<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Baer Business Law - Greater Philadelphia Area - Intellectual Property Law - Business Law - E Commerce - Contracts - Trademarks - Copyrights &#187; data security</title>
	<atom:link href="http://www.baerbizlaw.com/category/blog/tag/data-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.baerbizlaw.com/category/blog</link>
	<description></description>
	<lastBuildDate>Sun, 29 Aug 2010 19:49:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>FTC Data Breach Action Against Twitter Settled</title>
		<link>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/#comments</comments>
		<pubDate>Fri, 25 Jun 2010 18:42:29 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=1024</guid>
		<description><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax informati[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information.  The compromised information included e-mail addresses and tweets meant for individual recipients and followers only.  Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.  </p>
<p>The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC&#8217;s press release, which you can find <a href="http://www.ftc.gov/opa/2010/06/twitter.shtm">here</a>.  The data breaches stemmed from two incidents.  In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site&#8217;s main login page.  Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others.  In the second incident, an intruder hacked a Twitter employee&#8217;s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain-text.  Twitter&#8217;s privacy policy at the relevant times used common boilerplate to describe its data security procedures:   </p>
<p><em><strong>“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”</strong></em></p>
<p>It is important to note that Twitter never guaranteed the security of its site.  Indeed, tech lawyers like myself routinely warn clients against calling their sites &#8220;secure&#8221; and making similar unqualified assurances.  A cynic might remark that &#8220;weasel language&#8221; like Twitter&#8217;s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.  </p>
<p>The FTC&#8217;s explanation of the charges against Twitter crystallizes its thinking and underlines the agency&#8217;s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:  </p>
<p><strong><em>“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.</em>”</strong></p>
<p>There seems to be little question here that Twitter screwed up.  The FTC&#8217;s complaint recites a litany of data security lapses that have been no-no&#8217;s for at least three or four years in the wake of the <a href="http://www.baerbizlaw.com/category/blog/?s=TJX&#038;submit=submit">FTC&#8217;s prosecution of TJX</a> for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS).  These no-no&#8217;s include Twitter&#8217;s failure to:</p>
<ul>
<li>require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;</li>
<li>prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;</li>
<li>suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;</li>
<li>provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;</li>
<li>enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;</li>
<li>restrict access to administrative controls to employees whose jobs required it; and</li>
<li>impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.</li>
</ul>
<p>Again, it&#8217;s hard to argue Twitter didn&#8217;t screw up.  However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy.  In other words, saying that there are risks beyond your control no longer provides a get out of jail free card.  Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered.  Now, however, there is an absolute minimum standard of data security:  according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is <em>inherently</em> misleading and deceptive.  Furthermore, FTC scrutiny is no longer confined to privacy policies and &#8220;advertising&#8221; or &#8220;marketing&#8221; messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.  </p>
<p>Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year.  The FTC and Twitter, in other words, will be best buddies for years to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ftc-data-breach-action-against-twitter-settled/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>National Online Privacy and Data Security Bill Coming?</title>
		<link>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/</link>
		<comments>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 17:04:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[advertising law]]></category>
		<category><![CDATA[behavioral advertising]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=971</guid>
		<description><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>From a business standpoint, the state of privacy and security law in America today is a real mess, because there is no one-stop shopping.  Businesses collecting information online have to worry about a kaleidoscope of legislative and regulatory requirements on both the state and federal levels.  </p>
<p>You&#8217;ve met the <em>dramatis personae</em> on this blog over the past year or so:  the Federal Trade Commission, which issued a <a href="http://www.baerbizlaw.com/ftc-privacy-050409/">staff report in February 2009 containing &#8220;self-regulatory&#8221; guidelines for online behavioral advertising</a> and now is panting to go further; the State of California, one of several that requires the posting of a website privacy policy and use of data security safeguards, including vendor oversight; the State of Nevada, which requires the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">encryption of personal information</a>; and the Commonwealth of Massachusetts, source of <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">the most comprehensive information security regulation in the nation</a> (201 CMR 17.00, which went into effect on March 1, 2010).</p>
<p>The patchwork is so befuddling that a reporter once barked at me in frustration:  &#8220;You mean a business has to hire someone like <em>you</em> to keep track of all of this?&#8221;  No offense meant, of course.  None taken, I replied, but the answer was yes.  In an indirect way, the FTC funds my Philly Beer Week expenditures.</p>
<p>Now the federal bear is beginning to growl.  After reading the draft legislation unveiled by U.S. Representatives (D-VA) and Cliff Stearns (R-FL) on May 4 &#8212; which has attracted <a href="http://www.the-dma.org/cgi/dispannouncements?article=1448">strong comments by the Direct Marketing Association</a>, along with <a href="http://techliberation.com/2010/05/04/statement-on-house-privacy-discussion-draft">criticism from the Technology Liberation Front</a> and others &#8212; I&#8217;m trying to decide whether things just got better or worse for my clients.  Actually, scratch that.  This bill needs to be rewritten, since it takes a top-down, process-heavy Gramm-Leach-Bliley type of approach and tries to plaster it onto the vast domain of cyberspace.  (The Gramm-Leach-Bliley Act is the seminal 1999 financial privacy bill that requires financial institutions to provide initial and annual privacy notices to their customers and a way for them to opt out of having their personal information shared with unaffiliated marketers.  No doubt you read every line of the GLBA privacy notice your bank sends you every year.  Anyway, there is a real strong musty whiff of GLBA in the Boucher-Stearns draft.)<br />
<div id="attachment_1018" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2010/06/Dan-Baird-300x205.jpg" alt="Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.   (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). " title="Dan Baird" width="300" height="205" class="size-medium wp-image-1018" /><p class="wp-caption-text">Cowpunk pioneer Dan Baird exercises his right to opt out of data-sharing.    (Actually, this is from his 1991 album Love Songs for the Hearing Impaired). </p></div><br />
<strong>Preemption</strong></p>
<p>On the plus side, the draft legislation would set a single national online privacy and data security standard that preempts (supersedes) state privacy and data security laws &#8212; one-stop shopping, unless you&#8217;re unfortunate enough to also be covered by GLBA, HIPAA, the CAN-SPAM Act or the Children&#8217;s Online Privacy Protection Act, in which case it&#8217;s unclear how the inconsistencies with the draft legislation would be resolved.  </p>
<p><strong>Data Security</strong></p>
<p>The data security requirements generally follow those in the FTC Safeguards Rule promulgated under GLBA and are flexible and risk-based (appropriate administrative, technical and physical safeguards, as determined by the FTC, for protecting the security, confidentiality and integrity of covered information and preventing unauthorized loss, destruction, disclosure or misuse) as opposed to the one-size-fits-all prescriptive approach used by the encryption-happy legislature in Nevada.  There is no notification requirement in the event of a data breach, although the safeguards must be sufficient to determine the scope of the breach and remediate its effects.  The data security provision of the draft bill also contains a rather bizarre clause that, without any further explanation, requires a covered entity to establish reasonable measures to &#8220;assure the accuracy&#8221; of the information it collects.  </p>
