7 Tips for Implementing a Records Retention Policy Employees Will Follow

How long to hang on to corporate information and records (records retention) is a common source of conflict within companies. Those in the “keep it” camp believe companies should keep any business records that are needed to conduct business operations effectively, records that serve as a company’s “corporate memory,” records that must be kept for legal, accounting or other regulatory compliance purposes, or have other value to the company (such as protecting the company’s interests). Those in the “destroy it” camp believe companies must promptly destroy records when there is no longer a legitimate business need to retain them, in order (a) to ensure they are minimizing the amount of information that could potentially be exposed in the event of a security breach, inadvertent disclosure, legal disclosure requirement such as a subpoena, or during the discovery phase of litigation, (b) to comply with legal, accounting and other regulatory requirements to destroy information after a certain time, and (c) to reduce the costs of discovery and of storing corporate information. Which side is right?

The answer, of course, is that they’re both right. All of the reasons to keep corporate records, and all the reasons to destroy them, are legitimate. This is the “double-edged sword” of records retention.  For every argument that “we might need that piece of information somewhere down the line,” there’s a counterargument that “we could get in trouble someday if we still have that piece of information around.” The way to ensure your company is striking the right balance between these two extremes is to have a written records retention policy that balances the reasons to retain information against the reasons to destroy it, by setting appropriate “retention periods” for various categories of corporate records and requiring employees to destroy data once the retention period is ended in most cases. It is an essential component of a company’s incident response planning process to reducing the amount of information potentially exposable in the event of a security incident or breach. The policy must cover corporate records wherever located, including physical and electronic data wherever stored (in employee workstations, on intranets and network drives, in third party data centers, in cloud-based service providers’ systems, etc.)  It should list the categories of business records governed by the policy (I prefer a table format), and the records retention period for each category. It should clearly explain to employees what they need to do to comply with the policy, including how to ensure records are properly destroyed when the retention period ends.

It’s easy to argue why companies need a records retention policy. It’s much harder to actually draft and successfully implement one. Here are 7 drafting and implementation tips to help drive the success of your records retention policy.

1. Success is directly proportional to simplicity and communication.

The simpler you can make a records retention policy, the easier it will be for employees to follow it and the greater the likelihood that employees will take time to follow it. Policies that add significant process requirements into the life of rank-and-file employees who already feel like they are “doing more with less” and may be resistant to new ways of doing things are often met with skepticism at best, and outright rebellion at worst. It can be very difficult to successfully implement and administer a records retention policy if employees feel it is onerous and unnecessarily impeding their ability to do their job. If that happens, employees may simply ignore the policy in favor of their day-to-day business duties, or worse, use the records retention policy as a scapegoat if they fail to deliver on their projects and goals.

To solve this problem, ensure your policy is written as simply as possible, take into account the employee’s perspective, and have a communication plan to roll it out. Ensure your policy overview answers questions such as “Why is having a records retention policy important to me?”, “How hard will it be to follow the policy?”, and “What do I have to do under the policy?” Consider using a “frequently asked questions” format for the policy overview. Have a few employees whose opinion you value give you feedback on the policy. Develop a communication plan to roll out the policy to all employees, and leverage HR and Marketing for their input to make it as effective as possible. Ensure your senior leadership team endorses the policy so employees understand it has top-level visibility.

2. Set a “once per year” date for retention periods to expire.

One way to write a records retention policy is to have a fixed retention period for each business record run from the date the record was created. Under that approach, retention periods will be expiring throughout the year.  If the records retention policy requires employees to destroy records immediately upon expiration of the retention period, the policy may require employees to be managing document destruction on a daily or near-daily basis. This may make compliance seem like a daunting task to employees, even if your policy allows employees to destroy expired business records one per month or once per quarter.

As an alternative, consider having the expiration date for all retention periods expire on the same day during each calendar year by having your retention period be measured in full “retention years,” defined as a full calendar year or other 12-month measurement period. For example, if you set December 31 as your annual date for expiration of records retention periods, a presentation created on May 15, 2016 which must be kept for 3 “retention years” would be kept from May 15, 2016 through December 31, 2019 (3 full calendar years from the date of creation). While this approach does extend the retention period for some documents by a bit, that may be an acceptable trade-off to a simple, once-per-year obligation to destroy records under the records retention policy. Consider tying your annual records retention period expiration date into an “office clean-up days” event in partnership with HR where everyone pitches in to tidy up the office, clean up their workspaces, and destroy any documents for which retention periods have expired under the records retention period.

3. Right-size the departments and categories of corporate records listed in the policy.

In an effort to be as comprehensive as possible, some records retention policies include a significant number of categories of information subject to retention requirements. This can result from using an “all purpose” template such as a template obtained from a law firm, from a colleague, or from online searches. In others, a company may want to ensure they are not missing anything by including everything employees have today or could have in the future. One size does not fit all with respect to records retention categories. Consider having a “general” or “common business records” category as the first section of business records in your policy, covering items like business presentations, contracts and agreements (both current and expired); general and customer/vendor correspondence; material of historic value; software source code; etc. Then determine which departments have additional, specialized categories of business records (e.g., HR, IT, Finance, Marketing, Legal, etc.) that should be listed specifically in the policy. For each such department, learn which business records they have and use to create a first draft of your categories list and retention periods. Using a general/departments grouping of categories allows employees to find the information on records retention applicable to them a targeted and streamlined fashion. There will likely still be a significant number of categories of corporate records, but taking the time to think through the right categories for your company’s records retention policy will help ensure it is as easy as possible for employees to read, follow and use.

4. Use a limited number of retention periods, with “permanent” used as sparingly as possible.

Another common issue with records retention policies is the use of a large number of retention periods. Different departments may have different periods under which they currently retain documents, and they may put pressure to keep their own retention periods in an enterprise-wide policy. A policy with a large number of retention periods will make it harder for employees to follow, and harder for IT and others to operationalize. Remember, simplicity where possible is key to success. Consider using a limited number of retention periods (e.g., 1 year, 3 years, 5 years, 7 years, Permanent) which will simplify administration of, and compliance with, the policy. For departments with different existing retention periods, determine which of the next closest periods (longer or shorter) will work, and be prepared to explain to the head of that department why a limited number of periods is essential to the successful implementation of an enterprise-wide policy.

It can be tempting to put many things into a “permanent” bucket (those in the “keep it” camp are likely candidates to ask for this category). However, overuse of the “perpetual” category cuts against the reason for implementing the policy in the first place. While some documents may need to be kept perpetually, for example, information subject to a document preservation notice due to litigation, document categories should be assigned a “permanent” retention period very sparingly. Use it where it is legally necessaryto preserve a category of documents (e.g., it’s required for regulatory purposes), or where there is a compelling business interestin keeping it forever (e.g., prior art that may have value in defending against a future patent infringement claim). One way to find a “happy medium” with those in the “keep it” camp is to include in your policy a mechanism by which Legal and the CISO/CIO can approve an exception to the retention period on a case-by-case basis, but make clear that exceptions will be rarely very sparingly and only where legally necessary or where there is a compelling business interest.

5. Partner with department heads to solicit and incorporate their feedback, and to turn them into champions of an enterprise-wide policy.

One of the keys to the successful roll-out of a records retention policy is to have the support of senior management and department heads. Compliance with a records retention policy should be driven from the top down, not bottom up. It’s also important to consider that just because a company has not implemented an enterprise-wide records retention policy does not mean that some departments have not “gone it alone” and implemented their own limited retention and destruction schedule. Partnering with department heads to gain their support for an enterprise policy, and ensure their own efforts are leveraged as part of the broader policy, is essential.

Once a draft policy is prepared, set up one-on-one meetings with the leader of each department to let them know that you want the enterprise policy to be a collaborative (and not an imposed) effort on his/her department. If they have department-specific document categories or retention periods, leverage them to the greatest extent possible to minimize the impact the enterprise policy will have on that department. If they do not, walk them through the reasons why having a well-followed enterprise records retention policy will benefit the company as a whole. Walk the department head through the draft policy, and ensure they agree with the categories and retention periods applicable to their business unit. Try to incorporate their feedback wherever possible, and talk them through where you cannot (e.g., they ask for a non-standard retention period). Finally, ask for their help in rolling the policy out to their department, e.g., by sending a note to the department as a follow-up to the enterprise-wide policy announcement. By meeting with department heads, you will not only ensure the policy hews as closely as possible to the operational and compliance needs and practices of each department, but also establish a contact for future revisions/enhancements to the policy, and hopefully foster an internal champion to help drive the success of the policy.

6. Ensure the policy accounts for document preservation notices.

One critical element of any records retention policy is a very important exception — information subject to a litigation hold or other document preservation notice (such as in the event of litigation or anticipation of future litigation, where the company receives a subpoena, etc.) If employees follow the records retention policy and destroy business records that are relevant to a legal proceeding or subpoena, the company could face very significant fines and penalties. Ensure that the records retention policy makes it very clear that a document preservation notice supersedes the records retention periods, and that any documents and business records subject to a litigation hold or other document preservation notice must be kept for as long as the preservation notice is in effect regardless of the expiration of the retention period. It’s also important to communicate that once an employee is notified that a document preservation notice has been canceled, any documents subject to the notice should be destroyed at the next anniversary date. Ensure that any systems and processes used by the company to operationalize the records retention policy (e.g., automatic deletion of emails after a certain amount of time) account for the preservation of documents and business records subject to a preservation notice irrespective of the retention periods.

7. Partner with IT to implement technical safeguards to minimize policy “workarounds.”

Finally, partnering with IT will be critical to the success of the policy. In many cases, some document destruction processes can be automated (for example, emails can be deleted after a certain period, files older than a certain date can be automatically deleted from network shares, etc.) Work with your IT group to determine what technological solutions can be put in place to help operationalize the records retention policy. At the same time, some employees may believe that their needs trump the records preservation policy, and will try to work around it (e.g., by saving emails to a PST, printing them to a PDF and saving them on a network drive, “backdating” them by changing the system date before saving files, etc.) Partner with your IT team to put as many appropriate technical safeguards in place as possible to minimize employee workarounds to the records retention policy.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. He works primarily from his home office outside of Minneapolis, Minnesota. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles invoice-over work and implementing and integrating connected home technologies.

7 Tips to Avoid the Pitfalls on the Path to Marketing Success

Marketing in the 21st century encompasses a variety of printed marketing materials, online websites, blogs, case studies, text marketing, digital advertising, social media, and other digital, print and audiovisual materials. Its purpose includes providing information to current and potential customers, investors, and the public about your company, its vision, its goals, and its products/services; demonstrating thought leadership; building goodwill, credibility and trust with your target markets; and driving interest in your company and its offerings. It is a critical channel for generating new customers/clients, new revenue, and new value for investors and shareholders. Companies have a natural propensity to tout themselves and their products in the best possible light in their marketing, accentuating the positive and eliminating the negative. However, there are a number of common mistakes companies make in their marketing that inadvertently land them in hot water.

