While Ashley Madison is hardly a pillar of the Fortune 500, or a traditional small market company for that matter, it should serve as a wake-up call to companies of all shapes and sizes.  The fact of the matter is, we are witnessing the destruction of a company and countless lives due to a data breach.  And the scary thing is, it can happen to any company.

The digital damage is staggering.  The Hackers targeted two categories of information released in subsequent online dumps.  The first data set included user account information including email addresses and user names.  The second dump consisted mainly of Ashley Madison internal emails regarding business conduct and strategy.  While not effecting consumers, this second data dump was just as devastating.  It revealed, among other things, that Ashley Madison charged its users $19 to delete all account information.  Apparently, this did not happen.  Second, internal emails among Ashley Madison reveal executives apparently planning to hack into the networks of its competitors.  Third, it turns out that Ashley Madison was full of fake female profiles likely created to entice new members and facilitate recurring charges.  That’s enough criminal and civil liability to keep armies of lawyers busy for decades.

Continue reading

Data Security and privacy lawyers around the country have been closely monitoring the matter of FTC v. Wyndham Worldwide Corp pending in the 3rd Circuit.  The case arose over multiple data breaches suffered by Wyndham and its customers in 2008 and 2009.  Over $10 million fraudulent charges were booked as a result.  Wyndham faced civil litigation from consumers and shareholders alike.  Additionally, the FTC brought an action under its broad authority to pursue civil damages and injunctive relief for unfair business practices.  While a generalized term, unfair business practices under the FTC Act requires harm to consumers.  The FTC has reasoned in recent years that lax cybersecurity meets this standard because data breaches cause consumer harm.

It is worthwhile to keep in mind the facts that gave rise to the FTC’s action against Wyndham.  The FTC alleged that the aforementioned breach was caused by Wyndham’s nonchalant cyber security policies.  For example, Wyndham did not adequately protect the passwords to its property management system.  Rather than using complex passwords including numbers and caps, Wyndham protected its system with easily guessed passwords.  Additional bad facts for Wyndham include its practice of storing consumer’s payment information in plain, readable, unencrypted text.  This is a big sin in the security world.  Finally, Wyndham failed to implement industry standard privacy protections such as firewalls and segmented data storage.

Continue reading

Data breach incidents are on the rise and here to stay.  It seems like every week there is a new, high profile breach regarding a government agency, movie studio, retailer or health care provider.  Let’s face it, data breaches are inevitable.  I know that sounds fatalistic but that’s the truth.  And there seems to be no conceivable way of reducing the number of breaches.

Previously, companies that experienced a breach had to deal with minimal financial downside aside from providing notice and identity theft protection to consumers.  Throw in attorney fees to guide the company through inquiries by state and federal agencies.  The big cost has arguably been bad publicity and eroding of consumer good will and confidence.

Continue reading

The big baseball news relates to the St. Louis Cardinals hacking of the Astros scouting database and not the latest deal for a high priced middle reliever.  As a data breach attorney and baseball fan, it is rare that two of my main interests collide.  I must confess to feeling some schadenfreude since I am a long suffering Brewers fan.

The New York Times has been all over this, reporting that the Cardinals had an acrimonious breakup with former GM Jeff Luhnow.  The hack was initiated by current Cardinals employees with an apparent ax to grind with Luhnow.  The motivation appears to have been to embarrass Luhnow by exposing his private conversations about talent.

Continue reading

Previously, we explored the merits of the summary judgment as a responsive pleading to a Complaint in trademark and copyright lawsuits.  Let’s look at the other side of the coin.  Why would you not file a summary judgment and instead opt for a rule 12b6 motion?  I think the main reason is if you have a client that is reticent about discovery.  However, even if that is the case, I could argue summary judgment is the way to go because a rule 56d request is tough and the plaintiff does not have a lot of time to put together such a motion.

Rule 56d provides in part that “if the non-moving party shows by declaration that, for specified reasons, it cannot present facts essential to justify its opposition, the court may: defer considering the motion or deny it; allow time to take discovery; or issue any other appropriate order.”

