Is Your Company Subject to Laws Regulating Safe Destruction of Documents?

Many companies have document retention policies – in other words, policies determining how long they will keep certain kinds of documentation.  These policies also frequently cover when documents may be destroyed in the normal course of business.  (Assuming, of course, that no litigation is pending and that there is no other reason why the company would be legally obligated to keep these documents.)  It’s almost a business necessity these days given the cost of document storage.

It is also a fairly safe bet that by now, most people have heard about the potential risks associated with data breaches, or at the very least, have heard about the Target data breach during the holiday season in 2013.

However, did you know that many states regulate how personal information can be destroyed?  Or, more specifically, how documents and records that contain such personal information may be discarded?  To date, at least thirty-one states have enacted laws like this (the link attached omits the Delaware law that was just enacted).

Continue reading

Recent Presentations and Articles

More articles on IP and privacy issues will be posted here soon, but in the meantime, here are several recent articles that have published in other media:

  • Participated in a panel discussion on Shutting Down Rogue Websites:  International and Domestic Solutions, before the ABA Section of Intellectual Property Law’s 29th Annual IP Conference, on April 3, 2014.  An article previewing the session was published by our law student reporter, Anna Oakes, who live-tweeted during the presentation (in accordance with the law student reporter program).  I re-tweeted relevant posts about our session that she and other law student reporters tweeted (see @PaTmLawyer).   An article and presentation slides were published in connection with this session, but they are only available to meeting attendees.
  • Interviewed by Smart Business Magazine, How to protect data security and customers’ trust, published on March 31, 2014.  This article briefly describes ways that companies can begin to plan ahead for potential breaches so that their response(s) to breaches can be carefully considered and (hopefully) well-executed.

In addition, on May 9, I will be presenting during the DRI’s Intellectual Property Litigation Seminar on the ability to recover attorney fees in copyright and trademark cases.  The article and presentation slides developed on this topic will be available to meeting attendees.

Following these presentations, more blog posts will begin to appear again.  What can I say?  It’s been a busy spring.

Stay tuned – more soon.

Senate Judiciary Committee Hearing Tomorrow on IPEC Oversight


The Senate Judiciary Committee has scheduled a hearing tomorrow entitled, “Oversight of Intellectual Property Law Enforcement Efforts” beginning at 10:00am in the Dirksen Senate Office Building.

The witness list includes: 

  • The Honorable Victoria A. Espinel, Intellectual Property Enforcement Coordinator, Office of Management and Budget
     
  • Jason Weinstein, Deputy Assistant Attorney General, Criminal Division,U.S. Department of Justice
     
  • Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation
     
  • Allen Gina, Assistant Commissioner, Office of International Trade, U.S. Customs and Border Protection
     
  • Erik Barnett, Assistant Deputy Director, U.S. Immigration and Customs Enforcement 

The session is scheduled to be webcast, with a link to the broadcast available in the Committee’s hearing notice.

New Law in Utah Prohibits Certain Internet Crimes

On March 26, 2010, the governor of Utah signed into law the Utah E-Commerce Integrity Act (S.B. 26), which prohibits certain Internet-related conduct, including phishing, pharming, spyware and cybersquatting that involves “a computer, software, or an advertisement located in, sent to, or displayed in” Utah. (Legislative history of the bill, and alternate text versions can be found here.)

Essentially, the bill provides the following:

  • Prohibits the facilitation of “certain types of fraud and injury through use of electronic communications;”
  • “Allows for the removal of domain names and online content by an Internet registrar or [ISP] under certain circumstances;”
  • “Forbids the use of various types of software, commonly called spyware, if used for certain purposes;”
  • “Provides exceptions from spyware provisions for various types of communications and interactions, including authorized diagnostics;”
  • “Prohibits the registration of domain names under certain circumstances, commonly referred to as cybersquatting;” and
  • “Provides civil penalties for a violation of cybersquatting provisions”.

It also prohibits the passage of contrary laws by subdivisions of the state and makes other technical changes.

Key among the provisions are definitions of what activities constitute phishing, pharming, spyware and cybersquatting. Notably, the statute only applies to activities that occur after July 1, 2010 (although for cybersquatting and infringement, the effective date is May 11, 2010).

