Published on:

In recent years, with lawyers and their clients calling for alternate methods of dispute resolution, the discovery of electronic documents has become more difficult to manage.  In fact, this dilemma is due to the expansive nature of technology and related software and hardware platforms.  As such, it has increased the costs and burdens of litigation.

What is Arbitration?

Arbitration came about as an alternative method to resolve litigation. It exists as a way to provide a way for the parties to resolve their disputes before trial. An arbitrator is granted the authority to ask for electronic data to be presented in a case. Although, arbitration is cost effective, however, flaws exist regarding the scope of electronically-stored information that may be discovered during litigation. Due to the large amount of electronically stored information, arbitral institutions like the International Institute for Conflict Prevention and Resolution (“IICPR”) have proposed guidelines for discovery.

What do the protocols entail?

The IICPR’s guidelines include four modes to narrow focus and regulate costs. First, “Mode A” provides the narrowest scope. For example, it does not allow for any prehearing disclosures. Second, “Mode B” requires that both sides yield electronic documents that are maintained in limited numbers. None of the documents can come from forensic methods (e.g., backup servers). Third, “Mode C” requires the parties to allow for forensically-obtained documents to be used over a longer period. Lastly, “Mode D” allows any electronic information relevant to the parties to be presented. Of course, the limitations of privilege and confidentiality (e.g., attorney-client privilege) are still applicable. Other protocols also exist in order to assign guidelines to arbitration. For example, the Protocol for E-Disclosure in Arbitration allows for party deliberation as soon as possible regarding the preservation or disclosure of electronic documents. The International Centre for Dispute Resolution has also provided guidelines for the information exchanged between arbitrators to remain within narrow focus. These guidelines also maintain cost effectiveness.

How is arbitration effective during eDiscovery?

It is important that arbitration agreements are drafted carefully. This way, unwanted complications may be avoided. The parties are required to preserve evidence, including, but not limited to, electronic information. This will allow the parties to prepare for litigation and clearly define the issues. In the context of electronic information, the parties must be aware of and preserve metadata, which in essence, is the data about data (e.g., the file’s author or creation date). It is also important that discovery disputes be resolved as early as possible. This can be done by consulting the American Arbitration Association’s Optional Rules for Emergency Measures of Protection. Once the arbitrator renders his/her decision, then the parties should actively seek to enforce the decision. Any noncompliance with the arbitrator’s decision may lead to sanctions. Also, arbitration carries the risk of unfavorable results due to its unpredictable nature.  When dealing with eDiscovery, arbitrators must narrow the scope of information in order to review the relevant evidence.

At our firm, we assist clients with legal issues related to electronic discovery and arbitration. You may contact us to set up an initial consultation.

Published on:

In recent times, the concern over the distribution of, and access to, users’ data on the web continues due to rising cyber activity. This has lead to an increase in Internet-related class action lawsuits.

What are the different types of class action categories?

One category of class actions relates to the use of internet cookies, which are utilized by websites and applications to obtain information about users’ activities.  These files are saved on a user’s hard drive, so the host server gains access to certain information (e.g., user’s identity and recent transactions). “Zombie cookies” have become a concern leading to class action lawsuits, as they cannot be deleted and lead to online surveillance of users.  Online advertising has also become a source of class action lawsuits, as third-party advertisers have teamed up with websites to use cookies without consent.  As a result, online behavioral advertising is created based on a user’s browsing history in order to create relevant advertisements, which may violate privacy policies.  Another category of class action is brought when a company website violates its own terms of service or privacy policies, sometimes leading to breached databases. The last category has to do with information contained on social media platforms.  As a general matter, user profiles on social media platforms (e.g., LinkedIn, Facebook) yield a large quantity of information.  These social media platforms create user profiles that are shared with third parties such as advertising firms.

What are some recent class action cases?

These cases typically occur when, often without the knowledge of the company or website, an unauthorized third party steals user information due to inadequately-secured servers.  In April of 2015, Max Schrems’ Europe vs. Facebook involved 25,000 users who claimed that Facebook had illegally collected user data, invalidated privacy policies, and had been keeping users’ likes and apps under surveillance for behavioral advertising purposes. Facebook has also been accused of taking part in the NSA’s Prism Surveillance Program. In May of 2015, Yahoo also faced a class action lawsuit in California.  Yahoo was accused of using email as a way to boost its revenue via advertising to its 275 million mail subscribers, violating California’s Invasion of Privacy Act.  In these cases, class action lawsuits were used to simplify the process of a group to receive larger damages at a lower cost.

