CSO

Unless you have been on an extended vacation, you likely know the Massachusetts Data Security Law (Standards for the Protection of Personal Information of Residents of the Commonwealth) goes into effect in less than a month on March 1, 2010. You may also know that preexisting, legacy vendor agreements are being grand fathered in, with compliance being deferred until March 1, 2012. It is with regard to those legacy contracts that I suggest businesses start work now. While two years seems like a long time, those two years can quickly run out when you are trying to address potentially dozens, even hundreds, of legacy agreements.

The threat of businesses becoming inadvertently bound by shrink-wrap and click-wrap agreements became even more significant when a federal court last year found that a company was bound by unfavorable terms in a click-wrap license agreement, even though an employee of the software vendor installed the software and click-accepted the license agreement. (Via Viente Taiwan LP v. United Parcel Service Inc., E.D. Tex., No. 08-301, 2/17/09). In that case, the court ruled the forum selection clause in the license agreement was enforceable, and the customer-licensee was required to litigate in the vendor’s preferred location of Atlanta, rather than Texas, where the customer brought the suit.

We have all seen them, confidentiality provisions that require a party “to treat Confidential Information as strictly confidential and to use the same care to prevent disclosure of such information as the party uses with respect to its own most confidential or proprietary information, but in no event less than a reasonable degree of care.” Similarly, we have seen warranties that require a party to protect personally identifiable information in accordance with all applicable laws and regulations. In some cases, the warranty may also be tied to “best industry practices.”

New FTC guidelines (http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf) that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.

What jobs are we talking about? Yours. That is, the trend in cloud computing continues, in general, to be service offerings provided under some of the most minimal service level protections ever seen. When those meager service levels are further diluted by numerous exceptions to and qualifications on performance and, in many cases, unlimited downtime for “scheduled maintenance” (i.e., as long as the vendor gives you a heads up, it can take the service down for as long as it wants without fear of a service level failure), you have a service that is being provided on more or less an as-is basis. While this approach may actually be considered in non-critical, low-risk engagements, it can be a “job-coster” for the business person who accepts these risks in the context of critical, high value engagements.

The Supreme Court has agreed to consider a case that may have wide-ranging implications. The case involves text messages sent by police officers in Ontario California. The electronic devices used to transmit the texts were supplied by the police department and the department had a written policy making clear officers had no expectation of privacy in their messages. The rub occurred when the department informally permitted officers to use the devices for personal messages and to pay the overage charges associated with those messages. The department’s conduct, it is alleged, led to an informal policy that personal messages would be considered private. The officers allege this conduct gave rise to an expectation of privacy that overrode the department’s formal written policy, which disclaimed any such expectation of privacy.

There has always been a concern about jurors improperly communicating information about their cases. It has been the standard practice in trial courts for judges to admonish jurors about making any communications concerning the case until after the trial is completed. Unfortunately, ready access to cell phones, particularly smart phones, is rapidly undermining this fundamental precept of our judicial system. Jurors are using their phones to communicate information about the case to friends, family, and other third parties. They are also using Web access on their phones to improperly research matters relating to the trial (e.g., Googling the parties, researching alternate theories, etc.). All of these actions are strictly forbidden by the courts.

The recent outage and potential irretrievable data loss in Microsoft’s Sidekick services highlights one of the fundamental flaws in much of what today is known as cloud computing. That is, not only is there the possibility of one’s data being inaccessible due to a service outage, but there is the very real possibility that data may be lost forever because of a failure of the service provider to adequately backup its systems. Ordinarily, these types of risks are easily mitigated by the inclusion of strict protections in your contract with the service provider ensuring data will be available when needed and backed-up to protect against catastrophic failures.

California recently joined approximately thirty other states in deciding to amend its Code of Civil Procedure to more directly address electronic evidence.