Friday, November 15, 2019

USDA Issues Interim Final Rule Establishing Domestic Hemp Production Program: Next Steps in South Carolina

On October 28, 2019, the Agricultural Marketing Service of the United States Department of  Agriculture (USDA) issued an Interim Final Rule for the Establishment of a Domestic Hemp Production Program as required by the Agricultural Improvement Act of 2018 (2018 Farm Bill).

The Interim Rule went into effect October 31, 2019 and is effective through November 1, 2021. The USDA is accepting comments on the Interim Final Rule until December 30, 2019. The South Carolina Department of Agriculture indicates that it plans to submit comments to the USDA no later than December 16, 2019. Following the comment period, the SCDA may submit a plan to the USDA for approval. The Interim Final Rule requires the USDA to approve or disapprove a plan submitted by the SCDA no later than 60 days after its submission.

For more on the 2018 Farm Bill’s provisions related to commercial hemp and the South Carolina Hemp Farming Act enacted following the 2018 Farm Bill, click here.

The Interim Final Rule and South Carolina

State plans submitted to the USDA for approval must contain certain provisions set out in the Interim Final Rule, including licensing requirements, maintaining information on land used for production, testing procedures to determine THC concentration levels, procedures for disposing of non-compliant plants, and compliance and violation procedures. For those States and Indian Tribes without approved plans, the USDA will establish a hemp regulation plan.

Licensing. The South Carolina Hemp Farming Act contains various licensing requirements, which will undoubtedly be incorporated into the plan submitted by the SCDA to the USDA.

Information on Land Used to Produce Hemp. The SCDA will have to collect and maintain (for at least three years) information on hemp production sites, including a legal description of land and its geospatial location (given that many rural areas lack specific addresses). Licensed hemp producers must report hemp crop acreage to the USDA Farm Service Agency (FSA).

Sampling and Testing of THC. Cannabis with a concentration of no more than 0.3% THC is considered hemp, and not marijuana (a Schedule 1 drug and controlled substance). The Interim Rule requires hemp samples to be collected within 15 days before the anticipated harvest for THC concentration testing. Testing must be conducted by a “DEA-registered laboratory using a reliable methodology for testing the THC level.”

Because there is some uncertainty inherent in all testing, the “acceptable hemp THC level” extends to cover the distribution or range of uncertainty. (If a test has a range of uncertainty of +/- 0.05, then a measured THC level of 0.34% for a sample would be considered hemp).

Disposal of Non-Compliant Plants. Material exceeding the “acceptable hemp THC level” is considered marijuana, and must be disposed of consistent with the Controlled Substances Act and DEA regulations.

Compliance Procedures: “Reasonable Efforts,” “Negligent Violations,” and “Intentionally, Knowingly, or with Recklessness”. The Interim Rule requires the South Carolina plan to address procedures to identify and correct negligent acts, which include failing to provide a legal description of hemp production land, failure to obtain a required license or authorization, and producing plants exceeding the acceptable THC level. More particularly:
  • if a producer uses reasonable efforts to grow hemp, yet produces plants that exceed the 0.3% THC threshold while having no more than 0.5% THC, then that producer does not commit a negligent violation;
  • a negligent violation requires a corrective action plan;
  • negligent violations are not subject to criminal enforcement action by local, Tribal, State, or Federal governmental authorities; and
  • intentional, knowing, or reckless acts must be reported immediately to the Attorney General and the chief law enforcement officer of the State or Tribe.
Because the production of cannabis exceeding the “acceptable hemp THC level” is considered a “negligent violation” under 7 CFR Section 990.6(b), and because 7 CFR Section 990.6(c)(3) specifies that a producer committing a “negligent violation” is not subject to any criminal enforcement action, the South Carolina Attorney General may be revisiting a June 10, 2019 Opinion on the SC Hemp Farming Act.


The SC plan to implement the 2018 Farm Bill and the Interim Final Rule presumably will provide a clearer framework for licensed hemp operations in South Carolina.