What is the future of class action?

At this time, class action cases remain complicated, and time consuming, due to the vast networks and policies that exist in the cyber world.  Users should be cautious and monitor the information they provide online, as well as their security settings on third party and social media platforms.  The Federal Trade Commission insists that online platforms should designate a privacy staff in order to avoid future conflicts and liabilities when it comes to privacy violations. However, privacy policies remain complicated because personal information is also used to promote services for consumers.  With the largest companies in cyberspace constantly involved with class action privacy cases, it is difficult to determine the future of class action lawsuits.

At our law firm, we inform and protect clients regarding internet and cyberspace violations. You may contact us in order to setup an initial consultation

Published on:

During the course of history, the United States Constitution has been amended in order to achieve the best interests of the nation and citizens. However, technological advancements have posed as obstacles to the changes as internet and human rights have recently become issues.

What is the relation between the Internet and Human Rights?

As of now, approximately 40% of the world’s population has access to the Internet. Because of its extensive reach, the Internet has become a basic component of human life. It encompasses an individual’s freedom of expression, freedom of association, privacy, and other fundamental factors. Civil liberty and human right groups have expressed their concerns regarding the increase in government’s control and power. For example, on April 21, 2015, Senate Bill 1035 was introduced, which seeks to reauthorize Section 215 of the Patriot Act for five additional years. This means that there would be continued data collection and surveillance programs. As such, groups like Human Rights Watch have expressed their concern towards NSA’s violation of privacy rights.

Is expression via the Internet a human right?

Over a decade ago, the United Nations decided to take action towards universal access to information and communication systems leading to the WSIS Declaration of Principles to build a society around information and technology. However, the federal Constitution seeks to protect traditional mediums of expression (e.g., speech, assembly). With new outlets for expression (e.g., television, radio, web), the United States has faced continuous changes in regulation. With the rise of power within the private sector running parallel with online activity, human rights groups have begun to advocate encryption as a method to protect privacy. For example, super-intermediaries, like Google, hold much power comparable to the government and operate on a global scale. This is where tension between A2K (i.e., Access to Knowledge) and protecting the rights to use that knowledge as a freedom of expression arise. The lack of cooperation between A2K and human right efforts might be a catalyst in the ambiguity of online freedom and access.

Is restriction of information on intermediaries considered a violation of human rights?

Because communities have grasped the concept of power in the physical world, but not yet the technological world, it is difficult to assign legal responsibilities to such intermediaries that operate as government-like entities. A super intermediary, like YouTube, has the power to block or remove content, which raises the issue of whether corporations are subject to human right laws.  Although, western super intermediaries dominate cyberspace, they are still not state actors that are subject to all parts of human right laws.  In fact, the United Nations’ International Covenant on Civil and Political Rights does mention that the freedom of expression comes with certain responsibilities and restrictions.

The Global Network Initiative has attempted to create a formal framework of human rights intended for intermediaries in order to limit such problematic restrictions.  Nonetheless, international disagreements require a case-by-case analysis, as content censorship is still controversial.

At our law firm, we help inform clients regarding human rights protection on the web. You may contact us in order to setup an initial consultation.

Published on:

LastPass is a password management service that allows users to centralize all of their collective passwords under one master password. On June 15, 2015, LastPass announced that it was hacked and user data was compromised in the process.

What was stolen from the LastPass database?

LastPass officials released a statement following the attack proclaiming that the hackers did not steal master passwords, but instead gained access to authentication hashes and/or checksums. These are used in order to verify that the master password is correct upon trying to access an account. The attack also compromised cryptographic salts, password reminders, and user email addresses. Officials are confident that LastPass encryption measures ensure the protection of most users and their master passwords. However, it is also possible that fairly weak master passwords, or ones short in length, were also subject to the attack.

What danger does the hack pose?

