Sporadic issue with iPhones and iPads Improperly Syncing with Exchange Calendars

January 5th, 2012

A contact of mine who is an IT professional for a law firm informed me that there is a sporadic issue with iPhones and iPads not properly syncing with Exchange calendars, including appointments not syncing.

Apparently this problem stems from the most recent Apple iOS release, which may not be fixed until the next Apple iOS release.

My contact noted that he has researched the Apple and Microsoft support forums and this problem extends all the way up the ladder to “large firms,” which are also in the dark as to a solution.

And while not a solution, Microsoft is blaming Apple and Apple has yet to comment.

I’m told that it is expected that the issue will be fixed with the next release of Apple’s iOS, but Apple has not yet committed to a date.

For iPhone/iPad users, about the only thing you can do right now is to closely watch your calendars on the iPhone/iPad. Or switch to Blackberry or other devices, which have not reported having this problem.

Is Your Business Ready for the Cloud? Thoughts on Small Businesses Using Cloud Services

December 18th, 2011

Over the weekend I read an interesting interview with security expert Jeremiah Grossman in MIT’s Technology Review “Being Smart About Cloud Security” (subscription required). The interview notes that “cloud computing” is often perceived to be a risky decision for many companies. Much of this perception has to do with storing customer and business information on third-party servers.

One point made in the interview, however, is that there are significant security advantages in using “cloud services” for businesses.

The average enterprise, whether you’re talking small, medium, or the largest of the large — they’re in their respective businesses. A bank isn’t in the business of technology. A retailer isn’t in the business of managing IT infrastructure … what you get from a cloud provider is the economies of scale — and somebody else to manage the problem [of security].

Based on my experience, I tend to agree with Mr. Grossman’s point that cloud computing services offer small to medium-size businesses significant security advantages. For example, a law firm where I formerly worked used a patchwork of security measures that were administered between an administrative assistant and a part-time third-party “everything-IT contractor,” e.g., web hosting, exchange server maintenance, IT sales, etc. To my knowledge, neither had any extensive training or experience in IT security.

Many small and medium-size businesses also rely on a similar IT security “solution.” The fact is, regardless of the IT security risks, most small and medium sized companies simply do not have the resources to dedicate to a full-time IT security expert.

Cloud Service Contracts and Legal Considerations

If your company is considering cloud computing services, either wholly to run the business or in part, there are numerous points that you should consider. A few are as follows:

  • Data Location, Location, Location: Knowing where your data is stored is critical. Where data is located will often determine legal obligations for both personal customer data and corporate information.
  • What Happens when the Lights Go Out: If your cloud service provider goes down, a business will lose access to its data. This often cuts into a company’s bottom line because the company will be unable to provide goods or services to their customers or lose productivity from employees. For this reason, it is important to learn about a cloud service provider’s reliability, service accessibility, and the overall performance.  Cloud service contracts should also address when and to what extent a cloud user will be compensated for the loss of service.
  • What Data Should be Stored in the Cloud: It is also important for businesses to consider what data will be subject to a cloud hosting agreement. This is because regulations governing certain types of data, such as health information protected under the Health Insurance Portability and Accountability Act (HIPAA), place restrictions on the release of data to third parties. Additionally, many industries have regulatory obligations that require certain data, such as personally identifiable information, to be encrypted. A cloud service provider, however, may not permit a user to customize cloud storage encryption standards. Even if there are no requirements for data to be encrypted, it should be. One reason is that many data breach laws, including Michigan’s, contain specific exemptions and protections for businesses if there is a data breach of encrypted data.
  • Shifting Risks: Businesses that use cloud services are still responsible for their data, even after it is moved over to a cloud service provider. To the extent possible, it is important that businesses negotiate duties and responsibilities relating to service malfunctions or data breach notification duties. Even if there is no room to negotiate a cloud service contract, it is still important for businesses to understand their potential exposure for hosting data in the cloud.

Conclusion

As with most things in life and business, there are benefits to be had and risks to be addressed in relation to cloud hosting services.

Businesses using cloud services must understand that moving mission-critical business and customer information over to a cloud service poses both operational and legal risks that must be addressed. Additionally, there are many complicated issues under the cloud service provider’s hosting contract that businesses need to consider. Failing to address these issues may sacrifice or impair a business organization’s ability to conduct business under normal conditions, as well as to comply with obligations under extraordinary conditions, such as data breach or other applicable laws and regulations. Thus, it’s essential for businesses using cloud computing services to understand the scope and limitations of the services they receive, and the terms under which these services will be provided.

