The long-anticipated effective date of the General Data Protection Regulation (“GDPR”) is upon us. On May 25, 2018, GDPR, a mandate for safeguarding the personal data of European citizens, officially became effective. This article explores some of the implications GDPR has for U.S.-based companies.
For companies based in the United States of America (“US”), where most of their business comes from customers in the US, it may be easy to assume that this “European” mandate does not apply. After all, what jurisdiction does an EU regulation have over a US company? Jurisdiction is proper, and compliance issues face US companies like these, because GDPR requires all companies that collect, store, or process the personal data of EU citizens to comply. The regulation defines “personal data” broadly: it includes direct contact information such as name, phone number, address, and e-mail address, as well as any other information that could be used to identify an individual, such as a username or IP address. Any US company that has an office in any EU country is subject to GDPR. But there are many other, more subtle ways that US companies may be subject to the regulation. For example, the following companies would also have obligations to comply with GDPR:
- any US company that has a website that is accessible to EU citizens, including one accessible via any EU country’s URL suffix
- any US company whose website is provided in any of the official languages of the EU countries
- any US company whose website accepts payment in Euros
ii. Why Should a US-based Company Care?
First, there is a private right of action, such that private individuals who believe their personal information has been compromised may sue for damages. Second, fines for non-compliance with GDPR are significant: penalties may be as high as 4% of the company’s annual revenue or $20 million, whichever is greater.
iii. What Steps Should a US-based Company Take?
US companies that find themselves subject to GDPR may feel trepidation as to where to start in establishing compliance. While this is not an exhaustive list, companies should, first and foremost, have a privacy notice in place that is clear and transparent and addresses the following: what personal data is collected by the company, how it is stored and for how long, why it is collected, and with whom such data is shared. Companies should name all organizations that will have access to and/or process user personal data. The website should provide the user a means to consent to personal data collection and processing. Consent must be “opt-in” and not merely a pre-ticked box or other “opt-out” solution. Further, email marketing issues should be addressed. Pursuant to GDPR, companies should obtain new and affirmative consent from users who previously received email marketing messages before continuing to send those emails to these users.
Finally, while the new regulation is not explicit in terms of how these issues should be addressed, companies must accommodate these rights of EU citizens:
- The Right to be Forgotten (users may have their data deleted)
- The Right to Access and Right of Accountability (users should be able to view the data that companies hold on them and correct any inaccuracies)
- The Right to Breach Notification (users must be notified within 72 hours if user data has been breached in a way that can cause “risk to the rights and freedoms” of EU-based data subjects)
- The Right to Data Portability (companies must give users the ability to electronically send the data the company collects on them to a different business, a trusted third party, or the users themselves, where “technically feasible”)
Companies should also update internal policies and organizational measures by having protocols in place for data management and responding to a potential security breach. And, vendor contracts should be updated. For example, if a vendor handles email marketing for Company A, Company A is the “Controller” of the data and is responsible for ensuring that their vendor has sufficient compliance practices in place. If the vendor fails to establish sufficient compliance, Company A may be found to be in violation of the regulation.
iv. Is It Too Late?
No. It is never “too late” to begin taking measures to comply. Technically, GDPR has no “grace period” and fines can be instituted at any time. However, in practice, regulatory bodies often look to what efforts are being made to comply as a means of mitigating fines and penalties. Thus, efforts for compliance continue, even for companies that initially never dreamed that an EU regulation such as GDPR could affect them.
If you have questions on GDPR or would like to take steps to become compliant, please contact:
312.368.0100 or email@example.com
Keeping your Trade Secrets Safe: The Runaway Employee
How can a business protect its critical information when an employee goes to work for a competitor? Many employers simply assume that if they consider information “confidential,” the law automatically protects it when an employee snatches it up and leaves to work for a competitor. That is not necessarily the case. In order to protect its confidential information, such as intellectual property, systems, customer lists, pricing information and the like, an employer must take affirmative steps long before the rogue employee leaves to ensure that its information is protected. Such information can be protected from disclosure both under Illinois common law and pursuant to the Illinois Trade Secrets Act (“ITSA”).
An employer’s trade secrets, such as its customer lists, are a protectable interest. An employer has a clear and ascertainable right in protecting its trade secrets. To establish that an employer’s information is a trade secret under ITSA, an employer must meet two threshold requirements. First, it must show the information was sufficiently secret to provide the employer with a competitive advantage. Second, the employer must show that it took affirmative measures to stop others from acquiring or using the information. Examples of steps employers typically take to keep information confidential include keeping the information under lock and key, limiting computer access, requiring that employees sign confidentiality agreements, and other employer efforts to advise employees that the information imparted to them must be kept secret. Establishing this second prong is where employers typically fall short.
Where employers have invested substantial time, money, and effort to obtain a secret advantage, the secret should be protected from an employee who obtains it through improper means. Although employees may take with them general knowledge or information that they developed during their employment, they may not take confidential information, including trade secrets. The taking does not have to be a physical taking by actually copying a list. A trade secret can be misappropriated either by physical copying or by memorization. Using memorization to rebuild a trade secret does not transform the trade secret from confidential information into non-confidential information. A trade secret can also be obtained through reverse engineering.
Whether and how an employer keeps information secret is one of the most important factors when determining whether information is a trade secret. When information is generally known or understood in an industry, even if it is unknown to the public at large, it does not constitute a trade secret. If a business fully discloses information throughout an industry through a catalog or other literature, it is not considered a trade secret. If the information can be readily duplicated without considerable time, effort, or expense, it is not considered a trade secret. If a customer list, for example, is generally available to all employees and the employees are not required to sign confidentiality agreements, the list is likely not considered a trade secret.
By far the most litigation in this area relates to whether an employer’s customer list is a confidential trade secret. Whether customer lists constitute trade secrets largely depends on the facts of each case. Customer lists and other customer information can be considered a protectable trade secret if the information has been developed by the employer over a number of years at great expense and kept under tight security. However, the same type of information is not protectable where it has not been treated as confidential by the employer, was generally available to other employees and known by persons in the trade, could be easily duplicated by reference to telephone directories or industry publications, and where the customers on such lists did business with more than one company or otherwise changed businesses frequently so that their identities were known to the employer’s competitors.
Illinois courts have found that customer lists do not constitute protectable trade secrets where, for example: a) the particular industry was competitive and customers often dealt with multiple companies; b) the employer had failed to produce sufficient evidence to demonstrate that the customer list was subject to reasonable efforts to protect its secrecy; and c) sufficient efforts had not been taken to maintain the list’s secrecy. To be a protectable trade secret, the employer must demonstrate the information it seeks to protect was sufficiently secret to provide it with a competitive advantage. However, for steps to be deemed sufficient to protect a trade secret, extensive steps must be taken to protect both the electronic and hard copies of the purported trade secret.
For more information regarding the protection of a company’s confidential information, please contact:
Howard Teplinsky at:
(312)368-0100 or firstname.lastname@example.org.