Friday, May 31, 2019

The SC Insurance Data Security Act: Ask Some Questions to Evaluate Your Security Program

The South Carolina Insurance Data Security Act (“Act”), fashioned after the NAIC Insurance Data Security Model Law (Model Law), went into effect on January 1, 2019. South Carolina was the first state in the nation to pass this legislation, and others (Ohio, Mississippi) have followed suit.

The Act requires that each South Carolina person licensed or authorized by the South Carolina Department of Insurance (DOI) (a “Licensee”) implement, no later than July 1, 2019, a “comprehensive written information security program” (“Program”) designed to protect nonpublic information (NPI) and the security of the Licensee’s information system.

In addition, the Act requires a Licensee to report to the Director of the DOI within 72 hours following an actual or potential “cybersecurity event.” S.C. Code Section 38-99-40(A) (Section 6(A) of the Model Act).

While South Carolina Licensees (hopefully) are well down the path to meeting the Act’s requirements, the following may be useful for insurance businesses in other jurisdictions who may face compliance with a version of the Model Law in the future. More broadly, the questions that the Act forces insurance businesses to answer are useful for any business seeking to implement, evaluate, or improve its information security program. 

1. Who is Responsible for Your Information Security Program?

The Act requires that each Licensee “designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the Licensee who is responsible for the information security program.” S.C. Code Section 38-99-20(C)(1) [Section 4(C)(1) of the Model Act].

More particularly, S.C. Code Section 38-99-40(B)(13) [Section 6(B)(13) of the Model Act] requires a Licensee, following a cybersecurity event, to provide the director of the DOI with “the name of a contact person who is both familiar with the cybersecurity event and authorized to act on behalf of the licensee.” 
Where Does the Security Buck Stop?

The Act, like many other statutory and regulatory provisions designed to protect sensitive information and information systems (for example the Gramm-Leach-Bliley Act Safeguards Rule and the New York State DFS Cybersecurity Requirements for Financial Services Companies) recognizes that no effective information security program happens without appropriate oversight and responsibility.

2. Are You Conducting Ongoing Risk Assessments?

In order to develop the Program required by the Act, a Licensee must first determine those information risks (threats) it faces, and then choose those measures it will implement in order to address those risks.

In fact, the Act explicitly anticipates that a Licensee’s Program will be “based on the licensee’s risk assessment.” S.C. Code Ann. Section 38-99-20(A) [Section 4(A) of the Model Act]. The Act goes further, setting out some of the things that an appropriate risk assessment will address, including:
  • Identifying internal and external threats (including those faced by third-party service providers) that could compromise NPI;
  • Determining how likely and how potentially damaging those threats may be, in view of how sensitive the NPI is;
  • Evaluating how well your policies, procedures, information systems, and other protections work in managing these threats;
  • Detecting, preventing, and responding to attacks, intrusions, and other system failures; and
  • Implementing safeguards identified in an ongoing risk assessment, and revisiting those safeguards at least annually.

The Act does not require that an independent party conduct a risk assessment, but consider whether an “in-house” evaluation could be robust enough to provide meaningful feedback, or withstand scrutiny by a regulator.  

3. What Nonpublic Information Do You Collect, Store, and Share?

The Act requires each Licensee create a Program for the “protection of” NPI. S.C. Code Section 38-99-20(A), [Model Act Section 4(B)]. Broad brush, the Act defines NPI as information that is not publicly available and that meets certain other characteristics. Of course, other applicable laws, and your own business interests may determine what your organization considers NPI or information worthy of protection.

If you do not know what NPI you store, where and how you store it, and who and what is responsible for protecting that NPI, then you cannot quickly or effectively respond when NPI goes missing or is compromised. More generally, you cannot make a plan to protect NPI unless and until you have answered these questions.

Have you created a written document that maps NPI and other sensitive information (visually and otherwise) by the places (servers, physical locations, etc.) where it is stored, inventories that information, identifies who is responsible for managing that information, and classifies the information based on how sensitive or important it is?

