Crowdfunding 101

“Crowdfunding” offers an option to startups and small businesses to raise capital, although it is a greatly misunderstood and misused term. It refers to the pooling of money from a crowd for the funding of a project or venture, whether utilizing a donation model, reward model, royalty model, debt model or equity model. Securities laws apply when equity or debt securities are offered.

In regard to crowdfunding, Congress amended the Securities Act to allow for an exemption from the registration of such securities if the issuer complies with certain rules and restrictions. To implement this amendment, federal crowdfunding rules were enacted by the SEC.

The federal rules, which apply when securities are sold in interstate transactions, provide that (i) the offering must be an “all-or-none” offering (meaning that the entire amount offered must be raised or else the raise “fails” and all subscriptions must be returned to investors), (ii) the aggregate amount sold by an issuer to all investors in any 12-month period may not exceed $1,000,000, (iii) offering activities must occur through a registered broker-dealer or a new type of platform that must also be registered with the SEC and known as a “funding portal”, and (iv) issuers may only communicate with investors through communication channels provided by the funding portal or a broker-dealer. Investors in the offering do not have to be accredited investors; however, the maximum amount any one investor can invest in crowdfunding offerings in any 12-month period cannot exceed the following:


Despite Equifax Breach Causes, Social Engineering Still Biggest Threat to Data Security

It’s now been widely reported that the recent Equifax data breach, which compromised the personal data of perhaps as many as 143 million people, was the result of the company’s alleged failure to apply a patch to fix a known security hole in some open source software (OSS), known as Apache Struts.  But there is now some controversy about whether those reports are accurate or reliable, and some of the early reports have since been retracted.  The technical complexity surrounding security holes in OSS and the application of patches has led to conflicting viewpoints on how likely it is that the vulnerability exploited by the Equifax hackers was in Struts.

All of this technical hubbub prompts an important reminder, which is that most security breaches are not the result of sophisticated technical hacks.  The fact is that social engineering is the top method of gaining access to corporate computer systems and the sensitive data they hold, according to a survey conducted in 2016.


A TCPA Slam Dunk in the Ninth Circuit?

The fight is not over yet, but the insurance industry just had a significant victory in the United States Court of Appeals for the Ninth Circuit.

The scenario is likely familiar to most. You’re invited to send a text and get something in return—maybe news updates, maybe a chance to win concert tickets. In this case it was the promise of having your sent text posted at a basketball game. Someone sent a text hoping to see their message on a big screen at a Lakers game, and then shortly thereafter got a text back reading something along the lines of: “Thnx! Got your txt. If you want more texts from us, respond with ‘yes,’ if not respond with ‘stop.’” About five weeks after he received such a text while at a Lakers game, and apparently received other texts at subsequent times, David Emanuel sued the Los Angeles Lakers, Inc., proposing a class action based on two alleged violations of the Telephone Consumer Protection Act.


Autonomous Vehicles: Job Killer?

According to the 2014 Census data, more than 4.4 million Americans work as drivers. Will autonomous vehicles kill most of these driving jobs? With the growth and advancement of autonomous vehicle technologies, many Americans are in danger of losing their jobs or taking significant cuts in their income because a new and convenient technology is taking their place. Autonomous vehicles are expected to reduce labor costs, fuel costs and accidents. The potential savings will outweigh the human cost, especially as companies fight for profit margins. While companies plan to save money in the future through this new technological innovation, some individuals will lose money and be left with limited job options in their field.

Take truck driving for instance. According to Census Bureau occupational data, almost two percent of Americans working as drivers are truck drivers. Truck driving is one of the most common jobs around the country and this industry has already displayed hints of being affected by autonomous vehicles. Last year, the Colorado Department of Transportation agreed to let an autonomous truck from Otto, a company recently acquired by Uber, deliver 51,744 cans of Budweiser with no one in the driver’s seat. (There was still a driver present in the truck for safety purposes.) This year, Uber plans to have thousands of trucks equipped with autonomous technology.


Autonomous Vehicles and All That Data

In an earlier post, we discussed the potential ownership models for autonomous vehicles, also known as driverless cars (“AVs”). Models range from true traditional ownership as we understand it today, to license-based models (vehicles owned by someone else but which you can use on an exclusive or non-exclusive basis), to service-based models (you do not own the vehicle, but you can call it when you want it, e.g. cab, Uber).  In this post we will explore the data-intensiveness of autonomous vehicles, the impending data “land grab,” and who will own and control all of the data generated by AVs.

An AV can be thought of as a massive, always-on computer.  Sensors in the AV interface with sensors in the environment.  Data from satellite navigation systems is also in play.  Who owns all that data?  Is it the owner of the AV, the ‘driver’ of the AV (e.g. the licensee of a leased AV), or the party collecting the data? 


Autonomous Vehicles: A Regulatory Perspective

The coming innovation of autonomous vehicles (i.e. self-driving cars) has been covered pretty widely in the news over the past 18-24 months.  Not long ago, the reality of autonomous vehicles was unknown to most Americans.  But it is now creeping into the consciousness of more and more Americans.  As the certainty of this new technology approaches, it is becoming clearer that it will cause massive disruption in an area of American life that is intensely regulated at every level.  If you think about it, the manufacture, distribution, sale, ownership, and operation of cars are all regulated by federal, state and local government.  When autonomous vehicles come into the commercial marketplace (as they soon will), the revolutionary transformation they will bring will include significant regulatory changes.