Although, plain text versions of the master passwords were not obtained, there is fear that the attackers have all of the components to attack the master passwords at full force in the future. Since they have encoded versions of passwords, weak passwords are currently facing a higher risk. The hackers will also be able to use rented computer servers and powerful computing to figure out some of the stronger passwords. The hackers have access to password reminders, so with the help of public records, they might be able to decipher simple answers. This means that they could potentially gain access to bank accounts, social media accounts, records, files, and essentially much of the information that is meant to be protected by encryption.  In addition, back doors have been built into encrypted communications, increasing threats to common users. The accumulating threats have evoked strong reactions in cybersecurity experts and proposition has been made in order to protect consumers from impending threats.

What measures has LastPass taken since the attack?

Because the hackers did not reach the password vaults where encrypted data is stored on the company server, there is no need for users to change their passwords on individual online websites. However, master passwords should be changed and strengthened as a precautionary measure. LastPass has improved its rigorous hashing mechanism, increasing its authentication hash with “…a random salt and 10,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed on the client side. This…makes it difficult to attack the stolen hashes with any significant speed”, said Joe Siegrist in a statement released by the company. To prevent further attacks, LastPass is requiring all users attempting to log in from an unrecognized IP address or device to verify their account. This verification is done through email or text, unless multifactor authentication is enabled.

With end-user computers becoming increasingly easier to hack, it is difficult to pin down a safe database for the storage of personal data. The storage of many or all passwords in the cloud has been a long-time security concern. Vulnerability still exists in the storage environment of a database, such as LastPass, and vault contents are not yet completely safe.

At our law firm, we help inform clients regarding the rules and regulations which apply to cybercrime. You may contact us in order to setup an initial consultation.

Published on:

In general, harassing phone calls are distinguished from unwanted phone calls based on obscene or threatening language used to intimidate or scare the recipient. A phone call must hold malicious intentions in order to be classified as harassment punishable under California state laws.

What makes telephone calls a crime in California?

Under California Penal Code 653m, certain elements of a telephone call can lead to liability for criminal activity. The first element is the act of making a telephone call or electronic communication. This can be done via telephone, smartphone, computer, pager, or recorder, among other communication devices. This means that forms of electronic harassment could include text messages, phone calls, emails, faxes, picture messages, video messages, or voice recordings. A defendant can be accused of violating Penal Code 653m even if he/she was not the one to initiate the call. A violation may exist if he/she requested the electronic communication. The next element is the use of obscene language that is meant to threaten or injure the recipient, his/her family and/or property. This includes repeated calls or communication attempts, regardless of the content. The last element is the intent to harass or annoy a victim. There is no violation if the communication is made with the intention of legitimate business purposes, even though certain business calls might seem as nuisance.

What are the penalties for violation of Penal Code 653m?

Since harassing phone calls or communications are considered misdemeanors in California, a defendant is subject to certain penalties under state law. The maximum penalty is a fine of up to $1,000, up to six months in county jail, or both. The defendant might also be sentenced to misdemeanor probation, which incurs a sentence to receive and participate in a form of counseling. Often times, violation of Penal Code 653m occurs along with the violation of a restraining order, under California Penal Code 273.6, or can be classified under California Penal Code 646.9, which is stalking or cyberstalking. If a harassing phone call contains a collection of these offenses, the defendant will be charged for more than one offense with added convictions.

What are legal defenses against a violation of Penal Code 653m?

There are several legal defenses that can be brought against Penal Code 653m charges. The first is that the defendant did not have the intention of harassment. This would mean that defendant might have acted under mental incapacitation or business purposes without the intent to harass. The second defense is that the language or conduct cannot be classified as obscene.  Because of issues around violation of constitutional freedom of speech, obscene language has to be narrowed down to graphic or profane words. Other defenses could include pleading legal insanity of a defendant suffering from an emotional disorder/mental disability, or claiming that prosecution has fabricated harassment claims.

Though telephone companies offer privacy settings, unlawful call complaint centers, and blocking capabilities, it is difficult to tell when a communication is considered just an annoyance or a legitimate form of harassment.

At our law firm, we help inform clients regarding the laws and regulations that apply to telephone call harassment. You may contact us in order to setup an initial consultation.

Published on:

In general, computer crime is a term that covers a variety of crimes involving internet or computer use that may be prosecuted under state or federal laws. Because of the rise in computer crimes, California state laws include provisions that prohibit such crimes. In addition, other states have passed computer crime statutes in order to address this problem.