4. How Do You Protect NPI When You Store It and Share It?

When you store NPI or send NPI outside your business, do you employ encryption technologies to secure that NPI?

The Act mentions a number of potential security measures that Licensees should consider and implement as appropriate. In particular, the Act recommends, “protecting by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media.” S.C. Code Section 38-99-20(D)(2)(d), [Model Act Section 4(D)(2)(d)].

Notably, the Act excludes encrypted NPI from the definition of a “cybersecurity event” as long as the “encryption key” is not compromised. S.C. Code Section 38-99-10(3), [Model Act Section 3(D)].
Other regulatory frameworks provide similar “safe harbors” for properly encrypted NPI.

5. How Do You Limit Access to NPI?

The Act recognizes that one potential threat to the security of NPI arises not from outside hackers, but from inside an organization.

Accordingly, the Act suggests “placing access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information.” S.C. Code Section 38-99-20(D)(2)(a), [Model Act Section 4(D)(2)(a)].

Access controls ensure the principle of least privilege — meaning an employee only has access to that information necessary for her to perform her job. Giving all employees access to NPI outside of their normal job function can create a potential cybersecurity event.

6. With Whom Are You Sharing NPI?

The Act requires a Licensee to “exercise due diligence” selecting any third-party service provider that will have access to NPI, and further to require any such third-party service provider to implement appropriate measures to secure information systems and NPI. S.C. Code Section 38-99-20(F), [Model Act Section 4(F)].

A written agreement between a business and any third-party service provider handling NPI is necessary to set out appropriate obligations and remedies. For more on appropriate vendor management, click here.

7. Do You Have an Incident Response Plan?

The Act requires a Licensee to “establish a written incident response plan” as part of its Program (S.C. Code Section 38-99-20(H)(1)) [Model Act Section 4(H)], and lists a number of elements that must be included in that plan, including:

  • the process for responding to a cybersecurity event,
  • the goals of an incident response plan,
  • defining roles, responsibility, and decision-making authority during an event,
  • identifying requirements for addressing weaknesses, and
  • documenting and reporting cybersecurity events and incident response activities.
The Act recognizes that the mere act of creating an incident response plan in advance allows an organization to respond more effectively following a cybersecurity event.

As Nassim Nicholas Taleb notes,
“It is preferable to take risks one understands than understand risks one is taking.”

South Carolina insurance Licensees are complying with the Act because they have to. However, the requirements of the Act embody fundamental security concepts and controls that apply to any organization that stores and shares NPI.

Thursday, May 23, 2019

Legalized, But Regulated: Commercial Hemp in South Carolina

On December 20, 2018 the Agricultural Improvement Act of 2018 (the "2018 Farm Bill") became law.  Following closely on the heels of the 2018 Farm Bill, on March 28, 2019 the South Carolina Hemp Farming Act ("S.C. Hemp Farming Act") was signed into law. 

The following is a brief overview of the status of hemp (also called "commercial hemp" or "industrial hemp") farming and regulation in South Carolina in the wake of the 2018 Farm Bill and the S.C. Hemp Farming Act.


The terms "hemp" (which has non-drug connotations and uses) and "marijuana" (no further explanation necessary) describe the same plant genus: cannabis. The difference between the two is generally based on the relative amount of tetrahydrocannabinol (THC) contained in the plant. Hemp plants are cultivated to produce fiber and seeds and very little if any THC. Marijuana plants, on the other hand, are cultivated to produce more THC. THC, of course, is the main psychoactive part of the plant.

Historically, U.S. federal and state law has recognized no distinction between hemp and marijuana.  Beginning with the Marihuana Tax Act in 1937, and then under the terms of the 1970 Controlled Substances Act, all "cannabis" has been considered to be illegal. More particularly, cannabis is designated by the Drug Enforcement Administration (DEA) as a "Schedule 1" drug.  

