The “Internet of Things” is rapidly expanding, and most households have at least one physical object which automatically collects and exchanges data wirelessly. Manufacturers of smart devices need to ensure that security vulnerabilities and privacy concerns are rapidly addressed in order to escape the scrutiny of the Federal Trade Commission.

Law360 interviewed privacy experts, including our very own Mike Feldman, regarding ways for smart device makers to ensure that their information security and privacy practices meet industry standard practices. Mike recommended ensuring that employees have robust information security and privacy policies, are trained to identify risks, and are prepared to handle data breaches and other disasters. As Mike noted:

Small companies used to believe that hackers wouldn’t be interested in their customers’ data but reality has shown that is no longer the case, Feldman said.

“Now almost every industry has been hacked,” Feldman said. “The defense that ‘I thought it wouldn’t happen to me’ isn’t really a defense.”

Read the whole article: 3 Ways Internet Of Things Makers Can Avoid The FTC’s Ire (subscription may be required)

A company’s social media page, profile and accounts (and its followers and other connections) are generally considered to be valuable business assets. Recent court decisions illustrate the importance of clear policies and procedures to address ownership and appropriate use of business-related social media assets.

While most businesses recognize the importance of maintaining a minimum Internet presence, an increasing number of businesses are attempting to impact consumers where they congregate most: in social media. The benefits of maintaining an active social media presence include developing loyal relationships with customers, leveraging those relationships into quantifiable, networked campaigns, and refining your brand with niche audiences. Because of both the company resources spent developing these channels as well as their potential value/return, it is important to remember that social media accounts are company assets and should be protected accordingly through policies and procedures, as would any other company intellectual property.

While major brands often farm out social media management and content creation to marketing firms, small or medium sized businesses often do not have this financial flexibility. Accordingly, chances are a member of management, or one of the employees, takes on this role. In that case, with both personal and business interests in the same sphere, it is especially crucial to set clear expectations and boundaries around social media responsibilities in the workplace and the ownership of your business’ accounts and content.

As a recent case in Texas (In re CTLI, LLC, 2015 Bankr. LEXIS 1117 (Bankr. S.D. Tex. 2015)) makes clear, when it comes to social media, the line between personal and professional can be blurry, and when companies fail, or when partnerships falter, ownership of social media accounts can result in costly litigation.

The dispute in CTLI centered on ownership of the Facebook account for a firearms business. The account was run by one of the business’ owners who posted a mixture of professional content promoting the business, and personal content reflecting his interests, activities and opinions. When the business filed for Chapter 11 protection, the social media-savvy former owner refused to relinquish control of the Facebook account, claiming that the amount of time, goodwill and his own personality that he had invested into developing the account entitled him to ownership. The U.S. Bankruptcy court ultimately disagreed and ruled that the account was property of the business but not before wading through the thorny issues of personal privacy, contract interpretation relating to Facebook’s terms and conditions, and the separation of personal and business assets.

Some important lessons for your business to keep in mind:

  • Have a written Technology Use and Social Media Policy in place for all of your employees to read and sign. These policies should include parameters for appropriate uses of company technology, guidelines on how to discuss your company online and in social media (even when your employees are using their own personal accounts), and clear definitions concerning who owns what when it comes to devices and accounts.
  • While interacting with consumers can be great for business, consider prohibiting your social media managers from sending direct/private messages from your customer-facing business accounts. While you may permit employees to send personal emails from their work computers, this is very different than sending a personal message emanating from your company’s branded Facebook or Twitter account.
  • Social media marketing allows for a more nuanced line between personal and professional content. Something that you might consider to be a personal comment could be seen in court as an attempt to integrate your business’ brand with your target customers or your local community. Just because you are posting casual or personal items from your official business account does not mean that the accounts belong to you or your employees.
  • An effective social media manager may be able to generate hundreds or thousands of followers or fans for your business, but it is important for them to know that it is the business, and not the employee, who ultimately owns those accounts and the followers that go with them, no matter how much of themselves and their personality the employee has poured into developing the accounts.
  • Maintain a record of all of your social media account credentials like account names, user handles, and passwords. Employees should be prohibited from altering these credentials or using their own passwords. In the event that you need to remove an employee’s access this will help you avoid being in the position of demanding passwords which the employee may be also using for private, personal accounts.

If you need help drafting an effective Technology Use or Social Media Policy for your business or simply have questions about the benefits and risks of leveraging social media to help your business grow, contact OlenderFeldman LLP.

The biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies, media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.

Rapidly growing eCommerce and technology companies typically focus on creating viable products and services, adapting business models and responding to challenges, and using data in new ways to glean valuable insights and advantages. They often achieve success by disrupting existing industry norms and flouting convention in an attempt to do things better, faster and more cost-effectively. In the tech world, this strategy is often a blueprint for success.  At the same time, this strategy also often raises privacy concerns from regulators and investors.  In fact, three of the biggest privacy challenges affecting businesses today are regulatory scrutiny from government agencies (and potentially, personal liability arising from such scrutiny), media coverage with unintended consequences, and privacy risks that are discovered during corporate transactions.

Regulatory Scrutiny Of Privacy Practices

Government regulators, led by the Federal Trade Commission (“FTC”), have taken an activist role in enforcing privacy protections.  The FTC often does so by utilizing its powers under the FTC Act, which enables the FTC to investigate and prosecute companies and individuals for “unfair or deceptive acts and practices.” Some of the activities which the FTC considers to fall under the “unfair or deceptive” umbrella are: a company’s failure to enforce privacy promises; violations of consumers’ privacy rights; and failing to maintain reasonably adequate security for sensitive consumer information.

Though most of the FTC’s investigations are settled privately and non-publicly, those that do become public (usually, as a result of a company refusing to cooperate voluntarily or disagreeing with the FTC on the proper resolution) are often instructive. For example, the FTC recently settled charges against Snapchat, the developer of a popular mobile messaging app.  The FTC accused Snapchat of deceiving consumers with promises about the disappearing nature of messages sent through the service, the amount of personal data Snapchat collected, and the security measures taken to protect that data from misuse and unauthorized disclosure.  Similarly, when Facebook acquired WhatsApp, another cross-platform mobile messaging app, the FTC explicitly warned both Facebook and WhatsApp that WhatsApp had made clear privacy promises to consumers, and that WhatsApp would be obligated to continue its current privacy practices ― even if such policies differ from those of Facebook ― or face FTC charges. The takeaways from the FTC’s recent investigations and enforcement actions are clear: (1) businesses should be very careful about the privacy representations that they make to consumers; (2) businesses should comply with the representations they make; and (3) businesses should take adequate measures to ensure the privacy and security of the personal information and other sensitive data that they obtain from consumers.

