Articles Posted in Technology in Business

Airbnb houseThe “sharing economy” has become a feature of daily life for millions of people around the country and in New Jersey. It primarily consists of technology companies that use mobile apps to allow people, at least in principle, to make certain exchanges. Two well-known types of sharing economy services are ride-sharing and home-sharing. These particular business models frequently conflict with established local businesses and local regulations. Ride-sharing companies like Uber and home-sharing companies like Airbnb have often resisted efforts by local governments to regulate them as taxi and hotel companies, respectively. A pair of bills pending in the New Jersey Legislature would impose regulations on home-sharing services. While not expressly classifying them as hotels, the bills would subject them to similar rules and taxes.

Home-sharing services allow homeowners to make their homes available for short-term rental. The home-sharing service acts as a sort of broker between users and homeowners. This type of service has managed to avoid many of the legal pitfalls that some ride-sharing companies have encountered, such as questions of whether drivers are independent contractors or employees. Where home-sharing companies have found trouble, however, is on the question of whether they should be regulated and taxed as hotels.

Hotels, motels, “bed & breakfast” operations, and other businesses providing overnight accommodations are subject to a variety of state and local regulations. New Jersey law imposes a seven percent State Occupancy Fee on rental rates charged by hotels and motels across the state. Most municipalities in New Jersey are also authorized to collect a Municipal Occupancy Tax of up to one percent of rental rates.

Continue Reading

contractNew Jersey businesses that provide online services, sell goods online, or otherwise interact with their customers via the internet should be aware of some recent developments involving New Jersey consumer protection law. Two pending consumer class actions are seeking a broad application of the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA), N.J. Rev. Stat. § 56:12-14, et seq. While neither case has produced a final ruling, they have the potential to significantly affect businesses with an online presence, specifically in relation to the terms and conditions of website user agreements. Specific provisions could cause a business to violate state law, even inadvertently. Exactly when and how this might happen depends on multiple factors, including the nature of the business and the goods or services it provides.

Businesses often include agreements on their websites as a means of clarifying the business relationship—if any—established when someone visits the site and limiting their liability in various circumstances. A good business attorney will tell you that presenting an agreement in this manner is generally a good idea, but the reality is that almost no one ever reads these agreements before agreeing to them. When a consumer is presented with a contract that they cannot negotiate, essentially on a “take it or leave it” basis, courts tend to scrutinize the terms of those contracts very closely. The TCCWNA provides additional protections for consumers in this situation.

Under the TCCWNA, businesses may not use consumer contracts containing any “provision that violates any clearly established legal right of a consumer,” nor may a contract omit any legal “responsibility of a seller, lessor, creditor, lender or bailee.” N.J. Rev. Stat. § 56-12-15. This is a highly ambiguous restriction. The general rule in New Jersey has been not to bother contractual clauses that have no impact beyond the parties themselves. “Exculpatory clauses in private agreements that do not adversely affect the public interest are generally sustained.” Kane v. U-Haul Int’l Inc., 218 Fed. Appx. 163, 165 (3d Cir. 2007). A few recent cases may have changed this principle somewhat.

Continue Reading

The internet offers seemingly infinite possibilities for businesses to connect with their customers and reach out to new ones. It also gives consumers nearly unlimited ways to communicate with businesses and also with other consumers about businesses. Websites like Yelp enable consumers to post reviews of businesses for the public to see. Many businesses take negative reviews as a sign that they need to reconsider some aspect of their operations. A few, however, have taken a more assertive stance by attempting to bar customers entirely from posting negative reviews. A law passed by Congress and signed by President Obama in late 2016, the Consumer Review Fairness Act (CRFA) of 2016, prohibits businesses from using form contracts that purport to restrict consumers’ ability to post negative or critical reviews, commonly known as “gag clauses” or “non-disparagement clauses.”

