Privacy Policies to be Required by California on All Commercial Websites

California has done it again! The nation’s toughest anti-spam law, the first database security breach notification law, and now the first state to require commercial website owners and online service providers to adopt and communicate privacy policies, ensure policies satisfy certain minimum standards, and pay penalties if they fail to conform.

California’s Online Privacy Protection Act of 2003 becomes effective July 1, 2004, and applies to commercial website owners and online services that collect and maintain “personally identifiable information” from a “consumer” residing in California. This will likely apply to all businesses selling goods or services online in the United States. To comply, among other things, the privacy policy must identify the categories of information collected; third parties who have access; how a consumer may review and correct information; and how consumers will be notified of changes in the policy. The statute also requires website owners to “conspicuously post” a privacy policy on their websites. A website owner can satisfy the requirement by posting the policy on its home page or by providing a hyperlink from that page to the policy. The link must include the word “privacy” and meet certain case, type size, font, or contrasting colors or marking requirements that call attention to the link and the policy. Online service providers must use “reasonably accessible means” to make its policy available.

This act is a good reason for businesses to review existing privacy, website and online practices. Re-examine privacy promises and consider liability waivers. If you have not yet adopted a privacy policy, now is the time to do so!

The Buzz About Sourcing: Out, Near, Offshore, Strategic, Corporate, In…

Not a day goes by that outsourcing isn’t in the news. Not just news, but NEWS. The Wall Street Journal, Information Week, The New York Times, Financial Times, CIO Magazine, American Banker. “Press 1 for Delhi, 2 for Dallas,” “Prove It’s Secure: Legislators Want CIOs and Service Providers to Show that Customer Data Sent Overseas is as Safe as it is at Home,” “Global Talk Gets Cheaper—Outsourcing Abroad Becomes Even More Attractive as Cost of Fiber-Optic Links Drop,” “Offshore Outsourcing: How to Safeguard Your Data in a Dangerous World,” “Weighing the Benefits of Offshore Outsourcing,” “Big-Bank Perspectives on Offshore Outsourcing,” “Lesson in India: Not Every Job Translates Overseas,” “Business Coalition Battles Outsourcing Backlash,” “More Work is Outsourced to U.S., Than Away From It, Data Show,” “Offshoring Can Generate Jobs in the United States”—well, you get the picture. Senator Liz Figueroa (D-Calif.) is seeking legislation prohibiting consumer medical and financial data from being sent overseas without assurances of strong privacy safeguards (remember the U.S. position on the European personal data directive?). Even Alan Greenspan has weighed in, cautioning, “These alleged cures would make matters worse rather than better.”

Both providers and customers consistently articulate several key themes. Many third-party providers can do it cheaper, faster and at higher quality – processing is their business – not yours. Third-party providers survive by keeping up with technology, training personnel and responding to changes quickly and efficiently – often a secondary priority and a headache for other companies. Further, companies are recognizing that allowing a third-party to perform functions and assist in providing services rarely requires relinquishing control or responsibility – in fact, proper management increases, and almost always in a positive way.

Like it or not, outsourcing is likely to remain a significant weapon in management’s arsenal of choices in managing business—an alternative available for consideration as requirements change. Although perhaps obvious, an outsourcing transaction should take into account the following key issues:

  • All or Some?—Assess needs, evaluate priorities, costs and requirements, and understand which functions, process or operations should be outsourced and which retained. Outsourcing is a tool, not an end in itself.
  • Control, Flexibility & Cost—A delicate balance considering the difficulty and implications—especially when entrusted to a third party, or if you are a third-party provider. Agreements must address varying objectives, priorities, customers and suppliers—hardly a trivial exercise.
  • Human Resource—Outsourcing affects employees: seniority, pensions and benefits, decisions involving termination, changes in salary, and even relocation. Immigration issues arise when moving people around—even for temporary training or other assignments.
  • Performance Standards—Defining and prioritizing standards is difficult enough internally and fixing accountability in a contract even more so.
  • Corporate Compliance, Privacy & Security—These issues require careful examination. Functions can be outsourced, but rarely can the responsibility.
  • Relationship Management—Customer and provider must develop a solid working relationship—in operation and spirit. From shifting priorities to changing performance standards—there is no substitute for a strong, effective team approach.
  • International—Global outsourcing gives rise to issues relating to currency fluctuations, differing intellectual property protections, privacy and transborder data flow, surveillance and security, governing law, dispute resolution, and interpretation and enforcement of contracts in local courts; and
  • Insourcing—Sometimes forgotten, no decisions are permanent. Leave room to re-evaluate or move functions from one service provider to another in an amicable transition process. Businesses, operations, requirements and costs change—don’t lose flexibility.