Of course, cannabis' status as an illegal drug prevented farmers from growing it as a crop. Accordingly, interested parties also missed out on the significant benefits that the creators of agricultural commodities enjoy, such as farm subsidies, nutritional assistance, and crop insurance.

The 2014 Farm Bill and Hemp Pilot Programs

The 2014 Farm Bill created a little daylight between hemp and marijuana, recognizing that some cannabis is not in fact a psychoactive drug, and allowing a limited number of hemp "cultivators" to operate under various state hemp pilot programs. In particular, the 2014 Farm Bill limited these pilot programs to cannabis containing no more than 0.3% of THC, and put numerous limitations and conditions on the number of pilot program licensees, the allowable acreage for hemp cultivation, and the uses for which cultivated hemp could be employed.

Consistent with the 2014 Farm Bill, the South Carolina Department of Agriculture ("SCDA") instituted its  Hemp Pilot Program.   Following the most recent application process, the SCDA selected 40 growers from 161 applications:

The Effects of the 2018 Farm Bill and the Hemp Farming Act

The 2018 Farm Bill legalized hemp production nationwide, continuing the distinction between hemp and marijuana based on THC content established in the 2014 Farm Bill. The 2018 Farm Bill facilitates the interstate commerce of hemp by making clear that no state (or tribal government) can prohibit the transportation of hemp through its territory.

Significantly, the 2018 Farm Bill treats hemp like other agricultural crops, adding hemp to various crop and agricultural materials programs administered by the United States Department of Agriculture ("USDA").

However, while hemp production is now legal, that production (cultivation, handling, and processing) is subject to a very strict licensing and regulatory regime. Notably (and understandably), licensed persons must ensure that hemp does not become marijuana (very much still a Schedule 1 drug) by virtue of its THC content. The 2018 Farm Bill gives states like South Carolina the ability to submit a state hemp plan to the USDA for approval.

Accordingly, the Hemp Farming Act directs the SCDA to submit a state hemp plan to the USDA.

Similarly, hemp farming is no longer limited to a pilot program, but the Hemp Farming Act makes any hemp production illegal unless an appropriate license is obtained from the SCDA. Key to the regulatory scheme is determining what part of the production chain a particular person or organization occupies:


Any person involved with "planting, watering, growing, and harvesting a plant or a crop" (S.C. Code Section 46-55-10(4)) of hemp will be required to obtain a S.C. hemp license.  


"'Handling' means possessing or storing hemp for any period of time. 'Handling' also includes possessing or storing hemp in a vehicle for any period of time other than during its actual transport from the premises of a licensed person to cultivate or process industrial hemp to the premises of another licensed person. 'Handling' does not mean possessing or storing finished hemp products." (S.C. Code Section 46-55-10(7)).


This term means "converting an agricultural commodity into a marketable form." 
S.C. Code Section 46-55-10(12).


While hemp production is now legal in South Carolina, any person involved at any stage of its production must ensure that all provisions of the Hemp Farming Act are met. 

In particular, any person who touches hemp at any point during its production should ensure, through appropriate contractual and other due diligence actions, that all licenses have been obtained and that all applicable requirements are followed.

Sunday, May 12, 2019

It's All "Backup" Nowadays? Wrestling With the Stored Communications Act

Shoulda' Seen My Servers ....

Disputes of all kinds (between individuals, between businesses, between individuals and businesses, etc.) often highlight who said what to whom. In the information age, what better place to look for what has been said than in email communications? And as is often the case in litigation between jilted lovers and former business partners (acting like jilted lovers?), one party either has or can guess the email password of the other.

However, attorneys and their clients must be very careful in gaining access to email communications to which they are not a party. The Stored Communications Act (SCA), a 1986 federal statute  prohibiting unauthorized access to emails in certain circumstances, has been given very different readings by the South Carolina Supreme Court and the Fourth Circuit Court of Appeals.


The SCA provides a civil cause of action against anyone who “intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system[.]” 18 U.S.C. § 2701(a)(1).