1 starsAt first glance, a contract prohibiting someone from posting negative reviews to a site like Yelp, while possibly allowing positive reviews, might seem to violate the free speech guarantee of the First Amendment. This is not entirely accurate, though, since the prohibition comes from a contract between two private parties—a business and its customer. The First Amendment, simply stated, only prohibits the government from imposing content-based restrictions on speech. A private party, such as a restaurant or retail store, is legally permitted to eject a customer for almost any reason, including offensive speech.

One exception to the First Amendment’s free speech protection is defamatory speech. This is a statement made to the public that is false, that causes harm to the subject of the statement, and that the person making the statement knows or should know is false. A spoken defamatory statement is known as slander, and a written one is called libel. A customer who posts a negative review of a business that contains false information could be liable to the business for damages in a defamation lawsuit. The CRPA does not concern itself with this type of situation but instead with contractual clauses that prohibit both truthful and false negative reviews.

Continue Reading

HackCybersecurity is a critically important concern for businesses of all sizes and in all sectors of the economy. The growth of various electronic data systems, not to mention the internet, has brought almost countless new risks from hackers and others, who use new technologies to perpetrate traditional crimes like theft. Businesses that collect and maintain consumers’ personal information must be particularly careful, since cybersecurity breaches can affect their customers’ financial interests as well as their own. The New York State Department of Financial Services (DFS) announced new proposed cybersecurity regulations several months ago for businesses in the financial sector. The proposed regulations, which are reportedly the first of their kind in the country, would require covered businesses to undertake extensive measures to safeguard their data.

New York law currently requires state agencies and private businesses to notify the state’s attorney general of any cybersecurity breaches that result in the release of “private information” to unauthorized persons. “Private information” includes information that may be used to identify a particular individual and that includes details like a Social Security number, a driver’s license or other identification number, or information that could enable access to a credit card or another financial account. N.Y. State Tech. L. § 208, N.Y. Gen. Bus. L. § 899-AA. State law does not currently impose affirmative obligations on businesses to protect private information or to guard against cybersecurity breaches.

The governor announced the proposed DFS regulation in mid-September 2016. The regulation, which will be codified in Title 23 of the New York Codes, Rules, and Regulations (NYCRR), applies to any business or organization under the jurisdiction of the New York Banking Law, Insurance Law, or Financial Services Law. 23 NYCRR § 500.01(c) (proposed). It requires “covered entities” to perform a risk assessment on a periodic basis, initially to identify cybersecurity needs and vulnerabilities, and subsequently “to respond to technological developments and evolving threats.” Id. at § 500.09.

Continue Reading

penguinDigital technology enables businesses to store information electronically, without the need for expansive file cabinets and storage facilities, and to transmit data quickly and efficiently. It also exposes businesses to the risk of data breaches, which expose consumers to risks like identity theft. The Federal Trade Commission (FTC) recently issued guidelines regarding compliance with two major federal statutes that protect consumers and their privacy:  the Health Insurance Portability and Accountability Act (HIPAA) of 1996, Pub. L. 104-191, 110 Stat. 1936 (Aug. 21, 1996); and the Federal Trade Commission Act (FTC Act) of 1914, 15 U.S.C. § 41 et seq.

HIPAA is a comprehensive law dealing with various aspects of health insurance, but it is perhaps best known to the public for its provisions regarding medical information privacy. The statute directed the Department of Health and Human Services (HHS) to present “detailed recommendations on standards with respect to the privacy of individually identifiable health information” to several Congressional committees. Pub. L. 104-191 § 264, 110 Stat. 2033. HHS developed a set of standards and procedures from this, commonly known as the Privacy Rule, found at 45 C.F.R. Part 164.

In a very general sense, the Privacy Rule only applies to health care providers, insurers, and related businesses, described as “covered entities.” 45 C.F.R. 160.103. The Rule also applies, however, to “business associates,” defined to include any “subcontractor that creates, receives, maintains, or transmits” PHI. Id. This definition can apply to many types of businesses besides medical professionals and health care providers.