Feel free to contact Jason Shinn for more information about cloud service contracts and legal issues pertaining to data privacy protection.

Federal Data Breach and Notification Legislation Approved by House Subcommittee

October 30th, 2011

The House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic Data Act (“SAFE Data Act” or “Act”) on July 20, 2011 and it will now move to the full Energy and Commerce Committee for consideration.

The full text of the SAFE Data Act is available here. It applies to all persons and companies subject to the jurisdiction of the Federal Trade Commission (“FTC”) and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code. It does not, however, apply to entities covered by HIPAA and Gramm-Leach-Bliley in certain circumstances.

A few other notable highlights of this data privacy and breach notification act are as follows:

  • The proposed SAFE Data Act applies to “personal information” which is defined as a consumer’s name, or address or phone number combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).
  • The proposed legislation would preempt State and local laws that impose similar information security or breach notification requirements as to any covered entity and would preempt civil actions under State law for violation of information security or breach notification requirements unless brought by a State official.
  • The SAFE Data Act would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired as well as for notifying the FTC and law enforcement of a security breach.
  • Notification to the FTC is required within 48 hours of discovering an information breach, and notification to consumers “as promptly as possible” but not later than 45 days after discovery of such breach. Notification can be delayed by law enforcement, the National Security Agency, or the Homeland Security Agency if it is determined that such notification will threaten an investigation or national or homeland security. Interestingly, however, this notification requirement may be circumvented if a covered entity makes a “reasonable determination that the breach of security presents no reasonable risk of identity theft, fraud, or other unlawful conduct ….” In this regard, the bill creates a presumption that “no reasonable risk of identity theft, fraud, or other unlawful conduct exists” if the disclosed data is unusable, unreadable, or indecipherable due to encryption or other security technology.
  • Those covered by the proposal would be required to maintain policies and procedures concerning: (1) the collection, use, sale and other dissemination of data containing personal information; (2) a process for identifying reasonably foreseeable vulnerabilities through regular monitoring; (3) taking preventive and corrective action; and (4) properly disposing of data containing personal information in electronic and non-electronic form. Additionally, persons who own or possess data containing personal information must also establish a plan for minimizing the amount of personal information they keep.

For more information on this proposed Data Privacy and Breach notification legislation or on similar information security law, please contact Jason Shinn.

Responding to Internet Disparagement: A Legal Response Is not Always the Best Option

October 20th, 2011

We are repeatedly contacted by businesses and professionals, especially doctors and lawyers, about responding to false and disparaging online postings. Such online attacks can be absolutely detrimental to one’s reputation. And certainly when a “gripe” or negative posting crosses the line and becomes a false and defamatory statement, there are legal remedies.

For example, a victim of a false online statement may have a claim for defamation, which requires (i) a false and defamatory statement concerning the plaintiff; (ii) unprivileged publication of the statement to third parties; (iii) fault amounting to at least negligence on the part of the publisher; and (iv) either actionability of the statement regardless of whether there is special harm (defamation per se) or the existence of special harm caused by the publication (defamation per quod). A communication is defamatory if it tends to so harm a person’s reputation as to lower the person in the estimation of the community or to deter others from associating with the person.

But responding to online criticism with “legal guns blazing” may not always be the most strategic response. It also may not be an option if the disparaging comments – while negative – are not legally defamatory.

So what options do businesses and professionals have when their online reputation is on the line?

Scott Stratten, author of Unmarketing: Stop Marketing. Start Engaging (a great read so far), offers the following (paraphrased) insight:

  1. Monitor social media channels for mentions of your name, business, etc., “If people are talking about your brand, you should be a part of the conversation.”
  2. React and post in your blog or other medium your story. Explain your story and if appropriate, admit to the mistake.

See Stratten, Scott (2010). UnMarketing: Stop Marketing. Start Engaging. (p. 46). Wiley. Kindle Edition.

Another consideration: It is important to remain calm in the social media exchange. If you lose your cool, you may have thrown gasoline on a social media fire that goes viral.

By proactively responding on the social web, victims of negative online comments have a chance to win back disgruntled customers or, at least, make sure the online social public has both sides of the story. It is important, however, to consult with an experienced internet lawyer who understands defamation law and how it impacts your online reputation in determining the most strategic response to negative online comments.

