Rethinking the “Standard” Arbitration Clause in Cloud Agreements (Part II)

Cloud AgreementsPart I of this article included a little bit of history about how it came to be so common that modern technology agreements – including “cloud agreements” – often include a rather ubiquitous, sort of “standard” arbitration clause. The first article in this three-part series also put forth the question of whether some of the common assumptions about arbitration – namely, that arbitration is cheaper, faster and better than a traditional lawsuit – are true.

This middle article in the series aims to try to answer that question: Is arbitration truly “cheaper, faster or better?” A close examination of these common assumptions reveals that, while there are indeed some clear advantages to arbitration, some of the claimed advantages may be lost if parties simply agree to a “standard” arbitration clause, without giving the matter any considered thought on the front end of a transaction. This kind of inertia often leads to an arbitration proceeding that looks very much like a traditional lawsuit. The parties who agree to an arbitration provision without giving it any thought will find that arbitration is often just as expensive as a traditional lawsuit, that it may not be any faster, and that a “more rational result” does not necessarily work to every party’s advantage.


Rethinking the “Standard” Arbitration Clause in Cloud Agreements

Cloud TechnologyTwenty or so years ago, arbitration began to gain wide acceptance among lawyers as a viable alternative for the effective resolution of civil disputes.  Clients were beginning to view “alternative dispute resolution” (ADR) as the best hope for avoiding the expensive morass that litigation in court can sometimes be.  As a result, many trial lawyers began to jump on the bandwagon and tout their skills not only as trial lawyers, but also as experts in “all forms of dispute resolution.”  Certainly, very few lawyers ever attempted to talk their client out of inserting an arbitration clause into an agreement.  Indeed, many lawyers began to insert “standard” arbitration clauses into every agreement they drafted.  This is the first of a three-part article on why using a “standard” arbitration clause in all of your cloud agreements is not such a great idea.

Among many clients and lawyers, “ADR” – pretty soon after its advent – became almost synonymous with what is only one of its forms – arbitration.  Moreover, the “standard” arbitration clause has become more and more “plain vanilla” over the past twenty years.  As a result, ADR may have lost many of the attractive qualities that made it appear to so many two decades ago as a panacea.  The one advantage of ADR clauses in agreements is that they provide the opportunity for creativity and flexibility.  However, when drafting contracts these days, many lawyers and clients blindly insert into each new agreement the same arbitration clause they used in the last agreement.


Authenticating Purchases with Facial Recognition

Selfie PayFacial recognition technology has rapidly advanced in sophistication and accuracy over the years. Early use of the technology was focused on facial detection in security systems. Since 2014, the federal government has introduced facial recognition technology, along with collecting travelers’ fingerprints, in its U.S. Global Entry system in an effort to strengthen border security in major airports across the U.S. And perhaps the most widely known use of facial recognition technology today is the function of “tagging” in online social networks which allows users to identify friends in photos.

Recently, businesses have begun exploring facial recognition’s potential benefits for increasing the level of security in commercial transactions. Amazon recently proposed to implement a patented method (“Image Analysis for User Authentication”) for its customers to complete a transaction by performing an action in front of a camera, such as a smile or a wink to help confirm the person’s identity. Google has been testing its newly developed mobile payment app called “Hands Free,” which allows smartphone users to complete a transaction in the store without taking out their devices. Hands Free allows small businesses to confirm the identity of the shoppers at check out to complete the transaction by uploading a picture of them via an in-store camera that confirms their identity. Similarly, MasterCard is also planning to introduce a similar facial recognition technology called “Selfie Pay” in the U.S this summer.


