Mobile Applications: An Update

In 2013, we wrote an article on legal issues for mobile applications (Apps). Since then, the number of App downloads has increased by over 400%, and App functionality has grown tremendously. Apps have become an essential part of everyday life for many consumers, and as they continue to evolve, lawsuits and investigations regarding them have multiplied.

The discussion below provides an update on the legal issues discussed in our 2013 article. While privacy issues have emerged at the forefront and tend to make headlines, developers also need to be aware of other recent developments that affect their ability to secure their intellectual property rights in the App and limit their liabilities.

1. Use of Open Source Software 

Most App developers use open source software (OSS) in their Apps. That software is licensed to them under an open source license such as Apache 2.0 or the GNU General Public License (GPL) in its various versions. Each license has its own requirements, covering attribution, rights over derivative works, commercial use, non-discrimination between platforms, and so on. The importance of understanding and managing OSS license terms during App development is highlighted by OSS-based lawsuits.

For example, in Versata v. Ameriprise, Versata developed and licensed its proprietary software, Distribution Channel Management (DCM), to Ameriprise. Ameriprise passed it on to subcontractors, who decompiled it and developed a competing product. Versata sued Ameriprise for breach of the license, but Ameriprise countered that DCM had been built on a XimpleWare library licensed under GPLv2, which requires that the source code of any derivative work be made available under the GPL when the modified software is distributed, so Ameriprise and its subcontractor were free to decompile and modify DCM. Versata had failed to recognize that open source software had been used in developing DCM and had not reconciled the GPL terms with its own license for DCM. Following this allegation, XimpleWare Inc. sued Versata and its clients for breach of its license terms. Although the cases settled in 2015, they highlight the importance of managing vendors who may use open source software in App development, and of understanding and complying with the license terms of any open source software used in the development process.

2. Enforcement of Terms of Service or End User License Agreement

The Terms of Service (Terms) of an App define the rights and liabilities of the App developer, owner and users. Typically, the developer includes robust liability disclaimers and other protective clauses. None of that language matters, however, if the Terms are not displayed conspicuously enough to give the end user an opportunity to read them. In recent years, courts have handed down many decisions holding “browsewrap” agreements unenforceable. A “browsewrap” agreement is one where the user is not required to take any action to agree to the Terms, but is instead deemed bound by the App’s Terms automatically upon use of the App.

For example, in In re Zappos.com, Inc., Customer Data Security Breach Litigation, the court invalidated Zappos’ arbitration clause and held its Terms of Use unenforceable because the link to them was buried inconspicuously at the bottom of every Zappos.com webpage among many other links. The website never directed users to the Terms of Use, in effect binding them to an agreement they had never seen. Similarly, in Meyer v. Kalanick, an antitrust lawsuit against Uber’s founder in which Uber intervened, the district court held that Uber could not enforce its arbitration clause because a user did not need to affirmatively click any box indicating agreement to Uber’s Terms of Service. Instead, a user could sign up by clicking the “Register” button without explicitly assenting to the terms and conditions that contained the arbitration provision, and could use Uber’s services without ever visiting the page hosting the browsewrap agreement or knowing that such a page existed.

3. End User Privacy

In recent years, privacy-related lawsuits and investigations against App developers have increased along with the expansion in App functionality and data collection. Users and consumer protection agencies are paying closer attention to the data collected and shared by Apps in search of privacy violations. Famously, Niantic, the maker of Pokémon Go, received a cease-and-desist warning from the Federation of German Consumer Organizations on the ground that the game violated Germany’s privacy laws by retaining and sharing user data, including players’ location, recent web history, search terms and user messages. Likewise, Yelp was sued over the “friends’ finder” feature of its mobile application, which accessed contact information on users’ phones and uploaded it to Yelp’s servers without the users’ express consent.

Given the increasing scrutiny of App developers’ privacy practices, and the monetary and reputational harm that follows a violation, App developers should build privacy protections into their development process and consider the privacy ramifications of every category of data the App collects or shares.

Investing for Social Impact

The following is an excerpt from Mark Phelps’ recent article in the King County Bar Bulletin:

What if donors could get a financial return on their gifts to charities? Would they donate more money? Would they become more involved in the nonprofit organizations they support? Would programs have better outcomes? These questions are being explored as local donors begin to learn about investing in “development impact bonds,” a fairly new financial instrument that weds financial returns to social impact and development.

These are becoming more common for international nonprofits working in the developing world. Their complex structure requires the involvement of attorneys for all parties taking part in negotiating and drafting the terms of the agreements.

Addressing Risks to Data in Vendor Agreements

In the now infamous Target data breach, attackers gained access to roughly 40 million customers’ payment card records after first compromising one of Target’s vendors, a refrigeration, heating and air conditioning contractor. Target incurred $162 million in expenses directly related to the breach, suffered a 46% drop in profit in the fourth quarter of 2013, and finally settled for $18.5 million in May 2017.

As data breaches multiply, sharing data with vendors has become riskier. Some data privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the EU General Data Protection Regulation (GDPR, which applies from May 2018), require a certain level of vendor management and due diligence in contracting with vendors. Even a company that is not subject to these laws should ensure that its vendors take adequate steps to protect data, to minimize the risk to its reputation and revenues and the risk of lawsuits.

The vendor agreement plays an important role in mitigating these risks. First, it reduces the likelihood of a breach by including representations and warranties from the vendor regarding compliance with the relevant privacy laws and industry standards. Alternatively, or in addition, a company may require the vendor to follow specific privacy and security procedures, which may exceed the bare compliance requirements. The company’s security and procurement groups should separately verify the vendor’s compliance with those standards and procedures through testing or certifications. The agreement should also be reviewed carefully to ensure that there is no disclaimer of warranties as to security and privacy (unless those warranties are specifically provided in the representations and warranties section). Further, it may give the company the right to audit the vendor’s privacy and security practices regularly, and impose penalties for failure to comply, up to and including termination of the contract.

Second, a vendor agreement helps mitigate the costs of a data breach that occurs through the vendor. Tools include (i) carving direct and indirect losses related to data breaches out of the vendor’s limitation of liability clause; (ii) setting a separate, higher liability cap for losses arising from data breaches, since the typical cap, tied to the amount paid to the vendor, would not cover such losses; and (iii) carving indemnification out of the limitation of liability clause, so that for third-party claims and lawsuits there is no cap and the vendor covers the cost of defense, damages, attorney fees, remedial measures and so on.

Another important aspect of addressing data security and privacy in vendor agreements is the vendor’s insurance. According to a recent Ponemon Institute survey, each lost record costs around $188 to remediate, so the cost of defending and remedying a large breach can run into millions of dollars. Vendors cannot meet such costs out of pocket, so companies need to ensure that the vendor’s insurance would cover its indemnification obligations in the event of a breach. Courts have reached different conclusions on whether commercial general liability insurance covers data breaches, depending on the manner of the breach and the policy language. Requiring specific cyber-insurance coverage in the vendor agreement is therefore highly recommended.

Top Issues to Address in Software as a Service Agreements

Software as a Service (SaaS) is an increasingly popular method of delivering services to businesses. According to Gartner, SaaS revenue is expected to grow 20.1% in 2017 to $46.3 billion, more than three percentage points faster than the growth Salesforce projects for the cloud market overall.

SaaS essentially refers to using software as the vehicle for delivering a service. The software is developed, owned and operated by the service provider and accessed by the customer through a website, mobile app or other client. Customers use SaaS for business processes such as sales, marketing, and storing and processing customer data. For example, Tableau visualizes data, Dropbox stores and synchronizes documents, and HubSpot centralizes content marketing.

There are several approaches to drafting SaaS agreements. Some attorneys treat a SaaS agreement as a service agreement at its core, while others treat it as a license agreement with service components. Either way, the risks arising from both the service parameters and the software license need to be addressed. While each SaaS agreement should be structured around the particular services, industry, customer and type of data handled by the provider, the main issues that every well-drafted SaaS agreement addresses include:

  1. The Service Level Agreement (SLA). The SLA defines the service provider’s guarantee of service availability (uptime) and the remedies for unavailability or errors in the service (downtime). Remedies typically include refunds, service credits, a promise to repair within a certain period, or a combination of these. The provider’s aim is to limit the remedy when the service becomes unavailable because of excessive use or other issues.

  2. Privacy, Data Management and Data Breach. When the customer’s sensitive data is stored and processed by the service provider, the agreement should include one or more clauses obliging the provider to keep the data secure and confidential in compliance with applicable law. It should also require the provider to return or destroy the data properly at the end of the engagement, and preserve the customer’s right to seek damages for a data breach or data loss. The usual clauses on confidentiality, representations and warranties, limitation of liability and indemnification therefore need to be reviewed through the lens of data loss and the damages that follow from it.

  3. The Software License. Customers need access to the software in order to use the provider’s services, so the SaaS agreement should specifically define the services being provided and limit the customer’s access to the software to use of those services. The license clause should also specify other restrictions, such as (a) the number of users (the customer’s whole organization, a specific number of users, specific personnel, etc.), (b) the ability to sublicense to agents or third parties (independent contractors, the customer’s own customers), (c) territory, (d) method of access (website, cloud, physical facilities), (e) non-exclusivity, and (f) restrictions on modifying or reverse engineering the software, introducing malware, etc.

  4. Term, Renewals and Payment Structure. Structuring the term of the SaaS agreement appropriately is crucial to its commercial viability. Many SaaS companies adopt an annual contract with the subscription fee due at the beginning of the term, automatic renewals, and no refunds for customers who terminate before the end of the term. Each of these can create legal issues.

Automatic renewals have been the subject of many lawsuits and Federal Trade Commission investigations. The Restore Online Shoppers’ Confidence Act (ROSCA), enacted in 2010, generally prohibits charging online consumers for goods or services through a “negative option feature,” under which the customer’s silence or failure to cancel is treated as acceptance of the offer, unless the material terms are clearly disclosed and the consumer gives express informed consent. It is therefore important to obtain express consent before renewing a subscription and to display the automatic renewal notice prominently before charging the customer. Sending a renewal notice 30 to 60 days in advance goes a long way toward proving consent. Similarly, a no-refund policy should be spelled out in the SaaS agreement and displayed prominently when the annual fee is paid, to avoid later disputes.

TOP FIVE PRIVACY PRACTICES TO ADOPT BASED ON FTC’S SETTLEMENT WITH UBER

On May 12, 2014, an intruder accessed sensitive personal information belonging to over 100,000 Uber drivers, including names, driver’s license numbers, Social Security numbers and bank account information. Uber did not detect the breach until September 2014 and did not notify the affected drivers until February 2015.

While Uber’s privacy policy stated that it implemented reasonable security measures to protect the personal information of riders and drivers, the Federal Trade Commission’s (FTC) complaint and investigation showed that Uber needed to take serious precautionary measures to protect consumer information. The FTC’s recent settlement with Uber, which requires independent third-party privacy assessments for 20 years, highlights a number of guidelines that any organization collecting personal data can follow to reduce the risk of a data breach. Below are the top five privacy practices to adopt based on the settlement:

  1. Require multi-factor authentication for internal access to personal information

Before the complaint, Uber stored its data in Amazon S3, a scalable cloud object storage service. S3 organizes data into “buckets,” containers to which individual access controls can be applied. Uber, however, used a single access key with full administrative access to all of its data, so anyone who obtained that key had everything. Requiring a second authentication factor for internal access to personal information, together with per-person credentials scoped to the buckets each person actually needs, means that a stolen key or password alone is no longer enough for an intruder to reach confidential data.

  2. Closely monitor and audit employee access to consumer data

Similarly, the FTC’s complaint noted that all Uber employees could access all consumer data (through the single access key), regardless of their job functions, leaving Uber more exposed to breaches. Limiting employee access to data according to job function and need, and logging and reviewing that access, greatly improves security.

  3. Encrypt Personal Information

In both the complaint and the settlement, one of the biggest criticisms was that Uber stored all of the personal data in its S3 buckets in plaintext, so that once an intruder got into the data store the sensitive information of riders and drivers was immediately readable. One of the simplest fixes for Uber, and for any company storing sensitive data, is to encrypt personal information at rest as it is written to storage, adding another layer of protection for customers. That layer only helps if the decryption keys are held separately from the storage credentials; if the same credential that reads the bucket can also decrypt its contents, an intruder holding it still gets everything.

  4. Implement and update internal privacy and security programs

A well-documented security program that identifies and addresses foreseeable risks, defines which employees are authorized to access which data, and specifies strict authentication mechanisms is important for managing the risk to the data in a company’s possession. Compliance with the program must be re-evaluated continuously as the company launches new products, adds employees, expands to new regions, reorganizes internal processes, or learns of new threats. Security training for employees is an important part of implementing the program; until the settlement, Uber employees received little or no training on protecting customer data and industry security practices.

Before the complaint, Uber had no strong documented policy and no monitoring or evaluation of its privacy practices. A major part of the settlement is therefore the requirement that Uber undergo regular third-party assessments to determine whether it has implemented effective safeguards for consumer data. Companies looking to learn from Uber should recognize the need for neutral evaluation and continual upkeep of their privacy program.

  5. Ensure your Privacy Policy is accurate

Between July 13 and July 15, 2015, Uber published a privacy policy stating that it used “standard, industry wide security practices… for protecting your information.” This overstatement was part of a systemic gap between Uber’s statements and its practices. Uber should have examined its privacy policy closely to confirm that every statement in it was accurate and, where it was not, either corrected the statement or changed its practices to match.

Similarly, in the months before the settlement, Uber repeatedly overstated the scope of its privacy practices in trying to assure customers that their data was safe. Because Uber did not enforce the standards it claimed to follow, a large part of the settlement focuses on assessment and recordkeeping. Companies should align their public statements with their actual privacy practices, both to protect their customers and to stay on the right side of the FTC.
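The first three practices above translate directly into access controls on an S3 bucket. The Python below is an added example written for this post; it is not Uber’s code or anything taken from the FTC order, and the bucket name, KMS key ARN and role names in it are assumptions. lint_policy() flags IAM or bucket policy statements that reproduce the single-key, full-access, no-MFA pattern the complaint describes, and hardened_bucket_policy() produces a bucket policy that refuses requests from sessions without MFA and refuses writes that are not encrypted with the expected KMS key.

```python
"""S3 guardrails for the failures the FTC described (practices 1 to 3 above).

Added example, not Uber's code or anything from the FTC order. The bucket
name, KMS key ARN and role names below are assumptions for illustration.
"""
from __future__ import annotations

import json


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return findings (strings) for Allow statements that are too broad."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        all_actions = any(a in ("*", "s3:*") for a in actions)
        all_buckets = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if all_actions and all_buckets:
            findings.append(f"Statement {i}: blanket administrative access (s3:* on every bucket)")
        # Condition looks like {"Operator": {"key": value, ...}, ...}; gather the keys.
        condition_keys = [k for block in stmt.get("Condition", {}).values() for k in block]
        if "aws:MultiFactorAuthPresent" not in condition_keys:
            findings.append(f"Statement {i}: Allow with no MFA condition")
    return findings


def hardened_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy: no MFA, no access; no SSE-KMS with the expected key, no write."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Practice 1: deny every request whose session has no MFA.
                # BoolIfExists also catches long-term access keys, for which
                # the MFA key is absent from the request context entirely.
                "Sid": "DenyWithoutMFA",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
            {
                # Practice 3: reject writes that pick an encryption mode other than SSE-KMS.
                "Sid": "DenyNonKmsWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {
                # Practice 3: reject writes encrypted under any key but the expected one.
                # Kept as a separate statement: keys inside one Condition block are ANDed.
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {
                    "StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}
                },
            },
        ],
    }


# Constructed sample: the pattern the complaint describes.
SINGLE_ADMIN_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed sample (practice 2): a payroll role that can only read its own
# prefix of the assumed driver-records bucket, and only from an MFA session.
PAYROLL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-driver-records/payroll/*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("single-admin-key", SINGLE_ADMIN_KEY_POLICY),
                      ("payroll-role", PAYROLL_ROLE_POLICY)):
        print(name, lint_policy(pol) or ["clean"])
    # Assumed key ARN; apply the result with s3.put_bucket_policy() when ready.
    print(json.dumps(hardened_bucket_policy(
        "example-driver-records",
        "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"), indent=2))
```

The Deny statements apply no matter what an IAM policy grants, so a leaked key that cannot present MFA gets nothing from the bucket. Two caveats: the MFA deny as written also blocks workloads running under instance or task roles, so in practice scope it to human principals with an aws:PrincipalArn condition and give services their own narrowly scoped roles; and turn on default bucket encryption as well, so that writes that omit the encryption header are still encrypted. Encryption at rest only adds a layer if the KMS key policy keeps decryption away from the credential that can read the bucket.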

Foreign Nationals Need Wills

It may come as a surprise to foreign nationals living in Washington State that they should consider preparing a will and other estate planning documents here in the United States. This is especially important for anyone who has a bank account, home or brokerage account here, and above all for those whose children are living with them in this country. You may ask, “I have a will in my home country. Why would I need one here?” You might not need a new one, but you need to have that will with you. Washington generally recognizes a “foreign” will (one created in another state or country) if that will is valid in the home state or country. If you have a foreign will, keep it with you while you are in Washington. If you have no will at all and plan to spend some time in Washington State, consider preparing one while here.

Probate in Washington State

Probate:
•is the process of gathering the assets and paying the debts of a person who has died, under court supervision;
•includes the court’s determination of the validity of that person’s last will and testament, or the court’s determination that no will exists.

For a foreign national who dies owning Washington personal property of a certain value, or real property located in Washington State, opening a probate estate in Washington usually is necessary to distribute that property to the proper heirs or beneficiaries. Additionally, if the foreign national dies while in Washington, the person’s home country may require that probate (the legal process to establish the validity of a will and to appoint someone to manage a dead person’s estate) be initiated in Washington because that is where he or she most recently lived.

Benefits of Having a Proper Will

If you are a foreign national in Washington for more than a few weeks, having a will while here (whether drafted here or in your home country) makes it more likely that your wishes will be known and carried out if you were to die here. For assets such as institutional financial accounts, properly designated beneficiaries usually will be recognized. However, if no beneficiary is named, or the named beneficiary is no longer living, the asset probably would pass to the person’s estate, at which point the financial institution may require that probate be opened before the beneficiaries or heirs can access the money.

A valid and properly drafted will:
•May make distribution of your assets easier and faster;
•Helps to ensure that your wishes are known, and respected;
•May protect your minor children from being in the care of strangers;
•Generally allows the probate process to be easier and less costly

It is particularly important for a foreign national staying in Washington State with minor children to have a will. If that person dies without a will designating a guardian for the children, and the children have no relatives in Washington, they might end up in foster care after the parent’s death, at least temporarily, until the court appoints a legal guardian. If, on the other hand, an easily located will designates a guardian (with the nominated guardian’s correct contact information), the guardian can be contacted more quickly and the children may endure a little less trauma.

Other Estate Planning Documents

In addition, foreign nationals are encouraged to have several other estate planning documents while in Washington State.

•Durable Power of Attorney

A durable power of attorney names an individual or professional fiduciary to make decisions and have the powers outlined in the document for actions on behalf of the document’s creator. If no durable power of attorney addressing healthcare for an incapacitated individual exists, health care organizations generally turn to the next of kin, such as a spouse, children, parents or siblings, to make critical decisions for that individual. A power of attorney is often springing, meaning that it becomes effective only after the person who created it is unable to make his or her own decisions, as determined by one or more doctors.
•Health Care Directive
A health care directive outlines a person’s wishes for health care provisions when he or she is unable to make his or her own decisions. It allows individuals to decide ahead of time on the nutrition, hydration, pain medications and other interventions they would want at the end of life if they are unable to answer those questions for themselves.

Bottom line? Foreign nationals living in the State of Washington should have valid, properly drafted estate planning documents that will be recognized in Washington. This is especially important if they have minor children.

Strategic Philanthropy – Why? From Guest Blogger: Heather Tuininga – 10|10 Strategies

As I continue to have the privilege of walking alongside families and companies in their journeys of generosity, I find myself asking this question: why do I think “strategic philanthropy” is so important?  Is it because I like to be intentional about things in life and so I want to do my giving that way too?  Is it because I think giving with a vision or passion is better than giving just because it’s good for the cause and for me?  Is it because I believe we only make a difference if we give strategically?

All of these possibilities are partially true, but a deeper analysis of the costs and benefits of strategic philanthropy are in order.  To understand what I mean, we’ll pose strategic philanthropy against what I call “random charity” and see how things shake out.

Strategic Philanthropy vs. Random Charity

Definition
Strategic philanthropy: Deciding/knowing what you’re passionate about and investing in organizations that are doing good work in those areas.
Random charity: Giving to anything that passes by, whether or not you care about the cause or know if the organization is effective.

Example
Strategic philanthropy: Giving $5,000/year to three organizations that fight breast cancer because your sister fought that battle and lost, and you don’t want your daughter’s generation to face death as the only option if they get breast cancer.
Random charity: Sending $10 to every appeal you get in the mail, from the Salvation Army to the World Wildlife Fund to the local symphony.

Impact on the cause
Strategic philanthropy: A cause you care about gets furthered because you invested more heavily in it instead of spreading your funds around, and you’re more likely to see a return on your philanthropic investment.
Random charity: Many causes get a nice little donation (which might help them take another, more serious donor out to coffee), and you’ll probably never know what your funds were used for.

Impact on you
Strategic philanthropy: You get more joy because you know what your funds are being used for, and you have invested in something that makes your heart beat.
Random charity: You get some joy knowing that you got to support a lot of organizations, even if it was just a little bit.

Impact on your giving
Strategic philanthropy: When we have issues we care about and want to make a difference in, we often give more because we are more deeply engaged and interested.
Random charity: When we don’t have specific causes we care about or support, we often give less because we know they won’t really miss our $10 anyway.

Impact on the charitable sector
Strategic philanthropy: If all givers were strategic, the charitable sector would undergo a sorting out, and the organizations doing the best work would likely rise to the top and keep making a difference because donors are investing in good work.
Random charity: If all givers gave randomly, any organization that put together a glossy mailer would get funds, whether or not it does good work.

Impact on the world
Strategic philanthropy: If breast cancer research pays off because you and a bunch of other folks invested strategically, your daughter (and all of the young women in the world who come after her) may know how to avoid getting it, or, if she does get it, she won’t have to fear dying like her aunt did.
Random charity: If the art museum gets $10, the Boys & Girls Club gets $10, and the XYZ charity gets $10, the world might move a bit closer to bettering the lives of the people served by those organizations.

As you can see, my bias is toward strategic philanthropy, but both paths can produce beautiful generosity that changes the world in some way.

One last note: there is the possibility of being too strategic, which can result in not being able to meet a more immediate need because it falls outside your focus areas (i.e., a natural disaster in a part of the world that you don’t focus on).  However, that can be easily solved with some great tools that allow you to move the needle on what you care about all the while maintaining flexibility to give as needs move your heart when they arise.

If these thoughts resonate with you and you’d like to get more strategic about your personal or corporate giving, I’d love to hear from you.

Drop me a note at: heather@1010strategies.com