Think of the execution of your marketing strategies as walking a path on a mountain ridge. To the left are the legal and regulatory pitfalls. These include deceptive, unfair or unlawful advertising practices under federal and state law; native advertising issues; false advertising, trademark, and unfair competition claims by competitors; and the like. To the right are the contractual and customer relationship pitfalls. These include claims for fraudulent inducement to contract or material misrepresentation in your marketing materials, and clients/customers asserting a right to rescind their contract or commence legal proceedings against you, affecting your company’s revenue and reputation.

There are ways to navigate this path safely. Here are 7 key tips to help stay on the path to happy clients/customers and increased revenue.

1) Be transparent, truthful, and clear.

The easiest way for a company to get into trouble over its marketing practices is to be untruthful, unclear and/or misleading. The FTC and state attorneys general rely heavily on federal and state laws prohibiting deceptive and unfair trade practices as their “multi-tool” for cracking down on companies for marketing violations. According to the FTC, an act or practice is considered “deceptive” if it contains a material misrepresentation or an omission of information that is likely to mislead a reasonable customer.

To avoid transparency issues, make sure your marketing collateral and messaging includes all material facts and disclosures that a reasonable person would expect to see. For example, there are disclosures required under federal and state laws around “negative options” such as an auto-renewing subscription offer; there are opt-out and other disclosures needed for certain commercial email messages; if there are dependencies for your call to action (e.g., you must purchase a support package if you purchase a license to your company’s software), disclose them.

To avoid truthfulness issues, verify or qualify any facts or assertions you are using in your marketing. Keep a folder with documentation backing up your marketing facts and assertions. If you don’t have or can’t find the supporting facts, consider adding qualifications to your marketing statement.

To avoid clarity issues, marketing should be well-organized and well-formatted, written in short sentences with simple words and an appropriate level of detail, so that the information you are trying to convey is easily understood. Write from the perspective of the reader – is your marketing message(s) clear to someone who does not know much (if anything) about your company and its products/services?

2) Ensure your marketing meets design and functionality requirements.

One of the biggest mistakes companies make is assuming they know how their target audience will respond to their marketing, or worse, not thinking about it in advance at all. Proactive testing of marketing strategies before launch has parallels to performing user acceptance testing (UAT) in the software world. UAT is the process by which a deliverable is tested by actual or simulated users to validate that the deliverable meets its design and functionality requirements. Just like software UAT, before releasing marketing collateral and messaging it is important to validate that (a) it includes all important details, meets all legal requirements, and contains all legally required disclosures (the “design requirements” equivalent), and (b) it clearly and effectively delivers the marketing message such as a value proposition and/or call to action to its intended audience, and generates the target return on investment (ROI) or return on ad spend (ROAS) (i.e., “functionality requirements” equivalent). Investing time and energy to test your marketing, and incorporating feedback to ensure it meets its design and functionality requirements, will help it deliver the best possible ROI/ROAS.

3) Be careful using images of people or copyrighted works of others.

It’s often easy to grab a picture from Google Images or other online websites for use in marketing and social media. But remember, just because something is available online does not mean it is in the public domain, free to use. Even if you were not the person who originally posted a picture or other copyrighted content online, you could be liable for your use of it. (Even if you have an “innocent infringer” defense, you may still have to prove that in court, costing you and your company time and money.) Consider acquiring images for marketing use from a reputable stock photo company such as Getty Images, and ensure people whose images you capture for marketing use have given you a signed release and right to use the image. In general, you can’t use someone’s name or likeness to state or imply they are endorsing or promoting a product without their permission. Also, remember that images you use should not imply endorsement of your company’s products or services by a person without that person’s consent. Duane Reade, a drugstore chain, learned this lesson the hard way recently when they were sued by Katherine Heigl for $6 million after they used an image of her in a tweet without her permission.

4) Avoid unsubstantiated superlatives and figures.

Companies sometimes fall off the marketing path by using superlatives and figures that they can’t substantiate. One of the bedrocks of FTC policy is the FTC Policy Statement Regarding Advertising Substantiation. Under this policy, objective product/service claims “represent explicitly or by implication that the advertiser has a reasonable basis supporting these claims.” A “reasonable basis” depends on factors including the product which is the subject of the claim, the type of advertising claim, the consequences of a false claim, and the benefits of a truthful claim. Failing to have support for your claims is a deceptive and unfair trade practice under §5 of the FTC Act. Watch out for figures and superlatives such as “the best,” “the quickest,” etc. Make sure you have a reasonable basis for your superlative and data to back up your figures. For superlatives you cannot back up with documented facts (e.g., “a leading” vs. “the leading”), consider whether a comparative would work better (e.g., “easier” vs. “easy”, “more cost-effectively” vs. “cost-effectively,” etc.) As noted earlier, if a specific number is cited, ensure you have documentation for that specific number. If not, qualify it or generalize it (e.g., “approximately X,” “more than Y,” “less than Z,” “A to B”).

5) Avoid quoting quotes.

Just like images, it can be easy to find great quotes, facts and figures through an Internet search. If you are under a deadline or have a limited marketing budget, it might be tempting to find an article which cited the study and then cite to that article. However, beware of “quoting the quoter.” Quotes and cited facts/figures should be substantiated by the source material, not an article quoting the source material. If you quote a quote and not the source material, you run the risk that the author of the quote changed or misquoted the source material in their article. For example, suppose you’re looking for a statistic that at least half of participants in a study believe that the demand for products in your market segment will double in the next two years. You find and quote an online article citing research that 50% of respondents stated exactly that. What you didn’t know is that the number is really 46%, and the author of the article you cited decided to round up to 50%.  This inaccurate quote could cause significant headaches if the inaccuracy proves material to your marketing message or value proposition.

6) Tread carefully when using product endorsers and native advertising.

Native advertising, as defined by the FTC, is “content that bears a similarity to the news, feature articles, product reviews, entertainment and other material that surrounds it online.” For example, a featured article on a website that looks like an objective article, but is in fact an advertisement for a product or service written by or for the product or service provider, is native advertising. Native advertising uses the appearance of authenticity to drive interest in a product or service. This is also its Achilles’ heel. If it is too difficult to distinguish native advertising from surrounding content, it may be considered deceptive; the FTC looks at the “net impression [an] ad conveys to consumers” in determining deceptiveness. If an ad misleads a consumer by stating or implying that it’s not advertising, it’s likely deceptive. Native advertising must be accompanied by clear and prominent disclosures as to the source and/or sponsorship of the advertising to avoid misleading consumers, such as “paid content” or “advertisement” or “sponsored” disclaimers next to native advertising content or links. The FTC’s Native Advertising Guide for Business contains clear guidance on how to avoid running afoul of native advertising traps.

Similar issues have arisen with respect to “product endorsers,” people who endorse a product, brand or company. While paid celebrity endorsements (think Michael Jordan for Nike and Hanes, William Shatner for Priceline) are clearly paid to do so, companies also use employees, and non-employees such as bloggers and online personalities, to promote and drive interest in their products. Companies also run contests and sweepstakes through social media to drive awareness and increase buzz for their products. But content posted by employee brand ambassadors, compensated non-employee endorsers, and participants in a promotion who fail to identify their content as sponsored or paid may be deceptive and misleading in the eyes of the FTC (as Cole Haan discovered when they ran a Pinterest campaign to drive interest in their Wandering Sole product) and state attorneys general. The FTC stated that a “material connection” between a marketer and an endorser must be disclosed “if the relationship is not otherwise apparent from the context of the communication that contains the endorsement.”

7) Avoid statements that are forward-looking or may trigger a Regulation FD disclosure requirement.

Finally, if you work for a public company, SEC laws and regulations impose additional restrictions on what you can and cannot say in your marketing communications. Watch out for “forward-looking statements,” statements of potential or projected future events as expectations or possibilities. Saying “we plan on adding a European office in 2019” or “we expect to double our manufacturing capacity in the next six months” are likely forward-looking statements. Forward looking statements can lead to securities litigation unless accompanied by cautionary language required by the statutory “safe harbor” for forward-looking statements by public companies. Additionally, it’s important to ensure any targeted marketing or social media posts do not inadvertently selectively disclose material, non-public information about your publicly-traded company, which is prohibited by SEC Regulation FD (Fair Disclosure). For example, if an employee posts a picture while on-site at a prospective major new client, and the client’s identity can be determined by a logo in the background the employee did not see, the potential relationship inadvertently disclosed by the social media post may trigger the need for a Regulation FD disclosure.

Eric Lambert is Assistant General Counsel and Privacy Officer atCommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles invoice-over work and implementing and integrating connected home technologies.

EU-US Privacy Shield Update – Roadworthy (For Now), But All Roads May Be Dead Ends

Last July, the new US-EU Privacy Shield framework became effective. The Privacy Shield replaced the International Safe Harbor Privacy Principles (commonly known as “Safe Harbor”) which had been in place since 2000. Under the EU Data Protection Directive, companies can only transfer data outside of the EU to a country deemed to have an “adequate” level of data protection, and the US (which takes a sectoral approach to data privacy and has no comprehensive national data privacy law) is not one of those countries. Given the importance of EU-US data transfer in the global economy, the Safe Harbor principles were developed as an entity-level, instead of country-level, adequacy mechanism, to allow a US company to achieve a level of adequacy (in the eyes of the EU) which allowed EU-US data transfers with that company to take place. Safe Harbor served as an alternative to two other entity-level adequacy mechanisms: standard contract clauses (SCCs, also known as model contract clauses), which are separately required for each EU company transferring data to a US entity making them difficult to scale, and binding corporate rules (BCRs), which require Board of Directors approval and significant time and resources and have only been implemented by very large multinational companies. (There is also an individual-leveladequacy mechanism – direct consent.)

Everything changed in October 2015, when the European Court of Justice (ECJ) released its decision in a case brought against Facebook brought by Austrian citizen Max Schrems. The ECJ held that the Safe Harbor framework did not provide adequate privacy protections to EU individuals, and was therefore invalid. Among other reasons for invalidation, the ECJ found broad US government powers to access data (including data of EU citizens) held by private US companies directly conflicted with the EU’s declaration of data protection as a fundamental human right. Given the importance of the Safe Harbor program in facilitating EU-US data transfers, its invalidation had a far-reaching impact. While the EU agreed to wait a few months before bringing any actions against companies in the Safe Harbor program which did not move to an alternative entity-level adequacy mechanism, US companies faced a difficult choice – switch to an alternative and more difficult/costly approach, such as standard contract clauses, or wait and see whether the EU and US could quickly agree on a Safe Harbor replacement before the EU’s enforcement deadline.