Michigan Lawmakers Introduce E-Commerce Tax Collection Statute

October 18th, 2011

Michigan lawmakers have introduced legislation that would require businesses selling items over the Internet to collect the state’s 6 percent sales tax. This bill is similar to a New York law that required remote vendors with any “affiliate” relationships in the state to collect sales taxes on all purchases made by residents of that state from the vendor. Essentially, laws like New York and Michigan’s proposed legislation target Amazon.com and similar stores by moving online-only retailers under the same sales tax collection laws under which brick-and-mortar businesses operate.

The Michigan Retailers Association has framed the need for this legislation as a way to prevent online retailers from using “legal loopholes” that allow them to avoid collecting state sales tax at the point of sale. The Michigan Retailers Association reports that closing this “loophole” would:

  • Lead directly to the creation of as many as 1,600 new jobs;
  • Provide investment in Michigan’s economy in the form of sales at brick-and-mortar retail outlets, which would increase by as much as $126 million per year; and
  • Eliminate the loss of $141.5 million in the form of sales tax from electronic remote sales in 2012.

The preceding numbers are projections that may or may not prove to be accurate, especially the job creation estimate.

In contrast to these estimates, within hours of a law similar to Michigan’s proposed internet tax law passing in Illinois applying its 6.25% sales tax to Internet purchases made in Illinois, Amazon announced it would discontinue using any of its 9,000 Illinois small business affiliates to avoid having to collect the tax. Whether a similar pull-out would happen in Michigan remains to be seen. But it is hard to ignore such historical facts in favor of hoped for possibilities.

Closing Thoughts

Two issues to consider in regard to states seeking to impose their respective tax scheme on out-of-state, e-commerce retailers. First, such e-commerce retailers do not use state government services in the way that retailers do. Consider for example that Amazon’s Seattle offices will never be serviced by a Michigan fire department. It is, therefore, difficult to justify why an out-of-state retailer that is not benefiting from a state’s resources should now be subject to that state’s taxing authority.

Second, there is a real undue burden in telling a company, especially a “mom and pop” e-commerce business that it now must comply with 50 separate sales tax jurisdictions around the country. As an attorney that works with many online companies here in the U.S. and abroad, such compliance is definitely an expensive challenge.

For a great read offering more insight on imposing internet tax collection on e-commerce businesses, check out Adam Thierer’s article about alternatives to state Internet tax statutes.

Blogger Hit with $60,000 Jury Verdict for Blog Postings

September 2nd, 2011

A blogger in Minnesota got hit with a $60,000 jury verdict for postings that led to the firing of an ex-community leader. The most disturbing aspect of this verdict, however, is that according to the Star Tribune Paper, the blogger’s postings were true.

Specifically, the paper notes that blogger John Hoff told the truth when he linked ex-community leader Jerry Moore to a high-profile mortgage fraud and this post led to Moore’s firing. The paper notes:

District Judge Denise Reilly threw out four of the five statements, saying they were either opinion or the comments of others on the blog. With respect to the remaining statement, the jury agreed with Clark’s claim that Hoff had committed “tortious interference” by meddling with Moore’s employment. Clark pointed out to the jury that Hoff, in a later blog post, took partial credit for Moore’s firing.

Under Michigan law, a “communication is defamatory if, under all the circumstances, it tends to so harm the reputation of any individual that it lowers the individual’s reputation in the community or deters others from associating or dealing with the individual.” Kefgen v Davidson, 241 Mich App 611, 617, 617 NW2d 351 (2000). One of the defenses, however, to a defamation claim is that the defamatory statement was true or substantially true.

Because Mr. Hoff’s statements were reportedly true, the plaintiff used another legal theory – tortious interference – to hold the blogger liable.

Generally, a tortious interference claim involves a plaintiff and a third party who have entered into a contract or an advantageous business relationship. The defendant (in this case the blogger) is not a party to the contract or business relationship, but intentionally commits some improper act that (1) causes a breach of the contract or disruption of the business relationship between the plaintiff and the third party and (2) results in damage to the plaintiff.

My Thoughts

My problems with the verdict against Mr. Hoff are twofold:

First, you have a plaintiff who cannot make a claim for defamation apparently because the non-opinion statements were truthful, i.e., a complete defense to defamation. So to get around this issue, another legal claim is used. That legal maneuvering, however, comes at the expense of the First Amendment protections afforded to speech.

Second, in looking at the tortious interference claim, I cannot identify what “improper act” was taken. Without an “improper act” you don’t have a claim for tortious interference. And while the “truth” may hurt, since when has telling the truth ever been improper?

I think this is a legally absurd result that (hopefully) will be reversed on appeal. Feel free to contact me with any questions or share similar experiences. Thanks.