Continue Reading

phishingA vast array of cybersecurity threats costs businesses billions of dollars each year. In early 2016, the FBI issued a warning to American businesses about “business email compromise” (BEC) scams, also known as “CEO fraud.” It stated that the number of incidents involving this type of scam, along with the amount of associated losses, has quickly increased in the past few years. New York and New Jersey business owners should be aware of what this type of scam involves, and their potential liability should they be the victims of such a scam.

A typical BEC scam involves the use of a company’s own email network, or an email address made to look like an internal company email, to pose as the CEO or another high-level executive. The scammer, commonly known as the “imposter,” contacts a lower-level executive or employee and directs them to take certain actions, such as wiring money to an account that the imposter controls. By the time the company becomes aware of the scam, the imposter has usually withdrawn the money and closed the account. The BEC scam is similar to scams known as “phishing,” in which a scammer solicits personal information from people through emails made to look like they come from a bank or another legitimate entity.

A business could face various types of liability if it is the victim of a BEC scam, depending on the nature of the scam and the resulting loss. If the scam somehow compromises secure business information, such as customers’ payment information, the business could be liable to those customers for their damages from the identity theft and other misuse of that information. Guarding against BEC scams should be part of every company’s cybersecurity strategy.

Continue Reading

Open APISA jury recently issued a significant verdict in a legal fight between two major technology companies, although it might not resolve some questions brought up by the litigation. The two companies are fighting over protocols used in a wide range of software applications, known as application programming interfaces (APIs). The plaintiff sued for copyright infringement, alleging that the defendant unlawfully appropriated its APIs for use in its mobile device operating system. Oracle America, Inc. v. Google, Inc., No. 3:10-cv-03561, complaint (N.D. Cal., Aug. 12, 2010). APIs are essential tools for countless digital technologies, so the outcome of this case ought to be of great interest to anyone who regularly uses the web. A federal judge ruled in 2012 that APIs are not subject to copyright infringement, but an appellate court reversed that ruling. On remand, a jury found that Google breached Oracle’s copyright, but the breach was excused under the Fair Use Doctrine.

Copyright law protects “original works of authorship fixed in any tangible medium of expression.” 17 U.S.C. § 102(a). This includes books and other written works, musical recordings, video or film recordings, and software code. It does not, however, include “any idea, procedure, process, system, [or] method of operation.” Id. at § 102(b). A copyright can be a very valuable asset for a business, and copyright owners must take affirmative steps to protect their copyright interests. The Fair Use Doctrine holds that unauthorized use of a copyrighted work is not infringement under certain circumstances, including “criticism, comment, news reporting, teaching…, scholarship, or research,” provided that the use is “transformative.” Id. at § 107; Campbell v. Acuff-Rose Music, 510 U.S. 569, 579 (1994).

The Oracle case presented the question of whether APIs are subject to copyright protection, or whether they are non-copyrightable procedures or processes. An API, simply stated, allows one software application to communicate or interface with another application, acting as a sort of translator between different pieces of software. APIs are essential parts of many common digital technologies, allowing mobile devices to run a wide range of applications and allowing websites to interface with social media services like Facebook and Twitter, to name just two examples.

Continue Reading

By Larges111 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia CommonsBusinesses in New Jersey, New York, and around the country depend on computers, computer networks, and the internet to conduct their operations. Whether a company is engaged in e-commerce or other internet-based business activities, or it merely uses computer software to assist with inventory or payroll, that company is potentially vulnerable to cybersecurity breaches. Numerous resources are available to help business owners protect their data from threats, including both hackers and insiders. The federal government is also working to enhance its ability to investigate and prosecute cybercrime. Proposals from the White House and the U.S. Department of Justice (DOJ) in the past year have called on Congress to amend the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to address the misuse of company data by insiders. Critics of these proposals claim that they go too far and could result in criminalizing ordinary business internet activity.