<p>Here&#8217;s the kicker, though: the Boucher-Stearns draft <strong><em>does not track state data security laws like Massachusetts&#8217; in limiting its coverage to first and last name (or first initial and last name) combined with financial account number or government-issued identification number (e.g., Social Security number or driver&#8217;s license number)</em></strong>.  <strong><em>In fact, &#8220;covered information&#8221; as defined in the bill includes name, address or contact information.</em></strong>  Practically speaking, then, this represents a potentially onerous expansion of existing data security regulation, even though the security requirements themselves resemble existing rules.</p>
<p><strong>What information is &#8220;covered&#8221; by the bill?</strong></p>
<p>Covered information includes <strong>any</strong> of the following:  first name or initial together with last name; postal address; phone or fax number; e-mail address; unique biometric data; government-issued identification number; financial account number and any code or password necessary to permit access to the account; unique identifier (such as an IP address or customer number) if used to collect, store, or identify information about a specific individual or a computer, device or software application owned or used by a particular user or that is otherwise associated with a particular user; and &#8220;preference profile&#8221; (defined as &#8220;a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity&#8221;).</p>
<p>The draft bill therefore abandons the current regulatory focus on &#8220;personal&#8221; or &#8220;personally identifiable&#8221; information in favor of the FTC position that any data that is linkable to a specific web user or device requires protection.  </p>
<p><strong>Privacy:  And Now for Something Completely Different</strong></p>
<p>The privacy requirements of the draft legislation would drastically reshape the state of the world.  Here&#8217;s a high-level overview:</p>
<p>The bill would generally preserve the current practice of providing notice of a site&#8217;s privacy practices and an ability to opt out prior to any collection, use or sharing of information online BUT would require affirmative express consent (that is, an opt-in) before covered information could be shared with unaffiliated third parties.  These requirements would not apply to information collection, use and sharing for transactional or operational purposes (i.e., as necessary to effectuate a transaction between the site and an individual).  Sharing of information with a service provider which assists the site to effectuate a &#8220;first-party transaction&#8221; with the individual is also permitted, subject to an opt-out consent requirement.  Finally, the bill includes a behavioral advertising exception whereby information could be shared with online advertising networks without opt-in consent, but subject to certain notice and opt-out requirements, such as the prominent display of a notice or seal on the covered entity&#8217;s website and on or near targeted advertisements, along with a link to information about behavioral advertising and how consumers can opt out. </p>
<p>For the required &#8220;notice,&#8221; every site that collects covered information would need to post clearly and conspicuously (and make accessible via a link on its home page) a privacy policy containing the mandatory disclosures.  (The draft bill also contains privacy notice requirements for covered information collected offline, so if it is passed, businesses should consider adopting an integrated, holistic privacy policy covering all aspects of their operations.)  Some of these disclosures are already standard practice, such as a description of the information collected, purposes for collecting and using the information, how the information is collected, categories of third parties with which the information may be shared, and how individuals may obtain access to their information.  Other disclosure requirements break new ground, such as:</p>
<ul>
<li>how information may be merged, linked or combined with other information from unaffiliated sources</li>
<li>how information is stored by the entity</li>
<li>how long the information is retained in identifiable form</li>
<li>how the entity disposes of (or renders anonymous) covered information after the end of the retention period</li>
<li>a means to contact the entity with inquiries or complaints about the handling of covered information</li>
<li>the consent mechanism required by the bill</li>
</ul>
<p>Notably the draft legislation would codify the FTC&#8217;s <em>diktat</em> that material changes in privacy practices cannot be applied retroactively (i.e., to information collected prior to their posting), and information cannot be shared for purposes previously undisclosed that an individual would not reasonably expect, unless the entity gets the individual&#8217;s opt-in.</p>
<p>Finally, in its February 2009 staff report on behavioral advertising, the FTC posited that certain information might warrant special protection due to the increased risk of harm or embarrassment to the individual.  Sure enough, the draft legislation would also create a special category of &#8220;sensitive information&#8221; for which an opt-in is required prior to collection.   &#8220;Sensitive information&#8221; includes, when associated with covered information of an individual, information about medical history or condition; information about financial accounts; information about sexual orientation, race, ethnicity or religious beliefs; and &#8212; interestingly &#8212; &#8220;precise geolocation information.&#8221;   </p>
<p><strong>Am I Gonna Get Hit by This?</strong></p>
<p>If it passes, and if you collect covered information (which you probably do) either online or offline, then yes, unless you have a very small customer or user base or are a government agency.  Excluded from the draft legislation&#8217;s reach are government agencies and entities that collect covered information from fewer than 5,000 individuals in any 12-month period.  However, if you collect any sensitive information at all, you are covered even if your customer or user base is under 5,000.   </p>
<p><strong>Who Is Going to Come After Me If I Don&#8217;t Comply</strong>?</p>
<p>The primary enforcer would be the FTC, the big 900-pound gorilla in this draft legislation, since it would have the power to prosecute violations as unfair or deceptive acts or practices and would also acquire broad rulemaking authority to regulate online privacy and data security (although the draft bill prohibits the FTC from requiring specific technologies or software).  Based on the FTC&#8217;s activity to date in these areas, the agency would not be shy about using this power.  State attorneys general and consumer protection agencies could also enforce the law.  Private actors, however, have no right of action.  </p>
<p>Undoubtedly the Boucher-Stearns draft legislation will be heavily changed before it is passed, if it is even passed.  Significant problem areas, as pointed out by the DMA and other commenters, are the expansive definition of covered information (which would lump mere name and contact information into the same protected category as Social Security numbers) and the requirement of an opt-in to share covered information with unaffiliated marketers.  This regime is even more restrictive than GLBA and is a huge departure from how business is currently conducted on the Internet.  If the bill passes in anything resembling its current form, expect to be bathed in disclosure and to paddle through a profusion of annoying click-throughs. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/national-online-privacy-and-data-security-bill-coming/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tech Chestnuts for the Winter Chill</title>
		<link>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/</link>
		<comments>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/#comments</comments>
		<pubDate>Sat, 12 Dec 2009 23:52:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[green technology]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[online privacy]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=619</guid>
		<description><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>The Big Freeze has descended on Old City, Philadelphia, but come and warm yourself by the tech hearth &#8212; Santa&#8217;s got a few juicy tidbits in his bag:<br />
<div id="attachment_641" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/carpenters-hall-300x225.jpg" alt="Carpenters Hall at Yuletide" title="carpenters hall" width="300" height="225" class="size-medium wp-image-641" /><p class="wp-caption-text">Carpenters Hall at Yuletide</p></div><br />
1.  <strong>Green Patents.</strong>  In conjunction with the Copenhagen climate summit, the U.S. Patent and Trademark Office announced on December 8 a pilot program to accelerate the examination of patent applications for green technology.  Normally, except where other circumstances exist favoring accelerated review, patents are examined on a first-come, first-served basis.  The first 3,000 eligible patent applicants who file a &#8220;petition to make special&#8221; their applications will get to jump to the front of the line.  </p>