Erin Andrews Jury Sends Hoteliers a $55 Million Dollar Reality Check

Erin Andrews Privacy Lawsuit“Privacy law” continues to evolve in the face of ever-advancing technology. Legislative bodies, administrative agencies, courts, tech companies, and a host of other interests are working to innovate, keep pace with, or catch up. Even the First Amendment, which has been interpreted by courts, lawyers, and scholars for hundreds of years, and, which stands as a counter-balance to the right of privacy, is being tested in new ways. But the recent trial involving Erin Andrews highlights that, sometimes, privacy issues are simple, and businesses need to implement common sense policies or face potentially costly outcomes.

A Nashville jury recently handed Ms. Andrews a $55 million verdict against a Nashville hotel franchise owned by West End Hotel Partners and operated by Windsor Capital Management. Michael David Barrett, a notorious stalker, modified a hotel peephole and filmed Ms. Andrew while she was changing, then uploaded the illegally recorded material onto the Internet. Mr. Barrett was ultimately captured by law enforcement; he pleaded guilty and was sentenced to 27 months in prison. In Ms. Andrews’s civil privacy case, she testified that she suffered severe emotional distress as a result of the incident. According to both sides, Barrett stalked and filmed at least 10 women in various hotels across the country. The jury in the Nashville case found that West End Hotel Partners and Windsor Capital Management were 49 percent to blame, and Barrett was 51 percent to blame.


Cyber Insurance: Make Sure You Understand Your Coverage

Cyber Insurance CoveragesToday, businesses are increasingly purchasing cyber-specific insurance in an effort to mitigate the financial impact of a breach or other cybercrime.  In terms of what might be covered in a cyber insurance policy, there are basically two types of coverage – “first party” coverage and “third-party” coverage.  First party coverage covers the types of losses that your company might suffer directly in the event of a data incident.  That may include losses, some of which may be covered and some not, such as data destruction, denial of service attacks, incident response, crisis management, public relations, forensic investigation, remediation, breach notifications, credit monitoring, data restoration, business interruption, lost intellectual property, theft and extortion, or damage to reputation. Third party coverage refers to coverage for claims that may be made by third parties against your company arising out of a data incident, such as data breach lawsuits, for example.

The cyber insurance market is set to triple, from 2014 annual sales of around $2.5 billion to $7.5 billion by 2020.  In some sense that news is not very surprising and the number not so high: news of large-scale hacking incidents involving the theft of millions of records seems alarmingly regular.  Given what is at stake for companies that possess and could lose large amounts of valuable data, buying insurance makes sense.  Cyber-related crime already costs the global economy $400 billion per year, and that number is expected to rise.

But key questions remain.  Are cyber risks covered by more general policies that are not cyber-specific?  If not, what should cyber insurance look like?  Looking at some recent cases involving the still nascent cyber insurance market is revealing.


The Internet of Things and the FTC – Don’t Be the Test Case

FTC and the Internet of ThingsKevin Ashton, an expert on digital innovation, stated 15 years ago that, “If we had computers that knew everything there was to know about things—using data they gathered without any help from us—we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best.”  We are a lot closer to that reality now than when Mr. Ashton first wrote those words.

As most people know by now, the Internet of Things is the ever-more-present future in which everyday objects like refrigerators and thermostats have network connectivity, allowing them to send and receive data to a source—whether you know it or not. Potentially helpful uses include things like smart meters that conserve energy in homes, saving natural resources as well as money for consumers. But not all uses are necessarily helpful. For example, what about health care insurance providers tracking measurable health information and making decisions on insurability based on such measures? And what happens if hackers take over networks where connected devices reside?


Apple’s DOJ Battle Scratches the Surface of Encryption Debate

Apple Data Encryption

By now you are likely aware of Apple’s ongoing battle with the Justice Department over the scope of the All Writs Act and its resistance of a federal court’s order compelling Apple to create special software that would unlock the iPhone used by Syed Rizwan Farook, one of the assailants in a mass shooting in San Bernardino, California. If you haven’t kept up with the story, an excellent walk through of where things stand may be found here.

