Articles Posted in Technology in Business

A jury recently issued a significant verdict in a legal fight between two major technology companies, although it might not resolve some questions brought up by the litigation. The two companies are fighting over protocols used in a wide range of software applications, known as application programming interfaces (APIs). The plaintiff sued for copyright infringement, alleging that the defendant unlawfully appropriated its APIs for use in its mobile device operating system. Oracle America, Inc. v. Google, Inc., No. 3:10-cv-03561, complaint (N.D. Cal., Aug. 12, 2010). APIs are essential tools for countless digital technologies, so the outcome of this case ought to be of great interest to anyone who regularly uses the web. A federal judge ruled in 2012 that APIs are not subject to copyright protection, but an appellate court reversed that ruling. On remand, a jury found that Google breached Oracle’s copyright, but the breach was excused under the Fair Use Doctrine.

Copyright law protects “original works of authorship fixed in any tangible medium of expression.” 17 U.S.C. § 102(a). This includes books and other written works, musical recordings, video or film recordings, and software code. It does not, however, include “any idea, procedure, process, system, [or] method of operation.” Id. at § 102(b). A copyright can be a very valuable asset for a business, and copyright owners must take affirmative steps to protect their copyright interests. The Fair Use Doctrine holds that unauthorized use of a copyrighted work is not infringement under certain circumstances, including “criticism, comment, news reporting, teaching…, scholarship, or research,” provided that the use is “transformative.” Id. at § 107; Campbell v. Acuff-Rose Music, 510 U.S. 569, 579 (1994).

The Oracle case presented the question of whether APIs are subject to copyright protection, or whether they are non-copyrightable procedures or processes. An API, simply stated, allows one software application to communicate or interface with another application, acting as a sort of translator between different pieces of software. APIs are essential parts of many common digital technologies, allowing mobile devices to run a wide range of applications and allowing websites to interface with social media services like Facebook and Twitter, to name just two examples.

Businesses in New Jersey, New York, and around the country depend on computers, computer networks, and the internet to conduct their operations. Whether a company is engaged in e-commerce or other internet-based business activities, or it merely uses computer software to assist with inventory or payroll, that company is potentially vulnerable to cybersecurity breaches. Numerous resources are available to help business owners protect their data from threats, including both hackers and insiders. The federal government is also working to enhance its ability to investigate and prosecute cybercrime. Proposals from the White House and the U.S. Department of Justice (DOJ) in the past year have called on Congress to amend the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to address the misuse of company data by insiders. Critics of these proposals claim that they go too far and could result in criminalizing ordinary business internet activity.

The CFAA applies to unauthorized access to a computer, or use of a computer that exceeds one’s authority. The term “computer” includes machines commonly known as “computers” and any related “data storage…or communications facility.” 18 U.S.C. § 1030(e)(1). A “protected computer” may be one “used in or affecting interstate or foreign commerce or communication.” Id. at § 1030(e)(2)(B).

A provision of the CFAA relevant to small businesses prohibits knowingly accessing a protected computer without, or in excess of, authorization, “with intent to defraud,” and obtaining information worth at least $5,000. Id. at § 1030(a)(4). It also prohibits knowingly sending information, such as malicious computer code, that causes unauthorized damage to a protected computer. Id. at § 1030(a)(5). The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at § 1030(e)(8). These provisions have enabled prosecutions of hackers and others outside of a company, but prosecutors claim that they have been less useful for going after insiders.

Cybersecurity is a critically important part of nearly every business operating today. Data breaches that compromise customers’ personal information, such as names, addresses, and credit card numbers, can result in huge losses due to identity theft and other types of fraud. If the Federal Trade Commission (FTC) concludes that a business failed to take adequate measures to protect its data, it can bring an enforcement action for “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act, 15 U.S.C. § 45. The Third Circuit Court of Appeals recently ruled in the FTC’s favor in a case involving the theft of more than 619,000 customers’ credit card information by hackers. FTC v. Wyndham Worldwide Corp., No. 14-3514, slip op. (3rd Cir., Aug. 24, 2015). The court did not rule on the merits of the FTC’s claim. It merely found that the FTC has authority to pursue the claim under Section 5.

According to the court’s ruling, the FTC began enforcing Section 5 “against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers” in 2005. Id. at 6. The defendant, which manages hotels directly and franchises its brand to independent hotels, experienced three cybersecurity breaches in 2008 and 2009. The theft of customer financial data resulted in fraudulent credit card charges exceeding $10.6 million. The defendant uses a “property management system” to process customer information, including names, addresses, and credit card information. Id. at 7. It requires franchisees to use the same system, configured to certain specifications.

The FTC’s lawsuit alleged numerous deficiencies in the defendant’s cybersecurity measures, including inadequate supervision of franchisees’ use of the property management system; use of “easily guessed passwords [by franchisees] to access the property management systems,” id. at 8; lack of firewalls and other common cybersecurity tools; failure to restrict access to its network by third-party vendors; the ability of franchisees to connect their networks to its central network without security; and failure to monitor its networks for intrusions, even after the first and second breaches. These acts and omissions, the FTC claimed, constituted “unfair” practices under the FTC Act. 15 U.S.C. § 45(a)(1).

