Archive for 2019

Firm Announces Revamped Fixed Rate Options for 2020

Tuesday, December 31st, 2019

The Prinz Law Office has revamped its standard billing options for 2020 and dramatically increased the number of fixed rate options available for clients in 2020.  Starting on January 1st, 2020, clients will have the opportunity to elect as many as five different levels of standard fixed fee options for many routinely requested services, which will enable entrepreneurs, start-ups and small businesses with limited budgets to better choose a fixed fee plan that meets their needs.

The new fixed rate options will significantly expand the firm’s existing alternative billing arrangements.  The firm announced in early 2019 the launch of a new subscription and fixed hour billing program, which will continue to be offered in 2020.  For more information about the firm’s billing options, please contact us.

Last Minute Tips for Procrastinators: What Your Company Needs to Know about the California Consumer Privacy Act (“CCPA”)

Friday, December 27th, 2019

If your company is like many, you have known about the upcoming effective date of the California Consumer Privacy Act (“CCPA”), but are still making last minute preparations in advance of it going into effect.

If you are one of many procrastinators out there just starting to think about the law, here is a recap of some highlights for you:

  • Your business is subject to the law, regardless of its location, if any one of the following is true:
    • Your company has gross annual revenues in excess of $25 million.
    • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices.
    • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.
  • The CCPA creates new rights for California consumers: (a) the right to know; (b) the right to delete; (c) the right to opt out; and (d) the right to non-discrimination.
  • You must provide notice to consumers, at or before the point of data collection, of the personal information to be collected and the purposes for which it will be used.
  • You must provide clear and conspicuous notice to consumers of the right to opt out of the sale of personal information, which includes providing a “Do Not Sell My Personal Information” link on the website or mobile application.
  • You must respond to requests for consumers to know, delete, and opt-out within specified timeframes (generally 45 days).  Privacy settings to opt out must be treated as a validly submitted opt out request.
  • You must verify the identity of consumers who make requests to know or to delete, regardless of any password-protected account settings with the business.
  • You must disclose any financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how the value of the personal information is calculated, and explain how the incentive is permitted under the CCPA.
  • You must make available to consumers at least two or more designated methods for submitting requests, including at a minimum a toll-free phone number, and if you maintain a website, a website address by which to submit requests.  However, a business that operates exclusively online and has a direct relationship with the consumer from whom it collects personal information is only required to provide an email address.
  • You must make your privacy policy accessible to consumers with disabilities, or provide consumers with disabilities information on how they can access the policy in an alternative format.
  • You must make your privacy policy available in a format where consumers can print it out in a separate document.
  • You must ensure that the privacy policy explains how a consumer can designate an authorized agent to make a request on the consumer’s behalf.
  • You must retain records of all requests and responses to requests for at least 24 months; provided that businesses that buy or sell personal information of more than 4 million consumers annually have additional reporting obligations.

Also, if your business qualifies as a “data broker” you are required to register with the Attorney General by January 1, 2020.  How do you know if your business is a “data broker”?  Your business knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.  Three categories of businesses are excluded from these obligations:  (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.

The CCPA, its amendments, and regulations define more compliance obligations that businesses should be familiar with, but this list is a good starting point in advance of the effective date.

Obviously, even if your business is not subject to these laws, these privacy requirements will now constitute the best practices for doing business in California, so all businesses should seriously consider incorporating these privacy practices into their standard privacy practices and procedures.

SaaS Lawyer Kristie Prinz to Present Webinar on “Drafting and Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices”

Tuesday, December 10th, 2019

SaaS Lawyer Kristie Prinz will present an upcoming webinar for Tech Transfer Central on December 10, 2019 from 10 a.m. to 11 a.m. PST on “Drafting and Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices.”  To read more about this program or register, please check out the Tech Transfer Central website: https://techtransfercentral.com/marketplace/distance-learning/drafting-and-negotiating-saas-agreements/.

Software Lawyer Kristie Prinz Presented on “Legal Developments in the Software Industry”

Thursday, November 21st, 2019

Software Lawyer Kristie Prinz presented a webinar on “Legal Developments in the Software Industry” on November 21, 2019.  A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/legal-developments-in-the-software-industry-2019.

SaaS & Software Lawyer Kristie Prinz to Present Webinar on “Key Legal Developments Impacting the Software Industry in 2019”

Thursday, November 21st, 2019

SaaS and Software Lawyer Kristie Prinz will present a webinar on November 21, 2019 on “Legal Developments Impacting the Software Industry 2019.”  The program will provide an overview of what software companies need to know about key legal developments in 2019 and practical steps that they should be taking in response to those developments.  At this webinar you will learn about:

  • Key state law developments impacting the industry, including but not limited to the California Consumer Privacy Act, which goes into effect January 1, 2020;
  • Federal regulatory activity impacting the software industry, particularly with respect to the Federal Trade Commission (“FTC”);
  • Cases and trends in litigation impacting the software industry; and
  • Best practices to navigate the current legal landscape.

Software & SaaS Lawyer Kristie Prinz to Present Webinar on “Legal Developments Affecting the Software Industry”

Friday, November 1st, 2019

The Prinz Law Office is sponsoring a webinar on November 21, 2019 on “Legal Developments Affecting the Software Industry.”  The program will provide an overview of what software companies need to know about key legal developments facing the software industry and steps they should be taking to respond to those legal developments.  For more information or to register for the event, please check out: https://prinzlawstore.com/2019/10/legal-developments-impacting-the-software-industry-2019/

SaaS Lawyer Kristie Prinz to Present Upcoming Webinar on “Drafting & Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices”

Friday, November 1st, 2019

SaaS Lawyer Kristie Prinz will be presenting a webinar on Tuesday, December 10, 2019 for Tech Transfer Central on “Drafting and Negotiating SaaS Agreements: Best Practices for University Tech Transfer Offices.”  To register, please sign up at https://techtransfercentral.com/marketplace/distance-learning/drafting-and-negotiating-saas-agreements/.

California Passes New Data Broker Law In Anticipation of January 1, 2020 Effective Date of California Consumer Privacy Act (“CCPA”)

Wednesday, October 23rd, 2019

SaaS companies in the business of brokering data are on notice: the state of California intends to keep you on a tight leash.

In anticipation of the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA”), California took yet another bold step toward protecting the personal information of Californians when it passed a new data broker law on October 11, 2019, which applies to anyone in the business of collecting and selling the personal information of consumers:  AB-1202 establishes a new compliance framework for data brokers.

What is California’s New Data Broker Law?