The federal government is embracing the movement from traditional vehicles to autonomous vehicles. In 2015, the White House announced the Smart City initiative which promoted the connectivity of the autonomous vehicle and the environment (e.g. roads, buildings etc.). The White House released a statement pledging an investment of $160 million in federal research and technology collaborations to improve the technologies in cities. In addition, the government proposed about $4 billion in the federal budget for autonomous vehicle research and development over ten years. The government is taking active steps to prepare the country for the change that autonomous vehicles are going to bring, including regulatory change.


Cyber Security and Social Engineering: A Big Low Tech Problem

Headline-grabbing cyber hacks of email accounts belonging to celebrities, corporations, government officials and political campaigns are becoming the norm.  Cybersecurity intended to guard against these acts brings to mind high tech computer hardware and software fixes delivered by knowledgeable IT professionals, who are expected to prevent network intrusions, stolen passwords, viruses, ransomware attacks and other hacks.

But the most recent notable cyber hacks were not caused by high tech espionage.  Rather, they were the product of low tech social engineering – the use of deception to manipulate users into divulging confidential passwords and other personal information.  This kind of hack takes many forms – examples include security alerts from what appear to be trusted websites to update passwords and phishing emails from what appear to be known, trusted contacts asking to download files or click on provided links.


The Anthem Breach – A Retrospective (Part II)

We published Part I of our “Anthem Breach Retrospective” in January 2017.  Coincidentally, at around the same time several plaintiffs in one of the earliest filed cases arising out of the Anthem data breach voluntarily asked a judge in the Northern District of California to dismiss their lawsuits. The requests for dismissal came after Judge Cousins ordered select plaintiffs to comply with a discovery request by Anthem, requiring them to submit their computers to an independent forensic examiner to determine whether malware caused data or credentials to be stolen from the plaintiffs’ computers even before the breach of Anthem’s systems. In other words, Anthem wanted to know whether someone else caused the plaintiffs’ alleged injuries.

Legally, it isn’t surprising that Anthem should be entitled to this kind of information through discovery because it pertains to the issue of causation. Anthem wanted to know if the plaintiffs’ personal information was compromised under circumstances having nothing to do with Anthem, months before the Anthem breach. In discovery, it was fair game for Anthem to seek to compel these plaintiffs to comply with its request – even if it requires the disclosure of confidential information. But, it appears that at least one of these plaintiffs dropped out of the suit because he did not wish to disclose possibly confidential information in a lawsuit where he is suing because of alleged negligence with respect to confidential information.


ISO’s Privacy Standard for Cloud Service Providers

In July 2014, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) issued a new security standard – ISO 27018 – which attempts to outline best practices for public cloud service providers on how to better protect personally identifiable information.  Although the standard expressly applies only to public cloud providers, it’s instructive to any cloud provider – public or private.

Like all ISO standards, compliance with ISO 27018 is voluntary, and certification under the standard is not required by any law. However, over time, more and more cloud service contracts are requiring compliance with or certification to this standard. Adhering to the ISO 27018 standard can help build a foundation of trust between a cloud provider and its customers. During the contract negotiation stage, the standard can serve as a very beneficial framework for providing assurances that most customers can understand and rely on. Customers moving to the cloud are giving up control of their sensitive data and relying on the cloud provider to maintain adequate safeguards to protect it. New cloud adopters may be nervous, and the cloud provider will likely need to provide assurances and manage its customers’ qualms in order to get the customer under contract.


Key HIPAA Settlement Agreements by HHS’s Office for Civil Rights in 2015 & 2016

The last time this blog presented an overview of key HIPAA settlement agreements at the Office for Civil Rights in the U.S. Department of Health and Human Services was a review of 2014.  The number of complaints that year had spiked up compared to 2013: around a 25% increase.  This post will examine key cases from 2015 and 2016.  While the number of complaints in 2015 was relatively steady with 2014, it appears, based on preliminary numbers, that 2016 was the busiest year ever for the Office.

HHS has data through November 2016 currently posted on its website, but no data for December 2016.  There it notes that, from April 14, 2003 through November 2016, it has received 144,662 complaints.  Elsewhere, the agency has the number of complaints received by year, from 2003 through 2015: 125,641.  Thus, even without the data for December 2016, it appears that in 2016 the Office received 19,021 complaints.  The previous highest year, 2014, saw 18,015 complaints.

Here’s a brief summary of some key agreements from 2015 and 2016:

Cancer Care Group, P.C. is a 13-doctor radiation oncology practice in Indiana.  In September 2015, Cancer Care agreed to a $750,000 settlement with OCR.  This grew out of the initial discovery that a laptop had been stolen from a Cancer Care employee’s car.  The laptop contained unencrypted names, dates of birth, SSNs, insurance information, and clinical information on around 55,000 current and former Cancer Care patients.  A subsequent investigation revealed that Cancer Care “was in widespread non-compliance with the HIPAA Security Rule.”  Proper encryption must be a part of an organization’s approach to data management.