Data Breaches and Legal Risks

You’ve probably heard more and more stories in the news about information security breaches.  The latest high-profile breach of the retailer Target may have compromised information of 110 million consumers.  Neiman Marcus also reported a recent security breach.  With all of these breaches of major retailers in the news, you might wonder as a consumer whether your own accounts were affected.  Certainly, it is wise to watch your own credit card statements for signs of unauthorized transactions and to report any fraudulent purchases.

In addition, however, small and medium-sized businesses face their own data breach risk.  Hackers are not just targeting large businesses.  They also target small businesses, such as restaurants and other merchants.  Why?  Hackers see small businesses as easy targets.  Larger businesses are more sophisticated about their security practices and harder to attack.  Smaller businesses don’t have the security resources of larger businesses.

If a small business has a data breach, the breach may ruin the reputation of the business and scare away customers.  People are less likely to shop at a merchant that can’t protect customer information.  Ultimately, small businesses face many risks from data breaches.

One of those risks is legal liability.  Companies in California by law must notify consumers if they fall victim to a data breach affecting personal information of customers such as Social Security numbers, driver’s license numbers, and payment card information.  Failing to make the notification or delaying the notification may cause governmental investigations or customer lawsuits.  State and some federal laws also require companies to protect sensitive information in the first place.  Based on past history, I have to imagine that Target will spend over $100 million in responding to its recent breach, defending itself and paying settlements in the class action lawsuits filed against it.  Data breaches cost big dollars.

Securing your business’s sensitive information will reduce your legal and business risks.  How can you do that?  You should assess your information security risks, develop policies and procedures to secure sensitive information, and train your workers on data security.  Part of your preparation will include investigating which information security laws will apply to your business and what kinds of security safeguards are required.  The time to look into upgrading your information security practices is now.  Preparing today can help prevent data breaches and liabilities tomorrow.

Attorney Stephen Wu is a partner in the law firm of Cooke Kobrick & Wu LLP in
downtown Los Altos.  He can be reached at (650) 917-8045 or at swu@ckwlaw.com.

Why Have Written Contracts?

Let’s say that you are starting a new business.  Why should you have written agreements when you are providing your services or products?  In order to answer that question, it is important to understand what kinds of services or products you will be providing, the people and businesses you will interact with, the kinds of risks you face, and the applicable laws in your jurisdiction.  Sometimes, a written contract is not worth the trouble, such as when you go to the grocery.  You don’t sign a contract to pick up a carton of milk.  Nonetheless, for more serious transactions involving more money or more risk, it is helpful to have a written contract for your business.  This post covers three key reasons why it helps the business to have a written agreement for its customers.

Written contracts are useful, first, to set the expectations of the business and its customer.  What is the business promising to do?  What does the business want the customer to promise?  Most frequently, the business wants the customer to promise to pay the business.  There may be other customer obligations as well.  By plainly setting out the obligations of the parties, both the business and customer have clear expectations about what is to happen.

Second, a written contract helps the business to enforce its rights.  Sometimes businesses need to sue their customers, for example when customers fail to pay.  Even though the law will enforce oral contracts, a written contract is much easier to enforce.  A written contract helps the business to show that the customer had an obligation, for example to pay a defined amount.  Also, a written contract helps to deflect a customer’s claims that there was, in fact, no agreement, that the agreement was not definite enough to enforce, or that the agreement was not what the business says it was.  Oral agreement disputes often end up becoming “he said, she said” disputes in which the parties disagree about whether there was an agreement or, if they acknowledge the agreement, disagree about what they agreed to do.

Finally, a written contract allows the business to limit its potential liability.  Frequently, written agreements contain statements saying that the business will not be responsible for certain events.  For instance, Internet service agreements often say that they cannot guarantee that the Internet will always be up and available for use.  Also, written agreements often limit the kinds of damages a customer can recover or cap liability at a set amount, for example the amount of revenue the business received from the customer.  Limits of liability manage the business’s risk and help to ensure that for a relatively modest business transaction, the business does not face the prospect of paying the customer a huge damage award in a lawsuit.

It is important to give careful thought to what the business wants to say in its agreements based on what it is willing to promise, what it needs its customers to do, and how it can limit its liability.  Simply copying form agreements from the Internet or another business risks having the agreement not match the transaction, causing confusion, or failing to include key terms.  By thoughtfully developing a written agreement, your business can take an important step to managing its legal risk.

Why Have a Privacy Policy?

Privacy has been a hot legal issue for years, and the temperature is moving even higher.  Companies with websites and mobile applications are now targets for privacy compliance investigations.  Governmental enforcement actions and class action suits have become ever more common.  One common trigger is a data privacy or security breach.  Surprisingly, in 2013, another common trigger is the lack of a privacy policy.  Yes, there are some companies that create online services or Internet applications collecting personal information from consumers in 2013 and yet have no privacy policies.

California’s Online Privacy Protection Act (OPPA) of 2003 requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies.  “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual.  Accordingly, the definition of “personally identifiable information” is quite broad, and goes beyond the scope of the security breach notification laws in California and other states.  Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.

OPPA not only says that operators of online services must have privacy policies, it also says that these privacy policies must cover certain topics.  A privacy policy must identify the categories of information collected by the operator, the categories of others with whom the operator may share the information, any means for the consumer to review and request changes to the information, the process to notify consumers of changes to the policy, and the effective date of the policy.