<p>According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average.  The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent.  Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions.  You can download detailed eligibility and petition requirements on the PTO website <a href="http://www.uspto.gov/patents/law/notices/2009.jsp">here</a>.  </p>
<p>2.  <strong>Online Privacy and Behavioral Advertising.</strong>  Check out Yahoo!&#8217;s new <a href="http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/details.html">Ad Interest Manager</a>, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes.  The new site feature was unveiled with great fanfare on December 7, which &#8212; coincidentally? &#8212; was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.  </p>
<p>Yahoo! may be ahead of the curve.  The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the <a href="http://www.baerbizlaw.com/category/blog/ftc-mandates-self-regulation-for-online-behavioral-advertising">behavioral advertising self-regulatory guidelines</a> issued by the FTC in February 2009).  More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way.  Of course, this is <a href="http://www.baerbizlaw.com/blog/ftc-busts-sears-in-behavioral-tracking-case">exactly what I predicted last summer</a>.</p>
<p>I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process.  I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data).  However, as a matter of personal opinion I tend to fall into the &#8220;what privacy?&#8221; camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.  </p>
<p>3.  <strong>Workplace Internet Privacy Before the NJ Supreme Court.</strong>  <em>Stengart v. Loving Care Agency, Inc.</em>, a New Jersey appellate court case I <a href="http://www.baerbizlaw.com/category/blog/employee-online-privacy-ii-still-no-biggie">blogged about this past summer</a>, was argued before the New Jersey Supreme Court on December 2.  The issue in <em>Stengart</em> is whether an employee&#8217;s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer.  (The defendants&#8217; counsel found the e-mails when imaging the computer&#8217;s hard drive during discovery.)  The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.  </p>
<p>The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers&#8217; previously untrammeled ability to regulate the use of their IT resources.  </p>
<p>A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege.  Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer&#8217;s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.  </p>
<p>The big question, then, is how broad or narrow the ruling will be.  Was this a badly drafted policy that on its terms shouldn&#8217;t be construed to apply to such personal communications?  Or going forward do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts?  Or (most radical) will an employer&#8217;s &#8220;unilateral&#8221; reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications &#8212; such as e-mails to a &#8220;spouse, a physician or a cleric&#8221;?   (The possibility of such employer monitoring appeared to disconcert Justice Albin.)  If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.<br />
<img src="http://www.baerbizlaw.com/wp-content/uploads/2009/12/tree-with-seasonal-colors-225x300.jpg" alt="Colors of the season" title="Colors of the season" width="225" height="300" class="alignright size-medium wp-image-644" /><br />
4.  <strong>Data Breach Dixie-Style.</strong>  Several restaurants in Louisiana and Mississippi, including the rustically named Mel&#8217;s Grill, Sammy&#8217;s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely.  The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems).  The plaintiffs also alleged that Radiant had, in fact, been warned by Visa about the vulnerability of the POS system in 2007.  </p>
<p>The negligence claims are significant because of the plaintiffs&#8217; attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants&#8217; behavior was negligent.  However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer&#8217;s recoverable damages to direct damages no greater than the fees paid for the defective product or service.</p>
<p>However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information.  The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance.  The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance.  (Many vendors/service providers will scream at this, protesting that their prices don&#8217;t reflect assumption of these risks.  The proper response to this is &#8220;why not?&#8221;, especially if a vendor/service provider hypes itself as being PCI-certified.)   </p>
<p>Of course, don&#8217;t place absolute trust in having a strong contract; make sure you do your due diligence too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/tech-chestnuts-for-the-winter-chill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>MA Data Security Regulation Finalized &#8212; Finally!</title>
		<link>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/</link>
		<comments>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 20:36:54 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=541</guid>
		<description><![CDATA[<p>Last week the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) submitted the final version of 201 CMR 17.00, the most comprehe[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Last week the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) submitted the final version of 201 CMR 17.00, the most comprehensive state data security law, which requires businesses that own or license personal information about Massachusetts residents to implement a written information security program with administrative, physical and technical safeguards, to ensure through due diligence and written contracts that third-party service providers obtaining personal information maintain appropriate security measures, and to encrypt personal information stored on portable devices or transmitted wirelessly or over the Internet.  </p>
<p>To revisit briefly the tortured history of this regulation, the original version was highly prescriptive and mandated specific technological protections (such as 128-bit encryption) regardless of the size, nature and scope of the business and the risks involved.  After wailing and lamentations from business groups, a near-final regulation (<a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux">discussed in depth in this blog</a>) was issued in August 2009 and shifted the regulatory standard to a more flexible, risk-based, technology-neutral approach.  The final revisions were issued after a September 22 hearing, based on which the OCABR concluded that it had finally gotten it right.  </p>
<p>The revisions are minimal and deal mostly with the compliance deadline for binding third-party service providers by contract.  The final regulation makes it clear that existing contracts signed on or before March 1, 2010 do not have to contain the magic language requiring service providers to maintain appropriate security measures to protect personal information.  However, this carve-out does not apply as of March 1, 2012; on that date, ALL contracts must be compliant.  </p>
<p>Now that those damned Yankees have won the World Series, if you&#8217;re yearning to read the final regulation, you can get it <a href="http://www.mass.gov/?pageID=ochahomepage&#038;L=1&#038;sid=Eoca&#038;L0=Home">here</a>.   </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/ma-data-security-regulation-finalized-finally/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Security: Don&#8217;t Fall Behind the State of the Art</title>
		<link>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/</link>
		<comments>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 18:11:05 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=517</guid>
		<description><![CDATA[<p>With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit y[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I&#8217;m going to eschew the normal in-depth commentary and hit you with a few quick odds and ends and practical lessons from the world of data security.</p>
<p>Data breaches impose huge costs on businesses in terms of investigation, remediation, fraud losses, notification of affected individuals, replacement of accounts and reputational and customer-relations damage.  Given the resources and sophistication of foreign criminal syndicates and other fraudsters, some data breaches are probably unavoidable.  However, in the unfortunate event of a breach, you do not want to be seen as having fallen too far behind the state of the art in information security protection, or you could face statutory or regulatory fines and negligence liability.  The FTC busted TJX, which ended up under an FTC consent order and paying millions of dollars to settle with state attorneys general, because, among other things, it used WEP, an outdated wireless encryption standard whose keys an attacker can recover in minutes (PCI DSS itself barred new WEP deployments after March 31, 2009 and requires WEP to be removed entirely by June 30, 2010).  <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law">As previously described in this blog</a>, Nevada&#8217;s data security law, Senate Bill 227 (which is potentially applicable to any business with Nevada customers), requires personal information on data storage devices moved outside a business&#8217;s physical or logical controls, or transmitted outside its secure systems, to be encrypted using technology approved by an &#8220;established standards setting body.&#8221;  </p>
