Internet, Information Technology & e-Discovery Blog

Social changes brought about by the Internet & Technology

IoT Wearables Lawsuit! Jawbone Accuses Fitbit of Stealing Trade Secrets

Posted in eCommerce

Jawbone alleges that “beginning in early 2015, Fitbit recruiters contacted an estimated 30 percent of Jawbone’s workforce” and “Fitbit’s objective is to decimate Jawbone.” The New York Times reported that Jawbone is “…accusing its rival of ‘systematically plundering’ confidential information by hiring Jawbone employees who improperly downloaded sensitive materials shortly before leaving.”

The May 27, 2015 Complaint filed in the Superior Court of San Francisco in Aliphcom, Inc. dba Jawbone v. Fitbit, Inc. et al. includes these allegations:

…forensic analyses performed by Jawbone on its former employees’ computer devices revealed that a number of the departed employees used USB thumb drives in their last days of employment at Jawbone to steal proprietary company information, and in other cases forwarded confidential company information to personal email addresses for later use.

The stolen files are the informational equivalent of a gold mine for Fitbit, as they provide an intricate roadmap into the core of Jawbone’s business, including such information as Jawbone’s supply chain, gross margins, product lineup (both current and future), product target costs, vendor contract, product analysis, market trends and predictions, and the future direction of Fitbit’s main competitor.

The Complaint includes these causes of action:

  1. Misappropriation of Trade Secrets
  2. Breach of Contract
  3. Breach of Implied Covenant of Good Faith and Fair Dealing, and
  4. Unfair and Unlawful Business Practices (California Business & Professional Code §§ 17200 et seq)

Allegations of trade secret theft are very old news in the technology market, but this lawsuit should be an eye-opening case for all companies about recruiting employees from competitors.

Facebook Privacy Settings Challenged in the EU

Posted in Internet Privacy

Facebook complained that it “doesn’t make sense that 28 regulators should make different interpretations of the same law,” as reported by the New York Times, which noted that “France, Germany, Spain, the Netherlands and Belgium — are investigating Facebook’s new privacy settings.” The report went on to say that Facebook “says it complies with Europe’s strict data protection rules” and that:

…it has been in contact with Ireland’s privacy regulator about the policy, because the company’s non-American activities are regulated from Dublin, the site of its international headquarters. The company contends that Europe’s other regulators do not have the jurisdiction to demand changes to how it uses people’s data.

The report also included these comments about Facebook’s choice of Ireland for its headquarters:

The debate is whether individuals’ privacy should be protected primarily by their domestic regulators or by the watchdog in the country where a company has its European headquarters. Reforms aimed at answering this question are expected by the end of the year, though domestic privacy regulators are eager to hold on to the power to police activities in their own countries.

All social media companies who do business in the EU since this investigation could “lead either to fines or to demands that Facebook alter its use of online information.”

Don’t Click “I Agree” for Cloud Services without Considering these Top 3 Cloud Contract Terms!

Posted in eCommerce

Too many companies merely accept click agreements for Cloud services without considering what they are committing to, but there are at least 3 terms that cause major problems including “Access to Data, Privacy, and Audits” as I explain in my May 2015 monthly column at eCommerce Times entitled “The Cloud’s Threatening Legal Storm.” Here are the details on those terms:

Contract Term No. 1: Limit Access to Data

The customer’s data must not be used by the cloud provider, and the cloud contract needs to specifically state that limitation. Similarly, the cloud provider must provide the customer a means to verify that the customer data has not been compromised, and that means the contract needs to include the right to audit (discussed below). For instance, make sure that the cloud provider does not use the customer data for its own purposes for target marketing.

Contract Term No. 2: Privacy

Since there are so many different privacy laws around the world, it is critical that the cloud contract specifically state how the cloud provider will properly comply. For example, in the U.S., protection of patient records under HIPAA (Health Insurance Portability and Accountability Act) is mandatory, and any entity holding patient records must be sure that the cloud provider is HIPAA-compliant. Having cyberinsurance for possible HIPAA violations may not be enough to protect against liability for failure to protect HIPAA data. Also, laws in the EU (1995 Data Directive), Canada, Japan, Australia, and many other places are significantly different than in the U.S., so the cloud provider must allow customers to understand where their data is stored, and be compliant with local requirements.

Contract Term No. 3: Customer Audits

Although audit rights may seem simple and reasonable, many cloud providers do not permit audits, or they create so many roadblocks that no meaningful audits can be conducted. It is critical that before agreeing to a cloud contract, the customer determine whether it has the right to audit — and if not, either negotiate that provision or select a different cloud provider.

