Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web.”
Copyright 2013-2016, all rights reserved Lorenzo Law Firm, P.A.
Saturday, May 28, 2016
Internet account security and weak passwords are all too common when the causes of cyber incidents are investigated. The ease of use of one’s birthdate, anniversary, and the incredibly savvy use of ‘admin’ or ‘password’, not to mention ‘12345,’ has gotten many into a serious predicament. Not following through on login processes and seeking shortcuts has also made vulnerability more pronounced in our media news about hacking incidents. The complication to this malady in our common use of the internet and internet of things is that users want to enjoy the technology and the access it gives, but the potential access users are actually giving the would-be hacker is enormous.
Advising clients to keep different passwords for every account is received as if I am asking them to pull their own molar with a pair of pliers – though they may have imagined that I suggested taking Tequila with the pull-out. The password is actually the gateway to the internet user’s life. Think about it. To enhance security and privacy online, think of the following. The stronger the password, the more protection. The longer the character sequence, the better. The least predictable quip, statement, or just characters, the better. The silliest and most remote answers from your actual predictable mundane life will make it tougher for hackers to deduce them from your profile; yes, and I do mean the predictable, always updated profile many are proud of and social media sites and advertisers love.
The life of the internet user has a profile that is continuously being built unbeknownst to the user. There is the profile that the user creates every time the internet user opens an online account or posts an update on social media. There is also the profile that is being created by law enforcement and government agencies, and of course by your garden variety hacker wanting to get into your bank account or seize control of your company’s trade secrets, or just employ the ever so popular ransomware threat.
Having one password apply to a number of personal accounts is seriously not a smart thing to do. Having a hidden notebook with selected passwords that can be easily accessed is actually a smart thing to do. Storing passwords in your mobile device is also not bright. Keeping your passwords in an unprotected computer file is as well asking for problems. Labeling the file that has your passwords “Password File” is tantamount to leaving your automobile unlocked.
As users navigate the web daily for pleasure or work, communing with the unknown, sharing life’s joys, or being a participant in the online place, please think! Use passwords and select them wisely. Be creative with your verification questions and their answers. Remember that there is more than one profile floating around the web and it may be what you do not know about. The internet may show more about you than you care to know about yourself.
Tuesday, May 24, 2016
Online contracts trip the line that draws on possible arguments for applying the choice of law principles. Platform terms of service, though frequently updated, may not be providing appropriate notice to inform the public user. Data collection practices of social media platforms for purposes of claimed efforts to provide enhanced services to the user public may be seen as violating user privacy and rights. Online contracts whose terms change under the conditions that they are effective as they are changed, with the implied understanding and consent of the user, may run on thin ice. The element of affirmative consent is seen as absent from the equation in a recently filed case arguing, among other points, privacy infringement.
An Illinois case involving Facebook’s face-scanning tag suggestion feature raises these issues. The face tagging process has enhanced the popular platform’s features for interactivity among subscribers. It has garnered recognition data using biometrics. It could be the largest conglomeration of such data on the Internet. The questions of the purpose for such collection and its security linger. The suit filed against Facebook draws on issues of privacy and the absence of consent to the terms of an online contract.
According to the suit text, the plaintiffs claim that the photo-tagging process creates images of the user’s face and that this process is not consented to by the user. In Illinois, where the case was filed, there is a provision that prohibits such a process. The Illinois Biometric Information Privacy Act (BIPA) does not allow for the generation nor the collection of identifiers which include fingerprints and faceprints. Accordingly, there must be consent for this process and also the process that involves retrieving DNA data of a user. Consent is paramount.
While this may be a matter of consent for executing a process that infringes on privacy, the case has turned on the choice of law issue whereby the social media platform has sought to dismiss the case arguing that California law is applicable and not Illinois. But with the parties moving the case to California, and California not having a similar provision, the social media company has argued that the claim is without merit. The wrinkle is that the court’s determination of the insufficiency of the social media company’s terms of service renders the Illinois provision applicable and it did not grant dismissal as requested by Facebook. Facebook argued in its motion to dismiss that BIPA is effective and that the users had consented to be bound by California law. Furthermore, in the absence of an applicable provision in California, the case is without merit. It stood on the principle that the tagging process was not governed by BIPA. The court found that Illinois law applies and that the plaintiffs have stated a claim under BIPA.
