Header graphic for print

The Law Behind the Apple vs. FBI iPhone Unlocking Debate

By now, you have probably read about how the FBI is asking Apple to create software that would help the FBI unlock the iPhone of one of the deceased San Bernadino attackers. You have probably heard the talking heads scream about the privacy vs. security policy debate, but what law is at play?

The All Writs Act

You may have even heard the government is relying upon the All Writs of Act which was passed in 1789. Three years of law school and sixteen years of practice and I had not heard of the All Writs Act at 28 . § 165U.S.C.  Surprisingly, it is very short:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction. 

The purpose of the law is to fill in the gaps to give courts the power to enforce their orders and subpoenas.  Obviously, the use of the All Writs Acts has to be “agreeable to the usages and principles of law.”

How We Got Here

On February 16, 2016, the government received an ex parte order (which means without having anyone from Apple or anyone else arguing against the request) requiring Apple to provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data.” The order then lists what the court considers “reasonable technical assistance” including the oft-discussed decryption key that needs to be created to help unlock the phone. A copy of the order is here:  SB-Shooter-Order-Compelling-Apple-Asst-iPhone.

Apple’s Legal Argument

download (2)Apple primarily argues that Congress has already decided tech companies like Apple cannot be forced to provide access to encrypted devices. Apple’s brief is here. Specifically, Apple cites to the 1994 Communications Assistance for Law Enforcement Act at 47 U.S.C. § 1001, et seq.  CALEA, Apple argues,  specifically states that electronic communication service providers and mobile phone manufacturers cannot be forced to “implement any specific design of its equipment, facilities, services or system configuration” to unlock or decrypt phones.

Apple then argues that Congress has considered amendments to CALEA, but decided not to amend the 1994 law to require so-called back doors to encrypted devices or programs. According to the brief, “Congress, keenly aware of and focusing on the specific area of dispute here, thus opted not to provide authority to compel companies like Apple to assist law enforcement with respect to data stored on a smartphone the designed and manufactured.”

Case Law on the All Writs Act

The U.S. Supreme Court spelled out the test for whether the All Writs Act could be used in U.S. v. New York Telephone, 435 U.S. 159 (1977). In that case, the Court required the phone company to install a pin register device on two telephone lines.

The Court provided a three-part test:

(1) is the company so far removed from the controversey that its assistance could not be reasonably compelled?

(2) What is the burden on the company whose assistance is sought?

(3) Are there other alternatives?

In light of those factors, Apple argues:

(1) the company does not own or control or the phone or the data the government is seeking;

(2) It would be difficult for Apple to build the requested unlocking key and Apple does not want to for marketing and concerns about additional requests in the future.  Apple says it would take six to ten employees two to four weeks to develop it.

(3) The government made it more difficult when they changed the iCloud password and did not prove that the government exhausted all of the available digital forensics resources available to them.

Finally, Apple contends forcing them to create software would force them into compelled speech in violation of the First Amendment and would constitute an unlawful arbitrary action against Apple without due process in violation of the Fifth Amendment.

The Department of Justice’s Response

FBI-1In its response, the Government tried to shift the focus back to the specific facts of this case and this one phone in light of the three-part test and away from a greater policy argument.

The government says that just because Congress did not make any changes to CALEA does not mean the All Writs Act does not apply to fill in the gap as it has been used a number of times to require companies to unlock phones and other devices.

Regarding the three factors from the New York Telephone case,

(1) Apple purposefully licensed the operating system in the phone that allowed for encryption, so Apple’s involvement is sufficient.  Involvement does not mean a company participated or even specifically knew there was criminal conduct. It only requires that Apple be “closely connected” to the crime.

(2) While the burden to create the software might be burdensome on a small company, the Government says it would not be unreasonable for Apple which encrypted the software in the first place.  The Government would compensate Apple and work to minimize the burden.

(3) The FBI says it cannot unlock the phone without Apple because Apple built the code to prevent any access. They claim the fact that Apple cannot access it without building something new proves Apple is necessary.

Apple can file a response on March 15 and the hearing is scheduled for March 22.

Presentations This Week on Online Influencers, Start-Up Grind Houston and Social Media Law

You can attend any one of this events this week.