Sometimes officers and directors of businesses are named in an FTC action along with, or apart from, the company itself.  In such cases, the interests of the individuals and those of the companies often diverge as the various parties try to apportion blame internally.  In certain cases, companies and their officers are held jointly and severally liable for violations.  For example, the FTC sued Innovative Marketing Inc. and three of its owners/officers. A federal court found the business and the owners/officers to be jointly and severally liable for unfair and deceptive actions, and entered a verdict for $163 million against them all. The evolving world of regulatory enforcement actions reveals that traditional liability protections (i.e., acting through a corporate entity) do not necessarily shield owners, officers, and/or directors from personal liability when privacy violations are at issue. Officers and directors should keep in mind that knowledge of, or indifference to, an unfair or deceptive practice can put them squarely in the FTC’s crosshairs ― and that the “ostrich defense” of ignoring and avoiding such issues is unlikely to produce positive results.

Unintended Consequences of Publicity

Most businesses crave publicity as a means of building credibility and awareness for their products or services. However, businesses should keep in mind that being in the spotlight can also put the company on regulators’ radar screens, potentially resulting in additional scrutiny where none previously existed. One of our clients, for example, came out with an innovative service that allows consumers to utilize their personal information in unique ways, and received significant positive publicity as a result. Unfortunately, that publicity also caught the interest of a regulatory entity. It turns out that some of our client’s statements about their service were misunderstood by the government. Ultimately, we were able to clarify the service offered by our client for the government in an efficient and cost-effective manner, demonstrating that no wrongdoing had occurred, and the inquiry was resolved to our client’s (and the government’s) satisfaction.  Nonetheless, the process itself resulted in substantial aggravation for our client, who was forced to focus on an investigation rather than on its business activities. Ultimately, the misunderstanding could have been avoided if the client had checked with us first, before speaking with reporters, to ensure the client’s talking points were appropriate.

Another more public example occurred at Uber’s launch party in Chicago.   Uber, the car service company which allows users to hail a cab using a mobile app, allegedly demonstrated a “God View” function for its guests which allowed the partygoers (including several journalists) to see, among other information, the name and real-time location of some of its customers (including some well-known individuals) in New York City – information which those customers did not know was being projected onto a large screen at a private party. The resulting publicity backlash was overwhelming. Senator Al Franken wrote Uber a letter demanding an explanation of Uber’s data collection practices and policies and Uber was forced to retain a major law firm to independently audit its privacy practices, and implement changes to its policies, including limiting the availability and use of the “God View.”

Experience has shown us that contrary to the old mantra, all publicity is not necessarily good publicity when it comes to the world of privacy.  Before moving forward with publicity or marketing for your business, consider incorporating a legal review into the planning to avoid any potentially adverse impact of such publicity.

Privacy Concerns Arising During A Corporate Transaction

Perhaps most importantly to company owners, the failure to proactively address privacy issues in connection with corporate transactions can cause significant repercussions, potentially destroying an entire deal.  Most major corporate transactions involve some degree of due diligence.  That due diligence, if properly performed by knowledgeable attorneys and businesspeople, will uncover any existing privacy risks (i.e., violations of privacy-related laws, insufficient privacy security measures or compliance issues which become financially overwhelming).  If these issues were not already factored into the financial terms of the transaction or affirmatively addressed from the outset, the entire landscape of the transaction can change overnight once the issues are uncovered – with the worst case scenario being the collapse of the entire deal.  Therefore, it is critical that businesses contemplating a corporate transaction be prepared to address all relevant privacy issues upfront.  Such preparation should include an internal analysis of the business from a privacy-law perspective (i.e., determining which regulatory schemes apply, and whether the business is currently in compliance) and being prepared to provide quick responses to relevant inquiries, such as historical policies and procedures related to privacy and data security, diagrams of network/data flow, lists of third-parties with whom data has been shared, representations and warranties made to data subjects, and descriptions of complaints, investigations, and litigation pertaining to privacy issues.

Privacy and data security issues can be particularly tricky depending on the nature of the data that is maintained by the company and the representations that the company has made with respect to such data.  Businesses are well-advised to prepare a due diligence checklist in preparation for any corporate transaction which should include an assessment of the business’ compliance with applicable information privacy and data security laws as well as any potential liabilities from deficiencies that are discovered.  Addressing these issues in a proactive manner will allow the business to be more prepared for the corporate transaction and mitigate any harm which otherwise might flow from any problems which arise.

Technology can impact the way we work, play, communicate and live, and “big data” analysis – the processing of large amounts of data in order to gain actionable insights – has the ability to radically alter society by identifying patterns and traits that would otherwise go undiscovered. This data, however, can raise significant privacy concerns in the context of a merger or acquisition.

Dun & Bradstreet interviewed us regarding various Tips for Customer Data Management During a Merger or Acquisition. We thought the topic was so interesting that we decided to expand a little bit more on the subject.

As background, it is important to consider that there are three types of M&A transactions affecting data: stock transactions, mergers, and sales of assets. In a stock transaction, there are no data issues: while the owners of a company sell stock to a new owner, the entity itself remains intact.  This means business as usual from the entity’s standpoint, and there are no data or confidentiality issues.

By contrast, in a merger (where the target is not the surviving entity) or in an asset transaction, the original entity itself goes away, which means all of the assets in that entity have to be transferred, and there is a change of legal title to those assets (including to any data) which can have legal implications. For example, if a party consents to the use of their data by OldCo, and OldCo sells all of its assets to NewCo, does that party’s consent to use data also transfer to NewCo?