The CFAA applies to unauthorized access to a computer, or use of a computer that exceeds one’s authority. The term “computer” includes machines commonly known as “computers” and any related “data storage…or communications facility.” 18 U.S.C. § 1030(e)(1). A “protected computer” may be one “used in or affecting interstate or foreign commerce or communication.” Id. at § 1030(e)(2)(B).

A provision of the CFAA relevant to small businesses prohibits knowingly accessing a protected computer without, or in excess of, authorization, “with intent to defraud,” and obtaining information worth at least $5,000. Id. at § 1030(a)(4). It also prohibits knowingly sending information, such as malicious computer code, that causes unauthorized damage to a protected computer. Id. at § 1030(a)(5). The CFAA defines “damage” as “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at 1030(e)(8). These provisions have enabled prosecutions of hackers and others outside of a company, but prosecutors claim that they have been less useful for going after insiders.

Continue Reading

geralt [Public domain, CC0 1.0 (https://creativecommons.org/publicdomain/zero/1.0/deed.en)], via PixabayCybersecurity is a critically important part of nearly every business operating today. Data breaches that compromise customers’ personal information, such as names, addresses, and credit card numbers, can result in huge losses due to identity theft and other types of fraud. If the Federal Trade Commission (FTC) concludes that a business failed to take adequate measures to protect its data, it can bring an enforcement action for “unfair or deceptive acts or practices in or affecting commerce” under Section 5 of the FTC Act, 15 U.S.C. § 45. The Third Circuit Court of Appeals recently ruled in the FTC’s favor in a case involving the theft of more than 619,000 customers’ credit card information by hackers. FTC v. Wyndham Worldwide Corp., No. 14-3514, slip op. (3rd Cir., Aug. 24, 2015). The court did not rule on the merits of the FTC’s claim. It merely found that the FTC has authority to pursue the claim under Section 5.

According to the court’s ruling, the FTC began enforcing Section 5 “against companies with allegedly deficient cybersecurity that failed to protect consumer data against hackers” in 2005. Id. at 6. The defendant, which manages hotels directly and franchises its brand to independent hotels, experienced three cybersecurity breaches in 2008 and 2009. The theft of customer financial data resulted in fraudulent credit card charges exceeding $10.6 million. The defendant uses a “property management system” to process customer information, including names, addresses, and credit card information. Id. at 7. It requires franchisees to use the same system, configured to certain specifications.

The FTC’s lawsuit alleged numerous deficiencies in the defendant’s cybersecurity measures, including inadequate supervision of franchisees’ use of the property management system; use of “easily guessed passwords [by franchisees] to access the property management systems,” id. at 8; lack of firewalls and other common cybersecurity tools; failure to restrict access to its network by third-party vendors; the ability of franchisees to connect their networks to its central network without security; and failure to monitor its networks for intrusions, even after the first and second breaches. These acts and omissions, the FTC claimed, constituted “unfair” practices under the FTC Act. 15 U.S.C. § 45(a)(1).

Continue Reading

Identify the image source as Compliance and Safety LLC and include a working hyperlink to http://complianceandsafety.com on the same page that uses this image. [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia CommonsCybersecurity, the process of protecting a company’s digital assets from theft and other harm, is an important issue for every business, regardless of size or complexity. Almost every business now relies on computers to some extent, and criminals are constantly developing ways to access business computer systems to steal customer information or company financial information, or even just to cause damage. Hackers may be able to penetrate a company’s computer security remotely, but many high-profile data breaches are accomplished by stealing laptop computers, hard drives, and other hardware. A company’s legal liability for a data breach is still a developing area of law, and few answers are certain in that area. Avoiding legal liability, however, is far from the only reason to take precautions against data breaches.

Recent data breaches have led to lawsuits against the affected companies by customers and shareholders, and a data breach could also result in administrative fines or penalties in some circumstances. Few statutes directly address a company’s liabilities with regard to cybersecurity, but numerous legal claims are possible:

– Negligence:  One or more customers whose personal information was compromised in a data breach could claim that the company breached a duty of care to safeguard that information, and that this caused them financial damage.

Continue Reading