Fortunately, The European Commission and the US government quickly accelerated existing talks on resolving shortcomings of the Safe Harbor principles, leading to the announcement of the Privacy Shield program in February 2016. The European Commission quickly issued a draft adequacy decision for the Privacy Shield program, and despite some misgivings about the program from certain groups the European Union gave its final approval on July 12, 2016. The Privacy Shield program is made up of 7 core principles and 15 supplemental principles. Like Safe Harbor before it, it is a self-certification program, and there are a number of the principles common to both Safe Harbor and Privacy Shield. The Privacy Shield program seeks to address a number of the perceived shortcomings of the Safe Harbor principles, including protection for onward transfer of information by US companies to third parties such as their service providers, multiple ways for individuals to make a compliant about a Privacy Shield-certified company, stronger enforcement mechanisms, and an annual review mechanism. Its intent is to be a replacement entity-level mechanism which addresses the concerns around Safe Harbor cited by the ECJ in the Schrems decision, complies with EU laws, and respects EU citizens’ fundamental rights to privacy and data protection.

Challenges and Headwinds

Since the Privacy Shield program went live in July, over a thousand companies (1,234 as of December 10, 2016, according to the Privacy Shield List) have self-certified under the program. However, the Privacy Shield program, and EU-US data transfers in general, continue to face challenges and headwinds.

  • Legal challenges – déjà vu all over again?After the Privacy Shield program was announced in February 2016, some groups and individuals expressed concerns about the program. When Privacy Shield was approved in July 2016, Max Schrems went on record stating his belief that the Privacy Shield framework was fundamentally flawed and could not survive a legal challenge. As the first legal challenges against Privacy Shield have been filed, we will find out how prescient Mr. Schrems’ comments are. In September, the digital rights advocacy group Digital Rights Ireland filed an action in the EU courts arguing that the EU’s finding of adequacy for the Privacy Shield should be annulled on the basis that the Privacy Shield program’s privacy safeguards are not adequate. In November, a similar challenge was brought by La Quadrature du Net, a French privacy advocacy group. The results of these challenges may result in the Privacy Shield program being very short-lived. Additionally, the ECJ is considering another challenge against Facebook referred to it by the Irish Data Protection Commissioner, this time to standard contract clauses. The proponents in that case are arguing that the same concerns behind the ECJ’s Safe Harbor decision should apply to standard contract clauses. The forthcoming decision in this challenge has the potential to create a precedent that could bring down the Privacy Shield program as well.
  • Other public and private actions may erode Privacy Shield’s validity. On December 1, 2016, a change to Rule 41 of the Federal Rules of Criminal Procedure became effective. The change was intended to give investigators more power to obtain warrants against cyber criminals using botnets or otherwise masking their identity, such as through secure web browsers or virtual private networks. Under the amended rule, law enforcement seeking to use remote access to search media and obtain electronically stored information can obtain a warrant from a magistrate judge located in a district where “activities related to a crime may have occurred” if the actual location of the media or information has been “concealed through technological means.” Since this rule is not limited on its face to servers in the US, without further clarification of the scope of this rule it is possible for it to be used by law enforcement to have a US magistrate judge issue a warrant to search and seize information from servers located in the EU. This global reach would likely be found in direct conflict with the concepts of privacy and data protection as a fundamental human right under the EU’s Charter of Fundamental Rights. Additionally, in early October, reports surfaced that Yahoo! had secretly scanned the email accounts of all of its users at the request of US government officials, which if true would likely be inconsistent with the terms of the Privacy Shield agreement. Opponents of Privacy Shield could use actions such as these as ammunition in their efforts to invalidate the program. In fact, there have already been calls for the European Commission and the EU’s Article 29 Working Party to investigate the Yahoo! scanning allegations, and according to a European Commission spokesperson statement on November 11, 2016, the EC has “contacted the U.S. authorities to ask for a number of clarifications.”
  • Canany EU-US framework be adequate? The legal challenges and public/private actions cited above all lead to one fundamental question that many parties involved in the Privacy Shield program have been hesitant to ask – is there a fundamental, irreconcilable conflict between (1) the United States’ approach to privacy and (2) the EU’s commitment to privacy and data protection as fundamental human rights? If yes, the US’s sectoral approach to data privacy legislation and powers for law enforcement to obtain information from privacy companies and servers may mean that no entity-level mechanism to facilitate EU-US data transfers is “adequate” in the eyes of the EU, meaning that EU-US data transfers are approaching a dead end. While the US government has imposed restrictions on its surveillance activities in the post-Snowden world, it remains very unclear whether anything short of concrete legislation protecting the rights of EU citizens (which would run counter to US counter-terrorism activities), or a modification of the EU’s principles, would be sufficient. I suspect there may be a difference between the view of those in the EU seeking a pragmatic approach (those that believe that the importance of EU-US data transfers, including economic and geopolitical benefits, necessitate some compromise), and those seeking an absolute approach (those that believe that the EU’s belief that data protection is a fundamental human right must trump any other interests). The forthcoming decisions in the challenges to standard contract clauses and the Privacy Shield program will likely help shed light on whether this fundamental conflict is fatal to any entity-level mechanism.
  • Compliance, not certification, with the Privacy Shield principles is what matters.A number of US companies have chosen to tout their Privacy Shield self-certification via blog posting or press release (for examples, see here, here and here). While a press release on Privacy Shield certification can be a useful to demonstrate its global presence and commitment to data privacy, remember that it’s a self-certification process (although some companies are using third-party services such as TrustE to help them achieve compliance). A company’s certification of compliance with the Privacy Shield principles is less important than the processes and procedures they have put in place to manage their compliance. If you need to determine if a company is self-certified under the Privacy Shield program, you can search the database of certified companies at http://www.privacyshield.gov/list, and check their website privacy policy which should contain disclosures affirming and relating to their commitment to the Privacy Shield principles. If you’re a company certified under the Privacy Shield, be prepared to answer questions from EU companies on how you comply with the Privacy Shield principles – you may be asked.

So, what does all this mean?At the moment, Privacy Shield may be a bit rickety, but unless your company can effectively use standard contractual clauses or binding corporate rules, short of direct consent it’s the only game in town for US companies which need to receive data from their EU client, customers and business partners. Even SCCs may be a short-lived solution, meaning many companies may not want to invest the time, effort and expense required to adopt that entity-level approach. Due to the current state of Privacy Shield and EU-US data transfers in general, US companies may want to consider the wisdom of the “Herd on the African Savanna” approach to compliance – the safest place to be in a herd on the African savanna is in the center. It’s almost always the ones on the outside which get picked off, not the ones in the center. Unless there is a compelling business reason to be on the outside of the herd (desire to be viewed as a market leader, willingness to risk doing nothing until clearer direction is available, etc.), the safest place from a compliance perspective is to stick with the pack. While that approach is not for everyone, many companies may feel that being in the center of the herd of US companies dealing with EU-US data transfers is the safest approach while the fate of the Privacy Shield, and EU-US data transfers in general, plays out.

Practical Tips for Managing Risks in Vendor, Supplier, and other Partner/Provider Relationships

The best place to stop a snowball from rolling the wrong way is the top of the hill.

When it comes to managing risk in business, there are two fundamental principles:

  1. You can’t disarm all of the land mines. A risk is like a land mine – it will detonate sooner or later once the right factors occur. Part of risk management is having enough information to know (or make an educated guess) at which risk “land mines” are more likely to go off than others, so you can stack rank and disarm the land mines in the right order. That way, hopefully you’ll disarm each one in time, and if one does goes off before you can disarm it it will cause minimal damage.
  2. You don’t have to stop every factor from occurring; you have to stopat least one factor from occurring. If a risk “land mine” detonates, a number of things all went wrong at the same time. Think of it as the lock on Pandora’s Box – for the lock to open (the land mine going off), the pins in the cylinder (the environmental factors) must align perfectly with the key (the catalyst). As long as one of the pins are misaligned, the lock won’t open. If you don’t have the resources or ability to ensure all pins are misaligned, try to ensure at least one pin is misaligned so the land mine can’t go off. (If more than one is misaligned, that’s even better.)

To manage a risk, a business must first mitigate and shiftthe risk to reduce the chance of the land mine detonating to the greatest extent possible, and then accept or rejectthe residual risk to the business. (For more on this, please see my earlier LinkedIn article on Revisiting Risk Management).

When it comes to your relationships with your key vendors, suppliers and other partners/providers, risk management principles should be applied to both existing partners/providers, prospective partners/providers, and “inherited” partners/providers (e.g., through acquisition). There are a number of ways to mitigate and shift risk in these relationships:

Mitigating the Risks

  • Do due diligence on your partners and providers.Perform research to see if the partner/provider has had security or privacy problems in the past. If they are public, look at the risk factors in their securities filings. Look at the partner/provider’s privacy policy to see if they make any claims they likely cannot live up to, or are overly broad in what they can do with your company’s data. Watch out for unrealistic marketing statements regarding privacy, security or their ability to perform the obligations you are contracting for. Use RFPs to gather information on prospective partners/providers up front (and keep it in case you need to refer to it later on if something they told in you in RFP proves not to be true).
  • Don’t automatically disqualify companies that have had past problems. If an RFP reveals that a partner/provider has had a past issue, focus on what steps they have taken to remediate the issue and protect against a recurrence. The result may be that they have a more robust security and risk management program than their peers.
  • Ask them what they do.Consider adding privacy and security questions to your RFP to gather information on current practices and past problems/remediation efforts (and to make them put it in writing). Watch out for answers that are too generic or just point you to their privacy policy.
  • Set online alerts, such as Google Alerts, to stay up-to-date on the news relating to your prospective or current partner/provider during the course of your negotiations and relationship, and escalate any alerts appropriately. If the partner/provider is public, set an alert for any spikes (up or down) in stock price.
  • Plan for the inevitable. Inevitably, your business relationship will end at some point. It could end when you’re ready for and expecting it, but you can’t count on that. If your partner/provider is mission-critical, develop an “expected” and “unexpected” transition plan and confirm that the partner/provider can locate and provide you the data you need to execute on that plan. For example, ensure you have all information and data you may need if the partner/provider ceases operations (for example, routinely download reports and data sets from their portal, or set up an automated feed). Alternatively, consider ways to ensure that if a partner/provider creates and stores mission-critical information (e.g., order or personal information, critical reports or data, etc.), it’s mirrored securely to a location in your control on a regular basis so that if there’s a problem, you have a secure and current data set to work from. This may be required or important under your company’s business continuity plan, and your contractual commitments to your clients.
  • Know your alternatives. Keep abreast of alternative partners/providers, do initial vetting from a security perspective, and maintain relationships with them. If a problem occurs, the company may have to switch partners/providers quickly. If you have taken the time to cultivate a “rainy day” relationship, that partner/provider may be happy to go out of their way to help you onboard quickly should a problem with your existing partner/provider occur (in the hopes that your company may reward their help with a long-term relationship).
  • Know what you have to do to avoid a problem. Once negotiated, contracts often go in the drawer, and the parties just “go about their business.” Make sure you know what your and your partner/provider’s contractual obligations are, and follow them. If they have “outs” under the contract, ensure you know what you need to do in order to ensure they cannot exercise them. If terms of use or an Acceptable Use Policy (AUP) or other partner/provider policies apply, make sure the right groups at your company are familiar with your obligations, and ensure they are being checked regularly in case they are updated or changed. If possible, minimize the number of “outs” during the negotiation. For existing or inherited partners/providers, consider preparing a list of the provisions you want to try to remove from their agreements so you can try to address them when the opportunity arises in the future (e.g., in connection with a renewal negotiation).
  • Put contractual provisions in place. Sales and Procurement should partner with IT and Legal to ensure that the right risk mitigation provisions are included in partner/provider agreements on an as-needed basis. Consider adding a standard privacy and security addendum to your agreements, whether on their paper or yours. Common provisions to consider include a security safeguards requirement; obligation to protect your network credentials in their possession; obligation to provide security awareness training (including anti-phishing) to their employees (consider asking for the right to test their employees with manufactured phishing emails, or getting an obligation that they will do so); requiring partners/providers to maintain industry standard certifications such as ISO 27001 certification, PCI certification, SOC 2 Type 2 obligations, etc.; obligation to encrypt sensitive personal information in their possession; obligations to carry insurance covering certain types of risks (ensure your company is named as an additional insured, and try to obtain a waiver of the right of subrogation); rights to perform penetration testing (or an obligation for them to do so); a obligation to comply with all applicable laws, rules and regulations); an obligation to complete an information security questionnaire and participate in an audit; language addressing what happens in the event of a security breach; and termination rights in the event the partner is not living up to their obligations. Not all of these provisions make sense for every partner/provider. Another approach to consider is to add appropriate provisions to a supplier/vendor code of conduct incorporated by reference into your partner/provider agreements (ensure conflicts are resolved in favor of the code of conduct).

Shifting the Risks

  • Use contractual indemnities. An indemnity is a contractual risk-shifting term through which one party agrees to bear the costs and expenses arising from, resulting from or related to certain claims or losses suffered by another party. Consider whether to include in your partner/provider agreement an indemnity obligation for breaches of representations/warranties/covenants, breach of material obligations, breach of confidentiality/security, etc. Consider whether to ask for a first party indemnity (essentially insurance, much harder to get) vs. a third party indemnity (insulation from third party lawsuits). Remember that an indemnity is only as good as the company standing behind it. Also, pay close attention to the limitation of liability and disclaimer of warranties/damages clauses in the agreement to ensure they are broad enough for your company.
  • Request a Parental Guaranty. If the contracting party isn’t fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a performance and payment/indemnification guaranty to ensure you can pursue the parent if the subsidiary you are contracting with fails to comply with its contractual obligations.
  • Acquire insurance. Finally, consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance, and consider asking your broker walk you through your coverage on an annual basis.

The Augmented World — Legal and Privacy Perspectives on Augmented Reality (AR)

You’ve likely heard that Augmented Reality (AR) is the next technology that will transform our lives. You may not realize that AR has been here for years. You’ve seen it on NFL broadcasts when the first down line and down/yardage appear on the screen under players’ feet. You’ve seen it in the Haunted Mansion ride in Disneyland when ghosts seem to appear in the mirror riding with you in your cart. You’ve seen it in cars and fighter jets when speed and other data is superimposed onto the windshield through a heads-up display. You’re seeing it in the explosion of Pokémon Go around the world. AR will affect all sectors, much as the World Wide Web did in the mid-1990s. Any new technology such as AR brings with it questions on how it fits under the umbrella of existing legal and privacy laws, where it pushes the boundaries and requires adjustments to the size and shape of the legal and regulatory umbrella, and when a new technology leads to a fundamental shift in certain areas of law. This article will define augmented reality and the augmented world, and analyze its impact on the legal and privacy landscape.

What is “augmented reality” and the “augmented world?”

One of the hallmarks of an emerging technology is that it is not easily defined. Similar to the “Internet of Things,” AR means different things to different people, can exist as a group of related technologies instead of a single technology, and is still developing. However, there are certain common elements among existing AR technologies from which a basic definition can be distilled.

I would define “augmented reality” as “a process, technology, or device that presents a user with real-world information, commonly but not limited to audiovisual imagery,augmented with additional contextual data elements layered on top of the real-world information, by (1) collecting real-world audiovisual imagery, properties, and other data; (2) processing the real-world data via remote servers to identify elements, such as real-world objects, to augment with supplemental contextual data; and (3) presenting in real time supplemental contextual data overlaid on the real-world data.” The real world as augmented through various AR systems and platforms can be referred to as the “augmented world.” AR and the augmented world differs from “virtual reality” (VR) systems and platforms, such as the Oculus Rift and Google Cardboard, in that VR replaces the user’s view of the real world with a wholly digitally-created virtual world, where AR augments the user’s view of the real world with additional digital data.

“Passive” AR (what I call “first-generation AR”) is a fixed system — you receive augmented information but do not do so interactively, such as going through the Haunted Mansion ride or watching your television set. The next generation of AR is “active,” meaning that AR will be delivered in a changing environment, and the augmented world will be viewed, through a device you carry or wear. Google Glass and the forthcoming Microsoft HoloLens are examples of “active AR” systems with dedicated hardware; when worn, the world is augmented with digital data superimposed on the real-time view of the world. However, AR has found ways to use existing hardware — your smartphone. HP’s Aurasma platform is an early example of an active AR system that uses your smartphone’s camera and screen to create digital content superimposed on the real world. What AR has needed to go fully mainstream was a killer app that found a way for AR to appeal to the masses, and it now has one — Pokémon Go. Within days of its launch in early July, TechCrunch reported that Pokémon Go had an average daily user base of over 20 million users. Some declared it the biggest “stealth health” app of all time as it was getting users out and walking.

Active AR has the capacity to change how people interact with the world, and with each other. It is an immersive and engaging user experience. It has the capacity to change the worlds of shopping, education and training, law enforcement, maintenance, healthcare, and gaming, and others. Consider an AR system that shows reviews, product data, and comparative prices while looking at a shelf display; identifies an object or person approaching you and makes it glow, flash, or otherwise stand out to give you more time to avoid a collision; gives you information on an artist, or the ability to hear or see commentary, while looking at a painting or sculpture; identifies to a police officer in real time whether a weapon brandished by a suspect is real or fake; or shows you in real time how to repair a household item (or how to administer emergency aid) through images placed on that item or on a stricken individual. For some, the augmented world will be life-altering, such as a headset as assistive technology which reads road signs aloud to a blind person or announces that a vehicle is coming (and how far away it is) when the user looks in the vehicle’s direction. For others, the ability to collect, process and augment real-world data in real time could be viewed as a further invasion of privacy, or worse, technology that could be used for illegal or immoral purposes.

As with any new technology, there will be challenges from a legal and digital perspective. A well-known example of this is the Internet when the World Wide Web became mainstream in the mid-1990s. In some cases, existing laws were interpreted to apply to the online world, such as the application of libel and slander to online statements, the application of intellectual property laws to file sharing over peer-to-peer networks, and the application of contract law to online terms of use. In others, new laws such as the Digital Millennium Copyright Act were enacted to address shortcomings of the existing legal and regulatory landscape with respect to the online world. In some instances, the new technology led to a fundamental shift in a particular area of law, such as how privacy works in an online world and how to address online identity theft and breaches of personal information. AR’s collection of data, and presentation of augmented data in real time, creates similar challenges that will need to be addressed. Here are some of the legal and privacy challenges raised by AR.

  • Rethinking a “reasonable expectation of privacy.” A core privacy principle under US law is that persons have a reasonable expectation of privacy, i.e., a person can be held liable for unreasonably intruding on another’s interest in keeping his/her personal affairs private. However, what is a “reasonable expectation of privacy” in a GoPro world? CCTV/surveillance cameras, wearable cameras, and smart devices already collect more information about people than ever before. AR technology will continue this trend. As more and more information is collected, what keeping “personal affairs private” looks like will continue to evolve. If you know someone is wearing an AR device, and still do or say something you intend to keep private, do you still have a reasonable expectation of privacy?

What is a “reasonable expectation of privacy” in a GoPro world?

 

  • Existing Privacy Principles. Principles of notice, choice, and “privacy by design” apply to AR systems. Providers of AR systems must apply the same privacy principles to AR as they do to the collection of information through any other method. Users should be given notice of what information will be collected through the AR system, how long it will be kept, and how it will be used. Providers should collect only information needed for the business purpose, store and dispose of it securely, and keep it only as long as needed.

AR systems add an additional level of complexity — they are collecting information not just about the user, but also third parties. Unlike a cellphone camera, where the act of collecting information from third parties is initiated by the user, an AR system may collect information about third parties as part of its fundamental design. Privacy options for third parties should be an important consideration in, and element of, any AR system. For example, an AR system provider could ensure users have the ability to toggle the blocking of third party personal data from being collected or augmented, so personal information is only augmented when the user wants it to be. AR system providers may also consider an indicator on the outside of the device, such as an LED, to let third parties know that the AR system is actively collecting information.

Additionally, AR may create interesting issues from a free speech and recording of communications perspective. Some, but not all, court rulings have held that the freedom of speech guaranteed by the First Amendment extends to making recordings of matters of public interest. An AR system that is always collecting data will push the boundaries of this doctrine. Even if something is not in the public interest, many states require the consent of both parties to record a conversation between them. An AR system which persistently collects data, including conversations, may run afoul of these laws.