The challenges to this process have remarkable traction in the industry and cause some reflection on the aspects of online contracts. The online contractual constructs of clickwrap and browsewrap online agreements have been dealt with construing invalidity. The Second Circuit in Specht v. Netscape was not convinced in a browsewrap scenario that the consumer, by clicking on a button to initiate a download, had manifested his or her consent to the terms. The court reasoned that without a clear notice to the consumer that selecting the download icon was actually expressing consent, that act did not suffice to construe that the consumer had consented to the terms and conditions. In this case, the Court determined that Facebook’s agreement was enforceable but did not include the choice of law provision in the decision, stating that the privacy interests of the citizens of Illinois could be jeopardized if the choice of law provision is enforced. It could not ignore Illinois’ BIPA provision and respected the legitimate state interest of Illinois. It is interesting to note that while this case may be seen as a matter of contracting and choice of law heavily utilized by Internet and technology related businesses, it hinges on the prominence of the user’s expressed consent to a privacy infringing process and is not about restricting innovation.
 In re Facebook Biometric Information Privacy, (ND Cal. May 5, 2016)
Friday, May 20, 2016
Internet immunity has been a thorn to those who have been the subject of comments on the web. Cyberbullying, online harassment, and libel have had a long-lasting impact on those who have been the subject of the content posted. The purposes for the posts and what is stated online are varied. Some have a personal effect and are driven by a relationship experience. Others could be attributed to a reaction to a service not provided to the liking of the customer. And there are some that are a form of anti-competition to ruin the reputation of a competitor. They are indeed varied. The manner in which the comments have been treated is as well varied, with some commonality with regard to the distinction of the commenter from the medium in which the comments are displayed online.
Previously posted notions on this subject touched on the Anti-SLAPP action testing Florida’s provision in Roca Labs, Inc. v. Consumer Opinion Corp. In its original lawsuit, Roca Labs argued that the defendant’s consumer review website was fostering defamation, effectively causing tortious interference, and committing unfair competition. The defense argued immunity under Section 230 of the Communications Decency Act, formally known as Internet Freedom and Family Empowerment Act. The court determined that defendant’s posting of just excerpts of the post placed by the user was not actionable.
The issue of republication was as well discussed regarding defamatory content of a commercial nature where a link was provided to another site that directed the reader to read defamatory content about the plaintiff. The court reasoned that linking to a site where the content about the plaintiff resided did not constitute republication. The Communications Decency Act, Section 230 has not applied to republications and, under common law, linking defamatory content to a site is not deemed tantamount to “republication” in the context of defamation. As is found in some online defamation actions, the plaintiffs have had difficulty in providing support for their claim that the comments had anything to do with their business decline. Courts do weigh the evidence provided by plaintiffs and they distinguish those statements that just appear as an opinion from those stated as fact.
The worry of many clients, aside from comments deemed just opinion and the anonymity of commenters, is the immunity granted to websites that serve as a platform along with the anonymity in which the statements can be made. The Communications Decency Act sets an immunity for these sites but it is based on qualifiers. Any chance of a suit along these lines being successful will require the suit to be directed at the content provider and not the internet service provider (ISP). The only exception to this is if there is evidence that the ISP exerted some form of discretion in wording or selection of content. Providing the vehicle by which commenters can express their voice does not expose the service provider to liability by itself. Once the service provider exercises editorial discretion in determining the selection of submitted material or its content, the website immunity will be questioned as a publisher.
Cyberbullying and online harassment, and even commercially motivated comments, seem to leave an indelible mark on reputations in this digital realm of communications. Reputation management is a way to address the gaps that currently allow for privacy terms and conditions in user agreements to protect the identity of the commenter. It is fair to say the internet service providers and interactive internet providers are not the ones making the harmful comments and their exposure to liability for the posted comments should be distinguished from the liability of the commenter, in the traditional sense of the speaker. The immunity granted on the web is a delicate concept loaded with qualifiers and the Communications Decency Act has a valid role to play in our online life against websites that foster disparaging comments. Online immunity is after all not a given fact.