<p>And now, in the case of <em>Shames-Yeakel v. Citizens Financial Bank</em>, No. 07-C-5387 (N.D. Ill. Aug. 21, 2009), a federal district court in Illinois has denied Citizens Bank&#8217;s motion for summary judgment dismissing a data breach-related negligence claim where the bank allegedly had not moved promptly enough to implement multifactor authentication (i.e., a second factor beyond name and password, such as a hardware token or a one-time code delivered to a separate device; note that &#8220;personal questions,&#8221; though often marketed as a second factor, are just another something-you-know factor and a weak substitute for one) to secure sensitive Internet transactions.  (The Federal Financial Institutions Examination Council&#8217;s 2005 guidance on authentication in an Internet banking environment had criticized single-factor authentication, i.e., name and password alone, as inadequate for high-risk transactions.)  </p>
<p>There is a dialectic going on here:  legislatures, regulators and courts are wary of imposing compliance requirements involving huge costs for new IT infrastructure at a time when the national unemployment rate is 9.8%.  At the same time, given the mounting economic costs of data breaches, the public outcry over identity theft, and the connection between identity theft, organized crime and terrorism, legal and regulatory scrutiny of data security protections is increasing and will continue to do so.  This dialectic was evident <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux">in Massachusetts this past August</a>, when, at the urging of business groups, 201 CMR § 17.00, a highly prescriptive, technology-specific data security regulation that would have gone into effect in January 2010 (and would have required data in motion or stored on portable devices to be encrypted using 128-bit technology) was thoroughly revised to be risk-based and technology-neutral and to take into account the size, scope and type of business, the amount of resources available to the business, etc.</p>
<p>Don&#8217;t be an outlier.  Learn what the state of the art is (the supporting and ancillary documents for the Payment Card Industry Data Security Standard are particularly useful here) and try to be in the general vicinity.  If it&#8217;s too expensive, think about outsourcing the hosting or processing of personal information (but make sure you have done due diligence on the vendor and have a protective contract with them, as required by PCI DSS, HIPAA, federal banking regulations and state data security laws) or whether you even need to hold personal information in the first place.  Amid the carnage and emotional trauma of a data breach, there&#8217;s no need to add legal fees, regulatory fines and tort damages to the heap of misery.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/data-security-dont-fall-behind-the-state-of-the-art/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BBL&#8217;s New Offices and SF Data Security Recap</title>
		<link>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/</link>
		<comments>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 14:01:57 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[California privacy]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[Massachusetts]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=463</guid>
		<description><![CDATA[<p>Sorry for the hiatus, but I&#8217;ve moved to new offices in Old City, Philadelphia.  Baer Business Law is now located at 325 Chestnut Street, Suite 4[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Sorry for the hiatus, but I&#8217;ve moved to new offices in Old City, Philadelphia.  Baer Business Law is now located at 325 Chestnut Street, Suite 403, in the heart of the vibrant restaurant and historical district (three blocks from Independence Hall, and need I even mention Buddakan, Paradigm, Cuba Libre, the Continental, City Tavern, etc., etc.?)  You can look forward to a whole slew of new happy hour recommendations in Old City and the Northern Liberties coming soon on this blog.<br />
<div id="attachment_466" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/09/BBL-offices1-300x225.jpg" alt="Our new offices in Old City" title="BBL offices" width="300" height="225" class="size-medium wp-image-466" /><p class="wp-caption-text">Our new offices in Old City</p></div><br />
In other news, I just got back from San Francisco, where I spoke at a Tech Target conference about recent developments in data security law.  Among the highlights were tidbits already discussed on this blog, such as the <a href="http://www.baerbizlaw.com/category/blog/hold-the-phone-on-that-nevada-data-security-law/">new Nevada statute (Senate Bill 227)</a> requiring encryption and PCI DSS compliance and <a href="http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/">Massachusetts&#8217; recent move to make 201 CMR 17.00 more risk-based and technology neutral</a>.  Also on the agenda was California Senate Bill 20, which sets forth content requirements for data breach notices and is currently awaiting the Governator&#8217;s signature.  Finally, I gave an overview of the two pieces of federal data security legislation (H.R. 2221 and S. 1490) currently dawdling in Congress while our esteemed representatives work on a little matter called health care.   </p>
<p>My biggest challenge in putting the presentation together was to connect all of these dots into some type of coherent pattern.  At the beginning of the summer, it looked like we were moving to a much more &#8220;prescriptive,&#8221; technology-specific, top-down style of data security regulation in the former Massachusetts mold (rigorous computer system security and personnel access control requirements for all businesses owning or licensing personal information, 128-bit encryption, etc.).  Then Massachusetts did an about-face, and other states failed to follow the Nevada and Massachusetts model of requiring encryption for personal information transmitted over open networks or stored on portable devices.  </p>
<p>The two federal data security bills would set a national data breach standard and national standards for implementing data security safeguards, but are largely technology-neutral (Congressman Bobby Rush&#8217;s H.R. 2221 even goes so far as to prohibit the FTC from setting specific technological requirements!).  At the end of the day, I told my largely California-based audience that their state data security statute (the original data breach notice legislation combined with a requirement to use reasonable data security safeguards appropriate to the nature of the data) would likely be the paradigm for national and other state data security legislation.  California is the trend-setter for insanity in many areas of the law, but its regime seems relatively sane when compared, for example, with the earlier, anal-retentive version of Massachusetts&#8217; 201 CMR 17.00.  </p>
<p>While the breeze in San Francisco Bay was lovely, it&#8217;s good to be back in the City of Brotherly Love, and in new digs, too.  More to come.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/new-offices-and-sf-data-security-recap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Legal Services You REALLY Need to Launch Your New Website</title>
		<link>http://www.baerbizlaw.com/category/blog/what-you-need/</link>
		<comments>http://www.baerbizlaw.com/category/blog/what-you-need/#comments</comments>
		<pubDate>Sun, 06 Sep 2009 15:46:00 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[patent]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[startup]]></category>
		<category><![CDATA[trademarks]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=435</guid>
		<description><![CDATA[<p>I was going to blog about the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html">new data breach notification regulations</a> issued by the Department of Health and Human Services under the HIPAA law, but [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/what-you-need/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>I was going to blog about the <a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html">new data breach notification regulations</a> issued by the Department of Health and Human Services under the HIPAA law, but it&#8217;s Sunday on Labor Day weekend and the sunlight is warm and the air golden here in elysian Center City, Philadelphia.  If you really want to read about the new regs, click on the link above.  I&#8217;ll also do a post discussing them the next time it rains.<br />
<div id="attachment_445" class="wp-caption alignleft" style="width: 310px"><img src="http://www.baerbizlaw.com/wp-content/uploads/2009/09/old-city-300x225.jpg" alt="A radiant weekend in the Old City" title="old-city" width="300" height="225" class="size-medium wp-image-445" /><p class="wp-caption-text">A radiant weekend in the Old City</p></div><br />