Legal Issues Related to Online Marketing Influencers

First is the Houston Bar Association Sports & Entertainment Law Section CLE Luncheon.  It is later today (March 8) at 11:45:00-1:00 at McCormick & Schmick’s in Uptown Park.  The public is welcome to attend, but it would be helpful to rsvp here. The cost to non-members for the lunch is $30.

Although the topic is the Legal Issues Related to Online Marketing Influencers, I am more interested in learning from my co-presenters, the founders Blurbiz who will talk about the business side and demonstrate how they are helping connect brands to online influencers on SnapChat.

Start-Up Grind Houston

Start-Up GrindGray Reed & McGraw, P.C. is hosting Wednesday night’s Start-Up Grind Houston event with Brittany Bly, the founder of Pop Shop America. Brittany is one of Houston’s successful female startup entrepreneurs. As the creator of Pop Shop America, she organizes 600+ designers, artists, and craft entrepreneurs at events with 20,000+ attendees annually.  Drinks start at 6:00 at our office and the fireside chat begins at 7:00.  You can register and find out more information here.

Mastering Cyber Law, Social Media & Data Security CLE

On Thursday, March 10, 2016, I will be presenting with two others at a 90-minute Rossdale telephone CLE beginning at 11:00 a.m. Central.  From Rossdale, “The rapid proliferation of the internet, social media, data privacy & protection has quickly increased the demand for attorneys proficient in the latest tools in this rapidly developing area of law. Today, more than ever, cyber & data law require a mastering of the skills, techniques, and insights needed to successfully counsel clients in this hot, expanding practice. The nationally respected faculty on this Rossdale seminar will describe the current developments in information and network privacy, regulatory compliance, cyber risks, & latest court decisions. Our expert faculty will also cover online defamation, consumer reviews, indentifying sources of posted information and the most current legal developments involving social media. Registration includes course and reference materials that serve as a helpful guide to the numerous topics and techniques discussed in this convenient, telephonic seminar.”

You can find out more here.

Does My Website Need to Be ADA Compliant?

Your website looks good, is functional and provides a great user experience. But, can a disabled person use it? Can a visually-impaired person understand what your photos and other non-text aspects of your website are and do? If not, you may need to make some changes or you may receive a letter from lawyers threatening Americans with Disability Act, or ADA, claims.ADA

When most people think of the ADA, they think of wheelchair ramps and braille on signs to enhance access by impaired individuals. The law may also apply to your website. And, even if it does not apply under current law, the Department of Justice is looking to interpret the law so it applies to commercial websites in the near future.

Existing Basic ADA Law

To state a private claim under the ADA, a plaintiff must allege (1) that she is disabled within the meaning of the ADA, (2) that the defendant owns, leases, or operates a place of public accommodation, and (3) that the defendant discriminated against her by denying her a full and equal opportunity to enjoy the services the defendant provides.

The legal issue for websites is whether website operators are operating “a place of public accommodation.” The statute lists 12 different types of public accommodations including somewhat of a catchall that includes “other sales or rental establishment.” The list, created when the law was passed in 1988, conceivably covers most commercial establishments, but does not expressly include websites.

Courts have essentially taken three positions when approached with this issue. Some courts take the position that the ADA applies to all commercial sites because the law was meant to protect disabled individuals from having a more difficult time than able-bodied individuals from doing business. That is why the website Scribd was unable to get a case summarily dismissed and ended up settling.

The second approach holds that if website has a “nexus” or connection to a physical location (such as a store website), then the ADA applies. Facebook escaped liability in a 2011 California case on these grounds. Target and Home Depot did not.

The third approach simply holds that the ADA only applies to physical places.

What happens if you get a demand letter or are sued?

So right now, the law is somewhat murky on whether the ADA applies to your site and may depend on where you are sued. As explained below, that may change in the future. But, what do you do now?

The good news for potential defendants is that the only remedies available in private ADA suits are injunctions that force you to come into compliance and attorneys’ fees. If the Department of Justice gets involved, they can seek civil fines and penalties. Hence, you need to do the risk/benefit analysis as to whether it is worth challenging the claim or not. This report says the lawsuits are on the rise.

