
Page 1: The Best Defense is a Good Data Breach Fence: Necessary ...web1.amchouston.com/flexshare/001/Laura/ACCW/WACC Tech Summit... · 6/16/2014 1 The Best Defense is a Good Data Breach Fence:

6/16/2014

1

The Best Defense is a Good Data Breach Fence:

Necessary Steps to Protect Your Network

Christin S. McMeley, Attorney, CIPP/US
Jerry L. Cochran, CISSP, CISM
Sean B. Hoar, Attorney, CIPP/US

June 3, 2014

Topics

The Breach Environment
Legal and Policy Issues
Compliance, Preparedness and Risk Management
– Risk management & compliance
– Identifying threats
  • Risk assessments
Enforcement and Litigation
– Best practices
  • Necessary to obtain cyber insurance coverage
  • May reduce liability
Vendor Contracting Issues


The Breach Environment

Some highlights from the Verizon 2014 Data Breach Investigations Report:

“The dataset that underpins the DBIR is comprised of over 63,000 confirmed security incidents …. we are no longer restricting our analysis only to confirmed data breaches…. an incident needn’t result in data exfiltration for it to have a significant impact on the targeted business.”

“2013 may be remembered as the ‘year of the retailer breach,’ but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems.”

“[W]e don’t see any industries flying completely under the radar. And that’s the real takeaway here — everyone is vulnerable ….”

“Cyber” is “increasingly THE collectively used and understood modifier for the type of attacks we discuss here.”

Existing State of Affairs

Federal
– Sector-Specific
  • Health (HIPAA)
  • Finance (GLBA)
  • Traditional Communications (Sections 222, 338 and 631 of the Communications Act)
  • Energy
– Government Limitations (Wiretap Act, ECPA, SCA, CALEA, U.S. Patriot Act, etc.)
– Consumer Protection (FTC Act)

States
– 47 Breach Notification Statutes
– Data Protection Statutes
– Data Disposal/Destruction Statutes

Contractual Requirements
– PCI DSS
– Service Provider Agreements


Many Entities Weighing in on Cyber Issues

White House / Administration
– Executive Order 13636 directing DHS and NIST to (1) identify at-risk segments of critical infrastructure; (2) develop a voluntary baseline framework for the protection of critical infrastructure against cyber threats; (3) develop a program to promote the adoption of the baseline framework; and (4) develop a process for the government to share more threat information with the private sector.
– Accompanying Presidential Policy Directive 21 directs federal agencies to take steps in furtherance of the Order and specifically identifies energy systems as “uniquely critical.”

NIST
– Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, released February 12, 2014

Many Entities Weighing in on Cyber Issues*

Executive Agencies
– Department of Homeland Security
– Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) and Cybersecurity for Energy Delivery Systems (CEDS) program
– Department of Justice

Independent Agencies
– Federal Trade Commission
– Securities and Exchange Commission
– Federal Energy Regulatory Commission (FERC) Office of Energy Infrastructure Security (OEIS) & Cybersecurity Reliability Standards and NERC CIPs
– Federal Communications Commission (FCC) Communications Security, Reliability and Interoperability Council (CSRIC)

State Legislatures and Regulators
– California
– Public Utility Commissions

Industry “Coalitions”
– Various combinations of advertising, retail, financial and technology industry alliances formed for lobbying, information sharing, etc.

Standards Setting Organizations
– NIST
– ISO/IEC
– IETF

*Illustrative, not an exhaustive list


Many Entities Weighing in on Cyber Issues

U.S. Congress (maybe)
– Many cybersecurity-related bills pending in Congress
– HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act, would amend the SAFETY Act to provide protection for sharing threat information.
  • It was reported unanimously on Feb. 5 by the House Homeland Security Committee and sent to the full House for consideration
  • Similar legislation passed in the Senate last year, S. 1353, the Cybersecurity Act
– Best Projection?
  • White House Big Data Report
  • Continued breaches
  • FTC Commissioner Ohlhausen stated at the State of the Net Wireless Conference in early May that she is “somewhat optimistic” that Congress could pass breach legislation

How the pieces fit together

Framework/Model
– Can be more comprehensive
– Flexible/Scalable
– Risk-Based

Standards
– May be required
– Specific
– Specificity may lead to gaps


The NIST Framework

Overview
– The framework, according to NIST’s introduction, provides a “common language to address and manage cybersecurity risk,” while allowing organizations flexibility in how they implement the practices
– Meant to “complement” existing business and cybersecurity operations
– Is VOLUNTARY, but plaintiffs’ attorneys and government enforcement agencies may use the framework as a possible de facto legal standard of care for cybersecurity

Development
– NIST RFI
– 5 Workshops between May and November 2013
– 2 Drafts
– Framework released 2/12/2014

Ongoing
– “v.1”
– Executive agencies are considering incentives tied to compliance with the standards, including technical assistance, grants, cost recovery, public recognition, regulatory streamlining, and government procurement

Effects of the NIST Framework

The Framework endorses a risk-based approach to managing cyber risk; conducting a risk assessment is the fourth of seven steps recommended to improve cybersecurity programs.

A risk-based approach is also consistent with many other security standards. The Framework cites several such standards:
– NIST SP 800-53 Rev. 4,
– ISO/IEC 27001:2013,
– COBIT 5, and others. Framework, 22.


Effects of the NIST Framework

Highlights the need for communication and awareness of cybersecurity management processes, procedures, and risks throughout the organization.

A Comprehensive Security Program

A Privacy/Security Audit (Gap Assessment)
– What kind of program does the organization need?
– What are the applicable legal requirements?
– What is in place already and what should be supplemented?

A written security policy/program
– Designated Owner/Administrator
– Risk Assessments
– Administrative, Technical and Physical Controls
– Training
– Audits
– Program Assessments and Revisions
– Enforcement

An Incident Response Plan


Risks

Federal and State Enforcement
– FTC
– SEC
– DOJ
– HHS
– State Enforcement Actions

Consumer Class Actions

Shareholder Suits

Reputation/Brand/Revenue Loss
– Target: remediation costs related to the breach totaled $61 million in Q4 2013; lower stock price; litigation; loss of consumer confidence
– Some evidence that consumers’ willingness to continue doing business with a company decreases after they find out a breach has occurred

Breach Defense: Protecting Your Network from Evil Doers

Jerry Cochran
Principal security manager, Office 365 security
Microsoft


Agenda

Who wants to attack you (and your users and data…)
The Changing IT Security Landscape
Information Security Risk Management & Compliance
The Defender’s “Top 5 List” (If I could only do five things…)

[Diagram: Many Actors and Motives; Attacks Look the Same; A Shared and Integrated Domain; Consequences Hard to Predict. Actor categories shown: State vs. State Conflict; Military Espionage; Economic Espionage; Cyber Crime]


[Diagram: attacker economics]

Attacker’s gain increased by:
– Low vulnerability discovery cost
– Low exploit development cost
– Long window to recover investment

Attacker’s cost increased by:
– Difficulty in finding usable vulnerabilities
– Difficulty in developing reliable exploits
– Short window of vulnerability

Defender’s levers:
– Increase investment to find vulnerabilities
  • Remove entire classes of vulnerabilities where possible
  • Focus on automation to scale human efforts
– Increase investment to write exploits
  • Build mitigations that add brittleness to exploits
  • Make exploits impossible to write completely reliably
– Decrease opportunity to recover investment
  • Shrink window of vulnerability
  • Fewer opportunities via artificial diversity
  • Work on rapid detection & suppression of exploit usage

Source: Verizon Data Breach Report 2013
Source: Mandiant M-Trends 2013


A Shift in Security Strategy

Traditional → New Approach Required
– Uniform Asset Protection → Layered Defenses with Differentiated Asset Protection
– Perimeter-centric → Data- and Infrastructure-centric
– Collection of Controls → Purposely-engineered System of Controls
– Threat Reaction → Threat Intelligence and Management
– Defensive Purity (Keep them out) → Resilient and Secure Operations

Good References:
SBIC APT Paper - http://www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf
RSA APT Summit Findings - http://www.rsa.com/innovation/docs/APT_findings.pdf
TAO Security Effectiveness - http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html

[Diagram: GRC activities across deployment models. Columns: On-Premises (Traditional IT) and Cloud Service (IaaS, PaaS, SaaS). Rows: Compliance Obligations & Reporting; Prevent & Protect; Monitor & Detect; Respond & Eradicate; Remediate. The chart shows which activities stay with the Enterprise and which shift to the Cloud Service Provider as the model moves from on-premises to SaaS.]

GRC = Governance, Risk Management & Compliance
IaaS = Infrastructure as a Service (e.g. Azure, AWS, etc.)
PaaS = Platform as a Service (e.g. Azure)
SaaS = Software as a Service (e.g. Office 365)


Compliance and Regulatory Obligations are overwhelming IT security

Most GRC programs are really “C” programs

Is the auditor my only adversary?

Risk Management: What I Desire to Do
Governance: What I Should Do
Compliance: What I Must Do

Other notable Cybersecurity hot topics…

Encryption & Privacy in a Post-Snowden Era
Shifting Compliance Boundaries
Location of Data
Breach Disclosure and Notification
Cyber Insurance


The Defender’s “Top 5 List”

(If I could only do five things…)

#5: Know Your Enemy
#4: Start secure & Stay secure
#3: Partition or Compartmentalize Risk
#2: Plan and Practice your defense
#1: Align your defense with your adversary(s)


So you’ve done your best … but you’ve been breached … now what?

Sean B. Hoar, Attorney, CIPP/US
Davis Wright Tremaine

First, do you still doubt the risk?

If you receive, process or store sensitive data, you are a target

The primary data targets
– 96% Customer Records (Payment Card Data, PII, email addresses)
– 2% Intellectual Property
– 1% Electronic Protected Health Information
– 1% Business Financial Account Information

Why? What can be most easily monetized?

Trustwave 2013 Global Security Report, p. 8.


So what happened in 2013?

63,437 security incidents
1,367 security incidents with confirmed data loss
The security incidents and data breaches occurred across all industries
– Those that stored payment card or other financial data were the largest targets
Takeaway – “… everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.”

Verizon 2014 Data Breach Investigations Report, p. 6.

How can you reduce the cost of a breach?

Factors that reduce the cost of a breach
– strong security posture prior to breach
– incident response plan prior to breach
– consultant engaged to remediate breach
– management of data collection is centralized for privacy and security

Factors that increase the cost of a breach
– Lack of any or all of the above factors
– Data lost due to third party error
– Data breach involved lost or stolen devices
– Notifications of breach sent too quickly

2013 Cost of Data Breach Study: Global Analysis; Ponemon Institute


So how much do breaches cost?

Issuers, merchants, and acquirers of credit, debit, and prepaid cards experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year.

Card issuers lost 63% and merchants and acquirers lost the other 37%.

Business Wire, August 19, 2013, citing The Nilson Report.


So how much do breaches cost?

Global Payments, Inc. (payment processor, 2012)
– 1.5 million card data sets stolen
– $121.2 million total losses through mid-2013 (10/1/13 10-Q), net of $20 million in insurance payments, including
  • $105.5 million in professional fees, investigation and remediation costs, incentive payments to business partners, and credit monitoring and identity-protection insurance costs.
  • $35.7 million card brand fines and assessments.


So how much do breaches cost?

TJX Companies, Inc.; 2007 retailer breach
– 45.7 million card data sets stolen
– $256 million total losses (8/15/2007 Boston Globe article), including
  • Settlements of 27 lawsuits brought by more than 200 issuing banks:
    – $40.9 million - Visa and banks (USA Today report);
    – $24 million - MasterCard and banks (TJX press release)
    – $9.75 million - State attorneys general (Computer World)
    – Unspecified – customer class-action claims (TJX 9/21/07 8-K)

So how much do breaches cost?

Estimates of Target’s probable losses:
– Avivah Litan, Gartner: $420 million (PCI fines, banks’ card-replacement costs, customer costs, legal fees, credit monitoring) (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/);
– Daniel Binder, Jefferies: $400 million to $1.1 billion (PCI fines and assessments) (theflyonthewall.com, 1/30/2014)

Estimated number of individuals who did not shop at Target in early January due to the reported breach:
– 7% of pre-breach volume: 4.6 million shoppers (http://www.forbes.com/sites/prospernow/2014/01/24/amazon-sets-the-standard-for-shopper-security-while-target-struggles/)


So how much do breaches cost?

Costs for 137 insurance claims (2012 NetDiligence report):
– Range: $2k to $76 million;
– Average costs per breach: $3.7 million total
  • Average cost of legal settlements: $2.1 million
  • Average legal fees for litigation: $582k
  • Average crisis services (forensics, breach response counsel, credit monitoring): $983k

So what are my first steps?

Preparation is the best defense – development of a thorough security incident/breach response plan is critical

How do I develop a security incident/breach response plan?
– Engage privacy and security counsel to customize the plan for the scope and scale of the company
– Developing a plan will involve a thorough review of business practices pertaining to the collection, processing, and/or storing of personal information, including third party relationships, administrative practices, historical experience with security breaches, cyber insurance, etc.


So what are my first steps?

When a breach is discovered, immediately implement the security incident/breach response plan
– Contact security counsel for guidance on implementing a multi-prong approach
  • Activate forensic team to conduct risk assessment, and contain, analyze, and remediate
    – Identify target of breach, i.e. intellectual property, payment card systems, financial account information
    – Determine whether data loss occurred
      » If so, determine whether data loss has stopped
    – Determine extent of loss
  • Contact insurance provider
  • Determine whether breach notification is required
  • Determine whether law enforcement should be contacted

What do the experts recommend?

A SANS Critical Controls Gap Assessment:



Risk assessment report can be privileged

If the risk assessment is conducted by or at the direction of counsel and the primary purpose of the assessment is to determine the extent of the business’s potential liability for lost or stolen data
– The risk assessment report should be protected from discovery by the attorney-client privilege.

Cost-effective security measures

For compliance purposes, ensure you have “appropriate” security measures as required by FTC consent orders:
– Assign responsibility;
– Identify information assets;
– Conduct risk assessments;
– Select and implement responsive security controls;
– Monitor effectiveness;
– Regularly review program; and
– Address third party issues.

Thomas J. Smedinghoff, “Data Security Requirements for Non-Regulated Business Sectors,” 14th Annual Institute on Privacy and Data Security, Vol. 2, Ch. 9 (May 2013)


Cost-effective security measures

But beyond “compliance,” what will protect your digital infrastructure?

And what is “appropriate” when firewalls, anti-virus software, anti-malware protection, endpoint protection and IDPS can be bypassed by attacks that use customized malware?

Become offensively defensive
– Use layered defenses to protect high-value assets
– Constantly and actively monitor systems
– Regularly test systems for vulnerabilities
– Assume you have been or will be breached, and actively look for the evidence

Cost-effective security measures

Basic measures must be maintained, e.g.,
– Implement administrative, physical, and technical safeguards no less rigorous than those required by industry standards, including
  • ISO/IEC 27001:2005 and ISO/IEC 27002:2005 (both since superseded by the 2013 editions);
  • The HIPAA Security Rule for businesses to which the Rule applies;
  • PCI DSS 3.0 for payment card data; and
  • GLB requirements for federally regulated financial entities.


Cost-effective security measures

At a minimum:
– limit access to confidential information to authorized persons who need access;
– physically secure business facilities, data centers, paper files, servers, back-up systems, and computing equipment;
– implement authentication and access controls;
– encrypt confidential information stored on mobile devices and media and transmitted over public or wireless networks;
– segregate sensitive information and provide additional safeguards;
– implement appropriate personnel security practices, including conducting background checks; and
– provide privacy and security training to employees.

Cost-effective security measures

Data encryption is important but, depending on how it’s deployed, will not stop some attacks:
– Alleged Global Payments hacker:
  • “They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threat.”
– The alleged hacker claimed he and his colleagues had been in Global Payments’ system for 13 months, collecting data monthly.

Encryption in transit protects data on the wire; an attacker who already has a foothold inside the processing environment reads the data where it is decrypted for use, so encryption must be paired with monitoring for that foothold.

Brian Krebs, Global Payments: Rumor and Innuendo (April 2, 2012), http://krebsonsecurity.com/2012/04/global-payments-rumor-and-innuendo/.


Cost-effective security measures

Data Loss Prevention tools can help block employees and others from exfiltrating confidential data.

Employee training, coupled with tools that monitor employee activity on business networks, can also help stop careless, uninformed, and malicious employees from disclosing sensitive data.
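An added example, not part of the original presentation, of the kind of check a DLP gateway applies to outbound mail or uploads: it scans text for candidate payment card numbers, discards candidates that fail the Luhn checksum (which removes most order numbers, phone numbers and timestamps), and returns masked matches so the gateway can block the message while logging only the last four digits. The sample message, the regular expression, the function names and the block/allow policy are all constructed for this example.

```python
"""Added example (not from the presentation): a minimal data loss prevention
check for outbound text. Candidate payment card numbers (PANs) are located
with a regular expression, validated with the Luhn checksum to weed out
look-alikes such as order numbers, and returned masked. Sample message,
regex and policy are constructed for this example."""
from __future__ import annotations

import re

# A PAN is 13-19 digits, here allowed to be split by single spaces or hyphens.
# The lookarounds stop the match from starting or ending inside a longer run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a log should retain."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid PANs found in text, in order of appearance."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def dlp_verdict(text: str, max_allowed: int = 0) -> tuple[str, list[str]]:
    """Return ("block" | "allow", masked PANs); block when more than
    max_allowed valid card numbers are present."""
    pans = find_pans(text)
    verdict = "block" if len(pans) > max_allowed else "allow"
    return verdict, pans


if __name__ == "__main__":
    # Constructed outbound message: one real-looking (test) card number,
    # one order number that fails Luhn, and a phone number that is too short.
    msg = ("Hi, please charge card 4111 1111 1111 1111 exp 12/26 for "
           "order 1234-5678-9012-3456 and call 555-123-4567 with questions.")
    print(dlp_verdict(msg))            # ('block', ['************1111'])
```

Keying the verdict on the count of Luhn-valid numbers lets a policy allow a single card number in a support ticket while blocking a bulk export. Production DLP adds document fingerprinting and checks on structured exports, but the PAN detector is the control that matters most for the payment card data that dominates the breach statistics cited earlier.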


Cost-effective security measures

Ensure the software you run does not have common security flaws such as those listed in
– the CWE/SANS Top 25 Programming Errors, http://cwe.mitre.org/top25/ or http://www.sans.org/top25-programming-errors/, and
– the Open Web Application Security Project’s (OWASP) Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.


Cost-effective security measures

Technologies that may serve as part of a layered security program:
– Firewalls/next-generation firewalls;
– Intrusion prevention/detection systems (IPS/IDS);
– UTMs (firewall, IPS, anti-malware, Web filtering, etc.);
– Endpoint protection suites (anti-malware, host firewalling, filtering);
– Message hygiene filters;
– Web hygiene filters;
– Network access control (NAC);
– Data loss prevention;
– Security information and event management (SIEM)/log aggregation;
– Network vulnerability scanners/Web app scanners;
– Policy and configuration management;
– Patching and software delivery;
– Web application firewalls/database monitors;
– Penetration testing tools; and
– Strong authentication.

Diana Kelley, “Threat prevention techniques: Best practices for Threat Management,” Information Security Magazine (Sept. 22, 2012).

Cost-effective security measures

Attackers must succeed at every step of the “kill chain,” including
– reconnaissance, delivering malware, exploiting weaknesses in network defenses, installing the malware, communicating with C2 servers, and exfiltrating data.

Breaking the chain at any one step defeats the intrusion, so make the attacker’s job more difficult and more expensive at every step.
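The C2 step of the chain is where a defender who has adopted the “assume breach” posture described above gets repeated chances to notice the intruder: implants call home on a schedule, while users browse in bursts. The following added example, not from the original presentation, parses a small set of constructed outbound proxy log lines, groups connections by source host and destination, and reports pairs whose inter-connection gaps are nearly constant. The log format, hostnames, IP addresses and thresholds are all assumptions made for this example.

```python
"""Added example (not from the presentation): flag periodic outbound
connections that look like command-and-control beaconing. Implants call home
on a timer; users browse in bursts. We group proxy events by (source,
destination), measure the gaps between successive connections, and report
pairs whose gaps are nearly constant. Log format, hosts, addresses and
thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO-8601 timestamp> <src_ip> <dest_host> <bytes>".
# 10.1.4.22 polls updates.example-cdn.net every ~300 s amid normal browsing.
SAMPLE_LOG = """\
2014-06-03T09:00:00 10.1.4.22 updates.example-cdn.net 812
2014-06-03T09:00:17 10.1.4.22 news.example.com 15233
2014-06-03T09:05:00 10.1.4.22 updates.example-cdn.net 810
2014-06-03T09:07:41 10.1.4.22 mail.example.com 4093
2014-06-03T09:10:01 10.1.4.22 updates.example-cdn.net 815
2014-06-03T09:15:00 10.1.4.22 updates.example-cdn.net 808
2014-06-03T09:19:58 10.1.4.22 news.example.com 20111
2014-06-03T09:20:00 10.1.4.22 updates.example-cdn.net 811
2014-06-03T09:25:01 10.1.4.22 updates.example-cdn.net 813
2014-06-03T09:33:10 10.1.4.22 news.example.com 9921
2014-06-03T09:41:02 10.1.4.22 mail.example.com 3005
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(text, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): mean_gap_seconds} for suspiciously regular pairs.

    A pair qualifies when it has at least min_connections events and the
    population standard deviation of the gaps between them is no more than
    max_jitter times the mean gap (a small coefficient of variation).
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap:.0f}s")
```

The thresholds are a tuning decision: a low max_jitter catches naive implants, while implants that randomize their sleep interval call for longer observation windows and extra features (byte counts, URI entropy, rarity of the destination across the fleet). The check is cheap enough to run continuously over SIEM or proxy data, which is what “constantly and actively monitor” means in practice.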



Cost-effective security measures

Train users to recognize socially engineered attempts to get them to open email attachments or click on links to poisoned websites.

Regularly test users on how well they’re following anti-phishing rules.

Discipline users who refuse to learn.


Cost-effective security measures

The SANS Critical Security Controls for Effective Cyber Defense describe a step-by-step, prioritized deployment of these and other layered defenses.

The 20 SANS Critical Security Controls are:
– 1: Inventory of Authorized and Unauthorized Devices
– 2: Inventory of Authorized and Unauthorized Software
– 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
– 4: Continuous Vulnerability Assessment and Remediation
– 5: Malware Defenses
– 6: Application Software Security


Cost-effective security measures

– 7: Wireless Device Control
– 8: Data Recovery Capability
– 9: Security Skills Assessment and Appropriate Training to Fill Gaps
– 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
– 11: Limitation and Control of Network Ports, Protocols, and Services
– 12: Controlled Use of Administrative Privileges
– 13: Boundary Defense
– 14: Maintenance, Monitoring, and Analysis of Audit Logs
– 15: Controlled Access Based on the Need to Know
– 16: Account Monitoring and Control
– 17: Data Loss Prevention
– 18: Incident Response and Management
– 19: Secure Network Engineering
– 20: Penetration Tests and Red Team Exercises

See http://www.sans.org/critical-security-controls/, v.4.1, p.1 (March 2013).

Cost-effective security measures

The Consortium for Cybersecurity Action, which maintains the Controls, notes a pattern of steps organizations have taken to effectively implement the Controls:

– 1. Perform an Initial Gap Assessment – determining what has been implemented and where gaps remain for each control and sub-control.

– 2. Develop an Implementation Roadmap – selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.

– 3. Implement the First Phase of Controls – identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.

– 4. Integrate Controls into Operations – focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.

– 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.

Id. at 4.



Cost-effective security measures

The SANS Critical Security Controls “focus on automation to provide cost efficiency, measurable results, scalability, and reliability.” Id. at 3.

The SANS site lists vendors who offer tools to help implement the Controls. See http://www.sans.org/critical-security-controls/vendor-solutions.


Evaluating cyber insurance

Gaps in traditional insurance coverage:
– Intentional acts excluded (GL)
– Data is not tangible property (GL, Prop., Crime)
– Property damage required to trigger (GL)
– Theft or disclosure of intellectual property and 3d-party info. often excluded (GL)
– External hosting losses excluded (GL)
– Only money, securities, tangibles covered (Crime)
– Coverage restricted to acts in the U.S.
– Sublimits or long wait periods for losses related to viruses (Prop.)


Evaluating cyber insurance

Cyber insurance coverage to consider:
– First party:
  • Crisis management
  • Forensics
  • Business interruption
  • Remediation (notifications, credit monitoring)
  • Litigation defense
  • PCI fines and assessments
  • Regulatory fines and penalties
  • Extortion costs
– Third Party
  • “Privacy and Security,” “Media Liability”

Evaluating cyber insurance

Exclusions to watch for:
– Unencrypted data on portable devices;
– Data not on insured’s system (cloud, others);
– “Wild virus” exclusion;
– Failure to maintain system or update software;
– Short notice requirements;
– Exclusion of employee data;
– Prior acts insured “should have foreseen”; and
– Physically stolen files excluded.


Evaluating cyber insurance

Limits to watch for:
– Narrow definition of “personal information”;
– U.S. privacy statutes and regulations only;
– Coverage limited by territory where cost incurred;
– Voluntary costs excluded (coverage triggered by legal liability);
– Requirements to use specific vendors, counsel;
– Inadequate sublimit for forensics;
– Inadequate sublimit for business interruption;
– Sublimit for number of records;
– Deductibles, retentions, limits tied to “incident,” and
– Restricted right to settle.

Evaluating cyber insurance

Enhancements to consider:
– Choice of counsel
– Prior acts
– One retention for entire policy
– 1st party coverage for insured’s negligence that causes system interruption
– Limit intentional acts exclusion to control group to ensure rogue employee acts are covered
– Ensure terrorism and “acts of war” exclusions do not exclude state-sponsored thefts


Evaluating cyber insurance

Factors that affect costs of coverage:

– Industry, loss record, revenue, likelihood of loss, number of records, number of employees, geography.

How much coverage is enough?

– Benchmark to peer data for claims, considering:

• Type of records (PCI, PHI, PII, IP), number of records, company’s public profile.

Questions?

Christin S. McMeley, Attorney, CIPP/US
Davis Wright Tremaine LLP | D.C.
[email protected]

Jerry L. Cochran, CISSP, CISM
Microsoft | Seattle
[email protected]

Sean B. Hoar, Attorney, CIPP/US
Davis Wright Tremaine LLP | Portland
[email protected]


BYOD = a dual use device

Explore key legal issues:

Privacy
Wage & Hour
Trade secrets
National Labor Relations Act

Weigh advantages and disadvantages of allowing BYOD

Consider best practices for BYOD policies

Apply your knowledge

Rapid increase in the use of mobile devices by employees

Mobile phones/Smart phones
Tablets
Laptops
Non-company owned PCs
USB sticks
External hard drives
Cloud-based storage (e.g., Drop Box)
etc.


38% of companies will stop providing devices to workers by 2016.

By 2017, half of employers will require employees to provide their own devices.

Source: http://www.gartner.com/newsroom/id/2466615

Result: “Dual-Use” Device

Both personal and company data accessed and stored

Dual activities

Handling personal matters while at work – more difficult to monitor

Handling work matters while on personal time – more difficult to monitor

Upgrades: Too fast!

Lost Data

Rights affecting access and monitoring:
Privacy
NLRA Rights

Who owns data stored on personal devices?
Corporate information and trade secrets;
Personal information of employees or customers.

Duty to monitor employee conduct?
Malicious software attacks.

Compliance risks:
HIPAA;
Encryption (MA & NV);
Client demands;
e-Discovery.

Data breaches

Wage & Hour violations


Data lost – intentionally or unintentionally.

Lost or stolen devices.

Consultants use their own PCs to access your internal network.

Employees upload sensitive data to document sharing sites.

Sales teams copying customer lists to their USB before they leave the company.

Employees email themselves, or others, company information.

Employees access company email on their own device.

Employees access “company webmail” from their home PC (downloading attachments).

Employees upgrade to a new device and discard the old.

Legal/Compliance

- HIPAA
- FCRA
- ADA/FMLA/GINA
- State law
- Litigation
- International

H.R.

- Information about employees
* Hiring
* Testing
* Monitoring
* Record retention
- Ensuring compliance by employees
- Smart phones
- Social media
- Email

- E-commerce
- Vendors
- Customers
- Data breach
- Confidentiality
- Trade secrets
- Policies
- Agreements
- Whistle blowing

I.T.

- Passwords
- Access management
- Firewalls
- Malware
- Encryption

No currently broadly applicable federal privacy law

Piecemeal: HIPAA, FCRA, ECPA, SCA, CFAA, ADA, GINA, FMLA

States generally have one or more of the following:

Affirmative obligations to safeguard (e.g., MA, MD, CT, CA, TX, IL (biometric information))

Data breach notification (46 states plus some cities)

Various Social Security number protections

Data destruction requirements


Employee Privacy

Different throughout the world.

EU most restrictive.

The Remote Wipe

Accessing truly “personal” information/content

Multiple email accounts

GINA/Disability Information


Encryption.

Do you need to get possession of device?

Storage card.

Handling old devices—destruction.

Lower employee’s privacy expectation.


Key Cases:

Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (2010)

Did employee waive her attorney-client privilege by communicating with her counsel using her own private e-mail account, which was accessed via the employer’s system?

Held: The employee did not waive her privilege.


Aventa Learning, Inc. v. K12, Inc., 830 F. Supp. 2d 1083 (W.D. Wash. 2011)

Plaintiff I’s failure to assert privilege in relinquished laptop over 1.5 years later waived privilege.

Plaintiff II asserted privilege before relinquishing laptop.

Handbook’s Electronic Communications policy clearly stated "[e]lectronic communications are not private" and policy reserved the company's right "to access, search, . . . or disclose any file or stored communication."

Aventa Learning, Inc. v. K12, Inc., cont’d

Applied In re Asia Global, 322 B.R. 247, 257 (S.D.N.Y. 2005) factors:

(1) Does the company maintain a policy banning personal or other objectionable use,

(2) Does the company monitor the use of the employee's computer or email,

(3) Do third parties have a right of access to the computer or emails, and

(4) Did the corporation notify the employee, or was the employee aware, of the policy.

Aventa Learning, Inc. v. K12, Inc., cont’d

Held: Stengart rule does not apply

“Washington would also take a broader view of the waiver issue here, and adopt a balanced approach and not a non-waiver rule concerning web-based personal email accounts that are accessed through an employee's company computer or laptop.”

Held: (1) The policy was broad enough to cover personal emails from their web-based personal email accounts on company laptops or servers. (2) Any privilege that once may have applied to these communications was waived.


Washington’s Social Media Privacy Law

Employer may NOT:

Ask for login information (including username or password) for an employee’s or applicant’s personal social networking account.

Engage in “shoulder surfing.”

Compel or coerce an employee or applicant to add a person, including the employer, as a friend or contact on the person’s social networking account.

Request or require a person to alter settings affecting third party’s ability to view content.

Limited investigation exception

The law does NOT apply to an employer’s request or requirement that an employee share content of a personal networking account if ALL of the following four conditions are met:

1. Employer’s request tied to a factual determination for an investigation.

2. Employer undertakes investigation to respond to reported information about the employee’s activity on personal networking account.

3. The purpose of the investigation is –

• To ensure compliance with applicable law or prohibitions against work-related employee misconduct; or

• To investigate an allegation of unauthorized transfer of an employer’s proprietary information, confidential information or financial data to the employee’s social networking account.

4. The employer does not request or require the employee to provide his or her login information.


All employees have the right to engage in “protected, concerted activities” concerning wages, hours and other terms and conditions of employment.

“Concerted” = “engaged in, with, or on the authority of other employees, and not solely by and on behalf of the employee himself.”

“Constructive” = A single employee “seeks to initiate, induce or prepare for group action” or raises “group complaints to the attention of management.”

Can be a single employee

Can be a single listener

Expansive application of “concerted” protected activity

The “facebook” case involving one employee’s profane on-line statements about a supervisor made to “friends” who responded to such statements

Facebook = the virtual “water cooler”

Expansive application of “concerted” protected activity

In Register Guard, 351 NLRB 1110 (2007), the Board flatly stated that “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”

Late last year, an ALJ applied the Register Guard rule and upheld an employer’s blanket prohibition against using its email system for non-work-related purposes. Purple Communications, Inc. (Bogas, ALJ, Oct. 24, 2013).

BUT the General Counsel and the union have asked the Board to overturn the Register Guard rule.


Safety: Mobile device use and driving.

The Need to Control Employee Conduct:

Discrimination, harassment, retaliation.

Negligent supervision: An employer may be held liable for an employee’s wrongful acts if the employer knew or had reason to know of the risk the employment created.

Doe v. XYC Corp., 382 N.J. Super. 122 (2005)

Employee used work computer to send photos taken of step-daughter to child pornography sites.

Employer's server logs revealed that he was visiting pornographic sites on his office computer.

Employee was arrested on child pornography charges.

Mother sued on behalf of her child.

Held: Employer has an affirmative duty to investigate the employee's activities and to take prompt and effective action to stop the unauthorized activity, including termination of employment and a report to the police.

Negligent Hiring



Generally, no expectation of privacy in employer-owned phone, but what about BYOD phone?

Tracking employees using GPS and/or phone tracking ability:

Real-time updates.

Streamline travel.

Taking breaks?

Tracking time?

Tracking software/apps:

Find My iPhone:

• Features include tracking location, remote erase.

Android Lost App:

• Features include viewing SMS messages, erasing SD card, taking remote pictures.

mSpy/Webwatcher/keylogging/spyware:

• Monitor calls, track messages, read emails, “bugging”, websites visited, keystrokes typed.

Employment Specific Statute:

Conn. Gen. Stat. § 31-48d – Not limited to vehicles; must give written notice; must post notice of practice

Criminal Statutes:

Cal. Penal Code § 637.7 – Not limited to vehicles; requires consent

Tex. Penal Code Ann. § 16.06 – Limited to vehicles; cannot track without consent

Del. Code Ann. 11 § 1335(a)(8) – Limited to vehicles; cannot track without consent

Minn. St. § 626a.35 – Not limited to vehicles; requires consent


Case Law: U.S. v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012)

Held: Government’s installation of a GPS tracking device on a suspected drug trafficker's vehicle to monitor the vehicle's movements constituted an unlawful search under the Fourth Amendment.

Police exceeded the warrant's scope in both geography and length of time.

Majority’s reasoning: By physically installing the GPS device on the defendant's car, the police had committed a trespass against Jones' "personal effects" – this trespass, in an attempt to obtain information, constituted a search per se.

Could an employer’s tracking through employee’s personal cell phone constitute a common law trespass?

Unauthorized use of, or access to, records or data containing personal information.

Personal Information (PI) typically includes:

• First name or first initial and last name in combination with:

– Social Security Number
– Driver’s License or State identification number
– Account number or credit or debit card number in combination with access or security code
– Biometric Information (e.g. NC, NE, IA, WI)
– Medical Information (e.g. CA, VA)

PI typically maintained where?

– Human Resources – Applications, FMLA, Disability, etc.
– Accounting – Payroll documents.
– Benefits – Health, Vision, Dental.

Loss, theft, improper access, inadvertent disclosure:

The lost laptop/bag;

Inadvertent access;

Data inadvertently put in the “garbage;”

Theft/intentional acts;

Inadvertent email attachment;

Stressed software applications;

Rogue employees;

Remote access;

Wireless networks;

Peer to peer networks;

Vendors.


Fines, Penalties, Settlements:

State Attorneys General

• Varies by state

– Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.

– Length of notification delay: Florida imposes fines when notification is not provided within the statute’s mandated time frame (45 days). Calculate the fine as $1,000 per day for the first 30 days, and $50,000 for each 30-day period thereafter, with a maximum fine of $500,000.

Health and Human Services

• Penalties and settlements in the millions of dollars

Private Cause of Action

14 states have some form of private action

State laws may have notice or other requirements

Washington, RCW 19.255.010 – 19.255.020

• Covers unencrypted computerized data containing “personal information”

• Duty to notify triggered at discovery of a breach or notification of breach

• Expedient written or electronic notice if consistent with 15 U.S.C. § 7001

• Damages relate to actual costs re credit cards

See also, e.g., California Civil Code §§ 1798.29, 1798.82

Data loss.

Financial loss.

Public relations.

Negative publicity.

Loss in customer confidence.

It happens!

Cisco Systems in their Whitepaper titled “Data Leakage Worldwide: Common Risks and Mistakes Employees Make:”

46% of employees admitted to transferring files between work and personal computers when working from home.

13% of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.


Have a strategy.

Proxy servers to control access to file-sharing web sites and personal email accounts.

Data encryption.

Anti-virus and spyware protection.

MDM (Mobile Device Management) software and enforcement.

Employee uses phone or tablet to receive and store information

Employee uses phone or tablet to transmit or forward information

Employee or visitor uses phone to capture information (including photographs or video)

Case Law:

United States v. Howley and Roberts, 2013 U.S. App. LEXIS 2397 (6th Cir. Feb. 4, 2013)

Wyko had contract to build parts for Chinese company’s tire assembly machines; Wyko had not built such parts before

Goodyear had built such parts; Goodyear asked Wyko to repair some of its tire assembly machines

Senior engineers Howley & Roberts sent; reminded they could not use cameras at the plant, but not cautioned about cell phones

Goodyear made Howley and Roberts sign confidentiality agreements prohibiting their use or disclosure of Goodyear’s confidential information and trade secrets.


United States v. Howley and Roberts, cont’d

Howley uses his cell-phone camera to take pictures of a Goodyear machine

Howley sends photo to his Wyko email account and then Roberts forwards it to Wyko design team

Wyko’s IT manager discovers email and photo on server

IT manager sends it to Goodyear

Goodyear sends it to the FBI

Howley and Roberts were eventually tried and convicted under the Economic Espionage Act of stealing Goodyear’s trade secrets

United States v. Howley and Roberts, cont’d

Held: Although Goodyear did not confiscate Howley’s cell phone or disable picture-taking ability, its protection efforts were sufficient to show that it took reasonable efforts to protect its trade secrets.

Goodyear’s Topeka plant was surrounded by a fence and all visitors had to pass a security check point.

Visitors were required to get permission to enter the plant, to sign a secrecy agreement, and to agree not to take any pictures.

Take away? Employers that allow non-employees to access areas with confidential business information may consider requiring visitors to place an opaque sticker over the lens of their Smartphone camera or confiscating them for the length of the visit.

To help defend cases:

Wage and Hour cases:

Determine worked time using data.

Use data to identify meal and rest breaks taken.

Could be used for credibility purposes.

Harassment, discrimination and retaliation cases:

• Photographs, texts and call history to refute claims.



Possible sources of liability:

Wage & Hour

• Off the clock work: Checking email and texting.

• Compensable time?

Invasion of privacy:

• Tracking employee whereabouts after hours.

• Apps that take pictures remotely.

Destruction of data and/or evidence:

• Remote access to company’s servers.

• Deletion of photos, texts or other evidence.


E-discovery obligations with ESI

Day v. LSI Corp., No. 11-186, 2012 U.S. Dist. LEXIS 180319 (D. Ariz.)

Discrimination case becomes spoliation case

Court awards monetary sanctions and partial default against Company, based on a finding that IHC inadequately supervised discovery efforts.

Conflicting testimony from IHC and the Company’s IT personnel regarding document retention activities.

Court concluded that IHC had a “culpable mind,” and that the failure to preserve evidence prejudiced plaintiff.

“Key documents” were lost, e.g., hiring manager’s notes

A bill is being considered in France to require employees “to disconnect from remote communications tools.”

• http://www.nytimes.com/2014/04/12/world/europe/in-france-a-move-to-limit-off-the-clock-work-emails.html

Under the Fair Labor Standards Act, non-exempt employees must be paid for all time worked.

Work-related e-mails are work!


The safest legal answer:

No mobile devices for non-exempt employees

Block access by non-exempt employees to the work network

This may avoid legal risk. But it may be business blind!

Employers need to consider when there are compelling circumstances for e-mail use by non-exempt employees outside of regular working hours

Why allow it? You may not have a choice!


Expected in today’s fast paced and instant gratification environment

Tablets and Smartphones are replacing traditional PCs & laptops

Cost savings?

Employee tracking and monitoring

Improves Employee Productivity and Availability

Always reachable, employees are familiar with device functions and capabilities


Mobility

Work remotely: Home and on the road

Work/Life Balance

Good technology survey:

• 80% of people continue working after they leave the office;
• 76% of enterprises support BYOD;
• 7 extra hours/week = 365 hours/year;
• 50% check work email in bed;
• 38% at dinner table;
• 57% on family outings.

Personalization/Familiarity

Employees know their devices

Choice:

Eliminate the need for two devices.

Allow employees to choose own device.


Prevent data loss

Need to monitor v. privacy concerns

Protect trade secrets

Technical controls

Limit wage & hour violations

Consider technical controls

Enforce anti-harassment and anti-retaliation policies



Put employees on notice; consequences to employee should something happen.

Make decisions about which devices, platforms, networks can be used.

Clearly state company ownership of information.

Company ability to access and control that information.

Company ability to remove data from the device upon departure.

Remote wipe/MDM (Mobile device management).

Eligibility

Authorized Use v. Unauthorized Use?

Reimbursement

Security

Monitoring

Support

Discipline


Eligibility:

Eligibility requirements.

Device support limitations.

Risk and responsibilities.

Access limitations:

Role/Title/Geography.

Applicability of other policies.



All other workplace conduct policies apply

Conditions for reimbursement:

Device purchase and/or replacement.

Plans.

Limitations (e.g. max amount).

Substantiation of expenses.


Security:

Prohibit:

• “Jail Breaking,” “Rooting,” or unlocking

• Modifications to device hardware or operating software beyond routine updates.

Process and timing for reporting loss, theft, new device, unauthorized access, and cessation of employment:

• Remote Wipe.

Password and/or encryption requirements:

• Encryption required?

• Failed Login.

End-User (employee) support:

Define what devices are supported.

Define types of support provided:

Applications, services, scenarios.

“Self-service.”

How to request support.



Data:

Classify devices, users and data accessed.

Clarify ownership of apps and data.

Establish allowable apps and banned apps.

Employee exit procedure.

Monitoring:

Clearly communicate reasonable privacy expectations:

Reserve right to monitor.

Voluntary acceptance of program.

Explicit consent in writing.

Postings? (Walls, Login Screen, Homepage)


City of Ontario v. Quon, 130 S.Ct. 2619 (2010)

Search of text messages, sent or received on employer-issued pager, was reasonable and did not violate employee’s Fourth Amendment Rights (decided on the narrower grounds of reasonableness of search and not privacy expectations).

Employer policies concerning electronic communications… “shape the reasonable expectations” of privacy of their employees, especially to the extent such policies are clearly communicated

U.S. v. Finazzo, 2013 U.S. Dist. LEXIS 22479 (E.D.N.Y. 2/19/13)

Gov’t alleged that Finazzo, a clothing retailer executive, received illegal kickbacks from transactions between his employer and one of its vendors.

During an unrelated internal investigation, the employer discovered an email in his work account to his personal attorney, which contained a list of his personal assets, including several companies he co-owned with the vendor from whom he received the illegal kickbacks.

Held: The company’s policy, and Finazzo's knowledge of it, disposed of any claim that the email exchange with the personal attorney was private and therefore privileged


U.S. v. Finazzo, (E.D.N.Y. 2/19/13), cont’d

Company Systems are provided to serve business purposes only and are considered assets of the Company. . . Except for limited and reasonable personal use (e.g., occasional personal phone calls or e-mails), Company Systems should be used for Company business only. Any limited exceptions to this rule must be approved through the IT department. Under no circumstances may Company Systems be used for personal gain or profit; solicitations for commercial ventures; religious or political issues; or outside organizations. Company Systems may not be used to distribute chain letters or copyrighted or otherwise protected materials[.]

. . . You should have no expectation of privacy when using Company Systems. The Company may monitor, access, delete or disclose all use of the Company Systems, including e-mail, web sites visited, material downloaded or uploaded and the amount of time spent on-line, at any time without notification or your consent.

Protecting Trade Secrets and Confidential Information

Include trade secret protection in BYOD policies

Consider BYOD implications in confidentiality/non-disclosure agreements.

Limitations? Some employees may not be appropriate for BYOD
- Research Scientists
- Executives
- Sales

Termination procedures:
Remote Wipe
Inspect phone
Signed acknowledgement for return of property

GPS Tracking:

Include in policy.

No expectation of privacy in employer-owned property.

Only monitor during work hours.

Focus only on relevant information:

Impact on job performance?

Interferes with job performance?

Ignore personal information



Policy Violations:

Clear on consequences:

• “Up to and including termination.”

May need to notify business partners.

Guidelines on device configuration.

Safety (e.g. vehicle use).

Plan for breach.

Develop process for litigation preservation, data deletion, device and security updates.

Training.

Safety (e.g. vehicle use).

Plan for a data breach.

Develop process for

Litigation preservation (electronic form)

Data deletion

Device and security updates.


Address wage & hour issues for non-exempts:

Create parameters for limited use

Monitor employees to make sure they use mobile devices or access the network only within such parameters

Establish protocol for employees to record time worked

Pay for all time recorded as worked

Pay also if management has actual or constructive knowledge of off the clock e-mail work.

Give reasonable discipline for off the clock work


Training – not just the written policy!

Who is affected?

Legal

Human Resources

Finance

Communication/Employee Relations

Information Technology

Exempt/Non-exempts

Everyone!


Two-Step Legal Analytic Framework:

1. Unlawful if explicitly restricts Section 7 protected activities

2. If not explicit restriction, still Section 8(a)(1) violation if:

– Employees would reasonably construe to restrict Section 7 rights (perception)

– Rule promulgated in response to union activity (improper motivation)

– Rule has been applied to restrict Section 7 activity (application)

Develop a specific, written policy:

Establish information systems are the property of the employer – BE SPECIFIC

Consider additional steps – desktop statement, posting in common area, written consent/acknowledgement . . .

Reserve the right to monitor

Prohibit inappropriate use

Include penalties for policy violations

Train/educate employees and others – temps, I/Cs, etc.

Keep the monitoring work-related

Permit reasonable personal use



TECH monitors break room activities daily. The recording device is visible.

Cindy restocks the company-supplied coffee beans. One morning, she finds all beans are gone even though she had restocked everything the night before.

TECH HR reviews the tapes and notes Sally, Fred, and Francine taking various sealed bags of beans out of the break room.

TECH IT pulls Internet history from each employee’s Smartphone, which they also use for work. The company pays the monthly data fee for the phone.

TECH HR discovers Sally has been selling beans on eBay > 6 months.

TECH HR accesses Sally’s Facebook page by asking a co-worker Harry, who is her FB friend, to share his password.

Sally has a one-week old posting that reads, “Beans, beans, beans, the magical fruit! On sale now.”

Sally’s FB shows she is a member of the Unicorn & Rainbow Lovers Brigade, which is a political action group in Seattle.

Francine is an hourly employee.

TECH IT uses the find iPhone app for Francine’s phone.

IT discovers Francine’s phone is at a competitor’s office, ANTI-TECH, in another city, outside of business hours.

When TECH asks Francine for her phone (they are unable to do a remote download), she claims that she does not want to give them access because she has been emailing Fred about starting a union at TECH and has personal text messages to her girlfriend Cindy.

IT TECH continues to try the remote download and eventually is successful. IT discovers customer lists, sales figures, and proprietary sales tracking software in Francine’s work email account.

HR reports to TECH Legal.


Craft policies to reduce all privacy expectations

Communicate that personal texting, emailing, etc. should not interfere with job duties

Bar off the clock emails for non-exempts

Review technical controls

Encourage responsible use of devices and the Internet when discussing the company or its employees

Actually monitor on a consistent basis

Be aware of changing laws and audit policies routinely


If you’d like to receive workplace law updates and invitations to local seminars, please leave us a copy of your business card or sign-up online at www.jacksonlewis.com. Thank you!


www.bgllp.com  |   Houston      Austin      Dallas      Connecticut      New York       San Antonio      Washington, D.C.      Seattle      Dubai   London  1

Top 10 Intellectual Property Mistakes and Pitfalls 

Ed Cavazos, Partner

Erin Hennessy, Partner

Bracewell & Giuliani LLP


Top 10 Intellectual Property Mistakes and Pitfalls

1. Overlooking Hidden Risks in Non‐disclosure Agreements

2. Neglecting to Spend Some Time and Effort on Trademark Clearance

3. Believing the Open Source Software Myths

4. Failing to Properly Police Trademarks

5. Not Carefully Considering the Best Approach in Trademark Enforcement

6. Taking the “Joint Ownership” Shortcut in Negotiations

7. Agreeing to Partial or Incomplete IP Indemnity

8. Failing to Secure IP Ownership from Contractors

9. Entering into “Half‐Baked” IP Agreements 

10. Not Fully Leveraging Your Domain Name Portfolio


#1. Overlooking Hidden Risks in Non‐disclosure Agreements

• Beware of the mutual NDA

• Risks to avoid when client is primarily a discloser:

• Short Terms

• Exceptions too broad

• Residuals clauses

• Strict marking requirements

• Risks to avoid when client is primarily a recipient:

• Unintended non‐compete

• No exclusion for or acknowledgement of independent development

• NDA creates an implication of significance

• Inflexible use restrictions

• Keep track of NDAs that have been signed and revisit them to keep them current in light of current state of the relationship


#2. Neglecting to Spend Some Time and Effort on Trademark Clearance

• Conduct trademark clearance before you launch the product.

• Trademark Clearance = Risk Management


#2. Neglecting to Spend Some Time and Effort on Trademark Clearance

• Consider life‐cycle of product or service

• Not one size fits all

• Cost control


#2. Neglecting to Spend Some Time and Effort on Trademark Clearance

• Teaming Up with Marketing

• Training on Quick “Knock‐Out” Searches

• How can you turn a “no” into a “yes”?


#3. Believing the Open Source Software Myths

• The Phrase “Open Source License” Is Meaningful

“The Developers Understand All This So I Don’t Have to”

• Open Source technologies are in the public domain  

“Open Source licensing is not consistent with IP ownership”

• Contributors to open source development projects have the necessary right to contribute

“The SCO lawsuit proves the liability risk is all made up”


#3. Believing the Open Source Software Myths

• OSS is “viral” and can change proprietary code to “free” code

“You can inadvertently give away your proprietary software with bad OSS compliance”

• The GPL is a well‐written document

“Millions of adopters can’t be wrong”

• Lawyers can answer the tough questions if they spend enough time on them

“A $30,000 memo on ‘linking’ or ‘derivative works’ is a good idea”


#4. Failing to Properly Police Trademarks

• The Problem:

• Trademark owners have a duty to police trademarks or run the risk of giving infringers a strong defense 

• Must police against:

• Confusing / competitive uses

• Uses that risk turning the mark generic (“Zipper” or “Escalator”)


#4. Failing to Properly Police Trademarks

• Practice Tips:

• Search the web periodically for improper uses

• Searching the USPTO’s online TESS database of federal trademark applications and registrations

• Using Google Alerts to spot internet uses of the mark

• Following up on customer complaints or communications that are misdirected because of confusing marks

• Using a third‐party watch service

• Monitor social media

• Once issues are identified, carefully consider enforcement strategy….


#5. Not Carefully Considering the Best Approach in Trademark Enforcement

• The Problem:

• Notwithstanding the “duty to enforce,” trademark owners are not obligated to enforce against all unauthorized uses that might conflict


#6. Taking the “Joint Ownership” Shortcut in Negotiations

• Business people and contract negotiators often default to “joint ownership” when relationships become complex

• What is often carelessly characterized as “jointly owned”?

• Improvements

• New inventions resulting from working together

• Derivative works

• Inventions resulting from jointly funded work


#6. Taking the “Joint Ownership” Shortcut in Negotiations

• The Problem: Joint Ownership is a messy concept

• Patents: “In the absence of any agreement to the contrary, each of the joint owners of a patent may make, use, offer to sell, or sell the patented invention within the United States, or import the patented invention into the United States, without the consent of and without accounting to the other owners.”

• Copyrighted Works: each co‐owner of a copyright has an independent right, without obtaining the consent of the other co‐owners, to exploit the copyright but must share in proceeds

• This is often 100% different from the intent of the parties


#6. Taking the “Joint Ownership” Shortcut in Negotiations

• The solution is to thoroughly address joint ownership issues in the agreement

• Start from scratch re: respective rights of joint owners

» Freedom to use and commercialize?

» Accounting to one another?

» Approvals on who can get a license?

• Who prosecutes the patent or future inventions? Who pays? Who makes key decisions?

• Who enforces the IP rights against infringers?  Who collects judgments?  Can / should the joint‐owner be involved and to what extent?


#7. Agreeing to Partial or Incomplete IP Indemnity

• The Problem:

• In‐bound technology licenses or product purchases agreements need to have a stout indemnity against IP infringement

• Licensors / Vendors have a variety of tricks to weaken their obligations. Indemnity exclusions to be wary of: 

• knowledge qualified exclusions;

• combination exclusion;

• exclusions for technology requested by or approved by licensor/purchaser;

• Cumbersome notice / timeliness requirements


#7. Agreeing to Partial or Incomplete IP Indemnity

• Practice Tips:

• Assess actual risk, back your assessment with data and use that in negotiations

• Don’t fall for mutuality‐based arguments

• Bridge gaps with IP infringement insurance 


#8. Failing to Secure IP Ownership from Contractors

• The Problem:

• Many service agreements (development arrangements, outsourcing deals, consulting agreements, etc.) leave ownership unaddressed

• When addressed, many agreements have the contractor/provider retaining certain “ownership” rights in all or some of the work product, leaving only license rights to the hiring party


#8. Failing to Secure IP Ownership from Contractors

• Practice Tips: 

• Clarify ownership issues carefully; “work‐for‐hire”

• Beware of joint inventorship issues (need full assignments)

• Don’t be lulled into false sense of security by:

• Confidentiality provisions that allegedly protect client

• Industry exclusivity purporting to restrict developer’s use of materials to non‐competitors 


#9. Entering into “Half‐Baked” IP Agreements

• Defined: An agreement that purports to create a binding obligation, but falls short because of indefinite or open material terms

• Examples: 

• Letters of Intent that are never finalized

• License language that only indicates intent:

• “Licensor will grant…” or “Licensor shall grant.”

• See Massachusetts Eye and Ear Infirmary v. QLT Phototherapeutics, 412 F.3d 215 (1st Cir. 2005)


#9. Entering into “Half‐Baked” IP Agreements

• Practice Tips:

• Beware of LOI as a shortcut

• Draft definite language “Licensor hereby grants…”

• Beware of other “open” terms such as “a to‐be‐defined royalty…”

• Where business terms are not finalized, add a procedure that ensures finalization or spells out what happens if never accomplished


#10. Not Fully Leveraging Your Domain Name Portfolio

• Are all domain names pointing to home site?

• Monetization?

• Can legal be a revenue stream?

• Are you tracking launch of new gTLDs?


#10. Not Fully Leveraging Your Domain Name Portfolio

• Practice Tips:

• Conduct an audit of domain name portfolio

• Work with IT to ensure you are fully leveraging domain name assets

• Analyze the list of new gTLDs on ICANN’s website (gtldresult.icann.org)

• Work with company stakeholders – IT, Marketing and Legal – to determine strategy for new gTLDs

• Consider your budget and develop a measured enforcement strategy

• Register key marks with the Trademark Clearinghouse


THANK YOU!

Questions?

[email protected]

[email protected]


www.bgllp.com | Texas · New York · Washington, D.C. · Connecticut · Seattle · Dubai · London

Trial Practice in Active Patent Dockets: A Primer on Practice in E.D. Texas and D. Del.

Panelists:

• Susan Brye, Director, Corporate Counsel, Starbucks Corporation

• John Barr, Partner, Bracewell & Giuliani LLP

• Michael Chibib, Partner, Bracewell & Giuliani LLP


Patent Litigation in E.D. Tex. and D. Del.

• Remain two of the most popular jurisdictions for patent suits

• Reputations as “plaintiff‐friendly” jurisdictions

• Success rate; time to trial; damage awards; jury pool (1995‐2012)

Source: PwC 2013 Patent Litigation Study, available at http://www.pwc.com/en_us/us/forensic-services/publications/assets/2013-patent-litigation-study.pdf

District        Overall Success Rate   NPE Success Rate   Time to Trial   Median Damages Award
E.D. Tex.       57.5%                  46.7%              2.19 yrs        $10 MM
D. Del.         42.2%                  41.2%              1.94 yrs        $20.75 MM
Nat’l Average   32.4%                  24.3%              2.35 yrs        $5.5 MM


Patent Litigation in E.D. Tex. and D. Del.

• Recent defense verdicts indicate change . . . at trial

• For example, in 2013, E.D. Tex. juries returned “take nothing” defense verdicts in 11 of 15 patent suits tried

• However, E.D. Tex. and D. Del remain among the most active patent litigation dockets

• And approximately 97% of patent suits are settled pre‐trial


E.D. Tex. Gen. Order No. 14‐3: “Track B” Patent Schedule

• Applicability

– Joint election of the parties

– Sua sponte

• Accelerated Case Schedule

– Within 14 days of answer – P.R. 3‐1 infringement contentions; P.R. 3‐2 document production; all licenses and settlements*

– Within 30 days – initial disclosures; sales data for accused product*

– Within 14 days – Good faith estimate of damages*

– Within 14 days – P.R. 3‐3 invalidity contentions; P.R. 3‐4 document production

– Within 5 days – Notice of readiness for CMC

*Additional requirements to standard “Track A” schedule


Judge Robinson’s Overhauled Patent Schedule

• Beginning to look like E.D. Tex./N.D. Cal. Rules

• May be a sign of things to come

• Requiring certain disclosures prior to a status conference with the assigned magistrate judge

– Plaintiffs ‐ (1) identification of accused products; (2) damages model; and (3) identification of patents the accused products are alleged to infringe

– Defendants ‐ (1) core technical documents demonstrating how the accused products work and (2) sales figures for accused products

• Submitting the following to magistrate: (1) discovery disputes; (2) overall management of discovery; (3) motions to dismiss; (4) motions to amend; and (5) motions to transfer


Judge Robinson’s Overhauled Patent Schedule

• Specific provisions for preliminary and final infringement and invalidity contentions

• Markman hearing and decision before expert discovery

– Aspirational goal for decision 30 days after hearing

• Post‐Markman conference with the Court to discuss scope of case and narrowing of expert discovery

• Eliminating motions in limine, instead addressing evidentiary issues at the pretrial conference and during trial

• Only two patents will be presented to jury at a time


Techniques for E.D. Tex. and D. Del. Patent Trials

• Judges in E.D. Tex. often place strict time limits on patent trials

• Average patent jury trial is about 6 days in E.D. Tex.; 8 days in D. Del.; compared to national avg. of about 8.5 days

• Bench trials in D. Del. are about 5 days, and many more bench trials occur in D. Del. than other districts due to generic pharmaceutical patent cases

Source: Mark Lemley, Jamie Kendall, & Clint Martin, Rush to Judgment? Trial Length and Outcomes in Patent Cases, AIPLA Q.J., vol. 41, no. 2, pp. 169‐204 (Spring 2013)

• Recent trial in E.D. Tex. ‐ 3 unrelated patents, 4 unrelated defendants, 6 corporate reps, and 6 experts

– Each side 13 hours total to present case, including cross examination


E.D. Tex. Gen. Order No. 13‐20: Limiting Asserted Claims and Prior Art

• Adopting Model Order Focusing Patent Claims and Prior Art

• By completion of claim construction discovery, Plaintiff must limit to 10 asserted claims per patent, 32 claims total*

• Within 14 days, Defendant must limit to 12 asserted prior art references per patent, 40 references total

• No later than 28 days prior to expert reports, Plaintiff must limit to 5 asserted claims per patent, 16 claims total

• By initial expert report, Defendant must limit to 6 asserted prior art references per patent, 20 references total

• No such limitations officially in effect in Delaware

* All limits increased by 50% if only one patent is asserted


Pitfalls and Potential of Emerging Payments

Presented by:

Ryan J. Straus, Riddell Williams P.S.

Shata L. Stucky, Riddell Williams P.S.

Patrick Murck, The Bitcoin Foundation

Riddell Williams P.S.

Association of Corporate Counsel – Washington Chapter Technology Summit

June 3, 2014

Critical Concepts

• Definition of Payment

• Monetary Objects vs. Monetary Value

• Payment Mechanisms

• Paymaster

• Scope of Emerging Payments

• Money Transmission

Introduction to Payments

Definition of Payment

A payment is “an act that discharges a monetary obligation”

A monetary obligation is… an obligation to pay money, discharged by the transfer of money

Introduction to Payments

Definition of Payment #2

A payment is the “transfer of money that discharges a monetary obligation”

In modern usage, the concept of “money” includes both:

• monetary objects

• monetary value – $ in the form of claims to monetary objects held by a 3rd party

Introduction to Payments

Illustration: What does it mean to say that someone has $5?

• $5 worth of monetary objects

• right to $5 held by another person

Introduction to Payments

What is a payment?

A payment is the “transfer of money that discharges a monetary obligation”

How does the transfer of money occur?

• monetary objects = physical delivery

• monetary value = payment mechanism

How does the transfer of money occur online? Can monetary objects be delivered virtually?

The Payment Mechanism

A payment mechanism is:

• an instruction to a third party (the paymaster)

• to transfer “monetary value”

• from one party to another

A payment mechanism facilitates the transfer of claims to monetary objects

The Payment Mechanism Illustrated

[Diagram: Payer and Payee, with a Monetary Obligation Owed (+delivery) between them; the Payer sends an Instruction to the Paymaster, which transfers Monetary Value or Monetary Objects (held by third party) to the Payee; result: Debt Discharged/Credit Extended]

Core Payment Mechanisms (check, ACH, wire, card)

[Diagram: Payer, Payer’s Bank (Paymaster), Payee’s Bank, Payee]

1. Monetary Obligation Owed (+ delivery)

2. Payment Order

3. Debit Account

4. Interbank Clearing and Settlement

5. Credit Account (+ confirm)

6. Discharge Monetary Obligation

Emerging Payments

• New Third Parties

– Paymasters other than the payer’s bank

• Nontraditional Financial Institutions

• New Money

New Third Parties

E-commerce almost always involves at least one third party

Implications?

• irreversible transactions impossible

• micropayments not feasible

• privacy issues

Traditional Model = Bank Dependent

[Diagram: Payer, Payer’s Bank (Paymaster), Payee’s Bank, Payee]

1. Monetary Obligation Owed (+ delivery)

2. Payment Order

3. Debit Account

4. Interbank Clearing and Settlement

5. Credit Account (+ confirm)

6. Discharge Monetary Obligation

On Us Transactions = Cheaper

[Diagram: Payer, Payer’s Bank (Paymaster) which is also the Payee’s Bank, Payee]

1. Monetary Obligation Owed (+ delivery)

2. Payment Order

3. Debit Account

4. Interbank Clearing and Settlement

5. Credit Account (+ confirm)

6. Discharge Monetary Obligation

Nonbank Paymasters

[Diagram: Payer and Payee, with a Monetary Obligation Owed (+delivery) between them; the Payer sends an Instruction to the Paymaster, which debits Monetary Value from the Payer and credits Monetary Value to the Payee]

For this to work, both parties must have accounts with the paymaster.

Money Transmitters?

The Basics

You might be a money transmitter if:

You take funds/value from A and agree to pay them to B

AND/OR

You take funds/value from A and store it so that A can:

• make purchases from third parties

OR

• withdraw funds at a later date

Money Transmission?

[Diagram: Payer and Payee, with a Monetary Obligation Owed (+delivery) between them; the Payer sends an Instruction to the Paymaster, which transfers Monetary Value or Monetary Objects (held by third party) to the Payee; Debit Account/Extend Credit]

Regulation of Money Transmitters

Regulatory Regimes

• Consumer Protection

– Consumer Financial Protection Bureau

– States

– FTC

• Anti-Money Laundering/Terrorist Financing

– Financial Crimes Enforcement Network

Problems Solved?

E-commerce almost always involves at least one third party

Implications?

• irreversible transactions impossible

• micropayments not feasible

• privacy issues

State Consumer Protection Statutes

Yunker v. Pandora, No. 11-CV-03113 JSW (N.D. Cal. Mar. 10, 2014)

State Consumer Protection Statutes

• Adopted in more than 14 states

• Prohibit the collection of personal information “as a condition of” accepting the credit card

Questions? Please contact us any time with additional questions.

Ryan J. Straus Riddell Williams P.S. 206.389.1566 [email protected]

Shata L. Stucky Riddell Williams P.S. 206.389.1786 [email protected]