Court Ruling that Fourth Amendment Protection Extends to Email – What this Means for Cloud Services

April 4th, 2011

There are a number of questions that should be answered before a business moves to the cloud, i.e., storing data on remote computer servers and sharing and transmitting such information over the Internet. But recently an important question concerning privacy was answered from an unlikely source: A conviction of the former pitch man, “Bob” for the male enhancement product Enzyte.

Specifically, Warshak a/k/a “Bob,” was “living large” from the sales of Enzyte, which claimed to offer “natural” male enhancement. But these claims were false and Warshak and his mother (she worked at the company – you can’t make this stuff up) were convicted on various fraud charges. Warshak received a 25 year prison sentence.

Warshak appealed his prison sentence, which resulted in a significant ruling for cloud service providers and users of such services.

Specifically, the Sixth Circuit Court of Appeals (the Federal Circuit that includes Michigan, Ohio, Kentucky, and Tennessee) ruled in United States v. Warshak that e-mail stored with commercial Internet service providers (ISP) has the same Fourth Amendment protection and expectation of privacy as letters transmitted through the US Postal Service and phone calls. This portion of the decision arose from the government investigators’ actions in secretly subpoenaing the ISP that stored Warshak’s e-mail. With the subpoena, the government gained access to 27,000 of Warshak’s e-mails without his knowledge.

In other words, the Warshak decision unequivocally says e-mail may be private and constitutionally privileged. Given the routine use of e-mail in everyday life, this conclusion may seem absurdly obvious. But the law does not always keep pace with technology. In this regard, the court noted:

“[T]he Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will wither and perish.”

In reaching this decision, the court ruled a portion of the Stored Communications Act unconstitutional. The unconstitutional provision of this Act provided that the government can access ISP stored e-mails older than 180 days with just an administrative subpoena or court order.

The Takeaway for Businesses

First, for businesses relying on cloud services to manage their operations, e.g., e-mail, CRM, etc., this case should offer a measure of comfort in that it will be harder for the government to go directly to a third-party service provider and gain access to company information without a search warrant. In fact, it levels the playing field between companies that have the resources to keep IT services in-house and those that must outsource to third-party services, like Google Apps, Gmail, Salesforce.com.

Second, for companies offering cloud services, they will need to carefully consider how they will respond to government requests for information. Certainly in the Sixth Circuit, cloud service providers should consider the potential privacy protections that clients have under the Warshak opinion before turning over data to the government. Prudent cloud service providers should hold out for a valid search warrant to support the request rather than turning it over in response to a subpoena. Of course, such decisions should be made with the advice and assistance of competent legal counsel.

Facebook Changes its Privacy Policy to Make it Easier to Understand and What this Should Mean for Your Business

February 26th, 2011

Recently, Facebook revised its Privacy Policy to make it more easily understood. What I find remarkable is that the revisions are generating buzz despite the fact that none of the terms of the privacy policy actually changed. Instead, the revised policy is noteworthy because it was rewritten and reorganized in a way that makes it easier to read and understand. Or as some writers have explained, Facebook’s new privacy policy is written so that non-lawyers can understand it.

As a fan and aficionado of website terms of use and privacy policies (as you can imagine – I’m the life of most parties), there are many privacy policies and website terms of use that I’ve found to range from clear and effective to confusing and even incomprehensible. This disparity is unfortunate, especially when one considers that at their core, website terms and conditions and privacy policies are a means to communicate with your most important listeners – customers. With this in mind, here are a few thoughts from an anti-legalese lawyer for drafting effective website policies that do double-duty in regards to customer relationships.

Know the law and your business goals when drafting Privacy Policies and Terms of Use. First, draft your e-commerce policies to address any legal or regulatory requirements applicable to your e-commerce business and how it conducts on-line business. There are numerous examples of Internet specific statutes and requirements that businesses need to consider.

Use your website terms of use and privacy policy to eliminate or reduce risks. Let’s face it: we are often sheep. I’m guilty of it. And so are the website owners who want terms of use or a privacy policy simply because other similar sites have these policies. But instead of following the herd, consider drafting your e-commerce policies and procedures to eliminate or, at least, minimize legal risks specific to your online presence. It makes little sense to copy Facebook’s policies for an intensely user-dependent online experience if your site is at the other end of the spectrum in that you are not collecting visitor information and users cannot contribute or otherwise submit content to your site.