Did you know Rimon has significant experience in handling sourcing transactions—near, offshore, strategic and otherwise? Did you know Rimon may be the only law firm with attorneys here and abroad who have handled major international and multinational outsourcing transactions for financial institutions, airlines, health care providers, telecommunications and manufacturing companies, to name a few? Did you know Rimon lawyers are adept at looking at both the purely legal and contractual issues, as well as counseling clients for success and guiding clients through the process?

Whether understanding sensitivities of internal employee concerns, or preparing RFPs and negotiating and managing these complex contracts, Rimon lawyers understand and handle risks and issues new and unknown to many organizations—a host of human resource and performance issues, assignment, immigration and employment, warranty, insurance, indemnity and liability questions, growth, change control, customer service and termination issues. How to handle a migration plan? What about our people? What if I can’t get the service I need? What if my needs, my systems, my operations or my processes or my business changes?

The implications are large, the risks enormous and the complexity overwhelming—don’t skimp on retaining people with the right expertise, including lawyers. Want to know more? Want to schedule a customized in-house seminar? Contact Joe Rosenbaum in the U.S. at joseph.rosenbaum@rimonlaw.com and let us help you.

Avoiding a Legal Disaster: Déjà Vu All Over Again

In April 1995, Datapro Reports on Information Security published a Disaster Avoidance brief (IS38-200-101) entitled “Avoiding a Legal Disaster: Business Continuity Planning for Multinationals.” In that paper, the author analogizes a famous 1932 “technology” case decided by the Second Circuit Court of Appeals in the United States, to the growing potential liability of users in managing their technology and information security resources. Specifically, the article states that “In 1932, a famous case entitled The T.J. Hooper (60 F.2d 737; 2nd Circuit, 1932) held that the failure to take advantage of existing and available technology—even though it was not in widespread or common use—was not evidence that the defendant’s duty to take reasonable care had been fulfilled. By analogy, when a disaster occurs, it will not be a defense to argue that a recovery or security system or preventive measure is not commonly in use, especially if using it would have averted the disaster or minimized the loss.”

The article, which focuses on what organizations can do to minimize risk, goes on to note that, “The more reliant business and operations become on technology, the more available preventive and risk management tools become, the less excusable a failure to implement meaningful measures and exercise due diligence over company assets will become to government, employees, customers, suppliers, and shareholders—all potential plaintiffs.”

Now this fact and the author would probably be relegated to obscurity but for an interesting article on I.T. Litigation that has just appeared in the February 1, 2004 issue of CIO Magazine, entitled “Courts Make Users Liable for Security Glitches.” The author notes that an interesting turning point arose in the wake of 9/11 when, in October 2001, Hartford Insurance removed computer damages from its general commercial liability policy coverage. The article goes on to cite three recent cases which are beginning to look a lot like a legal trend in this area. First, a case in which Verizon asked a court to order the State of Maine to refund money because Verizon wasn’t using Maine’s network while Verizon was “down” because of the “Slammer” worm. Verizon had not implemented a Slammer patch and last April the Court ruled that while one may not be able to control a worm attack, they are foreseeable—no refund (Maine Public Utilities Commission v. Verizon).

In Cobell v. Norton, the U.S. Department of the Interior’s website and computer security became an issue in a case involving benefits allegedly and to American Indians. The Court was sufficiently irritated by the Department’s conduct related to security audits, that the Judge actually commenced contempt proceedings! Finally, in the last case cited by the article, the American Civil Liberties Union hoped to avoid liability for accidentally publishing donor information by pleading it had outsourced its security to a third-party vendor. Although the case settled, it is doubtful such a defense would have worked and it is almost certain regulated companies will not be able to escape accountability for compliance by outsourcing regulated activities—the responsibility will remain theirs!

There appears to be an increasing, and not-so-subtle, shift away from the notion that programming errors related to security breaches, computer viruses, worms, logic bombs and other malicious code or hacker and denial of service attacks are somehow equivalent to unpredictable natural disasters like earthquakes or fires—thus not subject to a “fault” analysis, but more appropriately covered by ‘accident’ insurance. Indeed, these and other cases arising in the courts treat breaches of security as fair game for negligence lawsuits—especially where damage has been done to a consumer (e.g., identity theft) or where the assets of a company—tangible or intellectual property—have been compromised. As noted in the 1995 article, liability for failure to implement available security is likely to increasingly hold both providers and users of technology liable where negligence can be shown—or even reckless disregard where safety or the protection of assets are concerned. You can read the CIO Magazine article here and, by the way, the obscure author of the 1995 Datapro article can be reached at joseph.rosenbaum@rimonlaw.com should anyone wish to see a copy or discuss the issues raised—then or now!

Got Indemnification!