Any ISP that is “adversely affected by the violation”; “an owner of a web page, computer server or trademark that is used without authorization by the violation;” or 3) the attorney general may file suit to recover damages for phishing or pharming activities. Either actual damages or “a civil penalty not to exceed $150,000” per violation can be awarded.

In the case of spyware, not only are the ISP, attorney general and trademark owner whose mark was used to deceive others able to file suit, but the owner of “a software company that expends resources in good faith assisting authorized users harmed by a violation” of this provision can also sue. The damages awarded in these instances can be actual and liquidated damages of between $1,000 and $1,00,000 as well as attorneys fees and costs. There are certain exceptions to the damages thresholds, depending on the circumstances.

The cybersquatting provisions are structured similarly to the AntiCybersquatting Consumer Protection Act (15 USC § 1125(d)), and permit the transfer of an affected domain name in the case of a successful judgment against the defendant, but also differ in certain ways from the federal provisions. Specifically, they allow personal names to be included in the scope of protection under the act and exempt domain name registrars from legal action except in cases of bad faith or reckless disregard. There are other differences as well, but these were the most obvious.

Two New Privacy Lawsuits Filed — Part One, Facebook

Within the last few weeks, two major companies have been sued for alleged violations of privacy laws – one filed before the Federal Trade Commission seeking an investigation into Facebook’s privacy settings and the other filed in federal court, styled as a class action against Netflix. (The Netflix suit will be analyzed separately, in Part 2 of this topic.)

Facebook Complaint

On December 17, 2009, privacy advocates filed a complaint with the Federal Trade Commission, requesting that “the FTC open an investigation into Facebook’s revised privacy settings.” In the Matter of Facebook, Inc., Docket Number —- (FTC); see also EPIC’s Press Release, “EPIC Defends Privacy of Facebook Users: Files Complaint with the Federal Trade Commission,” Dec. 17, 2009.

Facebook announced its privacy policy revisions in a December 9 Press Release, “Facebook Asks More Than 350 Million Users Around the World To Personalize Their Privacy; Service Gives Users New Tools to Control Their Information” – which suggested that the changes would actually benefit users, and help them protect their information. In fact, however, these changes potentially undo the restrictive settings that users may have applied to keep their profiles closely guarded and viewable only by “friends.”

A copy of the Complaint, Request for Investigation, Injunction and Other Relief can be found on EPIC’s site, but EPIC is not the only plaintiff. Nine other consumer protection organizations have joined, namely the American Library Association (see also their privacy resources), The Center for Digital Democracy (see also a Dec. 17 blog post that explains CDD’s reasons for joining the complaint), Consumer Federation of America, FoolProof Financial Education, Patient Privacy Rights (see also their Dec. 11 criticism of Facebook’s privacy policy changes and their Feb. 18 analysis of the Complaint Almost Filed Against Facebook), Privacy Activism, Privacy Rights Now Coalition, The Privacy Rights Clearinghouse and the U.S. Bill of Rights Foundation. (If the organization name is not hyperlinked, it’s because I could not find an updated web site for the organization. If you find one, please post it in the Comments section below.)

Other Information about Facebook’s Privacy Policies

* EPIC has also developed an “In Re Facebook” page, on which it summarizes all of the actions it has taken to date relating to privacy issues faced by Facebook participants, provides a background to the debate, and chronicles various articles that have been written about the complaint. (Last updated on Dec. 30, although it appears to be kept current, so keep checking back.)

* The Electronic Frontier Foundation (EFF) has also posted (Dec. 21) an interesting article on its Deep Links Blog entitled, “Who Knows Who Your Facebook Friends Are?”, discussing how Facebook’s changes to its privacy policies have exposed users’ list of friends – thus causing real problems for political activists operating under oppressive regimes. Another EFF article worth reviewing in detail is “Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly” (Dec. 9).

* The New York Times’s Brad Stone blogged about the lawsuit in an article entitled “Privacy Group Files Complaint on Facebook Changes,” (Dec. 17) which has been updated to include Facebook’s response to the Complaint. The response notes that Facebook “discussed” the revisions to its privacy policies with regulators, including the FTC.