Friday, June 12, 2009

Could You be Sued if Your Customer Database is Breached?

In the age of computer hacking and identity theft, more and more attention is being focused on the obligation of businesses to protect the security of personally identifiable information stored on its computers and in its databases.

Most businesses retain electronic records containing personal information about employees, vendors, and customers. Does holding that personal information and data create a duty to conceal and protect that information from others on behalf of the person about whom the data relates? Most courts have held that no implied duty exist. If you properly obtain non-confidential data from your employees, customers or vendors, you have the right to use it. The fact that you know your customer's home address and phone number, for example, does not create a duty to keep that information secure. Indeed, the customer's name, address and phone number may be known to many individuals and businesses.

But some employee, customer and vendor information is more sensitive, and may be delivered to your business under confidentiality agreements or under circumstances sufficient to imply a duty to protect the information from disclosure. For example, social security numbers, bank account information, personal health information provided for insurance purposes, and other sensitive data could be used by others for improper purposes. If it is foreseeable that damages could result from the public disclosure of sensitive personal, financial or health information, a business is wise to protect that information to the greatest extent possible.
  • Encrypt. Current laws generally apply only to "unencrypted personal information." All computer data containing sensitive information should be encrypted and opened only with a password to prevent unauthorized access.
  • Limit. Business policies and practices should limit access to sensitive data to those individuals with a need to use the particular data in the course of their job duties.
  • Train. Train employees on the need to secure and protect sensitive data from unauthorized access, including personal information as well as company information, such as marketing plans and strategies, product designs, and manufacturing processes. Additionally, train employees on how to spot unauthorized access to sensitive data so that your company can be vigilant in identifying data theft and complying with laws that require prompt notice to impacted individuals. Evidence of employee training can help the company avoid a punitive damages award in the event of unauthorized access.
  • Monitor. Today's network technologies can help you identify unauthorized data access attempts, such as multiple erroneous password entries, access to the database from an IP address or location outside the company, file modifications that evidence copying or emailing of sensitive data, or after-hours access to a secure database.
If your database is ever breached, the worst thing you can do is ignore the breach and hope that no one will find out or nothing will be used improperly. Be warned that there are state and federal laws that require businesses to take specific actions to promptly notify affected individuals and assist those individuals with protecting their financial records and credit rating.

Each case a business may face is unique and may require legal advice. Please consult an attorney about specific concerns in this area. For more information, contact Bradley P. Hartman at or 602.262.5842.

Thursday, June 11, 2009

Use of Celebrity Images in Advertising Has Risks

Clothing retailer American Apparel has agreed to pay Actor/Director Woody Allen $5 million to settle a lawsuit brought by Allen when he was featured in an American Apparel billboard campaign dressed as a Hasidic rabbi from his classic 1997 comedy, "Annie Hall." American Apparel defended the use of Allen's image as a satiric and social statement on a public figure, protected as free speech by the First Amendment to the U.S. Constitution. American Apparel said the billboards were designed to inspire dialogue, not to sell clothing.

Allen's attorneys disagreed, claiming there was no protected speech involved, but rather pure commercial advertisement rooted in the unauthorized use of Allen's image to promote American Apparel. Even though the American Apparel billboards came down within a week of Allen's initial complaint, Allen claimed that was long enough to falsely imply that Allen sponsored, endorsed, or was otherwise associated with American Apparel or its products.

The right of publicity is a person's exclusive right to use, and to prevent the unauthorized use of, his or her name, likeness, or other aspect of his or her persona for commercial gain. To use it without permission allows that celebrity (or any person) to file a claim against the business. The line between commercial speech and free speech may be fuzzy, but the American Apparel billboards seem to have been firmly planted on the commercial side of the line. If you would like to use celebrity images in your own advertising - even the images of deceased celebrities or celebrities lesser known than Woody Allen - it is best to obtain advance and unequivocal permission from the celebrity or the holder of his or her publicity rights. A business owner also would be wise to avoid using in advertisements words, logos, or designs that can be associated with other companies or products, which may raise claims under the federal Lanham Act.

Whether or not American Apparel would have succeeded with its defense will never be known. But we do know that American Apparel learned an expensive lesson: Using celebrities to endorse a product without their permission is going to get a business owner into trouble.

Each case a business may face is unique and may require legal advice. Please consult an attorney about specific concerns in this area. For more information, contact Bradley P. Hartman at or 602.262.5842.

Act Quickly: Facebook is Creating New Opportunities and Challenges for Businesses, Individuals and Trademark Owners

This Friday night at 12:01 a.m. Eastern Time (9:01 p.m. Phoenix Time), Facebook will be releasing "vanity URLs" to registered Facebook users, in what is sure to be a landrush for businesses and individuals to adopt a unique, easy to remember URL for their Facebook profile and home page.

Until now, Facebook profiles have been identified on the Internet with a long series of nonsensical numbers (e.g., Beginning Friday evening, users will be able to obtain an easy-to-remember name for their Facebook pages, issued on a first-come, first-served basis (e.g., User names must be at least five characters in length and can only include alphanumeric characters (A to Z, 0-9) or periods. Generic words will not be available. To obtain a vanity URL, the Facebook account for your brand, product or organization must have been live on Facebook prior to May 31, 2009, and have a minimum of 1,000 fans.

Trademark holders interested in preventing their trademarks from being registered as usernames can submit their information to Facebook. Owners are required to submit a registration number for the trademark to be protected, and owners of multiple marks must submit a separate form for each mark to be protected.Doing so will help prevent your valuable intellectual property from being registered and associated with a Facebook user. As they say, an ounce of prevention is worth a pound of cure.

Act quickly - the landrush begins Friday, June 12th at 9:01pm PDT.

Each case a business may face is unique and may require legal advice. Please consult an attorney about specific concerns in this area. For more information, contact Bradley P. Hartman at or 602.262.5842.