Under the new law, data brokers will be required to register with the Attorney General, pay a registration fee, and provide their name, physical address, email, and website address, which will be publicly displayed online.  Any data broker who fails to register will be (a) subject to injunction and liable for civil penalties, fees, and costs at a rate of $100 for each day that the data broker fails to register; (b) liable for an amount equal to the fees due during the period it failed to register; and (c) liable for the expenses incurred by the Attorney General in the investigation and prosecution of the action.

What is a Data Broker under the California Law?

What businesses are defined as “data brokers” under the law?  The law defines “data broker” to mean a “business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”  The law specifically excludes three categories of businesses from the definition of “data broker”: (i) consumer reporting agencies to the extent they are covered by the Fair Reporting Act; (ii) financial institutions to the extent they are covered by the Gramm Leach Bliley Act; and (iii) entities covered by the Insurance Information and Privacy Protection Act.  “Personal information” is defined to have the meaning provided in subdivision (o) of Section 1798.140, so publicly available information may be excluded to the extent the data is used for a purpose that is compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.

California’s New Data Broker Law Applies to Companies Selling Data

So, if your company is in the business of selling data in any capacity, not only do you need to prepare for the January 1, 2020 launch of the CCPA, you also need to prepare to register with the state of California as a data broker.  Businesses will be required to register on or before January 31st following each year when your business meets the definition of a “data broker.”

California Passes New Data Brokering Law

Wednesday, October 23rd, 2019

News Update 10.22.19

California Finalizes California Consumer Privacy Act (“CCPA”)

Friday, October 18th, 2019

In anticipation of the California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, California Governor Gavin Newsom has just signed into law seven amendments to the statute, and the California Department of Justice published the text of its new regulations to be adopted in furtherance of the CCPA.

The signed bills are as follows: AB 25, AB 874, AB 1146, AB 1355, AB 1564, and AB 1130.  The text of the published regulations is made available here.  The deadline to submit written comments is 5 p.m. on December 6, 2019.  California is accepting comments submitted in accordance with the instructions posted on this Office of the Attorney General website: https://www.oag.ca.gov/privacy/ccpa.

So now that there is a little more statutory and regulatory clarity on what exactly will be going into effect on January 1st, 2020, SaaS and tech companies are in a better position to start preparing for the law to take effect.

CCPA Compliance Requirements

So, what does your SaaS or tech company need to know about complying with the California law as of January 1, 2020, as the California privacy laws collectively stand today?

First of all, your business will be subject to the law if at least one of the following is true:

  • Your company has gross annual revenues in excess of $25 million;
  • Your company buys, receives, or sells the personal information of 50,000 or more consumers, households or devices;
  • Your company derives 50 percent or more of its revenues from selling consumers’ personal information.

“Consumer” is currently defined as a natural person who is a California resident.  “Personal information” is currently defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and includes not only name, address, and social security number, but also purchasing history or tendencies, biometric information, internet activity, geolocation data, employment information, and education information.  However, publicly available information and de-identified or aggregate consumer information are now specifically excluded from the definition.  “Business” is currently defined to include for-profit businesses as well as other legal entities.

CCPA Consumer Rights

Second, California consumers are going to have certain new rights that your business will be responsible for ensuring:

  • A Right to Know (a) the specific pieces of personal information the business has collected about the consumer; (b) the categories of personal information it has collected or sold about that consumer; (c) the purpose for which it collected or sold the categories of personal information; and (d) the categories of third parties to whom it sold the personal information.
  • A Right to Delete personal information held by your business or by a service provider of your business; provided, however, that there will be some exceptions, where it is necessary for your business or service provider to do any of the following: (a) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’ ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; (b) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity; (c) debug to identify and repair errors that impair existing functionality; (d) exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law; (e) comply with the California Electronic Communications Privacy Act; (f) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent; (g) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business; (h) comply with a legal obligation; or (i) otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
    If you or your service provider does not delete a consumer’s information upon request, you must inform the consumer as to why and notify the consumer of any rights he or she has to appeal the decision, and you must do it within the timeframe you would have had to delete the information.
  • A Right to Opt Out of the Sale of personal information.  “Sale” is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other consideration. The proposed regulations provide more clarification on the practices businesses should follow to ensure this right to opt out of the sale.    In the case of children under the age of 16, your business cannot sell their personal information unless they have opted-in to the sale.  In the case of children under 13, a parent or guardian must opt-in on behalf of the child.  The proposed regulations further define the rules related to the protection of children.
  • A Right of Non-Discrimination.  Your business will be prohibited from discriminating against a consumer for exercising his or her rights under the CCPA.  Discrimination will be defined to include denying goods or services to the consumer, charging different prices or rates for goods or services, providing a different level or quality of goods or services to the consumer, or suggesting that the consumer will receive a different price or quality of goods or services; provided that you will be able to charge a different price or rate, provide a different level or quality of goods or services, or offer financial incentives if the difference is reasonably related to the value provided to the business by the consumer’s personal data, so long as the business practice is not unjust, unreasonable, coercive, or usurious in nature.  The proposed regulations further define how the right of non-discrimination will be implemented.

CCPA Business Obligations

Third, businesses will now have other new business obligations to consumers, including the following:

  • Provide notice to consumers, at or before the point of collection, of the categories of personal information to be collected from them and the purposes for which they will be used.
  • Provide clear and conspicuous notice to consumers of the right to opt-out of the sale of personal information in the form of a “Do Not Sell My Personal Information” link on their website or mobile application.
  • Respond to requests from consumers to know, delete, and opt-out within the specified timeframe (generally 45 days).  The proposed regulations require businesses to treat privacy settings to opt out selected by a consumer as a validly submitted opt out request.
  • Make available to consumers at least two or more designated methods for submitting requests for information, including at a minimum, a toll-free phone number, and also specify other business practices for handling requests by consumers.
  • Verify the identity of any consumer making a request to know or delete.  Password protected account settings are not considered sufficient verification.  The proposed regulations require a business unable to verify a request to comply to the greatest extent it can even if it denies a request.
  • Disclose financial incentives offered in exchange for the retention or sale of consumer’s personal information (as specified by the proposed regulations), including a short summary of the incentive, a description of the summary and the categories of personal information impacted, an explanation of how a consumer can opt-in to the incentive, a notice to consumer that he or she has the right to withdraw at any time and how he or she can exercise this right, and an explanation of why the incentive is permitted under California privacy law.
  • Retain records of all requests and responses to those requests for at least 24 months; provided that businesses (alone or in combination) collecting, buying or selling the personal information of more than 4 million consumers annually are subject to extra  recordkeeping obligations.
  • Disclose a privacy policy which describes consumer’s rights under California privacy law, how to submit requests to exercise rights under California privacy law, and information regarding their data collection and sharing practices.  The proposed regulations define additional requirements for the privacy policy, including that it must be accessible to consumers with disabilities or provide consumers with disabilities information on how they can access the policy in an alternative format;  that it must be in a format where consumers can print it out as a separate document; it must explain the right of a consumer not to receive discriminatory treatment; and it must explain how a consumer can designate an authorized agent to make a request on the consumer’s behalf under California privacy law.
  • Train employees or contractors handling consumer requests on compliance with California privacy law and directing consumers to exercise their rights under California privacy law; provided that businesses collecting, buying or selling the personal information of more than 4 million consumers are subject to higher  training obligations.