In the meantime, up your compliance game

Getting dragged through a lawsuit is never a pleasant experience, so you may want to come into compliance before you become a target. The Department of Justice, the agency in charge of enforcing the ADA, is working to interpret the ADA to include commercial websites. The DOJ has delayed its anticipated new rules until fiscal year 2018.

Every indication is that they are going to interpret the ADA to apply to commercial websites. They are already moving that way with regard to government websites (Title II as opposed to Title III of the ADA) and they are going to monitor that interpretation while they consider applying the same rules to private commercial sites.

So what is compliance?

There is not sure-fire checklist to ensure 100% compliance. The DOJ has hinted that websites should aim to conform to the Website Content Accessibility Guidelines (WCAG) 2.0, Levels A and AA. Most advocacy groups also encourage websites to satisfy those standards.

As these claims become more prevalent, the WCAG 2.0 or similar standards will become  just as familiar as including SEO elements into new sites. These standards include the use of “alt-text” features which allows screen reader technology to convert text to audio for the visually impaired.

If you are a website developer, you should start building sites following these WCAG 2.0 standards. If you operate a commercial website, you may want to give your web developer a call.

GUEST POST: David Lisch on the Basics of Intellectual Property Law for Start-Ups (Part 2-Patents)

Guest Post: Gray Reed intellectual property attorney David Lisch provides this two part Lisch_111x105series on Basics of Intellectual Property Law for Start-Ups. Part one focused on trademarks and entity formation. This part focuses on patent law.

Patent Protection

A patent protects “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof” 35 U.S.C. § 101. Unlike trademarks, which protect a brand name and recognition, a patent protects an invention, including functionality or design thereof. A patent gives the owner the exclusive right to manufacture products or employ processes covered by the patent for 20 years from the earliest priority date.

1. Do a Prior Art Search

Prior to filing a patent application, a business may elect to perform a prior art search to become informed of possible prior art which may be cited against the invention and/or preclude patentability. Moreover, it may assist the drafting attorney to craft claims which capture the invention but avoid overlapping with potential prior art, thus (hopefully) reducing the likelihood of the application being issued one or more office actions which will incur additional costs for the attorney to draft a response to.

2. Know your deadlines

The urgency of filing for a patent application wholly depends on when the first public disclosure, public use, or sale occurred. See 35 U.S.C. § 102. In the United States, there is a one-year grace period after such occurrence to file either a provisional or nonprovisional patent application. A provisional patent application may be filed to establish a “filing date,” and usually costs significantly less than a nonprovisional due to requiring less time to draft. Filing a provisional application will give the business one year to test the market and explore if filling a nonprovisional patent application is worthwhile. However, the follow-on nonprovisional patent application must be filed within that one year timeframe of filing the provisional application and claim benefit thereto, or the provisional application will become prior art to any future patent applications for the same invention.

3. Know what is not patentable

There are a few judicially created exceptions which preclude patentability, including if a claim is directed to a law of nature, a natural phenomenon, or an abstract idea. This last exception of being an abstract idea is particularly relevant to web based companies due to the likely desire of patenting search or coding algorithms and other software and/or business method related inventions. More specifically, these areas have received significant attention since June 19, 2014, when the Supreme Court decided Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 1247 (2014). This article (Wave Of USPTO Alice Rejections Has Cos. Tweaking Strategies) succinctly explains the current state of the U.S. Patent and Trademark Office, and the likelihood of obtaining a software or business method patent. A few quotable comments include:

“In recent months, USPTO patent examiners who handle applications in the area of e-commerce have been rejecting more than 90 percent of applications under Alice”

“It has become clear from the statistics that applications for patents on ways of performing business methods more efficiently using a computer face a difficult or nearly impossible path at the USPTO.”

While keeping this article to the fundamentals, it is worth noting some exceptions to the above may apply depending on the timeline of development of the part or invention being claimed, along with if any public uses were “experimental,” however that is beyond the scope of this article. Moreover, it is a best practice to not have to rely on these exceptions in the first place. Additionally, while the one-year grace period applies to the United States, such first disclosures may bar protection in other jurisdictions, such as Europe, Japan, and China, which employ a worldwide “absolute novelty” rule (any disclosure worldwide prior to filing the patent application, even a disclosure by the applicant, may be cited as prior art, thus possibly barring patentability).

