Still Too Big to Sue

November 4, 2013

 

Class Action suits are one avenue to harass Big Data over its ever-expanding ways to violate consumers’ privacy. But the potential for a settlement that rivals our national debt is not out of the realm of possibility when most of the suits have millions or even hundreds of millions of plaintiffs and are based upon violations of the Wire Tap Act, which allows for statutory damages of $10,000 per illegal wire tap.

 

The cases usually end up being settled by the violators agreeing to a cy pres award: a fund to give to organizations that educate consumers on privacy. Cy pres awards have been coming under fire as not being true to their name, which means “as close as possible”. In class actions, they are used to allow the court to make an award that promotes the interests of the class members instead of giving an award to the class itself – which means that the plaintiffs get maybe $10 and some (questionable?) organizations get millions. The US Supreme Court had the opportunity to review a recent Facebook class action settlement but declined it today. The court’s reasoning indicates they might still be interested in addressing the issue, but that this was a bad case to use because it had such bad facts: the injured plaintiffs didn’t like that the organization getting $9 million is controlled by Facebook. What could be wrong with that? To read more, see Online Powerhouses – Too Big to Sue.

Wake Up US Cloud Computing Providers!

photo by Terry Robinson

August 8, 2013

The European press is eating your lunch! They are literally capitalizing on the PRISM scandal and they have no reason to be so smug. While a recent US-based study by ITIF highlights that 10% of non-US residents had already cancelled a project with a US-based cloud provider and that the US industry stands to lose up to $35 billion in the next three years, the Guardian and Irish Times are busily reporting on the secret surveillance programs in place abroad.

Yes, through its secret program, Tempora, the British are collecting telephone and online data from the 7 major telecoms running the undersea fiber-optics that form the backbone of the Internet. And as also highlighted in the study, most European governments can and do gather electronic data on their citizens without warrants. For more, please see The Dangers of European Clouds.

Arbitration in China Still in Flux – But Improving

June 25, 2013

Arbitration is the favored approach to legal dispute resolution for foreign investors doing business in China. Until recently, the only arbitration tribunal available was CIETAC, the China International Economic and Trade Arbitration Commission. Without much fanfare, CIETAC adopted new rules just over a year ago. While the international legal community didn’t react too much (and they should have), the Shanghai and Shenzhen sub-commissions revolted as a consequence and formed new organizations.

This wouldn’t be so revolutionary elsewhere, but in China, an arbitration tribunal must be established under municipal law, registered with the provincial justice bureau and if administering cases related to foreign interests, further established under the China Chamber of International Commerce. Otherwise, local courts don’t have to recognize their awards. And, why go through an arbitration process only to get an award that a court may or may not enforce?

The revolutions happened last August, leaving another big question unanswered: how to interpret existing contract clauses that require CIETAC arbitration in one of the wayward cities. But, in the meantime, the new commissions, Shanghai International Economic and Trade Arbitration Commission (SHIAC) and Shenzhen Court of International Arbitration (SCIA) (also called South China International Economic and Trade Arbitration Commission (SCIETAC)), have issued rules, engaged panels of arbitrators and are working their way through the legal approvals. And CIETAC has opened new offices in Shanghai and Shenzhen. One issue is resolved: existing contract clauses using CIETAC in Shanghai and Shenzhen can be enforced. And new tribunals are coming online.

So which is the best tribunal? All three, CIETAC, SCIA and SCIETAC, have adopted a rule that is good news for foreigners. The parties can now agree to use their own arbitration rules – as long as they are reasonable. Anyone who has experienced a CIETAC arbitration in the past would jump at the opportunity to use another tribunal’s set of rules. SCIA and SCIETAC didn’t like CIETAC’s modernization, so don’t look there.

Remember that a foreign investor is typically only going to choose CIETAC if it has to because it is a WFOE (Wholly Foreign-Owned Chinese Entity) and the other party is also a Chinese company. See my earlier post: Resolving Disputes in China. This new rule gives a foreign investor operating under a WFOE most of the same flexibility regarding arbitration proceedings as if it were a foreign company.

Adopting another tribunal’s rules, say the International Chamber of Commerce (ICC) or the Hong Kong International Arbitration Centre (HKIAC) rules, takes the dispute completely out of the restrictions of CIETAC concerning choice of arbitrators, venue, evidentiary hurdles, etc. Voila! An efficient, modern arbitration proceeding is now possible.

Granted, it may be difficult to convince a Chinese party to go that far. But even under the new CIETAC rules, the parties may agree to a venue outside of China as long as one party is foreign. So far CIETAC has only set up one arbitration center outside of China – in Hong Kong. The irony is rich, except Hong Kong has long been considered a friendlier place for foreigners and it has a well established legal and arbitration community of good reputation. If Hong Kong is agreeable as a venue, perhaps the Chinese company can be persuaded to accept some of the more modern HKIAC rules as well.

While reconsidering your standard arbitration clauses, remember that under Chinese law, an arbitration clause is not enforceable unless it defines the tribunal, rules and venue. That is why the absence of Shanghai and Shenzhen sub commissions of CIETAC was such a problem. CIETAC issued an interim rule stating parties in that situation should use their Beijing office, but a party seeking to avoid arbitration could use the situation to do so.