None of these requirements is new.  They are standard fare for privacy policies.  For instance, the Federal Trade Commission has long published information about these topics in its guide to fair information practice principles.

In sum, online services that collect personally identifiable information from California consumers and have no privacy policy are violating OPPA and are risking lawsuits and governmental enforcement actions.  Even if a service has a privacy policy, if it is inaccurate, the service may be violating laws against unfair and deceptive trade practices.  Areas of greater risk include companies that collect certain kinds of information, such as geolocation information, without notifying the user first.  Also, companies that share information with third parties, but do not warn the user, are at risk.  The bottom line is that online services should review their privacy practices, write a privacy policy if they don’t already have one, update their privacy policies to match changes in law and their circumstances, and make sure their policies match their information practices.

Email Reminders for Corporate and LLC Statements of Information

One of the things our firm does for our clients is help them maintain their company documentation on an ongoing basis. One of the recurring tasks is to file Statements of Information with the Secretary of State after the first statement filed in connection with organization of the entity. Domestic stock corporations must file them annually. Limited liability companies must file them every other year.

Before a corporation or LLC must file a Statement of Information, the Secretary of State sends it a renewal notice. Under existing law, the Secretary sends the renewal notice to the mailing address of record. Last year, however, new legislation, AB 657, gave corporations and LLCs the option to receive renewal notices by electronic mail.

AB 657 says that corporations choosing to receive renewal notices and any other notifications from the Secretary by email instead of US mail must provide a valid email address for the corporation or its designee to receive those notices. After such an election, the Secretary will send renewal notices to the last email address of record with the Secretary.

AB 657 affords the same option to limited liability companies. Likewise, it also permits email renewal notices for foreign corporations, nonprofit public benefit corporations, nonprofit mutual benefit corporations, consumer cooperative corporations, and state credit unions. Renewal notices to these entities are also sent to the last email address of record.

Designating an email address may provide a convenience for some clients. Nonetheless, receiving renewals by email entails risk, since clients may frequently change domain names, email addresses, and personnel designated to receive emails. Accordingly, clients wishing to designate an email address may want to designate a role-based email alias for receiving renewal notices, rather than an individual’s email address.

Stephen S. Wu, JD

Starting Your Own Business – 5 Key Decisions

Our law firm helps numerous businesses incorporate or organize limited liability companies.  Many of our clients ask, as their first question, “What information do you need to start organizing our new business?”  In this article, I will lay out the top decisions you will need to make and the kinds of information I ask for when organizing a new business.  These decisions relate to the process of organizing the business from a legal perspective, and are in addition to the many business decisions the new business must make.  Most frequently, our firm sets up corporations and limited liability companies (LLCs) for our clients, and the terminology I use here applies to them, but the answers to these questions also apply to partnerships, including limited partnerships and limited liability partnerships.

First, new businesses need to decide who will participate in the new business.  Participants in the new business include owners and managers.  Owners own the equity in the company, either stock for a corporation or membership interests for an LLC.  Owners own the company, can sell their equity for profit, are entitled to profits from the company, and can vote their interests to choose the people managing the company.  Managers run the business.  For example, the shareholder owners of a corporation choose a board of directors to oversee the corporation, and the board chooses corporate officers to manage the corporation’s everyday management affairs.  LLCs can be managed by the owner members, or the members can choose a person or business to manage the LLC’s affairs.  Managers may be, but need not be, owners of the equity in the new business.  In any case, when you start a new business, you will need to decide who are the owners, and who will manage the business.

Second, new businesses need to know what roles the participants will play.  For a new corporation, at a minimum, the founders need to decide who will be on the board of directors, who will be the president, who will run the finances of the corporation as treasurer, and who will be in charge of the corporation’s records as secretary.  The business can also designate additional vice president roles.  It is possible to start a one-person corporation, with a single individual holding all these roles.  LLCs will need to decide whether the owner members will manage the LLC, or whether an outside manager will do so.

Third, new businesses need to decide how much money to put into the new business upon its organization.  There is no minimum amount or formula to answer this question.  Nonetheless, the failure to put in enough capital places the business at risk for failure, from a business perspective.  Undercapitalization also places the business at risk for creditors seeking to ignore the corporation and seeking to take the personal assets of the founders to pay the debts and liabilities of the business.  A key reason for having a corporation is to limit the liability of the owners and managers.  Thus, undercapitalization may defeat the purpose for organizing a corporation in the first place.  Accordingly, the business should have sufficient funds to cover its debts and liabilities for a sufficient period of time until they can be covered by the revenue of the corporation or further funding.

Fourth, new businesses need to decide how to divide ownership and control.  For instance, many businesses have equal owners, each having an equal share of the profits, and each having a single vote in management affairs.  Nonetheless, ownership and control need not be shared equally.  Sometimes, a founder contributing more to the business than others has a larger percentage of the equity than others.  Also, the percentage of ownership and voting rights may even be different from each other.

Finally, new businesses need to decide on a name for the business.  Choosing a name is a critical decision from a branding perspective and from a trademark law perspective.  See my other article about choosing a name for more guidance about this choice.

In sum, when our law firm organizes a business, we ask who will participate in a new business, what roles will they have, how much money will the founders put into the company, how will the participants divide ownership and control, and what will be the name of the new business.  We recommend that founders consider these questions when starting a new business, and if you are thinking of organizing a new business, the time to think about them is now.