 

 

GUEST POST: David Lisch on the Basics of Intellectual Property Law for Start-Ups (Part 1)

Lisch_111x105Guest Post: Gray Reed intellectual property attorney David Lisch provides this two part series on Basics of Intellectual Property Law for Start-Ups. Part one focuses on trademarks and entity formation

Trademarks

At one point or another, all companies will be faced with the decision if, and how much, to invest in intellectual property protection. Let’s start with trademarks.

A trademark is a word, phrase, symbol, and/or design that identifies and distinguishes the source of the goods of one party from those of others. A “service” mark distinguishes the source of a service, rather than a good, but the two are typically simply referred to as a “trademark” or “mark”.

There are two typical methods of filing a trademark: 1) when the mark is in use, filing a “use-based” or “Section 1(a)” application; and 2) when the mark is not in use yet (e.g., prior to forming the company or selling finished product), filing an “intent-to-use” or “Section 1(b)” application. For the latter, an “extension of time” must be filed every 6 months (for up to a cumulative time of 3 years) until the trademark is in use, otherwise the application will expire and a new application must be filed. The policy behind this is to avoid people “squatting” on a trademark for extended periods of time. Once the trademark is in use, a “statement of use” is filed with a specimen (example) showing the mark as used in connection with the described goods or services.

One should file a trademark prior to, or near the conception of a business. A trademark is relatively inexpensive, typically costing $225 in USPTO fees plus some time for an attorney to do brief search for potentially conflicting marks, search for which “classes” the mark should be filed in, and actually filing the mark. It is advantageous for a business to file a trademark early in the business cycle to assure (to the extent possible) that their mark is not conflicting with another’s mark. If such a conflict does occur, it is substantially cheaper to change the company name and perform rebranding early on. Moreover, if there are no conflicting marks, the company assures others will be precluded from filing “confusingly similar” marks.

While possible to file a pro-se trademark application, it is highly recommended to hire an attorney due to inflexibility of the rules regarding trademarks. For example, importantly, in general, the trademark should be filed under the entity name, not an individual’s name. This is because, while an individual may be the sole owner, CEO, President, etc. of a company, it is the company which has an intent-to-use, or is currently using the trademark. Should the later occur, where the mark is filed in the name of an individual, the trademark may later be deemed void. 37 C.F.R. § 2.71(d); TMEP §§ 803.06, 1201.02(b) (“An application is void if it was filed in the name of a party who did not own, or was not entitled to use, the applied-for mark on the application filing date.”). Moreover, unfortunately, such an error cannot be cured by amendment or assignment. TMEP §§ 803.06, 1201.02(b). There are also rules limiting recourse and future actions after filing the above-mentioned statement of use and specimen which an attorney will be integrally familiar with.

In sum, it is highly advantageous to register for a trademark soon after formation of an entity or early in the business cycle to assure both availability and protection of the business name, logo, slogan or services.

P.S. We would be remiss by not mentioning that there are some common law and/or state law remedies available without filing a federal trademark, however those will be saved for another discussion.

Form an Entity First

As discussed above, but worth reiterating, it is advisable to form an entity prior to filing any intellectual property. With trademarks, the mark should be filed with the entity as the owner due to the law essentially prohibiting assignment or correction of an intent-to-use application. If filed incorrectly, the application may be deemed void, and all money and efforts are lost and a new trademark must be filed which can only claim a newer filing date, thus allowing a greater possibility of other preceding marks being conflicted.

A patent (further discussed in the next segment of this series) is slightly different in that the initial owner of the patent are the (joint) inventor(s). While a proper employment agreement will require the employee to assign rights to the company, such is not always the case, especially with startups who are likely focused on tackling other initial challenges when just opening shop. Even if this isn’t the case, assuming the inventors are still cordial and willing, the patent application (or granted patent) can be assigned to an entity at any point in time. It is advantageous to have this assignment executed earlier rather than later to assure the inventors are still on good-terms with each other and the company and will easily comply.

Lastly, having all intellectual property held by the entity enables a cleaner presentation to current and potential investors. The entity, or anyone representative thereof, can state there are no hurdles to owning the IP, and the IP can be easily transferred in a merger or acquisition of the entity.

In the next segment, David will provide the basics of patent law and its importance for a start-up.