CCPA Conflicts with GDPR

Fourth, businesses are now going to have to reconcile the requirements of the European Union’s General Data Protection Regulation (“GDPR”) with California’s privacy laws.  In particular, California’s Department of Justice has advised businesses to be wary of the following:

  • Data inventory and mapping of data flows to demonstrate compliance with the GDPR may have to be re-worked to reflect the different requirements of California.
  • Processes and/or systems set up to respond to individual requests for access to or erasure of personal information will need to be reviewed in order to apply different definitions of what constitutes personal information and different rules on verification of consumer requests.
  • Contracts with service providers or data processors adopted to comply with the GDPR may need to be rewritten to reflect the requirements under California law.

Regardless of whether your SaaS or tech company is going to meet the threshold to be subject to the new California law when it goes into effect, it would be prudent to start incorporating these new requirements into your company’s privacy practices and procedures, since they will at the very least become the new best practices for businesses serving California consumers effective January 1, 2020.  It goes without saying that companies who will be subject to the law when it goes into effect need to take steps to become compliant immediately, as the law is set to go into effect in less than 75 days.

If you have questions regarding the CCPA and your company’s compliance obligations, schedule a consultation today at this link.

California Prepares for Approaching Deadline of CCPA Effective Date

Thursday, October 17th, 2019

News Update 10.17.19

SaaS Lawyer Kristie Prinz Presents on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships”

Tuesday, October 8th, 2019

SaaS Lawyer Kristie Prinz presented a webinar on “Best Practices for Negotiating SaaS Contracts & Managing Customer Relationships” on October 8, 2019.   A copy of the video recording is available for viewing at this link:  https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-saas-contracts-1

The Prinz Law Office’s Kristie Prinz to Present on “Best Practices for Negotiating SaaS Contracts”

Tuesday, October 8th, 2019

The Prinz Law Office will be sponsoring a webinar on October 8, 2019 on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships.” Firm Founder and SaaS attorney, Kristie Prinz, will be presenting this webinar, which will be intended not only for in-house counsel and other attorneys, but also for founders, businesspeople and CFOs dealing with SaaS agreements.

To register to attend, please sign up at The Prinz Law Store website at https://prinzlawstore.com/2019/08/saas-contracts/.

The Prinz Law Office’s Kristie Prinz to Present Upcoming Webinar on SaaS Contracts

Thursday, August 22nd, 2019

The Prinz Law Office will be sponsoring a webinar on October 8, 2019 on “Best Practices for Negotiating SaaS Contracts & Managing SaaS Customer Relationships.” The firm’s own Silicon Valley SaaS attorney, Kristie Prinz, will be presenting this webinar, which will address such issues as:

  • What makes an effective SaaS customer contract?
  • What are the essential terms in a well-drafted SaaS contract?
  • What are the common issues that arise in SaaS negotiations? What are the best strategies to resolve them?
  • What are the best practices to manage the customer relationship?

To register to attend, please sign up at The Prinz Law Store website at https://prinzlawstore.com/2019/08/saas-contracts/.

Is a Company Liable for Software Defects, when a Vulnerability is Discovered but Not Exploited?

Saturday, August 17th, 2019

If you are in the software business, you likely recognize that you can be sued for materially breaching contracts, infringing third party IP, and data breaches but you may not realize the extent of your liability just for making the sale of a software product deemed to contain a security flaw in the first place, even if the security flaw was never exploited and only identified.

Increasingly, however, just the act of selling software later deemed to be “defective” due to security flaws  has resulted in liability to companies.

The Federal Trade Commission (the “FTC”) has recently imposed fines and put in place ongoing oversight on companies for this type of issue.

But as Cisco just discovered,  if the sales were made to a federal or state agency, the mere act of making the sale can also result in significant liability.  Cisco has agreed to pay $8.5 million to settle a case originally filed in New York Western District Court in 2011 involving the sale of video surveillance technology to a variety of government organizations, including but not limited to Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency.

According to The New York Times, the Cisco case was initiated by the Justice Department in the Federal District Court for the Western District of New York, and the allegations were based on violations of the False Claims Act, which addresses fraud and misconduct in federal government contracts.  Fifteen states and the District of Columbia joined in the suit.  As The New York Times reported, the argument made by the government was that the software had no value because it failed to serve its primary purpose of security enhancement.  According to The New York Times, the flaw was identified back in 2008 by a Cisco subcontractor, who brought it to the company’s attention at that time.  However, as The New York Times reported, the subcontractor was subsequently terminated, and when he realized two years later that the vulnerability was still not fixed, he contacted the FBI.  The New York Times reported that Cisco continued to sell the software with the flaw until July 2013, when it finally notified customers and fixed the flaw.

While the Cisco case applies only to sales made to government, a class action suit is pending right now on similar facts, where the sales were made to non-government consumers.  The class action lawsuit was initiated late last year against Symantec for critical defects in its security products under the Norton Brand.  It is not clear as to the status of that litigation.

The bottom line: if you are selling software that provides security functionality, you need to have internal systems in place to identify security flaws and quickly fix the flaws, particularly if the software is being sold to a government organization.  However, if you are selling to the general public, you may still be liable for sales of the software containing security flaws, whether liability is assessed through the FTC or through class action litigation, regardless of the terms of your contract for those sales.

Can Your Company Be Sued Over a Software Update?

Friday, August 16th, 2019

When your company releases its next software update, you may want to consider the potential legal implications of the release.  There seems to be a new trend in class action litigation: suits over software updates.

As Reuters first reported, an owner of a Tesla vehicle has filed a lawsuit against Tesla, Inc. claiming that a software update fraudulently limited the battery range of older vehicles, which reduced the distance that they can travel without recharging the vehicles.  Reuters reported that the lawsuit was filed in a Northern California federal court and seeks class action status for owners of Model S and X vehicles around the world.