What is a computer crime?

An individual who accesses a computer, computer system or computer network and alters, destroys, or disrupts any of its parts is considered a perpetrator of computer crime. The charge is selected based upon the intention of unlawful access. Hacking is the breaking into a computer, computer system, or computer network with the purpose of modifying the existing settings under malicious intentions. Unlawful or unauthorized access means that there is trespassing, storing, retrieving, changing, or intercepting computer resources without consent. Viruses, or other contaminants, include, computer code that modify, damage, or destruct electronic information without the owner’s permission. This often disrupts the operations of a computer, computer system, or network. As such, Congress enacted the Computer Fraud and Abuse Act in order to regulate computer fraud and to expand laws against it.

Who handles internet crimes?

The Internet Crime Complaint Center (IC3) was formed as an intermediary between the Federal Bureau of Investigation (FBI), National White Collar Crime Center (NW3C), and Bureau of Justice Assistance (BJA).  In practical terms, IC3 intends to act as a unit that receives, develops, and refers criminal computer crime complaints to appropriate local, state, federal, or international law enforcement agencies. Once the complaint reaches the hands of the law enforcement agency, appropriate administrative, criminal, or civil action can be taken to resolve the complications. Further, the California Comprehensive Computer Data Access and Fraud Act was created to make cybercrime punishable in California. One of its main components is the ban on hacking.

What are the charges for computer crime?

California Penal Code § 502, expands the protection of individuals, businesses, and governmental agencies from tampering, interference, damages, and unauthorized access to lawfully created computer data and computer systems. As discussed above, hacking is classified as knowingly accessing and taking data from another computer, computer system, or computer network. Therefore, hacking may be prosecuted as a misdemeanor or a felony. In California, a computer crime is considered a misdemeanor for the first violation if it does not result in injury and the value of the used services does not exceed $950. A misdemeanor is punishable by a fine up to $5,000 and up to one year in county jail. If the value of the computer service used exceeds $950, the crime is charged as a felony with a fine up to $10,000 and up to 3 years in county jail.

At our law firm, we help inform clients regarding the laws and regulations that apply to cybercrime. You may contact us in order to setup an initial consultation.

Published on:

On June 1, 2015, the Supreme Court of the United States ruled in favor of Anthony Elonis in Elonis v. United States, regarding free speech limitations as implemented via social media platforms. This ruling was the first time the Supreme Court raised implications of free speech related to social media.

Under what circumstances was Elonis indicted?

Anthony Elonis was convicted on four separate counts for postings on social media, specifically Facebook. The federal statute he was convicted under, 18 U.S.C. § 875(c), states as follows: “Whoever transmits…any communication containing…any threat to injure the person of another, shall be fined under this title or imprisoned not more than five years, or both.” Elonis sparked concern after posting graphic threats involving the rape and murder of his ex-wife, detonation of bombs in the presence of law enforcement, and shooting up an elementary school, all under an alias. Elonis did not dispute that the statements were posted, but declared that they were merely expressions of his frustration. He claimed that the trial court incorrectly instructed the jury on the standard of a “true threat” in which the expressions were interpreted as more serious under the context.

What does this case mean in the context of the First Amendment?

Elonis argued that a negligence standard, which regulates free speech, is contrary to the First Amendment. Although, the First Amendment protects freedom of speech, it does not include “true threats.” The government claimed that if a reasonable individual could regard his statements as threats, then they were unprotected by the First Amendment. This was justified by the rationale of law in most federal circuits that fear is intrinsically harmful. Further, society has an interest in protecting individuals from fear, which could be induced by frightening or threatening language, even if such language is unintentional. This objective standard goes further to say that as long as the statements are transmitted within interstate commerce, the statute must not have the “…intention to inflict bodily injury or take the life of an individual.” Statements made on the web, may be read by, or communicated to, an array of people that the speaker does not necessarily know to be present. This means that law enforcement personnel could monitor the communications and could become the recipients. Hence, online posts may lead to prosecution if the communication is interpreted as a threat, regardless of the target’s awareness of the post.

Why was this case heard by the Supreme Court?