In a merger, data needs to be appropriately assigned and transferred, which often has privacy implications. Companies generally have privacy policies explaining how they collect and use consumers’ personal information. These policies often contain language stating that the company will not give such information to any third-party without the consumer’s consent. In such situations, the transfer of data must be done in accordance with the written commitments and representations made by that company (which may vary if different representations were made to different categories of individuals), and may require providing notice or obtaining consent from consumers (which, depending on the scope of the notice or consent required, can be an arduous task).

Companies also generally maintain employee data and client data in addition to consumer data. This information needs to be handled in accordance with contractual obligations, as well as legal obligations. National and foreign laws may also regulate the transfer of certain information. For example, in transborder transactions, or for transactions involving multinational companies, it is extremely important to ensure that any transfer of data complies with the data privacy and transborder transfer obligations applicable in all of the relevant jurisdictions.

Obligations may arise even during the contemplation of a merger, or during the due diligence process, where laws may impact the ability of companies to disclose certain information and documentation. For example, in the United States, financial companies are required to comply with the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, which govern the controls required to protect certain types of data, and companies in the health care and medical fields are often required to comply with the Health Insurance Portability and Accountability Act.

In the multinational / crossborder context, businesses may run into challenges posed by conflicting multi-jurisdictional data protection laws, which may prevent routine data flows (such as phone lists or other employee data) to countries that are deemed to have insufficient data protection laws, or require that centralized databases comply with the laws in multiple jurisdictions. Additionally, employee rights to access and amend data, as well as requirements to obtain consent before collection and limitations on maintenance of data may cause challenges as well.

So what should companies do when contemplating or navigating a merger or acquisition? First, companies should determine what information they have. Next, companies must ensure that they understand what information they have, including the circumstances under which the information was collected, and what rights and obligations they have relative to that information. Companies should determine what ability they have to transfer information, what consents or approvals are necessary to do so, and the potential impact of a transfer on the various stakeholders.

The bottom line? Any technology, and big data in particular, can be put to both good and bad uses. It is important that, as companies gather data about individuals, that information be used in accordance with existing laws and regulations governing data use, as well as in a way that respects the privacy of the individuals to which the data pertains.

Startup companies and entrepreneurs love to innovate. A good lawyer can help startups push the envelope while avoiding rookie mistakes.

While all resources are given a premium with a burgeoning company, NJ Tech Weekly polled some of New Jersey’s top professionals – including OlenderFeldman LLP partner Christian Jensen – for their thoughts on the one major mistake that startups make that can be avoided with the right professional advice.  Among the number of issues faced including entity choice, equity issues and privacy policy/terms and conditions, Chris spoke about the importance of delineating employee issues – both through classification and contract – at the outset of a business. Give the entire article a read here. You can also read more about common legal mistakes made by small businesses.

Entrepreneurs often struggle with what they should and should not say to potential investors, especially given that investors often will refuse to sign a non-disclosure agreement (“N.D.A.”). Disclose too little information about your start-up or idea and you may fail to interest an investor. By the same token, disclose too much and you may expose yourself to an unacceptable level of risk.

Eileen Zimmerman wrote a fantastic article explaining why more start-ups are sharing ideas without legal protection, quoting OlenderFeldman’s Aaron Messing. While we highly recommend reading the whole article, we wanted to expand a bit on some of the topics Aaron spoke about in the article:

Even if a start-up manages to get a [non-disclosure] agreement signed, it can be tough to enforce, said Aaron I. Messing, a lawyer with OlenderFeldman LLP in Summit, N.J. “It’s very hard to prove that you kept information confidential, and it was only disclosed under an N.D.A.,” said Mr. Messing, who represents both founders and investors. “And it can be expensive.”

One of the reasons why the N.D.A. disappeared in the context of start-up institutional capital is because an N.D.A. is only as valuable as a party’s willingness to enforce it. While it is true that institutional investors do not want to be bothered with keeping track of N.D.A.’s, it’s also equally true that most entrepreneurs are unwilling or unable to enforce a confidentiality agreement. In addition to the expense of litigation and difficulty of proving that the information was kept confidential, very few entrepreneurs want to be known as someone who sues institutional investors.

Companies will need to disclose significant proprietary information about themselves to get to the point where an investor will want to sign a term sheet, but that level of information will generally be insufficient to enable someone else to duplicate. However, if a company’s market or product has a low barrier to entry, proprietary information doesn’t matter as much as execution. Where there is a barrier to entry regarding certain forms of technology or an invention, an N.D.A. generally will be signed in connection with the due diligence process, where the level of disclosure is beyond what would ordinarily need to be disclosed in order to explain what a company does.

One of the little known secrets about start-ups and investing is that, according to reputable studies, under 3% of early-stage start-ups receive investment from professional or institutional capital. The equation is simple: there are simply more ideas than good ideas, more good ideas than good businesses, and more good businesses than good investments. That equation also helps explain why investors often will refuse to sign an N.D.A. Given the likelihood that your start-up will not receive professional investment, when pitching to institutional capital, great care should be taken to vet the investors and determine what specifics are appropriate to be disclosed.

Mr. Messing advised making sure an investor did not have potential conflicts or overlapping investments. Reputable investors, he said, “have much to lose by stealing your idea.”

It is true that if an investor is in the business of stealing ideas, that investor is not going to be in business for very long. However, even the fact that you are pitching to reputable investors doesn’t mean that they will not disclose information they’ve learned from you to someone else, whether intentionally or (more likely) unintentionally, as individuals often simply forget the context under which they originally heard information. This is why it is exceptionally important to share information appropriately, that is, disclosing sufficient information to convey what is unique and proprietary about the start-up, without disclosing such a level of information that would allow someone to replicate the idea. In short, entrepreneurs should attempt to maintain the barrier to entry, to the extent possible. In any event, when vetting a potential investor, referrals and word of mouth will often be the best indicators, as quality investors pay great attention to making sure they have referenceable contacts. Once a start-up has identified a suitable investor, they should typically reveal details over time so that they do not say too much too early. Start with a teaser, and work your way towards an elevator pitch, followed if appropriate by an executive summary, a pitch deck and business plan.

When discussing a start-up, founders should walk a fine line, conveying sufficient information about what is unique and proprietary, but not disclosing information that would let someone replicate the business. For example, said Mr. Messing, an entrepreneur could disclose “what an algorithm can do, but not the algorithm itself.”

