Technology Related Technology Related Policies and Policies and

Procedures: Procedures: Employee Policies, Document Employee Policies, Document

Retention, Privacy and Intellectual Retention, Privacy and Intellectual Property PoliciesProperty Policies

Stephanie L. Chandler, Esq.Jackson Walker L.L.P.

5th Annual Advanced In-House Counsel Course

Stephanie L. ChandlerStephanie L. Chandler• Business Transactions

and Technology

University of Nebraska University of Nebraska B.S.B.A. in FinanceB.S.B.A. in Finance

University of VirginiaUniversity of VirginiaJuris DoctorateJuris Doctorate

Articles Editor, Virginia Journal of Law and Technology

Community Involvement Highlights: Chair – Jackson Walker’s Technology Section, Texas State Bar Association Business Law Section Committee on eCommerce, San Antonio Technology Accelerator Initiative Board Member

Technology Impacts All Technology Impacts All Aspects of Your Role as Aspects of Your Role as

General Counsel General Counsel • Employees -- monitoring employee activities; performance enhancement

• Marketing -- SPAM, protecting your brand• Litigation Avoidance/Litigation

Expense -- data leaks, document retention• Intellectual Property -- controlling

dissemination of trade secrets, infringement (BSA, cutting and pasting)

Employees Use of Employees Use of Technology Technology

• 76% of Employers monitor web activity (blogging, chat and message boards, porn/gambling sites)

• 55% of Employers retain and review email messages

• 36% of Employers track content/keystrokes/ time spent at keyboard

Source: 2005 Electronic Monitoring & Surveillance Survey by American Management Association and The ePolicy institute

Employer-Employee Employer-Employee PoliciesPolicies

• Adopting a Policy is Key• Employers, especially after notice, are

free to broadly monitor internet usage (Smith v. Pillsbury Co.; McLaren v. Microsoft)

• Employers may monitor phones (Solely for business purpose; employee consent can be based on company policies; Watkins v. L.M. Berry & Co.)

• Employers may record calls where they are on the call (so can employees…)

• Employers can implement GPS trackingSection I-A

New Development – CFAA New Development – CFAA to protect Trade Secretsto protect Trade Secrets

• Computer Fraud and Abuse ActComputer Fraud and Abuse Act - law passed by the United States Congress in 1986 intended to reduce "hacking" of computer systems

• Employers filing civil claims against employees in federal court; alternative to misappropriation of trade secrets

• Yonkers v. Celebrations the Party and Seasonal Superstore, 428 F.3d

504 (Nov 2005) – used against employees who set up a competing store, alleged that using data obtained before and after they left the company

• International Airport Centers v. Citrin, 440 F.3d 418 (March 2006) – employer used against former employee who allegedly stole trade secrets then wiped his company’s laptop clean

Marketing Through the Marketing Through the Internet: Internet:

Don’t Unintentionally Become a SPAMMERDon’t Unintentionally Become a SPAMMER• No false or materially misleading header information.• No misleading subject headings.• Must contain a clear return address or other Internet-

based mechanism that functions for opt-out• No more messages 10 business days after the recipient

submitted a request to unsubscribe.• No selling mailing lists including people who have opted

out• No use of automated address generation means or a

third party who collected the addresses with misleading automated means, i.e., notification that the address would not be distributed. * Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" (the “CAN-SPAM Act").

• No registering for multiple e-mail accounts to send prohibited commercial e-mail messages.

• No relaying or re-transmitting prohibited commercial e-mail messages.

• Do not fail to take reasonable steps to prevent or report the transmission of such messages.

• Marketing that Works: – clear and conspicuous identification that the message is an

advertisement or solicitation (unless the recipient has given prior express consent to receive such messages)

– clear and conspicuous notice of the opportunity to opt-out of receiving messages from the sender

– valid physical postal address of the sender

* Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003" (the “CAN-SPAM Act").

Marketing Through the Marketing Through the Internet:Internet:

Don’t Unintentionally Become a Don’t Unintentionally Become a SPAMMERSPAMMER

Types of Intellectual Types of Intellectual PropertyProperty• Patents -- gives the inventor the right to

exclude others from making the invention• Trade Secrets/Know How -- protection by

virtue of secrecy• Trademarks/Service Marks -- identifies a

unique source of goods or services• Copyrights -- protects from copying of original

works (music, books, software code)

Marketing Through the Marketing Through the InternetInternet

“Employees Who Cut and Paste”“Employees Who Cut and Paste”

Example: Ownership of Site Example: Ownership of Site ContentContent

Avoiding Copyright Avoiding Copyright InfringementInfringement

• Myth: Pictures and text on the Internet are available for use since they have been made available on the Web

• Example: Use of Source Code from Websites

• Special Cases:– The content of a database is not protected by

copyright (U.S.)– Open source development: Linux, Apache,

Tomcat web server, Eclipse IDE, JBoss Application Server, etc.

Acquiring Intellectual Acquiring Intellectual PropertyProperty

• Work for Hire Doctrine (Copyright)– Employee works – owned by employer– Independent Contractor work – more

difficult

• Recommendation: Include “Assignment Clause” and “Work for Hire Clause”

Software Usage Software Usage PoliciesPolicies• The BSA* and SIIA** are not your friends

– May 2006 – Losses from piracy - $34B– 35% of all copies of PC software installed worldwide in

2005 pirated– They want their money!!!

