Massachusetts Court Holds DTSA Does Not Apply to the Government

As we’ve discussed here before, there is tension and confusion at the intersection of trade secrets law and public contracting/public disclosure law. Contractors dealing with public entities need to be especially alert to the danger of their confidential and trade secret information entering the public domain. That danger was illustrated again by a recent case out of Massachusetts.

Although Massachusetts recently adopted the Uniform Trade Secrets Act, it did not do so in time to potentially protect the trade secrets of Fast Enterprises, LLC from disclosure. Instead, faced with a public records request from its competitors and the press seeking to have the Massachusetts Department of Transportation release Fast Enterprises’ bid proposal for replacement of a core computer system, Fast Enterprises instead sued in federal court under the Federal Defend Trade Secrets Act. Unfortunately for Fast Enterprises, the DTSA exempts “any otherwise lawful activity conducted by a governmental entity of . . . a State.” 18 U.S.C. s. 1833(a)(1). Although the federal district court initially enjoined the disclosure, the district court eventually reversed course, found it had no jurisdiction and dissolved the injunction. And while the district court was sympathetic to Fast Enterprises’ plight, ultimately its hands were tied: “Although the Court fully sympathizes with FAST and cannot help but wonder why the state would require disclosure of proprietary bid information given the impact that it could have on future bid solicitations, it is constrained by the applicable statutes. Ultimately, the federal statute does not provide for a cause of action in these circumstances, the issue must be resolved by the state courts or the state legislature.”

When dealing with the government, different rules apply, so make sure you know those before you submit your information. And if you don’t know what the rules are, we are here to help!

California Enacts First Law Regulating Internet Of Things Devices

California has enacted the nation’s first law regulating Internet of Things (IoT) devices, which was signed by Governor Jerry Brown on September 28, 2018. IoT refers to the rapidly-expanding world of internet-connected objects such as home security systems, video monitors, enterprise devices that track packages and vehicles, health monitors, connected cars, smart city devices that manage traffic congestion, and smart meters for utilities.

IoT devices promise to bring efficiencies to a broad range of industries and improve lives. But these devices also collect vast troves of information, and this raises data security and privacy concerns. In 2016, a distributed denial of service (DDoS) attack on the internet infrastructure company Dyn was powered by millions of hacked IoT devices such as web cameras and connected refrigerators. Hackers have used baby monitors to view inside homes, with a prominent recent example being the widely-deployed Mi-Cam baby monitor. If hackers are able to get into critical IoT systems in first responder networks, then there could be public safety risks.

The most obvious vulnerabilities with IoT devices used by consumers are easily-guessed default passwords and weak authentication. Consumers rarely change default passwords because they do not know how to or because the user interface is confusing or hard to access.  Continue Reading

Copyright Office Red Cards UEFA Trophy Application

Last month, the Copyright Office’s Review Board denied for the second time the application of the Union des associations européennes de Football (UEFA) for copyright registration in UEFA’s EURO Trophy. The Trophy is shown below:

According to the Board, the Trophy’s overall shape is no different than standard Greek amphora, and thus “as a whole, does not rise to the level of creativity required by the Copyright Act” and is only “a de minimis standard design based on classical and common works of art.”

Bet that makes the loser of the UEFA cup feel much better…

U. S. Supreme Court Will Decide What It Means to “Register” a Copyright

In this 2018-19 term, the United States Supreme Court will hear arguments on an issue that has long divided copyright attorneys and the courts that hear their cases. Under the Copyright Law, Section 411(a), a copyright owner may not bring an infringement lawsuit until the copyright owner has registered the copyright with the U.S. Copyright Office. In Fourth Estate Public Benefit Corporation v., LLC, the Court of Appeals for the 11th Circuit affirmed a lower court’s dismissal of a copyright infringement suit on grounds that the Copyright Office had not yet granted registration to the copyright in question, whose application was still pending.

This was consistent with the way in which both the 10th and 11th Circuits have treated this issue. However, the 5th and 9th Circuits have held for some years now that having filed an application to register one’s copyright is sufficient to enable the copyright owner to bring an action and a federal court to exercise subject-matter jurisdiction. The Supreme Court will resolve this circuit split during the new term, and copyright practitioners are already laying bets on how the court will rule. Meanwhile, the American Bar Association last month filed an Amicus brief with the Supreme Court that raises issues and eyebrows by urging affirmation of the “Application approach” adopted by the 5th and 9th Circuits. Continue Reading

And Away We Go…UK Information Commissioner’s Office Issues First Formal Notice Under the GDPR

Since the EU’s General Data Protection Regulation (GDPR) went into effect, we have been anxiously awaiting enforcement activities that would indicate regulator priorities. The waiting is over. It was recently reported that the UK Information Commissioner’s Office (ICO) issued an Enforcement Notice to AggregateIQ Data Services (AIQ) on July 6, 2018. Although the Enforcement Notice was issued in July, it only recently came to light.

AIQ is a Canadian analytics firm that was involved with political advertising during the Brexit vote in the UK. The ICO alleges that AIQ received personal data including names and email addresses of people in the UK from political organizations, including Vote Leave and others. AIQ used this personal data to target individuals with political advertising on social media without their knowledge or consent. AIQ also confirmed in writing to the ICO that a third party had unauthorized access to that personal data, which AIQ kept in a code repository. AIQ gathered this information before GDPR went into effect on May 25, 2018, but the ICO stated ongoing concerns that AIQ continued to possess and process personal data after that date. Continue Reading