by Mike Oliver | Dec 19, 2019 | Firm Matters
I received my license to practice law 30 years ago to the day. I thought I would do a retrospective mainly on how the profession has changed in 30 years as it mostly relates to technology, but also a bit about my own career. This is a long article; my thoughts on the present day legal profession are in the last section.
The beginning – 1987-89.
The legal profession was just starting to go a bit crazy in the late 80’s when I was in law school. I always attributed a part of this to the very popular TV show LA Law, which first appeared in 1986 (I had already started law school at this point). Some examples of what I mean – my “summer associate” class at Whiteford Taylor & Preston (1988) was the largest they had ever had (14), and the starting class of lawyers that year was also the largest they had ever had (I recall 18 lawyers started in 1988). When I received my offer for a start in 1989, my salary was X, but when I actually started, because there was so much competition for young lawyers and salaries had increased at other large firms and for the new starting class of lawyers, my actual starting salary was bumped $5,000 – a significant bump back then. Indeed, this was the era of large NY and DC firms constantly one-upping each other with what seemed then like crazy starting salaries (significantly more than mine).
At least for Whiteford, to my knowledge, this was the largest summer associate class and starting class to this day. Of course, within a year quite a few of the lawyers that started were gone, and only a handful of us from my summer associate class got offers or accepted them.
Side note – I have recently been shredding some of my really old papers – that I still had from back then for clients that followed me – my rate in the mid 90’s was $90 / hr, and that was a good rate – some partners that did insurance defense were billing at about the same range! (I worked in “Commercial Litigation” – where they could bill higher rates).
Technology – late 80’s and early 90’s.
Technology – one of the driving forces in every industry and profession, and surely for lawyers – was still in its Jurassic period in the early 90’s as compared to today. We had a Wang “dumb” terminal, but any real drafting was done either by our secretary or by the word processing department – a cubicle-dense area where staff typed out documents, agreements and pleadings that were hand carried to them. All deliveries of anything significant were by hand or courier – and while you could fax, it was somewhat unreliable, and could take forever if the document was long. Anything that came by fax, FedEx or courier was to be opened and reviewed immediately – it had to be important, because these were expensive methods of communication. We still wrote and sent letters – some lawyers felt they were art forms and spent an undue amount of time composing and editing them.
Law schools – most of them anyway – did not have specialized course tracks for intellectual property, but of course offered the main courses – patents, copyrights and trademarks. There was no commercial internet for most of my time at the big firm, which ended in 1995. However, it was obvious the internet would drastically change legal practice. Our firm started a technology committee – which I sort of chaired when it started, with a designated partner. I had advocated for early email adoption; however, it was not until clients started essentially saying they were requiring us to have it that we finally adopted it, and at the start only a select few lawyers were permitted to use it. A positive aspect of email in the early days – no concept of “spam” really existed. If you had an email account and received an email, it was almost assuredly work related (AOL email was internal to AOL and was only starting to expand to consumer use outside of AOL).
In this period, and really for many years to come, there was no way to work at home or remotely – so it was a 5 (or 6 or 7) day a week slog into the office. The side-benefit was that no one could send you an email at 7pm, and call you 1 minute later and expect you to have read the email and be ready to discuss it 😀.
Civility in the late 80’s and early 90’s?
As a law school graduate you are not really prepared to practice law – you need to learn how to practice from more experienced lawyers. I think lawyers who had 30 years of experience when I started would probably have said the profession was less civil in the early 90’s than when they were younger. I do know that how lawyers treated each other in some high profile litigation utterly shocked me as a young lawyer – the things they said in letters, and said and did in depositions – outside of the purview of the judges – it was eye opening. The lawyers I learned from at Whiteford did not engage in these practices – they were much more civil – but it was obvious that the legal profession was changing because clients more and more were demanding lawyers be “junkyard dogs” – and lawyers were giving them what they wanted. (this was an essential premise of the TV show LA Law after all . . . )
As competition for clients increased, more and more lawyers were doing things the client wanted – it definitely eroded civility in litigation. Judges made some efforts to stop it, but judges are a very limited resource – particularly in my case, as almost everything I did was in federal court. You could threaten to “take it to the judge,” but the reality is judges were too busy to micromanage petty lawyer infighting, and lawyers knew it.
Example: One particular instance I recall vividly. I was unable to get a lawyer to produce documents in a case in bankruptcy court – after incredible cordial efforts I was forced to file a motion to compel (I hated filing them . . . ). The judge scheduled a meeting in his chambers. We came in and he left us in his office and asked us to work it out. The other lawyer turned to me and said – he knew the judge would never enter the order and he would never produce the documents. Of course, I could never say what he said to the judge… This was one of a string of instances where it became apparent to me that litigation was more of a game than anything else.
Mid 90’s – technology firmly takes hold.
A short but meaningful recession occurred in 1990 to 1991. It had an impact on commercial real estate – some well established large Baltimore firms that were built primarily on real estate failed (e.g. Frank Bernstein). There was a lot of vacant office space and consumer spending was down. However, the internet was just about to be opened to full commercial use . . . and that triggered massive innovation and a major technology boom until the crash of 2001.
Transition to a new practice.
I left the large firm in 1995 and started at a 2 lawyer firm as the third lawyer. I had only been practicing 6 or so years. At this time I was almost exclusively doing patent or other intellectual property cases in federal court or occasionally in state court. But litigation was wearing more and more on me – I was never going to be a junkyard dog. I was more of the boy scout (though never actually one in real life) – always prepared. A partner I worked for at Whiteford referred to me as “triple check” – I always knew the facts and law cold. As we grew busier, we hired a new associate, and she came in one day and in not so many words said she wanted to take over the cases I was working on. I had already been transitioning to a corporate and transactional practice – this was my opportunity to leave litigation for good!
The rise of “internet law”.
At about the same time “internet law” was coming of age, so I decided to learn the technology side – I was already a programmer, so it was time to get back into learning the technical aspects of the internet. I taught myself all of the programming languages I could, and technologies – remember, these were the days of Netscape, cgi-bin, PERL – really rudimentary technology – javascript after all had not been created (it started in 1995). I taught seminars, read cases, published articles etc. and slowly built a practice. All the while, following technology as best as I could.
A great debate was started by Judge Easterbrook in his talk and article, Cyberspace and the Law of the Horse (http://www.law.upenn.edu/fac/pwagner/law619/f2001/week15/easterbrook.pdf ) to which a professor at Harvard (Lawrence Lessig) responded ( https://cyber.law.harvard.edu/works/lessig/finalhls.pdf). The debate pitted “old school” thinking – that all of the legal building blocks were there to learn internet law in their context – against the idea that there were such unique issues presented by this new technology that we needed new legal constructs – and to learn them as separate courses. In the end, the latter concept won out, at least at law school – as new courses on “Cyberspace law” began to be taught (including by yours truly).
But technology was accelerating way too fast – indeed, Congress could not even keep up, and had to address trademarks and domain names, defamation, free speech and many other issues – all as viewed through the lens of these new technologies. The USPTO could not even make up its mind, at first deeming any TLD as source identifying (e.g. while you could not get a trademark for GARDENING for a site that publishes information about gardening, you could get a trademark for GARDENING.COM as long as it was also used as a mark) – but later reversing that position, and requiring a disclaimer of the TLD portion of the mark. As a side note, this issue still plagues the courts, for example the hotels.com and booking.com cases that have been litigated even as recently as this year – some 25 years after the debate started!
Toward the present…
This article is already too long and likely no one will make it to this point (I forgot how long a 30 year career is) – but if you did make it to this point, here is a fast forward – technology law, so to speak, kept increasing in importance slowly from the mid 1990’s, survived a horrific market crash in 2001, and regrouped until 2007 – a watershed year in which three important things happened – the first iPhone launched, Facebook opened itself up to more than just college kids (this happened in late 2006) – ushering in the “social media era”, and the real estate market utterly crashed – wiping out a number of staid investment companies, hammering stock prices, and nearly killing the US auto industry.
The iPhone – a phone that could browse the internet and do many other so called smart things – was the “killer product” for sure – but it also needed some help from third parties to make the device more useful than just playing games and reading email – and that something was Facebook, which developed a site and later an app that worked for the iPhone.
The events of 2007 had and continue to have a lasting effect on the legal profession. Gone were the days that a client needed to call you, or mail a document, and physical deliveries of documents were clearly declining, and it was obvious this trend would only continue to accelerate.
Sidebar. Though not discussed above, patenting computer technology took off in the same time frame starting in 1998 with the State Street case which allowed a patent on a method of managing mutual funds – but that case’s impact was reduced in scope in the mid 2000’s and then essentially was rejected in the 2014 Alice Corp. decision. In that time frame a lot of innovation in technology generated by interest in (and profits derived from) the internet created a very fast moving legal landscape.
Present day (future of the profession?).
These days I still work on contracts, do mergers and acquisitions (buying and selling companies), review and revise licenses – with more focus on privacy and data security. I have probably worked on 500 million to 750 million in transaction value over the last 20 years – the vast majority in technology based businesses.
I wonder what a brand new lawyer practicing technology law today would think of how I practice compared to how they will? Is this generation going to be more civil to each other, or less (if politics is a weather vane, the prospect of more civility is very, very unlikely)? I also wonder if lawyers wanting to go into this area realize – this is a highly dynamic practice – I have to read updates on a daily basis – I track cases, technology, and now worldwide events – I have to learn US law and significant European and other laws in data security and privacy. I have spent over 2,000 hours in the last few years taking online courses on computer programming, data security, policy, privacy, hacking, defensive strategy – all to keep up. Because our federal government has done almost nothing on privacy, I have had to track multiple state laws and regulations and manage client expectations about legal compliance efforts. Even to this day there are not great systems that put all of this data in a form a human can manage easily (firehose), review, and find later.
Technology has made some things in the practice much better – we probably could not have started our firm but for the availability of VOIP, cloud email, cloud storage and so forth. At least, that technology made starting our firm much, much easier. But technology has significant drawbacks – clients now expect to handle conversations very fast and sometimes over the simple text message channel. Text messages are hard to store permanently, are more insecure, and compress what can be a complex issue into such a short message that issues are easily missed. Speed generally is a negative here – clients view their ability to go fast and be “agile” as a selling point – and so do some lawyers, but that can be to the detriment of the client in the long run.
I have really enjoyed my practice over the last 30 years and think that as technology matures, some kind of equilibrium between speed, comprehensiveness and quality will settle out, for everyone’s benefit.
by Mike Oliver | Nov 18, 2019 | Firm Matters
On November 12th, 2019, Oliver & Grimsley welcomed a new member to the trademark team – Associate Attorney Jennifer Mumm. Jennifer is coming to us after spending four years working at Stern & Eisenberg, PC. There, her focus was mainly on real estate law – supervising paralegals, corresponding with clients, and reviewing titles for properties.
As our firm grows, we hope to address our clients’ needs proactively. Jennifer will be assisting with reviewing and filing trademark applications, providing legal insight to clients, and taking the necessary actions to protect all clients’ intellectual property rights.
We extend a very warm welcome to Jennifer and look forward to working with her.
by Mike Oliver | Oct 15, 2019 | Data Privacy, Internet, Technology and Privacy Law, Privacy
The title says it all – what should smaller companies do to comply with privacy laws?
California has now finalized the California Consumer Privacy Act (CCPA), Cal. Civ. Code §§ 1798.100 to 1798.199 – well, at least for now (please note that this link does not have all of the law changes in it as of the posting of this article). It goes into effect 1/1/2020. Regulations under it will not be issued until December at the earliest and are likely to change over time. While it is a net gain for California consumers, it is a complex law with many incidental effects and traps for the unwary business. How does a small business deal with this mess? Before we address that, let’s discuss some background:
Why is CCPA important?
The CCPA is important because so many businesses do business with California consumers that California law is the “highest common denominator” – meaning, instead of trying to comply with disparate laws in 50 states, a business could target compliance with the most onerous law (typically California law in the pro-consumer sense), and then hope for the best that such compliance will also comply with other laws. This does not always work – for example, Illinois has a much harsher biometric security law than California, and New York has very detailed personal information protection laws and rules as well, particularly in the financial/banking sector. So, a slight modification of the above strategy is to target the “top 3” laws (i.e. California, Illinois and New York) and again hope for the best in other states. And finally, there is the modified “top 3” strategy of adding compliance with the General Data Protection Regulation of the EU (GDPR).
What many larger companies have done is simply target compliance with the GDPR worldwide, assuming it is the most onerous pro-privacy law. However, the CCPA has provisions that differ from, and add to, the GDPR; for example, the regulations on businesses that sell personal information, and that broker those sales, do not really have a direct counterpart under GDPR.
How does this affect small business?
Many small businesses may think they are not subject to these privacy laws because they do not “do business” in a particular state, or in the European Union. Those are interesting issues – whether a state can constitutionally make a remote business liable under a privacy law when it interacts solely electronically with a resident of that state, or whether the GDPR regulators can fine and enforce such fines against a small US business that has no offices, employees or other contacts in the EU. The practical problem, however, is that many small businesses will contract with larger businesses that are subject to those laws and regulators, and those contracts will require the small business to comply with those laws indirectly. This is particularly true in heavily regulated industries such as banking and health care, where regulators apparently force their member banks to impose liability on third party vendors.
In addition, when a small business goes to sell or merge, typically with a larger entity, that entity may apply these rules and regulations in analyzing the level of data risk it will have post transaction. If the small business has not thought about basic data privacy and data security, this can negatively impact the value of the business.
So, what should a small business do (and, what are the key provisions of CCPA)?
- First, do not ignore remote state laws like CCPA or the GDPR. Someone in the organization should be assigned the responsibility, and be given reasonable time, to make a true assessment of the data privacy and security risks of the company. Ideally that person would have a “C” designation (CIO, CTO, CPO etc) and be incentivized to diligently complete such tasks. The business should neither marginalize nor minimize such role.
- Second, do a data inventory – what data is the business collecting? Why? Does it really need it? Where is it collecting this data from? (the web, forms, manual entry, data harvesting/scraping, third party lists etc.) What agreements are there with those data sources (this includes terms of service)? Is this information personal information? What type of personal information? (i.e. is it sensitive personal information). Basically, this is a review of all inbound data flow . . .
- Third, determine where the collected data is being disclosed or shared? This can be the critical step – because if the information being collected is personal information, and particularly if it is sensitive information, this can have significant impacts if there is a data breach. Do adequate agreements cover that data exchange? Is the data encrypted? Should it be? Has any audit or review of the recipient been done to determine the adequacy of their data protection systems? Basically, this step involves tracing all outbound data flows, and determining the business need for the disclosure and the risk level such disclosure presents.
- Fourth, assess the computer systems used to capture, store, and transmit data, to determine weaknesses in security where a data breach can occur. Computer security is hard, period. It is way harder today when it’s not just your own computer security, but the security of every link in the data disclosure chain.
- Fifth, consider what tools to use to address risk. Do you throw technology at the issue, like better intrusion protection, detection systems, universal threat management devices, etc.? Do you hire experts, which may be costly? Both? Do you have proper agreements in place? Indemnity? Does the downstream recipient have insurance? Are you sure about that? Do you have insurance? Do contracts you have require insurance? Be especially careful with insurance – a good insurance broker will be up on all the various changes in insurance policies that claim to cover “cyber liability” (a generic term that is meaningless without specific context). You simply cannot determine what insurance you need if you have not performed steps 1-4 above.
- Sixth, engage in continuous review and management. Hackers are not static, they evolve – your systems must be maintained and modified to address new threats and issues, be updated and patched, and monitored for threats. See item 1 – it is why a dedicated C level person and/or team need to be in place to really address these issues.
The key provisions of CCPA as they relate to small businesses are below:
- It only applies to certain “businesses” – namely – a business that has annual gross revenues in excess of $25,000,000; or that alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or derives 50 percent or more of its annual revenues from selling consumers’ personal information.
- A consumer has a right to an accounting – essentially, a consumer can request that a business disclose to the consumer the categories and specific pieces of personal information the business has collected.
- A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer, subject to several exceptions.
- A consumer has the right to an accounting of personal information that has been transferred by the business to third parties, subject to several exceptions. These rights are enhanced if the business “sells” that personal information.
- A consumer has the right to terminate the sale of its personal information. It is important to note that the law does not force a business to offer a service to a consumer who makes such an opt out – in other words, a business can condition its service on the right to sell the information. However: (a) a business cannot sell personal information of consumers under 16 (if they know they are under 16) without express opt in, and for consumers under 13, the parent or guardian must opt in; and (b) a business cannot discriminate against a consumer who exercises any of their rights under the law.
- A business must provide two methods of contacting the business to exercise these rights – one of which is a toll free number, unless the business transacts business solely online and has a direct relationship to the consumer, in which case such online business need only provide an email address to send such requests. There are affirmative disclosure requirements for websites of businesses that are subject to the law. Businesses that sell personal information have additional affirmative disclosure requirements for their websites.
- A consumer whose personal information has been breached now has an affirmative damage remedy. Previously there was uncertainty in the law as to whether actual damage or harm would have to be shown to recover, or just the risk of future harm. In general the cases have held that actual harm is required, but vary in what they view as “actual harm.”
- Significant daily penalties can be assessed for non-compliance after a 30 day notice period.
The above is only a general overview. However, some of those rights, for example, the right to onward transfer accounting, the right to delete information, and the right to opt out, present not only legal compliance issues, but significant technical hurdles. For many small businesses, their systems were not designed this way, and/or they have so many disparate systems where data is duplicated that it might be hard or near impossible to comply. If a small business runs through the above checklist and gets a handle on the who, what, where, when and why questions, it will be easier to then assess the “how hard to comply” question.
For more information or assistance in data security and privacy law compliance, please contact Mike Oliver
by Mike Oliver | Jul 22, 2019 | Data Privacy, Privacy Law
Question: How do you cost your company £80,000 with one relatively small computer error?
(Short) Answer: You misconfigure an FTP (file transfer protocol) server . . . and forget and leave it running.
This was the lesson Life at Parliament View Limited recently learned when the Information Commissioner’s Office (https://ico.org.uk) fined it £80,000 for violating the 7th principle of the Data Protection Act 1998 (“DPA”). See https://ico.org.uk/media/action-weve-taken/mpns/2615396/mpn-life-at-parliament-view-limited-20190717.pdf. ICO could have fined it £500,000 (the maximum under that act) – but chose to only implement 16% of the maximum fine.
What happened? Life at Parliament needed to mass transfer personal data – though not particularly sensitive data (note 1) – to a data processor, and chose to use an FTP server. They intended to use a feature of this server to require a username and password, but the technicians misunderstood the server documentation from Microsoft, and ended up putting the server in Anonymous Authentication mode. In addition, “The FTP server was further misconfigured in that whilst approved data transfers were encrypted, personal data transmitted to non-approved parties was not. As such, transfers of personal data over FTP to non-approved parties had the potential to be compromised or intercepted in transit.” (Though not explained in the opinion, this was likely a fallback setting that allowed the server to transmit over a non-encrypted channel if the receiving party did not have a secure channel available.) The server was left in this condition for just shy of 2 years. Computer logs showed over 500,000 anonymous data requests. Eventually a hacker (well, really a person with ordinary computer skill who located the open FTP server) who had obtained the data began extorting Life at Parliament.
While the failure of basic computer security is plain in this case, it is noteworthy that ICO also found the following violations:
- Post configuration of the server, LPVL failed to monitor access logs, conduct penetration testing or implement any system to alert LPVL of downloads from the FTP server, which would have facilitated early detection and containment of the breach;
- Failure to provide staff with adequate and timely training, policies or guidance either in relation to setting up the FTP server, or information handling and security generally.
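Both of those findings (anonymous access that nobody noticed, and no alerting on downloads) are the kind of thing a routine pass over the server's own access log would have surfaced. The following is an added example, not code from the post or from the ICO decision: it scans constructed W3C-style FTP log lines (a column layout assumed to resemble what IIS FTP writes, including a session id column) and reports anonymous logins, downloads in sessions that never negotiated TLS, and per-address download counts above a threshold.

```python
"""Review FTP access logs for anonymous logins and cleartext downloads.

Added example for this post. Log layout is an assumption: whitespace-separated
W3C-style fields "date time c-ip cs-username cs-method cs-uri-stem sc-status x-session".
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the ICO decision). Session s1 is an approved,
# TLS-protected partner transfer; s2 is an anonymous cleartext session that pulls
# files; s3 is an anonymous login attempt that the server rejected.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-session
2018-03-01 09:12:01 203.0.113.7 - AUTH TLS 234 s1
2018-03-01 09:12:02 203.0.113.7 - USER transfer_partner 331 s1
2018-03-01 09:12:02 203.0.113.7 transfer_partner PASS *** 230 s1
2018-03-01 09:12:05 203.0.113.7 transfer_partner RETR /tenants/batch-01.csv 226 s1
2018-03-01 11:40:10 198.51.100.23 - USER anonymous 331 s2
2018-03-01 11:40:10 198.51.100.23 anonymous PASS *** 230 s2
2018-03-01 11:40:12 198.51.100.23 anonymous LIST / 226 s2
2018-03-01 11:40:20 198.51.100.23 anonymous RETR /tenants/batch-01.csv 226 s2
2018-03-01 11:41:02 198.51.100.23 anonymous RETR /landlords/passport-scan-17.jpg 226 s2
2018-03-02 02:03:44 192.0.2.99 - USER anonymous 331 s3
2018-03-02 02:03:44 192.0.2.99 anonymous PASS *** 530 s3
"""

FIELDS = ("date", "time", "ip", "user", "method", "arg", "status", "session")
ANONYMOUS_NAMES = {"anonymous", "ftp"}


@dataclass
class Session:
    ip: str
    user: str = "-"
    tls: bool = False        # client issued AUTH TLS/SSL on the control channel
    logged_in: bool = False  # PASS was answered with 230
    downloads: list = field(default_factory=list)  # paths of completed RETRs


def parse_line(line):
    """Return a dict for one log record, or None for directives, blanks and short lines.

    Paths containing spaces would need the real #Fields header and a smarter split.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def analyze(log_text):
    """Reconstruct sessions from the log and derive the three findings."""
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions.setdefault(rec["session"], Session(ip=rec["ip"]))
        method, arg, status = rec["method"].upper(), rec["arg"], rec["status"]
        if method == "AUTH" and arg.upper() in ("TLS", "SSL"):
            s.tls = True
        elif method == "USER":
            s.user = arg
        elif method == "PASS" and status == "230":
            s.logged_in = True
        elif method == "RETR" and status == "226":
            s.downloads.append(arg)

    anonymous = [sid for sid, s in sessions.items()
                 if s.logged_in and s.user.lower() in ANONYMOUS_NAMES]
    cleartext = [(sid, path) for sid, s in sessions.items()
                 if not s.tls for path in s.downloads]
    per_ip = defaultdict(int)
    for s in sessions.values():
        per_ip[s.ip] += len(s.downloads)
    return {"sessions": sessions, "anonymous_sessions": anonymous,
            "cleartext_downloads": cleartext, "downloads_per_ip": dict(per_ip)}


def build_alerts(findings, max_downloads_per_ip=1):
    """Turn findings into alert strings; the threshold is a tunable assumption."""
    alerts = []
    for sid in findings["anonymous_sessions"]:
        s = findings["sessions"][sid]
        alerts.append(f"anonymous login from {s.ip} (session {sid}), "
                      f"{len(s.downloads)} file(s) downloaded")
    for sid, path in findings["cleartext_downloads"]:
        alerts.append(f"cleartext download of {path} in session {sid}")
    for ip, count in findings["downloads_per_ip"].items():
        if count > max_downloads_per_ip:
            alerts.append(f"{ip} downloaded {count} files (threshold {max_downloads_per_ip})")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(analyze(SAMPLE_LOG)):
        print("ALERT:", alert)
```

Against a real export, adjust FIELDS to match the log's own #Fields header before trusting the results.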
ICO has been very active in the general data protection space and issuing fines, and this decision – while an easy one in light of the poor computer security practices – is telling because ICO found secondary violations in post implementation failures to detect and train.
The same tendency is happening in the US – the FTC and state Attorneys General are increasing their oversight of data protection, and several states (e.g. California’s CCPA) are enacting new data protection and data oversight requirements. While the FTC has had some wins (see a recent order against a car dealer software provider, no fine but a consent order, where unencrypted data was exposed for 10 days – https://www.ftc.gov/news-events/press-releases/2019/06/auto-dealer-software-provider-settles-ftc-data-security), and at least one major setback in its efforts against LabMD (http://media.ca11.uscourts.gov/opinions/pub/files/201616270.pdf), it is likely that the government regulators will start going after companies that have engaged in less egregious data security violations, but nevertheless have lax training or monitoring set up, and probably also pursue smaller businesses who may not have the resources to have a robust security system and training.
For more information on our data security and privacy practice contact Mike Oliver.
_______________________
(note 1): The data consisted of “The types of personal data potentially compromised included names, phone numbers, e-mail addresses, postal addresses (current and previous), dates of birth, income/salary, employer details (position, company, salary, payroll number start date, employer address & contact details), accountant’s details (name, email address & phone number). It also contained images of passports, bank statements, tax details, utility bills and driving licences of both tenants and landlords.”