It remains to be seen how the commissions will interpret the new rules. What is considered reasonable? For example, if the parties can choose their own rules, does that extend to a rule about venue? Will the tribunals still insist the parties use their panels of arbitrators even if they are unfamiliar with other tribunals’ rules? And if a chosen venue or rule is invalidated, is the whole arbitration agreement unenforceable?

Some drafting tips include:

  • When designating an alternative tribunal’s rules, be clear that all the rules, including those on venue, choice of arbitrators and any others of concern apply;
  • State that the parties consider all the alternate rules to be reasonable. The commission has the final word, but it can’t hurt to state that the parties think so.
  • Include a severability clause that requires the arbitrator or commission to reform an unenforceable clause to an enforceable one which most closely reflects the intent of the parties.

NSA Surveillance – All Perfectly Legal

Image by Setreset

June 18, 2013

Does anyone really think they know what the NSA is doing with all the data they can access? We only know what they feel is appropriate to tell us. But regardless of your comfort with the current state of secret government surveillance, it’s nothing new. In fact, FISA, the Foreign Intelligence Surveillance Act, officially hit middle age turning 35 years old this year. And managing government requests for customer information is a regular issue for cloud providers, telephone companies and ISPs. How do they get away with it? See Government Intrusion into the Cloud

Director Nightmare #2: Cybersecurity

May 31, 2013

It’s no wonder cybersecurity is the #2 issue that keeps corporate directors up at night. The news abounds with stories about Chinese cyber espionage, overzealous Department of Justice probes, multi-million dollar ATM thefts, crippling denial of service attacks and leaks from social media and “rogue” employees. In some respects the public is numb to all this (unless that was your credit card number that was broadcast). But directors are and should be worried. The Internet can be a risky place.

The threats may seem overwhelming. How can a company avoid the global spread of malware? Don’t the Patriot Act and FISA allow the feds access to a company’s records without its knowledge anyway? Won’t overseas companies copy your products somehow no matter what? What is Twitter about?

The reality is that cyber risks can be thwarted and mitigated with good security risk management programs and IP protection programs. These programs aren’t just about having the latest technology. Proper use of technology and company data by people is the key. In fact, employees, not bad technology, are the source of 56% of data breaches, according to a hospital survey. Breathe: employees are trainable.

Changes in technology are a factor, however. The cloud, smartphones and social media are new avenues for company data delivery, access and storage. A company’s internal IT security protocols are important but becoming less relevant as more data moves to the cloud. Yet, another survey showed that only 50% of company IT security professionals reviewed the security practices of the cloud and SaaS providers that their company uses. Like employees, cloud providers have varying levels of sophistication and attention to data security. That’s a lot of unassessed risk.

Next, more employees use their own smartphones and tablets to access the company systems, creating zillions of copies of company data on uncontrolled devices. Well, uncontrolled at 76% of companies, since only 24% report having BYOD (bring your own device) policies. Even company-issued devices don’t necessarily come with security guidelines.

Social media, meaning Facebook, Twitter, Pinterest and the like, are the electronic versions of newspapers and press releases – except that they are used by lots of employees, reach many more people and are instantaneous. Directors who are used to all company statements being carefully crafted through the PR department may find their company’s use of social media frightening. And, if the company doesn’t have a policy for social media use, it may be at risk for leaks about company strategies or misinformation about products, not to mention embarrassments like photos of drunken staff parties. Social media is a very easy way for employees and customers to spread information which represents the company. It is a great marketing and advertising tool but needs management to avoid damaging a company’s brand or worse.

Net, if a company’s internet use or email policies were written in the nineties, it’s time to give them a fresh look. And policies alone don’t fix things. A full compliance program which includes education, auditing and enforcement is required.

Ultimately all cyberthreats cannot be prevented. Directors sleep better if they know the company is prepared to manage a data security breach. While 63% of the directors surveyed felt comfortable that their company could manage a data security breach, they weren’t so happy with their companies’ crisis management plans. Those plans encompass such catastrophes as cyberattacks and natural disasters that shut down operations and corporate disgraces like tainted products, oil spills or executive fraud. 57% of board members said that they had reviewed their company’s crisis management plan within the last year, but only 34% said that they were very comfortable with the plan. 30% said they were not at all comfortable with the plan, the company had no plan, or they didn’t know if the company had a plan.

Corporate boards aren’t responsible for the day to day risk management of the company. But, when they hear about the cyber theft and cyber crises around the globe, they must know their company is prepared. A modern data security program, IP protection program and crisis management plan can significantly reduce threats from lazy or malicious employees, unsafe devices and rogue cloud installations.

Directors should be leading the charge when it comes to acknowledging cybersecurity. Regardless of their technical backgrounds, Directors should be asking the right questions of their leadership to ensure key company threats are addressed. If the company isn’t able to address these issues internally then it needs to bring in resources to take an objective look and implement best practices in the industry. Proactive risk management should result in a boring outcome, meaning, there are no cybersecurity crises. It definitely beats the alternative.

Silly Contracts Impede Adoption of Cloud Computing

May 8, 2013

I love British understatement. In a recent article on British cloud blog, V3.co.uk, a CIO pronounces cloud contracts “silly” when they don’t address customers’ requirements around privacy and compliance. Terms that overreach on limitations of liability and give providers rights to mine customer data are also deemed “silly”. His point isn’t silly though. Those silly terms keep customers from buying. My interpretation is more direct. I think they’re scary. See my Cloud Tweaks article on the issue: 5 Reasons Why Cloud Contracts Should Scare You