Congratulations to Laura Arredondo-Santisteban, CIPP/US

We are pleased to announce that Laura Arredondo-Santisteban has become a Certified Information Privacy Professional/United States (CIPP/US) through the International Association of Privacy Professionals (IAPP).

The IAPP developed the first ever privacy certification for professionals.  It is the largest and most comprehensive global information privacy community and resource.  A CIPP/US certification indicates that the professional knows U.S. privacy laws and regulations and how to apply them. The CIPP credential means the professional has gained a foundational understanding of broad global concepts of privacy and data protection law and practice, including: jurisdictional laws, regulations, and enforcement models; essential privacy concepts and principles; legal requirements for handling and transferring data; and more.

Laura practices in the areas of telecommunications and technology, advertising/marketing, and privacy. Laura’s experience includes representing clients before the Federal Communications Commission,  Federal Trade Commission, state utility commissions and attorneys general, and assisting clients in matters involving legislation, regulations, and contracts, including developing and reviewing customer terms and conditions, privacy policies, advertising, labeling, and marketing materials.  Laura is fluent in Spanish and has assisted clients on these matters in both English and Spanish.

Laura may be reached at LArredondo@fh2.com or at 770-399-9500.

Data Breach Notifications: Your Obligations Will Vary from State to State

Today, unfortunately, it seems that data breaches are more of a “when it happens to your company,” and not a question of “if it happens to your company.”  And it’s a virtual certainty that your business possesses personally-identifiable information of individual residents of different states – whether customers, employees, or third parties – that could be compromised if your business suffers a data breach.  Consequently, if your company finds itself as the victim of a data breach, a swift response will likely be required – including a quick assessment of your obligations under the data breach laws of various jurisdictions.

For the first time since states began enacting their own data breach notification laws, all 50 states have now enacted some form of legislation requiring private or governmental entities to notify individuals in such states of security breaches involving their personally identifiable information.  Alabama and South Dakota, the last holdouts, enacted their own data breach notification laws to go into effect June 2018 and July 2018, respectively.

In light of this milestone, we thought it would be helpful to re-familiarize our clients and friends with a few of the common elements of state data breach notification statutes, their differences, and why companies should constantly remain vigilant as states consider measures that would amend their existing data breach laws.  Here is what you need to be aware of if you collect, process, or store personally-identifiable information about residents of various states.

State data breach laws generally affect businesses that collect personal information from consumers in a particular state; however, each state may have a slightly (or substantially) different definition of what “personal information” or “personally identifiable information” is covered by that state’s data breach laws. (Since the various state statutes employ differing terminology to describe this personal information, this article will use the term “PII” as shorthand for protected personal information that is covered by a given state’s data breach laws.)

The state data breach statutes vary not only in the definition of what constitutes PII, but also in: (1) what circumstances trigger obligations to notify that a data breach has occurred; (2) the parties to whom notification is required; (3) what information should be included in the notification; and (4) the enforcement rights afforded to the state and to individuals affected by the data breach.  These distinctions can make multi-state notifications of a data breach difficult, especially since no “generally-applicable” data breach notification law has been enacted at the federal level.

Also, be aware that, depending on the industry in which you operate, and also the types, sources, and location of the data involved in a breach, a data breach may also trigger specific obligations under U.S. federal law and perhaps even under the laws of other countries. A discussion of these federal and international data breach obligations is outside the scope of this article – but you should nonetheless keep them in mind and consult with your attorneys to determine whether they are applicable to your business.

State Data Breach Notification Statutes – What To Look Out For

1.  Notification Trigger: Determining whether you are obligated by a given state’s law to give notification of a data breach – whether to the affected individuals, to governmental authorities, or perhaps even to other third parties – depends on a careful comparison of the facts of the breach to the precise wording of the applicable statute. In short, you will need to ascertain – likely, very quickly – first, whether the breach is covered by the laws of the given state and, if so, whether the breach itself rises to the level that triggers notification obligations under the applicable statute.

a. Is the information that was breached covered by the laws of a given state? Coverage of such state laws usually applies to the PII of a resident of the subject state. Thus, if you have a data breach, one of the first steps you must take to understand your possible obligations under state data breach laws is to inventory the data to determine (1) to whom the data relates (i.e., which state’s laws may apply to a given individual whose data was breached), and (2) the types of data affected.  These are generally the two critical components in determining whether a given state’s data breach laws are implicated in a breach incident.

Once you have identified that a breach affects an individual resident of a given state, you must then assess whether the data that was breached is “PII” within the meaning of the relevant state statute. This second step can be tricky due to the statutes’ varying – and often broad – definitions for what constitutes PII.  All of the states, for example, define PII to include the combination of an individual’s name with some type of financial account information such as credit and debit card numbers.  However, some states – including Georgia – go farther, extending the scope of their data breach laws to include information that could be used to perform identity theft, even if the individual’s name was not part of the information that was breached.  Colorado, for example, recently enacted legislation that expands the current statute’s definition of PII to include: (1) usernames or email addresses, in combination with a password or security questions that would grant access to an online account; and (2) account numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to the associated account.

b. Does the breach trigger notification obligations under the applicable statute? State statutes differ as to the criteria for determining whether a company must notify an individual of a data breach. Some states’ laws apply to all businesses equally, while others only apply to certain specified industries.  Furthermore, a given statute may specify that the breach must rise to a certain level of severity – based on, for example, number of individuals affected, or likelihood of harm to affected individuals – before there is an obligation to notify others of the breach.  Some laws, such as South Dakota’s data breach statute, require reasonable belief that an individual’s PII has been actually acquired in order to trigger the statutory disclosure requirements, while other states, like Connecticut, require notification if there is reasonable belief of unauthorized access to an individual’s PII, even if it is not yet known whether a third party actually acquired the information or gained control of it.  In still other states, notification of a breach may not be required unless there is a finding that the breach creates a risk of misuse or harm to the individual.

2. Parties to Whom Notification is Required: If the facts of the data breach trigger notification obligations under a given state’s data breach laws, then you must pay close attention to the statute’s specific requirements regarding to whom notification must be given under the circumstances.  In addition to notifying affected individuals, some states require disclosure to the state attorney general and/or to the credit reporting agencies.  For example, Alabama’s statute requires providing written notice of the breach to the state Attorney General if the number of Alabama individuals affected by the breach exceeds 1,000.  Arizona recently amended its data breach statute to also require notification in writing to the “three largest nationwide consumer reporting agencies” and the attorney general if the breach requires notification to more than 1,000 individuals.  South Dakota, however, does not set a threshold for notification and requires that all national credit reporting agencies be notified “without unreasonable delay” if a company is obligated to notify any individuals (even just one) of a data breach.

3. Notification Requirements – Content and Timing: Some states require that certain specific information be provided to the affected individual. Alabama, for example, requires that each notice include, at a minimum: (a) the date, estimated date, or estimated date range of the breach; (b) a description of the PII that was acquired by an unauthorized person as part of the breach; (c) a general description of the actions taken by the company to restore the security and confidentiality of the PII involved in the breach; (d) information as to how a consumer can protect herself from identity theft; and (e) the company’s contact information so that an individual may contact the company to inquire about the breach.

State laws also vary in the timing required for disclosing the breach to affected individuals.  Arizona recently amended its data breach statute to require disclosure to affected individuals within 45 days after determination that there was a security system breach, while Colorado recently amended its statute to require notice within 30 days. However, many states do not provide a specific timeframe for notification, which means that determining whether your notification of a breach is “prompt enough” may be at your own peril. Texas, for example, requires disclosure to be made “as quickly as possible” after discovery, while numerous other states impose a uniform – but vague – requirement that notification be given “in the most expedient time possible and without unreasonable delay.”

4. Parties’ Enforcement Rights: In the majority of states, only a state official can enforce the data breach notification laws. However, a small number of states provide affected individuals with a private right of action.  In such states, private parties can sue for violations of the state data breach notification laws.  California, for example, allows any person injured due to a violation of its data breach notification law to institute a civil action to recover damages, and allows affected individuals to recover a civil penalty of up to $3,000 per violation for any willful, intentional, or reckless violation of the statute.

Despite the fact that only a minority of states currently provide affected individuals with a private right of action, companies should nonetheless work to comply with such state statutes in a timely manner to avoid the risk of an enforcement action by not only the state attorney general, but also by the Federal Trade Commission (“FTC”).   Failure to comply with applicable state law – and the publicity associated with an enforcement action by the state – increases the likelihood that the FTC will take notice of the data breach.  The FTC has brought numerous enforcement actions against companies concerning poor security practices, alleging that such companies failed to adequately protect the security of individuals’ PII.  Such enforcement actions can result in civil penalties and onerous reporting requirements.

In summary: if your company finds that it has suffered a data breach, you will need to move quickly to determine the scope of your legal obligations under various state data breach laws.  The first line of attack to determine which states’ breach notification laws apply should be to analyze to whom the affected data relates and what type(s) of data was involved – and then work with your attorneys to ascertain whether a given state’s data breach laws apply and, if so, what your company will need to do to comply with them.  The facts and circumstances of every data breach are different, and not every breach will necessitate a multi-state response. However, we hope this article heightens your awareness of the issues you will need to consider, and the inquiries you will need to quickly undertake, in the unfortunate event that your company experiences a data breach.

If you have questions regarding state breach notification laws that may apply to your company, please contact Laura Arredondo-Santisteban at LArredondo@fh2.com.

It’s the New Year: Have You Checked Your Marks Lately?

The start of a new year provides a time to reflect on past successes and lessons learned. It’s also a time to chart the course ahead to achieve your goals. One important goal for any business is to protect the uniqueness and “brand identity” that distinguishes it from others. And, there is no more valuable asset of brand identity than a company’s trademarks and service marks.

Like any business asset, trademarks and service marks must be used properly in order to maintain and enhance their value. Failure to do so can result in your trademarks and service marks losing their value and, eventually, allowing copycats to “steal” value from your business.

So, here are a few New Year’s tips to (1) ensure that you know how to properly use (and, thereby, legally strengthen) your trademarks and service marks, and (2) keep from weakening (or even losing) your trademarks and service marks.

I.  First, Some Basics:

What Is a Mark? What Is Its Purpose?

In short, a “trademark” is a word or symbol (or a combination of both) used to identify a business’s products to distinguish them from similar products offered by others.  Conversely, a “service mark” is used to identify services (rather than products) offered by a business to distinguish those services from similar services offered by others.  (Unless stated otherwise, the rest of this article uses the term “Mark” to include both trademarks and service marks.)

Marks help customers differentiate between products or services offered by one business and products or services offered by another.  Customers rely extensively on Marks when making purchasing decisions between different brands of the same product. They purchase one product instead of another, more often than not, based on perceptions of the respective quality and reputation associated with a specific brand (the Mark)—often without ever sampling the actual product or service. (Who opens a Coca-Cola beverage to taste it before buying it over a generic labeled store brand?) The ability of Marks to distinguish competing products or services and drive buying decisions is what makes them so valuable.  Such value is worthy of protection. And protection starts with proper usage.

What Do We Mean by “Proper Usage” of Marks?

Proper usage of Marks is all about clearly and consistently presenting the Mark in a way that the consumer easily recognizes that the Mark indicates a specific source (or brand) of products or services. The antithesis of this is when a Mark is used in such a way that it is perceived as merely a generic name for a product or service. Proper Mark usage indicates a specific source or brand. (Think: “Buy a BMW automobile”.)  Improper usage allows the Mark itself to be mistaken for the generic name of a category of products or services. (Bad: “Hand me a Kleenex”; “Make me a Xerox”.)  As customers come to associate your Mark with the specific quality and reputation unique to your brand, properly presenting a Mark preserves—and, over time, strengthens—the Mark’s ability to distinguish your business’s products and services from those of another company in the minds of customers.

II.  Do a “Proper Usage” Check-Up: Some Things to Look For.

A.  Present Your Mark as an Adjective – Not as a Noun or a Verb. You should always use your Mark as an adjective followed by a noun (the generic name of your products or services). Never use your Mark as a standalone noun or verb, even as a “shorthand” description of the products or services.  Failure to consistently present your Mark as a modifier to differentiate your company as the source of products or services leads consumers to think that your Mark is merely a generic name (whether as a noun or verb) for the type of products or services you provide. If that happens, your Mark may no longer be “distinctive”—meaning that customers no longer view it as a basis for distinguishing between your products and services and similar products and services of others. Once your Mark is no longer distinctive, it can lose the legal protections accorded to a trademark or service mark. This includes the right to exclude others from using your Mark.

Here are some examples of correct and incorrect uses of a Mark in a sentence.

Correct:   “Use BUZZ cloud data services to manage your data.” (“BUZZ” modifies cloud data services—good!)

Incorrect: “Use BUZZ to manage your data.” (“BUZZ” used as a shorthand noun—bad.)

Incorrect: “BUZZ your data management!” (“BUZZ” used as a verb—bad.)

TIP – One way to determine whether you are using your Mark properly as an adjective is to delete the Mark from the sentence in which it appears.  If the sentence still makes sense after deletion, that’s a good sign that the Mark was being used properly in the sentence.

EXCEPTION:  Sometimes a business uses the same term as both a Mark (a brand name for its products and services – an adjective) and as a name for the business itself (a noun).  (Think “BMW”, which is used both as the name of the company and as a brand name for the automobiles offered by that company.) When the business is merely using the term to refer to itself as a company or corporate entity, it is permissible to use the term as a standalone noun—but the business should nonetheless remain vigilant to follow the rules of proper Mark usage when it is using that term as a brand name for the business’s products and services (an adjective).

B.  Present Your Mark Consistently in Form and Format. Your Mark should always be presented consistently.  Consistent repetition of your Mark in the exact same form helps consumers recognize and remember it. This, in turn, strengthens consumers’ association of your Mark with the specific quality and reputation unique to your business. So:

  • Don’t vary the spelling or punctuation of your Mark; and
  • Avoid presenting your Mark in plural or possessive forms. (However, this does not apply if your Mark is actually plural (like “BUNCHES”) or a possessive (like “BOB’S”).)

C.  Make Your Mark Stand Out. Consider taking additional steps to make your Mark stand out as a unique identifier for your brand of products and services. For example, if your Mark is a word or a phrase (rather than a logo), differentiate the Mark visually from surrounding text.  Present your Mark in ALL CAPS or in a different color font.  Making your Mark stand out reinforces the word or phrase as a Mark instead of a generic reference.

D.  Use the Correct ®, TM, or SM Symbol and Use It Correctly.  Proper use of the correct ®, TM, or SM symbol is crucial to preserving rights in your Marks for several reasons.  It publicly reinforces that the word(s) or logo to which the symbol is affixed are being used as a Mark and not a generic name for goods or services, and it puts potential infringers on notice of your claim to rights in your Mark.  Furthermore, in some cases, it may eliminate certain defenses available to those infringing your Mark and affect the types of infringement damages you might recover for an infringement of your Mark.

Here are tips on how to determine which is the correct symbol to use with your Mark and how to use that symbol properly.

  • Use the ® symbol if your Mark is registered with the USPTO in connection with the products and/or services on which the Mark is being used in that particular instance.
  • Conversely, don’t use ®—and do use either the TM or SM symbol, as applicable—if you have not obtained a USPTO registration for your Mark or if you are not using the Mark, in that particular instance, with the particular products or services listed in your Mark’s USPTO registration.
    • Use the TM symbol when the Mark is being used in connection with products.
    • Use the SM symbol when the Mark is being used in connection with services.
  • Place the correct ®, TM, or SM symbol immediately following the Mark, not after the generic name of the product or service with which your Mark is associated. For example, for the Mark “BUZZ” registered with the USPTO for cloud data services, an example of appropriate usage would be “Use BUZZ® cloud data services”—not “Use BUZZ cloud data services®”. (If there was no USPTO registration for “BUZZ”, or if “BUZZ” is not registered with respect to “cloud data services,” you would change the ® to an SM symbol.)

EXCEPTION: As noted, sometimes a business uses the same term as both a Mark and as a name for the business itself.  Trademark symbols should never be used where the business is merely referring to itself as a company or corporate entity (a noun), as opposed to a “brand name” for specific products or services (adjective).

Conclusion

Start the new year off right by making sure your business is using and presenting its Marks properly. Appropriate presentation and use of your Marks will: strengthen customers’ association of your Mark with the particular products or services with which it is associated; help you protect your Mark against infringement; and increase the value of your business’s unique “brand identity.”

If you have questions regarding trademarks and service marks, including selection, proper usage, and protection of these valuable business assets, contact Mike Stewart at mstewart@fh2.com or (770) 399-9500 for more guidance.

Terms and Conditions May Not Apply – How to Make Sure Your Terms and Conditions Work for You

“Additional terms and conditions apply” is a phrase we have all heard from a voice-over on a late-night infomercial hawking vegetable juicers or subscriptions to a knife-of-the-month club. But just what are “terms and conditions” and how are they different from a normal contract? And what concern are they to businesses that occupy, shall we say, more reputable corners of the marketplace?

What are “terms and conditions”?

As an initial matter, every contract has “terms”. These are simply the various promises that the parties to a contract make to each other: WidgetCo shall provide Customer with 600 widgets. In return, Customer shall pay WidgetCo $1,000 per widget. These are both terms.

Terms can be conditional—if Customer pays within 30 days of delivery, WidgetCo will give Customer a 5% reduction off the quoted purchase price. But conditional terms are still terms and, legally, there is no meaningful distinction between terms and conditions. Like “cease and desist” or “will and testament”, “terms and conditions” is simply a stock phrase that has become a fossilized part of legal language.

As a practical matter, though, when we hear the phrase “terms and conditions”, what is usually meant are contract terms that have two characteristics. First, they are boilerplate terms—that is, standardized terms that are ancillary to the “real” terms of the deal that have been hammered out between the two parties with respect to the transaction at hand (for example, quantity purchased, delivery dates and locations). Second, they are often contained in a document (often titled “Terms and Conditions”) that is separate from the primary “deal-specific” document (such as a purchase order or statement of work) that gives rise to a particular deal. Terms and conditions are often, but not always, dictated by the seller of the goods or services without negotiation. It is in this sense that we will use the phrase “terms and conditions” in this article.

Considerations in using separate “terms and conditions”:

It can be useful to structure a transaction so that there are separate terms and conditions, and it is a practice that is especially common in internet-based commerce. Nevertheless, if you choose to employ terms and conditions, there are several considerations you must account for. Otherwise, you may end up with a contract different from the one you thought you agreed to.

Do you have a meeting of the minds? The first challenge that terms and conditions present is that they have a funny way of never making it into the contract at all. Any lawyer can tell you that a commercial contract is a “meeting of the minds” – that is, an agreement – between the buyer and the seller. In short, terms that both parties agree to become a part of the contract. Those that haven’t been agreed to do not.

The legal burden is on the party seeking to enforce a term to prove that the term was agreed to by both parties to be part of their “deal”. And, generally, this requires proof that the other party (i) had notice of the additional terms and an opportunity to review them, and (ii) agreed to be bound by them.

A problem with separate terms and conditions is that one party may not be aware that they exist at all. (In fact, a cynic might conclude that one reason terms and conditions are so popular is they seem to allow one party to insert terms into a deal without bringing them to the other party’s attention.) But if one party isn’t aware of certain terms, that raises the possibility that there was no meeting of the minds as to those terms, and so they do not become a part of the parties’ contract.

  • Imagine, for example, WidgetCo sells widgets through its website, widgetsforless.com. Within that website is a web page laying out the terms and conditions for purchases made through the website. However, a customer never has to visit that page to complete an order, nor is there a specific reference or link to the terms and conditions during the order process—so a customer can place an order without ever being exposed to the “other terms and conditions”. Instead, the website may contain just a general—and inconspicuous—statement that merely browsing or using the website binds the customer to the terms and conditions. This approach is often referred to as a “browse wrap” agreement. (The word “wrap” is an allusion to the earlier practice of selling software with terms and conditions included inside a box wrapped in shrink-wrap.)

In this situation, can we really say—or prove—the customer has knowingly agreed to those terms? Without something more, that is a very hard conclusion to reach, and courts usually agree. Browse wrap terms are often found to be unenforceable for the fundamental reason that they were never mutually agreed to—because the customer did not have adequate notice of the terms.

  • Now imagine WidgetCo uses a printed order form that contains the statement “WidgetCo’s standard Terms and Conditions apply”. This is better, because WidgetCo’s customer should at least be on notice that there are other terms out there that it needs to be aware of. But does WidgetCo’s customer really know the substance of the terms it’s agreeing to when it submits the order form? Can it find out what it’s agreeing to? If not, whose fault is that—WidgetCo’s or the customer’s? In this case, it would be WidgetCo’s fault—while WidgetCo has notified the customer that additional terms apply, it has not given the customer any opportunity to review those terms. As such, the customer cannot be said to have agreed to terms that it could not review.

To avoid these questions, the best practice would be for WidgetCo to include a copy of its separate terms and conditions with the primary contract document and to get some affirmative manifestation that the customer agrees to those terms, such as a signature on the terms and conditions document.

But that is not always possible. So, at a minimum, WidgetCo needs to include a provision in the main document that clearly and unambiguously

  • incorporates the additional terms into the parties’ agreement; and
  • provides clear direction on how the customer can find those terms to review them.

So long as the terms and conditions of a contract have been made available for review by a party, the law will usually presume that the party read them and understood their contents—even if the party chose (for whatever reason) not to actually review the terms.

A useful provision could look something like this:

This transaction is subject to WidgetCo’s standard Terms and Conditions, last modified August 1, 2015. WidgetCo’s full Terms and Conditions are available to Customer on WidgetCo’s website at www.widgetsforless.com/terms_and_conditions. 

In an e-commerce context, the same thing can be accomplished by having the buyer/user click a box signaling that he or she agrees to the seller’s terms and conditions, with the actual terms and conditions being available for review via a conspicuous hyperlink. (This is commonly referred to as a “click wrap” agreement, as distinguished from browse wrap.)  Where the terms are available for review by clicking on a conspicuous hyperlink, courts again generally presume that the buyer/user has read them and understood their contents before checking the “I agree” box—even if the buyer/user later admits that they chose to not click on the hyperlink or to actually review the terms.

Can you prove what terms and conditions the parties agreed to? At this point, we do know the customer has agreed to a set of terms and conditions. But we still may not necessarily be able to prove what those terms and conditions are. That brings us to our next issue.

In this case, the terms and conditions are almost certainly for WidgetCo’s benefit, so it is likely WidgetCo that is going to want to assert the rights and protections they provide if the deal falls apart. That means the burden will be on WidgetCo to prove the content of the terms and conditions to a court. Experience has shown that that can be harder than it sounds.

Let’s assume WidgetCo’s customer has clearly and unambiguously signaled its consent to be bound by WidgetCo’s terms and conditions that were in effect on the date their deal was struck. If the terms and conditions were reproduced in full on a document that the customer signed, it’s easy to prove what terms and conditions were agreed to.  But if the customer has signed a printed document containing a provision like the one in the section above, or has checked a box on WidgetCo’s website showing its assent—i.e., in both cases, where the terms were made available to the customer through a hyperlink or web address—what now?  Especially if WidgetCo has since revised the terms and conditions found on its website?

Almost by their nature, terms and conditions change over time (a point we will discuss further below). More than once, a business has appeared in court ready to prove how their current terms and conditions appear on their website, only to be told that their current terms and conditions are irrelevant. What matters, of course, are the terms and conditions that were in place at the time this contract was formed with this customer. If the business has not maintained the entire history of its terms and conditions in a structured way—and many businesses do not—it may find itself unable to prove what earlier terms and conditions were in place on the date that this customer entered into the contract.

Therefore, if a business intends to rely on separate terms and conditions, it is essential that it maintain records of its various terms and conditions in such a way that it can prove the contents of the terms and conditions that every individual customer has actually agreed to. To do this will require the business to:

  1. Maintain all prior versions of its terms and conditions in a repository;
  2. Make sure that the repository uses a system that will show not only the version that was in effect on a given day, but also that the customer could have accessed them or did in fact access them (for example, that the website containing the terms was not “down” or unavailable at the time, or a record showing that the customer clicked the link or “checked the box,” if applicable); and
  3. Make sure that the repository system is designed so that future employees will be able to testify with certainty about what terms and conditions were in effect on a given date. (Murphy’s Law dictates that all the employees from the time of the sale will be long gone, years later, when the terms actually become relevant to a dispute.)
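One way to implement the three record-keeping points above in code, as an added example that is not part of the original article: every published version of the terms is stored with its effective date and a SHA-256 digest of its exact wording, every acceptance event records which digest was in effect and whether the linked page actually served that same text at the moment of the click, and a lookup reconstructs for any customer the precise wording they agreed to, regardless of what the website says today. The `TermsLedger` class, the customer ids and the sample terms text are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _parse(ts: str) -> datetime:
    """ISO-8601 timestamp -> timezone-aware datetime (naive input is taken as UTC)."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class TermsVersion:
    label: str            # human-readable version label (constructed, e.g. "v1")
    effective: datetime   # first moment this version was in effect
    text: str             # full wording as published
    sha256: str           # pins that wording; any later edit produces a different digest


@dataclass(frozen=True)
class Acceptance:
    customer_id: str
    accepted_at: datetime
    terms_sha256: str              # digest of the version in effect at that moment
    served_sha256: Optional[str]   # digest of the page actually served at the link; None if it was down
    evidence: str                  # how assent was shown: "checkbox", "signature", ...


class TermsLedger:
    """Append-only store of every published version plus every acceptance event."""

    def __init__(self) -> None:
        self._versions: List[TermsVersion] = []
        self._acceptances: List[Acceptance] = []

    def publish(self, label: str, effective: str, text: str) -> TermsVersion:
        eff = _parse(effective)
        if self._versions and eff <= self._versions[-1].effective:
            raise ValueError("versions must be appended in chronological order")
        tv = TermsVersion(label, eff, text, _sha256(text))
        self._versions.append(tv)
        return tv

    def in_effect_on(self, when: str) -> Optional[TermsVersion]:
        """Latest version whose effective date is not after `when` (point 2 above)."""
        moment = _parse(when)
        current = None
        for tv in self._versions:
            if tv.effective <= moment:
                current = tv
            else:
                break
        return current

    def record_acceptance(self, customer_id: str, accepted_at: str, evidence: str,
                          served_text: Optional[str] = None) -> Acceptance:
        """Record a click/signature; `served_text` is what the terms link returned at that moment."""
        tv = self.in_effect_on(accepted_at)
        if tv is None:
            raise ValueError("no terms were in effect at the time of acceptance")
        served = _sha256(served_text) if served_text is not None else None
        acc = Acceptance(customer_id, _parse(accepted_at), tv.sha256, served, evidence)
        self._acceptances.append(acc)
        return acc

    def prove(self, customer_id: str) -> List[Dict]:
        """Reconstruct, for each acceptance by this customer, exactly what was agreed to (point 3)."""
        by_digest = {tv.sha256: tv for tv in self._versions}
        proof = []
        for acc in self._acceptances:
            if acc.customer_id != customer_id:
                continue
            tv = by_digest[acc.terms_sha256]
            proof.append({
                "accepted_at": acc.accepted_at.isoformat(),
                "version": tv.label,
                "text": tv.text,
                # stored wording still matches the digest recorded at acceptance time
                "text_intact": _sha256(tv.text) == acc.terms_sha256,
                # the link was up and served the same wording the customer was bound to
                "link_served_same_text": acc.served_sha256 == tv.sha256,
                "evidence": acc.evidence,
            })
        return proof


def build_demo_ledger() -> TermsLedger:
    """Constructed sample data: two versions and one click-through acceptance between them."""
    ledger = TermsLedger()
    v1 = ledger.publish("v1", "2017-01-01T00:00:00+00:00",
                        "All invoices shall be paid within 30 days. Unpaid invoices incur 4 percent per annum.")
    ledger.publish("v2", "2017-06-01T00:00:00+00:00",
                   "All invoices shall be paid within 14 days. Unpaid invoices incur 12 percent per annum.")
    ledger.record_acceptance("cust-42", "2017-03-15T10:30:00+00:00", "checkbox", served_text=v1.text)
    return ledger


if __name__ == "__main__":
    for entry in build_demo_ledger().prove("cust-42"):
        print(entry)
```

In the demo the customer accepted in March 2017, so `prove("cust-42")` returns the 30-day wording of v1 even though v2 is the version currently published; that is the record a future employee would need. In a real deployment the two lists would live in write-once or audit-logged database tables, and the digest of the served page would be captured by the web tier at click time rather than passed in by hand.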

Are the terms and conditions “subject to change”? A common characteristic of standard terms-and-conditions forms is a provision that the terms and conditions themselves are subject to change, usually at the sole discretion of the party that drafted them and often without notice to the other party. The terms may then go on to say that any such change automatically becomes binding on the other party as soon as the change is made. These types of provisions would obviously be useful to the drafting party if they were enforceable. The problem is, they often aren’t.

Again, a contract is an agreement by two parties to a common set of promises. Imagine WidgetCo’s terms and conditions contain the following language:

All invoices shall be paid within 30 days. All invoices that remain unpaid after 30 days shall incur interest at the rate of 4 percent per annum.

If WidgetCo can retain the right to change any term at any time and in its sole discretion, what’s to stop WidgetCo from amending its terms and conditions to require payment within 14 days? Or 4 days for that matter? Why couldn’t it raise the interest rate to 12% and disavow any warranties at the same time? In fact, while it was at it, why couldn’t WidgetCo change its terms and conditions to say that a customer representative had to come to the home of WidgetCo’s president and mow her lawn every Sunday until the balance is paid?

These scenarios may seem absurd, but they illustrate the fundamental unfairness that a unilateral “subject-to-change at will” clause presents. The law recognizes this unfairness and so, generally, renders “subject-to-change at will” provisions unenforceable.  In some cases, courts have gone even further to find that the mere presence of a “subject-to-change at will” provision makes the entire contract unenforceable from the outset.

To make changes to your terms and conditions binding on the other party, you need to comply with the same fundamental requirements as were needed to form the initial contract. That generally means:

  1. Giving the customer actual notice of the new terms;
  2. Getting the customer’s consent to the new terms (which can be express or implied, depending on the circumstances); and
  3. Giving some new promise or performance—or giving up an existing right—in return for the customer’s agreement to make changes to the existing deal.

The last of these is probably the least intuitive for non-lawyers. That is because to be a legally enforceable contract, an agreement cannot be just a meeting of the minds. To be enforceable, an agreement also has to have “consideration” given by each party to the other.  Without new consideration, changes to terms and conditions will generally be found to be an unenforceable attempt to unilaterally modify the terms agreed to by the parties.

Consideration is a legal term of art that refers to the thing that each party agrees to, or gives up, as its part of the deal. For example, in a commercial transaction, the seller promises to give up goods or services, and the buyer gives up his money. These promises are consideration. When the terms of an agreement are changed, the customer’s agreement to proceed under the new, changed terms is usually the necessary consideration given on the part of the customer—but the seller must give something in return as well. It could be a promise to accept future orders from the customer (if the seller would otherwise have the right to refuse such orders), a relaxing of payment terms, or something else.   Depending on the facts and the type of business at hand, the possibilities are potentially limitless—so long as the seller gives something in exchange for the customer’s agreement to accept the changed terms.

In the end, terms and conditions are a fixture of modern commerce, especially online commerce, but they present issues that must be addressed before they can be effective. If you have any questions about your business’s terms and conditions, please contact Ben Byrd at bbyrd@fh2.com or (770) 399-9500 to discuss further.

The Consumer Review Fairness Act – Outlawing Consumer Gag Clauses In Your Customer Contracts

Does your company use form service agreements, purchase contracts, or online terms to conduct its business with customers? If so, you should review those documents immediately to make sure you are compliant with the new Consumer Review Fairness Act of 2016 (CRFA), which makes it unlawful in many cases to use your “standard terms” to control what your customer says about you, your products, or services.

The rise of social media and online review sites has provided consumers with an expansive ability to obtain instantaneous evaluations (good and bad) from others regarding a product or service.  This feedback can be great for businesses that receive good reviews posted online. But, as often is the case, there is nothing like a disgruntled customer to lead to a poor review being posted online.

As such, some businesses have attempted to restrict customers’ ability to publish negative reviews by inserting non-disparagement or “gag” clauses in their form contracts and online terms of service. These gag clauses limit consumers’ ability to post negative reviews by giving the company an express right to take legal action (and sometimes to recover money damages or specified penalties) against customers who post negative reviews or who complain to the Better Business Bureau. Some companies even attempted to exert control over consumer commentary by requiring that the consumers transfer copyrights in their reviews or other “feedback” about the products and services to the company.

The inclusion of these clauses, and companies’ attempts to enforce them, not only gained media attention, but also caught the attention of regulators at the state and federal levels.  In 2015, the Federal Trade Commission (FTC) filed a complaint against Roca Labs, Inc. and its principals for taking or threatening to take legal action against consumers who purportedly violated certain non-disparagement provisions that were included in their website’s “Terms and Conditions.” Under Roca Labs’ terms, purchasers allegedly agreed to not “speak, publish, cause to be published, print, review, blog, or otherwise write negatively about [Roca Labs], or its products or employees in any way.” These efforts by Roca Labs, the FTC alleged, constituted unfair acts or practices in violation of Section 5 of the Federal Trade Commission Act.

The Consumer Review Fairness Act of 2016 – Things to Do Now

As of March 2017, the CRFA makes certain clauses in “form contracts” void and unenforceable if the clause: prohibits or restricts an individual from sharing reviews of a seller’s goods, services, or conduct; imposes a penalty or fee against an individual who writes a review; or purports to transfer intellectual property in review or feedback content.  Furthermore, the CRFA makes it unlawful to even offer a form contract containing such a gag clause (meaning that it may be an illegal “unfair or deceptive trade practice” to continue to have such provisions in your contracts, even if you have no intention of enforcing them).

The CRFA broadly defines “form contracts” as any contract “imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized terms,” and includes a website’s terms and conditions, as well as a company’s “standard terms” for purchasing products or services (whether in paper or electronic form). (The term “form contract” does not, however, include employer-employee or independent contractor contracts.)

More specifics about the CRFA are provided below – but your company should be taking steps immediately to review its form contracts – including any online terms and conditions – and to remove provisions that:

  • restrict individuals from sharing their honest reviews about you, your products, or services, or penalize those who do; or
  • claim copyright in an individual’s reviews or feedback about you, your products, or services.

What Specific Conduct Does the CRFA Prohibit?

Specifically, under the CRFA a provision in a form contract is void if it:

  • prohibits or restricts an individual who is a party to such a contract from engaging in written, oral, or pictorial reviews, or performance assessments or analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is a party to a form contract;
  • imposes penalties or fees against individuals who engage in such communications; or
  • transfers or requires the individual to transfer intellectual property rights in review or feedback content.

Furthermore, the mere presence of one of these prohibited terms in a form contract constitutes a violation of the CRFA – even if you never try to enforce the provision.

There Are Limits to the CRFA – Not All Customer Commentary is Protected.

The CRFA does not require businesses to permit people to post reviews on their company’s website. However, if a business does solicit and allow consumers to provide feedback on its website, then it should keep in mind that the CRFA does not safeguard all content contained in consumers’ reviews.

In essence, the CRFA seeks to prevent companies from including provisions in their form contracts that threaten or penalize people for posting honest reviews about a company’s products, services, or conduct.  However, the CRFA does not protect defamatory or obscene posts. In addition, a business may still include provisions in its form contracts that prohibit postings that: breach confidentiality obligations imposed by law; reveal confidential information or trade secrets; contain personnel, medical, or law enforcement information; or contain computer viruses or malware.

Websites that permit consumer reviews also retain the right to remove or refuse to display content if it is unrelated to the goods or services offered, or is clearly false or misleading. However, the FTC cautions businesses that it is “unlikely that a consumer’s assessment or opinion with which you disagree meets the ‘clearly false or misleading’ standard.” Finally, businesses may also continue including “feedback clauses” in their agreements with consumers, which give the company certain rights to use feedback provided by customers, as long as such clauses take the form of a non-exclusive license (rather than requiring the consumer to transfer ownership of the feedback).

What Are the Penalties for Violating the Consumer Review Fairness Act?

Violations of the CRFA will be treated the same as violating an FTC rule that defines an unfair or deceptive trade practice. The FTC and state attorneys general have authority to enforce the CRFA. Enforcement will begin on December 14, 2017, and will apply to contracts with clauses in effect on or after that date.

Companies that violate the act by including prohibited gag clauses in their form contracts could be subject to steep financial penalties, as well as a federal court order. While the CRFA does not include a private right of action, individuals may still be able to sue under various states’ deceptive trade practice statutes (or “mini-FTC acts”), if those statutes provide for a private right of action. The CRFA specifically states that it shall not “be construed to affect any cause of action brought by a person that exists or may exist under State law.”

For Further Guidance:

If you have questions regarding complying with the CRFA or how to effectively respond to a negative review left for your business, contact Laura Arredondo-Santisteban at LArredondo@fh2.com or (770) 399-9500 for more guidance.

Limiting Your Liability for Copyright Infringement Caused by Others: Important Steps You Need to Take Soon

If you are running a technology business that deals with content provided by users or other third parties—or even if your business simply has an interactive web presence that allows users to post their own comments or photos or contains links to other websites—there are important changes you need to know about to limit your liability for copyright infringement caused by your users and other third parties. Here’s what you need to know.

Since 1998, the Digital Millennium Copyright Act (DMCA) has provided certain “safe harbors” that limit a “service provider’s” liability for copyright infringements caused by content provided by users or other third parties.  If the service provider meets the requirements of a particular safe harbor, it will have no liability for monetary damages or (almost all) injunctive relief for copyright infringement arising out of content provided by third parties.

Under new regulations that became effective December 1, 2016, the U.S. Copyright Office imposed new, detailed registration and renewal requirements that a service provider must meet in order to qualify for—and maintain—the limitations on liability afforded under the DMCA.   Furthermore, the regulations signal the U.S. Copyright Office’s intent to extend the new registration requirements to service providers who were not clearly required to comply with these requirements under the DMCA previously—meaning that certain businesses who may have believed since 1998 that they were exempt from these registration requirements must now comply with the new regulations—or risk losing important protections against liability for copyright infringement.

THINK YOUR BUSINESS IS NOT A “SERVICE PROVIDER”?  THINK AGAIN.

Section 512 of the U.S. Copyright Act defines a “service provider” broadly to mean any “provider of online services or network access, or the operator of facilities therefor.”  As such, your business is likely a “service provider” within the meaning of the DMCA if you, for example:

  • Operate a website or app that does any of the following:
    • has “social” or “sharing” functionalities (for example, that allow users to provide comments or reviews, participate in discussions or user forums, or upload photos or other materials);
    • contains or publishes material submitted by third parties (such as product photos or descriptions in an online marketplace);
    • contains links to other websites or online materials;
    • helps users locate information (for example, a tool to search for and compare product or pricing information from various sources); or
    • has messaging functionalities where messages are stored—temporarily or permanently—on your servers (such as an “Inbox” where the user can exchange messages with your business or with other recipients); or
  • Provide a data service where the data consists—in whole or in part—of information provided at the direction of users or other third parties;
  • Operate servers, cloud services, hosting services or “software-as-a-service” offerings that allow users to submit, store, or publish content; or
  • Provide network services whereby material transmitted by users is temporarily stored (“cached”) in your system as an incidental function of your service.

A BRIEF HISTORY OF THE DMCA AND THE “NOTICE AND TAKEDOWN” PROVISIONS OF THE SAFE HARBORS.

Under U.S. copyright law, simply creating a copy of someone else’s copyrightable subject matter without permission is a copyright infringement—even if that copy was created automatically through a technological process initiated at the direction of someone else. (For example, a user’s submission of materials to your website may result in a copy of these materials being automatically created on the website servers.)  Similarly, merely linking to infringing materials can give rise to a copyright infringement—even if you had no reason to know that the linked material was infringing.

Because automated copying and linking of online content are both inherently necessary to the operation of the Internet, Congress recognized that holding website operators and other service providers strictly liable for these activities in all cases could hinder the growth of the Internet and the advancement of related technologies (including networking and e-commerce).  As a result, when enacting the DMCA in 1998, Congress specifically provided certain “safe harbors” to protect service providers against claims of copyright infringement arising out of temporary or permanent storage of user-provided materials or linking to infringing materials.

Though each safe harbor has differing requirements (based on the activity of the service provider that is alleged to cause an infringement), the “notice and takedown” component is common to almost all DMCA safe harbors.  Under the “notice and takedown” component, a service provider can immunize itself from monetary liability to a copyright claimant by: (i) appointing an agent to receive notices of copyright infringement occurring via its service and (ii) upon receiving notice of an infringement, acting expeditiously to remove or block access to (“take down”) the infringing material.

Appointment of an Agent to Receive Copyright Notices—Required Steps.

As written, the DMCA provided specific instructions for appointing an agent for only one of the safe harbors—albeit the one with potentially the greatest applicability to most businesses, namely, the safe harbor against liability for information uploaded to or stored on websites or servers by users.  Under this safe harbor, the service provider must do both of the following for the appointment of an agent to be valid and meet the requirements for the safe harbor:

  1. Publish required contact information for the designated agent on a publicly-accessible page on the service provider’s website; and
  2. Provide the required contact information for the designated agent to the U.S. Copyright Office for inclusion in a public directory of such agents.

WHAT HAS CHANGED WITH THE NEW REGULATIONS?

Since 1998, the Copyright Office has required that a service provider use a paper form to appoint its designated agent, which was then scanned into an electronic format and made available to the public via an online directory (there was also a fairly hefty filing fee of $135.00 per filing).  In addition to being cumbersome and non-searchable, over time much of the information contained in the directory became outdated (due to businesses not updating their contact information) and cluttered with defunct service providers.  Given this, effective December 1, 2016, the U.S. Copyright Office implemented a mandatory online mechanism for service providers to provide the required contact information for their designated agent.  This new mechanism places the burden on service providers to keep their information accurate and up-to-date or risk losing the protection of the DMCA safe harbors.

Key Points of the New Regulation:

1.  Mandatory Electronic Filing with the Copyright Office to Appoint an Agent. Starting December 1, 2016, all service providers seeking the protections of the safe harbor must use the U.S. Copyright Office’s online registration mechanism to appoint an agent to receive notices of copyright infringement.  Paper filings will no longer be accepted by the Copyright Office.

Note – The Notice on Your Website is Still Required. Be aware that the new mandatory electronic filing procedure does not eliminate the separate legal requirement that the service provider also publish the contact information for the appointed agent in a publicly-accessible page on the service provider’s website.  Failure to do so will mean that the service provider will not get the benefit of the safe harbor, even if the service provider has made the required filing with the Copyright Office.

2.  You Need to File under the New System Even if You Previously Appointed an Agent with the Copyright Office. As noted, the Copyright Office has maintained a directory of appointed agents since 1998, and you (or your attorney) may have already filed an appointment of copyright agent under the old system.  However, in an effort to clear out the outdated information that has accumulated in that time, on December 31, 2017, all appointments filed before November 30, 2016 will become invalid.  In short, even if you filed under the old system, you need to make a new filing under the new system if you wish to preserve the limitations on liability under the DMCA safe harbor beyond 2017.

3.  Service Providers Must Renew the Appointment of Their Agent At Least Every Three (3) Years. Once filed, each appointment will expire and become invalid three (3) years after the appointment is made, unless the service provider makes a filing with the Copyright Office to renew the appointment.  Failure to renew the appointment will mean that the service provider loses the limitation on liability afforded by the safe harbor.

Note – There is a nuance to this “three (3) year rule”: to encourage service providers to keep their agents’ contact information current, the new regulations provide that the “three (3) year clock” is reset each time the service provider changes its appointment information (for example, to change the name or address of its appointed agent).  In this case, the three (3) year clock starts running anew from the date the service provider updates its appointment with the Copyright Office.

Example: Service Provider files with the Copyright Office to appoint an agent on March 1, 2017.  That appointment will expire three (3) years later (March 1, 2020) unless validly renewed.

However, if Service Provider makes a subsequent filing on June 1, 2017 to update its appointment, the three (3) year clock is reset from the date of the “update” filing (June 1, 2017), and will not expire until June 1, 2020.

4.  The New Filing Requirement Applies to the “System Caching” and “Linking/Search Tool” Safe Harbors As Well. While several of the DMCA safe harbors require the service provider to act promptly to remove (or disable access to) allegedly infringing information once its appointed agent is notified, only one safe harbor—the one for “information stored by others”—specifically states that the agent must be appointed by a filing with the Copyright Office coupled with public notice on the service provider’s website. However, the explanatory comments to the new regulations make clear that this filing requirement—as well as the requirement of a public notice on the service provider’s website—are required to qualify for the DMCA safe harbors for “system caching” and “linking/search tool” activities as well.

This means that, even if you do not allow users to store information on your website or system, you should still make a filing under the new system if you wish to limit your liability for websites or business activities that involve:

  • providing links to third party information;
  • providing tools or functionality to locate third party information; or
  • automatic, temporary “caching” of third-party information (for example, as part of transmitting content from one user to another).

ADDITIONAL—BUT OFTEN UNSUNG—BENEFITS OF THE DMCA AND THE SAFE HARBORS.

Obviously, the ability to avoid all monetary liability for certain copyright infringement claims is a prime motivator for service providers to obtain—and maintain—protection under the DMCA safe harbors.  But there are two additional benefits available to a service provider under the DMCA that are often overlooked.

  • First, if a service provider has validly designated an agent to receive notices of copyright infringement as required under the safe harbors, copyright claims that are made against the service provider—but are not sent to the service provider’s designated agent—generally do not count as putting the service provider “on notice” of the infringement, and do not trigger the obligation to remove (or disable access to) the material.
  • Second, a service provider who “takes down” allegedly infringing materials to protect itself against liability to a copyright claimant could inadvertently expose itself to liability to another party—namely, the party who originally provided the allegedly infringing content. (For example, disabling access to a customer’s content because of a copyright claim could be a breach of the service provider’s contract with that customer.)  To address this concern, the DMCA provides that a service provider will have no liability to any person for “taking down” material that is claimed to be infringing (though, in certain situations, the service provider must also notify the party who originally provided the allegedly infringing content and give them an opportunity to contest the “takedown” in order to take advantage of this additional protection against liability).

While the new regulations described above have a significant impact on the “notice and takedown” component of the DMCA safe harbors, bear in mind that complying with these new regulations is not the only thing you need to do to qualify for the benefits of the safe harbors. There are numerous safe harbors that may apply to your business activities, and each has additional specific requirements and conditions that must also be met before you can claim protection under an applicable safe harbor. If you have questions regarding the DMCA safe harbors or how to structure or protect your online business operations, contact Mike Stewart at mstewart@fh2.com or (770) 399-9500 for more guidance.

IoT and Connected Devices: Before Rushing In, Be Mindful of the Risks

If your business manufactures or uses a connected device or simply collects and stores user data, it may be exposed to legal liability.  Despite the transformative effects of such Internet of Things (“IoT”) technologies, the reality is that IoT will increase your business risk – know its sources and manage it.

What is IoT?

IoT is a concept that has existed for decades.  However, due to deep declines in the cost of sensors, computing and related technologies, IoT is now influencing the physical world in transformative ways.  To start, IoT describes a ubiquitous connection of devices or objects (“things”) that can be monitored, controlled or interacted with by Internet-connected electronic devices, allowing people to interact seamlessly with both the digital and physical world.  IoT centers on machine-to-machine communications and the idea that more information (i.e., data) leads to a deeper understanding of the physical world.  In turn, this deeper understanding creates greater value for the end-user.  On a small scale, IoT includes wearable technologies that, in real-time, allow a user to track how far she has run and to share this information with friends.  IoT technology also includes an array of conveniences in home automation and security.  For example, when a homeowner pulls into his driveway, IoT can automatically open the garage door, turn on lights inside the home, and disable the home security system.  On a much larger scale, IoT will maximize efficiencies in the way that cities consume power, manage traffic, and prepare for natural disasters.  Experts at Cisco and Ericsson estimate that there will be 50 billion connected devices by 2020.  Moreover, the McKinsey Global Institute values the IoT market somewhere between $3.9 trillion and $11 trillion by 2025.

Despite the countless opportunities that IoT presents, businesses should be wary of its major legal concerns: the capture and use of consumer data, and cybersecurity threats.  Further, businesses should have actionable plans for the governance and protection of consumers’ personally identifiable information.

Whose Data is it?

When things are always on – as is the case with IoT – data is continuously shared.  And although IoT creates new opportunities to solve existing problems, it raises new issues between private citizens and businesses operating in the digital space.  At present, there is much debate over the ownership of data that consumers disclose while using products and services: Do consumers retain ownership over their personal data or do businesses take ownership over such disclosures?  Consumer disclosures are often a necessary component of the utility of products and services.  These disclosures also aid the improvement to such products and services, thereby creating long-term benefits for the consumer.  Businesses that take care in drafting their terms and conditions contract for rights in these consumer disclosures.

Still, businesses must consider consumer privacy laws and the ethical concerns of collecting and storing consumers’ personal data.  Broadly, the FTC enforces consumer protection laws that protect consumers against unfair methods of competition or deceptive acts or practices.  But businesses should also be cognizant of the applicable regulatory frameworks for the industries in which they operate.  For instance, the Communications Act, as amended, and the FCC impose additional requirements for telecommunications carriers’ use of consumer information.  In addition, state laws and regulations may impose added responsibilities.  Also, U.S. companies that engage in cross-border data flows should be aware of additional data transfer laws and data sovereignty issues.  Similarly, ethical concerns for data privacy often arise out of the representations that businesses make concerning their use of data or the overbroad bulk collection of data, where either instance exceeds consumers’ reasonable expectations.  In recent proceedings, the FTC has brought enforcement actions against technology companies like Snapchat, Yelp, Google, and Facebook for violating their user privacy agreements.  There, the FTC found the companies to have deceived consumers over the amount of personal data the companies collected and made misrepresentations on how certain products or product features actually worked.

Businesses should always provide notice and obtain consent before collecting consumer information, and they must market truthfully and ensure their public commitments match actual practices for the collection, scope, retention, expressed purpose, and confidentiality of data.  Further, businesses should also be aware that private actions concerning the ownership of consumer data could arise in a number of ways – privacy, contract, or tort.

Legal Effects Remain Uncertain

Although connected products and services may amplify products liability concerns, cybersecurity must also be addressed.  It is clear that product and service providers who do not meet reasonable expectations in the cybersecurity of their product and service offerings will face liability.  But these requirements are still imprecise, as regulators have abstained from creating formal rules and have instead decided matters on a case-by-case basis.  For example, in separate proceedings, the FTC brought enforcement actions against Wyndham Hotels and Resorts and IP-camera maker Trendnet, alleging that the companies engaged in deceptive and unfair acts because of their failure to take reasonable security measures.  In both cases, the FTC alleged, among other things, that the companies unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft, because they stored personally identifiable consumer data in clear readable text and failed to use readily available security measures, like firewalls or software that would secure data transmissions.  Further, the FTC alleged that neither company regularly tested or monitored the security of its network.  Both cases carry twenty-year settlement obligations.  In another case, the FCC held companies YourTel and TerraCom jointly and severally liable for fines totaling $10 million due to poor data security practices, where the companies stored personally identifiable consumer data online, without firewalls, encryption or password protection.  More recently, the Consumer Financial Protection Bureau fined financial-technology firm Dwolla for misrepresentations made concerning its data security practices.  Notably, in this case no data breach actually occurred.

Still, the effect of the law becomes even more unpredictable when existing technologies are used in disruptive ways that touch multiple industries.  For example, the advent of the “digital wallet” has created gaps, overlaps and ambiguities in the applicable payments laws.  In the face of such ambiguity, many businesses unwittingly take on considerable risk as they add connectivity to products, introducing poorly designed, vulnerable hardware or software to the marketplace.

Businesses should build products with safety in mind to address cybersecurity concerns, designing their products or services around the possibility of compromise or of breaks in the communication chain.  They should regularly monitor the security of their products and services and update them as needed.  One of the great benefits of IoT is that updates, or patches, can be pushed from the manufacturer directly to the consumer without consumer involvement, which is not only convenient for the consumer but also limits the business’s prolonged exposure to liability.  That update channel must itself be protected, for example by having the device verify the manufacturer’s signature on each update before installing it; an unauthenticated update path is simply another way in for an attacker.  Even if a business does not offer ongoing support, it should notify consumers of security risks and available updates.  Larger businesses may want to implement bug bounty programs, which provide recognition or compensation to individuals who report bugs or find system vulnerabilities.

Take Time to Contract Thoroughly with Corporate Partners

Does your business collect or share data with corporate partners absent a formal contract?  Businesses should appreciate the potential for liability as the number of stakeholders who play a part in the value chain increases.  The Target and Home Depot data breaches, disclosed in December 2013 and September 2014, respectively, provide retail examples of the importance of security practices among corporate partners and of limiting vendor access to what the vendor actually needs.  In both instances, stolen third-party vendor credentials gave the attackers a foothold in back-office systems, from which they reached and compromised the point-of-sale systems.

Along with internal security measures, businesses should look to standardize security across the many stakeholders involved in their distribution chain.  If security cannot be standardized, businesses should work only with service providers that are capable of maintaining adequate security over the data for which they are responsible.  When contracting with corporate partners, a business should implement strong indemnity provisions that protect it against damages caused by the other party.  Further, businesses should maintain licensing and supply agreements with their corporate partners that clearly define: the scope of the data collected; the ownership of that data; the custodian of the data; the acceptable uses for the data; whether any third parties will have access to the data; how liability will be determined in the event of a breach; where the point of demarcation between the parties’ responsibilities lies; how and how quickly the partner must notify the business of a security incident affecting the data; and how compliance will be verified.

Plan for a Breach before It Occurs

Lastly, businesses should have actionable plans for the governance and protection of data that contains consumers’ personally identifiable information.  Many companies maintain information of a wide scope under the false impression that more data is always more valuable.  But collecting and retaining large stores of information expands what an attacker can take and can actually make it harder for a company to detect that a breach has occurred.

Businesses should follow these tips: limit the scope of the data collected; do not retain data for longer than needed; anonymize or pseudonymize data where possible; and dispose of confidential documents securely.  Further, businesses that are custodians of large amounts of data containing personally identifiable information should maintain cyber risk insurance.  Cyber risk insurance policies generally cover first-party and third-party losses that result from disruption to the company’s own network, data breaches of personally identifiable information, cyber extortion, and media liability.  (For a more in-depth discussion of insurance coverage, be sure to read Michael Stewart’s post, “Insurance for Technology Businesses: Are You Covered?”)
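The first three tips above (limit scope, limit retention, pseudonymize) translate directly into a small processing step that can sit in front of any data store. The following Python is an added example written for this page, not code from the firm or from any client; the sample records, the field allowlist, the 365-day retention window and the demo key are all constructed assumptions. It goes slightly beyond the text by showing why a keyed hash (HMAC) rather than a plain hash is needed for the pseudonym: an unkeyed SHA-256 of an e-mail address can be reversed simply by hashing a list of likely addresses.

```python
"""Data minimization, pseudonymization and retention enforcement (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records for this example only; not real customer data.
# The second record is stale, and the third is a later record about the same person.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "ann@example.com", "ssn": "123-45-6789",
     "card_number": "4111111111111111", "zip": "30328", "plan": "pro",
     "last_activity": "2016-03-01T12:00:00+00:00"},
    {"customer_id": "C-1002", "email": "bob@example.com", "ssn": "987-65-4321",
     "card_number": "5500000000000004", "zip": "30301", "plan": "basic",
     "last_activity": "2014-11-20T08:30:00+00:00"},
    {"customer_id": "C-1001", "email": "ann@example.com", "zip": "30328",
     "plan": "pro", "last_activity": "2016-04-15T09:00:00+00:00"},
]

# Assumed allowlist: the only fields needed for the stated purpose. Anything not
# listed (SSN, card number) is dropped before storage, so it can never leak later.
ALLOWED_FIELDS = {"customer_id", "email", "zip", "plan", "last_activity"}
# Fields that directly identify a person and are replaced with a keyed token.
DIRECT_IDENTIFIERS = ("customer_id", "email")
RETENTION = timedelta(days=365)  # assumed retention window

# Assumption: in production the key lives in a secrets store / KMS, never in code.
DEMO_KEY = b"assumed-demo-key-do-not-use"
DEMO_NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)


def minimize(record, allowed=ALLOWED_FIELDS):
    """Keep only allowlisted fields (limit the scope of data collected)."""
    return {k: v for k, v in record.items() if k in allowed}


def pseudonym(value, key):
    """HMAC-SHA256 token for a direct identifier.

    Keyed, so an attacker who obtains the tokens cannot recover the original by
    hashing a dictionary of likely values, which a bare SHA-256 would allow.
    Deterministic for a given key, so records about one person still join.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(record, key, fields=DIRECT_IDENTIFIERS):
    """Replace each direct identifier present in the record with its token."""
    out = dict(record)
    for field in fields:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def is_expired(record, now, retention=RETENTION):
    """True when the record's last activity is older than the retention window."""
    last = datetime.fromisoformat(record["last_activity"])
    return now - last > retention


def process(records, key, now, retention=RETENTION):
    """Drop expired records, then minimize and pseudonymize the rest."""
    kept = []
    for record in records:
        if is_expired(record, now, retention):
            continue  # past retention: delete rather than keep "just in case"
        kept.append(pseudonymize(minimize(record), key))
    return kept


def run_demo(key=DEMO_KEY, now=DEMO_NOW):
    """Process the constructed sample records with the demo key and clock."""
    return process(SAMPLE_RECORDS, key, now)


if __name__ == "__main__":
    for row in run_demo():
        print(json.dumps(row, sort_keys=True))
```

Run as a script, it prints two rows: the stale 2014 record is purged, the SSN and card number never reach the output, and both remaining rows carry the same opaque token for Ann, so usage analysis still works without her address on disk. Note that the token is reversible only by someone holding the HMAC key, so the key deserves the same handling as the raw identifiers it protects.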

Managing the Risks

As businesses release innovative products and services, they face policymakers’ unclear expectations for security practices and uncertain applications of existing legal standards.  Businesses can reduce their legal exposure by marketing truthfully; knowing the consumer protection and data security laws and regulations that govern their industry; creating comprehensive data security programs that are verified through regularly scheduled audits; using reasonable security measures and addressing known weaknesses before a system is compromised; and having a plan in place to deal with a breach, including knowledge of the requirements for reporting it.

Friend, Hudak & Harris, LLP is at the forefront of inspecting and assessing the potential impact of IoT across a number of industries. This leaves us well positioned to guide clients through varied complexities, helping them to avoid or reduce technology related risks.

FH2 Alert – New Federal Trade Secret Law Requires Changes to Your Form Agreements

On May 11, 2016, President Obama signed the Defend Trade Secrets Act of 2016 (the “DTSA”) into law.  The DTSA—which went into effect immediately after being signed—creates a new right for trade secret owners to sue under federal law when their trade secrets are misappropriated, and also provides the trade secret owner with significant remedies for misappropriation (including seizure, injunctive relief, damages, and, in certain cases, double damages and attorneys’ fees).  But the DTSA also provides individuals with immunity for certain permitted disclosures of a trade secret—and requires an employer to notify its employees (including contractors and consultants) of these immunities in any contract or agreement with the employee that governs the use of trade secrets or other confidential information.

We will provide more in-depth guidance on the DTSA soon.  However, you need to know now that compliance with the DTSA necessitates immediate changes to certain of your form agreements with employees and individual independent contractors and consultants to incorporate the notices mandated by the DTSA.

Specifically, starting May 12, 2016, the DTSA requires all employers to include a new notice “in any contract or agreement with an employee that governs the use of a trade secret or other confidential information” if that contract or agreement is either entered into or updated after May 11, 2016.  This required notice must inform the employee about certain immunities from liability under federal or state trade secret law for disclosing a trade secret in connection with “whistleblower” activities or in legal documents filed under seal.

Some important points on this new notice requirement:

  • Applies to More than Just Your “W-2 employees”:  Under the DTSA, an “employee” for whom you must include the required notice includes not only your W-2 employees, but also any individual performing work for your business as a contractor or consultant.
  • Applies to “Any Contract or Agreement that Governs the Use of a Trade Secret or Other Confidential Information”:  Depending on your business, this could require revising multiple forms of contract documents that your business currently uses with its employees, contractors and consultants, such as employment agreements, invention assignment or “work made for hire” agreements, independent contractor agreements, and confidentiality/non-disclosure agreements.
  • Noncompliance Also Limits Remedies under the DTSA:  Failure to include this notice when required also means that the employer cannot recover double damages or attorneys’ fees under the DTSA when bringing a claim for trade secret misappropriation against that employee.
  • Be Mindful of Existing Agreements:  The notice requirement applies to “contracts and agreements that are entered into or updated after” May 11, 2016. So, while the DTSA does not require you to amend agreements you executed before May 12, 2016 solely to add the new notice, it does require you to add the notices to those agreements if you amend or update them for other reasons after May 11, 2016.

Note—The DTSA provides that the mandatory notice requirement may also be satisfied by including in your agreement a reference to a “policy document” (for example, a handbook) that is provided to the employee and sets forth your reporting policy for a suspected violation of law. However, even then, your agreements may still need to be updated to include such a reference, and the associated “policy document” should be reviewed to ensure it complies with the DTSA.

If you would like assistance with revising your agreements to comply with the new requirements under the DTSA, or if you have questions about the DTSA or protecting your trade secrets generally, contact Mike Stewart at Friend, Hudak & Harris, LLP.

FH2’s Mike Stewart Wins Client Choice Award for Third Time

FH2’s Mike Stewart was named the exclusive 2016 winner of the International Law Office’s Client Choice Award for the IT & Internet category for Georgia.  This marks the third time Mr. Stewart has won the Client Choice Award since 2013.  Established in 2005, the Client Choice Awards recognize those partners around the world who stand apart for the excellent client service they provide.  For more information on Mike, his practice and his accomplishments, click here.