An entrepreneur that develops unique technology must find a way to keep that technology proprietary. In order to do so, the entrepreneur needs to understand the difference between patentable subject matter, trade secrets (e.g., the Coca-Cola formula) and things that are otherwise unprotectable but that have special marketing angles or specific go-to-market strategies that may give the start-up a unique first mover advantage. This is where it is most important for entrepreneurs to have qualified counsel, so that they know what type of intellectual property they have. It is rare that an entrepreneur will know what type of intellectual property they have, and understand what they can and cannot expose. We routinely advise our start-ups on how to compartmentalize intellectual property so they understand what is protectable and what is not, and to the extent the intellectual property is protectable, the best ways to do so.

Of course, an N.D.A. takes on more importance in the due diligence/term sheet context, prior to consummating an investment, where a company will often need to disclose significant proprietary information in a level of disclosure that is beyond what would ordinarily be disclosed to simply discuss what the company does. OlenderFeldman generally does not recommend entering into the due diligence process without an N.D.A., and has yet to hear of any situations where an institutional investor breached an N.D.A. in connection with a transaction (and certainly none that the Firm has dealt with).

John Hancock…Is That Really You?

All too often, documents such as contracts, wills or promissory notes are contested based on allegations of fraudulent or forged signatures. Indeed, our office once handled a two-week arbitration based solely on the issue of authentication of a signature on a contract. Fortunately, a quick, simple and inexpensive solution to prevent this problem is to have the document notarized by a notary public (“Notary”). A notarization, or a notarial act, is the process whereby a Notary assures and documents that: (1) the signer of the document appeared before the Notary, (2) the Notary identified the signer as the individual whose signature appears, and (3) the signer provided his or her signature willingly and was not coerced or under duress. Generally speaking, the party whose signature is being notarized must identify himself/herself, provide valid personal identification (e.g., a driver’s license), attest that the contents of the document are true, and that the provisions of the document will take effect exactly as drafted. Finally, the document must be signed in the presence of the Notary.

Why is Notarization Important?

A primary reason to have a document notarized is to deter fraud by providing an additional layer of verification that the document was signed by the individual whose name appears. In most jurisdictions, notarized documents are self-authenticating. A Notary can also certify a copy of a document as being an authentic copy of the original. For more information, please see our previous blog post regarding the enforceability of duplicate contracts. Ultimately, this means that the signers do not need to testify in court to verify the authenticity of their signatures. Thus, if there is ever a dispute as to the authenticity of a signature, significant time and money can be saved by avoiding testimony – which also eliminates the potential of a dispute over witness credibility (i.e., he said, she said).

How are Notaries Regulated?

Each state individually regulates and governs the conduct of Notaries. For specifics on New Jersey law, see the New Jersey Notary Public Manual, and for New York’s law, see the New York Notary Public Law. In most cases, a Notary can be held personally liable for his or her intentional or negligent acts or misconduct during the notarization process. For example, a Notary could be liable for damages or criminal penalties if he or she notarizes a signature which was not provided in the Notary’s presence or which the Notary knows is not authentic. A Notary is generally charged with the responsibility of going through a document to make sure that there are no alterations or blank spaces in the document prior to the notarization. The strict regulation of Notaries provides additional recourse for the aggrieved party, as the Notary could be held responsible for damages a party suffers as a direct result of the failure of the Notary to perform his or her responsibilities.

The Future of Notarization

As with most areas of the law, notarization is attempting to catch up with technology. Some states have authorized eNotarization, which is essentially the same as a paper notarization except that the document being notarized is in digital form, and the Notary certifies with an electronic signature. Depending on the state, the information in a Notary’s seal may be placed on the electronic document as a graphic image. Nevertheless, the same basic elements of traditional paper notarization remain, including specifically, the requirement for the signer to physically appear before the Notary. Recently, Virginia has taken eNotarization a step further and authorized webcam notarization, which means that the document is being notarized electronically and the signer does not need to physically appear before the Notary. However, a few states, including New Jersey, have issued public statements expressly banning webcam notarization and still require signers to physically appear before a Notary.

The bottom line: parties should consider backing up their “John Hancock” by notarizing their important documents. The low cost, typical accessibility of an authorized Notary, and simplicity of the process may make it worth the extra effort.

Nathan D. Marinoff, Esq. Joins the Firm

Nathan specializes in corporate law and regularly advises domestic and international companies, Boards of Directors and investors in matters of corporate governance, public and private capital markets, venture capital and private equity investments, mergers and acquisitions, joint ventures, bank financings and commercial licensing and employment agreements.

Nathan began his legal career as a law clerk to a federal judge, following which he spent over seven years in private practice with Skadden, Arps, Slate, Meagher & Flom LLP and Morgan, Lewis & Bockius LLP. Thereafter, he served as Deputy General Counsel at Virgin Mobile USA, overseeing the company’s initial public offering and its merger with Sprint Nextel, and as Senior Director, Legal at a New York private equity firm with over $8 billion in assets, providing counsel to the firm and legal oversight to over 30 portfolio companies. He is deeply involved in the community and serves as a member of the Board of Directors for two charities, The Jewish Education Project and Friends of Firefighters.

Nathan can be reached at: nmarinoff@olenderfeldman.com | 908-964-2432

For the second year in a row, Christian has been recognized by his peers in Super Lawyers as a Rising Star. This distinction is limited to less than 2.5 percent of attorneys in New Jersey.

OlenderFeldman is proud to congratulate Christian Jensen on being named one of Super Lawyers’ 2014 Rising Stars. The New Jersey Rising Stars list is limited to lawyers who are 40 years old or less or have been in practice for 10 years or less and is comprised of no more than 2.5% of the lawyers in the state.

Christian focuses his practice with OlenderFeldman in the areas of complex commercial litigation and intellectual property litigation, including business and consumer fraud, construction and employment law. For more information about Christian please click here.

The Original vs. The Copy – Does It Really Matter From An Evidentiary Perspective?