In a world increasingly dependent on information, technology and intellectual property rights, contract indemnities—especially if you are an innocent third party—can be critical. “Innocent” means you are a licensee or user of technology (e.g., software, database information) from a provider or licensor and a third party claims that your provider or licensor has wrongfully furnished you with intellectual property that belongs to them. While space doesn’t allow us to go into the finer points of contributory infringement, third-party claims and the distinctions between insurance, breach of representation, and warranty or contract claims and an indemnity, there is enough space to alert you to the fact that a third-party indemnity claim—even if you, the user/licensee, have not knowingly done anything wrong—is disruptive and unnerving at best and at worst can lead to damage claims. For example, the third-party, if successful, will require a new license agreement with you and new license fees (remember those license fees you already paid your current licensor/provider?). Caveat emptor (or, in this case, caveat licensor)!

CAN-SPAM: It’s Not Phat!

Federal Commercial E-Mail Legislation Takes Effect A major change in the law that affects privacy and commercial e-mail on the Internet took effect on January 1, 2004. The CAN-SPAM Act of 2003 doesn’t simply establish an “opt-out” framework for commercial e-mail, it completely pre-empts state law. Although an individual consumer doesn’t have the right to sue an offender under the Act, the Federal Trade Commission, along with the Attorneys General of each state, do. So what should you know?

First, the Act only applies to commercial e-mail—an e-mail whose primary purpose is promoting a commercial product or service. Although the FTC has not yet promulgated any regulations under the Act, simply because an e-mail has a URL link to a commercial website or refers to product or service doesn’t make it commercial e-mail. There are, of course, certain obvious exemptions built into the law. Product safety recall information or e-mails notifying you about changes or important notices concerning your subscriptions, memberships, purchase confirmations, accounts or e-mail related to your employment—all of these are so-called “transactional relationship messages” where the main purpose is communication related to a commercial transaction, rather than promotion or advertising.

Second, what does the law require. Starting January 1, 2004, all commercial e-mail (even if an existing business relationship exists and whether or not the e-mail was solicited or not) must contain a clear and conspicuous notice that a consumer can opt out of future e-mails and provide a web-based means to do so. A consumer’s request to opt out must be honored within 10 business days and marketers can’t sell or share the e-mail addresses of those who have opted out. The e-mail must also clearly identify itself as an advertisement—unless a consumer has specifically asked to receive commercial e-mail from a particular commercial entity. Third, the e-mail must contain a postal, physical address of the sender. Although it is not yet clear if a post office box is enough, the less-risky approach is to have a street address.

The Act has a number of other requirements related to labeling—for example, the subject (header) must accurately reflect the body or content of the message and the sender (the sponsor of the promotion) must be identified. Although the Act preempts state commercial e-mail laws, beware of the fact that state fraud, trespass and certain consumer protection laws can still apply.

Violations of the CAN-SPAM Act are criminal offenses and involve both fines and potential jail time upon conviction. As with most Federal crimes, aggravating factors increase the penalties and implementing good faith and reasonable measures to attempt to comply with the Act can lessen them. These penalties can be serious—jail-time of up to five years, $250 per e-mail up to $2 million in fines (which can be tripled up to $6 million if aggravating factors are present) and all computers and software used in the commission of the crime can be forfeit.

Although the primary purpose of Legal Bytes is to enlighten and inform you, it obviously does promote Rimon and encourages you to call us when you need legal support. Accordingly we will always give you the opportunity to opt out of receiving our publication by email and when we send you an e-mail, it will be clear as to what it is and who is sending it. This is not just the law, it’s good practice.

Instant Messaging – SEC Regulations Likely

According to the TowerGroup (Bank Technology News, January 2004), an estimated 15 percent of the securities industry in North America uses Instant Messaging for sharing market-related data with client. As we mentioned in our July 2003 issue, the NASD is already requiring member firms to retain records of instant messages for at least three years, and is requiring them to supervise the use of instant messaging technology by their employees. It is likely that
SEC regulations will emerge specifically on the subject this year or next year at the latest.

In the meantime, most securities dealers are choosing to be safe rather than sorry, and are attempting to apply the same rules they have for e-mails to instant messages as well—although the technology isn’t going to make that chore easy. Stay tuned.

For the Record

The best Court Order in recent years can be found in the Citizens Coal Council v. Babbitt case (Civil Action No. 00-0274 (D.D.C. May 2, 2001)):

The recent heated exchange between plaintiffs and intervenor on the subject of whether or not the [National Mining Association] should have filed a statement of material facts pursuant to Rule 56.1 or not, whether the Court has granted plaintiff’s motion for leave to file supplemental authority or not, whether the Court’s own previous order is “authority” or not, etc., betrays a startling lack of sense of humor, or sense of proportion, or both, especially since it appears to be agreed that the facts relevant to this case are all in the administrative record. It is…ORDERED that NMA’s Rule 56.1 statement is not “rejected,” that it will remain of record, and that it may remain as “context” for NMA’s arguments. And it is FURTHER ORDERED that the parties lighten up.