Let me know what you think.

No “Publication” of IBM’s Lost Employee Data, So No Cyberinsurance Coverage

Posted in eCommerce

The Connecticut Supreme Court ruled that IBM was not entitled to insurance for magnetic tapes that fell off a truck since there was “no evidence that anyone ever accessed the information on the tapes or that their loss caused injury to any IBM employee.”  In the case of Recall Total Information Management Inc. et al. v. Federal Insurance Co. et al the court unanimously affirmed a lower court ruling that the Appellate Court:

…concluded that the loss of the computer tapes did not constitute a ‘‘personal injury’’ as defined by the policies because there had been no ‘‘publication’’ of the information stored on the tapes resulting in a violation of a person’s right to privacy.

Judy Greenwald reported that a contractor for IBM:

…lost the computer tapes when they fell from its truck onto the roadside by a highway exit ramp in New York and were retrieved by an unknown individual in February 2007, according to court documents. The 130 computer data tapes, which contained personal information on more than 500,000 current and former IBM employees, were never recovered.

Another interesting case where cyberinsurance will not apply, but had the IBM employee data been published there would have been coverage.

Court Rules No Cyberinsurance Coverage

Posted in Cyber, IT Industry

Although not related to any cyberintrusion, a recent ruling related to cyber coverage involved a claim that the defendants “knowingly withheld this information and refused to turn it over,” but the “policy covers errors, omissions, and negligent acts.” On May 11, 2015, US District Judge Ted Stewart (Utah) denied a motion for partial summary judgment in the case of Travelers Property Casualty Co. of America et al. v. Federal Recovery Services Inc. et al., finding that, since there were no errors, omissions, or negligent acts, “Travelers has no duty to defend” the defendants, who refused to turn over data they held. The defendants were:

…in the business of providing processing, storage, transmission, and other handling of electronic data for its customers.

This case is important since it is one of the first cases reviewing cyberinsurance coverage, as pointed out by Judy Greenwald’s article “Insurer not liable for cyber policyholder’s defense.”

Phishing and Malware Cyberattacks are Directed at Law Firms (and Clients) – So it’s Time to Train Employees

Posted in eCommerce

No surprises about where cyberattacks are focused: it was reported recently that about 45% of IT security decision makers are worried about “phishing attacks, and employees clicking on links within email which download malware and email attachments which download malware.” In April 2015 Osterman Research issued its “Best Practices for Dealing with Phishing and Next-Generation Malware,” which started with these terrible stories about two law firms:

An attorney in the greater San Diego area opened an attachment in a phishing email that he thought was sent to him by the US Postal Service. The attachment installed malware on his computer, and shortly thereafter he found that $289,000 had been transferred from his firm’s account to a bank in China.

A law firm in Charlotte, NC transferred $387,000 to a bank in Virginia Beach, VA after it closed a deal. Shortly thereafter, cybercriminals transferred most of this amount to the law firm’s bank in Charlotte, which transferred the funds to a bank in New York and then to a bank in Moscow. The victim organization believes it had been infected with keystroke logging software from a phishing email that captured all of the critical information necessary to initiate the wire transfer.

Of course the advice in Osterman’s Report is not limited to lawyers; these phishing and malware scams affect all industries. Here are 3 of the 8 key takeaways:

  • Cybercriminals are getting better, users are sharing more information through social media, and some anti-phishing solutions’ threat intelligence is not adequate. This makes organizations more vulnerable to phishing attacks and other threats.
  • Users should be considered the first line of defense in any security infrastructure, and so organizations should implement a robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.
  • IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.

Without question these cyberattacks will not abate anytime soon, so every employer should be training employees continuously.

Are HIPAA Laws Effective? Must Not be Since Healthcare Cyberattacks Have Increased by 125% in the Past 5 Years!

Posted in Cyber, eCommerce, IT Industry

I have always thought HIPAA (Health Insurance Portability and Accountability Act of 1996) was a huge waste of time, money, and resources, which was confirmed by a May 2015 Survey which estimates “that data breaches could be costing the industry $6 billion” and more “than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years.” The Ponemon Institute’s “Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data” got data from 90 HIPAA covered entities and 88 Business Associates (BAs) and included these details:

For the first time, criminal attacks are the number one cause of data breaches in healthcare. Criminal attacks on healthcare organizations are up 125 percent compared to five years ago.  

In fact, 45 percent of healthcare organizations say the root cause of the data breach was a criminal attack and 12 percent say it was due to a malicious insider. In the case of BAs, 39 percent say a criminal attacker caused the breach and 10 percent say it was due to a malicious insider.