Many activist groups saw the Third Circuit’s objective standard of “true threats” as a risk towards free speech itself. However, the high court was concerned that the subjective standard would encourage speakers to threaten others without bounds. The subjective standard makes it so that only a jury can consider a writer’s motive with no guaranteed acquittal. It is possible that the subjective standard would have prevented Elonis from being convicted for threat to an FBI agent, but declaration of such threats by an objective standard would likely violate the First Amendment. For this reason, the Supreme Court said that it was not enough to convict Elonis based only on the idea that a reasonable person would interpret his communications as a “threat.” However, the legal standard of conviction is still unclear, raising questions about what constitutes a subjective intent to threaten. With the rise in social media expressions, this case raises questions about individual online safety, both as a contributor or a reader of posts.

At our law firm, we assist clients with issues related to online speech and constitutional parameters. You may contact us to speak to an attorney about how your social media use is affected by this decision.

Published on:

On June 4, 2015, four million current and former federal employees were informed that China-based hackers were suspected of gaining access to and compromising their personally identifiable information (PII) via a breach of government computer networks. The scope of the attack has allowed it to be described as one of the largest governmental data thefts.

What actions have been taken since the attack?

Directly after the attack, the administration decided to expand the National Security Agency’s internet traffic surveillance, especially in regards to international hackers.  The FBI is currently investigating the attack by looking into the threats posed to the public and private sectors. The Office of Personnel Management (OPM) reported that federal employees will be appropriately notified and given access to credit reports, credit monitoring, identity theft insurance, and recovery services. The OPM is responsible for collecting and processing security clearance forms, which were accessed in the breach. It is possible that the hackers have access to the personal and professional references of the victims. Because of the breadth of the data held by the OPM, the agency is telling individuals to monitor and report unusual activities.

Why have the culprits not been prosecuted?

American officials claim that the hackers have links to the Chinese government, which complicates prosecution and leads to limited solutions. Officials speculate that the attack on federal employee records is part of a larger scheme to gain access to healthcare records and contractor information. Because cyberattacks conducted from other countries are even harder to track, there has been controversy over the speculated blame.  A spokesman for the Chinese Embassy has dubbed the accusations irresponsible and has expressed that China’s laws prohibit cybercrimes. On April 1, 2015, President Obama, via an executive order, responded to another unidentified attack on computer networks with a sanctions program against foreign individuals.  Since then, there has been focus on new surveillance measures and building a stronger security infrastructure.

How does this affect the American public?

Concern for the cyberattacks is especially heightened because of the targeting of governmental data. The U.S. government is thought to possess state-of-the-art technologies for protection against cybersecurity attacks. With all of the expenditure towards cybersecurity, and the recent breaches, the average American is bound to feel a lack of trust.  In May 2011, the White House commissioned the International Strategy for Cyberspace report, stating that the United States has the right to “self defense that may be triggered by certain aggressive acts in cyberspace that is consistent with the United Nations Charter.” However, cyberspace remains a new arena and it is challenging to prosecute international cyberattackers. Although, current and former federal employees were the targets of the attack, the information obtained could lead access to other people’s information. The OPM will notify the victims, but it is difficult to trace them if the information leads to individuals who are not federal employees. As such, it may result in the rise of civil lawsuits related to cybersecurity and identity theft.

At our law firm, we assist clients in legal issues related to cybersecurity breaches and data protection. You may contact us in order to set up an initial consultation.

Published on:

On May 26, 2015, the Internal Revenue Service (“IRS”) announced that criminals illegally accessed data to retrieve the past tax returns of approximately 100,000 individuals through the IRS website. The criminals managed to use social security numbers, birth dates, street addresses, and “out of wallet” data (e.g., person’s first car, high school mascot.)

How was the personal information accessed?

During the months of February to May, attackers attempted to get access to tax information over 200,000 times through the IRS “Get Transcript” online application, which allows for viewing information from previous returns. The criminals managed to go through many steps of an authentication process to view these previous returns, exploiting data from breaches in the past. Recent breaches of companies like Target, Home Depot, JP Morgan Chase, Sony, and Anthem have allowed for personal information to be easily accessible to hackers. In addition, it is possible for identity thieves to get basic answers to security questions from individuals’ social media accounts and search databases. The IRS proceeded to send $50 million in refunds before detecting the criminal activity.

