the best defense is a good data breach fence: necessary...
TRANSCRIPT
6/16/2014
The Best Defense is a Good Data Breach Fence:
Necessary Steps to Protect Your Network
Christin S. McMeley, Attorney, CIPP/US
Jerry L. Cochran, CISSP, CISM
Sean B. Hoar, Attorney, CIPP/US
June 3, 2014
Topics
– The Breach Environment
– Legal and Policy Issues
– Compliance, Preparedness and Risk Management
– Vendor Contracting Issues
– Enforcement and Litigation
– Risk management & compliance
– Identifying threats
• Risk assessments
– Best practices
• Necessary to obtain cyber insurance coverage
• May reduce liability
The Breach Environment
Some highlights from the Verizon 2014 Data Breach Investigations Report:
– “The dataset that underpins the DBIR is comprised of over 63,000 confirmed security incidents …. we are no longer restricting our analysis only to confirmed data breaches…. an incident needn’t result in data exfiltration for it to have a significant impact on the targeted business.”
– “2013 may be remembered as the ‘year of the retailer breach,’ but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems”
– “[W]e don’t see any industries flying completely under the radar. And that’s the real takeaway here — everyone is vulnerable ….”
– “Cyber” is “increasingly THE collectively used and understood modifier for the type of attacks we discuss here.”
Existing State of Affairs
Federal
– Sector-Specific
• Health (HIPAA)
• Finance (GLBA)
• Traditional Communications (Sections 222, 338 and 631 of the Communications Act)
• Energy
• Government Limitations (Wiretap Act, ECPA, SCA, CALEA, U.S. Patriot Act, etc.)
• Consumer Protection (FTC Act)
States
– 47 Breach Notification Statutes
– Data Protection Statutes
– Data Disposal/Destruction Statutes
Contractual Requirements
– PCI DSS
– Service Provider Agreements
Many Entities Weighing in on Cyber Issues
White House / Administration
– Executive Order 13636 directing DHS and NIST to (1) Identify at-risk segments of critical infrastructure; (2) Develop a voluntary baseline framework for the protection of critical infrastructure against cyber threats; (3) Develop a program to promote the adoption of the baseline framework; and (4) Develop a process for the government to share more threat information with the private sector.
– Accompanying Presidential Policy Directive 21 directs federal agencies to take steps in furtherance of the Order and specifically identifies energy systems as “uniquely critical.”
NIST
– Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 released February 12, 2014
Many Entities Weighing in on Cyber Issues*
Executive Agencies
– Department of Homeland Security
– Department of Energy’s Cybersecurity Capability Maturity Model (C2M2) and Cybersecurity for Energy Delivery Systems (CEDS) program
– Department of Justice
Independent Agencies
– Federal Trade Commission
– Securities and Exchange Commission
– Federal Energy Regulatory Commission (FERC) Office of Energy Infrastructure Security (OEIS) & Cybersecurity Reliability Standards and NERC CIPs
– Federal Communications Commission’s (FCC’s) Communications Security, Reliability and Interoperability Council (CSRIC)
State Legislatures and Regulators
– California
– Public Utility Commissions
Industry “Coalitions”
– Various combinations of advertising, retail, financial and technology industry alliances formed for lobbying, information sharing, etc.
Standards Setting Organizations
– NIST
– ISO/IEC
– IETF
*Illustrative, not an exhaustive list
Many Entities Weighing in on Cyber Issues
U.S. Congress (maybe)
– Many cybersecurity-related bills pending in Congress
– HR 3696, the National Cybersecurity and Infrastructure Protection Act, would amend the SAFETY Act to provide protection for sharing threat information.
• It was reported unanimously on Feb. 5 by the House Homeland Security Committee and sent to the full House for consideration
• Similar legislation passed in the Senate last year, S. 1353, the Cybersecurity Act
– Best Projection?
• White House Big Data Report
• Continued breaches
• FTC Commissioner Ohlhausen stated at the State of the Net Wireless Conference in early May that she is “somewhat optimistic” that Congress could pass breach legislation
How the pieces fit together
Framework/Model
– Can be more comprehensive
– Flexible/Scalable
– Risk-Based
Standards
– May be required
– Specific
– Specificity may lead to gaps
The NIST Framework
Overview
– The framework, according to NIST’s introduction, provides a “common language to address and manage cybersecurity risk,” while allowing organizations flexibility in how they implement the practices
– Meant to “complement” existing business and cybersecurity operations
– Is VOLUNTARY, but plaintiffs’ attorneys and government enforcement agencies may use the framework as a possible de facto legal standard of care for cybersecurity
Development
– NIST RFI
– 5 Workshops between May and November 2013
– 2 Drafts
– Framework released 2/12/2014
Ongoing
– “v.1”
– Executive agencies are considering incentives tied to compliance with the standards, including technical assistance, grants, cost recovery, public recognition, regulatory streamlining, and government procurement
Effects of the NIST Framework
The Framework endorses a risk-based approach to managing cyber risk; conducting a risk assessment is the fourth of seven steps recommended to improve cybersecurity programs.
A risk-based approach is also consistent with many other security standards.
The Framework cites several such standards:
– NIST SP 800-53 Rev. 4,
– ISO/IEC 27001:2013,
– COBIT 5, and others.
Framework, 22.
Effects of the NIST Framework
Highlights the need for communication and awareness of cybersecurity management processes, procedures, and risks throughout the organization.
A Comprehensive Security Program
A Privacy/Security Audit (Gap Assessment)
– What kind of program does the organization need?
– What are the applicable legal requirements?
– What is in place already and what should be supplemented?
A written security policy/program
– Designated Owner/Administrator
– Risk Assessments
– Administrative, Technical and Physical Controls
– Training
– Audits
– Program Assessments and Revisions
– Enforcement
An Incident Response Plan
Risks
Federal and State Enforcement
– FTC
– SEC
– DOJ
– HHS
– State Enforcement Actions
Consumer Class Actions
Shareholder Suits
Reputation/Brand/Revenue Loss
– Target: Remediation costs related to the breach totaled $61 million in Q4 2013; lower stock price; litigation; loss of consumer confidence
– Some evidence that consumers’ willingness to continue doing business with a company decreases after they find out a breach has occurred
Breach Defense: Protecting Your Network from Evil Doers
Jerry Cochran
Principal security manager, Office 365 security
Microsoft
Agenda
– Who wants to attack you (and your users and data…)
– The Changing IT Security Landscape
– Information Security Risk Management & Compliance
– The Defender’s “Top 5 List” (If I could only do five things…)
Many Actors and Motives
– Attacks Look the Same
– A Shared and Integrated Domain
– Consequences Hard to Predict
– State vs. State Conflict
– Military Espionage
– Economic Espionage
– Cyber Crime
Attacker’s Gain increased by:
– Long window to recover investment
– Low exploit development cost
– Low vulnerability discovery cost
Attacker’s Cost increased by:
– Short window of vulnerability
– Difficulty in developing reliable exploits
– Difficulty in finding usable vulnerabilities
– Increase investment to find vulnerabilities
• Remove entire classes of vulnerabilities where possible
• Focus on automation to scale human efforts
– Increase investment to write exploits
• Build mitigations that add brittleness to exploits
• Make exploits impossible to write completely reliably
– Decrease opportunity to recover investment
• Shrink window of vulnerability
• Fewer opportunities via artificial diversity
• Work on rapid detection & suppression of exploit usage
Source: Verizon Data Breach Report 2013
Source: Mandiant M-Trends 2013
A Shift in Security Strategy
Traditional → New Approach Required
– Uniform Asset Protection → Layered Defenses with Differentiated Asset Protection
– Perimeter-centric → Data- and Infrastructure-centric
– Collection of Controls → Purposely-engineered System of Controls
– Threat Reaction → Threat Intelligence and Management
– Defensive Purity (Keep them out) → Resilient and Secure Operations
Good References:
– SBIC APT Paper - http://www.rsa.com/innovation/docs/SBIC_RPT_0711.pdf
– RSA APT Summit Findings - http://www.rsa.com/innovation/docs/APT_findings.pdf
– TAO Security Effectiveness - http://taosecurity.blogspot.com/2011/08/taosecurity-security-effectiveness.html
GRC Activities (figure): for each activity, the figure contrasts who performs it On-Premises (Traditional IT) versus in a Cloud Service (IaaS, PaaS, SaaS), i.e. the Enterprise or the Cloud Service Provider.
– Compliance Obligations & Reporting
– Prevent & Protect
– Monitor & Detect
– Respond & Eradicate
– Remediate
GRC = Governance, Risk Management & Compliance
IaaS = Infrastructure as a Service (i.e. Azure, AWS, etc.)
PaaS = Platform as a Service (i.e. Azure)
SaaS = Software as a Service (i.e. Office 365)
Compliance and Regulatory Obligations are overwhelming IT security
Most GRC programs are really “C” programs
Is the auditor my only Adversary?
Risk Management: What I Desire to Do
Governance: What I Should Do
Compliance: What I Must Do
Other notable Cybersecurity hot topics…
– Encryption & Privacy in a Post-Snowden Era
– Shifting Compliance Boundaries
– Location of Data
– Breach Disclosure and Notification
– Cyber Insurance
The Defender’s “Top 5 List”
(If I could only do five things…)
#5: Know Your Enemy
#4: Start secure & Stay secure
#3: Partition or Compartmentalize Risk
#2: Plan and Practice your defense
#1: Align your defense with your adversary(s)
So you’ve done your best … but you’ve been breached … now what?
Sean B. Hoar, Attorney, CIPP/US
Davis Wright Tremaine
First, do you still doubt the risk?
If you receive, process or store sensitive data, you are a target
The primary data targets
– 96% Customer Records (Payment Card Data, PII, email addresses)
– 2% Intellectual Property
– 1% Electronic Protected Health Information
– 1% Business Financial Account Information
Why? What can be most easily monetized?
Trustwave 2013 Global Security Report, p. 8.
So what happened in 2013?
63,437 security incidents
1,367 security incidents with confirmed data loss
The security incidents and data breaches occurred across all industries
– Those that stored payment card or other financial data were the largest targets
Takeaway – “… everyone is vulnerable to some type of event. Even if you think your organization is at low risk for external attacks, there remains the possibility of insider misuse and errors that harm systems and expose data.”
Verizon 2014 Data Breach Investigations Report, p. 6.
How can you reduce the cost of a breach?
Factors that reduce the cost of a breach
– strong security posture prior to breach
– incident response plan prior to breach
– consultant engaged to remediate breach
– management of data collection is centralized for privacy and security
Factors that increase the cost of a breach
– Lack of any or all of the above factors
– Data lost due to third party error
– Data breach involved lost or stolen devices
– Notifications of breach sent too quickly
2013 Cost of Data Breach Study: Global Analysis; Ponemon Institute
So how much do breaches cost?
Issuers, merchants, and acquirers of credit, debit, and prepaid cards experienced gross fraud losses of $11.27 billion in 2012, up 14.6% over the prior year.
Card issuers lost 63% and merchants and acquirers lost the other 37%.
Business Wire, August 19, 2013, citing The Nilson Report.
So how much do breaches cost?
Global Payments, Inc. (payment processor, 2012)
– 1.5 million card data sets stolen
– $121.2 million total losses through mid-2013 (10/1/13 10-Q) (offset by $20 million in insurance payments), including
• $105.5 million in professional fees, investigation and remediation costs, incentive payments to business partners, and credit monitoring and identity-protection insurance costs.
• $35.7 million card brand fines and assessments.
So how much do breaches cost?
TJX Companies, Inc.; 2007 retailer breach
– 45.7 million card data sets stolen
– $256 million total losses (8/15/2007 Boston Globe article), including
• Settlements of 27 lawsuits brought by more than 200 issuing banks:
– $40.9 million - Visa and banks (USA Today report);
– $24 million - MasterCard and banks (TJX press release)
– $9.75 million - State attorneys general (Computer World)
– Unspecified – customer class-action claims (TJX 9/21/07 8-K)
So how much do breaches cost?
Estimates of Target’s probable losses:
– Avivah Litan, Gartner: $420 million (PCI fines, banks’ card-replacement costs, customer costs, legal fees, credit monitoring) (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/);
– Daniel Binder, Jefferies: $400 million to $1.1 billion (PCI fines and assessments) (theflyonthewall.com, 1/30/2014)
Estimated number of individuals who did not shop at Target in early January due to the reported breach:
– 7% of pre-breach volume: 4.6 million shoppers (http://www.forbes.com/sites/prospernow/2014/01/24/amazon-sets-the-standard-for-shopper-security-while-target-struggles/)
So how much do breaches cost?
Costs for 137 insurance claims (2012 NetDiligence report):
– Range: $2k to $76 million;
– Average costs per breach: $3.7 million total
• Average cost of legal settlements: $2.1 million
• Average legal fees for litigation: $582k
• Average crisis services (forensics, breach response counsel, credit monitoring): $983k
So what are my first steps?
Preparation is the best defense – development of a thorough security incident/breach response plan is critical
How do I develop a security incident/breach response plan?
– Engage privacy and security counsel to customize the plan for the scope and scale of the company
– Developing a plan will involve a thorough review of business practices pertaining to the collection, processing, and/or storing of personal information, including third party relationships, administrative practices, historical experience with security breaches, cyber insurance, etc.
So what are my first steps?
When a breach is discovered, immediately implement the security incident/breach response plan
– Contact security counsel for guidance on implementing a multi-prong approach
• Activate forensic team to conduct risk assessment, and contain, analyze, and remediate
– Identify target of breach, i.e. intellectual property, payment card systems, financial account information
– Determine whether data loss occurred
» If so, determine whether data loss has stopped
– Determine extent of loss
• Contact insurance provider
• Determine whether breach notification is required
• Determine whether law enforcement should be contacted
What do the experts recommend?
A SANS Critical Controls Gap Assessment:
Risk assessment report can be privileged
If the risk assessment is conducted by or at the direction of counsel and the primary purpose of the assessment is to determine the extent of the business’s potential liability for lost or stolen data
– The risk assessment report should be protected from discovery by the attorney-client privilege.
Cost-effective security measures
For compliance purposes, ensure you have “appropriate” security measures as required by FTC consent orders:
– Assign responsibility;
– Identify information assets;
– Conduct risk assessments;
– Select and implement responsive security controls;
– Monitor effectiveness;
– Regularly review program; and
– Address third party issues.
Thomas J. Smedinghoff, “Data Security Requirements for Non-Regulated Business Sectors,” 14th Annual Institute on Privacy and Data Security, Vol. 2, Ch. 9 (May 2013)
Cost-effective security measures
But beyond “compliance,” what will protect your digital infrastructure?
And what is “appropriate” when firewalls, AVS, antimalware protection, endpoint protection and IDPS can be bypassed by attacks that use customized malware?
Become offensively defensive
– Use layered defenses to protect high-value assets
– Constantly and actively monitor systems
– Regularly test systems for vulnerabilities
– Assume you have been or will be breached, and actively look for the evidence
Cost-effective security measures
Basic measures must be maintained, e.g.,
– Implement administrative, physical, and technical safeguards no less rigorous than those required by industry standards, including
• ISO/IEC 27001:2005 and ISO/IEC 27002:2005;
• The HIPAA Security Rule for businesses to which the Rule applies;
• PCI DSS 3.0 for payment card data; and
• GLB requirements for federally regulated financial entities.
Cost-effective security measures
At a minimum:
– limit access to confidential information to authorized persons who need access;
– physically secure business facilities, data centers, paper files, servers, back-up systems, and computing equipment;
– implement authentication and access controls;
– encrypt confidential information stored on mobile devices and media and transmitted over public or wireless networks;
– segregate sensitive information and provide additional safeguards;
– implement appropriate personnel security practices, including conducting background checks; and
– provide privacy and security training to employees.
Cost-effective security measures
Data encryption is important but, depending on how it’s deployed, will not stop some attacks:
– Alleged Global Payments hacker:
• “They finished End2End encryption, but E2E not a full solution; it only defend [sic] from outside threat.”
– The alleged hacker claimed he and his colleagues had been in Global Payments’ system for 13 months, collecting data monthly.
Brian Krebs, Global Payments: Rumor and Innuendo (April 2, 2012), http://krebsonsecurity.com/2012/04/global-payments-rumor-and-innuendo/.
Cost-effective security measures
Data Loss Prevention tools can help block employees and others from exfiltrating confidential data.
Employee training, coupled with tools that monitor employee activity on business networks, can also help stop careless, uninformed, and malicious employees from disclosing sensitive data.
Cost-effective security measures
Ensure the software you run does not have common security flaws such as those listed in
– the CWE/SANS Top 25 Programming Errors, http://cwe.mitre.org/top25/ or http://www.sans.org/top25-programming-errors/
and
– the Open Web Application Security Project’s (OWASP) Top Ten Project, https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
Cost-effective security measures
Technologies that may serve as part of a layered security program:
– Firewalls/next-generation firewalls;
– Intrusion prevention/detection systems (IPS/IDS);
– UTMs (firewall, IPS, anti-malware, Web filtering, etc.);
– Endpoint protection suites (anti-malware, host firewalling, filtering);
– Message hygiene filters;
– Web hygiene filters;
– Network access control (NAC);
– Data loss prevention;
– Security information and event management (SIEM)/log aggregation;
– Network vulnerability scanners/Web app scanners;
– Policy and configuration management;
– Patching and software delivery;
– Web application firewalls/database monitors;
– Penetration testing tools; and
– Strong authentication.
Diana Kelley, “Threat prevention techniques: Best practices for Threat Management,” Information Security Magazine (Sept. 22, 2012).
Cost-effective security measures
Attackers must succeed at all steps of the “kill chain,” including
– Reconnaissance, delivering and installing malware, exploiting weaknesses in network defenses, communicating with C2 servers, and exfiltrating data.
Make the attacker’s job more difficult and more expensive at every step.
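The slide names the later kill-chain stages (communicating with C2 servers, exfiltrating data) but does not show what “actively looking for the evidence” of them looks like in practice. The following is an added example, not code from the presentation or from any of the speakers’ organizations: it runs two simple detections over constructed outbound-flow log lines, flagging (a) internal hosts that contact an external address at near-constant intervals, the beaconing pattern typical of C2 check-ins, and (b) host pairs whose total outbound volume exceeds a threshold. The log format, IP addresses, thresholds and jitter tolerance are all assumptions chosen for illustration.

```python
"""Detection logic for two late kill-chain stages named on the slide:
C2 communication (periodic beaconing) and data exfiltration (bulk egress).
Added example, not from the presentation; log format and hosts are constructed."""
import statistics
from collections import defaultdict

# Constructed outbound-flow log lines (not from any real system). Fields are
# key=value: unix timestamp, internal source, external destination, bytes out.
SAMPLE_FLOWS = """\
ts=1401789600 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401789600 src=10.0.0.5 dst=192.0.2.10 bytes=1200
ts=1401789615 src=10.0.0.5 dst=192.0.2.10 bytes=1200
ts=1401789661 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401789719 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401789781 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401789800 src=10.0.0.5 dst=192.0.2.10 bytes=1200
ts=1401789810 src=10.0.0.5 dst=192.0.2.10 bytes=1200
ts=1401789840 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401789901 src=10.0.0.5 dst=203.0.113.7 bytes=300
ts=1401790200 src=10.0.0.5 dst=192.0.2.10 bytes=1200
ts=1401790260 src=10.0.0.9 dst=198.51.100.20 bytes=52428800
"""


def parse_flows(text):
    """Parse key=value flow lines into dicts; skip malformed lines rather than crash."""
    flows = []
    for line in text.splitlines():
        try:
            kv = dict(part.split("=", 1) for part in line.split())
            flows.append({"ts": int(kv["ts"]), "src": kv["src"],
                          "dst": kv["dst"], "bytes": int(kv["bytes"])})
        except (ValueError, KeyError):
            continue
    return flows


def detect_beaconing(flows, min_conns=5, max_jitter=0.2):
    """Flag (src, dst) pairs that connect at near-constant intervals.
    Jitter is the coefficient of variation of the gaps between connections;
    a host talking to a site at human-driven, irregular times has high jitter."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"])].append(f["ts"])
    flagged = []
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


def detect_bulk_egress(flows, threshold_bytes=10_000_000):
    """Flag (src, dst) pairs whose total outbound volume exceeds the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted(p for p, b in totals.items() if b > threshold_bytes)


def kill_chain_findings(text):
    """Map the two detections onto the kill-chain stages named on the slide."""
    flows = parse_flows(text)
    return {
        "communicating with C2 servers": detect_beaconing(flows),
        "exfiltrating data": detect_bulk_egress(flows),
    }


if __name__ == "__main__":
    for stage, pairs in kill_chain_findings(SAMPLE_FLOWS).items():
        print(f"{stage}: {pairs or 'nothing flagged'}")
```

In the constructed sample, 10.0.0.5 reaches 203.0.113.7 six times roughly every 60 seconds and is flagged as a beaconing candidate, while its irregular visits to 192.0.2.10 are not; 10.0.0.9 is flagged for a single 50 MB transfer. Real deployments tune `min_conns`, `max_jitter` and `threshold_bytes` against a baseline of the organisation’s own traffic, since both detections produce false positives (software update checks, backups) until they are.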
Cost-effective security measures
Train users to recognize socially engineered attempts to get them to open email attachments or click on links to poisoned websites.
Regularly test users on how well they’re following anti-phishing rules.
Discipline users who refuse to learn.
Cost-effective security measures
The SANS Critical Security Controls for Effective Cyber Defense describe a step-by-step, prioritized deployment of these and other layered defenses.
The 20 SANS Critical Security Controls are:
– 1: Inventory of Authorized and Unauthorized Devices
– 2: Inventory of Authorized and Unauthorized Software
– 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
– 4: Continuous Vulnerability Assessment and Remediation
– 5: Malware Defenses
– 6: Application Software Security
– 7: Wireless Device Control
– 8: Data Recovery Capability
– 9: Security Skills Assessment and Appropriate Training to Fill Gaps
– 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
– 11: Limitation and Control of Network Ports, Protocols, and Services
– 12: Controlled Use of Administrative Privileges
– 13: Boundary Defense
– 14: Maintenance, Monitoring, and Analysis of Audit Logs
– 15: Controlled Access Based on the Need to Know
– 16: Account Monitoring and Control
– 17: Data Loss Prevention
– 18: Incident Response and Management
– 19: Secure Network Engineering
– 20: Penetration Tests and Red Team Exercises
See http://www.sans.org/critical-security-controls/, v.4.1, p.1 (March 2013).
Cost-effective security measures
The Consortium of Cybersecurity Action, which maintains the Controls, notes a pattern of steps organizations have taken to effectively implement the Controls:
– 1. Perform an Initial Gap Assessment – determining what has been implemented and where gaps remain for each control and sub-control.
– 2. Develop an Implementation Roadmap – selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.
– 3. Implement the First Phase of Controls – identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
– 4. Integrate Controls into Operations – focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
– 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.
Id. at 4.
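The five-step implementation pattern above (and the “SANS Critical Controls Gap Assessment” mentioned earlier in the deck) reads as a process description; the following is an added example, not code from the presentation, from SANS or from the Consortium, showing how one would track that process in a small tool. It carries the 20 control names listed on the slides; the sub-control identifiers, the implemented/partial/missing statuses and the 1..5 business-risk ratings are constructed sample input, and the roadmap ordering rule (highest business risk first, then the Controls’ own priority order) is an assumption made for this illustration.

```python
"""Gap assessment and phased roadmap over the 20 Critical Security Controls.
Added example (not from the presentation or from SANS/the Consortium). Control
names are those listed on the slides; statuses and risk weights are constructed."""
from dataclasses import dataclass, field

# Control numbers and names as listed on the slides (v4.1).
CONTROLS = {
    1: "Inventory of Authorized and Unauthorized Devices",
    2: "Inventory of Authorized and Unauthorized Software",
    3: "Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers",
    4: "Continuous Vulnerability Assessment and Remediation",
    5: "Malware Defenses",
    6: "Application Software Security",
    7: "Wireless Device Control",
    8: "Data Recovery Capability",
    9: "Security Skills Assessment and Appropriate Training to Fill Gaps",
    10: "Secure Configurations for Network Devices such as Firewalls, Routers, and Switches",
    11: "Limitation and Control of Network Ports, Protocols, and Services",
    12: "Controlled Use of Administrative Privileges",
    13: "Boundary Defense",
    14: "Maintenance, Monitoring, and Analysis of Audit Logs",
    15: "Controlled Access Based on the Need to Know",
    16: "Account Monitoring and Control",
    17: "Data Loss Prevention",
    18: "Incident Response and Management",
    19: "Secure Network Engineering",
    20: "Penetration Tests and Red Team Exercises",
}

STATUS_SCORE = {"implemented": 1.0, "partial": 0.5, "missing": 0.0}


@dataclass
class ControlAssessment:
    control: int
    business_risk: int                               # constructed 1..5 rating, 5 = highest
    subcontrols: dict = field(default_factory=dict)  # sub-control id -> status string

    def coverage(self) -> float:
        """Step 1: fraction of sub-controls in place (partial counts as half)."""
        if not self.subcontrols:
            return 0.0
        return sum(STATUS_SCORE[s] for s in self.subcontrols.values()) / len(self.subcontrols)

    def gaps(self) -> list:
        """Sub-controls that are not fully implemented."""
        return sorted(k for k, s in self.subcontrols.items() if s != "implemented")


def gap_assessment(assessments):
    """Step 1: map each control to (coverage, remaining gaps)."""
    return {a.control: (a.coverage(), a.gaps()) for a in assessments}


def build_roadmap(assessments, phase_size=3):
    """Step 2: order controls with gaps by business risk (descending), then by
    control number (the Controls are already prioritized), and cut into phases."""
    pending = [a for a in assessments if a.gaps()]
    pending.sort(key=lambda a: (-a.business_risk, a.control))
    return [[a.control for a in pending[i:i + phase_size]]
            for i in range(0, len(pending), phase_size)]


def apply_phase(assessments, phase_controls, completed):
    """Steps 3-4: record sub-controls brought into operation during a phase.
    `completed` maps control number -> list of sub-control ids now implemented."""
    by_id = {a.control: a for a in assessments}
    for c in phase_controls:
        for sub in completed.get(c, []):
            if sub in by_id[c].subcontrols:
                by_id[c].subcontrols[sub] = "implemented"


def progress_report(assessments, roadmap):
    """Step 5: percent of roadmap controls now fully covered, plus (closed, total) per phase."""
    by_id = {a.control: a for a in assessments}
    per_phase, done, total = [], 0, 0
    for phase in roadmap:
        closed = [c for c in phase if not by_id[c].gaps()]
        per_phase.append((len(closed), len(phase)))
        done, total = done + len(closed), total + len(phase)
    return (round(100.0 * done / total, 1) if total else 100.0), per_phase


def sample_assessments():
    """Constructed sample input, not real assessment data."""
    return [
        ControlAssessment(1, 5, {"1.1": "implemented", "1.2": "partial", "1.3": "missing"}),
        ControlAssessment(2, 5, {"2.1": "missing", "2.2": "missing"}),
        ControlAssessment(4, 4, {"4.1": "implemented", "4.2": "implemented"}),
        ControlAssessment(12, 5, {"12.1": "partial", "12.2": "missing"}),
        ControlAssessment(14, 3, {"14.1": "missing"}),
        ControlAssessment(18, 4, {"18.1": "partial"}),
    ]


if __name__ == "__main__":
    a = sample_assessments()
    for c, (cov, gaps) in gap_assessment(a).items():
        print(f"Control {c:2d} {CONTROLS[c]}: {cov:.0%} covered, gaps {gaps}")
    roadmap = build_roadmap(a)
    print("Roadmap phases:", roadmap)
    apply_phase(a, roadmap[0], {1: ["1.2", "1.3"], 2: ["2.1", "2.2"], 12: ["12.1"]})
    print("Progress after phase 1:", progress_report(a, roadmap))
```

With the sample input, the first phase is Controls 1, 2 and 12 (all rated risk 5), the second is 18 then 14; after the first phase closes 1 and 2 but leaves sub-control 12.2 open, the report shows 40% of roadmap controls fully covered, which is exactly the “repeat Steps 3-5 in the next phase” loop the slide describes.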
Cost-effective security measures
The SANS Critical Security Controls “focus on automation to provide cost efficiency, measurable results, scalability, and reliability.” Id. at 3.
The SANS site lists vendors who offer tools to help implement the Controls. See http://www.sans.org/critical-security-controls/vendor-solutions.
Evaluating cyber insurance
Gaps in traditional insurance coverage:
– Intentional acts excluded (GL)
– Data is not tangible property (GL, Prop., Crime)
– Property damage required to trigger (GL)
– Theft or disclosure of intellectual property and 3d-party info. often excluded (GL)
– External hosting losses excluded (GL)
– Only money, securities, tangibles covered (Crime)
– Coverage restricted to acts in the U.S.
– Sublimits or long wait periods for losses related to viruses (Prop.)
Evaluating cyber insurance
Cyber insurance coverage to consider:
– First party:
• Crisis management
• Forensics
• Business interruption
• Remediation (notifications, credit monitoring)
• Litigation defense
• PCI fines and assessments
• Regulatory fines and penalties
• Extortion costs
– Third party:
• “Privacy and Security,” “Media Liability”
Evaluating cyber insurance
Exclusions to watch for:
– Unencrypted data on portable devices;
– Data not on insured’s system (cloud, others);
– “Wild virus” exclusion;
– Failure to maintain system or update software;
– Short notice requirements;
– Exclusion of employee data;
– Prior acts insured “should have foreseen”; and
– Physically stolen files excluded.
Evaluating cyber insurance
Limits to watch for:
– Narrow definition of “personal information”;
– U.S. privacy statutes and regulations only;
– Coverage limited by territory where cost incurred;
– Voluntary costs excluded (coverage triggered by legal liability);
– Requirements to use specific vendors, counsel;
– Inadequate sublimit for forensics;
– Inadequate sublimit for business interruption;
– Sublimit for number of records;
– Deductibles, retentions, limits tied to “incident,” and
– Restricted right to settle.
Evaluating cyber insurance
Enhancements to consider:
– Choice of counsel
– Prior acts
– One retention for entire policy
– 1st party coverage for insured’s negligence that causes system interruption
– Limit intentional acts exclusion to control group to ensure rogue employee acts are covered
– Ensure terrorism and “acts of war” exclusions do not exclude state-sponsored thefts
Evaluating cyber insurance
Factors that affect costs of coverage:
– Industry, loss record, revenue, likelihood of loss, number of records, number of employees, geography.
How much coverage is enough?
– Benchmark to peer data for claims, considering
• Type of records (PCI, PHI, PII, IP), number of records, company’s public profile.
Questions?
Christin S. McMeley, Attorney, CIPP/US, Davis Wright Tremaine LLP | D.C.
Jerry L. Cochran, CISSP, CISM, Microsoft | Seattle
Sean B. Hoar, Attorney, CIPP/US, Davis Wright Tremaine LLP | Portland
BYOD = a dual use device
Explore key legal issues:
– Privacy
– Wage & Hour
– Trade secrets
– National Labor Relations Act
Weigh advantages and disadvantages of allowing BYOD
Consider best practices for BYOD policies
Apply your knowledge
Rapid increase in the use of mobile devices by employees
– Mobile phones/Smart phones
– Tablets
– Laptops
– Non-company owned PCs
– USB sticks
– External hard drives
– Cloud-based storage (e.g., Dropbox)
– etc.
38% of companies will stop providing devices to workers by 2016.
By 2017, half of employers will require employees to provide their own devices.
Source: http://www.gartner.com/newsroom/id/2466615
Result: “Dual-Use” Device
Both personal and company data accessed and stored
Dual activities
– Handling personal matters while at work – more difficult to monitor
– Handling work matters while on personal time – more difficult to monitor
BYOD risk areas (figure):
– Upgrades: Too fast!
– Lost Data
– Rights affecting access and monitoring: Privacy; NLRA Rights
– Who owns data stored on personal devices? Corporate information and trade secrets; Personal information of employees or customers.
– Duty to monitor employee conduct? Malicious software attacks.
– Compliance risks: HIPAA; Encryption (MA & NV); Client demands; e-Discovery.
– Data breaches
– Wage & Hour violations
Data lost – intentionally or unintentionally.
– Lost or stolen devices.
– Consultants use their own PCs to access your internal network.
– Employees upload sensitive data to document sharing sites.
– Sales teams copying customer lists to their USB before they leave the company.
– Employees email themselves, or others, company information.
– Employees access company email on their own device.
– Employees access “company webmail” from their home PC (downloading attachments).
– Employees upgrade to a new device and discard the old.
Legal / Compliance
- HIPAA
- FCRA
- ADA/FMLA/GINA
- State law
- Litigation
- International
H.R.
- Information about employees
  * Hiring
  * Testing
  * Monitoring
  * Record retention
- Ensuring compliance by employees
- Smart phones
- Social media
- Email
- E-commerce
- Vendors
- Customers
- Data breach
- Confidentiality
- Trade secrets
- Policies
- Agreements
- Whistle blowing
I.T.
- Passwords
- Access management
- Firewalls
- Malware
- Encryption
No currently broadly applicable federal privacy law
Piecemeal: HIPAA, FCRA, ECPA, SCA, CFAA, ADA, GINA, FMLA
States generally have one or more of the following:
– Affirmative obligations to safeguard (e.g., MA, MD, CT, CA, TX, IL (biometric information))
– Data breach notification (46 states plus some cities)
– Various Social Security number protections
– Data destruction requirements
Employee Privacy
Different throughout the world.
EU most restrictive.
The Remote Wipe
Accessing truly “personal” information/content
Multiple email accounts
GINA/Disability Information
Encryption.
Do you need to get possession of device?
Storage card.
Handling old devices—destruction.
Lower employee’s privacy expectation.
Key Cases:
Stengart v. Loving Care Agency, Inc., 201 N.J. 300 (2010)
Did employee waive her attorney-client privilege by communicating with her counsel using her own private e-mail account, which was accessed via the employer’s system?
Held: The employee did not waive her privilege.
Aventa Learning, Inc. v. K12, Inc., 830 F. Supp. 2d 1083 (W.D. Wash. 2011)
Plaintiff I’s failure to assert privilege in relinquished laptop over 1.5 years later waived privilege
Plaintiff II asserted privilege before relinquishing laptop.
Handbook’s Electronic Communications policy clearly stated "[e]lectronic communications are not private" and policy reserved the company's right "to access, search, . . . or disclose any file or stored communication."
Aventa Learning, Inc. v. K12, Inc., cont’d
Applied In re Asia Global, 322 B.R. 247, 257 (S.D.N.Y. 2005) factors:
(1) Does the company maintain a policy banning personal or other objectionable use,
(2) Does the company monitor the use of the employee's computer or email,
(3) Do third parties have a right of access to the computer or emails, and
(4) Did the corporation notify the employee, or was the employee aware, of the policy.
Aventa Learning, Inc. v. K12, Inc., cont’d
Held: Stengart rule does not apply
“Washington would also take a broader view of the waiver issue here, and adopt a balanced approach and not a non-waiver rule concerning web-based personal email accounts that are accessed through an employee's company computer or laptop.”
Held: (1) The policy was broad enough to cover personal emails from their web-based personal email accounts on company laptops or servers. (2) Any privilege that once may have applied to these communications was waived.
Washington’s Social Media Privacy Law
Employer may NOT:
– Ask for login information (including username or password) for an employee’s or applicant’s personal social networking account.
– Engage in “shoulder surfing.”
– Compel or coerce an employee or applicant to add a person, including the employer, as a friend or contact on the person’s social networking account.
– Request or require a person to alter settings affecting a third party’s ability to view content.
Limited investigation exception
The law does NOT apply to an employer’s request or requirement that an employee share content of a personal networking account if ALL of the following four conditions are met:
1. Employer’s request tied to a factual determination for an investigation.
2. Employer undertakes investigation to respond to reported information about the employee’s activity on personal networking account.
3. The purpose of the investigation is -
• To ensure compliance with applicable law or prohibitions against work-related employee misconduct; or
• To investigate an allegation of unauthorized transfer of an employer’s proprietary information, confidential information or financial data to the employee’s social networking account
4. The employer does not request or require the employee to provide his or her login information.
All employees have the right to engage in “protected, concerted activities” concerning wages, hours and other terms and conditions of employment.
“Concerted” = “engaged in, with, or on the authority of other employees, and not solely by and on behalf of the employee himself.”
“Constructive” = A single employee “seeks to initiate, induce or prepare for group action” or raises “group complaints to the attention of management.”
Can be a single employee
Can be a single listener
Expansive application of “concerted” protected activity
The “facebook” case involving one employee’s profane on-line statements about a supervisor made to “friends” who responded to such statements
Facebook = the virtual “water cooler”
Expansive application of “concerted” protected activity
In Register Guard, 351 NLRB 1110 (2007), the Board flatly stated that “employees have no statutory right to use the[ir] Employer’s e-mail system for Section 7 purposes.”
Late last year, an ALJ applied the Register Guard rule and upheld an employer’s blanket prohibition against using its email system for non-work-related purposes. Purple Communications, Inc. (Bogas, ALJ, Oct. 24, 2013).
BUT the General Counsel and the union have asked the Board to overturn the Register Guard rule.
Safety: Mobile device use and driving.
The Need to Control Employee Conduct:
Discrimination, harassment, retaliation.
Negligent supervision: An employer may be held liable for an employee’s wrongful acts if the employer knew or had reason to know of the risk the employment created.
Doe v. XYC Corp., 382 N.J. Super. 122 (2005)
Employee used work computer to send photos taken of step-daughter to child pornography sites
Employee's server logs revealed that he was visiting pornographic sites on his office computer
Employee was arrested on child pornography charges.
Mother sued on behalf of her child.
Held: Employer has an affirmative duty to investigate the employee's activities and to take prompt and effective action to stop the unauthorized activity, including termination of employment and a report to the police.
Negligent Hiring
Generally, no expectation of privacy in employer-owned phone, but what about BYOD phone?
Tracking employees using GPS and/or phone tracking ability:
Real-time updates.
Streamline travel.
Taking breaks?
Tracking time?
Tracking software/apps:
Find My iPhone:
• Features include tracking location, remote erase.
Android Lost App:
• Features include viewing SMS messages, erasing SD card, taking remote pictures.
mSpy/Webwatcher/keylogging/spyware:
• Monitor calls, track messages, read emails, “bugging”, websites visited, keystrokes typed.
Employment Specific Statute:
Conn. Gen. Stat. § 31-48d – Not limited to vehicles; must give written notice; must post notice of practice
Criminal Statutes:
Cal. Penal Code § 637.7 – Not limited to vehicles; requires consent
Tex. Penal Code Ann. §16.06 – Limited to vehicles; cannot track without consent
Del. Code Ann 11 §1335(a)(8) – Limited to vehicles; cannot track without consent
Minn. St. §626a.35 – Not limited to vehicles; requires consent
Case Law: U.S. v. Jones, 132 S. Ct. 945, 565 U.S. ___ (2012)
Held: Government’s installation of a GPS tracking device on a suspected drug trafficker's vehicle to monitor the vehicle's movements constituted an unlawful search under the Fourth Amendment
Police exceeded the warrant's scope in both geography and length of time.
Majority’s reasoning: By physically installing the GPS device on the defendant’s car, the police had committed a trespass against Jones' "personal effects" – this trespass, in an attempt to obtain information, constituted a search per se.
Could an employer’s tracking through an employee’s personal cell phone constitute a common law trespass?
Unauthorized use of, or access to, records or data containing personal information.
Personal Information (PI) typically includes:
• First name or first initial and last name in combination with:
– Social Security Number
– Driver’s Licenses or State identification number
– Account number or credit or debit card number in combination with access or security code
– Biometric Information (e.g. NC, NE, IA, WI)
– Medical Information (e.g. CA, VA)
PI typically maintained where?
– Human Resources-Applications, FMLA, Disability, etc.
– Accounting-Payroll documents.
– Benefits-Health, Vision, Dental.
Loss, theft, improper access, inadvertent disclosure:
The lost laptop/bag;
Inadvertent access;
Data inadvertently put in the “garbage;”
Theft/intentional acts;
Inadvertent email attachment;
Stressed software applications;
Rogue employees;
Remote access;
Wireless networks;
Peer to peer networks;
Vendors.
Fines, Penalties, Settlements:
State Attorney Generals
• Varies By State
– Multipliers: Michigan permits civil fines of not more than $250 per failure (each person), with a maximum of $750,000.
– Length of notification delay: Florida imposes fines when notification is not provided within the statute’s mandated time frame (45 days). Calculate the fine as $1,000 per day for the first 30 days, and $50,000 for each 30 day period thereafter, with a maximum fine of $500,000.
Health and Human Services
• Penalties and settlements in the millions of dollars
Private Cause of Action
14 states have some form of private action
State laws may have notice or other requirements
Washington, RCW 19.255.010 – 19.255.020
• Covers unencrypted computerized data containing “personal information”
• Duty to notify triggered at discovery of a breach or notification of breach
• Expedient written or electronic notice if consistent with 15 U.S.C. § 7001
• Damages relate to actual costs re credit cards
See also e.g., California Civil Code §§ 1798.29, 1798.82
Data loss.
Financial loss.
Public relations.
Negative publicity.
Loss in customer confidence.
It happens!
Cisco Systems in their Whitepaper titled “Data Leakage Worldwide: Common Risks and Mistakes Employees Make:”
46 % of employees admitted to transferring files between work and personal computers when working from home.
13 % of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.
Have a strategy.
Proxy Servers to control access to file-sharing web sites and personal email accounts.
Data encryption.
Anti-virus and spyware protection.
MDM (Mobile Device Management) software and enforcement.
Employee uses phone or tablet to receive and store information
Employee uses phone or tablet to transmit or forward information
Employee or visitor uses phone to capture information (including photographs or video)
Case Law:
United States v. Howley and Roberts, 2013 U.S. App. LEXIS 2397 (6th Cir. Feb. 4, 2013)
Wyko had contract to build parts for Chinese company’s tire assembly machines; Wyko had not built such parts before
Goodyear had built such parts; Goodyear asked Wyko to repair some of its tire assembly machines
Senior engineers Howley & Roberts sent; reminded they could not use cameras at the plant, but not cautioned about cell phones
Goodyear made Howley and Roberts sign confidentiality agreements prohibiting their use or disclosure of Goodyear’s confidential information and trade secrets.
United States v. Howley and Roberts, cont’d
Howley uses his cell-phone camera to take pictures of Goodyear machines
Howley sends photo to his Wyko email account and then Roberts forwards it to Wyko design team
Wyko’s IT manager discovers email and photo on server
IT manager sends it to Goodyear
Goodyear sends it to the FBI
Howley and Roberts were eventually tried and convicted under the Economic Espionage Act of stealing Goodyear’s trade secrets
United States v. Howley and Roberts, Cont’d.
Held: Although Goodyear did not confiscate Howley’s cell phone or disable picture taking ability, its protection efforts were sufficient to show that it took reasonable efforts to protect its trade secrets.
Goodyear’s Topeka plant was surrounded by a fence and all visitors had to pass a security check point.
Visitors were required to get permission to enter the plant, to sign a secrecy agreement, and to agree not to take any pictures.
Take away? Employers that allow non-employees to access areas with confidential business information may consider requiring visitors to place an opaque sticker over the lens of their Smartphone camera or confiscating them for the length of the visit.
To help defend cases:
Wage and Hour cases:
Determine worked time using data.
Use data to identify meal and rest breaks taken.
Could be used for credibility purposes.
Harassment, discrimination and retaliation cases:
• Photographs, texts and call history to refute claims.
Possible sources of liability:
Wage & Hour
• Off the clock work: Checking email and texting.
• Compensable time?
Invasion of privacy:
• Tracking employee whereabouts after hours.
• Apps that take pictures remotely.
Destruction of data and/or evidence:
• Remote access to company’s servers.
• Deletion of photos, texts or other evidence.
E-discovery obligations with ESI
Day v. LSI Corp., No. 11-186, 2012 U.S. Dist. LEXIS 180319 (D. Ariz.)
Discrimination case becomes spoliation case
Court awards monetary sanctions and partial default against Company, based on a finding that IHC inadequately supervised discovery efforts.
Conflicting testimony from IHC and the Company’s IT personnel regarding document retention activities.
Court concluded that IHC had a “culpable mind,” and that the failure to preserve evidence prejudiced plaintiff.
“Key documents” were lost, e.g., hiring manager’s notes
A bill is being considered in France to require employees “to disconnect from remote communications tools.”
• http://www.nytimes.com/2014/04/12/world/europe/in-france-a-move-to-limit-off-the-clock-work-emails.html.
Under the Fair Labor Standards Act, non-exempt employees must be paid for all time worked.
Work-related e-mails are work!
The safest legal answer:
No mobile devices for non-exempt employees
Block access by non-exempt employees to the work network
This may avoid legal risk. But it may be business blind!
Employers need to consider when there are compelling circumstances for e-mail use by non-exempt employees outside of regular working hours
Why allow it? You may not have a choice!
Expected in today’s fast paced and instant gratification environment
Tablets and Smartphones are replacing traditional PCs & laptops
Cost savings?
Employee tracking and monitoring
Improves Employee Productivity and Availability
Always reachable; employees are familiar with device functions and capabilities
Mobility: Work remotely, at home and on the road
Work/Life Balance
Good technology survey:
• 80% of people continue working after they leave the office;
• 76% of enterprises support BYOD;
• 7 extra hours/week = 365 hours/year;
• 50% check work email in bed;
• 38% at dinner table;
• 57% on family outings.
Personalization/Familiarity
Employees know their devices
Choice:
Eliminate the need for two devices.
Allow employees to choose own device.
Prevent data loss
Need to monitor v. privacy concerns
Protect trade secrets
Technical controls
Limit wage & hour violations
Consider technical controls
Enforce anti-harassment and anti-retaliation policies
Put employees on notice; consequences to employee should something happen.
Make decisions about which devices, platforms, networks can be used.
Clearly state company ownership of information.
Company ability to access and control that information.
Company ability to remove data from the device upon departure.
Remote wipe/MDM (Mobile device management).
Eligibility
Authorized Use v. Unauthorized Use?
Reimbursement
Security
Monitoring
Support
Discipline
Eligibility:
Eligibility requirements.
Device support limitations.
Risk and responsibilities.
Access limitations:
Role/Title/Geography.
Applicability of other policies.
All other workplace conduct policies apply
Conditions for reimbursement:
Device purchase and/or replacement.
Plans.
Limitations (e.g. max amount).
Substantiation of expenses.
Security:
Prohibit:
• “Jail Breaking,” “Rooting,” or unlocking
• Modifications to device hardware or operating software beyond routine updates.
Process and timing for reporting loss, theft, new device, unauthorized access, and cessation of employment:
• Remote Wipe.
Password and/or encryption requirements:
• Encryption required?
• Failed Login.
End-User (employee) support:
Define what devices are supported.
Define types of support provided:
Applications, services, scenarios.
“Self-service.”
How to request support.
Data:
Classify devices, users and data accessed.
Clarify ownership of apps and data.
Establish allowable apps and banned apps.
Employee exit procedure.
Monitoring:
Clearly communicate reasonable privacy expectations:
Reserve right to monitor.
Voluntary acceptance of program.
Explicit consent in writing.
Postings? (Walls, Login Screen, Homepage)
City of Ontario v. Quon, 130 S.Ct. 2619 (2010)
Search of text messages, sent or received on employer issued pager, was reasonable and did not violate employee’s Fourth Amendment Rights (decided on the narrower grounds of reasonableness of search and not privacy expectations).
Employer policies concerning electronic communications… “shape the reasonable expectations” of privacy of their employees, especially to the extent such policies are clearly communicated
Gov’t alleged that Finazzo, a clothing retailer executive, received illegal kickbacks from transactions between his employer and one of its vendors.
During an unrelated internal investigation, the employer discovered an email in his work account to his personal attorney, which contained a list of his personal assets, including several companies he co-owned with the vendor from whom he received the illegal kickbacks.
Held: The company’s policy, and Finazzo's knowledge of it, disposed of any claim that the email exchange with the personal attorney was private and therefore privileged
U.S. v. Finazzo, 2013 U.S. Dist. LEXIS 22479 (E.D.N.Y.2/19/13)
U.S. v. Finazzo, (E.D.N.Y. 2/19/13), cont’d
Company Systems are provided to serve business purposes only and are considered assets of the Company. . . Except for limited and reasonable personal use (e.g., occasional personal phone calls or e-mails), Company Systems should be used for Company business only. Any limited exceptions to this rule must be approved through the IT department. Under no circumstances may Company Systems be used for personal gain or profit; solicitations for commercial ventures; religious or political issues; or outside organizations. Company Systems may not be used to distribute chain letters or copyrighted or otherwise protected materials[.]
. . . You should have no expectation of privacy when using Company Systems. The Company may monitor, access, delete or disclose all use of the Company Systems, including e-mail, web sites visited, material downloaded or uploaded and the amount of time spent on-line, at any time without notification or your consent.
Protecting Trade Secrets and Confidential Information
Include trade secret protection in BYOD policies
Consider BYOD implications in confidentiality/non-disclosure agreements.
Limitations? Some employees may not be appropriate for BYOD:
– Research Scientists
– Executives
– Sales
Termination procedures:
– Remote Wipe
– Inspect phone
– Signed acknowledgement for return of property
GPS Tracking:
Include in policy.
No expectation of privacy in employer-owned property.
Only monitor during work hours.
Focus only on relevant information:
Impact on job performance?
Interferes with job performance?
Ignore personal information
Policy Violations:
Clear on consequences:
• “Up to and including termination.”
May need to notify business partners.
Guidelines on device configuration.
Safety (e.g. vehicle use).
Plan for breach.
Develop process for litigation preservation, data deletion,device and security updates.
Training.
Safety (e.g. vehicle use).
Plan for a data breach.
Develop process for
Litigation preservation (electronic form)
Data deletion
Device and security updates.
Address wage & hour issues for non-exempts:
Create parameters for limited use
Monitor employees to make sure they use mobile devices or access the network only within such parameters
Establish protocol for employees to record time worked
Pay for all time recorded as worked
Pay also if management has actual or constructive knowledge of off the clock e-mail work.
Give reasonable discipline for off the clock work
Training – not just the written policy!
Who is affected?
Legal
Human Resources
Finance
Communication/Employee Relations
Information Technology
Exempt/Non-exempts
Everyone!
Two-Step Legal Analytic Framework:
1. Unlawful if explicitly restricts Section 7 protected activities
2. If not explicit restriction, still Section 8(a)(1) violation if:
– Employees would reasonably construe to restrict Section 7 rights (perception)
– Rule promulgated in response to union activity (improper motivation)
– Rule has been applied to restrict Section 7 activity (application)
Develop a specific, written policy:
Establish information systems are the property of the employer – BE SPECIFIC
Consider additional steps – desktop statement, posting in common area, written consent/acknowledgement . . .
Reserve the right to monitor
Prohibit inappropriate use
Include penalties for policy violations
Train/educate employees and others – temps, I/Cs, etc.
Keep the monitoring work-related
Permit reasonable personal use
TECH monitors break room activities daily. The recording device is visible.
Cindy restocks the company-supplied coffee beans. One morning, she finds all beans are gone even though she had restocked everything the night before.
TECH HR reviews the tapes and notes Sally, Fred, and Francine taking various sealed bags of beans out of the break room.
TECH IT pulls Internet history from each employee’s Smartphone, which they also use for work. The company pays the monthly data fee for the phone.
TECH HR discovers Sally has been selling beans on eBay > 6 months.
TECH HR accesses Sally’s Facebook page by asking a co-worker Harry, who is her FB friend, to share his password.
Sally has a one-week old posting that reads, “Beans, beans, beans, the magical fruit! On sale now.”
Sally’s FB shows she is a member of the Unicorn & Rainbow Lovers Brigade, which is a political action group in Seattle.
Francine is an hourly employee.
TECH IT uses the find iPhone app for Francine’s phone.
IT discovers Francine’s phone is at a competitor’s office, ANTI-TECH, in another city, outside of business hours.
When TECH asks Francine for her phone (they are unable to do a remote download), she claims that she does not want to give them access because she has been emailing Fred about starting a union at TECH and has personal text messages to her girlfriend Cindy.
IT TECH continues to try the remote download and eventually is successful. IT discovers customer lists, sales figures, and proprietary sales tracking software in Francine’s work email account.
HR reports to TECH Legal.
Craft policies to reduce all privacy expectations
Communicate that personal texting, emailing, etc. should not interfere with job duties
Bar off the clock emails for non-exempts
Review technical controls
Encourage responsible use of devices and the Internet when discussing the company or its employees
Actually monitor on a consistent basis
Be aware of changing laws and audit policies routinely
If you’d like to receive workplace law updates and invitations to local seminars, please leave us a copy of your business card or sign-up online at www.jacksonlewis.com. Thank you!
www.bgllp.com | Houston Austin Dallas Connecticut New York San Antonio Washington, D.C. Seattle Dubai London 1
Top 10 Intellectual Property Mistakes and Pitfalls
Ed Cavazos, Partner
Erin Hennessy, Partner
Bracewell & Giuliani LLP
Top 10 Intellectual Property Mistakes and Pitfalls
1. Overlooking Hidden Risks in Non‐disclosure Agreements
2. Neglecting to Spend Some Time and Effort on Trademark Clearance
3. Believing the Open Source Software Myths
4. Failing to Properly Police Trademarks
5. Not Carefully Considering the Best Approach in Trademark Enforcement
6. Taking the “Joint Ownership” Shortcut in Negotiations
7. Agreeing to Partial or Incomplete IP Indemnity
8. Failing to Secure IP Ownership from Contractors
9. Entering into “Half‐Baked” IP Agreements
10. Not Fully Leveraging Your Domain Name Portfolio
#1. Overlooking Hidden Risks in Non‐disclosure Agreements
• Beware of the mutual NDA
• Risks to avoid when client is primarily a discloser:
• Short Terms
• Exceptions too broad
• Residuals clauses
• Strict marking requirements
• Risks to avoid when client is primarily a recipient:
• Unintended non‐compete
• No exclusion for or acknowledgement of independent development
• NDA creates Implication of significance
• Inflexible use restrictions
• Keep track of NDAs that have been signed and revisit them to keep them current in light of current state of the relationship
#2. Neglecting to Spend Some Time and Effort on Trademark Clearance
• Conduct trademark clearance before you launch the product.
• Trademark Clearance = Risk Management
#2. Neglecting to Spend Some Time and Effort on Trademark Clearance
• Consider life‐cycle of product or service
• Not one size fits all
• Cost control
#2. Neglecting to Spend Some Time and Effort on Trademark Clearance
• Teaming Up with Marketing
• Training on Quick “Knock‐Out” Searches
• How can you turn a “no” into a “yes”?
#3. Believing the Open Source Software Myths
• The Phrase “Open Source License” Is Meaningful
“The Developers Understand All This So I Don’t Have to”
• Open Source technologies are in the public domain
“Open Source licensing is not consistent with IP ownership”
• Contributors to open source development projects have the necessary right to contribute
“The SCO lawsuit proves the liability risk is all made up”
#3. Believing the Open Source Software Myths
• OSS is “viral” and can change proprietary code to “free” code
“You can inadvertently give away your proprietary software with bad OSS compliance”
• The GPL is a well‐written document
“Millions of adopters can’t be wrong”
• Lawyers can answer the tough questions if they spend enough time on them
“A $30,000 memo on ‘linking’ or ‘derivative works’ is a good idea”
#4. Failing to Properly Police Trademarks
• The Problem:
• Trademark owners have a duty to police trademarks or run the risk of giving infringers a strong defense
• Must police against:
• Confusing / competitive uses
• Uses that risk turning the mark generic (“Zipper” or “Escalator”)
#4. Failing to Properly Police Trademarks
• Practice Tips:
• Search the web periodically for improper uses
• Searching the USPTO’s online TESS database of federal trademark applications and registrations
• Using Google Alerts to spot internet uses of the mark
• Following up on customer complaints or communications that are misdirected because of confusing marks
• Using a third‐party watch service
• Monitor social media
• Once issues are identified, carefully consider enforcement strategy….
#5. Not Carefully Considering the Best Approach in Trademark Enforcement
• The Problem:
• Notwithstanding the “duty to enforce,” trademark owners are not obligated to enforce against all unauthorized uses that might conflict
#6. Taking the “Joint Ownership” Shortcut in Negotiations
• Business people and contract negotiators often default to “joint ownership” when relationships become complex
• What is often carelessly characterized as “jointly owned”?
• Improvements
• New inventions resulting from working together
• Derivative works
• Inventions resulting from jointly funded work
#6. Taking the “Joint Ownership” Shortcut in Negotiations
• The Problem: Joint Ownership is a messy concept
• Patents: “In the absence of any agreement to the contrary, each of the joint owners of a patent may make, use, offer to sell, or sell the patented invention within the United States, or import the patented invention into the United States, without the consent of and without accounting to the other owners.”
• Copyrighted Works: each co‐owner of a copyright has an independent right, without obtaining the consent of the other co‐owners, to exploit the copyright but must share in proceeds
• This is often 100% different from the intent of the parties
#6. Taking the “Joint Ownership” Shortcut in Negotiations
• The solution is to thoroughly address joint ownership issues in the agreement
• Start from scratch re: respective rights of joint owners
» Freedom to use and commercialize?
» Accounting to one another?
» Approvals on who can get a license?
• Who prosecutes the patent or future inventions? Who pays? Who makes key decisions?
• Who enforces the IP rights against infringers? Who collects judgments? Can / should the joint‐owner be involved and to what extent?
#7. Agreeing to Partial or Incomplete IP Indemnity
• The Problem:
• In‐bound technology licenses or product purchase agreements need to have a stout indemnity against IP infringement
• Licensors / Vendors have a variety of tricks to weaken their obligations. Indemnity exclusions to be wary of:
• knowledge qualified exclusions;
• combination exclusion;
• exclusions for technology requested by or approved by licensor/purchaser;
• Cumbersome notice / timeliness requirements
#7. Agreeing to Partial or Incomplete IP Indemnity
• Practice Tips:
• Assess actual risk, back your assessment with data and use that in negotiations
• Don’t fall for mutuality‐based arguments
• Bridge gaps with IP infringement insurance
#8. Failing to Secure IP Ownership from Contractors
• The Problem:
• Many service agreements (development arrangements, outsourcing deals, consulting agreements, etc.) leave ownership unaddressed
• When addressed, many agreements have the contractor/provider retaining certain “ownership” rights in all or some of the work product, leaving only license rights to the hiring party
#8. Failing to Secure IP Ownership from Contractors
• Practice Tips:
• Clarify ownership issues carefully; “work‐for‐hire”
• Beware of joint inventorship issues (need full assignments)
• Don’t be lulled into false sense of security by:
• Confidentiality provisions that allegedly protect client
• Industry exclusivity purporting to restrict developer’s use of materials to non‐competitors
#9. Entering into “Half‐Baked” IP Agreements
• Defined: An agreement that purports to create a binding obligation, but falls short because of indefinite or open material terms
• Examples:
• Letters of Intent that are never finalized
• License language that only indicates intent:
• “Licensor will grant…” or “Licensor shall grant.”
• See Massachusetts Eye and Ear Infirmary v. QLT Phototherapeutics, 412 F.3d 215 (1st Cir. 2005)
#9. Entering into “Half‐Baked” IP Agreements
• Practice Tips:
• Beware of LOI as a shortcut
• Draft definite language “Licensor hereby grants…”
• Beware of other “open” terms such as “a to‐be‐defined royalty…”
• Where business terms are not finalized, add a procedure that ensures finalization or spells out what happens if never accomplished
#10. Not Fully Leveraging Your Domain Name Portfolio
• Are all domain names pointing to home site?
• Monetization?
• Can legal be a revenue stream?
• Are you tracking launch of new gTLDs?
#10. Not Fully Leveraging Your Domain Name Portfolio
• Practice Tips:
• Conduct an audit of domain name portfolio
• Work with IT to ensure you are fully leveraging domain name assets
• Analyze the list of new gTLDs on ICANN’s website – gtldresult.icann.org
• Work with company stakeholders – IT, Marketing and Legal – to determine strategy for new gTLDs
• Consider your budget and develop a measured enforcement strategy
• Register key marks with the Trademark Clearinghouse
THANK YOU!
Questions?
www.bgllp.com | Texas New York Washington, D.C. Connecticut Seattle Dubai London 1
Trial Practice in Active Patent Dockets: A Primer on Practice in E.D. Texas and D. Del.
Panelists:
• Susan Brye, Director, Corporate Counsel, Starbucks Corporation
• John Barr, Partner, Bracewell & Giuliani LLP
• Michael Chibib, Partner, Bracewell & Giuliani LLP
Patent Litigation in E.D. Tex. and D. Del.
• Remain two of the most popular jurisdictions for patent suits
• Reputations as “plaintiff‐friendly” jurisdictions
• Success rate; time to trial; damage awards; jury pool (1995‐2012)
Source: PwC 2013 Patent Litigation Study, available at http://www.pwc.com/en_us/us/forensic‐services/publications/assets/2013‐patent‐litigation‐study.pdf
District | Overall Success Rate | NPE Success Rate | Time to Trial | Median Damages Award
E.D. Tex. | 57.5% | 46.7% | 2.19 yrs | $10 MM
D. Del. | 42.2% | 41.2% | 1.94 yrs | $20.75 MM
Nat’l Average | 32.4% | 24.3% | 2.35 yrs | $5.5 MM
Patent Litigation in E.D. Tex. and D. Del.
• Recent defense verdicts indicate change . . . at trial
• For example, in 2013, E.D. Tex. juries returned “take nothing” defense verdicts in 11 of 15 patent suits tried
• However, E.D. Tex. and D. Del remain among the most active patent litigation dockets
• And approximately 97% of patent suits are settled pre‐trial
E.D. Tex. Gen. Order No. 14‐3: “Track B” Patent Schedule
• Applicability
• Joint election of the parties
• Sua sponte
• Accelerated Case Schedule
• Within 14 days of answer – P.R. 3‐1 infringement contentions; P.R. 3‐2 document production; all licenses and settlements*
• Within 30 days – initial disclosures; sales data for accused product*
• Within 14 days – Good faith estimate of damages*
• Within 14 days – P.R. 3‐3 invalidity contentions; P.R. 3‐4 document production
• Within 5 days – Notice of readiness for CMC
*Additional requirements to standard “Track A” schedule
Judge Robinson’s Overhauled Patent Schedule
• Beginning to look like E.D. Tex./N.D. Cal. Rules
• May be a sign of things to come
• Requiring certain disclosures prior to a status conference with the assigned magistrate judge
  • Plaintiffs ‐ (1) identification of accused products; (2) damages model; and (3) identification of patents the accused products are alleged to infringe
  • Defendants ‐ (1) core technical documents demonstrating how the accused products work and (2) sales figures for accused products
• Submitting the following to magistrate
  • (1) discovery disputes; (2) overall management of discovery; (3) motions to dismiss; (4) motions to amend; and (5) motions to transfer
Judge Robinson’s Overhauled Patent Schedule
• Specific provisions for preliminary and final infringement and invalidity contentions
• Markman hearing and decision before expert discovery
  • Aspirational goal for decision 30 days after hearing
• Post‐Markman conference with the Court to discuss scope of case and narrowing of expert discovery
• Eliminating motions in limine, instead addressing evidentiary issues at the pretrial conference and during trial
• Only two patents will be presented to jury at a time
Techniques for E.D. Tex. and D. Del. Patent Trials
• Judges in E.D. Tex. often place strict time limits on patent trials
• Average patent jury trial is about 6 days in E.D. Tex.; 8 days in D. Del.; compared to national avg. of about 8.5 days
• Bench trials in D. Del. are about 5 days, and many more bench trials occur in D. Del. than in other districts due to generic pharmaceutical patent cases
Source: Mark Lemley, Jamie Kendall, & Clint Martin, Rush to Judgment? Trial Length and Outcomes in Patent Cases, AIPLA Q. J., v. 41, no. 2, pp. 169‐204 (Spring 2013)
• Recent trial in E.D. Tex. ‐ 3 unrelated patents, 4 unrelated defendants, 6 corporate reps, and 6 experts
  • Each side 13 hours total to present case, including cross examination
E.D. Tex. Gen. Order No. 13‐20: Limiting Asserted Claims and Prior Art
• Adopting Model Order Focusing Patent Claims and Prior Art
• By completion of claim construction discovery, Plaintiff must limit to 10 asserted claims per patent, 32 claims total*
• Within 14 days, Defendant must limit to 12 asserted prior art references per patent, 40 references total
• No later than 28 days prior to expert reports, Plaintiff must limit to 5 asserted claims per patent, 16 claims total
• By initial expert report, Defendant must limit to 6 asserted prior art references per patent, 20 references total
• No such limitations officially in effect in Delaware
* All limits increased by 50% if only one patent is asserted
Pitfalls and Potential of Emerging Payments
Presented by:
Ryan J. Straus, Riddell Williams P.S.
Shata L. Stucky, Riddell Williams P.S.
Patrick Murck, The Bitcoin Foundation
Riddell Williams P.S.
Association of Corporate Counsel – Washington Chapter Technology Summit
June 3, 2014
Critical Concepts
• Definition of Payment
• Monetary Objects vs. Monetary Value
• Payment Mechanisms
• Paymaster
• Scope of Emerging Payments
• Money Transmission
Introduction to Payments
Definition of Payment
A payment is “an act that discharges a monetary obligation”
A monetary obligation is an obligation to pay money, discharged by the transfer of money
Introduction to Payments
Definition of Payment #2
A payment is the “transfer of money that discharges a monetary obligation”
In modern usage, the concept of “money” includes both:
• monetary objects
• monetary value ($ in monetary value: claims to monetary objects held by a 3rd party)
Introduction to Payments
Illustration: What does it mean to say that someone has $5?
• $5 worth of monetary objects
• right to $5 held by another person
Introduction to Payments
What is a payment?
A payment is the “transfer of money that discharges a monetary obligation”
• monetary objects = physical delivery
• monetary value = payment mechanism
How does the transfer of money occur? How does the transfer of money occur online? Can monetary objects be delivered virtually?
The Payment Mechanism
A payment mechanism is:
• an instruction to a third party (the paymaster)
• to transfer “monetary value”
• from one party to another
A payment mechanism facilitates the transfer of claims to monetary objects held by a third party
The Payment Mechanism Illustrated
[Diagram: Payer and Payee, with Monetary Obligation Owed (+delivery) between them; Payer sends an Instruction to the Paymaster; Paymaster transfers Monetary Value or Monetary Objects to the Payee; labeled Debt Discharged/Credit Extended]
Core Payment Mechanisms (check, ACH, wire, card)
[Diagram: Payer, Payee, Payer’s Bank (Paymaster), Payee’s Bank]
1. Monetary Obligation Owed (+ delivery)
2. Payment Order
3. Debit Account
4. Interbank Clearing and Settlement
5. Credit Account (+ confirm)
6. Discharge Monetary Obligation
Emerging Payments
• New Third Parties
  – Paymasters other than the payer’s bank
  • Nontraditional Financial Institutions
• New Money
New Third Parties
E-commerce almost always involves at least one third party
Implications?
• irreversible transactions impossible
• micropayments not feasible
• privacy issues
Traditional Model = Bank Dependent
[Diagram: Payer, Payee, Payer’s Bank (Paymaster), Payee’s Bank]
1. Monetary Obligation Owed (+ delivery)
2. Payment Order
3. Debit Account
4. Interbank Clearing and Settlement
5. Credit Account (+ confirm)
6. Discharge Monetary Obligation
On Us Transactions = Cheaper
[Diagram: Payer, Payee, Payer’s Bank (Paymaster), Payee’s Bank = Paymaster]
1. Monetary Obligation Owed (+ delivery)
2. Payment Order
3. Debit Account
4. Interbank Clearing and Settlement
5. Credit Account (+ confirm)
6. Discharge Monetary Obligation
Nonbank Paymasters
[Diagram: Payer, Payee, Paymaster; Monetary Obligation Owed (+delivery) between Payer and Payee; Payer sends an Instruction to the Paymaster; Paymaster debits Monetary Value from Payer and credits Monetary Value to Payee]
For this to work, both parties must have accounts with the paymaster.
Money Transmitters?
The Basics
You might be a money transmitter if:
• You take funds/value from A and agree to pay them to B
AND/OR
• You take funds/value from A and store it so that A can:
  • make purchases from third parties
  OR
  • withdraw funds at a later date
Money Transmission?
[Diagram: Payer, Payee, Paymaster; Monetary Obligation Owed (+delivery) between Payer and Payee; Payer sends an Instruction to the Paymaster; Paymaster debits account/extends credit and transfers Monetary Value or Monetary Objects held by third party to the Payee]
Regulation of Money Transmitters
Regulatory Regimes:
• Consumer Protection
• Anti-Money Laundering/Terrorist Financing
Regulators:
• Consumer Financial Protection Bureau
• FTC
• States
• Financial Crimes Enforcement Network
Problems Solved?
E-commerce almost always involves at least one third party
Implications?
• irreversible transactions impossible
• micropayments not feasible
• privacy issues
Federal Trade Commission
FTC Act
• Unfair Practices
• Deceptive Practices
State Consumer Protection Statutes
Yunker v. Pandora, No. 11-CV-03113 JSW (N.D. Cal. Mar. 10, 2014)
State Consumer Protection Statutes
• Adopted in more than 14 states
• Prohibit the collection of personal information “as a condition of” accepting the credit card
Questions? Please contact us any time with additional questions.
Ryan J. Straus Riddell Williams P.S. 206.389.1566 [email protected]
Shata L. Stucky Riddell Williams P.S. 206.389.1786 [email protected]