Apple’s case is generating a great deal of public debate over the amount of privacy a person may come to expect when using their phone and the scope to which the government may intrude on that privacy. This debate, however, only scratches the surface of the ongoing encryption battle being waged in the United States.


Responsibility Shifting for Cyber Attacks?

cyberliabilityWhen a company’s protected data is compromised, potential litigants generally look to the company itself as the target for damages claims. The list of recent cases filed against the company suffering the data breach is long and, by now, familiar. In addition to potential damages claims, the breached company also must sustain the cost of remediation and attorneys’ fees, both in regard to its “first party” costs and with regard to third party claims. In very large breaches, it’s not uncommon for the company’s cost to far outstrip its insurance coverage, even if it has very good coverage. Historically, the breached entity has had nowhere else to look to try to further defray its costs.

This dynamic is potentially changing, however. In a recently filed case in the United States District Court for the District of Nevada, Affinity Gaming has brought suit against its previous cybersecurity consulting firm, Trustwave, alleging that Trustwave failed to contain a data breach Affinity hired Trustwave to remediate. Affinity alleges that, in 2014, it was the victim of a breach that compromised the sensitive financial information of more than 300,000 customers. Affinity hired Trustwave to investigate, diagnose, and remedy this data breach. Trustwave subsequently concluded its investigation, allegedly represented to Affinity that its data breach was contained, and purportedly provided recommendations to “fend off future attacks.”


The Case of the Monkey Selfie

copyright-lawscopyright-law2 Here’s the story: back in 2011, this monkey gets hold of a photographer’s camera (there are multiple versions of how the monkey actually got the camera, so we will just state the fact we do know for certain – it ended up with the camera) and starts snapping pics of itself. The owner of the camera, David Slater, claims a copyright in the resulting photos and demands that Wikipedia take them down. So, who owns the pic? The owner of the camera, or the photographer (regardless of species) who actually took the picture?

Copyright 101 – the creator of the work owns the work. Period. By definition, this means the owner of the camera, Slater, can’t own the photos because he didn’t take them himself. In the case of the monkey selfie, that seems absurd at first, but there are several analogous examples in the business context where this analysis makes perfect sense. The more challenging question, let’s call it Copyright 801, is does the monkey own the pictures? How would that work? That is a much more difficult question, but despite Slater’s argument that “the monkey was my little assistant,” it was ultimately resolved by the U.S. Copyright Office. The bottom line: an animal, it seems, can’t own a copyright. In fact, for clarity, only a work created by a human is subject to copyright. So, in the monkey selfie case, no one owns these photos out right, and therefore ‘the public domain’ owns them. It’s unfortunate for David Slater. The monkey probably couldn’t care less.


Bitcoin and the Changing Legal Landscape


If your business is contemplating doing something with digital currencies (meaning virtual currencies, like Bitcoin, Ripple, Ethereum, etc.), you need a plan. First, consider how and where your business will use digital currencies. Second, know what laws and regulations apply. Third, implement a compliance plan to ensure your business doesn’t run afoul of the law. Fourth, stick to your plan.

This fourth step can be difficult to follow, particularly if your business is a startup trying to quickly establish itself and gain a foothold in the fast-paced, evolving online marketplace. You may think implementing a compliance plan will cost you precious time. If you are an entrepreneurial firm, your business may be a moving target, constantly reinventing itself, in which case what you do today may not be what you do tomorrow. That makes planning and staying with a plan challenging. Regardless, take a cue from the privacy world.

Myriad enforcement actions and lawsuits have arisen against companies that collect personally identifiable information, not necessarily because they collect personal information, but because they don’t disclose what information they collect, or what they do with it, or because they say one thing, but do another. A dozen years ago, not many people paid much attention to this, so companies faced less scrutiny, and thus fewer impediments, in running their business. But that’s all changed. Cybersecurity and privacy are hot button issues, both commercially and politically. Because the spotlight is so bright, companies must be diligent and have a compliance plan to protect themselves against increased scrutiny.