The percentage of criminal-based security incidents is even higher; for instance, web-borne malware attacks caused security incidents for 78 percent of healthcare organizations and 82 percent for BAs.  

Despite the changing threat environment, however, organizations are not changing their behavior—only 40 percent of healthcare organizations and 35 percent of BAs are concerned about cyber attackers.

What a mess! And unlikely to get any better!

Oh No! Your Lawyer’s Been Hacked (Probably You Too!) – 11 Sure Signs of Hacking and What to do!

Posted in Cyber, eCommerce

InfoWorld recently reported that no one is safe, neither lawyers nor clients, because in “today’s threatscape, antivirus software provides little peace of mind,…and hackers still reach us on a regular basis.” The recent InfoWorld Deep Dive Report is entitled “11 signs you’ve been hacked — and how to fight back,” and it gives specific advice about how to fix each of these 11 sure signs of system compromise:

  1. Fake antivirus messages
  2. Unwanted browser toolbars
  3. Redirected Internet searches
  4. Frequent random popups
  5. Your friends receive fake emails from your email account
  6. Your online passwords suddenly change
  7. Unexpected software installs
  8. Your mouse moves between programs and makes correct selections
  9. Your antimalware software, Task Manager, or Registry Editor is disabled and can’t be restarted
  10. Your bank account is missing money
  11. You get calls from stores about nonpayment of shipped goods

Raise your hand if any of these hack signs have ever affected you or your lawyer, business, family, or friends! Wow everyone reading this blog has been affected by hacks!!!!!!

Disruptive Innovation in Law and “The Future of Legal Education: Preparing Law Students to Be Great Lawyers”

Posted in Cyber, eCommerce

On April 24, 2015 I gave a Keynote speech about “Ethical Concerns about Cyber Threats and the Internet” at the Oregon Law Review Symposium on Disruptive Innovation in Law and Technology.  The same day my Oregon Law Review article was published and I encourage you to read “The Future of Legal Education: Preparing Law Students to Be Great Lawyers.”

The Symposium was hosted by US District Judge Ann Aiken in the Portland federal courthouse, and the other 5 excellent Keynote speakers at the Symposium were:

Dan Harris – Celebrated international lawyer and a leading authority on legal matters related to doing business in China and in other emerging economies in Asia, founder of Harris Moure, and co-author of the China Law Blog.

Daniel Martin Katz – Internationally recognized legal informatics and legal technology scholar, author, and inventor, pushing the boundaries of legal innovation within Michigan State University’s ReInvent Law Laboratory.

Michael Callier – International lawyer and Legal Process Strategist inside of Davis Wright Tremaine’s research and development department. Researching and developing innovations to increase client value.

Achim Reeb – Management consultant at PROsys LLC who draws upon 18 years of pharmaceutical consulting experience in R&D, Sales, Production, IT and Regulatory Affairs. His experience spans engagements with over a dozen global medical device and pharmaceutical companies to achieve better business performance.

Kelly Reynolds – A law reference librarian at the University of Oregon School of Law.

Many thanks to the Symposium Chair Thomas Mehaffy (graduating this month), who hosted a very thought-provoking event.

Can the DoD Really Provide Cybersecurity?

Posted in Cyber, eCommerce

Given the scale of cyberattacks from foreign governments and criminals one may really wonder if the DoD (Department of Defense) can really protect the US,  but with The DoD Cyber Strategy report issued in April 2015 we now have a better idea about what the DoD is doing.  The report includes these statements:

We are vulnerable in this wired world. Today our reliance on the confidentiality, availability, and integrity of data stands in stark contrast to the inadequacy of our cybersecurity.

The Internet was not originally designed with security in mind, but as an open system to allow scientists and researchers to send data to one another quickly.

Without strong investments in cybersecurity and cyber defenses, data systems remain open and susceptible to rudimentary and dangerous forms of exploitation and attack.

Malicious actors use cyberspace to steal data and intellectual property for their own economic or political goals.

DoD set the following “five strategic goals for its cyberspace missions”:

  1. Build and maintain ready forces and capabilities to conduct cyberspace operations;
  2. Defend the DoD information network, secure DoD data, and mitigate risks to DoD missions;
  3. Be prepared to defend the U.S. homeland and U.S. vital interests from disruptive or destructive cyberattacks of significant consequence;
  4. Build and maintain viable cyber options and plan to use those options to control conflict escalation and to shape the conflict environment at all stages;
  5. Build and maintain robust international alliances and partnerships to deter shared threats and increase international security and stability.

Time will tell if the DoD can really protect the US from cyberattacks.