Cybersecurity, the process of protecting a company’s digital assets from theft and other harm, is an important issue for every business, regardless of size or complexity. Almost every business now relies on computers to some extent, and criminals are constantly developing ways to access business computer systems to steal customer information or company financial information, or even just to cause damage. Hackers may be able to penetrate a company’s computer security remotely, but many high-profile data breaches are accomplished by stealing laptop computers, hard drives, and other hardware. A company’s legal liability for a data breach is still a developing area of law, and few answers are certain in that area. Avoiding legal liability, however, is far from the only reason to take precautions against data breaches.

Recent data breaches have led to lawsuits against the affected companies by customers and shareholders, and a data breach could also result in administrative fines or penalties in some circumstances. Few statutes directly address a company’s liabilities with regard to cybersecurity, but numerous legal claims are possible:

– Negligence: One or more customers whose personal information was compromised in a data breach could claim that the company breached a duty of care to safeguard that information, and that this caused them financial damage.

A lawsuit against a New Jersey insurance company sought damages for a November 2013 data breach that reportedly resulted in the theft of personal information of hundreds of thousands of policyholders. The plaintiffs sought to certify the suit as a class action on behalf of other policyholders whose information was compromised. They asserted causes of action for breach of contract, negligence, and violations of the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., and the New Jersey Consumer Fraud Act (CFA), N.J. Rev. Stat. § 56:8-1 et seq. In March 2015, however, the district court dismissed the lawsuit, holding that the plaintiffs lacked standing to sue under the FCRA. In re Horizon Healthcare Services Inc. Data Breach Litigation, No. 2:13-cv-07418, opinion (D.N.J., Mar. 31, 2015).

The defendant is a New Jersey-based health insurance company that provides services to about 3.7 million individuals. At some point over the weekend of November 1-3, 2013, an unknown individual stole two laptop computers from the defendant’s office in Newark. The laptops, which were protected by passwords, contained the personal information of over 839,000 policyholders, including names, dates of birth, member numbers, and addresses. The computers also contained Social Security numbers and clinical information for some policyholders.

The defendant issued a press release several days after the theft describing the extent of the data breach. It stated that it was not clear if the thief or thieves would be able to break the password protection to access the information on the laptops. It individually notified the policyholders whose information was contained on the laptops, and it offered free identity theft protection and credit monitoring services to policyholders whose Social Security numbers might have been compromised.

Title III of the Americans with Disabilities Act (ADA) of 1990, 42 U.S.C. § 12181 et seq., prohibits businesses classified as “public accommodations” from discriminating against individuals with disabilities, and it may require them to make modifications to their facilities and services to allow reasonable access. The definition of “public accommodation” has been a matter of dispute for all 25 years of the law’s existence. Several recent court cases have addressed whether businesses that provide services exclusively via the internet may be considered “public accommodations” within the meaning of Title III. Federal courts have reached different conclusions, so the dispute is likely to continue.

“Public accommodation” is broadly defined by Title III to include hotels, restaurants, theaters, public meeting spaces, retail stores, service establishments, train and bus stations, museums, parks, and schools, to name but a few. 42 U.S.C. § 12181(7). A common Title III claim might involve the alleged inaccessibility of a business’ physical location, such as due to a lack of wheelchair ramps. What about businesses that provide all their services online, with no physical facilities for customers? Claims against this type of business have included claims that video-streaming services do not accommodate deaf customers, and that websites do not accommodate blind customers.

Whether a web-based business meets the definition of a “public accommodation” is still a matter of dispute in the federal court system. The Third Circuit Court of Appeals, which has jurisdiction over New Jersey, has ruled that Title III only applies to physical locations. Ford v. Schering-Plough Corp., 145 F.3d 601, 613 (3rd Cir. 1998). That case involved loss of access to insurance benefits, not services offered by a web-based company, but the decision could apply to that sort of business. The court based its ruling on the definition of “public accommodation” found in Title II of the Civil Rights Act of 1964, which is limited to “places.” Id., citing 42 U.S.C. § 2000a(a).

The U.S. Department of Commerce (DOC) recently released a digital tool to help businesses engaged in the export of goods abroad. Federal export laws require a substantial amount of due diligence regarding the intended recipients and end users of export shipments. The DOC may hold an export business liable for violations of these requirements. The White House has enacted a policy of reforming controls on exports. Part of this initiative involves streamlining the screening process with the Consolidated Screening List (CSL), a collection of “watch lists” from various federal agencies. In November 2014, the DOC announced the release of an application program interface (API) that allows export businesses to search the CSL much more efficiently.

Under the Export Administration Act (EAA) of 1979, 50 U.S.C. App. § 2401 et seq., the U.S. President has the authority to regulate U.S. exports for national security and other reasons. Congress has placed restrictions on exports directly through laws like the Arms Export Control Act (AECA) of 1976, 22 U.S.C. § 2751 et seq. Exports may also be restricted by sanctions against specific countries and laws or regulations related to terrorism and other international criminal matters.