While there are many hurdles a business document needs to overcome in order to be admitted as evidence in court, there is one hurdle that many clients routinely inquire about – the legality and admissibility of digital image copies, in lieu of original documents. While lawyers recognize this as a best evidence issue (a legal doctrine that states an original piece of evidence is superior to a copy), for clients this is a matter of whether they need to retain an original signed contract or whether they can save space in their file cabinets and rely on a scanned copy on their hard drive. Although state laws concerning admissibility of evidence vary, states have generally adopted the language, in whole or part, of the Uniform Rules of Evidence (“URE”) and/or the Uniform Photographic Copies of Business and Public Records as Evidence Act (“UPA”). For the purpose of this article the differences between the URE and the UPA are not important or relevant. Accordingly, there is a nationwide consensus that a digital image copy can generally overcome a best evidence challenge and be admitted as the original document.

The fundamental basis for states’ admission of digital duplicates can be found in the URE, which allows copies that are established as business records to be admitted into evidence “to the same extent as the original.” Duplication is permitted by any technique that “accurately reproduces the original.” Similarly, under the UPA, duplicate records are admissible as the original, in judicial or administrative proceedings, provided that the duplicate was generated by a “process which accurately reproduces the original.” The UPA permits the destruction of original documents, unless preservation is required by law (i.e. wills, negotiability documents and copyrights). Hence, the law permits the destruction of original documents subject to certain evidentiary requirements.

When read together and interpreted by the majority of states, the URE and the UPA allow duplicate copies to be given the same evidentiary weight as originals, so long as those copies are properly generated, maintained and authenticated. Therefore, clients are encouraged to adopt certain practices when copying their business documents:

  • The copies should be produced and relied upon during the regular course of business.
  • The business should have a written policy specifying the process of duplication, as well as where and how copies will be stored. This written policy should be made available to the business’s custodian(s) of records.
  • The business’s written policy should include a requirement that at least one witness be present at the time of duplication that would be available to testify under oath that the generated duplicate accurately and completely represents the original.
  • The business’s written policy should be subject to regular review in order to ensure the stated compliance procedures are satisfied.

Ultimately, clients should feel free to indulge their desire to “save the space” and dispose of an original contract, so long as the above duplication practices are adhered to and all other relevant evidentiary and other legal requirements are satisfied. Clients should also be aware that since the medium for storing electronic records must meet certain legal standards, their choice of hardware is critical when it comes to admissibility of a duplicated record. Given the variety of legal and technological nuances that need to be taken into consideration, when in doubt it is always best to seek the guidance of a qualified and experienced attorney to avoid any potential legal pitfalls. The above article reflects the national trend in the United States, so to ensure that your business has complied with state and/or country specific regulations it is once again best to contact a qualified and experienced attorney who practices in your jurisdiction.

WARNING: Your Account Has Been Compromised – California Expands Existing Data Privacy Breach Law

By Angelina Bruno-Metzger

Governor Jerry Brown recently signed bill SB46 into law, which amends California’s data breach notification law by expanding the definition of “personal information.” The current law requires alerts to be sent to consumers when a database has been breached in a way that could expose a consumer’s social security number, driver license number, credit card number(s), or medical/health insurance information. Under this new amendment, website operators will be obligated to send out privacy notifications after the breach of a “user name or email address, in combination with a password or security question and answer that would permit access to an online account.” Additionally this law requires notifications, even when no other personal information has been breached, in cases when a breach of a user name or email address used in combination with a password or security question could permit access to an online account. Currently, as with the new “Do Not Track” law, California is the only state whose breach notification statute incorporates breaches solely by the loss of a user name or email address.

This law will go into effect on January 1, 2014, and a company’s notification obligations under this new law differ depending on the type of personal data that has been breached. When the security breach does not involve login credentials for an email account, the operator is allowed to notify affected customers through the use of a “security breach electronic form”. This form would direct the person whose personal information has been compromised to immediately change his/her password and security question(s) or answer(s) – as well as direct the user to take appropriate precautionary measures with all other virtual accounts that use the same user name or email address and password. However, when the security breach does involve login credentials for an email account, the operator, logically, may not provide notification to that email address. Alternatively, the operator may provide “clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the person or business knows the resident customarily accesses the account.”

As with the other recently passed cyber laws, the implications of this new data privacy breach law will likely be felt nationally and internationally, as almost every company that offers online personalized services requires a consumer to create a username and password. While there remains some uncertainty about exactly what businesses must abide by this new regulation, as not all companies can readily, if at all, confirm affected users are California residents, since sharing of home addresses is often optional, it is best for businesses to abide by the old “better safe than sorry” adage. The two best ways companies can come into compliance with this regulation are to: (1) ensure that all usernames, passwords, security questions and answers are stored in an encrypted form, and (2) update existing protocols, or create new internal protocols that are consistent with this law’s reporting requirements.

See OlenderFeldman LLP’s predictions for what should happen in 2013 within the data privacy field and compare it with this new data privacy breach law in California.

Sharing is Caring, but Not Always in the Case of Cookies – CA Governor Signs the Country’s First “Do Not Track” Disclosure Bill

by Angelina Bruno-Metzger

On September 27, 2013, bill AB370, now known as the “Do Not Track” disclosure law (“DNT”), was officially signed into law by Governor Jerry Brown. This law will impose new and additional disclosure requirements on commercial websites and online services that collect personally identifiable information (“PII”) on users. “Do Not Track” is an amendment to the California Online Privacy Protection Act (“CalOPPA”), which originally required websites, as well as mobile applications, to explicitly and conspicuously post their privacy policies. This posted privacy policy must include what categories of PII are being collected and what third parties will also have access to that information. Under this latest amendment, website operators (or mobile applications) need to: (1) disclose and explain their privacy policies and how they respond to DNT signals, and (2) disclose applicable third-party data collection and use policies.

It should, however, be noted that this law does not explicitly prohibit tracking or affirmatively require a website operator to honor a consumer’s do not track request. It simply mandates that operators disclose their privacy policies. Additionally, the lack of a clear definition of “do not track” could be equally problematic when it comes to enforcement – since this new law does not define what it is regulating. A clear definition will most likely emerge through enforcement and adjudication of the law, as well as policy statements.