• Gartner: – 40 percent of all medium-to-large U.S. businesses will

face an external software audit by the end of 2006– less than 25 percent of public companies have mature

software asset management processes

• What to do: This is a Legal Matter, not an IT matter; Educate your C-levels

*BSA: Business Software Alliance (Membership Examples: Microsoft, Cisco, Symantec)

**SIIA: Software and Information Industry Association (Membership Examples: Adobe, Intuit, McAfee )

Software Usage Software Usage PoliciesPolicies

• Adopt a Software Usage Policy (see Appendix I) • Periodically audit internal compliance• Develop a Records System – all receipts indicating the

included software (even in hardware purchases)• In rare circumstances employee PC ownership may be an

answer

• Federal Rule of Evidence 408* governs the admissibility of the audit results – Have an Agreement prior to producing the audit materials

• Settlement:– Enter and inspect the company’s facilities/officers certification – Release based on officer’s certifications

* http://www.law.cornell.edu/rules/fre/ACRule408.htm

Document Retention Document Retention PoliciesPolicies• Why????

– Save valuable computer and physical storage space

– Reduces volume of stored documents and data– Avoiding spoliation claims

• In re Prudential Ins. Co. of Am. Sales Practices Litigation: Prudential had “no record of any written manual that would evidence that Prudential possesses a clear and unequivocal document preservation policy capable of retention by Prudential employees and available for easy reference.”

• Linnen v. A.H. Robins: The Defendant sent emails and voicemails to all of its employees advising them to save all relevant documents. The Defendant, however, failed to stop its back-up tapes from being recycled or taped-over. Jury instructed to assume smoking gun.

• Default or dismissal possible.– Lowering Litigation Costs – be sure your policies address

both Hard Copy and Electronic Files

Document Retention Document Retention PoliciesPolicies• Why????

– Removing “Smoking Guns” • Prior to Litigation:Prior to Litigation: Arthur Anderson LLP v. U.S.,

544 U.S. 696 (2005): that “under ordinary circumstances, it is not wrongful for a manager to instruct his employees to comply with a valid document retention policy, even though the policy, in part, is created to keep certain information from others, including the govt.”

• After Litigation Filed:After Litigation Filed: Zubulake v. UBS Warburg LLC: Counsel failed to warn its client to not delete or recycle back-up dates of technological data. The Court ordered the Defendant to bear the substantial cost of restoring the back-up tapes.

– Fines - $2.75M – Philip Morris USA

Document Retention Document Retention PoliciesPolicies• What Should be Included:

– Lewy v. Remington Arms Co. • whether the policy is reasonable considering

the facts and circumstances surrounding the relevant documents

• whether the destroyed documents are relevant to pending or probable lawsuits; and

• whether the policy was instituted in bad faith

• Consistency is the Key• Company wide – this is not just an

accounting or legal department issue

Document Retention Document Retention PoliciesPolicies• Review all applicable law [See Appendix V]

• Take into account statute of limitations• Clearly describe the class of documents to

which the policy will apply (i.e. drafts, finals; backup tapes)

• Specify the retention period for each class of documents

• Create procedures detailing how the program will be implemented and enforced

• Identify the staffer responsible for policing and maintaining the program; Train them

Document Retention Document Retention Policies: Policies: When Litigation ArisesWhen Litigation Arises

• Allow alternatives to, or even suspension of, document-destruction procedures when a duty to preserve arises

• The “Litigation Hold”– Prevent Your System from Automatically Deleting Data– Stop the Automatic Recycling of Backup Tapes– Stop the Automatic Recycling of Personal Computers

• Reissue the “Litigation Hold” – New Employees!• Identify Key Players/Employees – Special Notice• Consider Forensic Images of PC’s• Designate one IT person who will be your Companies

Federal Rule of Civil Procedure 30(b)(6) deposition witness (document preservation, chain of custody, etc.)

Appendix IV of Article:Appendix IV of Article:Document Retention Document Retention

PoliciesPoliciesMy example

ABA - form of Document Retention Policy available at http://www.abanet.org/lpm/lpt/ articles/sampledocretentionpolicy.pdf

Arthur Andersen Document Retention Policy

Privacy PoliciesPrivacy Policies

Review Posted Privacy Policies – Are they accurate?

Be aware of legal requirements (i.e. GLB, HIPAA, COPPA)

Ooops …. We had a leak June 2006 - Veterans Administration loss of 26.5 million

personal records of veterans lawsuit - seeks $1,000 in damages for each person, a payout that could reach $26.5 billion

Comply with state law requirements (Article – III.C.)

Privacy PoliciesPrivacy Policies

Limit the data you retain

Secure personal data (Consider: Mobile devices)

Train your employees (Consider: Background checks)

Train your vendors (Consider: NDA’s, policy intro)

Test your systems (Consider: Social Engineering)

Plan for breaches

Stephanie L. Chandler, Esq. Stephanie L. Chandler, Esq. Jackson Walker L.L.P.Jackson Walker L.L.P.

210.978.7704schandler@jw.com

112 E. Pecan Street, Suite 2400San Antonio, Texas 78205

www.jw.comSign up for eAlerts at http://www.jw.com/site/jsp/subscribe.jsp

Questions?Questions?