In any case, since I&#8217;ve written a lot of data security posts recently, thanks in no small part to the busy bees in Massachusetts, Nevada and California, let&#8217;s turn to something infinitely more fun:  starting your new web business.  All intellectual property and startup lawyers, myself included, have a neat dog-and-pony show we trot out for creative economy types, discussing in a tone laden with portent the dozen or so top corporate and IP complexities involved in web startups.  These presentations are crystallized, meticulous and impeccable.  But what if it&#8217;s just you or you and your spouse (no other partners), you&#8217;re starting the business out of your house, you don&#8217;t expect investors to pump in funds for some time, and you don&#8217;t have $20,000 to spend on attorney fees?   What do you <em>REALLY</em> need to protect yourself right out of the gate?  In other words, what needs to be done before or shortly after launch, and what can wait for a few months?</p>
<p>1.  <strong>Entity Formation.</strong>  Choice of entity is key. Find some sort of limited liability structure that gives you pass-through federal tax treatment (i.e., the entity&#8217;s income passes through to your personal tax return rather than being separately and duplicatively taxed).  Either an LLC or an S Corp. would qualify.  And don&#8217;t think you have to incorporate in Delaware.  Pennsylvania has made a conscious effort to compete with Delaware for incorporations, and it&#8217;s really cheap and easy to form and maintain an entity here.  The Pennsylvania Department of State Corporation Bureau has a <a href="http://www.paopen4business.state.pa.us/portal/server.pt/community/pa_open_for_business/7176">website</a> which allows you to check the availability of your desired business name and obtain the forms needed to start the business.  It costs $125 to form an LLC or corporation in Pennsylvania.  Personally, due to the minimal registration fees, taxes and paperwork involved, I like the Pennsylvania LLC, assuming the business is headquartered here.  </p>
<p>If you have or expect to admit partners into the business, you should have an LLC operating agreement addressing such issues as voting rights, management responsibilities, transferability of membership interests, allocation of income and losses, etc., but if it&#8217;s just you in the business for the time being, this is not critical.  The bottom line is that for a small, relatively simple web startup, entity formation issues shouldn&#8217;t cost thousands of dollars in legal fees.</p>
<p>2.  <strong>Trademarks.</strong>  You or your attorney should do a quick trademark search in the searchable database on the U.S. Patent and Trademark Office website (go to <a href="http://www.uspto.gov">www.uspto.gov</a> and click on &#8220;Trademarks&#8221;) for the name of your business or website and any prominent catchphrase or slogan you plan to use on the site.  What you are looking for are trademarks or applications for trademarks that are the same or similar to your mark and are used (or applied for) in connection with similar goods or services.  This is a rough approximation of the legal standard for infringement of trademark rights (&#8220;likelihood of confusion&#8221; between two marks based on the two key factors cited above, as well as other factors like similarity of commercial impression, sophistication of target consumers, overlap of channels of trade, etc.).  You should also run Google searches to identify similar terms and business names, since it is possible for another business to have &#8220;common law&#8221; trademark rights in a mark even if it isn&#8217;t federally registered.  </p>
<p>The point of this exercise is to gain some comfort that you won&#8217;t be infringing someone else&#8217;s trademark, in which case you could be liable for damages (possibly treble damages and attorney&#8217;s fees for willful infringement) and would have to change your mark and/or domain name.  The searches and analysis shouldn&#8217;t use more than a few hundred dollars of attorney time, unless the searches reveal a number of potentially problematic third-party marks and you want your attorney to investigate all of them in order to refine the risk assessment.   </p>
<p>If a lot of money was being invested to develop a brand, you would want to perform a more rigorous (and expensive) search that would cover state trademark, business name and fictitious name registries, as well as additional &#8220;common law&#8221; sources like databases of publications, but this can cost thousands of dollars in attorney time and third-party search agency fees.  A quick and dirty &#8220;knock-out&#8221; search of the type I have described should suffice for a small web startup without much seed capital.</p>
<p>You should also think about filing a trademark application to protect your rights in your mark against third party users, assuming that the searches of the USPTO trademark database and the Internet searches uncover no other marks that are confusingly similar, and that your mark is &#8220;distinctive,&#8221; i.e., is not a generic term for or descriptive of your goods or services.  As of September 15, it will cost $375 to file a trademark application per class of goods or services ($325 if you file electronically), and each application should cost no more than $200 of attorney or paralegal time (excluding trademark search costs), unless you are applying for a lot of different goods or services.   (To limit attorney and filing fees, talk to your attorney about what goods/services you should apply for now and what can wait.) </p>
<p>Of course, if the Trademark Office rejects your application, and you want your attorney to respond to their objections, this means more legal fees.  If the Trademark Office is objecting to the mark itself (on descriptiveness or likelihood of confusion grounds, for example), rather than to some technical aspect of your application, the fees could run an extra grand or two, since your attorney will have to perform research and prepare a short brief.  Having said that, you can always abandon the trademark application if it becomes too costly to proceed.   Also, a good trademark attorney will be able to anticipate these types of objections at the search stage, so you should ask about your chances of actually obtaining a registration before you file the application.  </p>
<p>You are not required to file a trademark application to use a trademark.  You only need to do this if it&#8217;s important to scare off (by obtaining powerful legal remedies) third parties who may want to use the same or a similar mark.  Investors will want you to register your key marks (such as your website name), but this is certainly not something that must be done prior to launch.  If you decide to wait to file a trademark application, you should still make sure you place a TM (or SM for &#8220;service mark,&#8221; if you are offering services under the mark) superscript by the first prominent use of the mark on your homepage and in any marketing materials for the site.   </p>
<p>3.  <strong>Copyrights and Copyright Licenses.</strong>  Website code, content and design are all copyrightable if they reflect a modicum of creativity and are not purely functional.  Copyright comes into existence once a creative work is written down or recorded, i.e., you do not need to have a Copyright Office registration to own a copyright.  Registration is necessary to exercise legal remedies against infringers, but again, this is something you don&#8217;t need to worry about right out of the gate.  </p>
<p>What you do need to worry about right away is making sure you have the proper rights in all code and content used for your website.  By &#8220;proper rights,&#8221; I mean owning the copyrights in materials designed or developed specifically for your site (HTML code, creative, look and feel, etc.), and suitably permissive license rights in third-party content (like clip art, stock photos and music) used on the site.  With respect to the first category, specially created materials, keep in mind that the author (i.e., the programmer, web designer or web developer) owns the copyright unless he or she transfers it to you by written assignment.  Therefore, without a signed development agreement or copyright assignment containing the necessary language, you get only a limited license to use developed materials, and the developer can do basically whatever they want with them or give them to someone else.  </p>
<p>Do NOT, therefore, have someone design or develop a website for you without some sort of written contract.  Investors will want to see that you own the copyrights in your site and have the documentation to prove it.  The last thing you want to have happen, once your site becomes a success, is some third party come out of the woodwork claiming that they are entitled to royalties or demanding a right to consent to a planned sale, modification or exploitation of the site.  An attorney can help you with this process.  A simple copyright assignment should cost you $200 or less.  </p>
