On June 4, 2015, four million current and former federal employees were informed that China-based hackers were suspected of gaining access to and compromising their personally identifiable information (PII) through a breach of government computer networks. The scale of the breach has led it to be described as one of the largest thefts of government data to date.

What actions have been taken since the attack?

Directly after the attack, the administration decided to expand the National Security Agency's surveillance of internet traffic, particularly with regard to international hackers. The FBI is investigating the attack and the threats it poses to the public and private sectors. The Office of Personnel Management (OPM) reported that affected federal employees will be notified and given access to credit reports, credit monitoring, identity theft insurance, and recovery services. The OPM collects and processes security clearance forms, which were among the records accessed in the breach, so the attackers may also hold the personal and professional references listed by the victims. Because of the breadth of the data OPM holds, the agency is telling individuals to monitor their accounts and report unusual activity.

On May 26, 2015, the Internal Revenue Service ("IRS") announced that criminals had illegally accessed prior-year tax return information for approximately 100,000 individuals through the IRS website. The criminals did so using the victims' social security numbers, birth dates, street addresses, and "out of wallet" data (e.g., a person's first car or high school mascot).

How was the personal information accessed?

Between February and May 2015, attackers made more than 200,000 attempts to access tax information through the IRS "Get Transcript" online application, which lets a taxpayer view information from prior returns. To get through its multi-step authentication process, the criminals supplied personal data harvested from earlier breaches; the weakness is that knowledge-based authentication treats facts such as a first car or a high school mascot as secrets even though they are widely available. Recent breaches at companies such as Target, Home Depot, JP Morgan Chase, Sony, and Anthem have made exactly this kind of personal information readily available to attackers, and identity thieves can often find the answers to security questions in social media accounts and people-search databases. The IRS issued roughly $50 million in refunds before it detected the criminal activity.
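The two signals that would have exposed the campaign above, a surge in daily authentication attempts and a single source cycling through many different taxpayers' identities, are easy to pull out of application logs. The script below is an added example written for this article, not the IRS's own system or logs: the log format, the hostnames and addresses, and the thresholds are all constructed assumptions.

```python
"""Flag knowledge-based-authentication abuse in constructed application logs.

Added example for the IRS "Get Transcript" discussion. The log line format,
sample data and thresholds below are assumptions made for illustration; they
are not taken from the IRS or from the article.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical log format: one line per KBA attempt. "id" stands in for a
# hashed taxpayer identifier; "src" is the client address.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ get_transcript "
    r"id=(?P<id>\S+) src=(?P<src>\S+) result=(?P<result>PASS|FAIL)$"
)


@dataclass(frozen=True)
class Event:
    day: str
    ident: str
    src: str
    passed: bool


def constructed_log() -> List[str]:
    """Build a constructed sample: a quiet baseline, then a scripted burst."""
    lines: List[str] = []
    n = 0
    # Baseline days: a handful of attempts, each from its own source.
    for day, count in [("2015-02-02", 3), ("2015-02-03", 2), ("2015-02-04", 3)]:
        for minute in range(count):
            n += 1
            lines.append(f"{day}T09:{minute:02d}:00Z get_transcript "
                         f"id=h{n:03d} src=203.0.113.{n} result=PASS")
    # Burst day: one source walks through twelve different identities, passing
    # about half of the time, which is what breach-data-driven KBA looks like.
    for i in range(12):
        result = "PASS" if i % 2 == 0 else "FAIL"
        lines.append(f"2015-03-10T02:{i:02d}:30Z get_transcript "
                     f"id=h{100 + i} src=192.0.2.77 result={result}")
    lines.append("2015-03-10T02:59:00Z malformed line that the parser must skip")
    return lines


def parse_log(lines: List[str]) -> List[Event]:
    """Parse well-formed lines into Events; silently skip anything else."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["day"], m["id"], m["src"], m["result"] == "PASS"))
    return events


def daily_counts(events: List[Event]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.day] += 1
    return dict(counts)


def burst_days(events: List[Event], factor: float = 3.0) -> List[str]:
    """Days whose attempt count exceeds `factor` times the median daily count."""
    counts = daily_counts(events)
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return sorted(day for day, c in counts.items() if c > factor * baseline)


def source_summary(events: List[Event]) -> Dict[str, Tuple[int, int, int]]:
    """Per source: (distinct identities tried, passes, fails)."""
    idents: Dict[str, set] = defaultdict(set)
    passes: Dict[str, int] = defaultdict(int)
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        idents[e.src].add(e.ident)
        if e.passed:
            passes[e.src] += 1
        else:
            fails[e.src] += 1
    return {s: (len(idents[s]), passes[s], fails[s]) for s in idents}


def identity_spraying_sources(events: List[Event], max_identities: int = 5) -> Dict[str, int]:
    """Sources that attempted more distinct identities than a person plausibly owns."""
    return {s: n for s, (n, _, _) in source_summary(events).items() if n > max_identities}


if __name__ == "__main__":
    evts = parse_log(constructed_log())
    print("burst days:", burst_days(evts))
    print("identity spraying:", identity_spraying_sources(evts))
```

A real deployment would feed the same two checks from the application's authentication log and alert on either; a source that passes KBA for a dozen different taxpayers is a stronger signal than its failure rate, because breach data lets the attacker pass often.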

On March 25, 2015, the Securities and Exchange Commission ("SEC") adopted new rules to update and expand Regulation A. Regulation A+ will allow companies to raise funds through crowdfunding. The new rules were mandated by Title IV of the Jumpstart Our Business Startups (JOBS) Act.

What will the new rules do?

The update and expansion of Regulation A to Regulation A+ will allow smaller companies to sell up to $50 million of securities in a 12-month period. These exemptions, however, are subject to eligibility, disclosure, and reporting requirements. The new rules create a more effective way to raise capital while both attracting and protecting investors. Non-accredited investors will be allowed to invest annually up to ten percent of their income or net worth, whichever is greater. Before the new rules, only accredited investors could invest in startups through equity crowdfunding. The final rules are referred to as Regulation A+ and provide two tiers of offerings based on the amount of securities offered over a 12-month period. Both tiers are subject to the same basic requirements and eligibility limits, but they differ in their registration and qualification requirements.

The modern business model is shifting towards cloud computing and Software-as-a-Service ("SaaS") agreements. This trend allows customers to treat licensing costs as operating expenses paid over time. SaaS also lets the vendor roll out bug fixes and license updates to all customers at once. With the shift to cloud computing, developers no longer need to operate their own platform to run their application. However, confusion exists about the differences between software licensing and SaaS agreements.

What is the difference between software licensing and SaaS?

In a software-licensing model, the software company delivers a program as an electronic download or on physical media such as a CD-ROM. The customer must then download, install, and run the software on its own hardware before one or more users can use it. The license often comes with services such as training, maintenance, and technical support. In the SaaS model, by contrast, the company does not deliver a product at all; it makes the product accessible through "the cloud," which acts as the hosting platform. One or more users can still access the product, but only through the cloud service. Separate service contracts are typically not offered, because support is expected to be part of the hosting platform's service and support experience. SaaS is therefore a service subscription, not a product the customer takes possession of.

Since October 2013, the Internet Corporation for Assigned Names and Numbers (ICANN) has been expanding the set of top-level domain names. The expansion has raised security concerns among Internet stakeholders. ICANN was previously responsible for managing 22 top-level domains, including ".com," ".gov," and others. With plans to roll out many more names rapidly, government entities, businesses, consumers, and internet users have identified a number of associated security concerns. To date, ICANN has delegated 322 new top-level domains (TLDs).

What are the resulting security threats?

Phishers and scammers have multiplied alongside the new TLDs, hijacking domains shortly after registration. Malware and phishing pages have been found hosted on domains registered under specific, popular new TLDs, shifting the risk onto users. An Internet ecosystem that has not prepared for the expansion is an ideal environment for this kind of abuse. Name collisions are also occurring: a newly delegated TLD can match a name that organizations have long used only on their internal networks and that previously failed to resolve in the global root, so those queries now resolve at the public TLD instead. The consequences range from delays and outages to data theft, since traffic intended for an internal host can end up at a server someone else controls, leaving consumer information exposed. Malware and cybersquatting have also been observed among the 35 most-trafficked new TLDs. Confusingly similar TLDs add to the problem: 36 have been permitted in both singular and plural form (e.g., .car/.cars, .work/.works), and 44 have close variants such as .finance/.financial and .engineer/.engineering, which makes look-alike domains easy to register.
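The practical check for the collision problem is to compare the rightmost label of every name in use on the internal network (from resolver logs, DHCP search suffixes, or configuration files) against the list of delegated TLDs. The script below is an added example, not part of the article or of any ICANN tooling: the TLD set is a constructed sample built from the TLDs named above, and the internal hostnames are hypothetical.

```python
"""Check internal hostnames against delegated new gTLDs for name collisions.

Added example for the name-collision discussion; not from the original
article. NEW_TLDS and INTERNAL_NAMES are constructed samples. The authoritative
delegated list is published by IANA at
https://data.iana.org/TLD/tlds-alpha-by-domain.txt
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the TLDs the article mentions plus their singular/plural
# and near-variant forms. Not the full delegated list.
NEW_TLDS: Set[str] = {
    "car", "cars", "work", "works",
    "finance", "financial", "engineer", "engineering",
}

# Constructed sample of internal hostnames as they might appear in
# resolver logs or a search-suffix list (hypothetical).
INTERNAL_NAMES: List[str] = [
    "fileserver.car",
    "build01.engineering",
    "intranet.local",
    "printer.corp.example.com",
    "SHARE.WORKS.",   # upper case and trailing root dot must be normalised
    "localhost",      # single label: nothing in TLD position
]


def normalise(name: str) -> str:
    """Lower-case a hostname and strip whitespace and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def rightmost_label(name: str) -> Optional[str]:
    """Return the label in TLD position, or None for a bare single label."""
    labels = normalise(name).split(".")
    if len(labels) < 2 or not labels[-1]:
        return None
    return labels[-1]


def find_collisions(names: List[str], tlds: Set[str]) -> Dict[str, str]:
    """Map each internal name whose rightmost label is a delegated TLD to that TLD.

    A name like fileserver.car used to fail in the public root. Once .car is
    delegated, a client that walks off the end of its internal search list
    sends the query, and whatever connection follows it, to the public .car.
    """
    hits: Dict[str, str] = {}
    for raw in names:
        tld = rightmost_label(raw)
        if tld is not None and tld in tlds:
            hits[normalise(raw)] = tld
    return hits


def _common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def confusable_pairs(tlds: Set[str], min_stem: int = 6) -> List[Tuple[str, str]]:
    """Heuristic for look-alike TLDs worth defensive registration or monitoring.

    Two TLDs are paired when one is a prefix of the other (.car/.cars,
    .engineer/.engineering) or they share a stem of at least `min_stem`
    characters (.finance/.financial). The stem length is an assumed tuning value.
    """
    pairs = set()
    for a in tlds:
        for b in tlds:
            if a == b:
                continue
            if b.startswith(a) or _common_prefix_len(a, b) >= min_stem:
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


if __name__ == "__main__":
    for name, tld in find_collisions(INTERNAL_NAMES, NEW_TLDS).items():
        print(f"collision: {name} -> delegated TLD .{tld}")
    print("confusable TLD pairs:", confusable_pairs(NEW_TLDS))
```

Run it with the full IANA list in place of NEW_TLDS and the names harvested from your own resolver logs; every hit is a name that should be moved under a domain you actually own before a collision turns into leaked traffic.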

Many startups, entrepreneurs, and business owners will consider registering a corporation instead of remaining a partnership or a limited liability company. To incorporate, an incorporator must file the company's articles of incorporation with the state of choice, which include information such as the company's official name. However, a California corporation does not keep its corporate status indefinitely unless it continues to meet all requirements. Non-compliance may lead to the corporation being suspended or forfeited.

What is a suspended corporation?

A suspended or forfeited corporation does not cease to exist as an association, but it loses all the rights and privileges of a corporation and cannot legally act as one while suspended. The Secretary of State's office and the Franchise Tax Board, which have the authority to suspend a corporation, use this power to sanction a company. Suspension occurs when the company fails to file its tax return under Revenue & Taxation Code § 23301, fails to pay taxes, or fails to file its "Statement by Domestic Nonprofit Corporation" or "Statement by Common Interest Association." The inconvenience of filing these documents or paying taxes is greatly outweighed by the consequences of not doing so.

In the past few months, more domestic and foreign regulations of digital currencies have been proposed. New York is at the forefront of establishing new Bitcoin regulations, with California not far behind. The updated BitLicense regulatory framework is expected to be released by the end of May and is likely to serve as a model for other states.

What are the New York and California Proposed Regulations?

Benjamin Lawsky, New York's first Superintendent of Financial Services, announced the parameters of the bill this year. Under the BitLicense bill, a business will need a license if it handles (i.e., stores or transfers) Bitcoin for customers, controls or issues digital currency, exchanges Bitcoin for other currency, or buys and sells digital currency to or from customers. Merchants that merely accept digital currency as payment will not need a license. Any licensed company will have to maintain a certain amount of capital, assessed using an assortment of factors. State officials say that feedback is still welcome and that the bill is a work in progress. The end goal is for the new regulations to protect consumers who use digital currency by establishing rules and guidelines.

In recent times, the non-consensual publishing of private images online has been a topic of debate among lawmakers. Since our last article on revenge porn, new laws have been passed and proposed that show state governments' increasing pushback against posters of revenge porn and those who facilitate them. More and more states are passing laws that address cyberstalking, cyberharassment, and similar offenses, and a wide array of people have been prosecuted for revenge porn as a result.

What is the new California law?

On October 1, 2013, Senate Bill 255 ("SB 255") took effect and was codified in California Penal Code § 647(j)(4). On January 1, 2015, an amendment to this section went into effect specifying that a defendant is liable if he or she should have known that the subject of the photo did not consent to its publication online. An amendment to California Civil Code § 1708.85 also came into effect recently, allowing victims of revenge porn to sue for civil damages. Revenge porn posters and hosts may now be held liable in California both criminally and civilly. In fact, a recent California case caused quite a stir when the operator of a website that allowed third-party posting of revenge porn was sentenced to 18 years in prison for identity theft and extortion. With the civil code amendment, civil suits should now be more readily available to victims.

The CAN-SPAM Act is the federal statute that largely preempts state anti-spam laws (state laws survive only to the extent they prohibit falsity or deception in commercial email). In response to the federal statute, California and many other states have passed anti-spam laws of their own. Do you have a new company that needs to market to a broader community? Will your company build an email list to reach out to new users, customers, or clients? Then you should be aware of the federal and state laws and the liability they can create.

What is the CAN-SPAM Act?

The CAN-SPAM Act focuses mostly on unsolicited commercial email. Its name stands for Controlling the Assault of Non-Solicited Pornography and Marketing. The federal law prohibits commercial email that is fraudulent or deceptive and requires every commercial email message to give recipients a way to opt out. Although the law targets companies that disguise the source or purpose of their email, the impetus for passing it was the growing cost borne by those receiving mass amounts of email, such as non-profit organizations, educational institutions, and other businesses with limited server capacity. However, the law "only provides a private cause of action to internet service providers that have been adversely affected by prohibited commercial e-mails, and does not extend a cause of action to the recipients of such e-mails." See Hypertouch, Inc. v. ValueClick, Inc., 192 Cal. App. 4th 805, 123 Cal. Rptr. 3d 8 (2011). It is therefore up to the states to determine whether individual recipients of spam can sue the companies or individuals who sent it.

There has been a surge of new laws and regulations passed by governments to impose security and privacy measures on companies storing information in the cloud. The surge is a response to recent security breaches and to the realization of how much information can be compromised. Information stored in the cloud ranges from personal data to confidential government intelligence. Although the most publicized breaches may involve celebrities' compromising photographs, many other breaches, of medical insurers and credit card accounts, have affected the public. It is only natural that new privacy and security laws are being drafted both internationally and domestically as the use of cloud computing expands.

What are some of the international laws?

In general, each country has been forming its own laws governing the privacy and security of information. For example, Australia, Canada, Japan, and Korea have comprehensive privacy regimes without onerous registration requirements. Organizations such as the Cloud Security Alliance (CSA) and the Information Technology & Innovation Foundation (ITIF) are also working toward a clear, widely accepted set of security procedures that would give companies a more consistent set of policies to follow when storing information. Until that exists, companies have to assess the laws and regulations of every country that may affect them and then choose the security and privacy measures that best protect them from liability.