According to Reuters, the lawsuit claims that the software update was released with the intention of avoiding liability for defective batteries.

CNET reports that the affected owners claim to have lost some eight kilowatt hours of capacity after the software update, which occurred back in May 2019, and that the affected cars are older Model S and X vehicles, which have batteries that should still be covered under the eight (8) year warranty on the batteries.  InsideEVs explained the argument as Tesla “enter[ing] [owners’] garages and replac[ing] a 40-gallon tank for a 20-gallon tank.”

Tesla is not the first company to be sued for a software update and how the update affected the performance of a device.  Apple has also been the subject of numerous suits in the past few years on a similar issue.  This Business Insider article reports on the legal controversy involving Apple regarding an update affecting battery performance.  Class action suits were also filed against Microsoft over its Windows 10 upgrade strategy.  See this Consumeraffairs.com article.

While these cases all pertain to software that controlled performance of a device, whether batteries or computers, it seems clear that with the increasing reliance on software functionality across so many industries, lawsuits over software updates are likely to continue.

So, the next time your company contemplates a software update or upgrade, it may be prudent to contemplate the legal implications of the release and whether or not it is likely to result in litigation.  You also may want to reconsider the sufficiency of your legal agreements in place with the parties with whom you are sharing the updates or upgrades before making available the new software.  Software companies are clearly on notice that they may be sued for updates or upgrades, if they are alleged to have a negative impact on customers or users after the release.

Silicon Valley SaaS Lawyer Kristie Prinz to Speak on “Negotiating SaaS Agreements” for Clear Law Institute

Friday, August 9th, 2019

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on August 9, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

Private Coalition of Health Insurers and Major Tech Companies Announce New Standard for Claims Data S

Wednesday, August 7th, 2019

The CARIN Alliance, which is a coalition of companies from the health and tech industries, has just announced the release of a new standard for sharing health claims data in conjunction with the Blue Button Developers Conference.  The announcement is linked here.

The newly released standard is linked here:  CARIN Blue Button Implementation Guide CI Build.

According to FierceHealthcare, the standard was developed by a working group composed of alliance members and includes more than 240 claim data elements.  FierceHealthcare reports that 20 organizations, including Apple, Anthem, Blue Cross Blue Shield, Cambia Health Solutions, Google, and Humana have agreed to test an application programming interface (“API”) employing the standard in anticipation of a product launch of the standard next year.

CNBC reports that the significance of the news is that this is the first time that industry has agreed to standards for sharing claims data to third party developers, and the Alliance aspires not only to make the data available to consumers but also to provide fraud detection functionality and functionality to help consumers avoid paying bills with errors in them.

FierceHealthCare reports that the new standard “builds” on Blue Button 2.0, which was released by the Centers for Medicare and Medicaid Services (“CMS”) last year and is an API enabling Medicare beneficiaries to access their Medicare claims data.  A web page dedicated to Blue Button 2.0 is linked here.  FierceHealthCare reported on the Blue Button 2.0 initiative by CMS here.

Obviously the development of new digital health standards is a victory for the digital health industry, which has arguably been slow to develop industry standards along the lines of what exist in the tech industry generally.

For more information on how to join The Carin Alliance, click here.  For a list of alliance members, please click here.

Silicon Valley Software Lawyer Kristie Prinz to Present Upcoming Webinar on “Drafting Software Hosting Agreements”

Thursday, July 25th, 2019

Silicon Valley Software Lawyer Kristie Prinz will be presenting an upcoming webinar with FieldFisher partner Laura Berton on “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for Strafford on Thursday, July 25th from 10 a.m. to 11:30 a.m. PST.   For more information on the program, please click here.

Software Industry Concerned About the Potential Impact of AB-5 on Gig Economy

Friday, July 19th, 2019

The Software Industry is closely following legislation in California that, if passed, could have a huge impact on Gig workers and the software companies that rely on them.

The legislation at issue is AB 5, which would codify and expand the California Supreme Court’s recent decision in Dynamex Operations v. Superior Court (2018) 4 Cal. 5th 903.  The text of the proposed legislation is available here.

According to The Intercept, the bill was sponsored by Lorena Gonzalez, a Democratic assemblywoman from San Diego.  The Intercept reports that California is losing an estimated $7 billion in payroll tax annually due to the misclassification of employees as independent contractors, so the state is eager to close the loophole.

Obviously, Uber and Lyft directly oppose the legislation, since it would directly impact their current Gig worker business model.  In fact, The Los Angeles Times has reported that Uber and Lyft have actually paid drivers to organize protests against the legislation.

For Uber and Lyft, the obvious concern is that the passage of AB-5 in California could prompt other states to pass their own versions of the legislation, or even, that similar legislation could be passed at the federal level, which could potentially expand the impact of the legislation far beyond the borders of California.

Both The Intercept and  The Los Angeles Times are reporting that Uber and Lyft have each warned investors of this potential risk in recent regulatory filings.  Indeed, an investment publication,  Investorplace, warns that the passage of the bill will have a very detrimental impact on both companies.

The bottom line is that software companies who have built business models around the Gig worker model may soon be forced to either cease operations in California or, alternatively, to change their models for the state, if AB-5 is passed and signed into law, so if your company has been developed around this model or you are building a company relying on this model, you will want to follow this legislation closely as it moves through the California legislature.

News Update on FTC’s Application of Safeguards Rule to Software Company

Wednesday, July 17th, 2019

News Update 7.17.19

Facebook Agrees to Record $5 Billion Settlement with FTC on Privacy Practices

Saturday, July 13th, 2019

Multiple media outlets are reporting today that the Federal Trade Commission has agreed to settle its case against Facebook on its privacy  practices for $5 Billion.

The Wall Street Journal reports that the vote by FTC commissioners was 3-2 in favor of accepting the agreement and split along party lines with the Republican majority favoring the settlement.  According to The Wall Street Journal, the matter next goes to the Justice Department’s civil division for final review.

According to the Mercury News, assuming reports are correct, this will be the largest fine imposed to date by the U.S. government on a tech company.  The Washington Post reports that the fine is more than 200 times higher than any previous fine.

Interestingly enough, The Wall Street Journal is reporting that the fine obtained by the FTC exceeds what the European Union could have obtained under its privacy laws.