<p>With respect to third-party content, make sure you read the license agreement to confirm that your planned use is within the scope of the license and there are no nasty surprises.  (Of course, to do this you first need to make sure you HAVE the license agreement.)  Don&#8217;t assume that because music or an image is lifted from a &#8220;stock&#8221; or &#8220;royalty free&#8221; source you can do whatever you want with it.  For example, some &#8220;royalty free&#8221; licenses prohibit use of the licensed image for commercial websites or in promotional materials.  You can take the first stab at looking at the agreement or agreements yourself, and bring in your attorney if you have questions.  Make sure that any web developer or designer you use understands your concern about third-party licenses, and if you have a contract with them, the designer/developer should warrant that all content is either original or comes with license rights sufficient for you to operate and use the site for its intended purposes.  </p>
<p>4.  <strong>Other Contract Issues.</strong>  Depending on how much you are willing to negotiate with your web developer or designer, you may also want to include additional safeguards in the contract such as business and functional requirements and specifications, acceptance criteria, milestones and deadlines, caps on fees, etc.  If you are on a tight time schedule, think about negotiating a holdback of 1/3 or 1/2 of total fees until the website has been completed and you have verified there are no major outstanding issues.  Again, this is not a legal requirement, just a good idea.  A simple one or two page contract (which would include an assignment of copyrights) should not cost you more than a few hundred dollars in legal fees.  </p>
<p>5.  <strong>Website Terms of Use and Privacy Policy.</strong>  If your website is in any way interactive, you should have legal terms of use and a privacy policy (indeed, the latter is required by the Federal Trade Commission and some states&#8217; privacy laws if personally identifiable information such as name, address, e-mail address, Social Security or driver&#8217;s license number, and/or credit card or other account numbers are collected on the site).  Contrary to popular opinion, not all terms of use and privacy policies are standard boilerplate.  </p>
<p>With regard to terms of use, the legal risks and issues involved in a social networking site, a financial services site or an online store for power tools are going to differ from those for a passive site where users can coo adoringly over snapshots of puppies.  In addition, a site that invites the submission of user content, such as blog posts, photos or videos, will need to have a Digital Millennium Copyright Act take-down policy to immunize the site operator from copyright infringement liability relating to content posted by third-party users.  To be truly protective, the terms of use must be tailored to these risks and issues.  Also, keep in mind that some legalese can scare website users (as Facebook learned to its chagrin earlier this year when its terms of use briefly stated that Facebook would own content that its users uploaded onto the site).   </p>
<p>As for the privacy policy, you should think beforehand about (1) what types of personally identifiable information you will collect, (2) with what types of third parties (service providers, marketing partners?) this information may be shared, (3) what types of uses you foresee making of personally identifiable information, and (4) how, if at all, cookies, pixels and flash objects will be used on the site to collect information from users and how such information will be used and shared (e.g., will the information be shared with marketers or advertising networks for behavioral advertising?)  Obviously, these decisions are partly cultural &#8212; how much comfort do you want to give your website users on privacy?  If you have thought carefully about the specifics of your privacy regime (how information will be collected, used and shared) before having a conversation with your attorney, this will reduce your legal fees.  If you plan to collect personally identifiable information from international users on your site, you should also bring this up with your attorney, since the European Union has much stricter privacy laws than the U.S.  </p>
<p>Depending on the nature, features and complexity of your site, drafting the terms of use and privacy policy may mean spending anywhere from a few hundred to a few thousand dollars on legal fees.  In my humble opinion &#8212; and I may be ducking rotten tomatoes from my fellow bar members for saying this! &#8212; it should not cost more than this, unless the site is extremely elaborate (Amazon) or the client extremely picayune.  With that said, however, sites that offer highly regulated or controlled products or activities (such as online gambling, liquor, health supplements, contests or sweepstakes) or are targeted at children may also require additional disclosures (e.g., contest rules) or controls (e.g., a process to obtain parental consent for the collection of personal information from children under 13) beyond the terms of use and privacy policy, which, of course, will cost extra.  </p>
<p>Painful as the legal fees may be, terms of use and privacy policies fall within the old adage, &#8220;An ounce of prevention is worth a pound of cure.&#8221;  They are necessary shields against legal and regulatory liability.    Additionally, with the FTC, in particular, sounding off on how certain behavioral tracking disclosures (among other things) should not be buried in legalese and also getting cranky about ways websites should notify their users about material changes in terms of use and privacy policies, you need to have these documents drafted by a pro.  </p>
<p>6.  <strong>Web Copy Review.</strong>  Your attorney, who is probably thirsting for billable hours in these grim times, would love nothing better than to take a red pen to your site copy and etch out every conceivable source of risk.  For most sites that are launched with little seed capital and do not feature heavily regulated or high-risk products or activities (gambling, liquor, financial services, sweepstakes or contests, material targeted to children, etc.), this is probably overkill.  Having said that, it is a good idea to have a business lawyer with some experience in online promotions do a <strong><em>quick, high-level</em></strong>  pass through the site to see if there are any major issues.  For example, if you use certain terms like &#8220;Free&#8221; or &#8220;Guaranteed,&#8221; these carry with them special legal obligations and disclosure requirements.  You also want your terms of use and privacy policy to be legally binding on your site users, so it is worthwhile to have an attorney eyeball the process or flow by which these documents are presented to and accepted by users.  </p>
<p>To give yourself a reasonable degree of comfort, ask your attorney to spend an hour (but no more) clicking through the test site, and then see what he or she comes back with.  </p>
<p>No doubt this quick checklist will provoke howls of outrage from some business lawyers who will note scores of issues that I have either glossed over (business structure and governance issues) or omitted entirely (patents, vesting of equity for partners who make service contributions).  They are correct &#8212; this is not a comprehensive blueprint for launching a new business.  If you have the legal budget for that, please give me a call.  <em>Please.</em>  My point is that if you&#8217;re just a small entrepreneur without angel investors or a powerful VC sugar daddy behind you and you only have a couple of thousand dollars or less to spend on a lawyer, you need to know where you can get the most legal bang for your buck now, and what you can defer for a few months until the business starts to generate revenue.  </p>
<p>Which is why I&#8217;ve discussed copyrights and trademarks (which are relatively cheap and are also easy for a web business to infringe unknowingly) but not patents (which, now that the golden age of business method patents is definitely over, are less relevant to ordinary web businesses; if you feel you&#8217;ve invented something really novel and useful, definitely raise the patenting issue with your attorney, but know that it can cost tens of thousands of dollars in legal and filing fees to apply for a patent, and, in any case, you have up to a year from your first public disclosure or commercialization of the invention to file your patent application).  I could give you other examples, but you get the picture.  </p>
<p>One additional disclaimer (of course, we love disclaimers!):  the figures and ranges I have given above for attorney fees represent my opinion of what these various services should cost, not necessarily what an actual firm will charge you.  They are ballpark estimates to help you decide what services are most important to you and fit within your budget.  Hopefully they will also facilitate a fruitful conversation with your attorney about managing costs.  If you do not have this conversation at the outset, do not be surprised if you do end up getting charged a lot more.  </p>
<p>Consulting a good business and e-commerce lawyer is a necessary part of launching a web business.  Like any other professional, we have a suite of services we want to sell you.  All are useful, but they need to be prioritized.  A good business lawyer will do this for you, but sometimes you have to ask.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/what-you-need/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Massachusetts Data Security Redux</title>