 

Top Posts of 2015

In descending order, here were the top posts from 2015.

#7 Will Net Neutrality Kill the Internet 3.0?

In February, the FCC passed the net neutrality rules. This seems like one of those issues, like most, that seemed to be of epic importance at the time but resulted in much ado about nothing. That may be a result of the relatively even-handed approach taken by the FCC.

#6 Why You Care the E.U. Struck Down Safe Harbor Data Protection and What to Do About It

On the other end of the spectrum is a story that deservedly got the attention of data security geeks, but probably deserves more. Companies are still dealing with the uncertainty left in the wake of the E.U. decision’s to determine the U.S. does not take data security and privacy serious enough even when companies followed the Safe Harbor mechanism. Will recent events in Europe change their outlook on internet privacy?

#5 To Fire or Not to Fire for Employee’s Social Media Posts

This topic has been a popular one for a number of years now.  For more, take a look at what I wrote about firing employees for their social media content in 2012.

# 4 Texas Anti-SLAPP Law: The Expanding Scope of the Texas Citizen’s Participation Act

This was a five-part series (average popularity). The bottom line – The TCPA is broader than you think.

#3 Getting Pictures Off the Internet – Not Easy to Do

The headline is self-explanatory. Despite the difficulty, the post provides several suggestions you might want to consider.

#2 The Cards Hack the Astros – So What Law Applies?

Hot news always plays well. This story has somewhat quietly gone away. According to this November 4, 2015 report from the Houston Chronicle, the FBI is continuing to investigate which means the teams and Major League baseball are staying mum. The Cardinals did fire their director of scouting back in the summer.

#1 Mizzou: A Personal Note on Racism, Firings and a Free Press

Sticking with the hot news theme, this post received the most views. As a Mizzou alum and fan, ideally the school will make some reasonable changes and the story will fade into history. Just yesterday, I had to respond to a joke about how Mizzou is a racist campus. Short version – Mizzou is nothing more than a reflection of society as a whole as we deal with racism, student protests, free speech and political correctness. With a 2016 presidential election, I don’t think these themes will go away.  Hopefully, they won’t have to be associated so heavily with Mizzou in the new year.

Related – a look back at the most popular posts of 2014.

PiNG Podcast Interview on Protecting Your Content

CaptureMy friend Rachel Parker of Resonance Content Marketing interviewed me for her PiNG Blog and podcast.  For bloggers and other online content creators, we cover some do’s and don’ts on when you can borrow and what to do when someone has borrowed a little too much from you.  You can listen here.

Mizzou: A Personal Note on Racism, Firings and a Free Press

I have been watching the events at my alma mater that led to the resignation of MU System President Tim Wolfe and Chancellor R. Bowen Loftin from afar. While I had heard inklings of discontent, I had no idea it was at this point until the football team got involved.

73741_1401374325373_749181_nOn many levels, I am trying my best to understand all the nuance involved, but am having difficulty. I haven’t been back to campus for five years to, of course, watch a football game.

Do I believe there is racism in Columbia, Missouri? Probably. Just like there probably is anywhere else in society. As a white male, I am probably not in a position to fully understand.

From the published reports, the protesters’ complaints appear to be isolated events that were handled poorly by the school administration or without enough concern. Part of the students’ concerns centered on how their protest at the Homecoming Parade was handled which you can watch here.  Things also did not go well when Wolfe was confronted in Kansas City a few weeks later.

Another complaint centers on racist taunts by unknown passersby to the African American young man who was elected student body president and homecoming king. Painting an entire school as racist, a school that elects a gay African American student to be president and homecoming king, is unfair. You can read about the events that led to the resignations here.

Should the administration have handled it better? Obviously. Letting it get to the point where the football team threatened not to play means it wasn’t handled the right way and probably left the school with few options.

Were the protestors’ demands unreasonable? Probably. Asking the system president to write a handwritten apology to the Concerned Student 1950 demonstrators and hold a press conference reading the letter while acknowledging his “white male privilege” and admitting to “gross negligence” takes away from the otherwise legitimate concerns raised. To throw in some law in the discussion, demanding racial quotas for the faculty and staff (“We demand that by the academic year 2017/2018, the University of Missouri increases the percentage of black faculty and staff campuswide to 10%) is probably unconstitutional.