The Washington Post predicts that the settlement will impose serious consequences on Facebook that go far beyond just a $5 billion fine.  However, The Washington Post acknowledges that the dissenting commissioners opposed the settlement because they wanted some assessment of personal liability against CEO Mark Zuckerberg; commissioners reportedly decided to accept a settlement without any such assessment in order to ensure that the matter did not end up in litigation.

While controversial, the FTC’s enforcement action in this matter still sets a significant precedent for the software industry with respect to the consequences of not protecting data uploaded to or generated by  software.  Software companies are on notice: the FTC is closely following your privacy practices and may assess fines in the billions of dollars against you if you fail to take sufficient steps to protect user data.

Should Law Enforcement Agencies’ Use of Facial Recognition Software Be Subject to Regulation?

Friday, July 12th, 2019

As The New York Times and The Washington Post recently reported, facial recognition software is being heavily utilized by government agencies, who are using the software to search state driver’s license databases, despite the fact that most of the photos in the databases are of citizens who have never committed a crime and have never given any sort of consent to the searches.  The reports have raised concerns about the lack of regulation and oversight currently with respect to the use of facial recognition software by law enforcement.

According to a report by The New York Times, since 2011, the FBI has run nearly 400,000 facial recognition searches  of federal and local databases, including DMV records.   The Washington Post reports that the FBI is currently running about 4000 searches per month.

Moreover, The New York Times and The Washington Post are reporting that in states offering driver licenses to undocumented immigrants, Immigration and Customs Enforcement (“ICE”) is  using the software to conduct searches on undocumented immigrants.

The Washington Post reports that twenty-one (21) states and the District of Columbia allow federal investigators to scan driver’s license photos, and that those searches generally require no more than an email request to conduct the search.

A number of lawmakers in Washington are raising concerns about the recent revelations, and two cities, San Francisco and Somerville, MA, have now imposed a ban preventing police and public agencies from using the software.  The Washington Post reports that a privacy coalition has petitioned the Homeland Security Committee for the Department of Homeland Security (“DHS”) to stop using the technology.

What are the arguments being raised in favor of greater regulation of law enforcement’s use of the technology?

First and foremost, proponents for greater regulation argue that running facial recognition searches against photos of law-abiding citizens is a huge privacy violation.  Secondly, they argue the scope of its use by law enforcement is too broad, since it has been used not only for the identification of criminal suspects but also to find witnesses, victims, and bystanders.  Third, they argue its use often constitutes a breach of trust, since states encourage undocumented immigrants to submit their information to the databases and then proceed to turn it over to ICE.  Fourth, they argue that use of the software heightens the risk of misidentification and false arrest due to inaccuracies with how certain facial features are detected.

All in all, it is clear that law enforcement considers facial recognition software to be a valuable investigative tool.  However, there are clearly some valid concerns with how the software is being used that warrant further consideration.  Should law enforcement really be able to conduct these types of searches without a warrant?  Should ICE be able to conduct searches of undocumented immigrants who have been encouraged to submit information for inclusion in a database?  What kind of checks should be in place on law enforcement’s use of software that has inherent inaccuracies?

Silicon Valley SaaS Lawyer Kristie Prinz to Speak at Upcoming Webinar on SaaS Agreements

Friday, July 5th, 2019

Clear Law Press Release 7.5.19

Silicon Valley Software Lawyer Kristie Prinz to Speak at Upcoming Webinar on Software Hosting Agreements

Friday, July 5th, 2019

Strafford Press Release 7.5.19

FTC Sends Warning to IoT Companies on the Importance of Secure Software Development with Enforcement Action Against D-Link

Wednesday, July 3rd, 2019

Internet of Things (“IoT”) companies are on notice: the FTC is concerned about the security of software installed on IoT and smart home products and is prepared to take enforcement action against companies to ensure that consumers are protected.

The FTC has just announced the proposed settlement of its case against D-Link filed in January, 2017, which mandates that D-Link put in place and maintain a comprehensive software security program for the next 20 years that incorporates certain specified requirements, including a “secure software development process” that incorporates specified software development safeguards to ensure the security of its devices.

These FTC imposed requirements include the following:

  • Specifying in writing how functionality and features secure the devices;
  • Engaging in threat modeling to identify potential security risks;
  • Reviewing every planned release of code with automated static analysis tools;
  • Performing pre-release vulnerability testing on each planned release of code;
  • Performing ongoing code maintenance to address vulnerabilities as they are identified;
  • Adopting remediation processes to address identified security flaws at any stage of the development process;
  • Monitoring research on possible vulnerabilities to devices;
  • Setting up a process for receiving and validating vulnerability reports from security researchers;
  • Making automatic firmware updates to devices;
  • Notifying customers at least 60 days in advance of any decision to stop making security updates to a device; and
  • Providing biennial security training for personnel and any vendors involved with the device software.

In addition to imposing the above requirements on D-Link, the order gives the FTC the power of oversight to ensure ongoing compliance, and requires D-Link to obtain routine third party assessments by a professional with credentials specified by the FTC to perform in-depth reviews of D-Link’s security practices.  The FTC specifically mandates that the assessment meet an approved standard as defined by the FTC: the International Electrotechnical Commission (“IEC”) standard for the secure product development life cycle.  The FTC announcement is attached here and its order is attached here.

What prompted the FTC case against D-Link?  The FTC complaint filed against D-Link alleged a failure by D-Link to take “reasonable” steps to secure software constituting “unfair acts or practices in or affecting commerce, in violation of Section 5 of the FTC Act, 15 U.S.C. Sections 45(a) and 45(n)” and misrepresentations regarding D-Link’s security practices constituting a “deceptive act or practice, in or affecting commerce in violation of Section 5(a) of the FTC Act, 15 U.S.C. Section 45(a).”  The FTC Complaint against D-Link is attached here.

What do companies engaged in IoT software development need to take away from this enforcement action?  First of all, companies need to be aware that the FTC is applying its regulatory powers against companies to ensure that they are securing software in accordance with any representations made to consumers.  Second of all, companies need to be aware that the FTC is looking to certain published standards by the IEC to provide the industry standards for software in this space, so IEC compliance certification may provide the measure of a company’s compliance with its security obligations.  Third, the FTC has provided some suggested guidelines for companies to follow in the following publications: Careful Connections: Building Security in the Internet of Things and Start With Security: Lessons Learned from FTC Cases.

FTC Puts Software Companies and Service Providers on Notice of Broad Enforcement Powers Under Gramm-Leach-Bliley Act Safeguards Rule

Wednesday, July 3rd, 2019

The Federal Trade Commission (“FTC”) has put software companies and software service providers on notice that it intends to interpret the Gramm-Leach-Bliley Act’s Safeguards Rule broadly to apply to businesses which make available software or services that serve financial, payroll, and accounting purposes and collect sensitive data on consumers and their employees.