In 2013, the DOC’s Bureau of Industry and Security (BIS) charged the University of Massachusetts at Lowell with violations of the Export Administration Regulations (EAR) for shipping atmospheric testing equipment to an entity in Pakistan on the BIS Entity List, 15 C.F.R. Supp. 4. This list identifies entities that the federal government believes may have indirect connections to weapons of mass destruction (WMD) programs. The BIS claimed that the university violated the EAR by shipping the equipment without a required license. 15 C.F.R. §§ 734.3(c), 744.11, 764.2(a); 63 Fed. Reg. 64322 (Nov. 19, 1998). In this case, the equipment itself was not a controlled item, but the recipient was subject to government restrictions. The university agreed to a $100,000 civil penalty, suspended for two years. See also United States v. Roth, 642 F.Supp.2d 796 (E.D. Tenn. 2009), 628 F.3d 827 (6th Cir. 2011).

The Federal Trade Commission (FTC) has filed a lawsuit against a Nevada company and its affiliates for a variety of alleged deceptive practices in the sale of products online. FTC v. Health Formulas, LLC, et al, No. 2:14-cv-01649, complaint (D. Nev., Oct. 7, 2014). The lawsuit is the first one brought by the agency under the Restore Online Shoppers’ Confidence Act (ROSCA), 15 U.S.C. § 8401 et seq., which Congress passed in 2010. ROSCA requires online sellers to disclose the details of transactions known as “negative options” to consumers up front. The FTC claims that the defendants violated ROSCA and several other federal statutes in their marketing and sales activities. It obtained a temporary restraining order (TRO) and a preliminary injunction (PI) against the defendants, and it is seeking a permanent injunction.

A “negative option” is defined as a transaction in which the consumer’s failure to reject goods or services through some affirmative act constitutes acceptance of the seller’s offer. 16 C.F.R. § 310.2(u). To put it another way, the customer accepts the goods or services and becomes obligated to pay for them by doing nothing. Negative option billing is common in online or mail-order clubs like Columbia House, which periodically send customers a CD or DVD and allow them a period of time to return it, after which they are billed for it.

Consumers have generally not been successful challenging negative option billing provisions in court if the contract clearly discloses the nature of the transaction, but many negative options are not so clearly explained. ROSCA requires online sellers to “clearly and conspicuously disclose[]…all material terms of the transaction” to the consumers before obtaining their billing information in online sales and marketing. 15 U.S.C. §§ 8402, 8403.

The New York Department of Financial Services (DFS) recently issued proposed regulations for businesses that deal with “virtual currencies,” defined by the U.S. Department of the Treasury as a medium of exchange that operates much like traditional currency, but only in some environments. Virtual currencies are gaining in prominence as an alternative to fiat currencies like the dollar and the euro, although they have been highly controversial. New York appears to be one of the first states to take serious steps towards regulating businesses that perform virtual currency transactions for customers.

Bitcoin is probably the most famous virtual currency, but it is far from the only one. The currency only exists in the online world, having no physical representation like actual coins or bills. The process by which new Bitcoins are created, known as “mining,” involves performing increasingly complex computer calculations. Bitcoin has grown as a form of payment for goods and services online, but it is also the subject of scrutiny based on allegations that it is used for illegal online purchases, such as drugs and identity theft information.

Bitcoin is treated somewhat like a commodity by some people, as suggested by the fact that the value of one Bitcoin is typically expressed in terms of U.S. dollars. Online exchanges allow people to exchange various other currencies for Bitcoins. As of mid-November 2014, one Bitcoin is worth about $400. One presumably happy Norwegian man discovered in late 2013 that the $27 worth of Bitcoins he purchased in 2009 had appreciated in value to about $886,000.

Information technology (IT) is widely recognized as a critical component of business operations, but the security of a company’s IT often does not receive as much attention. Breaches of a company’s cybersecurity can result in serious losses, not only due to direct theft, but also through potential liability to regulators and customers. Despite some highly-publicized cybersecurity breaches, a recent survey of top-level corporate executives found that nearly three-fourths of those surveyed did not think that Chief Information Security Officers (CISOs) merit a place at a corporation’s “leadership table.” Nearly half of them see the role of a CISO as someone to take the fall if a breach occurs. Businesses, including small businesses and entrepreneurs, should seriously consider allocating resources to protect their IT.

The technology industry publication SearchSecurity defines a CISO as the executive “responsible for aligning security initiatives with enterprise programs and business objectives,” and for “ensuring that information assets and technologies are adequately protected.” This includes maintaining oversight of a company’s entire system of computers and computer networks, which can be a colossal task in a large organization. A CISO must keep a company’s hardware, software, and data safe from intrusion by both outsiders and insiders, while allowing business operations to run unhindered.

The role of the CISO has grown in importance recently, particularly after several large and highly-publicized cybersecurity breaches at major retail chains like Target and Home Depot, which exposed the personal financial information of millions of consumers. Target announced that it hired a CISO about six months after its breach. Since information is vulnerable both to cyberattacks via the internet or another network and to physical intrusions on a company’s hardware, some corporations merge a CISO’s role with that of a chief security officer (CSO), commonly responsible for the security of a business’ physical assets.