What makes the breach so dangerous?

In general, security and protection are crucial since every company counts on the IRS to protect its confidential information. The issue of privacy has been dealt with by state and federal courts. However, the guidelines are not uniform on every level. The recent breach has been traced to criminals from inside and outside of the country, attacking both private actors and business owners. So, jurisdictional issues will arise since the crimes were committed in a different nation. In addition, both courts and victims face the inevitable fact that the leaked data could be used for many years. So, the victims must protect themselves against current and future risks.

What efforts are being made to protect against breaches?

The breach may cause the White House to make efforts to increase the IRS’s budget. The budget has been cut 18% since 2010 to adjust for inflation. Many representatives think it is important for Congress to work with the IRS to ensure that taxpayers are offered free credit monitoring. In the past, keeping data breaches secret from consumers was a corporate strategy. Today, state regulators have begun to demand disclosure, which is why all but three states now have disclosure laws. There is new legislation pending in Congress, which includes HR 1770  a/k/a the Data Security and Breach Notification Act of 2015.  This legislation addresses consumer notification, but at the same time might weaken state-level laws. It brings into question what data privacy practices should be in place to prevent the breaches in the first place, and the appropriate penalties for breaches. With crossroads of commerce, access between nations, and difficulty of prioritizing data-protection concerns, consumers and businesses alike are at risk when it comes to protecting their confidential information.

At our law firm, we assist clients in legal issues related to cyber security, cyber attacks, and data breaches. You may contact us in order to setup an initial consultation.

Published on:

As of March 25, 2015, the Securities and Exchange Commission (“SEC”) adopted new rules to update and expand Regulation A. Regulation A+ will allow companies to gain access to funds through crowdfunding. These new rules are mandated by Title IV of the Jumpstart Our Business Startups (JOBS) Act.

What will the new rules do?

The update and expansion of Regulation A to Regulation A+ will allow smaller companies to sell up to $50 million of securities in a 12-month period.  These exemptions, however, are subject to eligibility, disclosure, and reporting requirements. The new rules have created a more effective way to raise capital while attracting and protecting investors. Non-accredited investors will be allowed to annually invest up to ten percent of their income or net worth, depending on which amount is greater. Before the new rules came out, only accredited investors were able to invest in startups through equity crowdfunding. The final rules are referred to as Regulation A+ and are provided in two tiers of offerings based on amount of security offerings over a 12-month period. Both are subject to the same basic requirements and eligibility limits, but differ in registration and qualification offerings.

What are the main differences between the Tier 1 and Tier 2?

Under Title IV of the JOBS Act, the offerings are as follows: Tier 1 consists of security offerings of up to $20 million over a 12-month period, with no more than $6 million of these offers coming from selling security holders that are affiliates of the issuer. Tier 2 consists of securities up to $50 million in a 12-month period, with no more than $15 million of these offers coming from selling security holders that are affiliates of the issuer. Up until $20 million of offerings, the issuer can choose to proceed under Tier 1 or Tier 2. These include, but are not limited to, review by SEC’s staff, permits, and eligibility limits. The companies that conduct their offerings under Tier 2 are subject to additional requirements. These requirements are to provide audited financial statements, file annual, semi-annual, and current event reports, and the placement of limitations on the amount of securities that non-accredited investors can purchase under this tier. In addition, within 5 years of the adoption of Regulation A+, there must be a report submitted to the SEC regarding impact of both Tiers on capital formation and investor protection.

How does the offering process work?

Issuers are required to file an offering statement on Form 1-A with the SEC using the EDGAR System. Form 1-A consists of Part I—Notification, Part II—Offering Circular, and Part III—Exhibits. Issuers can submit offering statements to be reviewed by the staff of the Division of Corporation Finance before filing any documents. This non-public submission must take place no later than 21 days before the qualification. In addition, both Tier 1 and Tier 2 issuers are required to file balance sheets and other financial statements from recent fiscal years. These statements must be in accordance with the Generally Accepted Accounting Procedures (GAAP).

At our law firm, we assist clients in legal issues related to crowdfunding, Regulation A+, and Tier I and Tier II offerings.  You may contact us in order to setup an initial consultation.