  • Children’s Privacy.It is worth a special note that AR creates an especially difficult challenge for children’s privacy, especially children under 13. The Children’s Online Privacy Protection Act (“COPPA”) requires operators of online services, including mobile apps, to obtain verifiable parental consent before collecting any personal information from children under 13. “Personal information” includes photos, videos, and audio of a child’s image or voice. As AR systems collect and process data in real time, the passive collection of a child’s image or voice (versus collection of children’s personal information provided to a company through an interface such as a web browser) is problematic under COPPA. AR operators will need to determine how to ensure they are not collecting personal information from children under 13. I expect the FTC will amend the COPPA FAQ to clarify their position on the intersection of AR and children’s privacy.
  • Intellectual Property. Aside from the inevitable patent wars that will occur over the early inventors of AR technologies, and patent holders who believe their patent claims cover certain aspects of AR technologies, AR will create some potentially interesting issues under intellectual property law. For example, an AR system that records (and stores) everything it sees will invariably capture some things that are protected by copyright or other IP laws. Will “fair use” be expanded in the augmented world, e.g., where an album cover is displayed to a user when a song from that is heard? Further, adding content to a copyrighted work in the augmented world may constitute a prohibited derivative work. From a trademark perspective, augmenting a common-law or registered trademark with additional data, or using a competitor’s name or logo to trigger an ad about your product overlaid on the competitor’s name or logo, could create issues under existing trademark law.
  • Discrimination.  AR systems make it easy to supplement real-world information by providing additional detail on a person, place or thing in real time. This supplemental data could intentionally or inadvertently be used to make real-time discriminatory decisions, e.g., using facial or name recognition to provide supplemental data about a person’s arrest history, status in a protected class, or other restricted information which is used in a hiring or rental decision. An AR system that may be used in a situation where data must be excluded from the decision-making process must include the ability to automatically exclude groups of data from the user’s augmented world.

The world of online digital marketing and advertising will expand to include digital marketing and advertising in the augmented world. Imagine a world where anything — and I mean anything — can be turned into a billboard or advertisement in real time. Contextual ads in the augmented world can be superimposed anytime a user sees a keyword. For example, if you see a house, imagine if an ad for a brand of paint appears because the paint manufacturer has bought contextual augmented ads to appear in an AR system whenever the user sees a house through the augmented world.

Existing laws will need to be applied to digital marketing and advertising in the augmented world. For example, when a marketing disclaimer appears in the online world, the user’s attention is on the ad. Will the disclaimer have the same effect in an augmented environment, or will it need to be presented in a way that calls attention to it? Could this have the unintended consequence of shifting the user’s attention away from something they are doing, such as walking, thereby increasing the risk of harm? There are also some interesting theoretical advertising applications of AR in a negative context. For example, “negative advertising” could be used to blur product or brand names and/or to make others more prominent in the augmented world.

  • The Right of Publicity.  The right of publicity — a person’s right to control the commercial use of his or her name, image, and likeness — is also likely to be challenged by digital marketing in the augmented world. Instead of actively using a person’s likeness to promote a product or service, a product or service could appear as augmented data next to a person’s name or likeness, improperly (and perhaps inadvertently) implying an endorsement or association. State laws governing the right of publicity will be reinterpreted when applied to the augmented world.
  • Negligence and Torts. AR has the capacity to both further exacerbate the problem of “distracted everything,” paying more attention to your AR device than your surroundings, as some users of Pokémon Go have discovered. Since AR augments the real world in real time, the additional information may cause a user to be distracted, or if the augmented data is erroneous could cause a user to cause harm to him/herself or to others. Many have heard the stories of a person dutifully following their GPS navigation system into a lake. Imagine an AR system identifying a mushroom as safe to eat when in fact it is highly poisonous. Just as distracted driving and distracted texting can be used as evidence of negligence, a distracted AR user can find him/herself facing a negligence claim for causing third party harm. Similarly, many tort claims that can arise through actions in the real world or online world, such as liable and slander, can occur in the augmented world. Additionally, if an AR system augments the real world in a way that makes someone think they are in danger, inflicts emotional distress, or causes something to become dangerous, the AR user, or system provider, could be legally responsible.
  • Contract liability. We will undoubtedly see providers of AR systems and platforms sued for damages suffered by their users. AR providers have and will shift liability to the user through contract terms. For example, Niantic, the company behind Pokémon Go, states in their Terms of Use that you must “be aware of your surroundings and play safely. You agree that your use of the App and play of the game is at your own risk, and it is your responsibility to maintain such health, liability, hazard, personal injury, medical, life, and other insurance policies as you deem reasonably necessary for any injuries that you may incur while using the Services.” AR providers’ success at shifting liability will likely fall primarily to tried-and-tested principles such as whether an enforceable contract exists.

None of the above challenges are likely to prove insurmountable and are not expected to slow the significant growth of AR. What will be interesting to watch is how lawmakers choose to respond to AR, and how early hiccups are seized on by politicians and reported in the press. Consider automobile autopilot technology. The recent crash of a Tesla in Autopilot mode is providing bad press for Tesla, and fodder for those who believe the technology is dangerous and must be curtailed. Every new technology brings both benefits and potential risks. If the benefits outweigh the risks on the whole, the public interest is not served when the legal, regulatory and privacy pendulum swings too far in response. Creating a legal, regulatory and privacy landscape that fosters the growth of AR, while appropriately addressing the risks AR creates and exacerbates, is critical.

Are IP and MAC Addresses Personal Information?

To many, “personally identifiable information” (also “PII” or “personal information”) means information that can be used to identify an individual, such as a person’s name, address, email address, social security number/drivers’ license number, etc. However, in the US, there is no uniform definition of personal information. This is because the US takes a “sectoral” approach to data privacy. In the US, data privacy is governed by laws, rules and regulations specific to market sectors such as banking, healthcare, payment processing, and the like, as well as state laws such as breach notification statutes). Companies, such as Google, often include their own definition of personal information in their privacy policy. Even though there is no uniform definition, however, it’s clear that that more and more information is falling under the PII/personal information umbrella.

One category of data with potentially significant implications to US businesses if classified as PII are Internet Protocol (IP) and Media Access Control (MAC) addresses.

  • An IP address is a unique numerical or hexadecimal identifier used by computing devices such as computers, smartphones and tablets to identify themselves on a local network or the Internet, and to communicate with other devices. IP addresses can be dynamic (a temporary IP address is assigned each time a device connects to a network), or static (a permanent IP address is assigned to a network device which does not change if it disconnects and reconnects). There are two types of IP addresses – the original IPv4 (e.g., “210.43.92.4”), and the newer IPv6 (e.g., “2001:0db8:85a3:0000:0000:8a2e:0370:7334”).
  • MAC address is a unique identifier used to identify a networkable device, such as a computer/phone/tablet/smartwatch, as well as other connected devices such as smart home technologies, printers, TVs, game consoles, etc. A MAC address is a 12-character hexadecimal (base 16) identifier, e.g., “30:0C:AA:2D:FB:22”. The first half of the address identifies the device manufacturer, and the second half is a unique identifier for a specific device. If a device needs to talk to other devices, it likely has a MAC address.
  • Why do devices need both? There are incredibly technical reasons for this, but at a very high level, MAC addresses are used to identify devices on a local wired or wireless network (e.g., your home network) to transmit data packets between devices on that local network, and IP addresses are used to identify devices on the worldwide Internet to transmit data packets between devices connected directly to the Internet. Your router has an IP address assigned by your ISP, as well as a MAC address which identifies it to other devices on the local network. Your router assigns a local IP address (e.g., 192.168.1.2-192.168.1.50) to connected devices by MAC address. Network traffic comes to your router via IP address, and the router determines what MAC device on the network to which to route the traffic.
  • Think of a letter mailed to your attention at your corporate office address of 1234 Anyplace Street, Suite 1500, Anytown, US 12345. The mailing address will tell the mail carrier what address to deliver it to, but the carrier won’t deliver it right to you personally. Suppose you are in Cube 324. Your mail room will look up your cube number, and deliver the letter to you. The letter is like an online data packet, the mailing address is like an IP address, the cube number is like a MAC address, and the mail room is like a router — the router takes the inbound packet delivered by IP address and uses the local device’s MAC address to route the packet to the right device on the network.

Canada’s approach. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) defines “personal information” as “information about an identifiable individual.” The Office of the Privacy Commissioner of Canada (OPCC) has released an interpretation making clear that this definition must be given a “broad and expansive interpretation,” and that it includes information that “relates to or concerns” a data subject. With respect to IP addresses, according to the OPCC an Internet Protocol (IP) address is personal information if it can be associated with an identifiable individual. (Note that in Canada, business contact information is not considered personal information, which implies that an IP or MAC address of a work computing device associated with an employee’s work contact information is not personal information.)

The European approach.In Europe, the current Data Protection Directive and the proposed Data Protection Regulation both define personal dataas “any information relating to an identified or identifiable natural person.” Individual EU member states differ on whether an IP address should be considered personal data. The European Court of Justice (ECJ) has held that IP addresses are protected personal information “because they allow … users to be precisely identified,” and is considering whether to adopt an even stronger position that dynamic IP addresses collected by a website operator are personal information even if though the Internet service provider, and not the website operator, has the data needed to identify the data subject. The same rules should apply to MAC addresses. The new Data Protection Regulation, which will override member state implementations of the Directive, states in its findings that “[n]atural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In the US, the sectoral and state-by-state approach to data privacy does not paint a clear picture as to whether an IP address or MAC address should be considered personal information.

  • Specific laws. The one US statute that clearly states that IP and MAC addresses are personal information is the Children’s Online Privacy Protection Act (COPPA). In 2013, the FTC revised the COPPA Rule, which defines “personal information” as “individually identifiable information about an individual collected online,” as specifically including IP addresses, MAC addresses, and other unique device identifiers. The Health Insurance Portability and Accessibility Act (HIPAA) includes device identifiers (such as MAC addresses) and IP addresses as “identifiers” that must be removed in order to de-identify protected health information. State security breach notification laws define personal information, but those laws do not include IP address, MAC address, or other device identifier as PII.
  • The FTC’s view. In April, Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, wrote on the FTC’s business blog about cross-device tracking. In her remarks, she restated the FTC’s long-held position that data is personally identifiable, “and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.” She then specifically cited the FTC’s 2013 amendments to the COPPA Rule as an example of this in practice. Director Rich’s comments signal that the FTC views IP and MAC addresses, and other unique device identifiers, in a similar manner as the Office of the Privacy Commissioner of Canada — if it can be associated with an identifiable individual, it should be considered personal information.
  • Google’s View. It is also worth looking at Google’s definition from its privacy policy, given Google’s prominence as a collector and user of consumer personal information. Google defines personal information to include both information that personally identifies a person, as well “other data which can be reasonably linked to such information by Google, such as information we associate with your Google account.” This is essentially the FTC’s view, with a reasonableness standard.

Given all this, what should US businesses do?

