Because of this, many corporations are unable to assess how effective they are in protecting proprietary information.

RSA has published the full report here.  It’s a worthwhile read for anyone who is involved in protecting a company’s intangible assets.