Notice that discovery under rule 56d is not mandatory.  The requesting party must show:  that it has set forth in affidavit form the specific facts it hopes to elicit from further discovery; the facts sought exist and the sought after facts are essential to oppose summary judgment.  Grant v. Unifund CCR Partners, 842 F.Supp.2d 1234, 1242 (C.D.Cal.2012) (citing State of Cal. v. Campbell, 138 F.3d 772, 779 (9th Cir.1998).  This is a pretty tough hurdle to overcome on a legally deficient complaint.  Even if discovery is allowed, it is likely to be very narrow and eliminate much of the typical motion to compel practice.

Continue reading

When representing a defendant responding to a Complaint in federal court, intellectual property attorneys are faced with many strategic choices.  For purposes of this post, we will assume that jurisdiction and venue are incontestable.  One tactic would be to simply file an Answer denying the allegations and engage in full blown discovery.  Another typical maneuver is to attack the pleadings by filing a motion to dismiss or Rule 12b6 as its known in the FRCP.  An often overlooked option is the summary judgment.

Of course, there is no one size fits all answer.  Assorted legal and factual scenarios call for different legal tools.  Every case has its own DNA.  That being said, I have found that the 12b6 motion tends to be overused while the summary judgment tends to be underused.  Many times, your defense clients are better served by a summary judgment motion rather than a 12b6 motion.

Continue reading

In trademark cases involving keyword advertising, the nominative use defense is often a powerful tool that leads to early success on summary judgment.  We recently had a case where we represented a payment processor review site.  At issue was whether or not a review site is able to advertise by purchasing trademarked terms on Google Adwords.  In this post, we will run through the analysis and ultimate answer.

Where a trademark claim arises from the use of a trademark as a reference to mark owner’s goods or services such as a review site, the case is among a “class of cases where the use of the trademark does not attempt to capitalize on consumer confusion or to appropriate the cachet of one product for a different one” and the plaintiff’s claims fall to the doctrine of “nominative use.”  New Kids on the Block v. News Am. Pub., Inc., 971 F.2d 302, 308 (9th Cir. 1992).

Continue reading

One issue that often faces small to medium sized companies is whether or not to buy cyber liability insurance policies.  The need and market for such policies is developing.  In this post, I will provide an overview of the product and why I recommend that our clients obtain this coverage.

First, with rare exception, today every company is a tech company.  Obviously, social networks and electronic marketplaces are run from an internet platform but the same can be said for the auto body shop that interacts with insurance carriers via web portals.  Just as tech companies have a significant brick and mortar presence, traditional brick and mortar companies transact large amounts of business online.  Because of this simple fact, I advise my clients, large to small, to obtain cyber liability coverage.

Continue reading

E-tail behemoth Amazon recently filed a lawsuit against Jay Gentile, a California resident offering positive Amazon reviews for a price, otherwise known as “astroturfing”.  Gentile offered his service via the domain name “buyazonreviews.com”, among others.  Here is how the operation worked in a nutshell:  Mom and pop widget company desires four and five star reviews in order to increase consumer confidence and sales; Gentile’s service provides the widget seller with canned 4 and 5 star reviews over a period of months, so that the reviews appear legitimate and avoid Amazon’s review screening filter; and the reviews cost mom and pop about $20 per review.  Gentile’s company even went so far as to allegedly orchestrate phony baloney sales in order to achieve “verified” review status.

Quite naturally, Amazon isn’t too happy about all of this.  Consequently, Amazon deployed one of its go to law firms to attack Gentile in Court.  The problem is, I’m not too sure that Amazon’s lawsuit is legally viable, however, it does have significant strategic and practical value.  Because of this, I think it is likely to serve as an astroturfing deterrent.

Continue reading

Businesses are constantly in danger of being defamed on the Internet.  Often, this defamation is anonymous.  Typically, it is committed by a competitor or a disgruntled former employee.  Because of this, it can be difficult for a business to combat the defamatory assertions.  Websites like Yelp (and blogging platforms like WordPress provide valuable consumer information, however, they can be misused for nefarious purposes.  For companies harmed by anonymous internet defamation, there is usually one goal – to remove the defamatory material.  In this post, we discuss the proper way to proceed.

Continue reading