Category: IP and Technology Blog

  • Companies raise money in several different phases. These phases are commonly divided
    into the following rounds: Seed, Series A, Series B, and Series C (additional rounds added if
    necessary). Each round attracts different types of investors and generally raises a higher amount
    as each round passes. In general, companies use the funds from each round for certain types of
    business activities. A detailed breakdown of each of these phases follows.


  • Seed rounds typically involve one or more of the following instruments: convertible notes,
    simple agreements for future equity (“SAFEs”), convertible preferred stock, and common stock.
    Convertible notes are the most common instrument used for seed round fundraising; however,
    SAFEs are becoming more popular. Common stock is the simplest and easiest instrument to use
    for seed rounds.


  • Introduction

    The Children’s Online Privacy Protection Act (“COPPA”) aims to protect the privacy of children under the age of 13 years old. Specifically, COPPA was enacted to address the rise of online marketers targeting children and collecting their personal data. The Federal Trade Commission (the “FTC”) is the primary government body that enforces COPPA.

    COPPA Requirements

    COPPA applies to operators of commercial websites and online services, including mobile apps, that are directed at children under the age of 13 (the “Protected Children”) which collect, use, or disclose the personal information of Protected Children. COPPA also applies to operators of any general websites or online services, including mobile apps, which have actual knowledge that they are collecting, using, or disclosing personal information of Protected Children. Collectively, the operators of both of these classes of websites and online services are referred to herein as the “Operators”. COPPA does not apply to nonprofit entities.

    Enforcement agencies apply several factors when determining whether a website or online service is “directed to children”, such that COPPA would apply. These factors include the subject matter of the website, visual content and use of animation, music and audio, advertising on the website that is directed to children, and the presence of child celebrities.

     

    “Personal Data” under COPPA is defined as any personally identifiable information, including name, physical address or other geolocation information, online contact information, screen name or username, telephone number, Social Security number, and any photograph, video, or audio file containing a Protected Child’s image or voice. Any information concerning the Protected Child that is collected and combined with any Personal Data is subject to the same protections under COPPA. Personal Data under COPPA only includes information collected from a Protected Child; COPPA does not regulate personal data about a child if it is not collected from the child.

    COPPA applies to not only websites but also mobile apps and any service that connects to the internet or a wide-area network. COPPA regulations cover network-connected video games, social media platforms, online advertisements, VoIP services, and any internet-connected mobile apps.

    COPPA regulations apply to Personal Data of Protected Children regardless of whether that data is collected voluntarily or as a mandatory condition of using the goods or services. COPPA is read broadly enough to include information that Protected Children voluntarily post on social media platforms and through other internet services.

    COPPA does not require Operators of general-audience websites or services to verify a user’s age. For those Operators, COPPA’s requirements apply only once they have “actual knowledge” that a user is a Protected Child; if a user lies about their age and the Operator has no actual knowledge to the contrary, the Operator is not in violation. Operators of services directed to children cannot rely on this rule, because their users are presumed to be Protected Children.

    COPPA sets forth the following requirements:

    Parental Consent. Operators must obtain verifiable parental consent before collecting or using Personal Data of Protected Children.

    Option to Prohibit Disclosure. Operators must give parents the option to prohibit the Operator from disclosing and/or sharing any Personal Data of the parent’s Protected Child but give consent to the Operator to collect and use internally the Personal Data of the Protected Child.

    Right to Access and Review. Operators must give parents access to the Personal Data for review.

    Privacy policy. Operators must post a clear and comprehensive privacy policy that is prominently displayed (either directly on the homepage or through a link).

     

    The following must be included:

    -Name, address, telephone number, and email address of all Operators collecting or maintaining personal information through the website/service;

    -Description of what information is collected;

    -Whether Protected Children can make Personal Data publicly available;

    -How the Operator uses collected information; and

    -Disclosure practices for collected information.

     

    A privacy policy must also explicitly state that a parent can review and have deleted any of the Protected Child’s Personal Data and prohibit the further collection and use of previously collected data.

    Enforcement, Violations, and Fines.

    Individuals who believe a COPPA violation has occurred may file a complaint online with the FTC at https://www.ftccomplaintassistant.gov. Other state and federal agencies also have the authority to enforce COPPA. Fines for violations of COPPA can reach up to $40,000 per violation.

  • Depending on the geographic region, different opt-out and opt-in rules may apply to a company that sends direct email marketing messages.

    When sending direct email marketing messages to recipients, the location of the recipient will determine which set of regulations apply. Generally, a recipient’s location is where the message will be opened.

     

    United States

    Commercial electronic communications in the United States are regulated by the CAN-SPAM Act (the “U.S. Regulations”). The U.S. Regulations cover commercial email messages whose primary purpose is the advertising or promotion of a commercial product or service. The U.S. Regulations do not govern the collection of new email addresses, and companies in the U.S. are permitted to buy lists of email addresses. The U.S. is one of the few countries that allows companies to send direct email marketing messages without first obtaining the recipient’s permission.

    The U.S. Regulations do not have an “opt-in” requirement. Companies are free to send direct email marketing messages to anyone, subject to the “opt-out” provisions.

    The U.S. Regulations require companies to include an “opt-out” option for the recipient. Each direct email marketing message must include instructions for the recipient to opt out of future messages. A company may not charge the recipient a fee to opt out, and the opt-out mechanism must remain functional for at least 30 days after the message is sent. Companies must honor opt-out requests within 10 business days. Further, the opt-out process may not require the recipient to do more than reply to the message or visit a single web page.

    There are several consumer protection mechanisms within the U.S. Regulations to guard against spam. The U.S. Regulations prohibit false or misleading header information, relaying messages through open relays without authorization, registering multiple email accounts under false pretenses, address harvesting, dictionary attacks, and other fraudulent spamming methods. Further, the subject line of the direct email marketing message must be accurate and may not mislead the recipient, and the message must identify itself as an advertisement or solicitation.

    A company must include a valid physical postal address in each message under the U.S. Regulations. This address may be a registered post office box or private mailbox.

    Violations of the U.S. Regulations can subject a company to a penalty of up to $16,000 per violation, with each non-compliant email sent counting as a separate violation. The U.S. Regulations are enforced primarily by the FTC; state attorneys general and internet service providers may also bring actions. The U.S. Regulations do not provide a private cause of action for individual recipients.

    The U.S. Regulations do not prohibit a company from encouraging a recipient to forward a direct email marketing message to non-recipients, and such forwarding is not itself regulated. Direct email marketing messages can include clickable links that can be forwarded to non-subscribing recipients. However, if a company offers an incentive, such as a discount, to the subscribing recipient to forward the message, the forwarded message becomes subject to the U.S. Regulations and the company is responsible for ensuring its compliance.

     

    Canada

    Canada’s Anti-Spam Law (the “Canadian Regulations”) regulates all commercial electronic messages, including emails. Commercial electronic messages under the Canadian Regulations include any message sent with the purpose of encouraging participation in a commercial activity. Unlike the U.S. Regulations, the Canadian Regulations apply to more than just emails: they apply to any means of telecommunication, including text messages, sound messages, and voice messages, as well as emails. Another primary difference between the Canadian Regulations and the U.S. Regulations is that the Canadian Regulations are considered “opt-in” rules, while the U.S. Regulations are considered “opt-out” rules.

    The Canadian Regulations require companies to first obtain the consent of recipients before a company is permitted to send them direct email marketing messages. This is known as the “opt-in” requirement.

    An exception to the opt-in requirement exists if there is an “existing business relationship” between the company and the recipient. A business relationship can be established in several situations, including the purchase or lease of a product or service by the recipient, the bartering of a product or service, and several other contractual arrangements between the company and the recipient. If there is an existing business relationship, consent is implied and the recipient does not need to opt in to receiving direct email marketing messages. Implied consent from a purchase or similar transaction lasts for two years from the date of that transaction (or from the end of the contract that created the relationship); messages sent after that window require express consent.

    The Canadian Regulations include an opt-out provision. Under the Canadian Regulations, companies must provide opt-out instructions within every direct email marketing message sent. Opt-out procedures must be simple and cannot require the recipient to pay a fee. Opt-out requests must be honored within 10 business days after the company receives the request.

    Spam, malware, spyware, address harvesting, and false and misleading messages are prohibited under the Canadian Regulations.

    Direct email marketing messages sent to Canadian recipients must include a valid physical postal address of the company. This information can either be included in the direct email marketing message itself or contained on a webpage whose link is clearly and prominently contained within the email.

    The Canadian Regulations went into effect in 2014 and include a transition period until July 1, 2017. During the transition period, only the Canadian Radio-television and Telecommunications Commission, the Competition Bureau, and the Office of the Privacy Commissioner of Canada may investigate and penalize companies. Once the transition period ends, the Canadian Regulations provide for a private right of action by any recipient who believes a violation has taken place. Administrative penalties for violations of the Canadian Regulations are up to $1 million per violation for individuals and up to $10 million per violation for organizations.

     

    European Union

    The European Union regulates direct email marketing messages through the ePrivacy Directive (Directive 2002/58/EC, commonly referred to as the EU opt-in directive; the “EU Regulations”), which each member state implements in its own national law.

    The EU Regulations include an “opt-in” provision. Companies may only send direct email marketing messages to EU recipients who have previously consented to such messages. Business-to-Business marketing messages are not subject to the opt-in requirement under the default EU Regulations, however, individual EU member states may extend the opt-in requirement to cover business to business communications as well.

    The EU Regulations require every direct email marketing message to include opt-out instructions. A recipient must be able to respond to the email address from which the direct email marketing message was sent from and request to opt-out.

    Under the EU Regulations, a company may not conceal or disguise the identity of the sender.

    The EU Regulations apply the same requirements to direct email marketing messages as to physical business mailings. The direct email marketing message must also include a physical return address. Direct email marketing messages sent to EU recipients should include (i) the full name of the company; (ii) the country and state/province of the company’s registration; (iii) the applicable registration number; (iv) the address of the registered office; and (v) the company’s VAT number.
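    The three regimes above reduce to a small decision procedure that a mailing system has to run before every send: check the suppression list, check whether the recipient’s jurisdiction requires prior consent and whether that consent exists (express, or implied from a recent transaction in Canada, or the B2B exemption in the EU), and check that the message itself carries the required content. The following is an added example written for this page, not code from the original post; it models the rules as the post states them and is not legal advice. The region codes, the field names on the recipient and message records, and the 730-day implied-consent window are assumptions of the example.

```python
"""Jurisdiction-aware gate for direct email marketing.

Added example, not part of the original post. It encodes the opt-in and
opt-out rules summarized in the post (U.S. CAN-SPAM opt-out, Canadian opt-in
with implied consent from an existing business relationship, EU opt-in with
the default B2B exemption) as one decision function plus a content check.
Region codes, field names and the 730-day window are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Region codes (assumption of this example).
US, CA, EU = "US", "CA", "EU"

# Canadian implied consent from a purchase lasts two years from the transaction.
# 730 days (two 365-day years, leap days ignored) is an assumption.
IMPLIED_CONSENT_WINDOW = timedelta(days=730)


@dataclass(frozen=True)
class Recipient:
    address: str
    region: str                              # US, CA or EU
    express_consent: bool = False            # recipient explicitly opted in
    last_transaction: Optional[date] = None  # CA: purchase/lease creating a business relationship
    opted_out: bool = False                  # an unsubscribe request is on file
    is_business: bool = False                # EU: business-to-business address
    member_state_extends_b2b: bool = False   # EU: member state applies opt-in to B2B as well


@dataclass(frozen=True)
class Message:
    subject: str
    postal_address: str              # valid physical postal address (required in all three regimes)
    has_opt_out_instructions: bool   # unsubscribe instructions in every message
    identified_as_ad: bool           # US: message must identify itself as an advertisement
    sender_identity_disclosed: bool  # EU: sender may not be concealed or disguised


def has_consent(r: Recipient, today: date) -> bool:
    """Opt-in test. The U.S. regime needs no prior consent; CA and EU do."""
    if r.region == US:
        return True
    if r.express_consent:
        return True
    if r.region == CA:
        # Implied consent: an existing business relationship inside the window.
        return (r.last_transaction is not None
                and today - r.last_transaction <= IMPLIED_CONSENT_WINDOW)
    if r.region == EU:
        # B2B messages are exempt from opt-in unless the member state extended it.
        return r.is_business and not r.member_state_extends_b2b
    raise ValueError(f"unknown region {r.region!r}")


def message_problems(m: Message, region: str) -> list[str]:
    """Content requirements common to all three regimes, plus per-region extras."""
    problems = []
    if not m.has_opt_out_instructions:
        problems.append("missing opt-out instructions")
    if not m.postal_address.strip():
        problems.append("missing physical postal address")
    if region == US and not m.identified_as_ad:
        problems.append("not identified as an advertisement")
    if region == EU and not m.sender_identity_disclosed:
        problems.append("sender identity concealed")
    return problems


def may_send(r: Recipient, m: Message, today: date) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). The suppression list is checked first: an
    opt-out on file blocks sending in every regime, including the U.S. one."""
    reasons = []
    if r.opted_out:
        reasons.append("recipient opted out")
    if not has_consent(r, today):
        reasons.append("no prior consent (opt-in regime)")
    reasons.extend(message_problems(m, r.region))
    return (not reasons), reasons


def demo() -> dict[str, bool]:
    """Run the gate over constructed sample recipients; returns address -> allowed."""
    today = date(2017, 1, 15)  # constructed send date
    promo = Message("Winter sale", "1 Example St, Springfield", True, True, True)
    sample = [
        Recipient("a@example.com", US),                                   # opt-out regime: allowed
        Recipient("b@example.com", CA),                                   # no consent: blocked
        Recipient("c@example.com", CA, last_transaction=date(2016, 6, 1)),  # implied consent: allowed
        Recipient("d@example.com", CA, last_transaction=date(2014, 6, 1)),  # window expired: blocked
        Recipient("e@example.com", EU, is_business=True),                 # B2B exemption: allowed
        Recipient("f@example.com", EU, is_business=True, member_state_extends_b2b=True),  # blocked
        Recipient("g@example.com", US, opted_out=True),                   # suppression list: blocked
    ]
    return {r.address: may_send(r, promo, today)[0] for r in sample}


if __name__ == "__main__":
    for address, allowed in demo().items():
        print(address, "allowed" if allowed else "blocked")
```

    The gate is deliberately conservative: an opt-out on file wins over any form of consent, and a Canadian recipient whose last transaction is older than the window is blocked until express consent is recorded, rather than relying on the relationship being “existing”. Region assignment itself (where the message will be opened) is taken as an input; the example does not try to infer it.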

     

     

  • Introduction

    Canadian regulations are generally stricter than U.S. regulations and on par with EU regulations. Two sets of Canadian laws govern the collection, storage, and use of data: the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Privacy Act (the “Privacy Act”). While the Privacy Act applies only to federal government departments, PIPEDA applies to private sector companies. In addition to federal regulations, each territory and province also has its own data protection regulations. Companies may be exempted from PIPEDA if the province in which they operate has substantially similar privacy legislation. Currently, British Columbia, Alberta, and Quebec are the only three provinces where a company may obtain a federal exemption.

     

    Federal Regulations – PIPEDA

    PIPEDA applies to all companies that collect, use, or disclose personal information in the course of commercial activity. PIPEDA is a federal act, and individual provinces may have stricter regulations that impose additional data protection requirements. Under PIPEDA, personally identifiable information (“PII”) includes age, name, ID numbers, income, ethnic origin, blood type, opinions, evaluations, comments, social status, disciplinary actions, employee files, credit records, loan records, and medical records. Among its requirements for companies that collect or use PII, PIPEDA provides that: (1) PII must be collected with consent and for a reasonable purpose; (2) PII must be used and disclosed only for the limited purpose for which it was collected; (3) PII must be accurate; (4) PII must be accessible to the individual for inspection and correction; and (5) PII must be securely stored. Companies that collect PII are fully accountable and responsible for the protection of collected PII. PIPEDA does not require data to be stored on servers physically located in Canada; however, provincial and/or industry regulations may require that data be stored within Canadian borders.

     

    PIPEDA defines “personal information” very broadly. Section 2(1) states that personal information is “information about an identifiable individual.” Information “about” an individual includes any information that relates to or concerns the individual. Further, Canadian courts have concluded that information is “personal information” if there is a serious possibility that the individual’s identity could be revealed through the use of the information, independently or in combination with other information. Personal information under PIPEDA does not include business contact information that is collected, used, or disclosed solely to communicate with the individual in relation to their employment, business, or profession.

     

    Specific PIPEDA Requirements

    PIPEDA requires businesses to deploy security measures that protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

     

    In the event of a breach of security safeguards that creates a real risk of significant harm to an individual, PIPEDA requires businesses to report the breach to the Office of the Privacy Commissioner of Canada (the “Commissioner”) and to notify affected individuals as soon as feasible. PIPEDA does permit a notice exception when law enforcement or other legal prohibitions prevent the business from making the required notices.

     

    Individual Provincial Regulations

    PIPEDA will not apply if a business operates solely in a province with its own legislation, as long as the legislation has been classified as substantially similar to PIPEDA. Alberta, British Columbia, and Quebec have legislation that has been deemed substantially similar, therefore, businesses operating in any of those three provinces will be required to comply with provincial data regulations. Businesses that do not have operations in any of those three provinces must comply with PIPEDA. If the commercial activities result in personal information crossing borders, provincial or national, then PIPEDA will apply regardless.

     

    Alberta & British Columbia

    Alberta and British Columbia each have a Personal Information Protection Act (“PIPA”), and each province has its own information and privacy commissioner. PIPA requires businesses to use reasonable security arrangements to protect personal information against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction. Alberta’s PIPA requires businesses to notify the provincial commissioner without unreasonable delay of any breach involving a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure, and grants the commissioner the power to require the business to notify the affected individuals. Reasonableness under PIPA is what a reasonable person would consider appropriate in the circumstances.

               

    Quebec

    Data regulations in Quebec are known as the Act Respecting the Protection of Personal Information in the Private Sector (“QPA”). Personal information under the QPA is any information that relates to a natural person and allows that person to be identified. QPA has similar notification requirements as PIPEDA and PIPA.

     

    Liabilities and Legal Remedies

    In the event of a data breach, businesses may be liable under PIPEDA and PIPA. PIPEDA requires that any complaints relating to a data breach be filed with the Commissioner. The Commissioner is then required to investigate and provide the parties with a report. The Commissioner’s report is not binding on the business or the complainant and only under select situations may the complainant bring a claim against the business in the Federal Court of Canada. The Commissioner cannot order a business to comply and has no power to award damages or fines in relation to a complaint submitted by an individual. The Commissioner can, however, fine a business for failure to comply with the notice requirements. Individuals can sue a business only after the Commissioner has issued its report against the business. If an individual is successful in bringing a claim against a business, the courts may award damages and require the business to correct its security practices such that they will comply with PIPEDA.


  • Open-source software allows developers to gain access to a wide array of free software which they can then modify and redistribute. However, there are several legal issues associated with open-source code. Businesses and developers who utilize open-source code should be aware of these legal issues including licensing and copyright issues, usage restrictions, warranties and liabilities, as well as other intellectual property concerns.

    In terms of licensing, businesses and developers must ensure that their use and distribution complies with the terms of the applicable license. Open-source licenses often contain “copyleft” clauses, which require that the code, and any modified or derivative versions of it, be redistributed under the same license terms under which the developer obtained it. Copyleft does not prohibit charging for copies, but a developer who modifies and redistributes copyleft code must make the modified source code available to recipients under the same terms. Many open-source licenses, such as the BSD license, require developers to retain the copyright notice and disclaimer in all copies. Copyleft licenses require the developer to disclose the source code whenever the software is distributed, so such code cannot simply be folded into a closed-source deliverable.

    The Open Source Initiative (“OSI”) definition of open source bars licenses that restrict how the software may be used, modified, or redistributed; developers must remain free to modify, copy, and redistribute the code. Developers and businesses that redistribute copyleft-licensed open-source software must therefore take care not to attach their own “terms and conditions” to it. Doing so would restrict another developer’s ability to freely modify and use the code and would breach the license under which they received it.

    Businesses and developers should consider including sufficient disclaimers regarding their use of open-source code. A basic disclaimer may read something like “this product contains open-source code and is subject to the terms of the applicable open-source license.”

    Businesses and developers may also incur liability if their product infringes on any intellectual property rights, even if the infringement results from the incorporated open-source code. Businesses should be especially careful when drafting software agreements with their clients so that both parties understand the potential risks associated with indemnification and intellectual property infringement. Generally, the business or developer who modifies and redistributes the open-source software is responsible for ensuring the terms of the applicable licensing agreement are followed.

    As a final note of caution, if a business decides to utilize open-source software, it is important that all company developers be made aware of the business’s policies regarding open-source software. Developers should always flag or disclose when and how open-source code is incorporated into a final product so that the business can ensure compliance with the applicable open-source license.

  • Open-Source Basics

    Open-source software is important not only to developers but also to end users. Open-source software opens the door (sorry) for users to many freedoms and opportunities that would not otherwise be available. Open-source software is defined as software code that is available to its users such that the users can modify and use the source code as they wish and, more importantly, distribute their own versions of the software free of restrictions or costly licensing fees. The Open Source Initiative sets forth the following criteria, all of which must be met in order for software to meet its standard as open-source:

     

    -Free Redistribution. The license may not restrict any party from selling or giving away the software, and may not require a royalty for such sale.

    -Source Code. The program must include the source code and must allow distribution in source code form as well as in compiled form.

    -Derived Works. The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the original software.

    -Integrity of the Author’s Source Code. The license may restrict distribution of source code in modified form only if it allows the distribution of patch files alongside the original source.

    -No Discrimination. The license may not discriminate against any person, group, or field of endeavor.

    -Distribution of License. The rights attached to the program must apply to everyone to whom it is redistributed without the need for an additional license agreement.

    -Not Product Specific. The rights attached to the program must not depend on the program being part of a particular software distribution.

    -No Restrictions on Other Software. The license may not place restrictions on other software distributed along with the licensed software.

    -Technology-Neutral. The license may not be predicated on any individual technology or style of interface.

     

    While most open-source software is available free of charge, developers are permitted to charge for copies if the developer allows redistribution of the software and source code.

     

    Common Open-Source Licenses

    There are several different categories of open-source software. The most common classification differentiates them by license. The GNU General Public License (the “GPL”) is a very common license, used by the Linux kernel and much of the software that ships with it. The GPL incorporates the above requirements and adds the requirement that developers who distribute modified or derivative works must also distribute the source code under the GPL. This forecloses the possibility that a developer could modify GPL code to create a “closed-source” program. Another license is the BSD license. Many view the BSD license as placing fewer restrictions on developers, because a developer can modify BSD-licensed code and create a “closed-source” program without being required to distribute the source code of the modification. Other open-source licenses include the GNU Affero General Public License, the Apache License, the MIT license, the Common Development and Distribution License, and the Mozilla Public License.

     

    Benefits of Open-Source Software

    Key benefits of open-source software include the availability of free software that can be openly modified and redistributed. These benefits can be especially useful when setting up clusters of servers. Open-source software is generally more flexible and customizable than proprietary platforms such as Microsoft Windows. Users and developers ultimately have more options when using open-source software, allowing them to customize features and create their own software for unique applications. Increased security and accountability, because anyone can inspect and audit the code, are also considered significant benefits of open-source software.


    The Open Source Initiative

    The Open Source Initiative (the “OSI”) is a public benefit corporation based in California which seeks to promote and raise awareness of the value of open-source software. The OSI seeks to maintain a consistent definition and standard of what open-source software is. Further, the OSI reviews and approves licenses for open-source software, ensuring the licenses meet its standards. The OSI seeks to bridge the gaps in the open-source community in order to bring more unity and consistency to the open-source software community. Ultimately, the OSI seeks to promote open-source’s key attributes, including higher quality software, better reliability, greater flexibility, and lower costs.

  • by 
  • With increasing awareness, regulations, and liabilities, business owners must be even more cognizant of their duties and potential liabilities surrounding data breaches. Data breaches are generally defined as any event that releases personally identifiable information (“PII”) without the consent of that individual. PII typically includes information such as name, address, birth date, passwords, and biometric data, as well as identification numbers such as Social Security numbers, bank and credit card account numbers with access codes or passwords, and driver’s license numbers. Most business owners are aware of data breaches resulting from the unauthorized access or hacking of company records; however, data breaches can also occur as a result of improperly secured networks, theft, and the use of poor security protocols and policies.

    Virtually any company that conducts business over the internet or utilizes web-based databases is at risk of being a victim of a data breach. Companies of all sizes ranging from Target to local medical practices have been targeted by hackers in recent years. These breaches can have significant impacts on businesses of all sizes. Over two dozen class action lawsuits have been filed against Target as a result of the 2013 data breach. Estimates vary, but business owners can expect data breaches to cost between $90 and $305 per record lost.

    In 2003, California was the first state to pass a law requiring entities to notify individuals impacted by a data breach. Since then, 46 other states have gone on to impose affirmative duties on businesses to notify impacted individuals. While the duties and regulations vary by state, there are several common elements.

    Most states apply these regulations to PII in electronic or hard copy. However, some states exclude password-protected information from data breach regulations while other states only include data that is reasonably likely to cause harm if exposed.

    Some states only require private entities to provide notifications of data breaches, while others require both private and government entities to provide notifications. Further, some states only require notifications of breaches when there is a reasonable likelihood that the breach will result in harm to the individual.

    Notifications must be made within a reasonable amount of time. Several states have a statutory timeframe for when notifications must be made. Generally, four to five weeks from the time the breach is discovered is regarded as a reasonable timeframe. Almost every state allows for a law enforcement exception. Under this exception, businesses are required to withhold notifications while law enforcement authorities investigate the data breaches. Generally, notifications must be provided via the mail; however, many states allow for alternative, more cost-effective methods for breaches of a certain size.

    Enforcement and penalties vary significantly based on which state law is applied. Some states permit impacted citizens to enforce the data breach laws while other states only allow for charges to be brought by the state’s attorney general. Some states allow for enforcement by both. Penalties can range from $5,000 to $250,000, with most states falling on the higher end of that range.

    Businesses of all sizes should plan for data breaches: develop policies and procedures to help prevent them, and decide in advance how to handle the required notifications and how to restore the integrity of the database after a breach.


    Below is a brief summary of Ohio, Texas, Washington, New York, and California data breach laws.

    Ohio
    Who’s regulated? Any person who owns or licenses computerized data.
    Information covered: First name or first initial and last name in combination with any of the following:
    – SSN
    – Driver’s license number
    – Account numbers in combination with passwords or access information
    *does not include any publicly available information
    Notifications: Must notify impacted Ohio residents (and credit reporting agency if breach of more than 1,000). No government notice required.
    Timing of notification: Must be given within 45 days of discovery of the breach. Permits law enforcement exception.
    Notification methods: Mail, phone, electronic notification, or substitute notice if none of the previous methods would be effective.
    Enforcement: Only enforceable by the state’s attorney general.
    Penalties: Not specified.

    Texas
    Who’s regulated? Any person or business conducting business in Texas who owns or licenses computerized data.
    Information covered: First name or first initial and last name in combination with any of the following:
    – SSN
    – Driver’s license number
    – Account numbers in combination with passwords or access information
    Or, information that identifies an individual and relates to physical or mental health, health care of the individual, or payment for health care of the individual.
    *does not include any publicly available information
    Notifications: Must notify impacted individuals (and credit reporting agencies if breach of more than 10,000). No government notice required.
    Timing of notification: Within a reasonable amount of time. Permits law enforcement exception.
    Notification methods: Mail, electronic, or other more reasonable method if the cost of providing notice under the other methods would exceed $250,000 or the breach impacts more than 500,000 people.
    Enforcement: Only enforceable by the state’s attorney general.
    Penalties: $2,000 to $50,000 per violation plus civil penalty of $100 per individual.

    Washington
    Who’s regulated? Any person or business conducting business in Washington that owns or licenses data that includes personal information.
    Information covered: First name or first initial and last name in combination with any of the following:
    – SSN
    – Driver’s license number
    – Account numbers in combination with passwords or access information
    *does not include any publicly available information
    Notifications: Must notify impacted individuals (and attorney general for breaches of more than 500 records).
    Timing of notification: Must be given within 45 days of discovery of the breach. Permits law enforcement exception.
    Notification methods: Mail, electronic, or other more reasonable method if the cost of providing notice under the other methods would exceed $250,000 or the breach impacts more than 500,000 people.
    Enforcement: Impacted individuals or the state’s attorney general may enforce.
    Penalties: Permitted to recover damages. Additional penalties for government agencies and payment processors.

    New York
    Who’s regulated? Any person or business conducting business in NY who owns or licenses computerized data.
    Information covered:
    Personal Information – any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person.
    Private Information – personal information in combination with any of the following:
    – SSN
    – Driver’s license number
    – Account numbers in combination with access information
    *does not include any publicly available information
    Notifications: Must notify impacted individuals and government (and credit reporting agencies if breach of more than 5,000).
    Timing of notification: Within a reasonable amount of time. Permits law enforcement exception.
    Notification methods: Mail, phone, or other method approved by the AG (or electronic if the individual has consented to electronic notification).
    Enforcement: Only enforceable by the state’s attorney general.
    Penalties: Damages (plus up to $10,000 per breach if the business acted recklessly or knowingly).

    California
    Who’s regulated? Any person or business conducting business in California that owns or licenses data that includes personal information.
    Information covered: First name or first initial and last name in combination with any of the following:
    – SSN
    – Driver’s license number
    – Account number in combination with password
    – Medical or health insurance information
    Notifications: Must notify impacted individuals (and attorney general for breaches of more than 500 records).
    Timing of notification: Within a reasonable amount of time. Permits law enforcement exception.
    Notification methods: Mail, electronic, or other more reasonable method if the cost of providing notice under the other methods would exceed $250,000 or the breach impacts more than 500,000 people.
    Enforcement: Impacted individuals can enforce.
    Penalties: Permitted to recover damages.


  • by 
  • The Gramm-Leach-Bliley Act (the “Act”), also referred to as the Financial Modernization Act of 1999, is a federal law designed to regulate the use of individuals’ private financial information by financial institutions. Under the Act, financial institutions are required to conform to a variety of requirements designed to protect consumers’ privacy. Financial institutions are defined as companies that offer financial products and services to individuals. This includes loan providers, firms offering financial and investment advice, as well as insurance providers. All of these institutions will fall under the Federal Trade Commission’s (“FTC”) jurisdiction under the Act as long as they are “significantly” engaged in providing financial products and services to individuals. Many of the provisions of the Act are enforced solely by the FTC and there is no private right of action explicitly granted by the Act for violations. However, many individual state privacy laws and other federal regulations provide for a private right of action that may be relevant in the event of an unpermitted disclosure of private financial information.

    The Act is made up of three components: the Financial Privacy Rule, the Safeguards Rule, and the Pretexting Protection. The Financial Privacy Rule controls financial institutions’ use, collection, and disclosure of individuals’ private information, while the Safeguards Rule requires these institutions to deploy measures to protect individuals’ private financial information. The Pretexting Protection prohibits financial institutions from using private financial information under false pretenses. Financial institutions must also distribute information to their customers regarding the measures they use to protect individuals’ private financial information and the institution’s sharing practices.

    Under the Act, there is an important difference between a “customer” and “consumer”. The primary difference between a customer and consumer is the length of the relationship between the financial institution and the individual. A customer is an individual that has a continuing, long-term relationship with a financial institution for financial services or products. Under the Act, only customers are entitled to receive privacy notices from a financial institution required under the Act. Consumers will only receive a notice upon the disclosure of the individual’s private financial information to a non-affiliated third party. Under the Act, financial institutions are required to send annual notices to customers.

    The Act requires financial institutions to provide a notice to individuals that presents a clear, conspicuous, and accurate reflection of the institution’s privacy practices. These notices only apply to information that is “nonpublic” private financial information. The notices are required to include relevant details such as what information is collected about the individual, how the information is shared, and what safeguards are in place to protect the privacy of the individual’s information.