Technology Related Topics

This article was first posted by Benjamin Streckert on the State Bar of Wisconsin Business Law Section blog and is being used here with the permission of the State Bar of Wisconsin and its author.


Benjamin Streckert, Minnesota 2017, is an attorney with Ruder Ware in Wausau, where he concentrates his practice on various business transactional matters.


Did you know that the “full and equal enjoyment” requirement of the Americans with Disabilities Act also applies to websites maintained by places of public accommodation? Benjamin Streckert discusses the issue and provides tips for websites to become more accessible to those with disabilities.

Did you know that the Americans with Disabilities Act (ADA) applies to the websites as well as the physical facilities of places of public accommodation?

A review of court dockets around the country shows that plaintiffs are filing an increasing number of lawsuits against companies alleging that their websites are not “accessible” to individuals with disabilities as required by the ADA.

In 2017, plaintiffs filed 814 website accessibility lawsuits in federal court alone, according to the ADA Title III website. This trend is not only a national one – these types of lawsuits are being threatened in Wisconsin as well. Businesses would be well advised to get out ahead of the potential threat.

The Americans with Disabilities Act

According to the ADA, a disability includes “a physical or mental impairment that substantially limits one or more major life activities.” Title III of the ADA prohibits discrimination by a “place of public accommodation” against individuals with disabilities.

Although business owners and managers may want to consult with an attorney to determine if their business qualifies, hotels, restaurants, theaters, grocery stores, pharmacies, offices of health care providers, museums, golf courses, banks, and many other areas open to the community generally qualify as places of public accommodation. These places are required to provide “full and equal enjoyment of [their] goods, services, privileges, advantages or accommodations” to people with disabilities.

Application to Websites

The ADA mandates that brick and mortar locations have certain ramps, counter heights, and other accommodations, so as to ensure that individuals with disabilities have access to full and equal enjoyment of the facilities and the services offered inside of them.

However, many people are not aware that the “full and equal enjoyment” requirement also applies to websites maintained by places of public accommodation. An individual with a disability must be able to equally access a website or mobile application with the aid of a commonly used assistive technology.

A good example of this is that a visually impaired person must be able to navigate a website using a screen reader. Screen readers are software programs that allow users to read the text displayed on a computer screen with a speech synthesizer or braille display. Not all websites are conducive to, or compatible with, screen readers, however.

In fact, websites must have very specific characteristics in order to be compatible with screen readers and other tools used by those with various disabilities.

Legal Standard for Accessibility

Currently, there is no definitive standard for accessibility. But the World Wide Web Consortium’s Web Content Accessibility Guidelines Version 2.0 with AA (intermediate) success criteria (WCAG 2.0 AA) has become the presumptive standard.

Websites that conform with WCAG 2.0 AA are generally deemed ADA compliant. Although not an exclusive list, in order to conform to WCAG 2.0 AA, websites must have capabilities that include:

  • captions for any videos;
  • certain levels of color contrast and minimum font sizes;
  • clear labels and section headings;
  • audio descriptions for video content;
  • allowing keyboard-only navigation (i.e., navigation without a mouse);
  • using icons and buttons consistently; and
  • automatically suggesting fixes when users make input errors.

Maintaining a website that conforms to WCAG 2.0 AA requires periodic updates.
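As an added illustration (not code from the original article), the following Python checker flags markup that fails several of the WCAG 2.0 AA characteristics listed above: videos without caption or audio-description tracks, form fields without labels, images without alternative text, a missing section heading, and clickable elements that keyboard-only users cannot reach. Colour contrast and font size depend on computed styles and are not checked here; the sample markup is constructed for the example.

```python
from html.parser import HTMLParser

FORM_FIELDS = {"input", "select", "textarea"}
NATIVE_INTERACTIVE = {"a", "button", "input", "select", "textarea"}
HEADINGS = {"h1", "h2", "h3", "h4", "h5", "h6"}


class WcagChecker(HTMLParser):
    """Collects (code, detail) findings while the markup is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_video = False
        self.video_tracks = set()   # kinds of <track> seen inside the current <video>
        self.fields = []            # (id, already labelled via ARIA attributes)
        self.label_for = set()      # ids named by <label for="...">
        self.has_heading = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "video":
            self.in_video, self.video_tracks = True, set()
        elif tag == "track" and self.in_video:
            # A <track> with no kind attribute defaults to "subtitles".
            self.video_tracks.add(a.get("kind", "subtitles").lower())
        elif tag in FORM_FIELDS:
            if a.get("type", "").lower() not in ("hidden", "submit", "button", "reset"):
                labelled = "aria-label" in a or "aria-labelledby" in a
                self.fields.append((a.get("id"), labelled))
        elif tag == "label" and a.get("for"):
            self.label_for.add(a["for"])
        elif tag in HEADINGS:
            self.has_heading = True
        elif tag == "img" and "alt" not in a:
            self.findings.append(("img-no-alt", a.get("src", "?")))
        # Keyboard-only navigation: a click handler on a non-interactive
        # element is unreachable with Tab unless it is given a tabindex.
        if "onclick" in a and tag not in NATIVE_INTERACTIVE and "tabindex" not in a:
            self.findings.append(("not-focusable", f"<{tag} onclick>"))
        # Native controls pulled out of the tab order are equally unreachable.
        if tag in NATIVE_INTERACTIVE and a.get("tabindex") == "-1":
            self.findings.append(("removed-from-tab-order", f"<{tag}>"))

    def handle_endtag(self, tag):
        if tag == "video":
            if "captions" not in self.video_tracks:
                self.findings.append(("video-no-captions", "<video>"))
            if "descriptions" not in self.video_tracks:
                self.findings.append(("video-no-audio-description", "<video>"))
            self.in_video = False

    def finish(self):
        # Label checks need the whole document: a <label> may follow its field.
        for field_id, labelled in self.fields:
            if not labelled and (field_id is None or field_id not in self.label_for):
                self.findings.append(("field-no-label", f"id={field_id!r}"))
        if not self.has_heading:
            self.findings.append(("no-heading", "document"))
        return self.findings


def check_html(markup):
    """Return the list of (code, detail) findings for one HTML document."""
    checker = WcagChecker()
    checker.feed(markup)
    checker.close()
    return checker.finish()


# Constructed sample pages: one that fails the listed criteria, one that meets them.
CONSTRUCTED_BAD = """<html><body>
<div onclick="openMenu()">Menu</div>
<video src="tour.mp4"></video>
<input type="text" id="email">
<img src="logo.png">
</body></html>"""

CONSTRUCTED_GOOD = """<html><body>
<h1>Contact us</h1>
<button onclick="openMenu()">Menu</button>
<video src="tour.mp4">
  <track kind="captions" src="tour.en.vtt">
  <track kind="descriptions" src="tour.desc.vtt">
</video>
<label for="email">Email address</label>
<input type="text" id="email">
<img src="logo.png" alt="Example Co. logo">
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("bad", CONSTRUCTED_BAD), ("good", CONSTRUCTED_GOOD)):
        print(name, check_html(doc))
```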

Consequences of a Non-ADA Compliant Website

If a place of public accommodation’s website does not conform to the above standards, both the United States Department of Justice and private citizens can bring suit.

The Department of Justice can obtain monetary damages, attorneys’ fees and costs, monetary penalties, and a court order requiring an institution to bring its website into compliance. An individual may not obtain money damages, but he or she can obtain a court order requiring the institution to bring its website into compliance and recover attorneys’ fees and costs. The costs to a noncompliant organization can be significant.

Action Steps

Given recent ADA litigation trends, and so as not to be an easy target for an accessibility suit, places of public accommodation should consider:

  • Engaging a consultant with experience in WCAG 2.0 AA when building a new website or modifying an existing website;
  • Posting an accessibility statement offering technical assistance for disabled customers on the website home page;
  • Ensuring that customer complaints regarding accessibility issues are addressed promptly;
  • Hiring a vendor with extensive knowledge of WCAG 2.0 AA to conduct a compliance audit of the organization’s current website;
  • Building WCAG 2.0 AA compliance provisions into agreements with website designers and web service providers; and
  • Scheduling periodic updates to make sure websites keep up with ever-changing standards and technological specifications.

Proactively taking the above action steps can help mitigate the risk of an ADA suit.

The EU’s new data privacy law, the General Data Protection Regulation, represents far-reaching changes that make it one of the strictest in the world. Randal Brotherhood discusses this new law and why U.S. businesses need to pay attention to it.


This post was originally published on the “State Bar of Wisconsin Business Law Section Blog” and was written by Attorney Randal J. Brotherhood, Washington University 1981, who is a shareholder in the Milwaukee law firm of Meissner Tierney Fisher & Nichols S.C., where he practices primarily in the areas of corporate law, representing both for-profit and tax-exempt entities, intellectual property, and securities law.


Virtually all U.S. businesses, nonprofit organizations, and other enterprises collect data from their customers or other individuals with whom they interact. All such enterprises should be aware of the European Union’s new General Data Protection Regulation, 2016/679, commonly known as the GDPR,[1] which became effective on May 25, 2018.

The GDPR is a regulation under EU law pertaining to privacy and data protection for individuals within the EU and the European Economic Area. It is a sweeping legislative enactment generally considered to be the most far-reaching change in EU data protection law in many years, and possibly the strictest privacy law in the world.

The GDPR also governs the export of personal data outside the EU, and applies to parties – regardless of location – that collect personal data of individuals within the EU.

Because of this, businesses and other enterprises worldwide, and particularly in the U.S., have devoted considerable attention and resources to complying with the GDPR by the May 25 deadline, and still others are continuing to grapple with its requirements.

Applies Outside EU

The primary objective of the GDPR is to enhance the control individuals within the EU have over their personal data, and to simplify the regulatory environment for data collectors as to data privacy by establishing a single set of data privacy rules that apply throughout Europe.

It is noteworthy, however, that the GDPR has important implications for businesses and other enterprises well beyond the EU/EEA. This includes businesses in the United States, in that its provisions apply to enterprises located in the EU that process data of individuals residing in the EU, as well as any enterprise, regardless of location, that holds or processes personal data of an EU resident.[2]

Accordingly, any U.S. business that has individual EU customers or otherwise holds or processes transactions or data for individuals within the EU is subject to the GDPR’s requirements and its rigorous enforcement provisions.

Express Consent Required

For many businesses, the GDPR will change how data collectors approach data security: it requires, first, that an EU individual’s data be stored only on systems designed and developed with a specific view toward data protection and, second, that such systems employ privacy settings set by default at the highest possible level of protection (the GDPR refers to these concepts as data protection “by design” and “by default,” respectively).[3]

The underlying notion is that an individual’s data are not to be publicly available (and cannot be used to identify the subject absent additional, separately stored information) without the express, opt-in consent of the individual data subject.[4]

Unless the individual has provided such express consent (rather than just a tacit failure to object) to the processing of his or her data for one or more specifically stated purposes, the individual’s data may not be processed unless there is a specified legal basis for such processing and the purpose(s) of such data processing is disclosed to the individual.[5] The data collector must be able to prove that it obtained such express consent from the data subject, who may revoke such consent at any time.[6]

Key GDPR Concepts

Although an exhaustive explanation of the GDPR is beyond the scope of this post, the following is a summary of some of its key concepts.

The GDPR Applies to Personal Data
The GDPR applies to the processing of “personal data” or any information relating to an “identifiable natural person”[7] – that is, an individual who can be identified, directly or indirectly, by reference not just to common identifiers such as name, home address, telephone number, a photograph, or an email address, but also by less obvious identifiers such as bank or medical information, social networking posts, IP addresses, or any other data pertaining to location or to the physical, physiological, genetic, mental, economic, cultural, or social identity of such individual.[8]

These identifiers are considered personal data even if on their face they do not identify an individual, as long as they can be traced back to the subject individual without undue effort. Nor does it matter whether the data pertain to the individual’s personal or work-related capacities: if the data fall within the scope of “personal data,” they are subject to GDPR regulation.

It should be noted, however, that the GDPR does not apply to processing data “for a purely personal or household activity and thus with no connection to a professional or commercial activity.”[9]

Controllers and Processors
The GDPR directs most of its requirements toward “data controllers” (businesses or organizations that collect the data) and “data processors” (organizations that process data on behalf of a data controller, such as a third-party software or other service that a business may use to process data on its behalf).[10]

Data controllers are required under the GDPR to utilize only those data processors that provide sufficient assurances that they will implement appropriate technical and organizational measures to meet the GDPR’s requirements and protect the rights of individual data subjects.[11]

Privacy Management
Both data controllers and data processors are required to implement programs to assure compliance and be able to demonstrate such compliance to data subjects and regulatory authorities.[12]

Overall, the GDPR calls for a risk-based approach, that is, the utilization of controls which correspond to the degree of risk associated with the data processing activities. To this end, businesses that are data controllers must, for instance, put in place procedures to prevent data from being processed unless necessary for a specified purpose.[13]

Further, such businesses must incorporate technological and organizational measures appropriate to the nature of the business to ensure the protection of individuals’ personal data,[14] including:

  • pseudonymization and/or encryption of data so that it cannot be attributed to an individual without use of additional information;
  • restoring the availability of data in a timely manner in the event of a loss of data; and
  • regularly testing and evaluating the effectiveness of security measures.

Data controllers must maintain records of their processing activities, although there is an exclusion for small businesses (fewer than 250 employees) where data processing is not a significant risk.[15]

Additionally, controller/processor relationships must be documented and managed with contracts that specifically set forth the parties’ privacy and data protection obligations.

Data Protection Officers
Businesses that are data controllers or data processors are required under the GDPR to appoint a “data protection officer” if their essential activities involve, on a large scale, regular monitoring of personal data or processing of sensitive data.[16]

A data protection officer must have IT processing, data security, and business continuity competence in personal data processing.

Lawful Basis for Processing of Personal Data
Unless a subject individual has provided express, affirmative consent to the processing of his or her personal data for one or more stated purposes, such data may not be processed unless there is at least one specified legal basis to do so.[17]

If the individual’s consent has not been obtained, the subject’s personal data may be processed only:

  • to comply with a legal obligation;
  • to perform a contract with the data subject;
  • to protect vital interests of the data subject when he or she is unable to give consent;
  • for the performance of a task carried out in the public interest or the exercise of official authority; or
  • for the purposes of legitimate interests of the data controller or a third party (but subject to certain fundamental rights and freedoms).[18]

Consent
If the data subject’s consent is the basis for the processing of his or her data, such consent must consist of:

“any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her.”[19]

That is, such consent must be explicit for the data collected and for each purpose that the data are used, so that the controller can clearly show when and how the consent was obtained.

Accordingly, the purpose(s) for which the individual’s data will be collected and used must be clearly and expressly disclosed to the data subject, so that it is obvious what the data are going to be used for.

Consent must be demonstrable and freely given. A controller cannot require the disclosure of data as a prerequisite or condition of, for instance, the provision of services or the performance of a contract.[20]

Additionally, the data subject must be allowed to revoke consent in a manner no more burdensome than the manner in which consent was given.[21]

Information Provided at Data Collection
Individual data subjects have enhanced rights under the GDPR to access and obtain copies of their data, as well as rights to require rectification or erasure of their personal data, to restrict further processing, and to lodge a complaint with a supervisory authority.[22]

Individuals must be informed of these rights and, in addition, they must be given information about how their data will be processed.[23]

Breach and Notification
In the event of a breach of security of an individual’s data in the hands of a data controller that gives rise to the destruction, loss, or unauthorized disclosure of such individual’s data, the data controller must notify the appropriate supervisory authority “without undue delay,” and “where feasible,” within 72 hours after having become aware of such breach.[24] If such notification is not made within 72 hours, the data controller must provide a “reasoned justification” for the delay.[25]

Such notice is not required if the data breach is “unlikely to result in a risk for the rights and freedoms” of subject individuals,[26] although how this exception is to be interpreted will likely require future clarification.

If the data controller determines that a personal data breach “is likely to result in a high risk to the rights and freedoms” of subject individuals, it must – subject to certain exceptions – also notify the individuals affected by the data breach “without undue delay.”[27]

In the event of a data breach by a data processor, it must notify the data controller,[28] but the GDPR does not otherwise impose any other notification or reporting obligation on the data processor.

Fines and Enforcement
Businesses should note that, for GDPR violations, the GDPR provides for liability, including fines, for both data controllers and data processors as well as remedies for data subjects.

Regulators may impose penalties equal to the greater of €10 million or 2 percent of the violator’s worldwide revenue, for violations of record-keeping, security, and breach notification requirements.[29]

Violations of obligations related to legal basis for processing, consent requirements, data subject rights, and cross-border data transfers are subject to penalties up to the greater of €20 million or 4 percent of the violator’s worldwide revenue.[30] EU member states may impose additional penalties, which may include criminal penalties.[31]

Data subjects have the right to make complaints with “data protection authorities” maintained by EU member states, as well as to initiate judicial proceedings.[32]

Additionally, data controllers and processors can be held responsible to compensate affected data subjects for damages resulting from a GDPR violation.[33]

Considerations and Recommendations

Although many U.S. businesses may be tempted to disregard the GDPR as a non-U.S. regulation relevant only to large multinational corporations, this approach could do great harm to such an enterprise if it has European customers or otherwise collects data from European individuals.

No matter the size or nature of the business, if it collects any kind of personal data on EU residents, it is very likely subject to the GDPR and its requirements.

Given the substantial monetary and other penalties for noncompliance, businesses of all sizes should clearly understand whether and how the GDPR applies to them, and establish a game plan for GDPR compliance as necessary.

Establishing a Game Plan for GDPR Compliance

Businesses and their legal advisers should start by assessing the extent to which they have EU customers and/or collect data from EU residents, and acknowledging that they may have to alter current data handling procedures in light of the GDPR.

This assessment should include a review of the types of personal data the business collects and holds, what the data are used for, and whether the business is collecting more information than is reasonably necessary for its legitimate business purposes.

Further, businesses should assess the documents (whether in written or electronic format) they require customers to sign when purchasing or obtaining products or services. It is likely that such documents may need revision in light of GDPR requirements, to ensure that customers know how the business is processing their data and why. This may include development and implementation of new processes for obtaining and verifying express (rather than tacit) customer consent to data collection, and for the transfer and deletion of such data when requested.

Given the GDPR’s reach well beyond the boundaries of the European Union, and the substantial fines and other sanctions that can arise for GDPR violations, businesses and other enterprises collecting data from EU residents are well advised to have a clear understanding of the GDPR and its applicability to their operations.

For more information on the GDPR, see Keith Byron Daniels’s article, New European Privacy Law: Its Effect on Wisconsin Lawyers, in the July/August 2018 issue of Wisconsin Lawyer magazine.

Endnotes

[1] The GDPR is formally known as “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).”

[2] GDPR, Article 3(3).

[3] GDPR, Article 25 (Data protection by design and by default).

[4] GDPR, Article 6(1)(a).

[5] GDPR, Article 6(1)(b)-(f).

[6] GDPR, Article 7(3).

[7] GDPR, Article 4(1).

[8] GDPR, Article 4(1).

[9] GDPR, Article 2(2)(c).

[10] GDPR, Article 24 (Responsibility of the controller) and Article 28 (Processor).

[11] GDPR, Article 24(1).

[12] GDPR, Articles 24, 28.

[13] GDPR, Article 24(1).

[14] GDPR, Article 24 (Responsibility of the controller); Article 40 (Codes of conduct).

[15] GDPR, Article 30(1), (5).

[16] GDPR, Article 37 (Designation of the data protection officer).

[17] GDPR, Article 6 (Lawfulness of processing).

[18] See Footnote 5, above.

[19] GDPR, Article 4(11).

[20] GDPR, Article 7 (Conditions for consent).

[21] GDPR, Article 7(3).

[22] GDPR, Article 15 (Right of access by the data subject).

[23] GDPR, Article 7(2).

[24] GDPR, Article 33(1); GDPR, Recital 85 (Notification obligation of breaches to the supervisory authority).

[25] GDPR, Article 33(2).

[26] GDPR, Article 33(1).

[27] GDPR, Article 34(1) and (3); GDPR, Recital 86.

[28] GDPR, Article 33(2).

[29] GDPR, Article 83(4).

[30] GDPR, Article 83(5).

[31] GDPR, Article 84 (Penalties); GDPR, Recital 149 (Penalties for infringements of national rules).

[32] GDPR, Article 77(1).

[33] GDPR, Article 82 (Right to compensation and liability).

Effective March 14, 2017, consumers will have what is being called by some, a “Right to Yelp”. The Consumer Review Fairness Act of 2016 (“CRFA”) was enacted in December 2016, and prohibits businesses from inserting provisions into customer contracts that prohibit the customer from giving a derogatory online review about the business.

These provisions have been termed anti-derogatory provisions, and are used to give a business a contractually based legal right to remove a negative consumer review that the business believes could damage its reputation. Typically these contractual provisions are buried in form contracts (defined by the CRFA as contracts where the customer had no opportunity to meaningfully negotiate the terms). Examples of these types of agreements are the terms of use of almost every business’ website, or even your Apple service agreement. The CRFA now prohibits businesses from using anti-derogatory provisions, and provides for penalties for businesses that do so.

What This Means for You

From the consumer standpoint, the CRFA encourages an organic and free-flowing information marketplace in regards to customer reviews, and allows the public as a whole to have the most accurate picture of a business’ services. In the “Google” age, consumers have come to rely upon the accuracy of reviews on sites and mobile phone apps like Yelp, YP, Facebook, and the Better Business Bureau. Consumers use these sites to determine which professional service to use, what restaurant at which to eat, and which products to buy. The CRFA ensures that these review sites are able to show the full picture to consumers.

On the other hand, the CRFA limits a business’ legal options in protecting their business’ reputation. Businesses can now only remove reviews that are slanderous, libelous, or defamatory, and, for the most part, must go to court to do so. With the law prohibiting businesses from creating a contractual right to remove negative reviews, the business is forced to prove in court that the statement was actually defamatory, a much taller task than a breach of contract action.

How to Manage Negative Reviews

In light of the fact that many sites like Yelp and BBB are already flagging businesses using these anti-derogatory review provisions in their contracts, many businesses may have stopped using these provisions already. However, the question still persists: how do you get rid of the negative reviews without resorting to litigation?

Here are a few suggestions:

Many sites have options for you as a business owner to claim your business on their site so you can publicly respond to reviewers. In the event of a negative review, you have the opportunity to respond, clarify the situation, as well as take an opportunity to publicly show your commitment to customer service. This then puts it on the reviewer to give you a reasonable response. Hopefully this interaction will either defuse the situation, lead the reviewer to remove his/her post, or result in the reviewer responding inappropriately, thereby ruining his/her credibility. Make sure you’ve claimed your business on these sites so you can do this!

If the negative review lingers, how can you make that review an anomaly? First, learn from it, and strive to prevent whatever caused the negative review. This should lead to a higher rating over time. Second, encourage (and that doesn’t mean bribe) your customers to leave you a review at the end of your customer relationship so you can gain a higher rating. One interesting method I’ve seen for those businesses interacting with customers electronically is that the businesses ask their customers about their experience through electronic communication. This gives them the option to answer whether their experience was positive or negative. If it was negative, the business links the customer to a private feedback page where they can make their comment to you privately. If they select positive, link them to a page asking them to review you on whatever review site you suggest. Though it doesn’t stop the negative reviewers from then taking their frustrations to Yelp, or the like, you may reduce the risk of a negative review by allowing an unsatisfied customer to blow off some steam.

If the comment is actually personally derogatory or defamatory, there are options on most sites that allow you to flag the comment to the site administrator to get the review removed.

The business attorneys at Schober Schober & Mitchell, S.C. stay updated on new legal issues affecting Wisconsin businesses. To ensure your business is complying with this new law, or for any questions you may have, email me at jmk@schoberlaw.com.

Social Media

It’s incredible how much time we spend online. I recently read an article that the average person has close to 100 online accounts; whether it be social media accounts like Facebook, Twitter, or Instagram, other applications like Gmail and Amazon, online bank accounts, and yes, even the Pokemon Go app. Generally, posts, emails and other content contained on these accounts are considered to be a user’s “digital property.” Yet, what happens to these accounts when the user passes away or becomes disabled? Do they just disappear? Typically, website account providers require that users “sign” a user agreement upon creating an account, many of which are so long and dense most people don’t even take the time to read them. Often contained in these agreements is a provision that restricts access to the accounts to only the original user. In that case, if the user dies or becomes permanently disabled, the account may continue to exist and remain dormant without anyone having the ability to manage it. Because of the restriction to the original user, the account could not be accessed even if a loved one requested access from the website provider as a personal representative of the user’s estate or as the user’s power of attorney.

Wisconsin’s Digital Property Act

To address this problem, in mid-2016, Wisconsin passed the “Wisconsin Digital Property Act,” (codified in Wisconsin Statutes Chapter 711). The act empowers individuals to decide how their online accounts will be administered by their personal representative or power of attorney upon their death or disability.

One of the most important aspects of the new law is its provision allowing an individual to “opt-in” to have the law govern the individual’s digital property. The law creates a three-tiered system for designating who may have access to the user’s digital property contained on the account. First, an individual can elect to use an “online tool.” An online tool is a setting established by a website or app provider like Facebook or Google that allows the user, right from their online account settings, to designate the person who they want to have access to their account in the event of their death or disability. Second, if the website does not have an “online tool”, an individual can designate who can access their account in an estate planning document such as a will or trust. If you opt-in to the law through either option, the website provider must grant your designated person access to the account to manage your digital property. Otherwise, the usually restrictive user agreement governs whether others can access your accounts to manage your digital property.

How the Act Affects You

I checked out Facebook’s online tool, one of the few sites that even has one. They call it a “Legacy Contact.” You can access it by going to Settings>Security>Legacy Contact. There is an option to designate someone to access your account, or alternatively, to have Facebook delete your account upon your death. For other sites that don’t offer such an option, the designation must be done in a will or trust.

The Wisconsin Digital Property Act is another example of the law adapting to our changing society. Especially for people with many online accounts (Millennials, that’s you), this new law means it might be time to think about starting (or updating) your estate plan. If you have any questions about how to take advantage of the Wisconsin Digital Property Act, consult an attorney at Schober Schober & Mitchell, S.C. We’d be happy to help.

I read an article noted on the ABA Journal Weekly Newsletter entitled, “Feds say 1789 law requires Apple to help government get encrypted smartphone data.” I’ve always been a proponent of individual liberty (and privacy), and I wanted to see what the government was arguing to support its case that they are entitled to snoop on everything we say or do on our smartphones.

The above article cites two further articles, one from Ars Technica’s Law & Disorder, and the other from the Wall Street Journal’s Digits.

In essence, the government is saying that a court can order anyone to cooperate with the government to get at data the government needs to enforce laws. The 1789 law, as amended, now reads:

28 U.S. Code § 1651 – Writs

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction.

The article points out that the real purpose may be to stop technology companies from making smartphones or other devices that the government cannot get into.

The comments following the blog are outstanding. As is usually the case, many say that if the government wins this case, the “bad guys” will be the only ones left with good encryption, and the rest of us will face constant government surveillance, harassment, arrest and prosecution for things that shouldn’t be anyone else’s business. While I agree, I’ll let you decide.

We learned this morning about another data breach, this time relating to the widely used Cloud Service called Dropbox.

Steve Kovach, of BusinessInsider.com reported yesterday that over 7 million Dropbox passwords have been compromised.

After the Target, Home Depot and other recent breaches, this isn’t a big surprise. However, since many lawyers use Dropbox to share confidential information with their clients, it may certainly startle many.

If you haven’t considered encrypting the messages you send, now may be the time.

We thank our friends at Abacus Data Systems, Inc. for getting us word of the above news!

Wisconsin’s equity crowdfunding law, which was unanimously passed by the legislature and signed by Gov. Walker last November, officially took effect on June 1, 2014. Wisconsin is one of 11 states that have “taken matters into their own hands” by passing their own crowdfunding laws while the federal rules are still pending.

President Obama signed the JOBS Act back in April of 2012, which was intended to make it easier for small businesses to raise capital. One provision required the SEC to implement rules for a new crowdfunding exemption from the SEC requirements by the end of 2012. Despite this requirement, no federal rules have been issued yet.

While securities law is normally a federal issue, the SEC has a longstanding “intrastate offering exemption” that allows companies to sell securities within their home state without registering the offering with the SEC. States, like Wisconsin, have used this exemption to make their own crowdfunding laws ahead of the federal rules. However, these state crowdfunding laws apply only to intrastate offerings. This means that Wisconsin’s crowdfunding law can only permit companies formed in Wisconsin to solicit Wisconsin investors. Interstate investments, such as an Illinois resident investing in a Wisconsin company, are still governed by federal law and thus are impermissible until the federal rules are released.

The SEC’s Compliance and Disclosure Interpretations from April 11, 2014 (“CDIs”) highlight some of the challenges of intrastate offerings. For one, the intrastate exemption requires that securities are only offered and sold to in-state residents. The CDIs note that it would likely be a violation of the intrastate exemption to use the company’s home website or social media sites, such as Facebook and Twitter, to advertise the offering, since these mediums will almost certainly reach residents of other states, and thus constitute an “offer” to an out-of-state resident. Eliminating free modes of advertising such as Twitter and Facebook for intrastate offerings could lessen the appeal of crowdfunding until the federal rules are released (and thus interstate investments are permissible), since the primary purpose of crowdfunding is to eliminate the expense of raising capital.

So, at present, crowdfunding puts those who use it at high risk of violating laws until the SEC issues some additional rules.

This article was prepared with the help of Kelsey O’Gorman.

Maybe it’s time for Americans to start taking sides on the issue of what their government ought to be spying on. While I have been no fan of Edward Snowden, I have also become no fan of the NSA. The longer this matter drags out, the more the NSA looks like it has become even more of a “big brother” than George Orwell imagined in his book, 1984.

I have an iPhone, as I’m sure many of our readers have. If I misuse my iPhone to break laws, I would expect my government to have some right to get at what is on my iPhone to prove a case, presuming they have probable cause that a crime has been committed and that I was probably the criminal. But what if I’m not doing anything illegal? Should the government still have the right to follow me around, read my emails and voicemails, turn on my camera and microphone and record things? Such sci-fi activities certainly could not have been contemplated by our forefathers, but the concepts protecting an individual from such scrutiny were.

According to an article by Stephen Lawson for PCWorld’s “Best of PCWorld,” “the U.S. National Security Agency was developing in 2008 a software implant for Apple iPhones that allowed the agency to take almost total control of the device, including retrieving text messages and voicemail and remotely turning on its microphone and camera, according to a report by the German magazine Der Spiegel.”

The article goes on to say: “The implant, code-named DROPOUTJEEP, was ‘in development’ and initially intended for ‘close access’ installation on a phone, with remote installation being planned for a future release, according to an alleged NSA document with the date October 1, 2008, that Der Spiegel included in a graphic with its recent NSA report. DROPOUTJEEP’s other capabilities included remotely pushing and pulling files from an iPhone, retrieving the phone’s contact list and identifying the device’s location and the location of the nearest cell tower, the document said. The implant could do all this without the phone user’s knowledge, over SMS (Short Message Service) or a GPRS (General Packet Radio Service) data connection. All the software implant’s communications would be ‘covert and encrypted,’ the document said.” Some of the more interesting details, Der Spiegel says, come directly from the NSA’s own materials.

If iPhone hacking isn’t enough, the article then goes on to say, “The alleged NSA document describing DROPOUTJEEP was included in an interactive graphic published alongside a December 30 Der Spiegel report on a special hacking unit of the agency, which reportedly intercepts deliveries of computer equipment and installs spyware on it before it’s delivered to the recipients. The report cited internal NSA documents that Der Spiegel said it had viewed. The graphic included links to numerous documents about technologies that the hacking unit developed for infiltrating servers, firewalls, routers, wireless LANs, PCs, peripherals and cellphone networks.”

OK. So where does this all lead us? Should our government be able to put bugs into our computing devices before we start using them? Should they be able to enter into our networks to see what we’re doing? If they can plant files on someone’s computing device (and a smartphone is a computer!), then can incriminating evidence be planted? Will the government monitor the advice lawyers give their clients, such as tax advice?

I’d love to get a discussion going on this. I’d love to hear your thoughts. I personally don’t know exactly where the line should be drawn, but I certainly have some fears about people in positions of power being able to get rid of people they don’t like. Isn’t that what Kim Jong Un just did to his uncle in North Korea?

“Crowdfunding” is a relatively new word. You may have heard of the concept, but may not yet know the word. Crowdfunding is a method by which money is raised to put capital into a business. Usually, this is done through an internet site, such as Indiegogo, Razoo, Upstart or a host of others. I am not linking to any of these, because I personally don’t know the operators of any such sites and cannot vouch for them. What happens is this: an entrepreneur sets up an arrangement with such a website to raise small amounts of money from a very large number of prospective investors. If the offering is successful, the entrepreneur gets the capital he or she needs for the business, and the investors get a small stake in the venture.

I am concerned about such funding. When America suffered the Great Crash of the markets in 1929, it was determined that we needed significant regulation to be sure investors were protected. The result was the Securities Acts of 1933 and 1934, both of which put into place many of the basic regulations we still live with today. What has happened in the past 80 years? America has become the largest, most successful economy in the world. Why change something that is working?

Crowdfunding didn’t start in Wisconsin. It started on the internet. The federal government responded in 2012 with the JOBS Act, which allowed certain websites to sell certain securities to certain investors, if they met certain requirements. Those requirements seem to fit into 3 categories: 1. how the investor is categorized; 2. what information is disclosed; and 3. whether the website may have to be registered. Wisconsin passed its Crowdfunding law as 2013 Wisconsin Act 52.

These are all very complicated issues in a new law that is itself very complicated. This comment is not intended to address, nor could it within the confines of such a short piece, all the issues and complexities of the new law. Anyone intending to get involved with crowdfunding should certainly hire an attorney with securities experience who can show them the way.

Federal law governs offerings that cross state lines. Wisconsin law only covers offerings that take place entirely within the State of Wisconsin. The federal law already had a term, “accredited investor” or “AI.” An accredited investor is someone of wealth and sophistication who is expected to know the risks involved with certain financial investments and to be more able to sustain losses on such investments without being destroyed. That person generally has to have an annual income of at least $200,000 for two years in a row ($300,000 including spouse), or a combined net worth of at least $1,000,000. Wisconsin has created a new classification of “certified investor” or “CI,” who only has to have $100,000 annual income ($150,000 including spouse) or $750,000 net worth.

There are also limits on how much can be raised. The feds limit the amount to $1 million with certified financial statements ($500,000 if not), and Wisconsin doubles those amounts. Likewise, there are limits as to how much an investor may invest. The feds limit non-AI investors to $2,000 or 5% of income or net worth if under $100,000 of income or net worth, and 10% if above $100,000. Wisconsin just sets the limit at $10,000. Neither limits AIs or CIs (for Wisconsin). That means a much less wealthy person can invest a lot of money in Wisconsin.

The following table may help:

| | Federal AI | Federal non-AI | Wisconsin CI | Wisconsin non-CI |
|---|---|---|---|---|
| Accredited Investor (AI) | 2-year annual income at least $200,000 ($300,000 with spouse) or $1,000,000 net worth | N/A | Same as Federal | N/A |
| Certified Investor (CI) | N/A | N/A | 2-year annual income at least $100,000 ($150,000 with spouse) or $750,000 net worth | N/A |
| Limit on investment by an investor with income or net worth under $100,000 | None | $2,000 or 5% of net worth or net income | None | $10,000 |
| Limit on investment by an investor with income or net worth over $100,000 | None | 10%, up to $100,000 investment | None | $10,000 |
| Maximum amount entrepreneur may raise with certified financials | $1,000,000 | $1,000,000 | $2,000,000 | $2,000,000 |
| Maximum amount entrepreneur may raise without certified financials | $500,000 | $500,000 | $1,000,000 | $1,000,000 |

Now, my thoughts: I think this new system takes away all the protections we have in place for small investors. I think many shady people will hide behind these legitimate offerings and gather money, and it will be gone before the investors can know what happened. And since the amount they have put at risk is relatively small, no prosecutor will be interested in going after the wrongdoers. This scheme makes no sense under any circumstances, because even if investors only put in $10 each, if the crook getting all the money gets a million or two, it won’t make any difference; it will just hurt a lot of people a little bit, instead of a few people a lot. This is just a very bad idea!

As most of my listeners know, I love to keep up with what’s going on in technology, and even more so if it’s legal technology. While I couldn’t be at LegalTech New York this week, I am watching the posts, tweets and articles written by the myriad of people who are attending. One such blog post discusses cloud computing and why we aren’t quite “there” yet:

Continue Reading Cloud Computing at LegalTech New York