Boulder/Denver Software Club Presentation: "All Things Data - Data Rights, Security and Privacy for Software Companies"
1. All Things Data
Data Privacy, Security, and Rights for Software Companies
January 18, 2012
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier
Copyright 2012 Bryan Cave HRO
2. This presentation is intended for general informational purposes only and should not
be construed as legal advice or legal opinion on any specific facts or circumstances,
nor is it intended to address specific legal compliance issues that may arise in
particular circumstances. Please consult counsel concerning your own situation and
any specific legal questions you may have.
The thoughts and opinions expressed in this presentation are those of the individual
presenter(s) and do not necessarily reflect the official or unofficial thoughts or
opinions of their employers.
For further information regarding this presentation, please contact the presenter(s)
listed in the presentation.
Unless otherwise noted, all original content in this presentation is licensed under the
Creative Commons Attribution-Share Alike 3.0 United States License available at:
http://creativecommons.org/licenses/by-sa/3.0/us.
7. Data Rights
In General
• No specific comprehensive protection for data or databases in the US
• Protection of rights in data and databases typically handled through
other general areas of the law
– Intellectual property (IP) laws
– Contract laws
– Other theories as well (but generally limited)
• Protections for databases do exist outside of the US
– EU Database Directive (Directive 96/9/EC, 1996)
• Creates a sui generis right in the non-original portions of databases not
protected by copyright law
• Protection is based on a substantial investment in obtaining, verifying, or
presenting the contents of the database
• Prevents extraction or re-utilization of all or a substantial part of the
contents of a database
– Limited examples of laws in other foreign countries as well
8. Patents, Trademarks, Copyrights, Trade Secrets
• Patents – Ideas and Inventions
• Trademarks – Branding and Identity
• Copyrights – Creative Expressions
• Trade Secrets – “Know-How”
9. Data Rights
Patents and Trademarks
• Patents
– Available to protect databases
• Structure
• Method of operation
• Business methods employing databases
– But the databases must meet the criteria for patent protection
– Less applicable in the case of unstructured data itself
• Trademarks
– Applicable in connection with the name or brand for a product or service
– Not applicable to data or databases themselves
10. Data Rights
Copyright
• U.S. copyright law does not provide specific or express protection to
data or databases
• Copyright protection for data and databases is analyzed
like any other work
• The standard for obtaining a copyright is relatively low
– Original work of authorship
– Fixed in a tangible medium of expression
• But, data and databases are not always afforded protection
11. Data Rights
“The vast majority of works make the grade quite easily,
as they possess some creative spark, no matter how
crude, humble or obvious. ”
Justice Sandra Day O’Connor
Feist Publications, Inc. v. Rural
Telephone Service Co.
499 U.S. 340 (1991)
12. Data Rights
“No one may claim originality as to facts [. . .] facts do not
owe their origin to an act of authorship. The distinction is
one between creation and discovery. The first person to
find and report a particular fact has not created the fact; he
or she has merely discovered its existence.”
Justice O’Connor in Feist
13. Data Rights
Copyright
• Copyright does not protect data in the form of facts
– Originality, not “sweat of the brow,” is the basis for copyright protection
– Facts are not originally authored or created through mere discovery
• Copyright can protect information or content in the form of original
expressions
– Information or content having some level of creativity
– Entertainment content, new media, UGC all generally meet this test
• This results in varied levels of protection for data and databases
– Unstructured raw data in the form of facts – no protection available
– Original information or content having some level of creativity – protection
available
– Structure, coordination, and arrangement of data – “thin” protection available
(for the compilation, but not for the underlying data)
14. Data Rights
Trade Secret
• Trade secret protection is relatively easy to obtain
– Not generally known or readily available
– Independent economic value
– Reasonable efforts to maintain secrecy
• Trade secrets have broad potential applicability to data and databases
– Virtually any type of data or information
– In nearly any form or format
– Must establish and maintain secrecy
• Trade secrets are enforceable and transferable like any other IP right
• Primary limitation is the requirement for secrecy - once the secrecy is
gone, the trade secret is gone
• Premium on establishing enforceable nondisclosure obligations through
NDAs and other contracts to maintain secrecy
16. Data Rights
Contracts
• Emerging as what amounts to an additional form of IP protection for data
• Permit broad protection, even over data and databases not subject to
traditional IP protection
• Limited in that they provide protection only to the extent a party is bound
by the contract
• Even where traditional IP protection is available, contracts have become
critical to obtaining and clarifying rights in data
– Each form of IP has its own rules regarding ownership
– Left to applicable law, ownership is often (very) unclear
– At best this leaves the potential for confusion
– Assignments and licenses are preferred to clarify these rights
• Software industry expectations have risen with the rising value of data
– Contracts required to evidence adequate rights in transactions involving data
– Not unlike rights in software itself
18. Data Responsibilities
In General
• Rapidly changing legal landscape
• No comprehensive federal data security or privacy legislation
• A patchwork of relevant laws at multiple levels
– State laws (e.g., data security breach and notification)
– Federal laws (e.g., FTC Act)
– Non-US laws (EU and elsewhere)
– Growing number of industry-specific laws
• Healthcare – HIPAA and HITECH
• Financial Services – Gramm-Leach-Bliley
• Children – COPPA
• Others – education, payment processing, etc.
• Legal structure brings many challenges
19. Data Responsibilities
Federal Trade Commission (FTC)
• FTC is increasingly active in enforcement actions involving electronically
stored data and information
– More than 25 actions to date
– Targeting security violations as well as privacy violations
• Legal authority comes from Section 5 of the FTC Act (15 U.S.C. § 45; the Act
as amended is codified at 15 U.S.C. §§ 41-58)
– FTC Act does not contain specific privacy or security requirements
– Section 5 contains prohibitions on unfair and deceptive trade practices
– FTC asserts that failures to implement “reasonable and appropriate” data
security or privacy measures can constitute unfair or deceptive trade practices
22. Enforcement
Twitter Complaint
• FTC File No. 092 3093
• First case against a “social network” under Section 5 of the FTC Act
• Alleges unfair and deceptive trade practices in violation of the FTC Act
– Inadequate steps to prevent unauthorized access to user accounts
– Misleading users by promising to adequately prevent unauthorized access to
user accounts in its privacy policy
• Not just a privacy action, multiple security lapses cited
– Gave employees the ability to exercise administrative control of Twitter (access
to nonpublic user information and ability to reset passwords)
– Enabled employees to access the administrative system through the same web
page as users
– Instructed employees to use personal email accounts for company business
(many not even issued company addresses)
– Hackers gained actual administrative control of Twitter on two occasions
23. Enforcement
Twitter Complaint
• Twitter Privacy Policy claimed
– Twitter employs "administrative, physical, and electronic measures
designed to protect your information from unauthorized access"
– Twitter protects the privacy of nonpublic messages and information
– Twitter honors users' privacy choices
• FTC alleged that in reality, Twitter failed to:
– Require “hard-to-guess” administrative passwords
– Prohibit employees from storing administrative passwords in plain text in
personal email accounts
– Disable administrative passwords after unsuccessful login attempts
– Provide a non-public administrative login page
– Require periodic changes of administrative passwords
– Restrict employee access to administrative controls to only those
employees whose job duties required administrative access
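The controls the FTC said were missing on the previous slide (hard-to-guess administrative passwords, no plaintext storage, lockout after failed attempts, a non-public administrative login page, and access limited to employees whose duties require it) map onto a small set of checks in an admin login path. The following is an added example written for this page; it is not code from the presentation or from Twitter, and every name, path and threshold in it (`/internal/admin-login`, five attempts, 14-character minimum, the sample password list) is an assumption chosen for illustration.

```python
"""Admin-login controls illustrating the lapses cited in the Twitter complaint.

Added example, not part of the presentation. Paths, thresholds and the
sample password list below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5                      # assumption: lock after five bad passwords
MIN_PASSWORD_LENGTH = 14                     # assumption: minimum admin password length
ADMIN_LOGIN_PATH = "/internal/admin-login"   # assumption: separate, non-public page
PUBLIC_LOGIN_PATH = "/login"                 # assumption: the page ordinary users see
PBKDF2_ITERATIONS = 100_000

# Constructed sample of weak passwords used by the "hard-to-guess" check.
COMMON_PASSWORDS = {"password", "password1", "twitter", "letmein", "admin123"}


def password_is_hard_to_guess(pw: str) -> bool:
    """Reject short passwords, known weak ones, and low-variety strings."""
    if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in COMMON_PASSWORDS:
        return False
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Derive a salted PBKDF2 digest so the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    roles: set = field(default_factory=set)
    failed_attempts: int = 0
    locked: bool = False


class AdminAuth:
    def __init__(self):
        self.accounts = {}

    def create(self, username: str, password: str, roles) -> bool:
        """Enroll an account; returns False if the password fails policy."""
        if not password_is_hard_to_guess(password):
            return False
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest, set(roles))
        return True

    def login(self, path: str, username: str, password: str) -> str:
        """Return 'ok', 'denied', 'locked' or 'wrong-endpoint'."""
        if path != ADMIN_LOGIN_PATH:
            return "wrong-endpoint"        # admin login is not reachable from /login
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"                # same answer as a bad password
        if acct.locked:
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True         # disable after repeated failures
                return "locked"
            return "denied"
        if "admin" not in acct.roles:
            return "denied"                # least privilege: role required, not just a login
        acct.failed_attempts = 0
        return "ok"


def demo() -> dict:
    """Walk through the scenarios and return the observed outcomes."""
    auth = AdminAuth()
    good_pw = "Tr0ub4dor&3-horse-staple"  # constructed sample, long and mixed-class
    out = {
        "weak_rejected": not auth.create("ops", "password1", {"admin"}),
        "strong_accepted": auth.create("ops", good_pw, {"admin"}),
        "support_created": auth.create("support", "An0ther-L0ng#Secret!", {"support"}),
    }
    out["public_page"] = auth.login(PUBLIC_LOGIN_PATH, "ops", good_pw)
    out["non_admin_role"] = auth.login(ADMIN_LOGIN_PATH, "support", "An0ther-L0ng#Secret!")
    out["admin_ok"] = auth.login(ADMIN_LOGIN_PATH, "ops", good_pw)
    out["brute_force"] = [auth.login(ADMIN_LOGIN_PATH, "ops", "wrong") for _ in range(5)]
    out["after_lock"] = auth.login(ADMIN_LOGIN_PATH, "ops", good_pw)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lockout and the separate path are deliberately independent of each other: a correct password submitted to the public page is refused before any credential check runs, and a locked account stays locked even for the right password until an administrator intervenes. Periodic rotation, also on the FTC's list, would be enforced by recording a timestamp on `Account` and refusing logins past its age; it is left out here to keep the example focused on the checks above.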
24. Enforcement
Twitter Settlement
• Consent Agreement
– Announced on June 24, 2010
– Finalized on March 11, 2011
• Key terms
– 20 year term
– Twitter barred from misrepresentations regarding security, privacy, and
confidentiality practices
– Twitter must establish a comprehensive information security program
– Biennial independent security assessments of security program for 10 years
– Multiple record-keeping requirements to allow FTC compliance monitoring
25. Enforcement
Twitter Lessons
• Simple mistakes, some even understandable
• Real breaches, some very public
• Many years worth of consequences
• Focus on:
– Poor security practices leading to breaches, not breaches themselves
– Accuracy and adequacy of statements in privacy policies and online documents
– All non-public information, not just sensitive financial information or identity theft
• Settlement requirements are nothing new, FTC has developed these steps
in a series of security cases over the years
• Note the absence of a monetary penalty or admission of wrongdoing
• Case appears to signal increased scrutiny on security by the FTC
27. Enforcement
Google Complaint
• FTC File No. 102 3136
• Action relating to the Google Buzz social networking service
• Alleges unfair and deceptive trade practices in violation of the FTC Act
– Ineffective, confusing and difficult procedures for opting-out of Google Buzz
– Violations of Google privacy policy by failing to adequately disclose privacy
practices and obtain consent for new uses of previously collected user
information
– Violations of U.S.-EU Safe Harbor for compliance with the EU Data Protection
Directive
28. Enforcement
Google Complaint
• Multiple privacy lapses alleged
• No actual security breaches
• For example:
– Users who chose to opt-out of Buzz were still enrolled in certain Google
Buzz features
– Google failed to inform users who did not opt-out that Buzz would reveal
the identity of their most e-mailed contacts by default
– Google represented that information from users signing up for Gmail would
only be used to provide a “web-based email service,” but used that
information to populate accounts on Buzz
– Google violated the U.S.-EU Safe Harbor by failing to provide notice and
choice before using consumer data for a purpose other than for which it
was collected
29. Enforcement
Google Settlement
• Consent Agreement
– Announced on March 30, 2011
– Finalized on October 24, 2011
• Multiple firsts
– First time a comprehensive privacy program (not security program) was
required by FTC
– First FTC enforcement of the US-EU Safe Harbor Principles
31. Enforcement
Google Settlement
• 20 year term
• Google barred from misrepresenting:
– Extent to which Google maintains the privacy or confidentiality of personal
information of users
– Compliance with the EU-U.S. Safe Harbor requirements
• Google must:
– Implement “opt-in” requirements before introducing new services involving
public disclosure of user information
– Obtain “opt-in” consent from users prior to using or sharing information with
third parties in a way not covered by previous consents
– Establish and maintain comprehensive privacy program - “privacy by design”
• Conduct biennial audits by an independent third party to assess privacy
and data protection practices for 20 years
• No monetary penalty or admission of wrongdoing
32. Enforcement
Google Settlement
• “Opt-in” requirements
• Applicable to:
– New services implemented by Google
– New sharing with third parties
33. Enforcement
Google Settlement
• Comprehensive privacy program must:
– Address privacy risks related to both new and existing products and services
– Protect the privacy of user information
• Under the program, Google must:
– Appoint employees to coordinate and be accountable for privacy program
– Identify reasonably foreseeable material internal and external privacy risks
– Assess the sufficiency of any safeguards in place to control these risks
– Design and implement reasonable privacy controls and procedures
– Regularly test, monitor, and assess the safeguards
– Implement employee training and monitoring
– Develop reasonable steps to select service providers capable of protecting the
privacy of user information
– Contractually require service providers to implement and maintain appropriate
privacy protections
– Evaluate and adjust the program in light of changes to Google’s operations
34. Enforcement
Google Settlement
• Scope of information covered by the settlement
• Broadly defined
• Not limited to traditional personal information (name and address)
• No mention of financially sensitive information or identity theft
35. Enforcement
Google Lessons
• Relatively simple mistakes can bring many years of consequences
• Settlement requirements structured similarly to Twitter, but with
a focus on privacy
• No actual security breach required for FTC action
• Broad scope of personal information covered (not limited to
sensitive information)
• New products constitute new uses of data
– Compliance with existing privacy-related promises to users
– Affirmative “opt-in” consent for changes to privacy policies before applying the
changes retroactively (i.e., to previously collected information)
• Focus on clear and conspicuous disclosure of material privacy practices
and changes to those practices
• Enforcement of U.S.-EU Safe Harbor certification compliance
• Initial enforcement on “privacy by design” framework
37. Enforcement
Facebook Complaint
• FTC File No. 092 3184
• Action relates to privacy of user data collected and shared by Facebook
within the Facebook platform and with third parties
• Alleges unfair and deceptive trade practices in violation of the FTC Act
– Unfairly allowing user information to be shared and made public through
Facebook after telling users they could elect to keep it private
– Altering or enhancing the Facebook service in a manner that deceptively
expanded the sharing of user data, without obtaining user consent
38. Enforcement
Facebook Complaint
• Multiple privacy lapses, no security breaches
• For example:
– Modifications allowed certain information designated by users as private
(e.g., friends list) to be made public, without notice or advance approval
– Indicated that Facebook apps would have access only to user information
required to work, when the apps could access far more data
– Indicated that users could restrict sharing of personal information to limited
audiences (e.g., friends only), but did not actually prevent information from
being shared with third-party applications used by friends
– Indicated that "Verified Apps" program certified the security and compliance
of Facebook apps when it did neither
– Shared personal information with advertisers despite promises not to do so
– Continued to make user photos and videos accessible even after account
deletion or deactivation, despite statements to the contrary
– Claimed compliance with the U.S.-EU Safe Harbor certification, but violated
the “Notice” and “Choice” principles required for certification
39. Enforcement
Facebook Settlement
• Consent Agreement
– Announced on November 29, 2011
– Not yet finalized (comment period closed on December 30, 2011)
• Key terms
– 20 year term
– Facebook barred from misrepresentations regarding privacy of user information
• Users' ability to control the privacy of their information
• Availability of user information to third parties
• Accessibility of user information by third parties after account termination
– Facebook must
• Obtain “opt-in” before sharing information beyond user-selected privacy settings
• Ensure user information is not shared after deletion or termination of an account
• Implement and maintain a comprehensive privacy program – “privacy by design”
– Multiple record-keeping requirements to allow FTC compliance monitoring
– No monetary penalty or admission of wrongdoing
40. Enforcement
“Facebook is obligated to keep the
promises about privacy that it makes to its
hundreds of millions of users.”
41. Enforcement
“Innovation does not have to come at the
expense of consumer privacy.”
42. Enforcement
Facebook Lessons
• A tale of broken “promises”
• As with Google, no actual security breach required
• Reinforcement of precedents set in the Google settlement
– Broad scope of personal information (not just sensitive information)
– Compliance with privacy-related “promises” made to users
– Affirmative “opt-in” consent for changes to privacy policies before applying
the changes retroactively (i.e., to previously collected information)
– Clear and conspicuous disclosure of privacy practices and material changes
to those practices
– Continued emphasis on U.S.-EU Safe Harbor certification compliance
– Enforcement of FTC “privacy by design” framework
• Along with Google and Twitter settlements, the Facebook settlement
defines a new “template” for FTC privacy settlement agreements
44. FTC Draft Report
Background
• Based on a yearlong series of privacy roundtables held by the FTC
• Sets out a proposed framework for the protection of consumer privacy
• Applicable to both traditional (offline) and online businesses
• Covers a broad range of information
– Personally identifiable information
– Information that can be “reasonably linked” to a specific individual,
computer or other device
• Provides insight into the intentions of the FTC
• Leaves many specific questions unanswered
45. FTC Draft Report
Privacy Framework
• Proposed framework includes several primary elements
– “Privacy by design”
– Simplified consumer choice
– Greater transparency
48. FTC Draft Report
Privacy by Design
• Report has not yet been finalized
• Inclusion in Google and Facebook settlements signals that the FTC
believes business should adopt privacy by design as a requirement
• Inclusion in future settlements will continue to move privacy by design
toward becoming a legal requirement
– FTC is effectively treating privacy by design as a de facto legal requirement
– Beginning to influence and define industry expectations, particularly online
– Likely to serve as guidance for courts and lawmakers
52. Closing Thoughts
Remain Vigilant
• We are in an era of increasing data value
• This brings with it an environment of increasing enforcement
• Learn from the growing list of lessons
• Understand the obligations and expectations placed on your business
– Legal obligations
– Business reality
• Your “enforcement” issue may come from a potential customer,
financing source, or acquirer rather than the FTC
• Take steps now to meet the evolving standards
– Governmental and legal
– Business and practical
• Make privacy and security a consideration in the design and evolution
of your software or platform
53. Thank You.
Jason D. Haislmaier
jason.haislmaier@bryancave.com
@haislmaier