How to Shorten Your Job Search and Survive an “Unintentional Sabbatical”

Opportunity is equal parts luck and preparation.

Last year, I found myself unexpectedly looking for my next position. While being on what I’ve come to call my “unintentional sabbatical” was not a planned step in my career, I quickly realized that having a negative attitude was a near-certain way to ensure putting my career back on track would be a long haul. Instead, I focused on staying positive during my job search and working as hard as I could to find a new position, while at the same time finding ways to enjoy the break in my career that I hoped would be a unique opportunity to rest and recharge. Fortunately, I was able to land on my feet within six months in a new position that is a great fit in terms of industry, duties/responsibilities, and culture, at a company I hope to be with for a long, long time.

Finding my new position was the realization of one of my core mantras – “opportunity is equal parts luck and preparation.” While success in finding a new position can be a matter of being in the right place at the right time, it’s important to do the proactive work necessary so that you are prepared to take advantage of any leads or opportunities that come your way. By being proactive, you increase the odds that you’re prepared when opportunity strikes. I’d worked proactively for a long time in part to be prepared just in case an “unintentional sabbatical” happened, and it helped me shorten the time it took to find a new position.

Here are some of the things I’ve done, and things I’ve learned, to help me successfully navigate and shorten the job hunting process:

Pause and think through what you want to do next.

Before you launch head-first into your job search, it’s worth taking a day to think carefully about what you want next in your career. Is it a position like the one you left or are planning to leave? There’s nothing worse than waking up in the morning and being ambivalent, or angry/depressed/anxious, at the thought of going into the office for another day. You spend the majority of your waking life at work with your colleagues – you have to like the people you work with, the company you work for, and the work you do. Think back over your career to the positions where you were the happiest. What are the common elements in them? Or, looking back, have you never been happy in any position you’ve had? Do you want to be a manager or an individual contributor? Is there an industry you feel passionate about? Use this thought exercise either to validate the direction you want to go for the next step in your career (knowing you’re pursuing the right course should give your job search a burst of energy), or to rethink what will make you truly happy in the next phase of your career path.

Build and maintain your network before you need it.

The wrong time to build a network is when you find yourself starting a job search.  Take time to proactively build and maintain a good network. Connect with former co-workers, peers in your community, and people you meet in your personal life. Find industry groups and go to meetings and social events to meet people in your industry (make sure to mingle, not just hang out by yourself). When you’re reaching out to people you think will be valuable additions to your network, don’t just ask them for help – offer to be a help and resource as well. If you are sincere in your offer to assist them as a member of their network, they may be more likely to go out of their way to help you in your job search.

If you connect with someone you don’t know personally on LinkedIn, send them a note thanking them for connecting with you, introducing yourself and summarizing your areas of expertise/skill, and offer to be of assistance as a member of their network. Make sure you take time to periodically reach out to members of your network – you never know who may play a critical role in helping you land your next position. Schedule regular coffees, lunches, and drinks with members of your network; reach out to congratulate them and re-connect when they make an announcement, such as a new position or a work anniversary.

Treat your co-workers the way you’d like them to treat (or remember) you.

Over the course of your career, you interact with a large number of co-workers at many levels.  Remember the golden rule you learned in grade school – do unto others as you would have them do unto you.  In addition to being a good philosophy by which to live, your current co-workers’ view of you and your skills/competencies/style can make or break a future job search. I learned this through experience; I found out after the fact that one of the hiring decision-makers for a position I had applied for (and got) did not call the references I provided. Instead, he contacted a few people we had in common in our networks (former co-workers of mine) to ask them for their thoughts on me.  Today’s co-workers are often tomorrow’s friends who may be willing to go the extra mile to help you in your job search (or even help you land that job you’re hoping for).

Don’t try to connect with everyone at once – it’s OK to stack rank and space out your networking activities.

Remember, job hunting is almost always a marathon, not a sprint. If you have built a strong network, when starting to look for a new position your first instinct may be to immediately reach out to as many members of your network as possible.  However, in my opinion you need to balance networking with other priorities in your life.  My target was 3-5 networking meetings per week (coffees, breakfasts, lunches, drinks, etc.). Create a “networking matrix” of contacts in your network with whom you want to set up networking meetings, and stack rank them. It’s OK to organize them by networking potential (i.e., those with very good connections and contacts in your target industry, former managers/bosses, etc.). Keep track of who you network with and when. Approach a handful (4-6) per week by phone, text, email, LinkedIn message, etc.; hopefully they get back to you so you can maintain a steady cadence of weekly networking meetings. You can always reach out to more contacts on your list to maintain your schedule of networking meetings. While it’s OK to stack rank by networking potential, don’t discount anyone – you never know who knows someone (who may know someone) who can lead you to a great job opportunity.

Leverage your network to prepare for interviews and research companies.

If you apply for a job, search your contacts (e.g., using LinkedIn) to see who is connected to, or working for, the company to which you’ve applied. If you have former colleagues at the company, consider reaching out to let them know you’ve applied for a position with the company and that it would be great to work with them again. Some may be willing to be an internal reference for you, or even put in a good word with the hiring manager. You can also reach out to colleagues for background on the people with whom you will be interviewing.  Additionally, if you’re researching companies you may want to target in your job search, connect with members of your network at those companies, both to reconnect with them and to learn more about the position.  Even if they don’t have a current position that would be a good fit, they may let others at the organization know you’re on the market.

Find ways to keep your skills sharp.

If you’re on an “unintentional sabbatical” like I was, it’s important to find ways to keep your skills fresh.  Fortunately, there are many ways you can do this.  For example, you can volunteer with an organization that lets you practice the skills you use at work.  Participate in online discussion forums and e-groups relevant to your industry. Offer to be a speaker or panelist at online webinars or live conferences.  Write articles in publications and on LinkedIn. These are also great ways to meet people to expand your network.

Interviews are your chance to sell yourself through the answers you give and the questions you ask.

When you get that sometimes elusive interview, take the time to prepare for the questions you’ll receive. Whether or not you’re in Sales, the interview is your chance to sell yourself, your style, and your qualifications for the position. Develop your professional “elevator pitch” as to why you’re the right person for the position – sell yourself. Research the company, and your interviewers, thoroughly. It’s OK to work out talking points for questions you anticipate receiving during the interview.  For example, if you have something in your job history that may be difficult to explain, work out how you want to position it in advance, and practice it.  When coming up with questions to ask an interviewer, think of questions where the expected answer highlights the skills and qualifications you discussed during the interview which can help cement your status as a strong candidate.

Don’t forget to thank members of your network when your job search is over.

Once you’re settled into your new position, carve out some time to send short notes to those in your network who assisted you during your job search. The networking contacts you connected with were part of what led you to your new position. Show those who took time to help you that you appreciated their support, guidance and/or friendship, and let them know that you stand ready to assist them if there’s something you can do for them in the future.

Also, while your networking will necessarily slow down while you get up to speed in your new position, don’t let it fade back to zero – maintain an achievable and regular networking schedule. Remember how important your network was while you were job hunting, and work proactively to keep your network strong should you (or someone you know) have a need in the future.

Finally, don’t forget to take time for you while job hunting.

If you find yourself on an “unintentional sabbatical,” your instinct is often to work night and day to find another position. While finding a job is a full-time pursuit in and of itself, most people don’t get the chance to take a sabbatical (intentional or not) during their career. If you do, lean into it. Make time to do things that will make you a better person, a better spouse, a better parent, and/or a better future employee. Once you’ve landed your next position, you don’t want to go from one stressful situation (job hunting) straight into another (working). By spending some time focused on you, not just on finding a new job, you’ll ensure you are ready to give your new job your all when the time comes.

Eric Lambert is Commercial Counsel for the Transportation and Logistics division of Trimble Inc., an integrated technology and software provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He supports the Trimble Transportation Mobility and Trimble Transportation Enterprise business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

Paralegal vs. Legal Assistant vs. Junior Attorney – Know the Differences and Pick the Right Professional Before Hiring or Contracting

It’s a good sign when the volume of legal work at a company increases to the point where another legal resource is needed, either permanently or temporarily. Most often a company will look for a generalist resource, such as a paralegal, a legal assistant, or a junior attorney, to handle a variety of tasks and free up time for senior attorneys and other specialists to focus on other work. However, many companies post a new position or reach out to a placement firm for a temporary resource without first thinking through which type of legal professional is best suited for the needs of the organization.

Paralegals and legal assistants are non-attorney legal professionals who can perform substantive legal work under the supervision of an attorney, and often form an integral part of an in-house legal department or law firm. There are advantages and disadvantages to adding a paralegal, legal assistant, or junior attorney. Thinking through which of these roles best fits your company’s needs can help maximize productivity for the person filling the role, and help ensure that the person is capable and ready for the work he or she will be tasked to perform. Just as important, understanding what attorney and non-attorney legal professionals can’t do, and how they should be classified from an employment perspective, can help protect your company (and any existing in-house attorneys) from ethical or business issues.

I’ll conclude with a note about contract managers, another role used by some companies to manage transactional work.

Differences at a Glance

At a high level, here are the differences between paralegals, legal assistants and junior attorneys:

Diving In

Let’s look at each of these roles in a little more detail.

Paralegals

Paralegals are non-attorney legal professionals with education, a certification, work experience, or other training which allows them to perform substantive legal work under an attorney’s guidance and supervision. Paralegal as a profession first appeared in the 1960s. Paralegals support the substantive work of attorneys by taking on delegated work that attorneys would otherwise need to perform directly. Paralegals can play a critical role within legal departments given the breadth of work they can perform. Unless it involves the unauthorized practice of law (which I’ll address later in the article), paralegals can be delegated almost any project that an attorney would normally perform, as long as the paralegal is qualified to do it or willing to learn and the paralegal is supervised by an attorney. Paralegals at smaller departments may also handle administrative tasks for the legal team. There are a number of certification programs for paralegals, such as the National Federation of Paralegal Associations (NFPA)’s Paralegal CORE Competency Exam (PCCE) and Paralegal Advanced Competency Exam (PACE) and the National Association of Legal Assistants (NALA)’s Certified Paralegal (CP) and Advanced Paralegal Certification (APC) credentials. There are also paralegal associate degree, bachelor’s degree, and master’s degree programs.

If a company needs a legal professional with the training, experience and ability to perform substantive legal work under the supervision of one of the company’s attorneys, and does not need an attorney for the role to provide legal advice/counsel or to represent the company, a paralegal may be a good option. For example, a paralegal may be best suited to help with a document review project, to draft and negotiate standard agreements, or to research a specific question or new law.

Legal Assistants

Legal assistants also perform substantive legal work under an attorney’s guidance and supervision. Legal assistants may be tasked with administrative activities such as filing, maintaining the legal calendar of important deadlines (e.g., trademark renewal deadlines), and managing legal department bills and expense reporting. Legal assistants may aspire to grow into a paralegal role. If a company needs a non-attorney legal professional who does not possess the training, education and experience of a paralegal but who has the ability to perform both substantive and administrative legal work under the supervision of an attorney, a legal assistant may be a good option. For example, a legal assistant may be best suited to help a small legal department which has administrative needs as well as other substantive work.

Many non-attorney legal professionals within corporations prefer the title “Paralegal” to “Legal Assistant,” as it is often perceived as a more professional and senior position than that of a legal assistant. Some in-house legal departments will use the title “Junior Paralegal” for a legal assistant who does not yet have the necessary experience, education, certification or training to be a full paralegal, but where the person or the company wants the individual contributor to have a paralegal title.

Paralegals and Legal Assistants as Non-Exempt Personnel

One very important note for US employers – the US Department of Labor (DOL) has stated that paralegals and legal assistants should be classified as non-exempt personnel in most circumstances. In 29 CFR § 541.301(e)(7), the DOL states that “paralegals and legal assistants generally do not qualify as exempt learned professionals because an advanced specialized academic degree is not a standard prerequisite for entry into the field.” The DOL has issued opinion letters, such as FLSA2005-54 and FLSA2006-27, supporting this position. However, do not interpret this as meaning that paralegals and legal assistants are not professionals – they are (just not from a Fair Labor Standards Act perspective, according to the DOL). It’s also important to note that the DOL’s webpage on the Overtime Final Rule added a note in January 2018 stating that the DOL is “undertaking rulemaking” to revise the Overtime Final Rule, so employers with paralegals and legal assistants should watch this carefully.

Why Paralegals and Legal Assistants are Different

Many view paralegals and legal assistants as interchangeable titles and roles. For example, the American Bar Association uses the same definition for both paralegals and legal assistants. Both paralegals and legal assistants can perform substantive legal work under an attorney’s supervision. However, I think it’s more accurate to view them as two different points on the spectrum of non-attorney legal professionals. Here are some of the key differences I see between the roles:

  • Paralegals often perform (and expect to be tasked with) more and higher-level substantive work than legal assistants.
  • Legal assistants are more likely to be tasked with administrative legal responsibilities than paralegals in the same department.
  • Paralegals are more likely to have completed a certification, education, or other training program demonstrating a higher level of skill and experience in supporting substantive legal work, and those who hold a paralegal certification must maintain it through continuing paralegal education.
  • Paralegals, especially those with a certification, tend to expect a higher compensation rate/salary than non-certified paralegals or legal assistants.

What Paralegals and Legal Assistants Can’t Do

Paralegals and legal assistants can do many things, but cannot provide legal advice or opinions, sign documents or pleadings, engage in other prohibited tasks such as establishing attorney-client relationships, or engage in the unauthorized practice of law. This is a critically important point – paralegals cannot, and should not be permitted to, perform substantive legal work except under an attorney’s supervision, and should not do anything (directly or indirectly) that could be considered the unauthorized practice of law. For in-house paralegals, this can be very tricky as others will undoubtedly come to the paralegal asking for an opinion or advice.  Rank-and-file employees often feel anyone in Legal should be able to give them an answer on a legal question. It’s up to the paralegal to let them know that they need to defer to the attorney on legal advice or opinions, and to ensure their work is being supervised by an attorney. The voluntary codes of paralegal ethics, such as the NALA Code of Ethics and Professional Responsibility and the NFPA Model Code of Ethics and Professional Responsibility and Guidelines for Enforcement, clearly state that paralegals cannot engage in the unauthorized practice of law, perform duties that only attorneys can perform, or take actions that only an attorney can take.

In Minnesota, as in most US states, the unauthorized practice of law is illegal. Minn. Stat. § 481.02 prohibits a non-attorney from acting as an attorney or giving legal advice or services. In some states, the unauthorized practice of law is a felony. An attorney responsible for supervising the work of a paralegal or legal assistant who engages in the unauthorized practice of law will also find themselves in violation of Rule 5.5 of the Minnesota Rules of Professional Conduct, which prohibits attorneys from assisting others in the unauthorized practice of law.

This is one of the reasons why the first in-house legal hire at most companies is an attorney. It is generally not recommended that a company’s first legal hire be a paralegal or legal assistant, as many of the substantive legal tasks to be performed by the first legal hire at a company require legal supervision, and outside counsel may not be willing to supervise the work of a non-attorney employed by the corporation due to ethical concerns. An attorney who fails to properly supervise the work of non-attorney legal professionals reporting to that attorney is putting his or her legal reputation, license to practice law, and company at risk.

Junior Attorneys

As licensed attorneys, junior attorneys offer a company the ability to do more than paralegals or legal assistants. Not only can they perform substantive work, but they can provide legal advice and opinions, represent the company in court, and otherwise engage in the practice of law. However, junior attorneys are usually considerably more expensive than either paralegals or legal assistants. If a company is hiring its first legal professional and does not need a more senior attorney as its first attorney (e.g., the company has a strong relationship with outside counsel that is acting in a quasi-General Counsel capacity), or needs a legal professional who can perform substantive legal work, provide legal advice and counsel and represent the company, and the company can afford the higher compensation an attorney typically requires, a junior attorney may be a good option.

Contract Managers

There is one other role used by some companies with respect to contracts – the contract manager. A contract manager is a person who is tasked with negotiating, administering and interpreting a company’s contracts (both standard and non-standard). Contract managers can be non-attorneys, or non-practicing attorneys. Contract managers often act in a project manager role to help ensure a company is meeting its requirements with respect to deliverables and other contractual obligations under its agreements. As with paralegals, there are professional associations for contract managers, including the International Association for Contract & Commercial Management (IACCM) and the National Contract Management Association (NCMA), as well as contract manager certification programs, including the NCMA’s Certified Federal Contract Manager (CFCM), Certified Commercial Contract Manager (CCCM), and Certified Professional Contract Manager (CPCM) designations, which require a certain amount of continuing education. In some cases, a company’s procurement department will have contract managers who negotiate procurement and other agreements to take load off of the company’s legal team. Some companies choose to establish an in-house legal function by hiring a contract manager as their first legal professional.

Like other non-attorneys in the United States, contract managers cannot provide legal advice or opinions. However, it is an unsettled question whether a contract manager who does not have a law degree and negotiates agreements, including risk management terms, on behalf of a company without attorney supervision is engaging in the unauthorized practice of law. Companies should consider whether to make contract managers part of the Legal department and have them supervised by attorneys, just as paralegals must be, or alternatively to require candidates for a contract manager position to hold a JD degree – the attorney would be acting not as an attorney for the corporation but in a “quasi-legal” role, and would remain subject to the Model Rules of Professional Conduct governing attorneys, which would help avoid issues regarding the unauthorized practice of law.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The New Revenue Recognition Standards Are Coming – Will You Be Ready?

Most companies measure their financial performance by the revenues and other compensation they earn through their business operations, which in many cases means the sale of goods or provision of services. Knowing when to recognize the proceeds from a sale of goods or provision of services as revenue is therefore critical to financial reporting. For many years, two different rules by two different standards organizations governed revenue recognition:

  1. The Financial Accounting Standards Board (“FASB”)’s Accounting Standards Codification (“ASC”) provides US generally accepted accounting principles (“GAAP”), including those governing revenue recognition. Under the current GAAP revenue recognition rule in ASC 605, revenue recognition varies by industry and in some cases by transaction, which makes revenue recognition a complex and difficult exercise in many situations.
  2. The International Accounting Standards Board (“IASB”)’s International Accounting Standards (“IAS”) provide an international standard for financial statements and accounting. Under the current international revenue recognition rule known as IAS 18, revenue recognition also varies by industry and transaction type, but IAS 18 provides less guidance than ASC 605, making it harder for companies to recognize revenue in a consistent fashion. The IASB is the successor to the International Accounting Standards Committee (“IASC”), which originally promulgated the IAS.

Beginning in 2001, the IASB began replacing the IAS with new International Financial Reporting Standards (“IFRS”). In 2002, the FASB and IASB began collaborating on an improved, stronger, more robust, more useful, more consistent revenue recognition standard, with the aim of making revenue recognition simpler and easier to apply consistently. This collaboration bore fruit 12 years later in May 2014, when the FASB and IASB released a converged revenue recognition standard titled Revenue from Contracts with Customers, codified as ASC 606 by the FASB and IFRS 15 by the IASB. Since 2014, there have been a few amendments (and implementation delays) by the FASB and IASB, and a few small areas where the standards have diverged (e.g., the definition of what “probable” means). Despite this, for the most part the goal of a unified revenue recognition standard remains intact. The new standards take effect for annual reporting periods beginning after December 15, 2017 (ASC 606, for public entities) and for annual periods beginning on or after January 1, 2018 (IFRS 15). All this background can be summarized in the following table:

A tabular representation of the history behind the ASC 606 / IFRS 15 revenue recognition standard.

Here’s what you need to know about the new twin revenue recognition standards (for simplicity, this analysis is based on ASC 606):

How Revenue Recognition Works Under ASC 606/IFRS 15

To recognize revenue under the new standard, companies must do 5 things: (1) identify a customer contract, (2) identify the distinct performance obligations under that contract, (3) determine the transaction price (expected revenue), (4) allocate the expected revenue to the performance obligations, and (5) recognize allocated revenue when (or as) each performance obligation is satisfied. As stated in ASC 606, “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” As we go through each step, keep this visual representation in mind:

ASC 606 Revenue Recognition Diagram

Step 1 – Identify the contract(s) with a customer. The first step of the revenue recognition process is to identify a contract, i.e., an agreement creating enforceable rights and obligations between two (or more) parties. A contract must be signed or otherwise approved by the parties, must have identifiable rights and payment terms, must have commercial substance, and it must be probable that the entity will collect the consideration it expects in exchange for performing its obligations (e.g., provision of goods or services). Remember that a contract does not have to be in writing to be considered a contract for revenue recognition purposes – oral or implied contracts may satisfy these requirements.

Step 2 – Identify the contract’s distinct performance obligations. For goods and services contracts, a “performance obligation” is a promise to transfer a good or provide a service to another party. A good or service is “distinct” if it benefits the recipient on its own or together with other readily available resources (e.g., delivery of a computer that is usable with power and Internet access obtained separately) and it can be identified separately from the other promises in the contract. A series of distinct goods or services that are substantially the same and have the same pattern of transfer to the customer is accounted for as a single performance obligation (e.g., delivery of 5 identical computers under one order, or delivery of a new computer at the start of each quarter during a calendar year, 4 new computers total). In a services agreement such as a SaaS contract, implementation work and the provision of the service may be separate performance obligations. A SaaS company may view each day of service during the term of the agreement as a distinct service in such a series, and so account for the subscription as a single performance obligation satisfied over time.

Step 3 – Determine the transaction price. The “transaction price” is the expected payment and other consideration to be paid/provided in return for satisfaction of the performance obligations. Financial consideration can usually be grouped into fixed (stated in the contract) vs. variable (contingent on the occurrence or non-occurrence of a future event). For variable consideration, companies should estimate the amount they expect to be entitled to, taking into account the potential for changes in the variable payment component. If payment for a performance obligation will be deferred, and not made contemporaneously with the satisfaction of the performance obligation, the present value of the deferred payment should be considered (a significant financing component). Non-cash consideration (e.g., bartered goods or services) should be measured at fair value, or, if fair value cannot be reasonably estimated, by reference to the standalone selling price of the goods or services promised. Other consideration payable to the customer, such as coupons or vouchers, may need to be deducted from the transaction price. For SaaS companies that use a tiered pricing structure and monthly or annual minimums, estimating the transaction price can be tricky and may call for a probability-weighted (expected value) methodology.

Step 4 – Allocate the transaction price to the performance obligations. If your contract has one performance obligation, you’re already done with this step. If not, the next step is to allocate the transaction price among each distinct performance obligation, i.e., to separate the transaction price into each discrete “piece” of consideration a party expects to receive from satisfying the associated performance obligation. This can be done by allocating the standalone selling price (i.e., the price at which the good would be sold separately) to the performance obligation, or where that standalone price is not available, the selling entity should estimate it by utilizing as many observable data points as possible to come up with the best estimate possible. ASC 606 includes examples of estimation methods. If a company provides a discount, the discount should be allocated proportionally among the expected revenue for the performance obligations to which the discount applies.

Step 5 – Recognize allocated revenue when (or as) the performance obligations are satisfied. The final step is to recognize each allocation of the transaction price as each distinct performance obligation is satisfied (i.e., the promised good or service is transferred to the recipient). For physical assets, transfer occurs when the recipient obtains control of the asset. For services, a performance obligation is satisfied when the benefits from the provider’s performance are received and utilized, the provider’s performance creates and/or enhances an asset in the recipient’s control, or the provider’s performance creates a payment right without creating an asset with an alternative use to the recipient (e.g., a company is contractually restricted from using a provided service for other purposes). Performance obligations may be satisfied on a specific date (e.g., for delivery of goods) or over a specific time period (e.g., for delivery of services). If satisfied over a time period, revenue may be recognized based on the progress towards satisfying the performance obligation.

Get Prepared Now

While it may seem like there is plenty of time to prepare for the implementation of the new revenue recognition standard, there’s a lot of work that needs to be done to be ready, including the following:

  • Learn the details. It’s important to note that this article represents a very high-level summary of the new revenue recognition standard. Having a more in-depth understanding of the new standard and how it applies to your company and its costing models/contracts is critical. There is an abundance of articles, seminars, and other publicly-available materials on ASC 606 and IFRS 15. Also, talk with your accounting firm about what they have done as a firm to prepare, and their recommended action plan for your business – they may have some great materials they can provide to get you and your company up to speed.
  • A lot of work can be done proactively. Conduct a proactive review of existing contracts, contractual obligations, and other revenue sources that may be classified as a “contract” subject to the new revenue recognition standard. Analyze each to determine the distinct performance obligations, and determine the transaction price. Work with your accountants to allocate the transaction price among the performance obligations.
  • Review (and update if necessary) contract templates. Accounting should partner with Legal and Sales to review sales proposal templates and contract templates describing or creating performance obligations. Review all standard variations of pricing offered to clients to identify any issues under the new revenue recognition standards. Consider whether warranties, returns language, or other contractual terms create distinct performance obligations and how they can be satisfied. Make any updates as necessary to ensure your templates align with the new standards going forward.
  • Create a plan. Assign a resource to manage the process of preparing for the new standard. Consider creating a cross-departmental group to meet regularly to discuss progress and assign tasks. Consider what internal education will need to be done to prepare employees and groups for the new standard, what changes to internal or third party systems may be required, what additional disclosure requirements may be required, whether internal policies will need to be updated or created, and what changes may be needed to internal processes. Secure the support of executive sponsors, such as the CFO and CEO. If you have personnel who were involved in rolling out SOX compliance in the early 2000s, talk to them about lessons learned to avoid repeating the mistakes of the past.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The Wayback Machine: Portal to the Internet’s Past, and Essential Business and Legal Tool

The World Wide Web has revolutionized the world as an information communication medium, but it has one significant drawback – no long-term memory. Once a web page is updated or removed, it disappears as if it was never there. The Wayback Machine, named after Mr. Peabody’s WABAC machine from Rocky & Bullwinkle and located at http://www.archive.org/web, was conceived to give the Web a long-term memory. It is a tool for looking at previous versions of a web page by viewing different iterations captured over time. Internet enthusiasts can easily spend hours peering back in time to what web pages looked like “back in the day.” For example, Google’s November 1998 search page boasted about having 25 million indexed pages, “soon to be much bigger” – it’s likely even Google could not imagine how true that would be!

The Wayback Machine is operated by the Internet Archive, a non-profit organization created in 2001 for the purpose of building and maintaining a historical record of the Web. It has been “crawling” web pages and other Internet-accessible content for archiving purposes since 1996, serving as an “archaeological history” of websites. As of March 5, 2017, the archive contains 279 billion web pages, but not everything on the Web is preserved in the Wayback Machine. It visits web pages for archiving purposes on a periodic basis, ranging from weeks to hours depending on the website; it respects requests not to archive web pages if specified by the website owner (e.g., by using a “robots.txt” file); it also does not fully archive dynamically generated web pages, such as those with web forms or JavaScript; and it does not archive websites which require a login.

Aside from letting people look back at their favorite website’s beginnings or remember what a favorite long-dead site was all about (I still love pets.com’s slogan, “because pets can’t drive”), there are a number of practical business and legal uses for the Wayback Machine. These include:

Business Intelligence

  • Individuals and companies can use the Wayback Machine to search for information on persons, companies and products/services, especially where the companies, products or services no longer exist or the information sought about them is no longer available online. For example, if you are looking for information about a technology, product or program offered or licensed by your company years ago, and you can’t find information about it in company records (the project manager has left the company, records have been purged under the records retention policy, the company that offers it is out of business, etc.) or want to supplement what you have located so far, the Wayback Machine may have an archived version of a page from your website with the information you’re looking for.
  • Similarly, if you are researching a prospective client, partner or acquisition target, looking at the client, partner or target’s historical websites through the Wayback Machine can yield valuable information, such as details on the history and development of the company and its products/services. This information can identify topics to ask about during due diligence, and can help you identify representations, warranties and covenants for inclusion in a sales, partnership or purchase agreement.
  • If you are researching a new potential executive or potential board member, use the Wayback Machine to look at historical bios on archived websites of his or her former companies as part of a thorough due diligence process or to verify information before including it on a company website or in a securities filing.

Contracts

  • The Wayback Machine can help in locating missing copies of license agreements, e.g., for previously licensed software such as a software program or font acquired years ago. If you can’t find the agreement and the company from which it was acquired no longer has it on their website or has gone out of business, the Wayback Machine may help you locate a copy of the agreement from the archived version of the website around or following the date on which you acquired the licensed material, enabling you to ensure you understand your or your company’s rights to the licensed materials.
  • The Wayback Machine can also help locate prior versions of online agreements, such as vendor agreements. For example, if you are renewing your agreement with a large vendor who sends you a new contract available on their corporate website, and you can’t find the old version of their contract you signed years ago, use the Wayback Machine to find the old version on an archived version of their website to generate a redline against the new agreement to facilitate your review of the new agreement.

Records Retention

  • If a company is reconstructing its historical records, the Wayback Machine is a great place to start. Companies often find that their historical records are spotty, especially in the time before a formal records retention process was put in place. Companies may not have a policy to archive and save information of historical or business value, which may be lost over time. Use the Wayback Machine to find and save historical versions of website policies such as Terms of Use, Privacy Policy, Terms of Sale, and other website disclosures, as well as historical information such as bios on former executives and directors and product information.

Intellectual Property and Litigation

  • The Wayback Machine can be an excellent source of information which may be valuable or essential to a party’s position in intellectual property disputes and litigation. For example, Wayback Machine pages can be used to establish or substantiate infringing activity by a person or entity. They have also been admitted in business litigation as far back as 2003 as evidence of a party’s course of performance.
  • Pages from the Wayback Machine have been used in patent litigation as prior art, i.e., a printed publication describing an invention which publication is shared with a third party (e.g., made available to the public) prior to the date on which the “inventor” filed for patent protection for that invention, and have been used to establish a first date of use in commerce for trademark purposes. (It’s important to note that the Wayback Machine only shows the date on which a page was archived, not the date it was first made accessible online.)
  • The Wayback Machine is also an excellent source for strategic direction in discovery or when preparing a subpoena. Reviewing a discovery or subpoena recipient’s historical websites can help refine a company’s requests for production of documents, interrogatories or other discovery requests where the subject of the request is historical or aged information. It can also help identify potential witnesses who have knowledge as to facts central to the litigation, e.g., a former employee mentioned in a historical blog post.
  • Many federal courts have admitted Wayback Machine web pages in court, in some cases requiring an affidavit authenticating the archived web page, or in other cases where an employee of the company hosting the original web page attests to its authenticity as a true and accurate reproduction of the original page – the ideal person is the person who created the original page, or has first-hand knowledge of the original page. The Internet Archive can provide an affidavit authenticating Wayback Machine printouts for a fee as described on its website, but strongly recommends that a party first request judicial notice or ask the other party to stipulate to the authenticity of printouts from the Wayback Machine (this can be a good approach in arbitration). Note that seeking to admit Wayback Machine web pages can lead to evidentiary objections such as hearsay. Attorneys may want to consider asking their expert witnesses about their familiarity with the Wayback Machine and whether they have previous experience in testifying as to Wayback Machine pages.
  • A prominent example of the Wayback Machine’s value in litigation is the Kleargear.com case. Kleargear.com instituted a provision in its Terms of Use preventing a consumer from taking any action, including posting a review, that negatively impacts the company or its reputation, and imposing a $3,500 “fine” for Kleargear’s legal fees to sue the consumer for breach of the Terms of Use. John and Jen Palmer had a negative experience purchasing a product from Kleargear.com in 2008 and left a negative review. Years later, in 2012, Kleargear.com demanded payment from the Palmers of the $3,500 fine if the negative review was not removed, and turned the amount over to collections when it was not paid, resulting in an impacted credit rating for the Palmers. Aside from the Palmers winning the inevitable litigation they filed against Kleargear.com, the lawsuit led to legislation in California in September 2014, and federal legislation in December 2016, prohibiting anti-disparagement clauses in consumer contracts. One of the key facts in the case and in press coverage was that, according to the Wayback Machine’s archived Kleargear.com site from 2008, the non-disparagement clause wasn’t even part of the Terms of Use at that time (it was added to the site later on).

Business Tools

  • The Internet Archive offers useful business tools. For example, consider the Wayback Machine’s 404 error page handler. The 404 error page handler enables a website to offer an archived version of a page from the Wayback Machine if a current page is not found and an archived version exists in the Wayback Machine. This can help reduce the impact of 404 errors for websites where content of web pages does not change too quickly, and where displaying an older page is better than no page.
  • The Internet Archive also offers an archiving service called “Archive-It” which companies can use to collect, catalog, manage, store, and provide 24/7 online search of and access to archived content collections. If your company or organization wants to preserve a collection of online content, consider using this service. Users include museums and art libraries, NGOs, colleges and universities, other private companies and non-profits.

Access the Wayback Machine at http://archive.org/web. Frequently-asked questions are located at https://archive.org/legal/faq.php. If you don’t find the Wayback Machine to be a useful business and legal tool, you can at least take a stroll down Internet memory lane.

The Augmented World — Legal and Privacy Perspectives on Augmented Reality (AR)

You’ve likely heard that Augmented Reality (AR) is the next technology that will transform our lives. You may not realize that AR has been here for years. You’ve seen it on NFL broadcasts when the first down line and down/yardage appear on the screen under players’ feet. You’ve seen it in the Haunted Mansion ride in Disneyland when ghosts seem to appear in the mirror riding with you in your cart. You’ve seen it in cars and fighter jets when speed and other data are superimposed onto the windshield through a heads-up display. You’re seeing it in the explosion of Pokémon Go around the world. AR will affect all sectors, much as the World Wide Web did in the mid-1990s. Any new technology such as AR brings with it questions on how it fits under the umbrella of existing legal and privacy laws, where it pushes the boundaries and requires adjustments to the size and shape of the legal and regulatory umbrella, and when a new technology leads to a fundamental shift in certain areas of law. This article will define augmented reality and the augmented world, and analyze its impact on the legal and privacy landscape.

What is “augmented reality” and the “augmented world?”

One of the hallmarks of an emerging technology is that it is not easily defined. Similar to the “Internet of Things,” AR means different things to different people, can exist as a group of related technologies instead of a single technology, and is still developing. However, there are certain common elements among existing AR technologies from which a basic definition can be distilled.

I would define “augmented reality” as “a process, technology, or device that presents a user with real-world information, commonly but not limited to audiovisual imagery, augmented with additional contextual data elements layered on top of the real-world information, by (1) collecting real-world audiovisual imagery, properties, and other data; (2) processing the real-world data via remote servers to identify elements, such as real-world objects, to augment with supplemental contextual data; and (3) presenting in real time supplemental contextual data overlaid on the real-world data.” The real world as augmented through various AR systems and platforms can be referred to as the “augmented world.” AR and the augmented world differ from “virtual reality” (VR) systems and platforms, such as the Oculus Rift and Google Cardboard, in that VR replaces the user’s view of the real world with a wholly digitally-created virtual world, whereas AR augments the user’s view of the real world with additional digital data.

“Passive” AR (what I call “first-generation AR”) is a fixed system — you receive augmented information but do not do so interactively, such as going through the Haunted Mansion ride or watching your television set. The next generation of AR is “active,” meaning that AR will be delivered in a changing environment, and the augmented world will be viewed through a device you carry or wear. Google Glass and the forthcoming Microsoft HoloLens are examples of “active AR” systems with dedicated hardware; when worn, the world is augmented with digital data superimposed on the real-time view of the world. However, AR has found ways to use existing hardware — your smartphone. HP’s Aurasma platform is an early example of an active AR system that uses your smartphone’s camera and screen to create digital content superimposed on the real world. What AR has needed to go fully mainstream was a killer app that found a way for AR to appeal to the masses, and it now has one — Pokémon Go. Within days of its launch in early July, TechCrunch reported that Pokémon Go had an average daily user base of over 20 million users. Some declared it the biggest “stealth health” app of all time, as it was getting users out and walking.

Active AR has the capacity to change how people interact with the world, and with each other. It is an immersive and engaging user experience. It has the capacity to change the worlds of shopping, education and training, law enforcement, maintenance, healthcare, gaming, and other fields. Consider an AR system that shows reviews, product data, and comparative prices while looking at a shelf display; identifies an object or person approaching you and makes it glow, flash, or otherwise stand out to give you more time to avoid a collision; gives you information on an artist, or the ability to hear or see commentary, while looking at a painting or sculpture; identifies to a police officer in real time whether a weapon brandished by a suspect is real or fake; or shows you in real time how to repair a household item (or how to administer emergency aid) through images placed on that item or on a stricken individual. For some, the augmented world will be life-altering, such as a headset as assistive technology which reads road signs aloud to a blind person or announces that a vehicle is coming (and how far away it is) when the user looks in the vehicle’s direction. For others, the ability to collect, process and augment real-world data in real time could be viewed as a further invasion of privacy, or worse, technology that could be used for illegal or immoral purposes.

As with any new technology, there will be challenges from a legal and digital perspective. A well-known example of this is the Internet when the World Wide Web became mainstream in the mid-1990s. In some cases, existing laws were interpreted to apply to the online world, such as the application of libel and slander to online statements, the application of intellectual property laws to file sharing over peer-to-peer networks, and the application of contract law to online terms of use. In others, new laws such as the Digital Millennium Copyright Act were enacted to address shortcomings of the existing legal and regulatory landscape with respect to the online world. In some instances, the new technology led to a fundamental shift in a particular area of law, such as how privacy works in an online world and how to address online identity theft and breaches of personal information. AR’s collection of data, and presentation of augmented data in real time, creates similar challenges that will need to be addressed. Here are some of the legal and privacy challenges raised by AR.

  • Rethinking a “reasonable expectation of privacy.” A core privacy principle under US law is that persons have a reasonable expectation of privacy, i.e., a person can be held liable for unreasonably intruding on another’s interest in keeping his/her personal affairs private. However, what is a “reasonable expectation of privacy” in a GoPro world? CCTV/surveillance cameras, wearable cameras, and smart devices already collect more information about people than ever before. AR technology will continue this trend. As more and more information is collected, what keeping “personal affairs private” looks like will continue to evolve. If you know someone is wearing an AR device, and still do or say something you intend to keep private, do you still have a reasonable expectation of privacy?

  • Existing Privacy Principles. Principles of notice, choice, and “privacy by design” apply to AR systems. Providers of AR systems must apply the same privacy principles to AR as they do to the collection of information through any other method. Users should be given notice of what information will be collected through the AR system, how long it will be kept, and how it will be used. Providers should collect only information needed for the business purpose, store and dispose of it securely, and keep it only as long as needed.

AR systems add an additional level of complexity — they are collecting information not just about the user, but also third parties. Unlike a cellphone camera, where the act of collecting information from third parties is initiated by the user, an AR system may collect information about third parties as part of its fundamental design. Privacy options for third parties should be an important consideration in, and element of, any AR system. For example, an AR system provider could ensure users have the ability to toggle the blocking of third party personal data from being collected or augmented, so personal information is only augmented when the user wants it to be. AR system providers may also consider an indicator on the outside of the device, such as an LED, to let third parties know that the AR system is actively collecting information.

Additionally, AR may create interesting issues from a free speech and recording of communications perspective. Some, but not all, court rulings have held that the freedom of speech guaranteed by the First Amendment extends to making recordings of matters of public interest. An AR system that is always collecting data will push the boundaries of this doctrine. Even if something is not in the public interest, many states require the consent of both parties to record a conversation between them. An AR system which persistently collects data, including conversations, may run afoul of these laws.

  • Children’s Privacy. It is worth a special note that AR creates an especially difficult challenge for children’s privacy, especially children under 13. The Children’s Online Privacy Protection Act (“COPPA”) requires operators of online services, including mobile apps, to obtain verifiable parental consent before collecting any personal information from children under 13. “Personal information” includes photos, videos, and audio of a child’s image or voice. As AR systems collect and process data in real time, the passive collection of a child’s image or voice (versus collection of children’s personal information provided to a company through an interface such as a web browser) is problematic under COPPA. AR operators will need to determine how to ensure they are not collecting personal information from children under 13. I expect the FTC will amend the COPPA FAQ to clarify its position on the intersection of AR and children’s privacy.
  • Intellectual Property. Aside from the inevitable patent wars that will occur over the early inventors of AR technologies, and patent holders who believe their patent claims cover certain aspects of AR technologies, AR will create some potentially interesting issues under intellectual property law. For example, an AR system that records (and stores) everything it sees will invariably capture some things that are protected by copyright or other IP laws. Will “fair use” be expanded in the augmented world, e.g., where an album cover is displayed to a user when a song from that album is heard? Further, adding content to a copyrighted work in the augmented world may constitute a prohibited derivative work. From a trademark perspective, augmenting a common-law or registered trademark with additional data, or using a competitor’s name or logo to trigger an ad about your product overlaid on the competitor’s name or logo, could create issues under existing trademark law.
  • Discrimination. AR systems make it easy to supplement real-world information by providing additional detail on a person, place or thing in real time. This supplemental data could intentionally or inadvertently be used to make real-time discriminatory decisions, e.g., using facial or name recognition to provide supplemental data about a person’s arrest history, status in a protected class, or other restricted information which is used in a hiring or rental decision. An AR system that may be used in a situation where data must be excluded from the decision-making process must include the ability to automatically exclude groups of data from the user’s augmented world.

The world of online digital marketing and advertising will expand to include digital marketing and advertising in the augmented world. Imagine a world where anything — and I mean anything — can be turned into a billboard or advertisement in real time. Contextual ads in the augmented world can be superimposed anytime a user sees a keyword. For example, if you see a house, imagine if an ad for a brand of paint appears because the paint manufacturer has bought contextual augmented ads to appear in an AR system whenever the user sees a house through the augmented world.

Existing laws will need to be applied to digital marketing and advertising in the augmented world. For example, when a marketing disclaimer appears in the online world, the user’s attention is on the ad. Will the disclaimer have the same effect in an augmented environment, or will it need to be presented in a way that calls attention to it? Could this have the unintended consequence of shifting the user’s attention away from something they are doing, such as walking, thereby increasing the risk of harm? There are also some interesting theoretical advertising applications of AR in a negative context. For example, “negative advertising” could be used to blur product or brand names and/or to make others more prominent in the augmented world.

  • The Right of Publicity. The right of publicity — a person’s right to control the commercial use of his or her name, image, and likeness — is also likely to be challenged by digital marketing in the augmented world. Instead of actively using a person’s likeness to promote a product or service, a product or service could appear as augmented data next to a person’s name or likeness, improperly (and perhaps inadvertently) implying an endorsement or association. State laws governing the right of publicity will be reinterpreted when applied to the augmented world.
  • Negligence and Torts. AR has the capacity to further exacerbate the problem of “distracted everything” (paying more attention to your AR device than to your surroundings), as some users of Pokémon Go have discovered. Since AR augments the real world in real time, the additional information may cause a user to be distracted, or, if the augmented data is erroneous, could lead a user to cause harm to him/herself or to others. Many have heard the stories of a person dutifully following their GPS navigation system into a lake. Imagine an AR system identifying a mushroom as safe to eat when in fact it is highly poisonous. Just as distracted driving and distracted texting can be used as evidence of negligence, a distracted AR user can find him/herself facing a negligence claim for causing third party harm. Similarly, many tort claims that can arise through actions in the real world or online world, such as libel and slander, can occur in the augmented world. Additionally, if an AR system augments the real world in a way that makes someone think they are in danger, inflicts emotional distress, or causes something to become dangerous, the AR user, or system provider, could be legally responsible.
  • Contract liability. We will undoubtedly see providers of AR systems and platforms sued for damages suffered by their users. AR providers have shifted, and will shift, liability to the user through contract terms. For example, Niantic, the company behind Pokémon Go, states in its Terms of Use that you must “be aware of your surroundings and play safely. You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services.” AR providers’ success at shifting liability will likely turn primarily on tried-and-tested principles such as whether an enforceable contract exists.

None of the above challenges is likely to prove insurmountable, and none is expected to slow the significant growth of AR. What will be interesting to watch is how lawmakers choose to respond to AR, and how early hiccups are seized on by politicians and reported in the press. Consider automobile autopilot technology. The recent crash of a Tesla in Autopilot mode is providing bad press for Tesla, and fodder for those who believe the technology is dangerous and must be curtailed. Every new technology brings both benefits and potential risks. If the benefits outweigh the risks on the whole, the public interest is not served when the legal, regulatory and privacy pendulum swings too far in response. Creating a legal, regulatory and privacy landscape that fosters the growth of AR, while appropriately addressing the risks AR creates and exacerbates, is critical.

Are IP and MAC Addresses Personal Information?

To many, “personally identifiable information” (also “PII” or “personal information”) means information that can be used to identify an individual, such as a person’s name, address, email address, social security number/driver’s license number, etc. However, in the US, there is no uniform definition of personal information. This is because the US takes a “sectoral” approach to data privacy: data privacy is governed by laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as by state laws such as breach notification statutes. Companies, such as Google, often include their own definition of personal information in their privacy policy. Even though there is no uniform definition, however, it’s clear that more and more information is falling under the PII/personal information umbrella.

One category of data with potentially significant implications for US businesses if classified as PII is Internet Protocol (IP) and Media Access Control (MAC) addresses.

  • An IP address is a numerical identifier used by computing devices such as computers, smartphones and tablets to identify themselves on a local network or the Internet, and to communicate with other devices. IP addresses can be dynamic (a temporary IP address is assigned each time a device connects to a network), or static (a permanent IP address is assigned to a network device which does not change if it disconnects and reconnects). There are two versions of IP addresses in use – the original IPv4, written in dotted decimal (e.g., “210.43.92.4”), and the newer IPv6, written in hexadecimal (e.g., “2001:0db8:85a3:0000:0000:8a2e:0370:7334”). One caveat matters for the privacy discussion below: because of network address translation, a single public IPv4 address is commonly shared by every device in a household or office, so a public IP address often identifies a network or a connection, not one device or one person.
  • A MAC address is a unique identifier used to identify a networkable device, such as a computer/phone/tablet/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc. A MAC address is a 48-bit identifier, usually written as 12 hexadecimal (base 16) digits, e.g., “30:0C:AA:2D:FB:22”. The first half of the address (the “OUI”) identifies the device manufacturer, and the second half is assigned by that manufacturer to a specific device. If a device needs to talk to other devices, it likely has a MAC address. Note, however, that a MAC address is burned in only by convention: it can be changed in software, and recent smartphone operating systems deliberately randomize the MAC address a phone broadcasts while scanning for Wi-Fi networks, so a MAC address seen on a network is not always a stable identifier of one device.
  • Why do devices need both? There are deeply technical reasons for this, but at a very high level, MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit data packets between devices on that local network, and IP addresses are used to identify devices across networks and on the worldwide Internet. Your router has a public IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network. Your router assigns a local (private) IP address (e.g., from the range 192.168.1.2-192.168.1.50) to each connected device, keyed by that device’s MAC address. Inbound network traffic reaches your router addressed to its public IP address; the router works out which local device the traffic belongs to, looks up that device’s MAC address, and forwards the packet to it on the local network.
  • Think of a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345. The mailing address will tell the mail carrier what address to deliver it to, but the carrier won’t deliver it right to you personally. Suppose you are in Cube 324. Your mail room will look up your cube number, and deliver the letter to you. The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router — the router takes the inbound packet delivered by IP address and uses the local device’s MAC address to route the packet to the right device on the network.

Canada’s approach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner of Canada (OPCC) has released an interpretation making clear that this definition must be given a “broad and expansive interpretation,” and that it includes information that “relates to or concerns” a data subject. With respect to IP addresses, according to the OPCC an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual. (Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee’s work contact information is not personal information.)

The European approach. In Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define personal data as “any information relating to an identified or identifiable natural person.” Individual EU member states differ on whether an IP address should be considered personal data. The European Court of Justice (ECJ) has held that IP addresses are protected personal information “because they allow … users to be precisely identified,” and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even though the Internet service provider, and not the website operator, has the data needed to identify the data subject. The same rules should apply to MAC addresses. The new Data Protection Regulation, which will override member state implementations of the Directive, states in its recitals that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture as to whether an IP address or MAC address should be considered personal information.

  • Specific laws. The one US statute that clearly states that IP and MAC addresses are personal information is the Children’s Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines “personal information” as “individually identifiable information about an individual collected online,” to specifically include IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accountability Act (HIPAA) lists device identifiers (such as MAC addresses) and IP addresses among the “identifiers” that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP addresses, MAC addresses, or other device identifiers as PII.
  • The FTC’s view. In April, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, wrote on the FTC’s business blog about cross-device tracking. In her remarks, she restated the FTC’s long-held position that data is personally identifiable, “and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” She then specifically cited the FTC’s 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich’s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada — if it can be associated with an identifiable individual, it should be considered personal information.
  • Google’s View. It is also worth looking at Google’s definition from its privacy policy, given Google’s prominence as a collector and user of consumer personal information. Google defines personal information to include both information that personally identifies a person, as well “other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.” This is essentially the FTC’s view, with a reasonableness standard.

Given all this, what should US businesses do?

  • Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a thing, not a person, but can be linked to an individual depending on what information is collected or obtained about that individual. I call this information linkable information.
    If linkable information is, or reasonably can be, associated or linked with an identifiable individual in your records, it becomes personal information.
  • Think of your driver’s license and your license plate as things. Your driver’s license has your name, photo, and other information, so it identifies you. Therefore, a copy of your license would be personal information. On the other hand, your license plate by itself identifies a thing (your vehicle), and therefore by itself is linkable information, but not personal information. However, if your license plate is contained in a list of names and associated license plates maintained by a company, the license plate is associated with you, and therefore the company should handle it as personal information. Similarly, your phone number identifies a thing (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with a recording of an individual’s voice on a phone call), the phone number becomes personal information.
  • An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not personal information. However, an IP address that is part of an electronic signature record, where the IP address is collected and stored together with the person’s name and the time/date stamp of acceptance, would be personal information.
  • If your company’s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do. Failing to comply with a stated privacy policy can give rise to an FTC investigation and/or complaint under §5 of the FTC Act, as well as state AG investigations/actions and private litigation.
  • If you collect information from European consumers, given the extra-territorial reach of the upcoming Regulation, US companies should carefully watch how IP and MAC addresses fall into the EU’s definition of personal data, and determine whether they need to comply with Europe’s approach.
  • If you collect IP address information from a child under 13 through a website or app governed by COPPA, by law it’s personal information.
  • Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.
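The address formats described above, and the “linkable information” test applied to records, as an added worked example that is not part of the original post. It recognizes IPv4, IPv6 and MAC addresses in free text such as a server log line, decides whether a record holds device identifiers alone (linkable) or alongside a direct identifier such as a name (personal), and strips the device identifiers the way HIPAA’s de-identification list requires. The record layout, the field names treated as direct identifiers (name, email, ssn, drivers_license) and all sample data are constructed assumptions for illustration, not taken from any real system.

```python
"""Find IP and MAC addresses ("linkable information") in records and decide
whether, in context, they have to be handled as personal information.

Added example; not code from the original article. The record layout, the
list of direct-identifier field names and all sample data are constructed
for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# A MAC address: six octets in hex, colon- or hyphen-separated.
_MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
# Token separators in log lines and free text (colons are kept: IPv6 and MACs need them).
_SPLIT_RE = re.compile(r"[\s,;\"'()\[\]<>=]+")
# Fields that identify a person directly (an assumption about the record schema).
DIRECT_IDENTIFIER_FIELDS = {"name", "email", "ssn", "drivers_license"}


def classify_token(token: str) -> Optional[str]:
    """Return 'ipv4', 'ipv6' or 'mac' for one token, or None if it is none of those."""
    if _MAC_RE.fullmatch(token):
        return "mac"
    try:
        addr = ipaddress.ip_address(token)  # validates both IPv4 and IPv6 syntax
    except ValueError:
        return None
    return "ipv4" if addr.version == 4 else "ipv6"


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Every device identifier in a string, e.g. one web-server log line."""
    found = []
    for token in _SPLIT_RE.split(text):
        kind = classify_token(token)
        if kind:
            found.append((kind, token))
    return found


def is_private_ip(ip: str) -> bool:
    """True for local-only ranges (RFC 1918, ULA, test nets): these identify a device only inside one network."""
    return ipaddress.ip_address(ip).is_private


def mac_oui(mac: str) -> str:
    """The first three octets: the manufacturer (OUI) half of a MAC address."""
    return ":".join(mac.replace("-", ":").upper().split(":")[:3])


def classify_device_identifiers(record: Dict[str, str]) -> str:
    """Apply the article's test to one record.

    'personal'  - IP/MAC addresses stored alongside a direct identifier
    'linkable'  - IP/MAC addresses present, but nothing in this record links them to a person
    'none'      - no IP or MAC address in the record
    """
    device_ids = [ident for value in record.values() for ident in find_identifiers(str(value))]
    if not device_ids:
        return "none"
    linked = any(field in DIRECT_IDENTIFIER_FIELDS and value for field, value in record.items())
    return "personal" if linked else "linkable"


def deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Strip IP and MAC addresses (HIPAA's de-identification list names both) from every field."""
    cleaned = {}
    for field, value in record.items():
        text = str(value)
        for kind, ident in find_identifiers(text):
            text = text.replace(ident, f"[{kind} removed]")
        cleaned[field] = text
    return cleaned


# Constructed sample data (documentation addresses, not real users).
SERVER_LOG_LINE = '192.0.2.10 - - [21/Jul/2016:10:15:30 +0000] "GET /terms HTTP/1.1" 200 512'
ESIGN_RECORD = {
    "name": "Jane Doe",
    "accepted_at": "2016-07-21T10:15:30Z",
    "ip": "192.0.2.10",
    "device_mac": "30:0C:AA:2D:FB:22",
}

if __name__ == "__main__":
    print(find_identifiers(SERVER_LOG_LINE))
    print(classify_device_identifiers({"line": SERVER_LOG_LINE}),
          classify_device_identifiers(ESIGN_RECORD))
    print(deidentify(ESIGN_RECORD))
```

Run against the constructed data, the bare log line comes back as “linkable” and the e-signature record as “personal”; the same functions can be pointed at an export of any table your IT group suspects holds device identifiers, which is the inventory step the last bullet above asks for. Tokenizing and validating with the standard library’s ipaddress module, rather than matching addresses with a regex alone, is what keeps timestamps like 10:15:30 from being mistaken for IPv6 addresses.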

The Rewards and Risks of Open-Source Software

Open-source software (or “OSS”) is computer software distributed under a license whose source code is available for modification or enhancement by anyone.  This is different from free (public domain) software, which is not distributed under a license at all.  Free and open-source software are alternatives to “closed source,” or proprietary, software.

Companies use OSS for a variety of reasons.  In some cases, it’s used as part of a project deliverable, such as a DLL or a JavaScript library. In others, it’s used as a tool as part of the development process or production environment, such as a compiler, development environment, web server software, database software, etc.

The Rewards of OSS.  There are significant benefits to using open-source software in your business.  Here are some of the most significant:

  • Enhanced Security. Anyone can inspect, modify and enhance OSS, resulting in a larger developer base than proprietary software. This means that security holes are often found more quickly, and patched more quickly, than in proprietary software. The caveat is that this only holds for projects that are actually being reviewed and maintained; widely used but thinly staffed projects can carry serious bugs for years, as the Heartbleed flaw in OpenSSL showed, so “open source” should not be read as “audited.”
  • Lower Cost. There is no license fee for open-source software.  (That does not mean it’s totally free – OSS is subject to license requirements.)
  • Dev Cycle Streamlining. Using OSS in a project cuts down development time by allowing developers to avoid “reinventing the wheel” on needed code if an OSS version of that code is available.
  • Perpetual Use. As long as you abide by the terms of the open-source software license, you can generally use it forever.  There are no annual renewal fees or license renegotiations for mission-critical software.
  • Adaptability/Customizability. Users of closed source software must find the software package that most closely aligns with the business’ needs, and adapt to it.  There’s no need to settle with OSS – since it can be customized and adapted, you can start with the existing code and modify it to fit your company’s exact needs.
  • Better Quality. Since there is a larger developer base, new and enhanced features and functionality are often rolled out, and usability bugs fixed, at a more rapid rate than in proprietary software.
  • Support Community. Many common closed source software packages require the purchase of a maintenance subscription along with a license.  Well-used OSS has a robust developer community that can help with questions. There are also companies that have sprung up around common OSS packages to provide support solutions.

Know Your OSS Licenses. The author of software code owns the copyright to that code.  If the author releases software into the public domain, he/she waives his/her copyright in that code, making it free for anyone to use.  However, if someone creates a derivative work of public domain code, the new portions of code are protected by copyright, and are not in the public domain.  In other words, by adding his/her own modifications, someone can take public domain software and make it proprietary.

That’s the primary difference between free software and OSS.  In most cases, when an author makes his/her software code open-source, that author is allowing use of his/her copyrighted code under an open-source software license, but is not relinquishing his/her copyright.  Under the OSS license, the author grants others a right to use the author’s copyrighted code to modify, copy and redistribute it, but only if they follow the terms of the open-source software license.  There are hundreds (or more) open-source licenses out there.  However, there are relatively few that are considered generally accepted with a strong developer community.  The Open Source Initiative (OSI), which maintains the list of approved open-source licenses, categorizes the most common ones.  The most common are the GNU General Public License (GPL), the GNU Lesser General Public License (LGPL), the “New” BSD License, the “Simplified” BSD License, the MIT License, and the Apache License v2.  However, not all OSS licenses are the same.  There are many websites that can help you analyze the differences between OSS licenses, including tl;dr Legal and Wikipedia’s Comparison of Open-Source Software Licenses.

Many OSS licenses are “permissive” licenses, meaning that a work governed by that license (e.g., a BSD License) may be modified and redistributed under a different license as long as you comply with the requirements of the permissive license (e.g., attribution). Other OSS licenses are “copyleft” licenses.  A copyleft license is one under which a work may only be used, modified or distributed if the same license rights apply to anything derived from it.  The copyleft license will “infect” modifications and derivations of the source (some think of it as a “viral” license).  It’s a play on words as copyright and copyleft are converse terms: copyright gives exclusive rights to a work to one person, and copyleft gives non-exclusive rights to a work to everyone.  There are two types of copyleft licenses:

  • “Strong” copyleft licenses (e.g., the GNU GPL) state that if you modify code governed by a copyleft license, you must distribute the software as a whole under that copyleft license, or not distribute it at all.
  • “Weak” copyleft licenses (e.g., the GNU Lesser GPL) state that if you modify code governed by a copyleft license, portions of the software containing modifications (e.g., a software module or library) must be distributed under that copyleft license, but other portions may be distributed under a different license type.

The Risks of OSS.  Due to its benefits and rewards, most companies use open-source software, whether the management and Legal teams know it or not. Quite often, developers rely on OSS to deliver software development projects on time and within budget. The bigger question is whether developers are using OSS in a way that exposes the company to risk.  Unless your company has a well-defined OSS policy that has been well-communicated to the developers at your company, you’re “flying blind” when it comes to OSS usage. Here are some of the risks and considerations for companies using OSS:

  1. OSS makes more sense for “utility layer” software needs than for “competitive/proprietary layer” software needs. Think of the software used in business as two layers. The first is software at the “utility layer” – software packages that go to the general operation of the business and its IT infrastructure, and do not give the business a competitive advantage based on the code itself. Examples are web server software, database software, and standard APIs.  Above that is the software at the “competitive/proprietary layer” – software that gives your company a competitive advantage over your competition, or provides significant offensive or defensive IP protection. Examples are custom functionality on your website and specialized software applications. OSS makes a lot of sense at the utility layer – you don’t need something better than everyone else, just something that works and works well. Introducing OSS at the competitive/proprietary layer can be problematic as you may want to ensure the entire solution is proprietary.
  2. You can’t get IP warranties or indemnification for OSS. When you negotiate a software license agreement for proprietary closed source code, in most cases the software licensor will provide warranties and/or indemnification against claims of IP infringement. With OSS, the license itself typically disclaims all warranties and offers no indemnity; if any is available, it comes from a commercial support vendor, not from the license. If someone introduced proprietary code into the OSS earlier in its life, you bear the risk of infringement if you use it.
  3. Some OSS license types can snuff out IP rights to your own developed code (and even expose it). The type of OSS license governing OSS used in your business, and how you use OSS software, can directly affect your IP rights to your own developed code. If you use OSS governed by a strong copyleft license to enhance your own codebase, your entire codebase could potentially become governed by a copyleft license.  This means that a savvy competitor or customer that suspected or learned of OSS in your code could send you a letter demanding a copy of your source code under the copyleft license, or just decompile it and modify it, putting you on the defensive as to why your software license should override the copyleft open source license.
  4. If you don’t follow the license terms, you can be sued. Open source software is licensed. That means there are license terms you must follow.  If you don’t, you may face litigation from competitors or others.  There has been a recent upswing in litigation for breach of the terms of open source licenses, and that trend is expected to continue.  For example, VMware was sued in March 2015 alleging that it violated the GNU GPL v2 license by not releasing the source code for VMware software that used OSS subject to the copyleft license.

Implement a Company-Appropriate OSS Policy.  To mitigate the risks associated with OSS, all companies should implement an open-source software policy governing the when, why and how of using open-source software in the company’s codebase.  Here are some important considerations:

  • Ensure there is alignment on the goal of the OSS policy at the outset. Different stakeholders may have different views on the goal of an OSS policy.  To Legal, it may be to protect the company’s intellectual property; to IT, it may be to leverage OSS to reduce costs; to developers, it could be to ensure they are free to keep using the OSS they need to meet goals and deadlines.  One thing stakeholders cannot do is go in with the mindset that OSS is bad for business or that they can keep it out of their code.  OSS in business is a reality that can either be ignored or accepted.  The policy’s goal should be to ensure OSS is being used effectively to advance the company’s business objectives while protecting its IP and living within its risk profile.
  • An OSS policy must balance the practical needs of developers with risk management. OSS is the domain of the developer, not the Legal department.  While the risks are something lawyers consider, a policy written and imposed by non-developers on your developer corps will likely face an uphill battle, or worse, be viewed as “out of sync with the goals of the business” and just ignored.  The attorneys’ role in creating an OSS policy is to provide guidance on the risks of OSS to the company as a whole, provide “best practices” guidance in OSS policies, and to draft the actual policy from the outline in plain English (remember, developers, not other attorneys, are the audience).  IT management’s role is to provide guidance on the outside contours of the policy.  Developers need to be directly involved in developing the policy itself as they are the ones using OSS in their daily work.  Developers, Legal and IT should develop the company’s OSS strategy, and its OSS policy, as equal stakeholders.
    • Ensure senior management buys into the policy before it is finalized; it’s important that management understand how OSS is used in the business.
    • Ensure the policy covers key topics, e.g., sourcing OSS; selecting OSS code for use at the utility layer and the competitive/proprietary layer; the OSS approval process; support and maintenance requirements; redistribution; tracking OSS usage; and audits/training.
    • Ensure the policy covers independent contractor developers as well as employees.
  • OSS code review and approval must be a streamlined process. If the review and approval process is complicated, developers will be more likely to just skip it.  Make approval easy.  Provide a “pre-approved list” of OSS – certain combinations of license types, utility level software categories, and/or specific code packages that only need notification of usage for tracking purposes.
    • Have a simple process for vetting other usage requests, asking the critical questions (e.g., What is the name and version number of the software package for which use is requested? What license type applies? Where was the code sourced from? Will the code be modified? What is the support plan?  Will the code be distributed or used internally?  What is the expected usage lifetime of the code? Are there closed source alternatives? Etc.) so that the legal and business risks can be measured and balanced against the benefits of usage.
    • Determine who will do the first review and escalated review (IT, Legal).
    • Turn requests quickly as delays can impact development timeframes.
  • Keep a database of all used OSS, including where it is used and what license type applies. Knowing what OSS you’re using is critical to avoid introducing code that has a bad reputation or is governed by an OSS license your company is not comfortable with (e.g., a strong copyleft license). IT should maintain a database of OSS used by the company, including the version and license type for each package; the same inventory is what lets you find out quickly which of your systems are affected when a vulnerability is announced in a component.  This database is also helpful when responding to security questionnaires and is often needed in M&A due diligence.
  • Other Considerations. Consider conducting quarterly or semi-annual reviews of OSS usage, e.g., questionnaires to developers.  Consider having developers acknowledge the OSS policy at hire, and on an annual basis.  Consider conducting OSS training if your company’s learning management system (LMS) has an available course module on OSS.  And most importantly, review the OSS policy no less than once a year with all stakeholders to ensure it evolves as the world of OSS, and the company’s own needs, change over time.
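The inventory and pre-approved list above, as an added worked example that is not part of the original post or of any company’s actual policy. It records each component with its license, the layer it is used at, and whether it is distributed, then sorts the inventory into pre-approved, review, escalate and blocked buckets using the license families (permissive, weak copyleft, strong copyleft) described earlier. The component schema, the SPDX-identifier-to-family mapping, the decision rules, the keyword triage of free-text license metadata and the sample packages are all constructed assumptions; substitute your own policy’s categories and thresholds.

```python
"""Open-source inventory with a license-policy check.

Added example, not code from the original article. The component schema,
the SPDX-to-family mapping and the decision rules are assumptions that
illustrate one way to encode a policy of the kind the article describes;
substitute your own policy's categories."""
import importlib.metadata
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# License families as the article describes them, keyed by SPDX identifier.
PERMISSIVE = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str       # SPDX identifier, or "" when nobody has checked yet
    layer: str         # "utility" or "competitive", per the article's two layers
    distributed: bool  # shipped to customers (binary or source) vs. internal only


def license_family(spdx: str) -> str:
    if spdx in PERMISSIVE:
        return "permissive"
    if spdx in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def evaluate(c: Component) -> Tuple[str, str]:
    """Decide one component's fate under the assumed policy and say why.

    Decisions: "pre-approved" (record it and move on), "review" (first-line
    review by IT), "escalate" (Legal), "blocked" (not without a redesign).
    """
    fam = license_family(c.license)
    if fam == "unknown":
        return "escalate", f"{c.name} {c.version}: license unknown or not on the policy list"
    if fam == "permissive":
        return "pre-approved", f"{c.name}: permissive ({c.license}); keep the attribution notices"
    if fam == "weak-copyleft":
        if c.distributed and c.layer == "competitive":
            return "review", f"{c.name}: {c.license}; changes to the library itself must be released, keep it a separate module"
        return "pre-approved", f"{c.name}: {c.license} at the utility layer or internal only"
    # strong copyleft
    if c.distributed:
        return "blocked", f"{c.name}: {c.license} shipped inside your product pulls the whole work under that license"
    if c.license.startswith("AGPL"):
        return "review", f"{c.name}: AGPL treats network use like distribution; any modification must be offered to users"
    return "review", f"{c.name}: {c.license} used internally only; confirm nothing is distributed"


def check_inventory(components: List[Component]) -> Dict[str, List[str]]:
    """Group the inventory by decision; the 'blocked' and 'escalate' buckets are your action list."""
    report: Dict[str, List[str]] = {"pre-approved": [], "review": [], "escalate": [], "blocked": []}
    for c in components:
        decision, reason = evaluate(c)
        report[decision].append(reason)
    return report


# Package metadata carries free-text license strings, not SPDX ids. This keyword
# triage (an assumption) maps them to a family placeholder; Legal confirms the
# exact version. Each keyword must start a word so "limited" is not read as MIT.
_KEYWORDS = [("AGPL", "AGPL-3.0-only"), ("LGPL", "LGPL-3.0-only"), ("GPL", "GPL-3.0-only"),
             ("Apache", "Apache-2.0"), ("MPL", "MPL-2.0"), ("BSD", "BSD-3-Clause"),
             ("MIT", "MIT"), ("ISC", "ISC")]


def normalise_license(text: str) -> str:
    for keyword, spdx in _KEYWORDS:
        if re.search(r"(?<!\w)" + keyword, text or "", re.IGNORECASE):
            return spdx
    return ""


def installed_inventory(layer: str = "utility", distributed: bool = False) -> List[Component]:
    """Seed the database from the Python packages installed in this environment."""
    found = []
    for dist in importlib.metadata.distributions():
        try:
            meta = dist.metadata
            text = meta.get("License") or " ".join(meta.get_all("Classifier") or [])
            found.append(Component(meta["Name"], dist.version, normalise_license(text), layer, distributed))
        except Exception:
            continue  # a broken dist-info directory should not stop the inventory
    return found


# Constructed sample inventory (hypothetical packages, not real ones).
SAMPLE = [
    Component("acme-httpd", "2.4", "Apache-2.0", "utility", False),
    Component("acme-ui-kit", "1.2", "MIT", "competitive", True),
    Component("acme-pdf", "3.0", "LGPL-2.1-only", "competitive", True),
    Component("acme-shell", "6.3", "GPL-3.0-or-later", "competitive", True),
    Component("acme-db", "5.7", "GPL-2.0-only", "utility", False),
    Component("acme-store", "3.2", "AGPL-3.0-only", "utility", False),
    Component("mystery-lib", "0.1", "", "utility", False),
]

if __name__ == "__main__":
    for decision, reasons in check_inventory(SAMPLE).items():
        print(decision.upper(), *reasons, sep="\n  ")
```

On the constructed sample the GPL component shipped inside competitive code is the only blocked item, the unknown license is escalated, and the internal-only strong copyleft packages go to review rather than being waved through, which is the distinction between using and distributing that the license discussion above turns on. Keeping the decision in one function with a written reason is what makes the approval process quick: a developer gets an answer and the rationale in the same place.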

The Fourth Age of the Internet – the Internet of Things

We are now in what I call the “Fourth Age” of the Internet.  The First Age was the original interconnected network (or “Internet”) of computers using the TCP/IP protocol, with “killer apps” such as e-mail, telnet, FTP, and Gopher mostly used by the US government and educational organizations. The Second Age began with the creation of the HTTP protocol in 1990 and the original static World Wide Web (Web 1.0). The birth of the consumer internet, the advent of e-commerce, and 90’s dot-com boom (and bust in the early 2000’s) occurred during the Second Age. The Third Age began in the 2000’s with the rise of user-generated content, dynamic web pages, and web-based applications (Web 2.0). The Third Age has seen the advent of cloud computing, mobile and embedded commerce, complex e-marketing, viral online content, real-time Internet communication, and Internet and Web access through smartphones and tablets. The Fourth Age is the explosion of Internet-connected devices, and the corresponding explosion of data generated by these devices – the “Internet of Things” through which the Internet further moves from something we use actively to something our devices use actively, and we use passively. The Internet of Things has the potential to dramatically alter how we live and work.

As we move deeper into the Fourth Age, there are three things which need to be considered and addressed by businesses, consumers and others invested in the consumer Internet of Things:

  • The terms consumers associate with the Internet of Things, e.g., “smart devices,” should be defined before “smart device” and “Internet of Things device” become synonymous in the minds of consumers.  As more companies, retailers, manufacturers, and others jump on the “connected world” bandwagon, more and more devices are being labeled as “smart devices.”  We have smart TVs, smart toasters, smart fitness trackers, smart watches, smart luggage tags, and more (computers, smartphones and tablets belong in a separate category). But what does “smart” mean?  To me, a “smart device” is one that has the ability not only to collect and process data and take general actions based on the data (e.g., sound an alarm), but can be configured to take user-configured actions (e.g., send an alert to a specified phone number or email address) and/or can share information with another device (e.g., a monitoring unit which connects wirelessly to a base station). But does a “smart device” automatically mean one connected to the Internet of Things?  I would argue that it does not.

Throughout its Ages, the Internet has connected different types of devices using a common protocol, e.g., TCP/IP for computers and servers, HTTP for web-enabled devices. A smart device must do something similar to be connected to the Internet of Things. However, there is no single standard communications protocol or method for IoT devices. If a smart device uses one of the emerging IoT communications protocols such as Zigbee or Z-Wave (“IoT Protocols”), or has an open API to allow other devices and device ecosystems such as SmartThings, Wink or IFTTT to connect to it (“IoT APIs”), it’s an IoT-connected smart device, or “IoT device.” If a device doesn’t use IoT Protocols or support IoT APIs, it may be a smart device, but it’s not an IoT device. For example, a water leak monitor that sounds a loud alarm if it detects water is a device.  A water leak monitor that sends an alert to a smartphone app via a central hub, but cannot connect to other devices or device ecosystems, is a smart device.  Only if that device uses an IoT Protocol or supports IoT APIs, allowing it to interconnect with other devices or device ecosystems, is it an IoT device.

“Organic” began as a term to define natural methods of farming.  However, over time it became overused and synonymous with “healthy.”  Players in the consumer IoT space should be careful not to let key IoT terminology suffer the same fate. Defining what makes a smart device part of the Internet of Things will be essential as smart devices continue to proliferate.

  • Smart devices and IoT devices exacerbate network and device security issues. Consumers embracing the Internet of Things and connected homes may not realize that adding smart devices and IoT devices to a home network can create new security issues and headaches. For example, a wearable device with a Bluetooth security vulnerability could be infected with malware while you’re using it, and infect your home network once you return and sync it with your home computer or device.  While there are proposals for a common set of security and privacy controls for IoT devices such as the IoT Trust Framework, nothing has been adopted by the industry as of yet.

Think of your home network, and your connected devices, like landscaping.  You can install a little or a lot, all at one or over time.  Often, you have a professional do it to ensure it is done right. Once it’s installed, you can’t just forget about it — you have to care for it, through watering, trimming, etc. Occasionally, you may need to apply treatments to avoid diseases. If you don’t care for your landscaping, it will get overgrown; weeds, invasive plants (some poisonous) and diseases may find their way in; and you ultimately have a bigger, harder, more expensive mess to clean up later on.

You need to tend your home network like landscaping, only if you don’t tend your home network the consequences can be much worse than overgrown shrubbery. Many consumers are less comfortable tinkering with computers than they are tinkering with landscaping.  Router and smart device manufacturers periodically update the embedded software (or “firmware”) that runs those devices to fix bugs and to address security vulnerabilities. Software and app developers similarly periodically release updated software. Consumers need to monitor for updates to firmware and software regularly, and apply them promptly once available.  If a device manufacturer goes out of business or stops supporting a device, consider replacing it as it will no longer receive security updates. Routers need to be properly configured: change the default administrator username and password, enable WPA2 encryption with a strong Wi-Fi passphrase, configure the network name (SSID), and turn off remote (Internet-side) administration and WPS, which are common ways in. Where the router supports it, putting smart devices on a separate guest network keeps a compromised gadget away from the computers that hold your data.  Consumers with a connected home setup should consider a high-speed router with sufficient bandwidth such as 802.11ac or 802.11n.

The third party managed IT services industry has existed since the Second Age. As connected homes proliferate resulting in complex connected home infrastructure, there is an opportunity for “managed home IT” to become a viable business model.  I expect companies currently offering consumer-focused computer repair and home networking services will look hard at adding connected home management services (installation, monitoring, penetration testing, etc.) as a new subscription-based service.

  • Smart device companies need to think of what they can/can’t, and should/shouldn’t, do with data generated from their devices.  IoT devices and smart devices, and connected home technologies and gateways, generate a lot of data.  Smart/IoT device manufacturers and connected home providers need to think about how to store, process and dispose of this data.  Prior to the Internet of Things, behavioral data was gathered through the websites you viewed, the searches you ran, the links you clicked – “online behavioral data.”  The IoT is a game-changer. Now, what users do in the real world with their connected devices can translate to a new class of behavioral data – “device behavioral data.” Smart/IoT device manufacturers, and connected home providers, will need to understand what legal boundaries govern their use of device behavioral data, and how existing laws (e.g., COPPA) apply to the collection and use of data through new technologies. Additionally, companies must look at what industry best practices, industry guidelines and rules, consumer expectations and sentiment, and other non-legal contours shape what companies should and should not do with the data, even if the use is legal.  Companies must consider how long to keep data, and how to ensure it’s purged out of their systems once the retention period ends.

IoT and smart device companies, and connected home service and technology providers, should build privacy and data management compliance into the design of their devices and their systems by adopting a “security by design” and “privacy by design” mindset. Consumers expect that personal data about them will be kept secure and not misused. Companies must ensure their own privacy policies clearly say what they do with device behavioral data, and must not do anything outside the boundaries of their privacy policy (“say what you do, do what you say”). Consider contextual disclosures that make sure the consumer clearly understands what you do with device behavioral data. Each new Age of the Internet has seen the FTC, state Attorneys General, and other consumer regulatory bodies look at how companies are using consumer data, and make examples of those they believe are misusing it. The Fourth Age will be no different. Companies seeking to monetize device behavioral data must make sure that they have a focus on data compliance.

How to stop (or start) Word redlines changing to “Author” on document save

You’ve probably noticed that in certain documents, as soon as you click “Save” all of your Word redlines change color and switch from your name to “Author.” If you’re like me, when negotiating or commenting up a document with others you prefer to “layer” redlines in different colors so everyone knows whose comments and redlines are whose. This can help avoid confusion and keep the negotiation process running as efficiently as possible. There’s nothing more frustrating than redlining a document only to find your edits changed to “Author” the second you save your draft. (I’ve had situations where my business team commented on a draft assuming the “Author” redlines in an agreement were my redlines, when they were really from the other side.) This author information for redlines is one example of the “metadata” that Microsoft Word saves with your document.

On the flip side, there are times you may want to remove all of the personal information in a document regarding authors (e.g., when releasing a policy or document that had multiple authors, and you don’t want to show who worked on what parts).  Word includes an option in the Trust Center which lets you remove all personal information from a document upon save.  If this option is selected, metadata (including names of redline owners) is stripped out of the document when it is saved.  If your redlines are changing to “Author” on save, it’s because this option is turned on in your document.  This is a document setting, not a global setting, so changing it for a given document changes it for that document only.

To turn on or off the removal of personal information from a document upon save in Office 2010 or 2013, follow these steps:

  1. Click on “File,” then “Options.”
  2. In the “Options” box, select “Trust Center” at the bottom of the left-hand menu.
  3. In the “Trust Center” dialog box, click the “Trust Center Settings” button. 
  4. The Trust Center should open on “Privacy Options” (if not, select it).  You’ll find what you are looking for under “Document-Specific Settings” – it’s the option “Remove personal information from file properties on save.”
  5. If it’s turned on, the box will be checked. To turn it off, uncheck the box, click “OK,” and close Word Options. Your redlines should now stay as-is when you save the document.
  6. If the checkbox is turned off and grayed out, you will have to do one thing before you can turn it on: first run Document Inspector by pressing the button on this screen and manually remove all metadata under “Comments, Revisions, Versions and Annotations.” (You can run Document Inspector at any time to manually remove metadata from a Word document.) [Screenshots: the option unchecked and grayed out; Document Inspector; the option after Document Inspector has been run]
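The same document-level setting can be checked outside of Word. As an added example (not code from the original post), the Python below reads a .docx as the zip file it is: the Trust Center option is stored in word/settings.xml as a w:removePersonalInformation element, and the owners of tracked insertions and deletions are the w:author attributes on w:ins and w:del in word/document.xml. The sample document, author names and dates are constructed inline and contain only the two parts this check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = {"w": W_NS}

def make_sample_docx(remove_personal_info):
    """Constructed minimal .docx (two parts only; not a file Word itself produced)."""
    flag = "<w:removePersonalInformation/>" if remove_personal_info else ""
    settings = f'<w:settings xmlns:w="{W_NS}">{flag}</w:settings>'
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:ins w:id="1" w:author="Jane Doe" w:date="2015-03-01T10:00:00Z">'
        '<w:r><w:t>added text</w:t></w:r></w:ins>'
        '<w:del w:id="2" w:author="Counterparty Counsel" w:date="2015-03-02T09:00:00Z">'
        '<w:r><w:delText>removed text</w:delText></w:r></w:del>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/document.xml", document)
    return buf.getvalue()

def inspect_redlines(docx_bytes):
    """Report whether personal info is stripped on save, and who owns the redlines."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        settings = ET.fromstring(z.read("word/settings.xml"))
        document = ET.fromstring(z.read("word/document.xml"))
    # The Trust Center checkbox "Remove personal information from file properties
    # on save" is persisted as this element in the document's settings part.
    strip_on_save = settings.find("w:removePersonalInformation", W) is not None
    # Redline owners: w:author on tracked insertions and deletions (other tracked
    # change types such as formatting changes are not inspected here).
    authors = sorted({
        el.get(f"{{{W_NS}}}author")
        for tag in ("ins", "del")
        for el in document.iter(f"{{{W_NS}}}{tag}")
        if el.get(f"{{{W_NS}}}author")
    })
    return {"strip_personal_info_on_save": strip_on_save, "redline_authors": authors}
```

Run inspect_redlines on the bytes of a real .docx before sending it out to see whether the strip-on-save flag is set and whose names the redlines still carry.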

Don’t get Hooked by Phishing or Spear Phishing

Cyber attacks such as the Anthem breach, the Home Depot breach, and the Target breach are becoming almost commonplace.  Major cyber attacks compromising information about millions of people often start not with a bang, but a whisper – a “phishing” or “spear phishing” email through which an attacker tries to acquire login credentials that can be used to launch a sophisticated and crippling attack. Over 90% of cyber attacks take the form of, or start with, a spear phishing attack, and phishing attacks are also very common. These attacks happen both in the office and at home. Phishing and spear phishing attacks can happen at any time, and can target any person or employee.

What is “Phishing?”

In a “phishing” attack, an attacker uses an email sent to a broad group of recipients (and not targeted to a specific group) to impersonate a company or business in an effort to get you to reveal personal information or login IDs/passwords, or to install malware or exploit a security hole on your computer. It generally uses an official-looking email and website to gather information, and often contains the logo(s) of the company it is impersonating.

What is “Spear Phishing?”

In a “spear phishing” attack, an attacker uses an email tailored for a specific group of recipients (e.g., a group of employees at a specific business), often impersonating an individual such as someone from your own company or business, in an effort to get you to reveal personal information or login IDs/passwords, to steal money or data, or to install malware or exploit a security hole on your computer.

How do I spot a phishing or spear phishing email?

Look for one or more of these key indicators that an email in your inbox is actually a phishing or spear phishing attack.

  • The email has spelling or grammatical errors. A phishing or spear phishing email often contains spelling or grammatical errors, and does not appear to be written by a business professional.
  • You do not recognize the sender’s email address. If you get an email asking you to click on a link or open an attachment, look carefully at the email address of the sender.  Be especially alert for email addresses that are similar to, but not the same as, your company’s email address (e.g., “joe.johnson@microsoft.co” instead of “joe.johnson@microsoft.com”).
  • The email contains links that don’t go where they say they do. Before you click on a link in an email you don’t recognize, “hover” your mouse cursor over the link. A pop-up will appear showing you where the link will go.  If they don’t match, it’s probably a phishing or spear phishing attempt.  In this example, this innocuous-looking link actually goes to a malicious website:

[Image: bad link sample]

  • The email asks you to open an attachment you don’t recognize. Many spear phishing emails ask you to open an attachment or click on a link.  If an email you don’t recognize asks you to open an attachment you weren’t expecting or that doesn’t look familiar, or to click on a link you don’t recognize, don’t click on it or open it, and check with your IT or Security department if you want to know for sure.
  • The email seems to be a security-related email, or asks you to take immediate action. Watch out for emails that state that your account will be suspended; ask you to reset, validate or verify your password, account information or personal information, or otherwise ask you to take immediate action to prevent something from happening.
  • The email relates to a current news event. Many phishing emails use a current news event, such as a natural disaster or security breach, to get you to provide information, click a link or open an attachment.
  • The email contains information from your social media accounts or other public information. Spear phishing attackers will often look at your public social media accounts (e.g., your Facebook feed, LinkedIn profile, tweets, etc.) and other public sources (e.g., Google searches) and use information about you or your friends to make a spear phishing email seem authentic.  If an email contains personal information about you other than your name and email address, take a close look to ensure it’s not a spear phishing attempt.

If you think an email you received is a phishing or spear phishing attempt: (1) do NOT click or open any links or attachments in the email; (2) if you are at work, immediately contact your Security or IT department to report it, especially if you clicked on an attachment or link or otherwise took action before you realized this (failing to report it will be much worse, so don’t be embarrassed); and (3) delete the email immediately.
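Two of the indicators above can be checked mechanically: a link whose visible text names one site while its target goes elsewhere, and a sender domain that is similar to, but not the same as, your company’s. The Python below is an added example (not code from the original post) that does both over a constructed HTML message body and sender address; the trusted domain list is an assumption you would replace with your own.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_SENDER = "joe.johnson@microsoft.co"   # constructed sample sender (".co", not ".com")
TRUSTED_DOMAINS = {"microsoft.com"}          # assumed: your organization's real domain(s)
SAMPLE_HTML = (  # constructed sample message body, not a real email
    '<p>Your password expires today. Reset it at '
    '<a href="http://198.51.100.7/login">https://account.microsoft.com</a> '
    'or read the <a href="https://www.microsoft.com/privacy">privacy notice</a>.</p>')

class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; http:// is assumed when the scheme is missing."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def mismatched_links(html):
    """Links whose visible text looks like a URL/domain but whose href is on another
    site (same host, or one a subdomain of the other, is not reported)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I):  # text shown as a URL
            shown, actual = host_of(text), host_of(href)
            if not (shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)):
                findings.append({"shown": shown, "actual": actual})
    return findings

def lookalike_sender(address, trusted, threshold=0.8):
    """Trusted domain the sender's domain imitates, or None if it is trusted or unrelated."""
    domain = address.rsplit("@", 1)[-1].lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    matches = [t for t in trusted if difflib.SequenceMatcher(None, domain, t).ratio() >= threshold]
    return matches[0] if matches else None
```

Both checks are heuristics for triage, not proof: a flagged message should still go to your Security or IT department rather than being judged on these results alone.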