  • Consider using a term to define IP addresses, MAC addresses, and other user device identifiers which identify a thing, not a person, but can be linked to an individual depending on what information is collected or obtained about that individual. I call this information linkable information.
    If linkable information is, or reasonably can be, associated or linked with an identifiable individual in your records, it becomes personal information.
  • Think of your driver’s license and your license plate as things. Your drivers’ license has your name, photo, and other information, so it identifies you. Therefore, a copy of your license would be personal information. On the other hand, your license plate by itself identifies a thing (your vehicle), and therefore by itself is linkable information, but not personal information. However, if your license plate is contained in a list of names and associated license plates maintained by a company, the license plate is associated with you, and therefore the company should handle it as personal information. Similarly, your phone number identifies a thing (your phone, not you, as you can let anyone use your phone) and therefore is linkable information; if your number is linked with an identifiable individual (e.g., the number is associated with a recording an individual’s voice on a phone call), the phone number becomes personal information.
  • An IP address in a server log, by itself, is linkable information not linked or associated with an individual, and therefore not personal information. However, an IP address as part of an electronic signature record, where the IP address is collected and stored with a person’s name, time/date stamp of acceptance, and IP address are collected, would be personal information.
  • If your company’s privacy policy defines personal information to include device identifiers such as IP addresses and MAC addresses, or defines when device identifiers would be considered personal information, ensure you are doing what your privacy policy says you will do. Failing to comply with a stated privacy policy can give rise to an FTC investigation and/or complaint under §5 of the FTC Act, as well as state AG investigations/actions and private litigation.
  • If you collect information from European consumers, given the extra-territorial reach of the upcoming Regulation US companies should carefully watch how IP and MAC addresses fall into the EU’s definition of personal data, and determine whether it needs to comply with Europe’s approach.
  • If you collect IP address information from a child under 13 through a website or app governed by COPPA, by law it’s personal information.
  • Talk to your IT group about whether you collect any device information, such as IP or MAC addresses, that could be linkable information, and analyze whether that data is linked or associated with personal information in your systems.

Are Your Website and App Legal Disclosures Saying Enough (Or Too Much)?

Almost every business has an online presence of some form. Many have a website which serves as anything from an online company brochure to a fully-featured online store or customer/vendor/user portal. Some have apps available through Google Play Store, the Apple App Store, or other app stores. A number of companies spend significant sums on their websites and apps to design robust features and content delivered through a compelling user experience. But if there’s one place website and app operators miss the mark, it’s ensuring the right legal disclosures are in place, and that the ones that are in place are saying the right things.

When most people think of a website or app disclosure, they think of a privacy policy and terms of use. These are definitely important. However, There are a number of other disclosures required or recommended under federal and state law that companies should consider to manage risk and avoid potentially distracting and costly litigation.  At the same time, saying too much in disclosures such as your privacy policy can expose your company to unnecessary risk.

There are four core rules that should apply to all website disclosures:

  1. Write them in plain English.
  2. Avoid using undefined technical jargon and using marketing bluster.
  3. Make them easy to understand and use.
  4. Make them 100% accurate and truthful.

Consider having your company’s User Experience group review your disclosures and policies to ensure they are as easy to read and navigate as possible. Consider using design elements such as progressive reduction and progressive disclosure (you can see my earlier blog post on this topic by clicking here.) The goal is to ensure consumers easily understand your disclosures. If you ever have an issue with a term or provision in your disclosures, being able to argue that the content and design were optimized for easy reading and navigation can pay dividends.

Here are some website and app disclosures to consider:

  • The Privacy Policy.States such as California have laws requiring companies to have online privacy policy. Since almost every website is accessed by users in California, it’s safe to say you are legally required by state law to have a privacy policy. Companies in certain industries or sectors such as in the healthcare sector (HIPAA) and financial sector (Gramm-Leach-Bliley) have specific requirements for their privacy policies. A privacy policy is also required by law in some states on an information category basis, such as Connecticut’s requirement that anyone collecting Social Security Numbers have a publicly displayed privacy policy with certain required disclosures. Certain laws also mandate that you cover certain topics in your privacy policy (e.g., California’s requirement to disclose how you handle “do-not-track” headers, and California’s requirement to provide information on how minors who are your registered website users can request that you remove their personal information). Don’t forget that your privacy policy needs to apply to, and be displayed on, your company’s apps as well.

    A company’s privacy policy obligations can be summarized simply: say what you do, and do what you say. “Say what you do” means ensure your privacy policy fully describes how you collect, use, and share information (both personally identifiable information, such as your name and address, and non-personally identifiable information such as behavioral data) collected from or about your customers. “Do what you say” means ensuring your day-to-day business activities with respect to information collected from consumers falls within the boundaries of what you say you do in your privacy policy. Two important rules to follow are, (1) if you want to change how you collect, use or share information from consumers, make sure your privacy policy allows it first, and give prior notice to website users that your privacy policy is changing; and (2) if you want to change how you use information you’ve already collected from consumers, you’ll need permission from the consumers first. Always include an effective date on your privacy policy (again, a state law requirement).

    Look for a more detailed post on privacy policies coming soon.

  • Terms of Use/Terms of Service. Your terms of use (sometimes also referred to as “terms of service”) should describe the rights and obligations applicable to both your company’s website/app/online service users and to your company itself with respect to the operation and/or use of an online website, app, and/or online service. It should cover topics such as ownership of the website and company-provided content on it (including your copyrights, trademarks and licensed trademarks), and associated restrictions (e.g., no screen scraping website content); disclaimers of third party content, such as third party ad networks on your site, and language to prevent use of your company’s trademarks other content to create the appearance of sponsorship by or affiliation with a third party; whether or not you collect information from children under 13 (if you do, ensure you are complying with the Children’s Online Privacy Protection Act or “COPPA”); an obligation to report lost or stolen passwords and change passwords regularly; what you can do with user-generated content uploaded or shared to the website (e.g., a broad right and license to use it), and related terms (e.g., it’s provided royalty-free and with no license costs, that it doesn’t infringe anyone else’s rights, etc.); a feedback provision if users may provide feedback or comments; links to third party content; and important legal terms such as jurisdiction, choice of law, indemnification, and the like. Many website operators include an acceptable use policy as part of their Terms of Use/Terms of Service; some have a separate policy on their website.
  • DMCA Notice. If your website collects, displays, or otherwise uses or shares user-generated content, consider a copyright notice (also called a “DMCA notice”). The Digital Millennium Copyright Act creates a “safe harbor” from copyright infringement for websites operators who honor takedown requests and display on their website information for their designated “copyright agent” to which takedown requests can be sent. There’s more to the statute than that, so if you need a DMCA notice please review one of the multitude of articles out then on crafting a proper DMCA notice. Don’t forget that you need to register your designated copyright agent with the US Copyright Office by filing a “Designation of Copyright Agent” form.
  • California “Shine the Light” Notice. In 2005, California enacted the “Shine the Light” law as part of its Consumer Records Act. The law requires businesses to provide disclosures to California consumers of the types of customer information they share with third parties for the third party’s direct marketing purposes during the immediately preceding calendar year. If your business shares collected personal information with third parties for the third party’s direct marketing purposes and does business in California, with a few exceptions this law applies to you. Businesses are required to let customers know how to submit requests for this information. While there are a few options, the simplest for most businesses is to include a link on the company’s homepage to “Your California Privacy Rights” or “Your Privacy Rights” to a page describing customer’s rights under the “Shine the Light” law and the email/physical address to which requests should be sent. There has been an uptick in class action litigation recently against companies which do not have a “Shine the Light” disclosure on their website.
  • Terms of Sale. If you sell products through your website, consider using a Terms of Sale to govern the sales transaction. Terms of Sale typically include provisions such as placing an order; when it is accepted by the company; delivery and fulfillment terms; the return/cancellation policy; information on prices (e.g., subject to change without notice, not required to honor incorrect pricing); license rights to software; etc.
  • Warranties. One policy you may want to consider adding to your website are product warranties. Last year Congress passed, and President Obama signed, the E-Warranty Act of 2015. This law amended the 1975 Magnuson-Moss Warranty Act to allow companies to put their warranties online instead of including them on or in product packaging. The product documentation or packaging would need to include a link to the online warranty, instead of the warranty terms themselves. Companies that sell products that come with warranties should consider reviewing and taking advantage of the E-Warranty Act.
  • Supply Chains Notice.In 2010, California enacted the Transparency in Supply Chains Act. The law requires large retailers doing business in California (over $100 million in annual revenue identifying itself as a retail seller or manufacturer on their CA tax return) to post disclosures on their websites on their “efforts to eradicate slavery and human trafficking from their [direct] supply chain for tangible goods offered for sale” in five specific areas: verification, audits, certification, internal accountability, and training. It requires the disclosures be accessible through the company’s homepage via a “conspicuous and easily understood” link.
  • Be careful your disclosures aren’t saying too much. While having the right disclosures for your websites and apps is important, avoid saying too much. Remember, when it comes to disclosures, what you say can hurt you. Website disclosures are not the place for marketing puffery. If you make a statement such as “100% guaranteed,” “we encrypt all data,” or “we use best-in-the-industry [whatever],” and it turns out to be false or inaccurate, you can expect state AGs and the FTC (and class action counsel) may come knocking. Generally, one of the roles of the Federal Trade Commission is to ensure that companies are not engaging in unfair or deceptive trade practices. This extends to ensuring that companies are making accurate and truthful disclosures on their websites. Some states, such as Pennsylvania, have expressly included false and misleading privacy policy statements as a deceptive or fraudulent business practice.
  • At the extreme end of this, consider what has been happening in New Jersey. Class action counsel have been using an extremely broad interpretation of NJ’s largely-ignored-until-recently Truth in Consumer Contract, Warranty and Notice Act to go after companies operating business-to-consumer (B2C) websites. The law prohibits sellers from providing notices, terms, or contracts with provisions that violate “any clearly established legal right of a consumer or responsibility of a seller” under federal or state law (whether or not the consumer is happy with the purchase). Class action counsel are bringing suit under this statute stating that just displaying a website notice with a general limitation of liability, broad disclaimers of warranty, statements that certain terms such as warranty disclaimers may not apply to particular consumers without specifying whether NJ consumers are affected, or other limitations on a consumer’s rights is a violation of the statute. Most of these cases are settling before trial, but like other nuisance lawsuits they can end up costing your business considerable time and lost productivity if you end up facing one.

Most companies place their website disclosures at the bottom of the page in a footer. Do not bury them or make them hard to find.  Your policies should be accessible through no more than 2-3 clicks via a logical navigation path. While putting your disclosures in the footer makes sense and is very common, consumers may argue that they simply never saw the disclosures because they never scrolled down to the bottom. Consider also making website disclosures “contextual,” i.e., place policy and disclosure links in close proximity to the related usage. For example, on pages where you are actively collecting information, consider putting a link to the privacy policy right next to the “submit” button, or before a consumer places an order on your e-commerce website, add language verifying they have read and agree to your terms of sale and privacy policy. Consider providing a welcome message, with notice of your privacy policy and terms of use, to consumers visiting your website as a disappearing pop-up, e.g., one that appears for 3-4 seconds at the top of the webpage then fades out, similar to “cookie disclosures” on many EU-based websites.