Know your audience and write for them. In drafting your policy to meet the preceding goals, don’t forget your audience’s perspective, i.e., how will your customers view doing business with you? In today’s search-dominated world, your website is essentially the store-front to your business. So it makes little sense to showcase your website as one thing – perhaps user friendly or a place for customers to develop a relationship with you – but then frame that showcase with a mile-long list of draconian, formalistic, incomprehensible legalese for users to accept or not. Instead, customers, web or otherwise, will more likely appreciate plain, easily understandable language explaining how you intend to meet legal and regulatory requirements, what is expected from the customer in exchange for using your website, and what they can expect from you.

If you go to our Facebook page and sign up (I hate asking people to “like” us), we’ll provide you with an example introductory paragraph for a website terms of use that has actually resulted in a positive dialogue between customers and the site owner. In the interest of full disclosure, this “secret language” is really common-sense, but just not commonly used.

Conclusion

I’m not suggesting that your website terms and conditions or privacy policy will ever win a Pulitzer. But there is no requirement that they must use dry, confusing, and lifeless language to accomplish your goals. Humor is ok. Sarcasm is not illegal. All I’m saying is that website owners should expect their terms of use and privacy policies to be more effective in terms of clarity and achievement and to do more in terms of developing customer relationships. At the end of the day, these policies are just another form of communication. So what is your website communicating through its policies?

Avoiding Microsoft’s Inadvertent Website Disclosure Mistake – A Lesson for Company Websites

February 5th, 2011

The Wall Street Journal reported this past week that Microsoft Corp.’s earnings release was inadvertently made available through the company’s website. The Journal reports that Microsoft’s second-quarter earnings release was available more than an hour before Microsoft’s expected release time.

This kind of incident is not at all uncommon when it comes to business websites. It is also a good reminder for decision-makers and business owners to make sure that what is presented on the company website is appropriate for your operations and complies with any applicable regulations. For example, as a publicly traded company, Microsoft’s “early” release of earnings caused it to consult Nasdaq officials and could bring into play obligations under Securities and Exchange Commission regulations.

While not every company will have to worry about reporting to Nasdaq or Securities and Exchange Commission officials when it comes to website content, every company does have to worry about its online image, its own operations, and a patchwork of state and federal laws specific to Internet operations. In that regard it is important to establish procedures to prescreen all new web content and to periodically review existing content.

Website Audit Checklist

The following (in no particular order) is a good checklist for both:

  • Content
    • Is it accurate and up to date?
    • Are any links broken or otherwise out of date?
    • Does it inadvertently disclose confidential, proprietary, or otherwise sensitive company or employee information?
  • Intellectual Property
    • Are appropriate copyright notices in place?
    • Is there website content that may infringe upon others’ intellectual property?
    • Should you include a Digital Millennium Copyright Act Notice and designate an agent with the U.S. Copyright Office to receive notifications of claimed infringement?
  • Are website visitors required to agree to Terms of Use? If so, have you taken the appropriate steps to protect your company with Terms of Use that will likely be enforced and that will favorably protect your company? Areas to consider include:
    • How are users asked to agree to the Terms of Use? Is agreement optional or mandatory? If mandatory, how do visitors consent to the Terms of Use?
    • When will terms be updated, and how will such updates be communicated to visitors?
    • Do the Terms of Use cover:
      • Warranties and limitations of warranties;
      • Limitation of liability;
      • Choice of law;
      • Exclusive jurisdiction and venue (In other words, do the Terms of Use reduce the risks that the company will be sued in multiple jurisdictions?);
      • Alternative dispute resolution; and
      • Integration clause.

As a best practice, it is a good idea to at least require all visitors to your website to affirmatively represent their agreement with your Terms of Use before allowing significant activities to take place, such as making an online purchase, posting content, or joining a group. And if your site allows users to post content, there are a number of other conditions you will want to discuss with your attorney about putting in place, including incorporating a Digital Millennium Copyright Act Notice and designation with the U.S. Copyright Office.

In regard to privacy and data collection, the following areas should be considered:

  • If applicable, is your website security appropriate and up to date? This is especially important if your site allows for conducting online transactions.
  • Does the site collect visitor information? Is it personally identifiable information? If so, does the website have a posted Privacy Policy covering the following:
    • Are visitors advised of what information is collected and how user information will be treated?
    • Where is the privacy statement posted?
    • How is user information treated?
    • How is user information shared?
    • How does the website address personal information of children under 13?
    • When terms are updated how are such updates communicated to visitors?

It is critical that your Privacy Policy accurately reflect your company’s actual practices in handling user information. Otherwise your company may violate various privacy laws and regulations, including Federal Trade Commission regulations, Gramm-Leach-Bliley, HIPAA, COPPA and other applicable state privacy laws.