		<link>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/</link>
		<comments>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 13:46:22 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=421</guid>
		<description><![CDATA[<p>OK, sorry for the hiatus.  As promised, here is a fuller take on the <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">amendments to 201 CMR 17.00</a> issued by the Massachusetts Office of Consumer Affair[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>OK, sorry for the hiatus.  As promised, here is a fuller take on the <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">amendments to 201 CMR 17.00</a> issued by the Massachusetts Office of Consumer Affairs &#038; Business Regulation (OCABR) a couple of weeks ago. </p>
<p>First, the new version reflects an abandonment of the &#8220;prescriptive&#8221; (i.e., top-down, technology-specific) regulatory approach that characterized the previous version of 201 CMR 17.00 issued in February 2009.  To put it bluntly, that version scared the living hell out of recession-battered small businesses with its insistence on using 128-bit encryption to safeguard personal information stored on portable devices or transmitted wirelessly or across public networks, and a host of other computer security fiats that could have required the addition of costly IT infrastructure.  201 CMR 17.00 would have been the most stringent data security regulation in the country and would have affected millions of businesses and organizations outside Massachusetts, indeed, anyone who owned or licensed personal information about a Massachusetts resident.  </p>
<p>As the OCABR proudly explained when it unveiled the redraft, the new, mellower 201 CMR 17.00 more emphatically adopts the flexible risk-based approach used by federal law, such as the FTC&#8217;s Safeguards Rule implementing the security requirements of the federal Gramm-Leach-Bliley Act (GLBA).  Organizations other than Massachusetts governmental entities that own or license personal information (first name or first initial and last name, together with Social Security, driver&#8217;s license or state ID card number, or financial account, credit or debit card number) relating to a Massachusetts resident must still implement a comprehensive written information security program containing administrative, technical and physical safeguards, but it is clear now that the appropriateness of the safeguards will depend on the size, scope and type of business, the amount of resources available to the business, the amount of stored data, and the need for security and confidentiality of consumer and employee information.  </p>
<p>While all information security programs must still meet some general requirements (such as designating employees responsible for their maintenance, risk assessment and evaluation of current safeguards, reasonable restrictions on physical access to records containing personal information, oversight of service providers through an appropriate selection process and contracting, developing employee security policies for the storage, access and transportation of personal information outside of business premises, preventing terminated employees from accessing personal information, documenting responses to data breach incidents, etc.), gone are the more onerous requirements, such as identifying all systems and storage media containing personal information and imposing a rigorous system of limiting the extent and duration of access by personnel to personal information.  (These former requirements will now be used as guidance only.)</p>
<p>Another notable change is that the computer system security requirements in the regulation will now apply only to the extent technically feasible for the business.  In its FAQ&#8217;s, the OCABR defines &#8220;technically feasible&#8221; as indicating the existence of &#8220;a reasonable means through technology to accomplish a required result.&#8221;  This qualifier has enormous significance for the requirement to encrypt personal information stored on portable devices or transmitted wirelessly or across public networks.  For example, while encryption of backup tapes on a going-forward basis is required, a business may not be required to encrypt a tape being transferred from current storage (although it should consider alternate protections depending on the amount and sensitivity of the information).  Likewise, the OCABR has indicated that it may not enforce the encryption requirement for Blackberries, iPhones and similar devices, since there is currently no generally accepted encryption technology, but will for laptops.  </p>
<p>Not only is the encryption requirement now subject to technical feasibility, but it is also technology neutral.  No longer will businesses be required to use an encryption standard of 128-bit or higher. </p>
<p>There have also been some changes to the requirement to oversee service providers with whom personal information is shared.  First, as the statute has become less onerous, the requirement to select service providers capable of compliance has become correspondingly lighter.  Secondly, the regulation is now in conformance with the FTC&#8217;s Safeguards Rule under GLBA; businesses must take “reasonable steps” to select service providers capable of maintaining appropriate security measures for personal information and must require them to do so by contract.  (However, any contract entered into prior to March 1, 2012 will not be considered non-compliant even if it lacks these provisions, as long as it was entered into prior to March 1, 2010.)</p>
<p>Finally, the date by which businesses must be compliant with 201 CMR 17.00 has been pushed back to March 1, 2010 (from January 1, 2010), another concession to the jitters experienced by small and medium-sized businesses (SMB&#8217;s) since the inception of this regulation in late 2008.  (It is even possible that the regulation will be further amended, since the OCABR has invited public comment and will hold a hearing in Boston on September 22.) </p>
<p>Is 201 CMR 17.00 less scary now?  Yes, but how much depends on whom you ask.  For regulated financial services companies or businesses used to complying with the Payment Card Industry Data Security Standard (PCI DSS), HIPAA or GLBA, the amended Massachusetts regulation requires little or nothing that they are not already doing.  However, it is still more stringent and formalistic in terms of administrative process than any other state&#8217;s data security law (including even California&#8217;s!) and will represent a major cultural shock for SMB&#8217;s who up to now have not had to think systematically about security (and may not have a CTO or information security officer on staff).  Furthermore, based on my own experience, some managers who are used to purchasing IT services quickly, based on lowest available pricing, may chafe at the service provider due diligence and contracting requirements, although these requirements can actually be satisfied fairly easily. </p>
<p>With March 1, 2010 rapidly approaching, businesses will need to take a good hard look at themselves, assess the risk and the resources available to mitigate it, and determine whether their need to store and transmit personal information is great enough to justify the extra costs of compliance.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/massachusetts-data-security-redux/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>NEWS FLASH:  MA Data Security Regulation Amended</title>
		<link>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/</link>
		<comments>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/#comments</comments>
		<pubDate>Thu, 20 Aug 2009 19:40:57 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[201 CMR 17.00]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[Massachusetts]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=412</guid>
		<description><![CDATA[<p>On August 20, the Massachusetts Office of Consumer Affairs and Business Regulation amended 201 CMR 17.00 to adopt a more flexible risk-based and techn[......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>On August 20, the Massachusetts Office of Consumer Affairs and Business Regulation amended 201 CMR 17.00 to adopt a more flexible risk-based and technology-neutral approach to defining the information security program requirements for businesses which own or license personal information about Massachusetts residents.  The amended regulation, which will take effect March 1, 2010 (pushed back from January 1, 2010), can be viewed <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">here</a>.</p>
<p>I will discuss the changes more fully in an upcoming post, but overall they respond to concerns from recession-racked businesses about the stringent encryption and other technical and computer security requirements of the regulation, which would have applied across the board to businesses regardless of their size and resources and the technical feasibility of implementation.  </p>