Thursday, May 19, 2016
Internet of Things, or “IoT” as commonly referred to, has proliferated in our culture and will continue to do so as it acquires growing attention with functionality and ease. Its attraction is in its usefulness, engendering efficiency, productivity, and an expectation of enhancing one’s fitness along with self-awareness. The idea of IoT has brought the attention of platform designers, who have replaced the smaller developers who were focused on the utility of one product’s ability to sync with a network. This aspect of growing platforms causes policy and technical concerns for liability and protecting privacy and for securing the integrity of financial transactions. The rude awakening for the NTIA is that they will find out that their paradigm is changing faster than their efforts to grasp how to address consumer privacy protection issues and business data, i.e., trade secrets.
The notion of a variety of devices being connected to a shared network, of some sort, has prodded the National Telecommunications and Information Administration (NTIA) to seek advisory comments on a variety of aspects that are related to cyber security, potential threats, and liabilities. Last month, the NTIA did just that by issuing a request for public comment (RPC). The NTIA is seeking to know what varied perspectives and circumstances must be accounted for when considering the balance of the benefits of IoT along with the foreseen and unforeseen consequences, including the shared network structural and legal challenges. NTIA is also leaning towards determining what would be government’s best role in this internet realm of evolving technology.
As already commented, the weak link theory in life may very well apply to this phenomenon of the IoT plethora. As is rudimentarily described, it is the network syncing of varied devices, whether it is a computer, router, house alarm, streaming box, mobile phone, or your home security cameras, that draws concern to the eventual weak link compromising the user’s personal confidential information. The Internet is the communications vehicle among people and their varied daily used devices sought to achieve their desired function. It only takes one device synced to the user’s home network or tablet, for example, and the cyber intruder has pierced through to take control of, say, the home alarm system while the user is at work, or to track the user's financial transactions.
Security of personal consumer information is a driving concern with the speed in which the technology and synchronization are actually taking place by way of cloud interface and communication. Yet the path of the industry’s evolution should raise concern for the security of commercial garnered data as well. The hopes of there being standards established are the NTIA’s expectation that IoT garnered data can be classified as consumer driven data and commercially driven data and how each should be protected. Real-time commercial data monitoring is here with scalable means for connecting items to the Internet and the ability to monitor with analytics. This will be an unexpected revelation amid the NTIA’s RPC results that will reveal the industry’s evolution embracing “IoT as a service” to the NTIA ultimately changing its paradigm.
Internet of Things as a service is the next generation of Cloud deployment and management involving interconnected network designers and device manufacturers whose input will be invaluable for logistics and policy NTIA considerations. What underscores this imperative is the direction of software IoT development evolving to enhance platforms and application program interfaces “APIs”. Together, the paradigm is certainly changing for all things considered magnifying the ability to connect devices and products to the Cloud. And so with the speed and breadth of connectivity, the NTIA will recognize inevitable increasing vulnerabilities and liabilities, swimming in the “cyber security justice” pool along with standard setting government involvement in a wave of piercing litigation.
Tuesday, May 17, 2016
Trade secrets are going to be dealt with differently now that the President has signed into law the new Defend Trade Secrets Act (DTSA). Through the bipartisan efforts of Sen. Orrin Hatch, R-Utah, and Sen. Coons, D-Del., DTSA is meeting the desired measure that has long been sought by businesses to address the delicate nature of intellectual property protection at home and abroad. The importance cannot be overstated when the provision now allows federal civil claims for misappropriation of trade secrets. This step undoubtedly heightens the impact of filing lawsuits under the Federal Economic Espionage Act.
DTSA will be considered as other concepts and notions of the intellectual property realm are considered, i.e., patents, trademarks, and copyrights. By doing so, entities claiming trade secrets misappropriation will have more certainty in the process with the authoritative sphere now being a federal law. DTSA will apply to products and or services, regardless of whether they are in commerce or are intended for use in commerce. The claimed pretext of use in commerce extends beyond interstate commerce into foreign commerce, availed by the Espionage Act.
While DTSA now has a federal platform, the potential claimants of trade secrets misappropriation will have a choice to either proceed in federal court or proceed in state court. It is at the discretion of the litigant to determine the most fruitful avenues considering potential protections and how foreseen motions would be handled. Yet, with the federal option available, there will be at least a more settled approach going forward. The damage award aspect of DTSA for the wrongful taking of a trade secret is accompanied by the seizure provision that will allow claimants to seek a seizure of their stolen trade secrets. This mechanism has certain underpinnings.