The FTC recently announced its settlement of a complaint filed against LightYear Dealer Technologies, LLC, which does business as Dealerbuilt.  As a condition of the settlement, Dealerbuilt is required to develop, implement and maintain an information security program that incorporates the minimum requirements specified by the FTC and to submit to third party compliance assessments and annual certifications over a period of the next 20 years.

The FTC’s specified minimum requirements for Dealerbuilt’s information security program  included the following:

  • Develop, implement, maintain and record in writing an Information Security Program;
  • Make available the written program, evaluations of the program, and updates on the program, to the company’s board of directors or governing body, or if none exists, the senior officer responsible for the program at least once per annual period and after any data breach;
  • Identify an employee or employees responsible for the coordination of the program;
  • Provide written assessment annually and after any data breach of any potential data breach risks;
  • Develop written safeguards to ensure data security including the following:
    • Training of all employees at least once every annual period on how to protect personal information;
    • Technical measures monitoring networks and systems to identify attempted data breaches;
    • Access controls on databases containing personal information, which (a) restrict the ability to connect to only approved IP addresses; (b) require authentication to access the databases; and (c) limit the access of employees to only those databases as necessary to perform their duties;
    • Encrypt all social security numbers and financial account information;
    • Implement policies and procedures for secure installation and inventory on an annual basis;
  • Perform assessment annually and after any data breach of the sufficiency of safeguards and modify the program as necessary;
  • Conduct test annually and after any data breach of effectiveness of safeguards, which shall include vulnerability testing every four months and after a data breach, and annual penetration testing, as well as after any data breach;
  • Ensure that contracts with any service providers ensure compliance with safeguards; and
  • Evaluate and make adjustments to program upon any changes to operations or business or in event of any data breach, or on an annual basis.

The FTC Order also mandates that an information security assessment be conducted initially and biennially by a third party professional approved by the Associate Director for Enforcement for the Bureau of Consumer Protection at the FTC, and that the assessor will be required to provide the documents relevant to the assessment to the FTC for review within 10 days following the completion of the initial review and then on demand.  Furthermore, the Order requires the senior corporate manager or senior officer of Dealerbuilt to submit annual written certifications to the FTC, and that within a reasonable time following any discovery of a data breach, or at least 10 days following the provision of first notice of any data breach, Dealerbuilt must send a report to the FTC of any data breach, which meets certain specified requirements.  Also, the Order permanently enjoins all individuals affiliated with Dealerbuilt from violating any provisions of the Safeguards Rule, and makes the Order applicable to all businesses connected to Dealerbuilt, which is to be broadly interpreted and which Dealerbuilt is required to identify in detail via compliance reports, accompanied by sworn affidavits.

The FTC also imposes broad recordkeeping requirements on Dealerbuilt through the Order, requiring Dealerbuilt to create and retain for the next 20 years accounting records of all revenues collected, personnel records, consumer complaint records and responses to those records, and any documents relied upon to prepare mandated assessments and to demonstrate full compliance with the order.

Finally, within 10 days of any request by the FTC, Dealerbuilt is required to furnish compliance reports to the FTC or other requested information accompanied by sworn affidavits.

The FTC announcement is attached here and the Order attached here.

What prompted this broad enforcement action by the FTC against Dealerbuilt?  According to the FTC Complaint, a series of security failures resulted in the breach of a backup database through a storage device beginning in late October 2016, which resulted in the breach of personal information of nearly seventy thousand consumers, which included full names and addresses, telephone numbers, social security numbers, driver’s license numbers, and birthdates of consumers as well as wage and financial account information of dealership employees.  The FTC Complaint further alleges that Dealerbuilt failed to detect the breach and only learned of it after a customer called its chief technology officer demanding to know why customer data was publicly available on the Internet.

The FTC Complaint alleged that Dealerbuilt was a financial institution as defined by Section 509(3)(A) of the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6809(3)(A) as a result of being “significantly engaged in data processing for its customers, auto dealerships that extend credit to customers.”  The Complaint alleged that the “failure to employ measures to protect personal information” constituted an “unfair act or practice” and that the failures to (a) “develop, implement, and maintain a written information security program”; (b) “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information” and “assess the sufficiency of any safeguards in place to control those risks”; and (c) “design and implement basic safeguards and to regularly test or otherwise monitor the effectiveness of such safeguards” constituted a violation of the Safeguards Rule and an unfair or deceptive act or practice in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.

What should software companies and service providers take away from this FTC enforcement action?  First and foremost, the FTC is making a definitive statement that if you are in the business of providing software or software services that have any sort of financial or accounting function to them, you are a financial institution for purposes of Gramm-Leach-Bliley and the Safeguards Rule is going to be deemed to apply to your business.  Second, the FTC considers service providers accountable for the protection of any personal data they collect or store.  Third, the FTC expects businesses using third party software or providers to have contracts in place with those software companies or service providers imposing security requirements, monitoring requirements, and explicitly requiring them to follow websites reporting on known vulnerabilities.  Fourth, the FTC expects businesses to train and supervise employees on how to ensure the security of the company.  The FTC specifically points businesses in its announcement to comply with its publication, Start with Security: Lessons Learned from FTC Cases.

Developers File Suit Against Apple for App Store Practices Following Recent Decision by U.S. Supreme Court

Thursday, June 13th, 2019

Two app developers have filed suit against Apple, Inc. over its App Store practices, following the recent decision by the U.S. Supreme Court in favor of consumers allowing a class action suit on similar issues to proceed.  The case was filed in the U.S. District Court for the Northern District of California (San Jose).

According to Bloomberg, the developers’ suit is also a class action suit on behalf of developers nationwide whose products are sold through the App Store.  Bloomberg reports that the developers’ claims are on antitrust grounds and also allege violations of California’s Unfair Competition Law, and that they are represented by a law firm based in Seattle, Hagens Berman, which previously won a $650 million settlement against Apple and other e-book publishing companies on similar claims in 2016.

The U.S. Supreme Court case, which just ruled in favor of consumers, presented a legal question as to whether consumers had standing to sue Apple, since developers, rather than consumers, have the direct, contractual relationship with Apple.  However, the U.S. Supreme Court decision did not decide on the merits of the case and only decided whether the class action suit could proceed.  Clearly, the developers would be presumed to have standing to bring a class action suit and the same legal question would not be relevant.