<p>So, for example, the amended regulation now only requires that personal information stored on portable devices or transmitted over the Internet must be encrypted &#8220;to the extent technically feasible.&#8221;  Furthermore, it drops the requirement of a 128-bit or higher encryption standard.  More generally, businesses&#8217; information security programs now need only contain safeguards that are appropriate to the size, scope and type of business and the amount of resources available to the business.  The third-party service provider oversight provision has also been modified to be consistent with the FTC&#8217;s Safeguards Rule implementing the information security requirements of the Gramm-Leach-Bliley Act; businesses must take &#8220;reasonable steps&#8221; to select service providers capable of maintaining appropriate security measures for personal information and must require them by contract to do so.  However, any contract entered into prior to March 1, 2012 will not be considered non-compliant even if it lacks these provisions, as long as it was entered into prior to March 1, 2010.  </p>
<p>More to follow soon.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/news-flash-ma-data-security-regulation-amended/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ICANN:  Chill Out About New gTLDs, Trademark Rights</title>
		<link>http://www.baerbizlaw.com/category/blog/icann-chill-out-about-new-gtlds-trademark-rights/</link>
		<comments>http://www.baerbizlaw.com/category/blog/icann-chill-out-about-new-gtlds-trademark-rights/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 20:01:16 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[affiliate]]></category>
		<category><![CDATA[cybersquatting]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[domain names]]></category>
		<category><![CDATA[E-Commerce]]></category>
		<category><![CDATA[ICANN]]></category>
		<category><![CDATA[trademarks]]></category>

		<guid isPermaLink="false">http://www.baerbizlaw.com/category/blog/?p=387</guid>
		<description><![CDATA[<p>Many of us, seeking to explain our experience of the underpinning and sustaining force beneath the architecture of reality, refer to a deity, supreme [......]</p><p class='read-more'><a href='http://www.baerbizlaw.com/category/blog/icann-chill-out-about-new-gtlds-trademark-rights/'>Continue...</a></p>]]></description>
			<content:encoded><![CDATA[<p>Many of us, seeking to explain our experience of the underpinning and sustaining force beneath the architecture of reality, refer to a deity, supreme being or some other nourishing life force.  Throughout time, a variety of names have been invoked to denote this hyper-reality:  Baal, God, Allah, the Mother Goddess.  In the domain name world, it is known as the Internet Corporation for Assigned Names and Numbers (ICANN), the globe-spanning non-profit organization that sets policy for the Internet&#8217;s domain name address system, without which the Web would be to many just a formless void.  (What&#8217;s the difference between ICANN and God?  God doesn&#8217;t think He&#8217;s ICANN.)  </p>
<p>Last year ICANN embarked on a major initiative to authorize potentially hundreds of new generic top-level domains (gTLDs) starting in 2010.  In addition to the 21 current gTLDs (which include the ubiquitous .com, .net and .org), you could soon see domain names ending in .paris, .food, .google and other terms.  ICANN believes that gTLD expansion will add choice and flexibility to the Internet address system; however, wary trademark owners, especially financial institutions and financial services associations (including Bank of America Corp. and the American Bankers Association), have objected to its plans, anticipating an explosion in cybersquatting, typosquatting and phishing incidents and a spike in trademark abuse prevention and defensive domain name registration costs (millions of new domain names mean millions more that could end up in the hands of baddies).</p>
<p>In response to these objections, ICANN convened the Implementation Recommendation Team (IRT), a group of intellectual property experts, in March 2009 to examine the problem.  On May 29, 2009 the IRT published its <a href="http://www.icann.org/en/topics/new-gtlds/irt-final-report-trademark-protection-29may09-en.pdf">Final Report on Trademark Protection in new gTLDs</a> for public comment.  If you enjoy the sensation of being repeatedly slammed in the head with a large brick, I invite you to read the report.  If you enjoy the sensation of being slammed in the head once or twice with a brick of more middling size, you can check out an <a href="http://www.revenews.com/andrewbaer/trademark-issues-in-icann-domain-name-initiative-create-perils-opportunities/">article</a> I wrote at <a href="http://www.revenews.com">www.revenews.com</a> summarizing the high points (such as they are) of the Final Report.  </p>
<p>A couple of key issues bear mentioning here.  First, the report calls for the creation of both (1) an IP Clearinghouse to serve as a repository of data about asserted trademark rights (both registered <strong>and unregistered</strong> trademarks) throughout the world and a validator of these rights where trademark claims impact domain name registrations, and (2) a Globally Protected Marks List (GPML) of select trademarks which have a large number of registrations in numerous countries and, accordingly, are targeted for the highest levels of abuse.  Third-party applications for top-level domains that match or are confusingly similar to trademarks in the GPML (such as, hypothetically speaking, .apple) would initially be blocked, as would third-party applications for second-level domains that are identical to marks on the list (apple.computer, again hypothetically speaking).  </p>
<p>Applicants to be domain name registry operators for the new gTLDs would also be encouraged to offer a Pre-Launch IP Claims Service, whereby, if a third party attempts to register a second-level domain that matches a trademark contained and validated in the IP Clearinghouse (and that is not a Globally Protected Mark subject to blocking), the registry would notify both the trademark owner and the registrant.  The registrant receiving the notice would not be blocked from registering the domain name, provided that it makes certain contractual representations and warranties – i.e., it has a right or legitimate interest in the domain name, will not use it in bad faith and (under penalty of cancellation of the domain name) has provided accurate contact information.  </p>
<p>Finally, the IRT report also recommends that all gTLD registries be required to participate in a new Uniform Rapid Suspension System (URS), sort of a cheaper, fast-track, limited-purpose version of ICANN&#8217;s <a href="http://www.icann.org/en/udrp/udrp.htm">Uniform Domain Name Dispute Resolution Policy</a> (UDRP) for super-bad cybersquatters.  In clear-cut cases where there is no &#8220;genuine contestable issue&#8221; about the registrant&#8217;s bad-faith registration and use of an abusive domain name, the trademark owner could have the registration frozen for its natural life, and Internet users attempting to access that domain name would see a specific error webpage.  Complaints would be submitted (by e-mail, if the complainant chooses) to a third party selected by ICANN, which would retain a qualified legal expert to render a decision.  Fees would be assessed by the third party on a cost-recovery basis.  All in all, the process would be more streamlined and less formal than under the UDRP.   </p>
<p>All of these trademark rights protection mechanisms will provide a much needed supplement to the wheezing and expensive UDRP (mandatory arbitration that costs thousands of dollars in legal and filing fees per squatter).  Nevertheless, with a huge increase in the number of potentially problematic domain names, brand protection and trademark abuse prevention will remain an administratively complex and costly process.  </p>
<p>One idea I had is that trademark owners could effectively deputize their online marketing affiliates by license agreement to snap up domain names on their behalf and point these URLs to approved ad copy.  Affiliates could be paid a premium commission for clicks or transactions resulting from Internet traffic visiting the new domain names, to compensate the affiliate for both its initiative in opening up new real estate and the mitigation of trademark risk to the merchant from having the domain name in “friendly” hands.  The affiliate contract/license agreement could even contain a buyout clause giving the trademark owner the option to purchase the domain name registration from the affiliate at a designated price (the affiliate’s out-of-pocket costs plus some kind of premium).  For the trademark owner, in addition to increased Internet traffic, this arrangement would mean lowering its trademark abuse and brand protection costs – fewer domain name registrations to acquire and maintain, fewer disputes to pursue under either the URS or UDRP. </p>
<p>Well, that&#8217;s enough for one afternoon (blogging, not work).  At the risk of sounding like a philistine, for today&#8217;s happy hour recommendation, try the roof of TGI Friday&#8217;s on the Ben Franklin Parkway between 17th and 18th Streets.  It&#8217;s certainly no gastropub, just fun in the sun.  (In these hazy, languid days of August, I&#8217;m very low-maintenance!)  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.baerbizlaw.com/category/blog/icann-chill-out-about-new-gtlds-trademark-rights/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