The underpinnings of the seizure provision are based on demonstrating extraordinary circumstances that will require certain steps. There is a requirement of filing an ex parte application with an accompanying affidavit or verified complaint. The litigant, overall, claiming misappropriation will be able to avail itself of a remedy heretofore not seen at the state level. The initial requirement of demonstrating the inadequacy of the equitable relief under Rule 65 of the Federal Rules of Civil Procedure is required, however. Additionally, the litigant must demonstrate irreparable injury with an outweighing balance of any legitimate interest of the possessor, with a demonstration of the nature of the misappropriation and a description of the trade secret, and showing that if notice was provided to the possessor the trade secrets would be made in any way inaccessible or otherwise destroyed. The acquired trade secret will then be in the court’s custody, and if need be, the litigant can request that it be encrypted.
Thursday, May 12, 2016
The pervasive expansion of internet technology and the internet of things in our everyday lives has become a craze, a thing to do, and something to use by employers. The risks to privacy are overlooked, as well as liabilities when an employer goes too far. The application of technological uses to keep track of employees, staying in touch with their work progress, whether in town or out, does pose challenges. We all hear about notice requirements given to employees allowing for express consent, but that may not be enough when we consider the extensive reach and ability of what is being given to employees under the rubric of wellness, company productivity, and operational efficiency. Needless to say, employers desire ‘healthy’ employees who have ‘healthy’ lifestyles. Conversely, if an employee is in the private sector, the limits imposed by the U.S. Constitution’s 4th and 14th Amendments do not assail the employer, except for privacy considerations.
The legal considerations for the use of internet of things means of tracking employees run into work related and non-work related aspects. Technology allows employers, through employer-given cell phones, wearables, work identification cards that house transmitters, and RFID tags (radio frequency identification), to monitor employees’ whereabouts during work hours and beyond. Where should the line be drawn? If an employer is utilizing artificial intelligence technology to monitor its employees even outside of work, in Florida, it could be considered a tort of intrusion upon seclusion, based on the employees demonstrating that their solitude or private affairs and concerns were intruded upon by the employer’s technological use.
Aside from internet technology tracking whereabouts, the devices companies offer employees allow the employers to know their employees’ activities to the extent of knowing their heart rate, activity frequency, duration, and time, to name some details that comprise an employee’s biometric data profile. On this point attention must be drawn to the prohibition placed on employers by the Genetic Information Nondiscrimination Act of 2008 (“GINA”) prohibiting them from using genetically acquired information for employment and insurance. Furthermore, we must note the prohibition imposed upon employers by the Health Insurance Portability and Accountability Act (“HIPAA”) not allowing employers to acquire employee health information.
Yet, as the technology continues to advance and its use becomes commonplace and pervasive in all aspects of life, the laws are not up to speed to address the fine lines of privacy, the tort of intrusion upon seclusion, and employers’ wellness programs and their employees’ participation. Monitoring laws are taking shape throughout the country but until there is a clear stance of where they are headed, employers and employees should be mindful of several considerations. For instance, employees should be the only ones able to see the generated biometric data profile and not the employer. Any video surveillance in the workplace is prohibited in restrooms, where an employee has a reasonable expectation of privacy. Employees have no reasonable expectation of privacy in emails going through the employer’s server, so email monitoring is permissible. Some states have imposed notice requirements on employers who use monitoring technology, whether in emails, the internet, or phones. Some states recognize an employee’s privacy interest, allowing them to claim invasion of privacy where they have a reasonable privacy expectation. So, as employees play with their gadgets, emails and work phone lines are monitored, work cell phone use serves as a way for our employer to know we are hard at work, and our wearables log how hard at play we truly are, we need to 'exercise' [pun intended] caution and be aware of rights and restrictions, whether you are an employer or an employee.
 Benn v. Florida E. Coast Ry. Co., (S.D. Fla. 1999).
 Sec. 810.145, Fla. Stat.