This “Do Not Track” law mandates that all companies have a complete technical understanding of their websites, as well as the third parties that are allowed to operate on the site, so that each company can fully disclose its data collection practices. While technically speaking this law would only require companies to make the disclosures to California residents, it will likely have a national, if not international, effect, as most companies usually do not craft different policies for specific states, and cannot know whether a user is a California resident. This new law will go into effect on January 1, 2014, and any operator that fails to provide the required disclosures will be given a warning and 30 days to comply or else be found in violation of the new law. Failure to comply, whether that failure is knowing and willful or negligent and material, could result in a $2,500 fine under California’s Unfair Competition Law.

Recently California has been boldly breaking ground in the nation in the area of online data privacy, and the “Do Not Track” law is no exception; it is the first of its kind in the country. For a more complete understanding of what online tracking is and how it works, please see our previous post Behavioral Advertising and “Do Not Track” Navigating the Privacy Minefield

The consequences of failing to develop employment-hiring materials can be devastating. So why do many employers fail to develop a basic set of documents governing the employment relationship with new hires?

Howard Matalon notes that although employment documents can be developed in a very cost-effective manner, many employers fail to give consideration to such documents until it is too late, and no employer can afford to build a business without them. “Employers must reprioritize the importance of employment hiring practices and make them an actual part of their business model,” says Matalon. “Compliance as an afterthought has become an extremely expensive prospect for the unfortunate employers who ignore their human resource obligations.”

For these reasons, all employers must take a methodical approach to their hiring practices and procedures and treat these processes as seriously as they would every other critical aspect of their business. Read the full article regarding employment hiring practices.

In this age of social media and ubiquitous photography, what are your rights as a photographer? What privacy laws do you need to be concerned with?

OlenderFeldman LLP was interviewed by Dave Johnson of Techhive.com about the rights and obligations of photographers, especially concerning privacy:

First, the good news: Most people, most of the time, can simply take pictures and not worry about what is legal and what isn’t. As a general rule, you can use a camera to take photos in public—on streets, on sidewalks, and in public parks—without restriction. As Aaron Messing, an attorney at OlenderFeldman LLP, puts it, “What can be seen from public can be photographed.”

[However,] [e]ven in the United States, Messing notes, photography can be prohibited around military locations and sensitive energy installations. And it gets more complicated from there. Remember that you can’t shoot on private property with the same impunity as in public. And sometimes it’s not easy to tell.

Read the whole article over at Techhive.

If your password looks something like “123456,” you might want to change it.

By Alice Cheng

Late Wednesday evening, hackers successfully breached Yahoo! security and published a list of unencrypted emails and passwords. The list exposed the login information of more than 450,000 Yahoo! users. The hackers, who call themselves the D33D Company, explained that they obtained the passwords by using an SQL injection vulnerability—a technique that is often used to make online databases cough up information. The familiar method has been employed in other high-profile hacks, including of Sony and, more recently, LinkedIn.

However, unlike other malicious attacks, the D33D hackers claim that they only had good intentions: “We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.”

The attempted wake-up call is apparently much needed, though often ignored. An analysis of the exposed Yahoo! passwords revealed that a large number were incredibly weak—popular passwords in the set ranged from sequential numbers to being merely “password.”

In a statement, Yahoo! apologized and stated that notifications will be sent out to all affected users. The company also urged users to change their passwords regularly.

If you are a Yahoo! user, you may want to change your account password, as well as any accounts with similar login credentials. It will also be well worth your time to heed the wake-up call and incorporate better password practices. Use a different password for each site, and create long passwords that include a mix of upper- and lowercase letters, numbers, and symbols. To help keep things simple, password management software (such as LastPass and KeePass) is also available to help keep track of the complex passwords you create.

Protect Against Data Breaches

All companies, big and small, are at risk for data breaches. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Information privacy and security is essential to protect your business, safeguard your customers’ privacy, and secure your company’s vital information.

Recently, hackers gained access to Yahoo’s databases, exposing over 450,000 usernames and passwords to Yahoo, Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com accounts. This breach comes on the heels of a breach of over 6.5 million LinkedIn user passwords. With these embarrassing breaches, and the widespread revelation of their inadequate information security practices, Yahoo and LinkedIn were added to the rapidly growing list of large companies who have suffered massive data breaches in recent years.

While breaches at large companies like Yahoo and LinkedIn make the headlines, small businesses are equally at risk, and must take appropriate measures to keep their information safe. Aaron Messing, an information privacy attorney with OlenderFeldman LLP, notes that most business networks are accessible from any computer in the world and, therefore, potentially vulnerable to threats from individuals who do not require physical access to them. A recent report by Verizon found that nearly three-quarters of breaches in the last year involved small businesses. In fact, small business owners may be the most vulnerable to data breaches, as they are able to devote the least amount of resources to information security and privacy measures. Studies have found that the average cost of small business breaches is $194 per record breached, a figure that includes various expenses such as detecting and reporting the breach, notifying and assisting affected customers, and reimbursing customers for actual losses. Notably, these expenses did not include the cost of potential lawsuits, public embarrassment, and loss of customer goodwill, which are common consequences of weak information security and poorly managed data breaches. For a large business, a data breach might be painful. For a small business, it can be a death sentence.

LinkedIn presents a good example of these additional costs. It is currently facing a $5 million class action lawsuit related to the data breach. The lawsuit does not allege any specific breaches of cybersecurity laws, but instead alleges that LinkedIn violated its own stated privacy policy. Businesses of all sizes should be very careful about the representations they make on their websites, as what is written in a website terms of use or privacy policy could have serious legal implications.

Proactive security and privacy planning is always better than reactive measures. “While there is no sure-fire way to completely avoid the risk of data breaches,” says Aaron Messing, an information privacy lawyer with OlenderFeldman LLP, “steps can be taken, both before and after a breach, to minimize risk and expense.” To preserve confidential communications and to obtain advice on possible legal issues related to your company, consulting with privacy attorneys about your specific requirements is recommended. OlenderFeldman recommends the following general principles as a first step towards securing your business.