Finally, consider working with IT to create simple shortcuts for your most common policies (e.g., “privacy.company.com” or “www.company.com/privacy” for your privacy policy) so you have a short and simple URL you can use where you need to direct consumers to your online disclosures.

Imitation is the Sincerest Form of Copyright Infringement

The Internet is a vast repository of knowledge and information. Fortunately, there are a number of search engines, websites and tools (including Google, Bing, Yahoo, Ask.com, Wikipedia, and GitHub) to help navigate the waters. When you are looking for something personally or professionally — a picture, audio clip, or video clip for a presentation, a font for a poster, a great article on a topic you want to share with your friends, samples of others’ software code to get past a development issue, song lyrics, etc. — in many cases what you are looking for is just a few clicks and/or searches away. But once you’ve found it online, can you use it? To answer that question, let’s start by debunking a couple of myths.

Myth #1 – If it’s on the Internet, it’s free for anyone to use. Many people think “public domain” and “free to use” is synonymous with “on the Internet.” It’s not. The Internet is an incredible tool for communicating and sharing information. However, the Internet does not negate or trump intellectual property ownership rights. Just because someone posted content online does not automatically mean it’s actually free for anyone to copy and use it for any purpose. In almost all cases, posting something online does not automatically cancel any intellectual property rights held by the owner of the content, including copyright and rights of publicity. The Recording Industry Association of America’s war on consumer music file sharing through peer-to-peer file sharing networks (remember the original Napster?) is a great reminder that people who copy and reuse the copyrighted works of others may be held liable for doing so.

Myth #2 – If I don’t see a copyright notice, it’s not protected by copyright.Under the Berne Convention, an international agreement governing copyright, copyright protections apply once something is created physically or digitally and saved (“fixed in a tangible medium of expression” is the formal term), even if there’s no copyright notice on the protected work. (Registering a copyright with the US Copyright Office and including a copyright attribution, e.g., “© 2016 Eric Lambert,” gives you additional rights such as the potential for significant statutory damages.) Copyright protections include the exclusive right to control copying, public performance, or many other use the work by third parties. If someone re-posts copyrighted content without any ownership notice or attribution, it is still protected by copyright and that poster would likely be liable for copyright infringement. However, if you use that content, even without knowledge that it was copyrighted, you could find yourself receiving a cease-and-desist letter or lawsuit for using it too, and your claim that you didn’t know your use was infringing may not save you from liability.

Now that we’ve debunked the myths, let’s talk about how and when you can use online content. Online content can be grouped into 3 categories:

  1. Copyrighted or Otherwise Protected Content. The first category is content that is clearly covered by copyright or other intellectual property protections like rights of publicity. This category includes things like content with a copyright notice on it; content used under a license (“used with permission”); content on a site with terms of use or another disclaimer restricting the ability to copy or reuse content without permission; pictures of celebrities; famous cartoon characters; and so on. If you want to use copyrighted or otherwise protected content, you need the permission of the copyright owner, i.e., a license to use it.
  2. “Fair Use” exception.  There is one important exception — the “fair use” exception — that provides a limited right to use copyrighted content for purposes such as commentary, criticism, scholarly research, news reporting, public classroom education, parody, or other “transformative” purposes (new meaning, added value, or a different manner of expression) without the copyright owner’s permission. The exception recognizes that in some cases, the benefit to society to allow use of a work outweighs the copyright holder’s rights to control use of the work. If it’s fair use, it’s not copyright infringement. However, there’s no definitive rule as to what is and is not fair use. Instead, courts look at four factors to determine fair use – (1) the purpose and character of the use(i.e., is it transformative, is it commercial or non-commercial, etc.), (2) the nature of the copyrighted work, (3) the amount and substantiality of the copyrighted work that is used(i.e., is it more than a “de minimis” portion of the work), and (4) the effect of the use on the potential market for, and value of, the copyrighted work).
  3. Open Source and “Public Licensed” Content.The second category of content is “open source” and “public licensed” content. “Open source” refers primarily to software — its computer software distributed under a license whose source code is available for modification or enhancement by anyone as long as the requirements of the license are followed. For more on open-source software, please see my earlier post on the topic.  You can use open source software you find online as long as you comply with the terms of the open source license.
  4. “Public licensed” content is content distributed under a similar license. It grants anyone certain rights to use the content in a way that would normally be prohibited under copyright law, as long as the use is within the boundaries of the license. These public licenses preserve the owner’s copyright in the content, but cede certain rights to anyone who wants to use the content. The most common public licenses are the six Creative Commons licenses. Creative Commons licenses give anyone the right to use content for noncommercial purposes with attribution to the content owner, and depending on the type of license, may additionally be able to use the content commercially, create derivative works from the content, and/or share the content with others under the same license (“share-alike”). You can use public licensed content as long as you comply with the terms of the public license.
  5. Everything Else – “Murky Content”. The third category is everything else — anything not clearly subject to copyright or other IP protection, and not clearly open source or public licensed (let’s call it “murky content”). This is the content that causes the most trouble, because Internet users may have no way to know whether something they find online that looks like it’s free to use is actually subject to copyright or other intellectual property protection, or is governed by a public or open source license. In this case, you need to make a judgment/risk call whether to use murky content.  Generally, using murky content for commercial purposes carries the most risk, and using it non-commercially carries the least. Most people don’t create and freely share content for the fun of it — they derive value from it. If murky content looks like something someone would want to monetize, it’s likely protected content requiring some form of license to use. There’s no sure way to gauge the risk of using murky content — the only way you’ll ever know for use is if you get in trouble for using it, and by then it’s too late.
  6. Some argue there is an “implied license” to use online content which protects users of online content. They argue that if a content owner posts content on their website or makes it available through Google, promotes links to the content through methods such as social media buttons, and does not restrict the ability to copy the content (e.g., no disabling of the ability to save or “screen scrape” content), the content owner is implying that it’s OK to reuse it. The biggest issue with the “implied license” argument is that like fair use there’s no easy way to know if it applies or not — you have to make a judgment call. It’s also important to note that the implied license argument assumes that the content was posted by the content owner.  Courts may be very hesitant to embrace this concept as it would mean significantly watering down copyright protection for online content.

Don’t forget photos may bring up not just copyright issues, but rights of publicity as well. If you use someone’s picture found online to promote your product or service, not only could you face a copyright suit from the copyright owner of the photo, the subject of the photo could have a claim against you using their name or likeness in a commercial manner without their consent. It’s also worth noting that using images of a cartoon or corporate logo grabbed from the Internet could also create trademark infringement or trademark dilution issues.

Finally, as you navigate the world of online content, keep these simple rules in mind:

  • Check the applicable terms and policies before using web-based content. If you find content you want to reuse on a website or online service, check the Terms of Use, Applicable Use Policy, or similar terms or policy for ownership, license, or usage rights language that could give you the right, or restrict your right, to use the content.
  • Use license filters when searching images. If you’re searching for images on Bing Images or Google Images, you can filter your search by license type (e.g., in Google Images, if you click “Search Tools” you can search by “Usage Rights” such as “Labeled for reuse with modification,” “Labeled for reuse,” “Labeled for noncommercial reuse with modification,” and “Labeled for noncommercial use.” Keep in mind that license information may be wrong, but you’ll have an argument that you relied on the license type filter.
  • If it looks professionally done, it probably is. If you find content online that looks like it was made by a pro, it probably was. If there’s no license associated with professional-looking content, there’s a reasonable chance that someone else redistributed it without the ownership or copyright attribution. Also, if you can’t easily save content (e.g., the “save as” in the right-click context menu or the “copy” function for the browser is disabled on that website), it’s likely because the content owner does not want people capturing or “screen scraping” their content.
  • Just because it’s protected doesn’t mean you can’t use it. Finally, don’t forget that many copyright owners are willing to grant a license to use their work if you ask them. Some may just want the exposure and ask for an attribution; some may want a license fee. A little internet sleuthing can uncover the owner’s email address or other contact information for contact purposes. If you like the content and are willing to obtain a license to use it, make sure the license you receive is broad enough for the way you intend to use the content or work, both today and in the foreseeable future.

Don’t Overlook These 6 Important Contract Clauses

Managing the review and negotiation of contracts involves regular stack ranking of projects. With many agreements to review and other job responsibilities for both in-house counsel and business counterparts alike, the value or strategic importance of the agreement often determines the amount of attention it receives. Given this, attorneys and their business counterparts generally do not have time for a “deep dive” into every nook and cranny of an agreement under negotiation. They focus their available resources on the big-ticket items — obligations of the parties, termination rights, ownership, confidentiality, indemnification/limitation of liability, and the like — and may only have time for a cursory review (at best) of other contract terms that appear in most agreements, called the “legal boilerplate.”

If you have a little extra time to spend on an agreement, here are six clauses that are worth a closer review. Why these? If worded improperly, each of these clauses can have a significant adverse impact on your company in the event of an issue or dispute involving that clause.

(1) the Notices clause.Failure to provide timely notice can case major issues. So can failing to receive a notice that was properly served. If mail can take some time to be routed internally, consider avoiding certified or first-class mail as a method of service. Personal delivery and nationally or internationally recognized express courier service (FedEx, UPS, DHL, etc.) with signature required on delivery are always good choices. Notice by confirmed fax or by email to a role address (e.g., “legal@abc.com”) are also options to consider, either as a primary method of notice or as a required courtesy copy of the official notice. Use a role and not a named person in the ATTN: line – if the named person leaves, routing of the notice may be delayed. Consider requiring that a copy of every notice be sent to your legal counsel. Consider whether to make notice effective on delivery, versus effective a fixed number of days after sending (whether or not actually received). It is also worth considering making notice effective on a refused delivery attempt – the other side should not be able to refuse a package to avoid being served with notice. Ensure delivery is established by the delivery receipt or supporting records.

(2) the Dispute Resolution clause. Ensure the agreement’s dispute resolution mechanism (litigation vs. arbitration), and any dispute escalation language, is right for your company given the potential claims and damages that could come into play if you have a dispute. Make sure you’re OK with the state whose law governs the agreement (and ensure it applies without regard to or application of its conflicts-of-laws provisions). If neither home state law is acceptable, consider a “neutral” jurisdiction with well-developed common law governing contracts e.g., New York. Ensure you’re OK with the venue — consider whether it is non-exclusive (claims can be brought there) or exclusive (claims can only be brought there), and whether a “defendant’s home court” clause might be appropriate (a proceeding must be brought in the defendant’s venue). Finally, ensure the parties’ rights to seek injunctive relief — an order to stop doing something, such as a temporary restraining order or injunction, or an order to compel someone to do something — are not too easy or hard to obtain. In some cases, whether a party needs to prove actual damages or post a bond in order to obtain an injunction can play a critical role.