One of the students then began a public hunger strike until the demands were met. Then, the football team got involved and refused to play until the hunger strike ended.  Head coach Gary Pinkel supported his players. Was this the right move? It certainly moved the needle, but I worry about whether a handful of players and then the team, as a whole, were leveraged. It is both encouraging, and somewhat alarming, to see young men take their position of prestige as SEC college football players and use it to get involved. Will this set a precedent and where is the line? Reading Tigerboard (admittedly not a place for cool-headed, well-reasoned analysis), the fan reaction was certainly mixed.

LoftinAbout 24 hours after the football team’s actions became public, the president resigned followed by the chancellor. Although the chancellor’s resignation becomes effective at the end of the year and may have had more to do with issues other than the handling the student protests. Ironically, the football team may be worse off with a new chancellor less supportive of the athletics department.

In response, Mizzou has promised to implement changes within the next 90 days which include:

  • The creation of a new position for a Chief Diversity, Inclusion and Equity Officer within the UM System which has already been filled on an interim basis
  • A review of UM System policies regarding staff and student conduct
  • Additional support for students, faculty and staff who have “experienced discrimination and disparate treatment”
  • Additional support for the hiring and retention of diverse faculty and staff
  • the creation of system-wide and campus-based diversity, inclusion and equity task forces
  • an education training program for holders of the university’s top leadership positions

Had the administration taken these steps prior to the football team’s involvement, would there have been two resignations? We may never know because we don’t know what would have happened with the hunger strike and what would the reaction have been had the administration gone 90% of the way but not conceded to all of the demands (which they could have never done). It may have gone a long way to assuage opinion of the public and maybe, more importantly, the football team.

Yes, this story does speak to better crisis communication techniques and the importance of getting in front of a controversy. The number one lesson for crisis communications is to be prepared and to have a plan. Once the controversy began, the school should have had a singular unified message.

If bombarded off campus (or even during the Homecoming Parade), the proper response would have been a polite refusal to engage at that time as it was not the appropriate time and place. There could have been a somewhat prepared “holding statement” such as “we take these issues seriously and are taking steps to ensure that every student is provided the best environment we can provide. This is not the time or place to get into the specifics, but we will be providing more details soon and invite continued discussions on the topic in the near future.” It would not have placated the protesters at the time, but it would not have added more fuel to the fire. A flagship state university is a much different animal than a private business, but the same basic tenets apply.

But, I justify this longer than usual and personal musing based on what happened next. Watch this:

As my wife gets tired of hearing, the University of Missouri is home of the best journalism school in the world. (I linked to something so it has to be true!) The student journalist handled this situation perfectly. The protestors — not so much.

Here are some basics about the First Amendment. The protesters have a right protest in the public parts of campus. And, yes, the very same First Amendment gives the journalists the right to cover the story from public property.

For the legal wonks, the Carnahan Quadrangle is very likely a limited or designated public forum being that it is on a university campus. Content-based speech restrictions are therefore subject to strict scrutiny. The school, however, can put reasonable time, place and manner restrictions as long as the restrictions serve an important governmental interest and the restrictions are narrowly tailored to serve that important governmental interest.

No one kept the protestors from doing their thing. Instead, the protestors tried to keep the media from doing theirs – covering the protest, which ironically is normally what protestors want.  It is true that journalists have no greater rights than non-journalists when it comes to accessing public property, but when you engage in a protest on public property, you can’t claim some of the public property as your own. The journalists had a right to be anywhere on the public grounds to cover the story.

The photographer handled the situation well making the Mizzou Mafia proud. You can read some perspectives of the journalists covering the story here and here.

More troubling, however, was the conduct of some of the Mizzou faculty who, in my opinion, mistreated the journalist and should have known better. For example, near the end of the video, a Mizzou professor of mass media (with the School of Communications and not the School of Journalism) tried to grab the camera and then yelled, “Who wants to help me get this reporter out of here? I need some muscle over here.” Ironically (a repeated theme to this story), this same professor had asked for media attention a few days prior. Unfortunately, this strange treatment of journalists is detracting from the protester’s efforts to further their true cause.