The SCA defines "electronic storage" as:

(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication[.]
18 U.S.C. § 2510(17).

Email is unquestionably "an electronic communication," and the "temporary" storage described in 18 U.S.C. § 2510(17)(A) does not come into play (at least in the current prevailing view of the SCA), leaving courts to consider whether emails are in "electronic storage" for "purposes of backup protection."

South Carolina Supreme Court: Web-Based Emails Are Not "Backup"

In 2012, the South Carolina Supreme Court, in Jennings v. Jennings,  reviewed a decision of the S.C. Court of Appeals concluding that emails in Mr. Jennings' Yahoo! account were in "electronic storage," and that therefore the SCA had been violated when those emails were accessed. For more on the Court of Appeals' opinion, click here.

Justice Hearn rejected the rationale of the Court of Appeals that Mr. Jennings' single copies of previously opened Yahoo! emails were stored "for purposes of backup protection" pursuant to 18 U.S.C. § 2510(17)(B):  

"We decline to hold that retaining an opened e-mail constitutes storing it for backup protection under the Act."  

Employing the ordinary meaning of "backup" as "one that serves as a substitute or support," Justice Hearn reasoned that since Mr. Jennings left the only versions of these emails on the Yahoo! server, (and did not download them to a device or save them elsewhere), there were no "backup" copies of these messages (at least as far as Mr. Jennings was concerned). Therefore, the messages were not in "electronic storage," and there was no violation of the SCA. 

Notably, in concurrence with the result, Justices Toal and Pleicones offered different constructions of the SCA than Justice Hearn, underscoring the difficulty courts have making sense of a law originally enacted in 1986. For more on the S.C. Supreme Court's opinion, click here.

The 4th Circuit- Web-Based Emails Are "Backup"

On March 6, 2019, the 4th Circuit took a much broader view of "backup," concluding in Hately v. Watts that delivered and opened emails retained on a Gmail server were "stored for purposes of backup protection" and therefore subject to the SCA. Broad brush, there are numerous "backup" copies created of each web-based email message (and used for the "backup" purposes of both the user and the email provider), as web-based email platforms store messages until their users want to destroy them.  

More fundamentally, email messages don't really "substitute" or "support" any "original," so that framework (there has to be an original in order to have a "backup") loses its relevance (or resonance) when moving from analog to digital. (This is some of the same debate that takes place in the context of using electronic documents pursuant to the eSign Act or the South Carolina Uniform Electronic Transactions Act, or even more broadly the double-spend problem presented by digital currencies, but we can dive a little deeper into that another time).

Well, They Were "Backup" For a Time - To a True Original

Conclusion: Know Your Court-- and Proceed With Caution

Decisions of the 4th Circuit Court of Appeals are only binding on South Carolina federal courts, and are not considered precedent in S.C. state courts. However, given the different constructions of the SCA provided by the South Carolina Court of Appeals, three justices of the South Carolina Supreme Court, and the 4th Circuit Court of Appeals, relying on one particular view of the SCA to support access to someone else's email is risky at best.

Tuesday, May 7, 2019

Lamps Plus and Class Arbitration: A Journey Through Some South Carolina Past

But Bazzle Keeps Coming Back Up ....

Introduction: Class Arbitration Castles Burning ....


Years ago this platform discussed at some length how more than one United States Supreme Court (SCOTUS) decision has considered the South Carolina Supreme Court's decision in Bazzle: in the context of who decides issues of arbitrability, as well as whether arbitration agreements allow classwide arbitration.

(For that background, click here. For a broader survey of arbitration and class actions in the context of SCOTUS and South Carolina-- at least at that point in time-- click here).

SCOTUS recently took up the issue of class arbitration again, ruling in Lamps Plus that an ambiguous contract to arbitrate could not authorize class arbitration. Lamps Plus extended the rationale of Stolt-Nielsen, a 2010 SCOTUS decision concluding that an agreement that is "silent" on the question of class arbitration could not compel the parties to classwide arbitration.

