Brexit Multiplies Uncertainty Over EU Privacy Regulations and Shield

US companies doing business in the EU face a May 25, 2018 deadline to comply with its General Data Protection Regulation [GDPR], a 200+ page law. It is so riddled with questions it requires a new European Data Protection Board [EDPB] to give answers, issue guidelines, and recommend best practices.

Those answers will be influenced by what is called the EU-US Privacy Shield now being angrily negotiated. And something called the Article 29 Working Party [A29WP] with members from each EU member state is supposed to issue important opinions on data protection.

Clear as crystal. And there is much more. The Irish Data Protection Commissioner, for example, may ask Ireland’s High Court to rule on whether standard EU contract clauses on data protection are valid. That could put the issue in front of the EU’s Court of Justice.

And then the UK voted to leave the EU. To the cascade of speculation underway about what happens next, you can now add an uncertainty multiplier about what rules and best practices you must follow in handling the personal and business data of European residents.

The one certainty in all this is that no one knows what will happen or when. The EDPB and A29WP may give clear direction, but it could come in waves instead of one comprehensive set of dos and don’ts. The UK could go it alone and adopt its own laws and regulations. Privacy Shield negotiations and court decisions could change all the above. And no matter what legislators do, technology will keep pointing to new ways to protect and new ways to compromise personal and business data.

So how do you get ready to comply with whatever may be coming? By focusing on guiding principles that must be served no matter how the legal chaos resolves.

Active consent. The GDPR wants you to get active consent to use customer, employee, or vendor data. Think of it as contracts versus implied contracts, clicking “I Agree” instead of relying on unread Terms of Use saying continued access to a website is conditioned on agreeing to the terms.

To implement active consent, you must first know all the kinds of personal and business data you are collecting or already possess. You must take inventory of your data.

Right to Be Forgotten. This is a startling idea for Americans whose use of information is shaped by the First Amendment. Our closest legal recognition of it may be the limited laws allowing expungement of juvenile or adult arrest or conviction records. The right is a recent development in European law largely driven by a desire to have the power to require information, photos, and videos deleted so search engines can’t find them.

Unlike the goal of privacy which is preventing information from becoming public, the right to be forgotten aims to eradicate forever information that is already public. It is a right to disappear into the crowd without a trace.

Exercising the right requires a request, but once you are asked there will be limited time to comply and sanctions for failing.

Your first task is to understand whether you currently can, and if not what is needed to, permanently delete the personal or business data you obtain. This is not business as usual for most companies, which have nothing beyond an unsubscribe capability for their mailing lists. The technical difficulties can be substantial.

Rapid Disclosure of Data Breaches. Indiana requires notification within 45 days after discovering a data breach. The GDPR will require notification to its Data Protection Authority in 72 hours, or 3 days.

No matter how the regulations develop, you must first understand your capabilities for identifying a data breach. If you don’t actively monitor your networks and the personal devices accessing them, start investigating what it will take.

Long Arm Jurisdiction. As Google learned many times, EU member states will exert jurisdiction over any business dealing in the personal or business information of an EU individual resident or company. The determination to exert legal authority over those outside the EU is unlikely to change no matter how the UK separation or further withdrawal votes go.

Lawyers have a way of telling people to do this and that as each new challenge comes along. But here the GDPR has value as a prod to do what’s needed for your organization now. The good thing about the self-knowledge to implement whatever final requirements are imposed by the EU is that it will help with what you’re facing from cyber threats in the next 24 hours.


Something Old Becomes Something New and Makes Copyright Royalties Disappear

The Old is pre-1972 recordings not covered by federal copyright law. The New is remastered versions of the Old played on broadcast radio. The disappearing royalties are the ones supposed to be paid by radio to copyright owners after Flo & Eddie’s state copyright law victories in California and New York.


With the recorded music industry preoccupied by the question “who owes me?”, another answer came from Los Angeles federal court on Memorial Day when Judge Percy Anderson ruled that CBS Radio owed nothing for its stations playing pre-1972 recordings because they were not pre-1972 recordings. ABS Entertainment, Inc. v. CBS Corporation, et al. CV 15-6257 PA (AGRx) May 30, 2016.


The Flo & Eddie litigation is on appeal while major recording companies walked away with $210 million from a settlement with SiriusXM over pre-1972 recordings as reported last year. The core question in those cases was: do state laws actually create enforceable rights to fill the vacuum left by the federal Copyright Act not covering sound recordings made before February 15, 1972? 17 USC §301(c).


CBS asked a different core question in the lawsuit decided Monday, the kind of question so often overlooked in copyright disputes that many commentators found it shocking: what recordings was CBS playing?


Aristotle shocked his colleagues in the world of ancient Greek philosophy in much the same way. He ended centuries of debate about how many teeth a horse has by saying in effect “let’s stop arguing and go look.”


When they looked in the ABS Entertainment case, they saw that CBS radio was broadcasting remastered versions of old records, not the original recordings. CBS claimed they were what the Copyright Act calls derivative works. And since the remastered versions were made after February 1972, CBS argued they came under the Copyright Act, which says radio can play the recordings without paying royalties to rights owners.


Judge Anderson told the parties to brief the question “whether a sound engineer’s remastering of a pre-1972 sound recording – through subjectively and artistically altering the work’s timbre, spatial imagery, sound balance, and loudness range, but otherwise leaving the work unedited – is entitled to federal copyright protection.” In other words, is the New a group of derivative works?


Both sides submitted expert testimony and the answer from the court last Monday was Yes, they are. To qualify as a derivative work under the Copyright Act, the differences between Old and New can’t be trivial mechanical changes and need to be enough for people to notice.

While any artist today knows the differences you hear can be huge depending on mastering, it’s also true people hear, or fail to hear, different things. So what impressed the court were results of forensic tests of timbre, spatial imagery, sound balance, and loudness range. The Old and New were very different.


The remastered recordings in the lawsuit by artists such as the Everly Brothers, Jackie Wilson and Mahalia Jackson were all authorized by the artists in license agreements permitting remastering. That’s important because the Copyright Act gives the owner of the original work the exclusive right to authorize a derivative work based on it.


So CBS won and ABS Entertainment will undoubtedly get in line for the Ninth Circuit appeals court to review the decision. Meanwhile, radio owners are breathing easier while record labels and artists have more cause to complain about the size of their share of the shrunken recorded music revenue pie.


Aristotle, however, would approve of the court looking at the horse’s mouth instead of having the lawyers debate how many teeth were there.



Making a Federal Case Out of Your Trade Secrets: DTSA Creates Federal Civil Action for Trade Secret Owners

Authored by Andrew McNeil

Want to make a federal case out of your trade secrets? It got easier to do just that after President Obama signed the Defend Trade Secrets Act of 2016 (“DTSA”) into law on May 11, 2016. Effective immediately, DTSA creates a federal civil action for the owner of a trade secret that “is related to a product or service used in, or intended for use in, interstate or foreign commerce.” In other words, if you have a trade secret, you probably have a trade secret protected by the DTSA.

In many ways, the DTSA is similar to the Uniform Trade Secrets Act (“UTSA”), which has been adopted or introduced for adoption in every state in the Union except for North Carolina. An early comer to the UTSA, Indiana passed it into law in 1982. The DTSA and the UTSA both provide for injunctive and monetary relief for the “misappropriation” of a “trade secret,” and both laws similarly define those and related concepts.

The DTSA adds some wrinkles, though, that are unique to it. While both state and federal law authorize courts to issue injunctions relating to the misappropriation of trade secrets, DTSA expressly authorizes a “seizure” process. Under this process, a party may ask the court, without a hearing, to direct the United States Marshals to seize the trade secret in issue and place it in the custody of the court while the parties litigate over the substantive claims. After ordering a seizure, the court is authorized to issue a wide array of orders, including ordering expedited proceedings, prohibiting any party (including the applicant) from accessing the trade secret, and requiring a bond in case the seizure turns out to be a mistake.

The DTSA also tackles the “inevitable disclosure” theory. Under that theory, plaintiff employers argue that their former employees cannot work for a competitor because the former employees are so imbued with the former employers’ trade secrets and would inevitably disclose those trade secrets in the course of working for a new employer. The DTSA expressly provides that any injunction prohibiting the actual or threatened misappropriation of a trade secret cannot prevent a person from entering into an employment relationship and that any conditions placed on such employment must be based on evidence of threatened misappropriation, not merely on the information the person knows.

Lest one assume that the DTSA is just for lawyers, all employers with trade secrets have some work to do, too. The DTSA contains a two-fold “immunity” provision for whistleblowers. First, the DTSA provides that an individual who discloses a trade secret in confidence to a federal, state, or local government official or to an attorney solely for the purpose of reporting or investigating a suspected violation of the law is immune from liability under the DTSA for that disclosure. Second, the DTSA authorizes an employee who files a lawsuit for retaliation by an employer for reporting a suspected violation of law to disclose the trade secret in those court proceedings without liability, provided the disclosure is made under seal.

Now comes the practical part for employers. The DTSA requires all employers, regardless of size, to provide employees notice of the immunity provisions of the DTSA “in any contract or agreement with an employee that governs the use of a trade secret or other confidential information.” The contract provision must also cross-reference the employer’s policy document “that sets forth the employer’s reporting policy for a suspected violation of law.” If an employer does not comply with this notice requirement, “the employer may not be awarded exemplary damages or attorney fees . . . against an employee to whom notice was not provided.”

As with many new federal laws, it is time to review your contracts and policy documents to ensure they comply with DTSA. It is also a good time to review all matters related to the development and preservation of the company’s intellectual property—patents, trademarks, copyrights and trade secrets. They often overlap or work together, and for the first time they are all covered by federal law.

If you have any questions on your contract and policy documents please contact your Bose McKinney & Evans LLP attorney.


Low-Cost Low-Tech Foolproof Cyber Defense: A Phone Call

The FBI warned again Monday about the dangers of “business email compromise.” A posting on its Phoenix bureau website says known losses from these scams exceeded $2.3 billion from October 2013 through February this year. The Bureau has documented cases involving 17,642 businesses of all sizes in 79 countries around the world. The average loss in Arizona was $25 to $75 thousand. My personal experience in Indiana has usually involved cases above the high end.

This post is about protecting your cash, but the same schemes are used to get information like Wall Street law firm files on pending transactions to use for insider trading. The scam is also called “spear phishing,” a more pointed and dangerous form of phishing.

The steps in the scam follow a simple pattern. First, the hackers get access to a personal email account and read your emails. Second, they set up an email account with an address so similar that people don’t notice the slight difference between it and your real account.

If I’m the target, they might open a “” account which looks like “” Try reading them at a glance in 8pt. Arial font on the From line.

Last, they email someone I correspond with who handles accounting at my firm. They have a good idea who that is because they invest the time to read my email traffic. The phony email says an amount of money must be transferred urgently to a person outside the firm I also correspond with, and gives wire transfer instructions. If questions are fired back, the hacker will give fast responses and stress the urgency of the transfer.

People believing they are doing their job authorize wire transfers to thieves every minute of the day because they think they know who is requesting the transfer and where it is going. The transfer is actually going to make three or more jumps to different financial institutions before heading to its ultimate destination. That could be in the United States or outside. If the money stays in the US, it will go to an account opened for the scam with false credentials, it will be withdrawn immediately, and the account abandoned.

You can and should train everyone in your organization on how to spot incoming scams. There are software solutions you may have in place to identify and hold suspicious emails until released. But people get tired or distracted and the software is only as good as the person deciding what emails to let through.

The one foolproof defense is a simple rule: always call the person requesting the transfer. You can already hear the conversation. “I’m calling about that wire transfer to Ms. Jones.” “What wire transfer?” And your funds will stay where they belong every time.
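One way to automate the lookalike-address check this post describes, as an added example that is not part of the original post. The addresses, the `.test` domains, the list of confusable characters and all function names are constructed for illustration.

```python
"""Flag mail whose sender nearly matches a known correspondent (constructed example)."""
import re

# Character swaps that are hard to see at a glance. Illustrative, not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Words that mark a message as a payment request worth holding.
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|urgent|urgently)\b", re.I)

# Constructed allow-list of real correspondents, stored lower-case.
KNOWN = {"pat.morgan@examplefirm.test", "ap@vendor-example.test"}


def skeleton(address):
    """Lower-case the address and fold visually similar sequences together."""
    s = address.strip().lower()
    for seen, folded in CONFUSABLES:
        s = s.replace(seen, folded)
    return s


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, or swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("mogran" for "morgan") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(sender, known, max_distance=2):
    """Return the known address the sender imitates, or None."""
    sender_l = sender.strip().lower()
    if sender_l in known:
        return None  # exact match with a real correspondent
    for real in sorted(known):
        if skeleton(sender_l) == skeleton(real):
            return real
        if edit_distance(sender_l, real) <= max_distance:
            return real
    return None


def triage(sender, body, known=KNOWN):
    """Decide what the mail gateway should do with one message."""
    imitated = lookalike_of(sender, known)
    if imitated and PAYMENT_TERMS.search(body):
        return ("hold", imitated)    # verify by phone before releasing
    if imitated:
        return ("review", imitated)  # near-match sender, no payment language
    return ("deliver", None)


if __name__ == "__main__":
    # Constructed sample messages: (From address, body text).
    samples = [
        ("pat.morgan@examplefirrn.test", "Please wire $48,000 today, this is urgent."),
        ("pat.mogran@examplefirm.test", "Are we still on for lunch Thursday?"),
        ("pat.morgan@examplefirm.test", "Agenda for Monday attached."),
        ("newsletter@unrelated-example.test", "Our spring update."),
    ]
    for sender, body in samples:
        print(sender, "->", triage(sender, body))
```

An exact match on the sender is not proof of authenticity, since the scam described here begins with access to the real mailbox, so a filter like this supplements the phone call rather than replacing it.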




Flo & Eddie’s California Dreams Still Alive

I’ve been writing since 2014 about the quest by Flo & Eddie, the former Turtles, to win copyright royalties under state law for their pre-1972 records which federal copyright law doesn’t protect. The latest chapter ended yesterday when Judge Gutierrez in California denied Sirius XM’s motion to stay Flo & Eddie’s certified class action there. Sirius wants the lawsuit frozen until the Ninth Circuit court of appeals decides Pandora’s appeal of Flo & Eddie’s victory against them.

Sirius asked for the stay last November arguing the Pandora appeal involved the same “class members, the same claims, the same law, and even the same pre-1972 recordings.” After Judge Gutierrez certified Flo & Eddie’s class action last year, however, Sirius was turned down by the Ninth Circuit in August on a request to review the certification.

An effort to get all the judges of the Ninth Circuit to review the class action certification failed in November. The Sirius stay motion denied yesterday was their next move. When a federal class action is certified, you’re off to the races of costly and time-consuming discovery.

Sirius emphasized all the judicial turbulence involving the questions of whether three states’ laws gave pre-1972 sound recording rights. They beat Flo & Eddie in Florida and that case is on appeal to the Eleventh Circuit. Sirius lost in New York, and that appeal to the Second Circuit has oral argument set for February 2. Sirius also cited nine Flo & Eddie copycat cases filed in California federal courts alone.

One of Sirius’ main arguments was that freezing the class action until a ruling possibly this year in the Pandora appeal would conserve judicial resources. Class actions can impose a great deal of work on a federal judge. A stay would also protect Sirius from the legal expense and disruption of the class action which could be a total loss if the Ninth Circuit rules in Pandora’s favor on the merits.

Flo & Eddie’s response early this month makes Sirius sound like an army using a ceasefire to quietly take back territory. They argued the stay request came from “SiriusXM’s desire for an unsupervised playing field upon which to continue its campaign of crippling the certified class by engaging in improper communications with class members and entering into piecemeal settlements outside of the purview of class counsel and the Court.”

Sirius wasn’t pleased, but its response doesn’t exactly deny they were talking to class members. They stressed there have been no improper communications and that record company licensors, apparently the people they’ve been talking to, are sophisticated businesses who know what they’re doing.

The court’s order yesterday says nothing beyond the stay motion is denied. The opportunity to conserve judicial resources wasn’t seized, but the court’s reasoning is a mystery. Sirius may try again for Ninth Circuit help while the Pandora case is pending.

But one event may have helped persuade the court to keep the class action moving ahead. Last June, Sirius filed a report with the Securities and Exchange Commission saying it was paying $210 million to the three major record companies and ABKCO Records to settle their me-too Flo & Eddie lawsuit against it and get pre-1972 song rights to their catalogs.

I wrote at the time the “SiriusXM deal may mean that Flo & Eddie won’t try to settle and instead go for a jury trial on the amount of damages their class members are entitled to.” That seems to be playing out. And it’s not the worst place for Flo & Eddie to be. They’re in the judicial district where a jury awarded Marvin Gaye’s heirs $7.3 million against Pharrell Williams and Robin Thicke for “Blurred Lines.”




NIST Releases Important Update on Cybersecurity for Industrial Control Systems

Updated link to NIST Guide to Industrial Control Systems

Most of us have heard the alarms about cyber threats and the vulnerabilities of US factories, electric utilities, the petroleum industry and other vital parts of our infrastructure. If you’re concerned or working on this issue, you may want to look at an update to the Guide to Industrial Control Systems [ICS] Security issued this afternoon by the Commerce Department’s National Institute of Standards and Technology.

The report makes an important distinction about cybersecurity when it comes to ICS. The biggest difference is what can happen. While our focus always must be on IT security, industrial control systems pose unique issues not faced in most IT environments. If responses to an ICS attack fail to address it in real-time and almost immediately, people can be injured or killed and the environment can suffer extreme harm.  

Most cybersecurity damage comes in the forms of loss of privacy or cash. We usually face complex tasks of analyzing what happened, what agencies and third parties must be notified, what protections to implement, and how to defend litigation. They are serious enough, but what can happen when ICS is attacked is another order of magnitude.

Industrial control systems last far longer than most IT. ICS often involves legacy systems that lack password protection and error logs and can’t be encrypted. They frequently are proprietary systems understood only by skilled specialists who work on particular industry control systems and nothing else.

One of the major additions in this update is a new ICS overlay for utilities, chemical companies, food manufacturers, and automakers. An executive overview introduces the full 247-page report titled NIST Special Publication 800-82 Revision 2. Public comment periods are set and feedback is requested.

Living in an era of constant threats, it makes sense to have someone invest time in this update at most organizations with substantial industrial control systems. As soon as the report was released I sent it to my son who is a chemical engineer and has worked on control systems at refineries around the world. He knows how fast and how bad things can get. If you read this far, you probably do too.




NIST Guide to Industrial Control Systems


Second Circuit Protects Artist Copyright Termination Rights by Reading the Contracts

Santa Claus is Comin’ to Town was written in the 1930’s and recordings of it are playing on radio stations and in stores and restaurants right now. I’ve written often about the complex sections of the Copyright Act that are supposed to allow artists and their heirs to regain the copyrights they signed away decades in the past.

In Baldwin v. EMI Feist Catalog, the Second Circuit this fall gave a lesson about the barriers thrown up in the music industry to stop termination rights from working as intended—and how federal courts can allow artists a chance to jump the barriers.

Fred Coots and Haven Gillespie signed their rights away to Leo Feist, Inc. in 1934 and the company promptly got a copyright registration for the song. Feist was one of the largest music publishing companies in the world at the time and MGM bought a controlling interest in it a year later. Control of the Feist catalog continued to change hands after that, and there were new contracts with the composers in 1951 and 1981.

The Baldwin decision traces the many attempts to give copyright termination notices under the two sections of the Copyright Act which have different rules depending on when the “grant” of rights was made. Note they don’t depend on when a song was written or recorded. What counts is the date of the contracts.

If an author grants or licenses rights before January 1, 1978, there is a 56 year waiting period before the author or her heirs can get the rights back through termination. 17 U.S.C. §304(c). But if the agreement being terminated was signed on or after January 1, 1978, the wait is only 35 years for termination. 17 U.S.C. §203(a). Yes, it’s counterintuitive.

Musical compositions and recordings still making money decades after their debut are not happily turned over to artists or their heirs by the publishing and recording companies who have been enjoying the lucrative longevity of the music. These are often companies with vast catalogs, deep pockets, and excellent lawyers. You can guess which side of the dispute thought the heirs should wait 56 years instead of 35 years.

Artists and their heirs rarely can match the resources they face, and they must be prepared to run a legal marathon. The Coots heirs lost at the district court but kept going. The Second Circuit reversed the district court and a year from now they will regain the rights their ancestor signed away.

The Second Circuit’s decision is forty pages long but not packed with citations to legal precedent. That is because most of the opinion is Judge Livingston’s painstaking analysis of what the 1951 and 1981 contracts actually say and mean under  New York state rules for contract interpretation.

Each copyright termination story has its own unique combination of events and agreements. Although the drafters of the 1976 Copyright Act who gave us the termination provisions presumably wanted to create simple and virtually automatic procedures, they did little to ensure that would be the reality starting decades after the Act became law. And the complexity of applying the knotty termination sections to a unique set of facts gives those opposing a termination of rights much raw material for creative arguments.

Lawyers are prone to focus on mastering the details of the Act and relying on the small body of legal precedents on copyright termination to argue that termination is or is not appropriate. They often generalize about how copyright law applies to a situation when the real question is what the operative contracts say and how the court should interpret them. It is surprising how often both sides in the dispute throw caselaw at each other when they should focus on a few words in an agreement. Congratulations to the Second Circuit for going past the generalizations and looking at the deals themselves.