I don’t believe MU System President Tim Wolfe, or Chancellor R. Bowin Loftin, or Mizzou itself, is, in any way, racist. They could have handled the situation better and reacted quicker. Their downfall is a result of that failure. But, shouldn’t we hold the protesters, or at least the faculty that joins the protesters, to the same standard? The faculty member could have handled it better and, perhaps there should be some repercussions, on her end. The School of Journalism has already started distancing themselves from the faculty member and released this statement in support of the journalists. (Here’s another perspective from a law professor at Mizzou and more from one my former instructors at the J-SchoolStacey Woelfel).

The bad news is that it looks like two men who worked hard and wanted the best for the university lost their jobs. Another person who appeared to be a well-liked professor may lose hers, too. The whole thing is a circus.

The good news is the hunger strike is over, there may be some changes to redress the situation, and hopefully both the administration and the protesters can learn from this.

For the rest of us, life will go on and I will continue to support my alma mater from afar. After all, there is a football game to played on Saturday.

Update: The professor in the video has apologized and resigned from her “courtesy appointment” with the J-School.

Title III Crowdfunding is Coming – Is It Right For You?

SECOn Friday, the SEC approved equity crowdfunding for non-accredited investors in a 3-1 vote. This is the true equity crowdfunding from the JOBS Act of 2012 known as Title III. Given it has been more than three years to get the final rules approved, I wasn’t sure this would ever happen.

The new rules go into effect in 180 days, so there will be time to fully digest them, but here is a primer that may help you decide whether Title III equity crowdfunding is right for you.

The Basics

Before the SEC approved the rules, crowdfunding was allowed when targeted to accredited investors; or in certain states, like Texas, that approved intrastate crowdfunding; or when giving away rewards as opposed to equity in the company.  Now, companies can seek funds in exchange for equity from all investors regardless of whether they are accredited.

The Rules

To know whether it makes sense for you, take a look at the rules.

  • A company can raise up to $1 million  in a 12-month period;
  • Individuals can invest up to the greater of  $2,000 or the lesser of 5% of the individual’s annual income or net worth;
  • If the individual’s income or net worth exceed $100,000, then the investor can provide 10% of the lesser of their annual income or net worth;
  • No individual can invest more than $100,000 in crowdfunding platforms during a 12-month period.
  • Securities purchased in a crowdfunding transaction generally cannot be resold for one year.
  • All sales have to go through a broker-dealer or a funding portal.

The primary hurdle may be the disclosure requirements that companies will have to make. They include:

  • The price of the securities or the method for determining the price, the target offering amount, the deadline to reach the target offering amount, and whether the company will accept investments in excess of the target offering amount;
  • A discussion of the company’s financial condition.
  • Financial statements which, depending on the amount offered, may include information from the tax returns, reviewed by an independent public accountant, or audited by an independent auditor.
  • If a company is raising more than $500,000 but not more than $1 million, a company can provide reviewed rather than audited financial statements, unless financial statements of the company are available that have been audited by an independent auditor.
  • A description of the business and the use of proceeds from the offering.
  • Information about officers and directors as well as owners of 20 percent or more of the company.
  • Certain related-party transactions.
  • Annual reports.

To see what exactly these disclosure requirements mean, you have to review the full approved rules available here. Full Title III Crowdfunding Rules. Warning, the pdf is over 600 pages.

Is it right for me?

So, why would a company live with these rules to raise money? In most situations, if you can raise money the old-fashioned way (through accredited investors preferably) or even use debt rather than equity, then we generally recommend you go that route. But, if you are a consumer/retail business, crowdfunding may be the best avenue for expansion. With equity crowdfunding, your customers become vested stakeholders in your business.  They become brand ambassadors and referral sources. If you want hundreds of your customers to do that, then consider the crowdfunding route that will be available to you in six months.

Why You Care The E.U. Struck Down Safe Harbor Data Protection And What to Do About it [Updated]

Hungary 461Earlier this month the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor Framework which previously provided U.S. companies comfort in that they could follow the framework and know they were not violating the more strenuous E.U. personal data privacy laws. The scrapping of the Safe Harbor is a result of recent Snowden revelations about the U.S. data collection efforts in the E.U.

Created in 2000, the Framework allowed for the lawful transfer of European citizens’ personal data to the U.S.  Without it, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995.   The U.S. is not on that list. For a good description of the ruling, go here.