As described in the posts linked above, Justice Alito's opinion in Stolt-Nielsen discussed the SCOTUS Bazzle opinion in some detail. And Chief Justice Roberts cited Bazzle in Lamps Plus as well.

Reading the Hidden Note: Silence and Ambiguity in Arbitration Contracts

A close reader may wonder what the difference between "silent" and "ambiguous" might be. After all, "silence" (the absence of a term) can often result in a contract being "ambiguous." As the South Carolina Court of Appeals has noted, “where a contract is silent as to a particular matter, and ambiguity thereby arises, parol evidence may be admitted to supply the deficiency and establish the true intent.” Columbia East v. Bi-Lo.

Stolt-Nielsen presented a unique instance of "silence," as the parties actually stipulated that their arbitration agreement did not speak to the question of class arbitration. In other words, that arbitration agreement was not susceptible to more than one interpretation on the issue of class arbitration because the parties agreed that the agreement was not susceptible of any interpretation on that point.

Lamps Plus: Everybody Knows Class Arbitration is Nowhere

Of note in Lamps Plus, the Opinion of the Court rejected the claim that the doctrine of contra proferentem, according to which a contractual ambiguity is construed against its drafter, could apply to compel class (rather than bilateral) arbitration. Previous SCOTUS opinions discussing the differences between bilateral and classwide arbitration (Concepcion, Epic Systems) call into question whether there could ever be mutual consent to conduct classwide arbitration. Accordingly, because Lamps Plus could not have intended to consent to class arbitration, the fact that it may have drafted the arbitration agreement could not weigh in the balance. Chief Justice Roberts also characterized the canon as furthering public policy interests as opposed to discerning the parties' intent.

This approach may strike South Carolina practitioners as passing strange, as we generally come to understand that 1) as described above, when an ambiguity arises in a contract, courts have the opportunity to determine the intent of the parties based in part upon the drafter of the contract; 2) if you are drafting a contract you get to put what you want in it; and 3) if you don't put a term (e.g. "no class arbitration") in a contract you're drafting, then whatever resulting ambiguity is on you.

That rationale certainly underscored the S.C. Supreme Court's decision in Bazzle:
"Generally, if the terms of a contract are clear and unambiguous, this Court must enforce the contract according to its terms regardless of its wisdom or folly. Ambiguous language in a contract, however, should be construed liberally and interpreted strongly in favor of the non-drafting party. After all, the drafting party has the greater opportunity to prevent mistakes in meaning. It is responsible for any ambiguity and should be the one to suffer from its shortcomings." (citations omitted).

Conclusion: When You're On the Losing End ...

Of course, SCOTUS vacated the S.C. Supreme Court's Bazzle decision, determining that the arbitrator (and not a court) should have determined whether class arbitration was warranted under the arbitration agreement. And the Lamps Plus rationale might foreclose class arbitration were Bazzle before a court today. 

Similarly, I am still trying to wrap my head around how the current SCOTUS would address Herron in the event that case arrived there under the right circumstances. Maybe I will try to work through that in a subsequent post.   

Tuesday, May 13, 2014

It’s Like Déjà Vu All Over Again: Yogi Berra On Information Security

 It is Spring again, and the national pastime is in full swing. This year Spring also brought knowledge of the Heartbleed Bug – another threat to the security of information stored and transmitted online.  And just as baseball is a fixture of the American landscape, so too unfortunately are data breaches and other information security threats.

As of April 29, 2014, the Identity Theft Resource Center (ITRC) has identified 260 breaches (affecting over 8 million records) that have taken place in 2014 alone. Likewise, the ITRC recorded 614 breaches in 2013, a 30% increase over the 470 breaches it reported in 2012. Each new major data breach (think Target) is reminiscent of those that have come before it (Citibank, Sony, Heartland, Countrywide, etc.).