The timing of these suits coincides with increasing calls in Washington for greater regulation at the federal level of Apple as well as its fellow tech giants Amazon, Facebook, and Google, particularly with respect to federal antitrust law and the handling of consumer data.  The New York Times is reporting that the four companies are in the process of assembling an “army of lobbyists” to defend them in Washington, spending a combined total of $55 million in lobbying last year.

Needless to say, the tech industry is under fire for many of its business practices, and it seems likely that some changes are on the horizon, regardless of its best efforts to maintain the status quo.

Do you have legal questions related to the App Store?  Schedule a consultation today to discuss your concerns at this link.

Silicon Valley Software Lawyer Kristie Prinz to Speak on “Negotiating SaaS Agreements”

Wednesday, May 29th, 2019

Silicon Valley Software Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on August 9, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

The Prinz Law Office Announces Opening of San Francisco Office

Friday, May 24th, 2019

Press Release 5.1.19

Software Attorney Kristie Prinz to Present Webinar on “Drafting Software Hosting Agreements” Hosted by Strafford

Thursday, May 16th, 2019

Silicon Valley Software Attorney Kristie Prinz will be presenting an upcoming webinar with FieldFisher partner Laura Berton on “Drafting Software Hosting Agreements: Service Availability, Performance, Data Security, Other Key Provisions” for Strafford on Thursday, July 25th from 10 a.m. to 11:30 a.m. PST.   For more information on the program, please click here.

Silicon Valley SaaS Lawyer Kristie Prinz to Present Webinar on “Negotiating SaaS Agreements”

Monday, May 6th, 2019

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on May 6, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

The Prinz Law Office Announces Opening of San Francisco Office

Wednesday, May 1st, 2019

The Prinz Law Office is pleased to announce the opening of its new San Francisco office. To read the press release announcing the opening, please click on the link:  Press Release.

Silicon Valley Software Lawyer Kristie Prinz to Present Webinar on “Negotiating SaaS Agreements”

Friday, March 29th, 2019

Silicon Valley Software Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on May 6, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute.  To register, please sign up at https://clearlawinstitute.com/.

Tech Lawyer Kristie Prinz Presented on “Best Practices for Drafting MSAs”

Friday, March 8th, 2019

Tech Lawyer Kristie Prinz Presented on “Best Practices for Drafting MSAs” on March 8, 2019.  A copy of the video recording is available for viewing at this link: https://theprinzlawoffice.vhx.tv/products/best-practices-for-negotiating-msas.

Silicon Valley Tech Transactions Lawyer Kristie Prinz to Speak on “Best Practices for Drafting Master Services Agreements & Managing the Service Relationship”

Friday, March 8th, 2019

Silicon Valley Tech Transactions Lawyer Kristie Prinz will be presenting a webinar on “Drafting Master Service Agreements & Managing the Service Relationship” on Friday, March 8, 2019 at 10 a.m. PST/1 p.m. PST. The Prinz Law Office will be sponsoring the event. To register, please sign up here: http://prinzlawstore.com/2019/01/best-practices-for-drafting-master-service-agreements-managing-the-service-relationship/

SaaS Lawyer Kristie Prinz Presented “Best Practices for Drafting SaaS Contracts & Managing SaaS Relationships”

Thursday, February 28th, 2019

SaaS Lawyer Kristie Prinz presented “Best Practices for Drafting SaaS Contracts & Managing SaaS Relationships” in February, 2019.

A copy of the video recording of the full webinar is available for viewing at this link: https://theprinzlawoffice.vhx.tv/products/negotiating-saas-contracts-feb-2019.

Silicon Valley SaaS Lawyer Kristie Prinz to Present Webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships”

Tuesday, February 19th, 2019

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships” on February 19th from 10-11 a.m. PST. The program will be sponsored by The Prinz Law Office and is intended for lawyers as well as businesspeople. To register, please sign up at: http://prinzlawstore.com/2019/01/drafting-saas-contracts-managing-saas-customer-relationships/.

Silicon Valley SaaS Lawyer Kristie Prinz to Present Webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests”

Friday, February 8th, 2019

Silicon Valley SaaS Lawyer Kristie Prinz will present a webinar on “Negotiating SaaS Agreements: Drafting Key Contract Provisions, Protecting Customer and Vendor Interests” on February 8, 2019 at 10:00 a.m. PST/1 p.m. EST.  The program will be sponsored by Virginia-based Clear Law Institute, which is making available a 35% discount off the registration fee if you use the discount code KPrinz148075.  To register, please sign up here:   https://clearlawinstitute.com/shop/webinars/negotiating-saas-agreements-drafting-key-contract-provisions-protecting-customer-and-vendor-interests-020819/. 

Silicon Valley Technology Lawyer Kristie Prinz to Speak at Upcoming Webinar

Thursday, January 31st, 2019

Press Release 2.1.19

Silicon Valley Software Lawyer Kristie Prinz to Speak at Upcoming Webinar on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships”

Thursday, January 31st, 2019

Press Release Best SaaS Practices 1.31.19

Silicon Valley Software & Technology Lawyer Kristie Prinz to Speak at Upcoming Webinar on “Negotiating SaaS Agreements”

Thursday, January 31st, 2019

Press Release 1.31.19

Silicon Valley Tech Transactions Lawyer Kristie Prinz to Speak on “Drafting Master Service Agreements & Managing the Service Relationship”

Monday, January 21st, 2019

Silicon Valley Tech Transactions attorney Kristie Prinz will present a webinar on “Best Practices for Drafting Master Service Agreements & Managing the Service Relationship” on Friday, March 8th from 10 a.m to 11 a.m. PST. The Prinz Law Office will be sponsoring the event, which will be intended for lawyers as well as businesspeople. To register, please sign up at http://prinzlawstore.com/2019/01/best-practices-for-drafting-master-service-agreements-managing-the-service-relationship/.

Silicon Valley Software Lawyer Kristie Prinz to Speak on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships”

Monday, January 21st, 2019

Silicon Valley software attorney Kristie Prinz will be presenting a webinar on February 19, 2019 at 10 a.m. PST/1 p.m. PST on “Best Practices for Drafting SaaS Contracts & Managing SaaS Customer Relationships.” The program will be sponsored by The Prinz Law Office, and is intended for lawyers as well as businesspeople. To register to attend the program, please sign up at http://prinzlawstore.com/2019/01/drafting-saas-contracts-managing-saas-customer-relationships/.