Wednesday, May 11, 2016
The copyright protection standard for clothing articulated as conceptual separability will now be entertained by the U.S. Supreme Court amid the background of disparate circuit court views. Copyright protection applies to the features pertaining to design of, say, articles and pictures. The garment sector items fall into the dichotomy of use or utility, as the design is varyingly construed to not be separate from its utility by a variety of courts. However, according to the utility concept, described in section 101 of the Copyright Act of 1976, there has to be an independent existence of the article item. The notion is that there has to be a separability regarding the design and its use, i.e., utility. This concern is before the U.S. Supreme Court in Star Athletica LLC v. Varsity Brands, Inc. What the Court will struggle with, as other courts have previously, is to construe the independence of the design from its use or the item’s function, with the purpose of delineating when copyright protection can inure to it.
The garment maker, Varsity Brands, argued, in its suit in the U.S. District Court for the Western District of Tennessee against Star Athletica, copyright infringement on certain garments designed for cheerleading. Star Athletica argued for the absence of any copyright infringement because of the utility of the garments in their intended use, which rendered them not copyrightable. The District court agreed with Star Athletica in that the garment had a functional aspect to it in that the individual wearing the garment would be construed to be a cheerleader. This was based on identity sake of item usage. Hence, the court in granting summary judgment stated that ‘the designs at issue were functional because they identified … the ideal of “cheerleading-uniform-ness”’, and therefore useful. The usefulness rendered it not copyrightable.
The 6th Circuit disagreed in that it determined that graphic features of Varsity’s designs had a conceptual value. By having a conceptual value, there would be a separation between the conceptual design of the garment and its use. The use or function of the garment, in this case, was for cheerleading, which can be construed separately from the garment’s design. It seems the court held a position followed by the 7th Circuit which emphasizes the designer’s judgment in balance with function and design. Of interest would be the emphasis the Supreme Court would give to the physical aspects of the item’s usage and design, which the Fourth Circuit struggled with, along with the Fifth Circuit’s analysis regarding the marketability of the item in question. As it balances the varied circuit views, the test for conceptual separability between the design and the usefulness of the garment is not without its apparent application in other sectors which involve household goods, furnishings, etc. The bottom point of analysis is where the balance will be drawn on identifying the design characteristics of the garment or item in question from its useful purpose. The result will change the direction of copyright enforcement regarding the utility of an item whether seen together or separate from its design.
 Star Athletica, L.L.C. v. Varsity Brands, Inc., 84 USLW 3407, US, May 2, 2016 (No. 15-866).
 Pivot Point Int'l, Inc. v. Charlene Prods., Inc., 372 F.3d 913 (7th Cir. 2004).
 Universal Furniture Int'l, Inc. v. Collezione Europa USA, Inc., 618 F.3d 417 (4th Cir. 2010).
 Galiano v. Harrah's Operating Co., 416 F.3d 411 (5th Cir. 2005).
Tuesday, May 10, 2016
Data security and the insecurity of electronically stored information (ESI) are ephemeral and any anticipation of its occurrence or origin is absolutely unpredictable. All attention is always on the external incidents but little is focused on the internally sourced infraction. Seldom do entities envision the internally sourced incident. The risk from internal unauthorized access to trade secrets leading to misappropriation is realistic. This is not to spawn an environment of distrust in the workplace. Of course, it is difficult to swallow that employees would pilfer company knowledge, designs, formulas, or even the company’s R&D new software specs for self-gain. Word to the wise, swallow it fast and be ready.
The imminent vulnerability is through personnel and their mishaps, forgetfulness, or deliberate sabotage. Always the employee with the increasing frequent absences draws a cause for concern and some form of a query, especially an employee who has access to critical company information. This concern is so realistic that it has motivated states to promulgate their own version of a uniform rendition on trade secrets and provisions addressing computer crimes. Some promulgations allow for civil and monetary remedies when business data is compromised as a result of someone exerting unauthorized access either internally or externally sourced.
With the ease of ESI transmission, unauthorized access becomes all too prevalent for the business insurance companies to fathom the risk. This reality is augmented by the anonymous activity through shadow bots, exchanges and other means that leave the business owner holding client data, innovative plans, beta testing new processes, without protective leverage. Backdoor access is always a possibility especially among those of trust who have a mutual gain in the prosperity of the enterprise. Worst case events are what gave rise to FUTSA and CADRA in Florida and many other states that appreciated the seriousness.