MLB Hall of Fame catcher Yogi Berra, during his more than 50 years as a Major League player, manager and coach, offered (unwittingly or otherwise) baseball and its reading and listening public a great deal of wit and wisdom. In the spirit of the season, several of Berra’s “Yogi-isms” also offer guidance for businesses facing the challenges of protecting information.

“You can observe a lot by watching.” (Know Your Information and How and Where You Store It and Send It)

Information is an asset. You cannot protect information or use it effectively until you can locate and identify it, categorize it (determine its value), and track it:

  • Where is information stored in your organization, and where does it go within the company and beyond?
  • What information do you collect and store that is considered sensitive (at risk) and worthy of protection?
  • Who has access to sensitive information?
  • How is information currently being protected?
Mapping and assessing current information practices is a necessary step in creating an effective information security program.

“If you don’t know where you are going, you might end up somewhere else.” (Take Responsibility and Plan for Information Risks)

Every business needs to be prepared to respond to an event that could compromise its information or information systems (computers and computer networks):

  • Recognize that information security touches every part of the organization;
  • Designate one or more individuals with authority, responsibility, and accountability for managing and securing information;
  • Create, implement, and update policies and procedures to manage information risk, including but not limited to:
      • An incident response plan;
      • Business continuity arrangements;
      • Information retention and destruction policies consistent with corporate needs, legal responsibilities, and business risk.
  • Consider insurance policies particular to information risk; and
  • Deploy appropriate computer technology to prevent, detect, and manage threats.

“Never answer an anonymous letter.” (Train Your Employees to Detect Phishing Emails and Other Security Threats)

The threat to computer networks caused by “phishing” -- attempts to acquire sensitive information by pretending to be a reputable entity in an email -- is significant.  According to the latest Verizon Business Data Breach Report, over 95% of targeted attacks start with a phishing email.  The same Verizon Report makes a more startling observation: a phishing campaign that sends 20 emails has almost a 100% probability of getting at least one click.

All organizations must train their employees to be skeptical of suspicious emails, and to report suspected phishing messages. Employee training and awareness is a necessary component of an information security program, as are “layered security” or “defense-in-depth” mechanisms that may prevent or limit a system compromise brought about by clicking on a phishing email.

“If people don’t want to come to the ballpark, nobody’s going to stop them.” (Protecting Information is Good Business)

The damage that results when sensitive information is disclosed without authorization can take several forms. In addition to the financial and regulatory losses and burdens a company faces in the wake of a breach, the damage to its reputation may be the most significant and lasting. Losing a customer’s information compromises trust, a very valuable asset in a competitive market. Protecting information assets protects the value of the company.

Conclusion: “The future ain’t what it used to be.”

Effective information security is a moving target and an ongoing process that requires a combination of people, processes, and technology.  As the last several years have demonstrated over and over again, hackers and other threat actors continue to become more sophisticated and pervasive. As a result, standing still is not an option, and instead an organization must evaluate and update its security policies, training, and technology on a regular basis.

Friday, May 9, 2014

South Carolina Looks to Follow Vermont's Lead in Fighting Patent Trolls - Using State Law

A bill pending in the South Carolina General Assembly that would make "bad faith assertions of patent infringement" an "unfair trade practice" under South Carolina law got a "jurisdictional boost" from a recent Opinion and Order issued by a Vermont Federal Court judge.


The actions of patent-assertion entities (PAEs) that purportedly own patents and use litigation and the threat of litigation to enforce them are well-documented.  (For a brief description of the topic and some additional resources, click here). PAEs are referred to by their detractors as "patent trolls."

As a general proposition, patent law is exclusively federal in nature. Congress has given the U.S. district courts original and exclusive jurisdiction, pursuant to 28 U.S.C. Section 1338, over any civil action related to patents. As a result, litigation involving the validity, infringement, and enforcement of patents must take place in federal district court.

Vermont's Efforts to Combat PAEs 

Despite the federal nature of patent law, the State of Vermont decided to try to use state law (on two fronts) to fight back against certain practices that take place prior to the initiation of patent infringement litigation.

