It has become very costly to avoid data privacy compliance. While fines and penalties have existed for years in various amounts from multiple regulators, the European Union’s new General Data Protection Regulation (GDPR), effective May 25, 2018, raises the stakes. It specifies fines up to 20 million Euros or 4% of a company’s prior-year global revenue, whichever is higher, dependent on the “nature, gravity, and duration” of the violation and the “categories of personal data affected.”
Privacy is inherently important to all of us. Privacy is power – the power over self. Ever since the advent of the internet, most of our lives are purposefully conducted online, and that makes the concept of privacy even more important. The “special categories” created by GDPR’s Article 9 recognize the sensitivity of certain areas of our lives, which may have a greater impact if made public. These categories include race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, and data related to a person’s sex life or sexual orientation.
Global Privacy Trends
This concept is taking shape quite differently around the globe. The E.U. is moving towards recognizing digital privacy as a fundamental human right, and other countries are following suit with local laws to provide similar protections. At this point, the U.S. is the lone holdout for general privacy rights, but even here, we’ve provided enhanced protections for personal health information (PHI) privacy through HIPAA since 1999.
For the first time, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands now have breach notification laws. While these are often ignored, these laws typically require private entities to notify affected users and the attorney general of any security breach or unauthorized disclosure involving personally identifiable information (PII).
These laws are focused on data attributes like social security and driver’s license numbers, birth date and place, age, marital status, race, salary, phone number, and other demographic or financial information. Based on recent headlines and most individuals’ experiences handling the aftermath of persistent credit card and large-scale PII data breaches (e.g. Equifax), it is easy to understand the importance of keeping this private information out of the public eye.
The Cost of a Breach
Recent privacy breaches have led to executives being dragged before Congress, fines in the millions, and remediation and litigation costs in the hundreds of millions.
According to a 2017 study sponsored by IBM, the average cost of a data breach across businesses of all sizes globally is $3.62m, or $141 per record. Recently the New Jersey Attorney General fined a medical practice $418,000, or about $260 per patient record, when their third-party service provider actually caused a data breach. The Ponemon Institute, the firm that actually performed the IBM study, estimates that even one employee’s lost or stolen laptop may cost as much as $50,000 after all the required legal notifications are made.
Every federal and state body with privacy enforcement authority imposes higher fines for willful and uncorrected violations. Some basic steps to prevent, identify, and mitigate a privacy compliance failure include:
What to do Next
While remediation and notification are costly, ignoring privacy compliance can be much more expensive. Prevention is more affordable than remediation, and preparation is better than litigation. The growing privacy compliance obligations can be burdensome to understand and difficult to implement. It is prudent to seek outside counsel when in doubt. Furthermore, establishing or administering information security and data privacy assessments through legal counsel may provide the defense of legal privilege if litigation is ever required.
You have a great new idea for what you hope is the next big app. You did your research and you could not find anything out there that is even remotely similar. You have brought together investors and are working with a team of developers and now you are wondering whether you can protect your idea by securing a patent. But is it patentable? Can you patent an idea for software?
The Old Way
Not too long ago, the question of whether an idea was eligible for a patent had a really simple answer: yes! It was often said that “anything under the sun that is made by man” is eligible to be protected by a patent.
United States patent law 35 USC § 101 defines what may be patented as “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.” This would seem to include software, and in the years since the app economy began, many U.S. patents have been granted for software.
A New Approach
The U.S. Supreme Court has intervened in recent years and has found many software inventions to be ineligible for patent protection.
Perhaps most significantly, in the case of Alice v. CLS Bank, 134 S. Ct. 2347 (2014), the Supreme Court ruled that inventions performed on computer systems could be seen as merely abstract ideas, and could therefore be ineligible for patent protection.
While this ruling, and the decisions that followed, do not completely bar software inventions from being patented, as a practical matter, it has become significantly more difficult to obtain patents for software inventions and those patents that have been granted for software inventions are significantly harder to enforce in court.
What Types of Software are Hardest to Patent?
If your idea is a business method or involves data processing, cost/price determination, e-commerce, or software used in finance, you will probably have a harder time pursuing patent protection. If your idea involves a method that uses generic (non-specialized) computer hardware in a manner in which generic computer hardware is normally used, you will probably have a tough road ahead of you.
What Types of Software are Easier to Patent?
If your idea involves specialized computer hardware that you have come up with, if your idea improves computer technology such that the manner in which the computer operates is made better, or if your idea allows computers to perform functions that, prior to your idea, computers could not perform, then you may have an easier time pursuing patent protection.
If My Idea is Patent Eligible, Will I Receive a Patent?
For software patents, establishing patent-eligibility is an important first step in obtaining your patent. However, your idea will still need to be deemed novel and non-obvious. Simply put, “novel” means your invention was not known until you invented it. “Non-obvious” generally means that each of the features of your invention cannot separately be found somewhere else.