As of December 1, 2016, the Copyright Office requires that each online service provider designate an agent to receive notifications of claimed infringement, as required under the Digital Millennium Copyright Act (“DMCA”), through the Office’s new online system, located here: https://dmca.copyright.gov/osp/p1.html. This online registration system and corresponding electronically generated directory replace the Office’s old paper-based system and directory. As a result, the Office will no longer accept paper designations, and service providers that appointed agents under the old paper-based system must submit a new designation under the new online system by December 31, 2017 in order to maintain their safe harbor from copyright infringement.

The DMCA includes provisions directed to copyright infringement on the Internet, notice and takedown procedures for copyright owners to report claimed infringement and safe harbors from copyright infringement liability for online service providers. Generally, online service providers are considered to be any provider of online services or network access, such as Internet service providers, websites, hosting companies, mobile app publishers, others that allow users to post or store material on their systems, and search engines, directories, and other information location tools.
Continue Reading Online Service Providers – Important Update – Copyright Safe Harbor

I. Overview

While the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (the TCCWNA) has been around for over 30 years, there has been a recent surge in the filing of class action lawsuits under the statute against businesses engaged in e-commerce. The statute was enacted in 1981 to regulate “consumer contracts, warranties, notices and signs contain[ing] provisions which clearly violate the rights of consumers.” Although such provisions are legally unenforceable, the legislature reasoned that “their very inclusion in a contract, warranty, notice or sign deceives a consumer into thinking that they are enforceable and for this reason the consumer often fails to enforce his rights.”

Initially, the statute was not used very much and remained dormant during the first 30 years following its enactment. Recently, however, the plaintiffs’ bar has resurrected the statute, targeting the website terms and conditions of businesses engaged in e-commerce. This resurrection began in 2013 as a result of the New Jersey Supreme Court holding that certificates issued by restaurants and offered for purchase by an Internet marketer are subject to TCCWNA rules, and it has continued for a few reasons. First, plaintiffs are asserting that the TCCWNA is very broad in scope. Indeed, plaintiffs’ lawyers contend that it applies to consumers who suffered no actual injury. Additionally, the statute provides for statutory damages of $100 per customer as well as attorney’s fees and costs, which creates the potential for very large monetary awards. Finally, while more guidance is necessary to determine how courts will treat e-commerce TCCWNA claims, there have been several plaintiff-friendly TCCWNA decisions in New Jersey.
Continue Reading New Jersey Consumer Statute Presents Trap for Unwary Retailers Engaged in E-Commerce

This is the first in a series of blog articles relating to the topics to be discussed at the 30th Annual Media and the Law Seminar in Kansas City, Missouri on May 4-5, 2017. Blaine C. Kimrey and Bryan K. Clark of Vedder Price are on the planning committee for the conference. In this article, we explore recent developments related to “champerty,” which involves the funding of a lawsuit by a person with no direct interest in the case. The topic of revenge and retaliation against the media through litigation funding will be one of the topics at the 2017 seminar.

Earlier this month, Hulk Hogan settled his lawsuit against what remains of Gawker Media for $31 million, bringing to an end years of litigation that resulted in a stunning $140 million verdict that rocked the media defense bar. But the lasting implications of the case that ultimately shuttered Gawker.com remain unclear. For lawyers who defend media entities, the Gawker case is viewed as a cautionary tale of bad facts making bad law and the dangers of going against an adversary funded by an enemy with deep pockets. But not everyone agrees with this perspective. Speaking recently to the National Press Club, Peter Thiel (the billionaire who funded Hogan’s litigation) seemed to suggest that it was Hogan, rather than Gawker, who was unable to get fair treatment in the courts. “One of the striking things is if you are middle class, upper middle class, a single-digit millionaire like Hulk Hogan, you have no effective access to our legal system,” Thiel said. “It costs too much.”
Continue Reading What Hath Hulk Wrought – Media Girds for Battle vs. Billionaires

After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify


Continue Reading Time to Raise Your Shield: The New EU-U.S. Framework Is Here

It’s been a while since last we published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information (PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.

Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
Continue Reading OCR: Ransomware Attack Often Is a Data Breach

As published in State Bar of Michigan Health Care Law Section

“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth

On April 5, 2016, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released an Enforcement Plan and Guidance (the “Plan”) regarding the Foreign Corrupt Practices Act (“FCPA”). The Plan contains three components designed to enhance the DOJ’s ability to detect and prosecute violations of the FCPA:  (1) a substantial increase in law enforcement resources; (2) increased coordination with foreign jurisdictions; and (3) implementation of a pilot program (the “Pilot Program”) offering substantial cooperation credit to companies that meet certain specified standards for “(1) voluntary self-disclosure of criminality, (2) full cooperation, and (3) remediation.”

One of the enumerated requirements for companies to achieve “full cooperation” (and thus earn maximum cooperation credit) under the Pilot Program is that companies must effectuate “[d]isclosure of overseas documents, the location in which such documents were found, and who found the documents.” This requirement comes with an exception for situations in which “such disclosure is impossible due to foreign law, including but not limited to foreign data privacy laws.” The requirement and exception are followed by a note stating that:

Where a company claims that disclosure is prohibited, the burden is on the company to establish the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.

Thus, companies seeking to avail themselves of the cooperation credit offered under the Pilot Program may find themselves trying to strike a delicate balance between compliance with foreign data privacy laws, such as those in the European Union that restrict the transfer of personal data, and compliance with the DOJ’s “full cooperation” requirement.
Continue Reading The Intersection of the Foreign Corrupt Practices Act and Data Privacy

Audit. A simple enough word, which basically means “to count.” Yet few words can evoke fear as much as this one word. No one asks their love “How do I love thee? Let me audit the ways,” nor do we tell our children to “Audit your blessings.” And while audits are not inherently unreasonable, their use should be reasonable and relevant. And due to the negative connotation of the word, many IT vendors are even couching their audit notices in “kinder” terms, characterizing the reviews as customer-benefitting and the like. But just as Shakespeare noted about misnamed flowers, an audit by any other name doesn’t change anything, and still holds risk.

Software audits are on the rise, and with most users reporting some under-licensing situations (and the requisite payment of additional license and support fees), this upward trend will only continue as more IT providers focus on this “low hanging fruit” revenue source. An increasing number of IT solutions providers are asking (or sometimes just telling) their customers to submit to an audit, albeit many times called by a different name, and taking increasingly aggressive approaches. The IT industry and the industries of its customers are taking notice, as in many cases, what is portrayed as a simple review will end up with tens or hundreds of thousands of dollars of exposure in the form of license and maintenance fees.
Continue Reading Software Audits: A Rose by any Other Name…

Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution

In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.

With respect to responding to cyber intrusion, the SEC’s stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security.

Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities who self-disclose cyber intrusions will be rewarded with cooperation credit.  
Continue Reading SEC Speaks: How the SEC Decides Whether to Investigate Breached Entities