Act No. 44

On May 22, 2013, Vermont enacted Act No. 44, creating a private right of action and giving the attorney general civil enforcement authority in the event of "bad faith assertions of patent infringement." Vermont was the first state to enact such a law, and several states have followed suit.

Act No. 44 does not define "bad faith assertions," but instead provides a court with a number of factors to be considered as evidence: a demand letter lacking the number of the held patent or factual allegations regarding the specific areas in which the demand letter recipient (the "target") infringes the patent; failure to conduct a due diligence comparison of the patent with the target's products, services, or technology; the demands in the letter are unreasonable; or the assertions made in the letter are meritless or deceptive.  The Act also lists a number of factors to be considered in order to determine that a holder has not made a bad faith assertion of patent infringement.

Vermont v. MPHJ Technology Investments, LLC

On the same day, the Vermont Attorney General served a company called MPHJ Technology Investments, LLC (MPHJ) with a Complaint filed in Vermont state court alleging violations of the Vermont Consumer Protection Act. Of note, the lawsuit did not allege a violation of the statutory provisions created by Act No. 44.

As described more fully in the Complaint, MPHJ  and its subsidiaries sent a series of letters to various Vermont businesses regarding ownership of certain email scanning patents and demanding that the recipients purchase licenses or face infringement lawsuits.

The Complaint alleged that these letters were "false, deceptive and misleading" because (among other things): 1) MPHJ did no due diligence to determine whether "the recipients were likely infringers"; 2) small businesses in commercial fields unrelated to patent law were targeted; 3) contrary to its letters, MPHJ did not actually receive "a positive response regarding its licensing programs";  4) very few recipients had purchased licenses (not "many" or "most" as claimed in the letters); and 5) MPHJ had not filed a single lawsuit to enforce its patents.

MPHJ removed the case to Federal Court, based on federal question and diversity jurisdiction. Judge Sessions found no basis for federal court jurisdiction, and remanded the case to state court. First, Vermont's VCPA claim did not arise under federal patent law or create a substantial federal question. Broad brush, the claim that MPHJ acted in bad faith doesn't depend on any determination of federal law, but "is about consumer protection, not about patents."

With respect to diversity (which requires an action between "citizens of different states"), the State of Vermont is not considered a "citizen" for purposes of 28 U.S.C. Section 1332, and the Court rejected MPHJ's argument that the citizens of Vermont (not the State) were the "real parties in interest" in the case.  (For more on recent U.S. Supreme Court jurisprudence addressing "real party in interest" allegations, click here).

The case will now proceed toward a decision on the merits in state court. For a more complete description of the Vermont district court decision, please see this Corporate Counsel article.

South Carolina's Proposed Law

In December of last year, Representative Kirkman Finlay prefiled  H4371.  This legislation, which has been passed by the House, is currently being considered by the South Carolina Senate.  (The legislation underwent substantial revision in subcommittee, and in its current form is quite different from the version posted online).

H4371, entitled the "Bad Faith Assertion of Patent Infringement Act," makes sending a demand letter "alleging patent infringement in bad faith" an "unfair trade practice" under Section 39-5-20 of the South Carolina Unfair Trade Practices Act, and provides the remedies that exist currently in the SCUTPA. Like the Vermont law, the legislation gives the Attorney General the ability to bring actions to enforce the Act and provides both a number of factors for a court to consider as evidence that a "bad faith assertion of patent infringement" has taken place, as well as those factors tending to demonstrate that a person has not made such a bad faith assertion.


Should H4371 become law, plaintiffs in state court actions filed to enforce its provisions will undoubtedly rely in part on the reasoning employed by Judge Sessions in challenging removal. One question that has not yet been addressed is whether the "bad faith" standard established by or applied according to a state law like Act No. 44 or H4371 would be preempted by federal patent law. See Globetrotter Software, Inc. v. Elan Computer Group, Inc.