(3) the Order of Precedence clause.If your agreement has multiple components (e.g., a master services agreement, separate Terms and Conditions, incorporated policies from a web site, service exhibits or addenda, statements of work, project specifications, change orders, etc.), which piece controls over another can become critically important if there is a conflict between the two (e.g., liability is capped in Terms and Conditions, but unlimited in a Statement of Work). Ensure the order of precedence works for you. Consider whether to allow an override of the order of precedence if expressly and mutually agreed to in an otherwise non-controlling contract component. Don’t forget about purchase orders — they often have standard terms which can conflict with or override the contract terms unless they are specifically excluded. If you are negotiating a SaaS agreement, consider how acceptable use policies, terms of use, and other online policies may relate to the agreement. Watch out for other agreements/terms incorporated by reference, or on the other hand, consider incorporating your standard terms and having them control in the event of conflicting terms.

(4) the Assignment/Change of Control clause. If consent to assignment or a change of control is required, the clause can create significant headaches and delays during an M&A closing process or during a corporate reorganization. A client or vendor with “veto power” could leverage that power to get out of the contract, or to obtain concessions/renegotiated terms. Consider whether to include appropriate exclusions from consent in the event of a reorganization or change of control, but keep a notice requirement. Consider whether a parental guaranty is an appropriate trade-off for waiving consent. Also consider whether consent is needed in a transaction where the party continues to do business in the same manner it did before (e.g., change of control of a parent company only).

(5) the Subcontractor clause. Ensure you have approval rights over subcontractors where necessary and appropriate, especially if they are performing material obligations under the agreement or will have access to customer data or your systems. A service provider may not be willing or able to give an approval right to a subcontractor providing services across multiple clients, but may be OK with approval of a subcontractor providing services exclusively or substantially for your company. Include the ability to do due diligence on the subcontractor; remember that subcontractors can be an attack route for hackers seeking to compromise a company’s network. Ensure a party is fully liable for all acts and omissions of the contractor. Consider pushing security obligations through to the subcontractor. Require subcontractors to provide phishing training.  Consider limitations on what obligations of the other party can be subcontracted.

(6) the Non-Solicitation clause. Consider limiting a non-solicitation clause to those employees key to each party’s performance under the agreement, and other named personnel such as executive sponsors or corporate officers. Most often, neither party can live up to a clause that covers every employee at the company. Ensure there are appropriate exclusions for responses to job postings, recruiter introductions, and contact initiated by the covered party. Consider whether the clause prevents soliciting an employee as well as hiring them, and whether you want to restrict one or both.

Refresh your Contract Templates for Shorter Negotiations and Happier Clients/Customers

The old adage “if it isn’t broke, don’t fix it” was never meant for contract templates.  Businesses and business processes are always changing and evolving, and contracts need to change and evolve along with them. Over time, your contract will diverge from your marketing materials and sales proposals, the current operational reality of your business, and/or your company’s current risk profile.  When that happens, the contract may slow down a fast-moving customer sale by prolonging the negotiation cycle as you work through the inconsistencies or outdated commitments, or worse, a client or customer may look to hold your company to perform obligations you can’t satisfy as written.  Refreshing your contract template helps ensure you are keeping the negotiation cycle as short as possible and ensuring what you commit to contractually aligns with your actual performance under the agreement, which contributes to a positive client/customer relationship.

Setting Refresh Goals.  The first thing to do when starting a contract refresh cycle is to ensure the business and legal teams are aligned on the goals of the contract refresh.  In most cases, the goals include:

  • To ensure the contract template accurately reflects the operational reality of the business;
  • To shorten and clarify the contract template;
  • To make contract negotiations go more quickly and smoothly;
  • To remove as many ambiguous terms from the contract template as possible; and
  • To ensure the contract template is as fair and balanced as possible while protecting your company’s interests.

Once your goals are set, the following steps can help you get the most out of your contract refresh.  Keep your refresh goals in mind as you go through each of these steps.

  1. Re-evaluate (and if needed, optimize) the contract model.Take a look at the core model of your contract.  Is it a Master Services Agreement with Statements of Work, Project Assignments or Service Orders?  One single contract containing terms for all products and services offered by the company with a checklist and pricing to select the products and services to be provided? The first step in a contract refresh is to ensure the contract model is the best one for your business and the business offering. The contract model should present the terms for your product or service in the simplest way possible, while allowing for flexibility of adding on services if needed. Your current model may be the right one for your business, but it’s important to ask the question.  For example, if your clients/customers consistently try to push their own paper on you with a different contracting model, think about whether their model (or elements of it) might make sense for your business.While you want to ensure your agreement anticipates how you’ll do business generally for the next 12-24 months, be careful trying to “future-proof” your contract by adding terms for service offerings you plan to roll out in the future.  You don’t want to make the agreement longer than it needs to be, and until the service offering is finalized the terms relating to it may change, meaning the terms you put into the contract will need to be changed anyway.  In this case, design your template with add-on services in mind so they can be added later.  Also, consider whether on-line terms, or an online policy such as an acceptable use policy referenced in and incorporated by reference into the Agreement, may help streamline the contract and allow for greater flexibility in changing those terms to reflect changes in your business.The appearance and readability of your contract matters just as much as the content and model. Ensure the contract is readable — use a common font and a readable font size.  Be sure to use headers and footers with page numbers and a confidentiality legend if appropriate. If you don’t use version numbers on your templates, consider adding version numbers to make sure you can easily track different versions of your contract templates (e.g., v2016.02.24 for the version released on February 24, 2016).  Consider running your template by your marketing department for their suggestions on making it look good.
  2. Confirm alignment with the sales proposal and marketing collateral. It’s a good idea to compare the contract template against the sales proposal and your company’s corporate website and marketing collateral. While there is always marketing fluff in sales proposals and marketing, ensure that the contract accurately reflects the proposal terms and commitments in marketing materials. If there are inconsistencies, ensure they are resolved.  Few things will cause a contract negotiation to bog down right out of the gate than the other side thinking the terms in the contract don’t match the terms in the proposal or the company’s marketing collateral that led them to want to do business with your company.Consider gathering all of the pricing and key business terms into one section or appendix.  Having pricing and key business terms scattered throughout an agreement can be very confusing.  The pricing and key business terms in the contract should match up to those in your sales proposal or deal term sheet, and where possible should follow a consistent format, structure and layout.  That way, when the other side receives your contract and compares the contract terms to the proposal or term sheet, they’ll see a 1:1 match which can help keep positive momentum going.
  3. Review previous redlines, look at previous business disputes, and talk to sales personnel.Quite often, there are standard compromise or fallback positions that become commonly used in negotiation as the contract template diverges from the operational reality and/or company risk profile.  Go back through previous redlines to identify compromises or fallback provisions that are agreed to on a regular basis. Consider whether that fallback provision should become the new standard provision in the agreement to remove it as a common negotiating point. Also, look at any business disputes you’ve had with your clients/customers that arose from or related to an ambiguity or issue in the contract, and look at any resulting operational changes that were made. Consider whether revisions to the contract would help avoid similar disputes in the future or better reflect the revised operational process.Talk to sales personnel involved in the negotiation of agreements based on the template, either individually or as a group, for their input on what sections are most frequently negotiated.  Identify terms or provisions in the agreement that are regularly negotiated – e.g., the non-solicitation provision, press release language, security and data breach language, termination for convenience language, indemnities, limitation of liability, etc.  Look at those terms/provisions to see if there is an alternative provision, or alternative wording, that works for your company and will eliminate the need to negotiate that point every time.  For example, if your contractual payment terms are net 15 but most parties ask for net 30, and you don’t really charge interest on late payments until they are at least 30 days past due (45 days from invoice date), it may be worth changing the payment terms to net 30 in the contract to eliminate this negotiation point.
  4. Streamline and simplify the template. Review the contract template to streamline and simplify it as much as possible. Don’t say something in three sentences that can be said in one.  Use a defined term to avoid having to repeat a lengthy phrase throughout the agreement.  Avoid including fluff in the agreement, such as a full page of WHEREAS clauses, unless there’s a compelling need for it. Ask people at your company who don’t normally read contracts to read it and highlight any language that seems confusing, and see if clarifying revisions make sense.  Avoid legalese wherever possible. Ensuring your contract is as clear as possible helps avoid disputes with your clients/customers by minimizing the chance that an ambiguous term is interpreted differently by the parties (or worse, that a party relies on that interpretation to take a particular course of action that can’t easily be undone).
  5. Validate the pricing and terms/obligations with stakeholders.Obtain (or make) a list of all of the department heads and business owners in your company whose team/group/division has operational responsibility for terms in the agreement (for simplicity, we’ll call these department heads and business owners “stakeholders”).  The review should include not only the business terms with business stakeholders, but also the legal and risk allocation terms (e.g., representations/warranties, indemnifications, disclaimer of warranties, limitation of liability, etc.) with legal and compliance stakeholders.Mark up a copy of the template to identify which pricing and business terms and obligations are tied to which stakeholders.  Circulate the draft to each stakeholder, and set up a meeting with each to review, modify and obtain sign-off on contract language and provisions related to that stakeholder.  If you’ve already identified potential changes to streamline the contract (such as in #3 or #4 above), review those with the stakeholder to obtain buy-in, and ask the stakeholder if they have any additional suggestions on ways to streamline and simplify the agreement terms relevant to that Stakeholder. If a stakeholder indicates that your company doesn’t really do what a particular contract provision says, either remove the obligation from the agreement or ensure the stakeholder commits to the company’s performance of that obligation.

A few closing thoughts:

  • Once the contract refresh is complete, determine who needs to sign off on the new template before it’s introduced for use, and obtain their approval to start using the new template.
  • Consider using communication plan to introduce the refreshed template to personnel involved in negotiating the agreement such as your sales and Finance teams.  Also consider whether the creation of a companion explanatory document such as a contract FAQ, or embedded comments in the draft itself, would help your clients/customers better understand your agreement and further shorten the negotiation cycle.
  • If you are updating a set of online terms or an online agreement where the changes will automatically apply, ensure you follow any notice requirements for amendments or changes to the agreement.
  • Make sure you archive a copy of the contract template being refreshed.  You may need to refer to it later, e.g., if there is a client/customer dispute involving the older template.
  • Finally, set a regular review cycle (ideally no less than once a quarter) to check with Stakeholders and ensure there have been no major changes from a business or legal perspective that require changes to the agreement template.