Ideally, the preceding areas will be jointly addressed with your legal counsel and your IT/Webmaster.

Conclusion

The preceding points to consider should not be considered legal advice. But it is good business advice because conducting such an audit is an important component of an effective Internet risk management program that will – if done properly – contribute to your company’s overall bottom line by reducing legal and business risks for your Internet operations.



Data Security Breach of Patient Health Records in West Bloomfield Michigan Highlights Risks for Businesses and Consumers

January 29th, 2011

A doctor’s office in West Bloomfield, Michigan recently experienced a data security breach involving patient health records. According to the West Bloomfield Beacon, which originally reported on this incident, the data breach occurred on January 7, 2011 when a laptop containing medical records was stolen out of the office. No information was provided as to how many patients may be affected, how many health records were stored on the laptop, or whether the records were protected in any manner, i.e., encrypted or password protected.

This incident is certainly not an isolated instance, as data security breaches repeatedly litter the headlines. And while there are a number of criminal statutes available to organizations that are victims of a data breach (click here for a summary of Michigan’s Amended Data Breach Law), this type of data breach highlights three important issues facing businesses and consumers.

The Costs of Data Breaches to Businesses

First, a data breach is a risk that every business – regardless of size – must prepare for. But companies – regardless of size – do not always have the resources to adequately prevent or prepare for such a contingency. Failing to properly prepare against a data breach, however, is increasingly no longer an option. Consider that the cost of a data breach increased in 2009 to $204 per compromised customer record, with the average total cost of a data breach rising from $6.65 million in 2008 to $6.75 million in 2009 according to the Ponemon Institute’s annual study. This cost includes the cost of lost business because of the security breach incident, legal fees, disclosure expenses related to customer contact and public response, consulting help, and remediation expenses such as technology and training. Ponemon Institute’s Study.

Business Best Practices and Data Breaches

So for any business, but especially small and medium businesses (SMBs), a data breach can be analogized to a nuclear event: You can get things right 98% of the time, but failure in the remaining two percent can have catastrophic consequences. But rather than raise the white flag and surrender to the fringe future possibilities, there are meaningful best practices to apply to present certainties, even for business organizations with limited resources. Take, for example, the report that the January 7 West Bloomfield breach is believed to have occurred because a laptop was left unattended in an area where there was an issue with the entry way not locking. Further, there was no surveillance in this area. This data breach appears to be consistent with a common theme in most data breaches in that the root cause can be traced back to human error – not technology. Further, there are many low-cost or even free, open source software security solutions to protect data, which is another important brick businesses should add to their wall of data protection.

Data Breaches and Individuals

Second, consumers whose personal information may have been stolen are often disappointed and frustrated to learn there may be little recourse or otherwise unsatisfying remedies available to them. A recent court opinion out of the Ninth Circuit Court of Appeals (this circuit includes California, Washington, Oregon, and other Western states) highlights this point. In that case, the Court concluded that the threat of identity theft arising from stolen personal information about current and former Starbucks employees contained on a company laptop computer was enough of an injury to establish the plaintiffs’ standing to sue the company in federal court.

But this victory was essentially rendered meaningless because the Court went on to conclude that — consistent with many other courts deciding security breach notification cases — the plaintiffs had not pleaded and could not prove that Starbucks’ actions caused them any cognizable harm under state tort or contract law. Specifically, even if the plaintiffs’ allegations were true, they would not support a claim under state tort or contract law because “[t]he mere danger of future harm, unaccompanied by present damage,” is insufficient to support a negligence claim.

Turning back to the January 7 West Bloomfield breach, potential victims would likely have an even more challenging legal standard to meet. This is because the Sixth Circuit (the circuit that includes Michigan) has concluded that an even higher burden than that applied in the Starbucks decision must be met to state a claim arising out of a data breach of personally identifiable information.

The Take-away

Business organizations must consider the costs associated with a data breach, which certainly include attorneys’ fees, litigation, and credit monitoring costs. And these costs are likely to continue to rise. Additionally, these costs do not factor in the damage to your business’s reputation, loss of customer confidence, and loss of productivity due to allocating staff and resources to responding and potentially defending against litigation. For these reasons, the potential for incurring such costs should create a strong incentive to mitigate the potential risk of a security breach by proactively implementing safeguards for employee data now. In this regard, we would welcome the opportunity to listen to your current situation and discuss whether our insight and experience with data security laws would prove to be beneficial to your organization.