Insecurity of data security, unfortunately, is by the nature of storing ESI and transmitting ESI in our day-to-day business endeavors. Customer information, as well as business assets, are at play in the realm of cyber insecurity. Security is only as secure as the weakest link in the chain of transmission. As vulnerability is realized in its present state, the urgency then is to focus not only on firewalls and other aspects but on internal employee training, policies, non-disclosure agreements, vendor contracts, cyber insurance policies and their coverage reviews, and vetting vendors’ cyber liability coverage before inking a deal. Can a business claim safeguarding its data assets to engender public confidence in the security of ongoing credit card transactions, storage of its personal account information, the transfer of its customers’ medical records, or the updating of financial records? The qualified claim itself draws also the risk of misrepresentation before the regulatory eyes of the Federal Trade Commission. ESI is business as usual and the role of risk management is to realize not only the external aspect of cyber intrusion but to also balance that attention with internal constructs in order to anticipate the unpredictable.
 Florida Uniform Trade Secrets Act (FUTSA), Chapter 688, Florida Statutes; Sec. 812.081, Florida Statutes; Computer Abuse and Data Recovery Act, Sec. 668.801, Florida Statutes (“CADRA”).
Self-Modification by social media platforms has struggled to ensure that the Internet is acceptable to all cultures, religions, political persuasion, and to all values of countries. This exercise in Internet Governance is tall and detailed and comes under criticism for being too heavy handed towards exercising censorship. Though easy to say, it becomes difficult to fathom when realizing complexities across borders. It is also complex when the business of platforms is to solicit the participation of content submittal for all to see and be exposed to. Such solicitation opens platforms to host content that will at some point cross an unacceptable line. The underlying aspect is that the role of Internet Governance is put forth by hidden unelected individuals having a say on what is right and wrong in the public domain. Nevertheless, biases and interests could translate into the decisions of what to allow on the platforms.
The issues run across many sensitivities considering objectionable content. The regard for decency and respect, while still allowing for freedom of expression, has certainly been tested. The responsibility has primarily rested on the platforms’ efforts to self-police the flow of content, applying a form of “content modification.” Posting of violent incidents or committed acts of violence draws one to question the purpose of showing videos of a beheading, animal cruelty, a child being mutilated, a public flogging, or a child’s circumcision. Easier to accept has been public political demonstrations with incidents of restrictions in certain regions of the world.
The argument for free speech is not a free for all as some would imagine when it comes to implementing content policy. With over hundreds of millions of videos uploaded daily, the task is monumental. It is an internationally impactful role that impinges on political interests and national policy interests. The major social platforms are employing and institutionalizing global content review teams setting policies. A violent event could be deemed to have political and news value. A comedic video could be deemed socially acceptable to some and objectionable to others along the lines of being sexually offensive. In a sense, the global content policy initiative by the social media platforms is functioning as the eyes and ears of the user public, trying to discern right from wrong without a definitive line but working with a moving value target.
The implementation of self-modification by YouTube, Facebook, and Google begs the need to set requirements to define lines of acceptability. The distinctions fall under categories of journalistic value, political interest, cultural value information, educational, social creativity and expression; and this is just to name a possible few. The power of what is allowed to be posted by them on the Internet could have endless political significance for a country trying to keep suppressing its citizens, for a social or issue driven cause prior to an election, or for promoting a war or an invasion. The result of exercising discretion over what is allowed to be posted could drive the direction of politics, social development, development of new laws, increasing government control, eroded national borders, or even blur the legal definitions of freedom, defamation, invasion of privacy, and human decency in the public domain. The startling realization is that the self-modification effort is done by entities and their employees whom social media users did not elect to tell them right from wrong in the public domain.
Because of the concern for addressing Internet Governance, groups have been organized. Many of these groups work in group associations such as the Global Network Initiative, Anti-Cyberhate Working Group, Safety Advisory Board (Facebook), and Trust and Safety Council (Twitter). While their stated goals may be lauded, their lack of transparency with their closed meetings causes concern and engenders distrust and doubt about their accountability to civil society and everyone’s use of the public domain.