First, consider drafting a detailed information security policy and a privacy policy tailored to your company’s specific needs and threats, which will guide the implementation of appropriate security measures. A privacy policy is complementary to the information security policy, and sets the standards for collection, processing, storing, use and disclosure of confidential or personal information about individuals or entities, as well as prevention of unauthorized access, use or disclosure. Your policies should plan for proactive crisis management in the event of a security incident, which will enable coordinated execution of remedial actions. Most companies have legal obligations with respect to the integrity and confidentiality of certain information in their possession. Your company should have and enforce policies that reflect the philosophy and strategy of its management regarding information security.

Second, although external breaches from hackers gain the most publicity, the vast majority of data breaches are internal. Accordingly, physical security is one of the most important concerns for small businesses. Informal or non-existent business attitudes and practices with regards to security often create temptations and a relatively safe environment for an opportunist within to gain improper or unauthorized access to your company’s sensitive information. Mitigating this risk requires limiting access to company resources on a need to know/access basis and restricting access for those who do not need it. Theft or damage of the system hardware or paper files presents a great risk of business interruption and loss of confidential or personal information. Similarly, unauthorized access, use, or disclosure, whether intentional or unintentional, puts individuals at risk for identity theft, which may cause monetary liability and reputational damage to your company.

Third, be vigilant about protecting your information. Even if your company develops a secure network, failure to properly monitor logs and processes or weak auditing allows new vulnerabilities and unauthorized use to evolve and proliferate. As a result, your company may not realize that a serious loss had occurred or was ongoing. Develop a mobile device policy to minimize the security and privacy risks to your company. Ensure that your technology resources (such as photocopy machines, scanners, printers, laptops and smartphones) are securely erased before they are recycled or otherwise disposed of. Most business owners are not aware that technology resources generally store and retain copies of documents that have been printed, scanned, faxed, and emailed on their internal hard drives. For example, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of that photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.

Finally, in the event of a breach, consult a privacy lawyer to determine your obligations. After a breach has been discovered, there should be a forensic investigation to determine what information was accessed and whether that information is still accessible to unauthorized users. Your business may be legally obligated to notify customers or the authorities of the breach. Currently, there are no federal laws regulating notification, but 46 states and the District of Columbia have enacted data breach notification laws, which mandate reporting of breaches within various time frames and to various authorities.

Login / Logout

A New Jersey court recently held that a teacher who accessed and printed a co-worker’s personal email after the co-worker left the computer without signing out of her account was not guilty of a crime.

By Alice Cheng

In Marcus v. Rogers, 2012 WL 2428046 (N.J.Super.A.D. June 28, 2012), a New Jersey court held that a defendant was not in violation of any laws when he snooped through the emails of a coworker who had forgotten to sign out of a shared computer.

The defendant, a teacher who was involved in a salary dispute with the school district he worked for, sat down to use a computer in the school’s computer room when he accidentally bumped the mouse of the computer next to him. The screen of the adjacent computer came alive to show the Yahoo! email inbox of a member of the education association he was in dispute with, which included two emails that clearly mentioned him. He then clicked on the emails, printed them out, and used them at a meeting with the education association as evidence that they had not bargained in good faith.

The individuals who were copied on the email conversations filed suit, claiming that the defendant had violated New Jersey’s version of the Stored Communications Act (N.J.S.A. 2A:156A-27), which reads in pertinent part:

A person is guilty . . . if he (1) knowingly accesses without authorization a facility through which an electronic communication service is provided or exceeds an authorization to access that facility, and (2) thereby obtains, alters, or prevents authorized access to a wire or [an] electronic communication while that communication is in electronic storage.

The court found that the defendant did not “knowingly access [the facility] without authorization” as it was the previous user who had logged into the account. The judge then let the jury decide whether or not he “exceed[ed] an authorization to access that facility” when she failed to close her inbox and log out of her account. The jury found that he did not, as he had “tacit authorization” to access the account. On appeal, the court affirmed.

While there is no clear answer to the question of whether snooping emails is illegal (as always, it depends), always remember to log out of public computers. Similarly, all mobile devices, such as smartphones or laptops, should be password protected. As for the email snoopers, be forewarned that snooping may nevertheless carry major consequences, if hacking or unauthorized access is found.

The Federal Communications Commission (FCC) is seeking public comment on the privacy and security of personal information on mobile devices.

By Alice Cheng

The Federal Communications Commission (FCC) recently released a request for public comment on the privacy and security of personal information on mobile devices. The Commission, which regulates interstate and international radio, television, wire, satellite, and cable communications, had solicited public input on this subject five years ago, but acknowledges the vast changes in technologies and business practices since then.

Section 222 of the Communications Act of 1934 addresses customer privacy, and establishes that all telecommunications carriers have the duty, with limited exceptions, to protect the confidentiality of proprietary information of and relating to customers. All carriers must also protect “customer proprietary network information” (CPNI), such as time, date, and duration of a call, which the carrier receives and obtains. They may use, disclose, and allow access to such information only in limited circumstances.

The FCC enforces these obligations, and is seeking comments to better understand the practices of mobile wireless service providers, and the types of customer information that are stored on mobile devices.

This request for public comment appears to come in light of the Carrier IQ controversy of late 2011. The Federal Trade Commission (FTC) brought legal action against analytics company Carrier IQ after it was discovered that the software, installed on over 140 million mobile devices, was capable of detailed logging of user keystrokes, recording of calls, storing text messages, tracking location, and more. The detailed tracking was intended to provide phone usage information that would be helpful to improve device performance. However, the widespread collection and difficulty in opting out attracted nationwide attention and a slew of lawsuits.

In addition to the request for public comments, the FCC has also recently released a report on location-based services (LBS), focusing on “mobile services that combine information about a user’s physical location with online connectivity.” While the report acknowledges the benefits of these services (ease of transacting business, for social networking purposes, etc.), it also addresses concerns of creating highly accurate and personal user profiles through LBS data—specifically, “how, when and by whom this information can and should be used.”

Congress has displayed a growing interest in privacy as well—several privacy and information security-related bills have been introduced and hearings on the issues have been held.

Five years after their initial inquiry into the matter, the FCC hopes to obtain an updated understanding of these mobile information security and privacy issues. Comments are due by July 13, and reply comments are due by July 30.