I’m not Facebook or a cloud storage company, so why do I care?

Data transfers have not come to an immediate hault. Likewise, trans-Atlantic trade has not stopped. But, you may not realize you transfer the personal data of E.U. citizens and need to be prepared. Certainly, if you previously relied upon the safe harbor, you need to make some changes.

Do you take orders from E.U. customers?  Do you have subsidiaries in the E.U., but process the H.R. functions here? Do you host the company email here that includes email accounts of E.U. citizens?  Do you store information from E.U. citizens? You can see how easily you can become susceptible to possible data transfers of personal information of E.U. citizens.

So what do I do?

Because the ruling is so new, a lot of people are still trying to figure out what exactly this means.  Some suggested actions include:

1. Update the Privacy Policy

Many privacy policies provide that the company follows the Safe Harbor guidelines. This should be updated and the policy should go into greater detail about what “adequate protections” you use to protect data.

2. Get consent for transfers of data outside the E.U.

Under the E.U. Directive, you can legally transfer personal data with the subject’s consent.  This is based on one of the derogations to the EU Data Protection Directive. This may help with the occasional customer, but when it comes to your employees in the E.U., many of the authorities have found that you cannot get real consent from employees because of the lack of leverage for the employee to say no.

If you are dealing with consumers, you would need to document and obtain actual consent.  Having a statement in a privacy policy hidden on your website is not sufficient.  You must make the E.U. citizen actually consents through a click-wrap agreement and document their consent.  It may not be enough to simply have them agree that you may transfer their data to other countries with less rigorous data protection laws, but you may have to notify them that their data may be transferred to a jurisdiction where their data may be subject disclosure pursuant to a court order or other governmental action.

3. Use one of the alternative mechanisms

The options other than Safe Harbor that were available before the ruling are still possibilities. These include the Binding Corporate Rules and Standard Contractual Clauses.

The Standard Contractual Clauses can provide an efficient short-term fix.  They can be used to transfer data within one company (the H.R. or email server issues) or between a company and a vendor. The magic involved here is in describing what and how data is collected, stored and protected in the appendices of the SCCs.

The Binding Corporate Rules may be an alternative, but it may take time to get them approved because they require approval from the data protection authorities in each country of the E.U. from where you would transfer data. This process can also be expensive to implement. Some jurisdictions are tougher than others. The U.K. is less restrictive than Germany, for example. Therefore, it may depend on in which jurisdictions you have operations.

4. Segregate E.U. Data

To the extent you store data, you can segregate it and keep from transferring the data on E.U. citizens out of the E.U. This may not be practical for most people, but if it is an option, it may be the better one than trying to navigate through this morass.

5. Stay Classy San Diego

ron-burgundy-2 (1)While you can no longer rely upon on Safe Harbor to avoid problems, you should maintain those safeguards in place because you promised to do it. Showing that you are taking best practice precautions may save you from any harsh penalties if anyone ever complains.

The likely outcome is that E.U. and U.S. officials will create a new framework that addresses some of the concerns set out in the order to allow for transfer of data. The good news is some European officials have already stated they plan on proposing new guidelines and do not plan to aggressively enforce any data transfers in the near term that satisfied the Safe Harbor.

In the meantime, stay calm and consider the options. Watch to see if the European authorities issue guidelines you can live with. Check in here for guidelines that may be forthcoming. Individual countries may also provide their own guidelines.

No, the world is not ending, but a change will have to be made. We will monitor the situation and provide updates as available.

UPDATE: 10-15-15

This morning, I participated in a conference call with our international partners in our First Law Institute Data Protection/Retention Group.  The general consensus was that SCCs are the way to go in the interim, but they are not foolproof for all situations and entering into the agreements does not really address the policy concerns raised in the court’s ruling.

During the esoteric part of the conversation, some of the European partners conceded that other countries engage in surveillance and if you applied the policy behind the ruling, there should be no data transfers outside of the E.U. to almost any other country that engages in any form of cyber surveillance. No matter what measures a company puts in place, the ruling focused on the government surveillance rules which would trump whatever the contractual arrangements are in the SCCs.

The good news is that our European partners believe new guidelines, or a Safe Harbor 2.0, will emerge soon.