Prinz Law Founder Kristie Prinz Joins Privacy Experts in Urging California to Make Serious Revisions to the California Consumer Privacy Act (“CCPA”)

Friday, January 18th, 2019

I was pleased to join Santa Clara Law School Professor Eric Goldman and other privacy experts in urging California to make revisions to the California Consumer Privacy Act (“CCPA”):

https://blog.ericgoldman.org/archives/2019/01/41-california-privacy-experts-urge-major-changes-to-the-california-consumer-privacy-act.htm

The Prinz Law Office Announces Opening of New Palo Alto Office

Monday, January 14th, 2019

Press Release 1.14.19

The Prinz Law Office Announces Opening of Palo Alto Location

Monday, January 14th, 2019

The Prinz Law Office is pleased to announce the opening of its new Palo Alto office. To read the press release announcing the opening, please click on the link: Press Release 1.14.19.

The Anticipated Impact of The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”)

Friday, January 11th, 2019

Legal commentators have been raising alarms about the significant potential impact of The Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) since the legislation was signed into law in August 2018. In case you are unfamiliar with FIRRMA, the legislation dramatically expanded the powers of the Committee on Foreign Investment in the United States (“CFIUS”) to conduct national security reviews of business deals, which could have significant implications for the business community’s ability to close business transactions. The U.S. Treasury has developed a website that highlights for the public key points about FIRRMA and this review process. In particular, FIRRMA now expands CFIUS review powers to include the following types of business deals:
  • A purchase, lease, or concession by or to a foreign person of real estate located in proximity to sensitive government facilities.
  • “Other Investments” by a foreign person in any unaffiliated U.S. business that owns, operates, manufactures, supplies, or services critical infrastructure; produces, designs, tests, manufactures, fabricates, or develops one or more critical technologies; or maintains or collects sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Other investments” is defined to mean an investment that affords a foreign person access to material, nonpublic technical information in possession of the U.S. business, membership or observer rights on the board of directors or equivalent governing body of the U.S. business, or the right to nominate an individual to a position on the board of directors or equivalent voting body, or any involvement other than the voting of shares in the substantive decisionmaking of the U.S. business; the use, development, acquisition, safekeeping, or release of sensitive personal data of U.S. citizens maintained or collected by the U.S. business; the use, development, acquisition or release of critical technologies; and the management, operation, manufacture, or supply of critical infrastructure.
  • Any change in rights that results in foreign control of a U.S. business or an “other investment” as defined above.
  • Any transaction, transfer, agreement, or arrangement, the structure of which is intended to evade the review of the Committee.

FIRRMA further defines “critical technologies” to include “specially designed and prepared nuclear equipment, parts and components, materials, software and technology covered by part 810 of title 10, Code of Federal Regulations (relating to assistance to foreign atomic energy activities)” as well as “emerging and foundational technologies controlled pursuant to section 1758 of the Export Control Reform Act of 2018.” While the list of what constitutes an “emerging and foundational” technology has yet to be defined, most legal commentators are expecting the list to include software that does not relate to nuclear technology, particularly in the areas of artificial intelligence, autonomous mobility, augmented virtual reality, cybersecurity, and financial technology.

So, while the legislation is new and the full scope of its application and subsequent interpretation has yet to be determined, most commentators anticipate that many software transactions involving foreign investment in a U.S. business will ultimately be deemed to be subject to the new CFIUS review powers.

What does this mean for the software and tech industry? The full impact of the law is yet to be determined and is, at the moment, more the subject of extensive speculation in the legal industry. It does mean, however, that software and tech companies could be subject to more federal compliance obligations when they are doing deals that involve foreign investment, that these compliance obligations could slow down or even derail the closing of some deals, and that some companies could potentially be subject to significant fines up to the amount of the deal if they fail to comply with their new obligations. So, it certainly means that U.S.-based software and tech companies need to be aware of FIRRMA and need to closely follow any future developments related to the law, in order to potentially comply with it on future deals.

Software Industry Warns of Fallout from Australia’s Passage of New Anti-Encryption Legislation

Wednesday, January 9th, 2019

The software industry is raising concerns about the potential consequences of Australia’s recent passage of legislation to provide law enforcement with expansive new powers to compel the disclosure of encrypted data. According to ITPro, the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” was approved by a 46-11 majority in the Australian parliament last month.

As The Verge reports, the newly passed legislation grants to law enforcement new notice powers of mandatory technical assistance and technical capability, which “require companies to give access to encrypted data if available, or to build the capacity to provide such access if they are unavailable.” Additionally, as reported by The Verge, the legislation grants a voluntary technical assistance request power “that does not have to be publicly reported.” According to The Verge, the fine for noncompliance can be up to $10 million AUD (approximately $7.2 million USD). The Verge reports that the new law also uniquely enables the Australian government to approach individuals such as key employees in order to compel their cooperation, rather than limiting the enforcement powers to compelling cooperation by institutions. An individual’s failure to cooperate could result in a prison sentence.

As Wired has reported, the legislation has been strongly opposed by the tech industry on the grounds that “if Australia compels a company to weaken its product security for law enforcement, that backdoor will exist universally, vulnerable to exploitation by criminals and governments far beyond Australia.” Also, as Wired has noted, any company that complies with Australia’s law is likely to then be required to provide the same access to another country. Fortune suggests that the legislation is particularly intended to target WhatsApp and Signal.

According to The Verge, Apple’s position on the legislation has been that “encryption is actually a defense against cyberattacks and terrorism” and that “more of it is needed to make citizens safe, not less.” Apple took its concerns directly to the Australian parliament, according to Threatpost, which has posted a letter reportedly submitted by Apple to parliament. Threatpost also reports that Cisco and Mozilla have been vocal in their opposition to the legislation. Commentator and human rights lawyer Lizzie O’Shea also observes to The Verge that “once these [backdoor] tools exist, then it would be easy for Australian authorities to share them with their counterparts in allied nations,” particularly since Australia is part of the Five Eyes intelligence sharing agreement in which Great Britain, Canada, New Zealand and the United States also participate.

The Australian government’s position, according to The Verge, is that the powers are necessary to defend citizens against terrorism and crime and that the powers will not introduce a “systemic weakness” into the technology. However, a prevailing criticism has been that “systemic weakness” is not actually defined by the legislation. Fortune reports that the Australian Labor Party is already seeking to amend the legislation, particularly to define “systemic weakness.” Clearly, Australia’s new legislation has the potential to have a far-reaching impact on software companies and individuals working in the software industry.

News Update on Australia’s Anti-Encryption Law

Tuesday, January 8th, 2019

News Update 1.8.19