New Jersey Law Requires Photocopiers and Scanners To Be Erased Because Of Privacy Concerns

NJ Assembly Bill A-1238 requires the destruction of records stored on digital copy machines under certain circumstances in order to prevent identity theft

By Alice Cheng

Last week, the New Jersey Assembly passed Bill A-1238 in an attempt to prevent identity theft. This bill requires that information stored on photocopy machines and scanners be destroyed before devices change hands (e.g., when resold or returned at the end of a lease agreement).

Under the bill, owners of such devices are responsible for the destruction, or arranging for the destruction, of all records stored on the machines. Most consumers are not aware that digital photocopy machines and scanners store and retain copies of documents that have been printed, scanned, faxed, and emailed on their hard drives. That is, when a document is photocopied, the copier’s hard drive often keeps an image of that document. Thus, anyone with possession of the photocopier (i.e., when it is sold or returned) can obtain copies of all documents that were copied or scanned on the machine. This compilation of documents and potentially sensitive information poses serious threats of identity theft.

Any willful or knowing violation of the bill’s provisions may result in a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses. Identity theft victims may also bring legal action against offenders.

In order to avoid facing these consequences, businesses should be mindful of the type of information stored, and ensure that any data is erased before reselling or returning such devices. Of course, business owners should be especially mindful, as digital copy machines may also contain trade secrets and other sensitive business information.

Check Cloud Contracts for Provisions Related to Privacy, Data Security and Regulatory Concerns

“Cloud” Technology Offers Flexibility, Reduced Costs, Ease of Access to Information, But Presents Security, Privacy and Regulatory Concerns

With the recent introduction of Google Drive, cloud computing services are garnering increased attention from entities looking to more efficiently store data. Specifically, using the “cloud” is attractive due to its reduced cost, ease of use, mobility and flexibility, each of which can offer tremendous competitive benefits to businesses. Cloud computing refers to the practice of storing data on remote servers, as opposed to on local computers, and is used for everything from personal webmail to hosted solutions where all of a company’s files and other resources are stored remotely. As convenient as cloud computing is, it is important to remember that these benefits may come with significant legal risk, given the privacy and data protection issues inherent in the use of cloud computing. Accordingly, it is important to check your cloud computing contracts carefully to ensure that your legal exposure is minimized in the event of a data breach or other security incident.

Cloud computing allows companies convenient, remote access to their networks, servers and other technology resources, regardless of location, thereby creating “virtual offices” which give employees remote access to their files and data that is identical in scope to the access they have in the office. The cloud offers companies flexibility and scalability, enabling them to pool and allocate information technology resources as needed, by using the minimum amount of physical IT resources necessary to service demand. These hosted solutions enable users to easily add or remove storage or processing capacity as needed to accommodate fluctuating business needs. By utilizing only the resources necessary at any given point, cloud computing can provide significant cost savings, which makes the model especially attractive to small and medium-sized businesses. However, the rush to use cloud computing services because of their various efficiencies often comes at the expense of data privacy and security concerns.

The laws that govern cloud computing are (perhaps somewhat counterintuitively) geographically based on the physical location of the cloud provider’s servers, rather than the location of the company whose information is being stored. American state and federal laws concerning data privacy and security tend to vary, while servers in Europe are subject to more comprehensive (and often more stringent) privacy laws. However, this may change, as the Federal Trade Commission (FTC) has been investigating the privacy and security implications of cloud computing as well.

In addition to location-based considerations, companies expose themselves to potentially significant liability depending on the types of information stored in the cloud. Federal, state and international laws all govern the storage, use and protection of certain types of personally identifiable information and protected health information. For example, the Massachusetts Data Security Regulations require all entities that own or license personal information of Massachusetts residents to ensure appropriate physical, administrative and technical safeguards for their personal information (regardless of where the companies are physically located), with fines of up to $5,000 per incident of non-compliance. That means that the companies are directly responsible for the actions of their cloud computing service provider. OlenderFeldman LLP notes that some information is inappropriate for storage in the cloud without proper precautions. “We strongly recommend against storing any type of personally identifiable information, such as birth dates or social security numbers in the cloud. Similarly, sensitive information such as financial records, medical records and confidential legal files should not be stored in the cloud where possible,” he says, “unless it is encrypted or otherwise protected.” In fact, even a data breach related to non-sensitive information can have serious adverse effects on a company’s bottom line and, perhaps more distressing, its public perception.

Additionally, the information your company stores in the cloud will also be affected by the rules set forth in the privacy policies and terms of service of your cloud provider. Although these terms may seem like legal boilerplate, they may very well form a binding contract which you are presumed to have read and consented to. Accordingly, it is extremely important to have a grasp of what is permitted and required by your cloud provider’s privacy policies and terms of service. For example, the privacy policies and terms of service will dictate whether your cloud service provider is a data processing agent, which will only process data on your behalf or a data controller, which has the right to use the data for its own purposes as well. Notwithstanding the terms of your agreement, if the service is being provided for free, you can safely presume that the cloud provider is a data controller who will analyze and process the data for its own benefit, such as to serve you ads.

Regardless, when sharing data with cloud service providers (or any other third party service providers), it is important to obligate third parties to process data in accordance with applicable law, as well as your company’s specific instructions, especially when the information is personally identifiable or sensitive in nature. This is particularly important because in addition to the loss of goodwill, most data privacy and security laws hold companies, rather than service providers, responsible for compliance with those laws. That means that your company needs to ensure the data’s security, regardless of whether it’s in a third party’s (the cloud provider’s) control. It is important for a company to agree with the cloud provider as to the appropriate level of security for the data being hosted. Christian Jensen, a litigation attorney at OlenderFeldman LLP, recommends contractually binding third parties to comply with applicable data protection laws, especially where the law places the ultimate liability on you. “Determine what security measures your vendor employs to protect data,” suggests Jensen. “Ensure that access to data is properly restricted to the appropriate users.” Jensen notes that since data protection laws generally do not specify the levels of commercial liability, it is important to ensure that your contract with your service providers allocates risk via indemnification clauses, limitation of liabilities and warranties. Businesses should also reserve the right to audit the cloud service provider’s data security and information privacy compliance measures in order to verify that the third party provider is adhering to its stated privacy policies and terms of service. Such audits can be carried out by an independent third party auditor, where necessary.