Blockchain and Data Protection: What Happens When the Data Is Public?

Chances are you or your company use multiple software as a service or “SaaS” applications. They’re ubiquitous. This blog post was written using one — Google Docs. My firm uses one to keep its books and another to issue invoices.

One long running issue with these applications is what happens to the data in a SaaS platform.

Data, of course, is a hot commodity and most SaaS services want rights to as much of their customers’ data as possible. This allows them to use it to refine their offerings, repurpose it or, in some cases, monetize the data themselves.

In contrast, a SaaS user probably wants to retain as much control as possible over any data. There are many reasons for this. For example, to avoid privacy and compliance problems (especially in light of the GDPR, California’s Consumer Privacy Act, and similar laws that may be enacted in other states) and to protect the hard work and goodwill involved in gathering the data.

Thus, in negotiating SaaS contracts, one big sticking point is frequently who owns the data on a SaaS platform — the company who provided the data in the first place, or the SaaS vendor with the platform that analyzes, aggregates and/or alters it? While consumers might not have a lot of room for negotiation, where two companies are involved, there’s likely to be a lot of back and forth on this topic.

Generally speaking, these discussions are shaped by well-established principles governing the protection of trade secrets and, to a lesser extent, copyright law. The former focuses on what a database owner has done to protect its data from the outside world. The latter applies where the work to be protected is, to some degree, original. Because of this, copyright law is generally less important here because a database that is merely a collection of facts lacks the originality required for copyright protection.

The incorporation of data published on a public blockchain to any SaaS platform adds another wrinkle to any discussion about data ownership and protection. By way of background, a public blockchain is a blockchain network that is open to anyone. Bitcoin is one of the largest and best-known public blockchains. In contrast, as the name suggests, a private blockchain requires permission to publish information to it and, thus, limits who can publish and see information on the blockchain.

Obviously, publishing previously private information on a public blockchain changes the nature of the information when it makes the information public to the network. Probably the best example of this is cryptocurrency transactions. While it’s generally difficult to connect a transaction to a particular individual, the public blockchain for a cryptocurrency is a huge, publicly available collection of information that is open to anyone who wants to participate. This makes it difficult, if not impossible, to claim trade secret protection because publication of information on a public leger such as blockchain negates any claim that the information is secret.

Because of this there are limits to the degree to which anyone can claim ownership and — as a result — the right to control data on a public blockchain — there are still some issues that a user and SaaS vendor in this situation should discuss:

  • Particularly in light of the GDPR, California’s Consumer Privacy Act and other similar laws, does the data contain any personally identifying information? If so, who is responsible under those laws for protecting it?
  • What happens if there’s a data breach?
  • Who owns the data that is altered/aggregated by the SaaS platform? How about the output from the SaaS platform?
  • What can the SaaS vendor do (or not do) with the data it receives? Can the owner of the data license its use by the vendor?

Legal Issues With Remote Employees

In 1995, 9% of American workers said that they telecommuted at least some of the time. By 2016, that number had shot up to 43% (Gallup). The law is trying to keep up with this shift.

Specifically, as more people telecommute from more varied locations, the law needs to decide where disputes between employees and employers should be resolved. Can a remote employee in Vermont who violates a non-compete clause be sued in New York because her former employer is there? How should small businesses deal with disputes with far-flung employees?

The most straightforward answer is that companies should have employees (and independent contractors) sign an agreement with a clause (called a forum selection clause) specifying where disputes will be resolved. With that said, courts have reached conflicting conclusions about whether such a clause is enough.

A court in Florida recently held that a forum selection clause alone doesn’t mean an employee can be sued in the state set forth in his or her employment agreement. That ruling conflicts with a 2016 case that recommended a forum selection clause as the preferred method of dispelling ambiguity about jurisdiction. In that case, decided by a court in Pennsylvania, the employee agreements in question did not include a forum selection clause. The court, however, concluded that the remote employees’ ongoing relationship with headquarters were enough to establish jurisdiction over breach of contract claims. The court further noted that the benefits of remote work meant that it was not unreasonable for an employee to appear in a distant court for a limited period of time.

It remains to be seen whether that logic holds as full-time, remote work continues to grow. But one thing will likely remain unchanged: when an out-of-state employee objects to personal jurisdiction, the burden is on the employer to establish jurisdiction. As the most recent ruling has shown, this applies even if the employee’s contract contains a forum selection clause. So, if contractual provisions are not enough, what can companies do to solidify in-state jurisdiction for their out-of-state employees?

Documented, routine contact is important — frequent calls, meetings, and trainings with headquarters, whether virtual or in person, help build the case for the out-of-state employee’s connection to a specific location. Managing payroll, benefits, and IT servers in a central headquarters that matches the location stipulated in a forum selection clause may be helpful as well.

Of course, this is a developing area, so it’s always a good idea to speak with a lawyer.

Restrictive Covenants and Social Media

Restrictive covenants — the general term for non-solicitation and non-competition agreements — are supposed to protect a business when an employee leaves. But how do these work with platforms like LinkedIn, Facebook, and Instagram that have lengthened the reach of networking, blurred the line between business and personal communications, and made it possible for individuals to update their entire social circle on life events in an instant? In this landscape, what activities are a violation of an employee’s restrictive covenant? Does a former employee “friending” a former client on Facebook count as solicitation or competition? What about that employee “friending” a current employee at your company? What should you tell new hires to avoid a lawsuit or a nasty letter from their former employers?

In the past few years, there have been a handful of cases dealing with the implication of social media in this area but, as usual, technology is developing more quickly than the law. The bottom line from these cases is this: direct messages can cause legal issues, but status updates, profile posts and even blog posts are unlikely to cause legal problems. In other words, a new employee’s announcement that he or she has made a career change should not pose a problem. However, if that person directly targets specific people, the risk is much greater.

This makes sense. If an employee called former clients to let them know he or she had started a new company, this would likely be a violation of a restrictive covenant. Likewise, it would be a violation for an employee to direct message a former coworker a job posting at their new company. But an employee posting a job on his or her LinkedIn profile, where a former coworker may — or may not — see it is unlikely to cause problems.

Though targeted to a specific person, friend or connection requests follow the same principle. As long as the accompanying message doesn’t specifically solicit that person to take action beyond accepting the request to connect, it should not create problems. The recipient can choose whether to accept and develop the relationship further. In short, connections to former clients and coworkers through generally available information like the kind found in a LinkedIn profile are hard to limit.

So, how can you protect your business? If you have employees sign restrictive covenants, it’s a good practice to remind them of their obligations in an exit interview and to remind them that these agreements extend to what they do and say on social media. When hiring new employees, be sure to review their agreements with former employers and instruct them that social media updates should be limited to a general announcement of their new position and avoid any commentary about their former employer.  

Obviously, because the law is developing and situations can vary a lot, it is a good idea to also speak to a lawyer.

A Poler Legal Podcast!

I was recently interviewed by Forbes Books Radio. The podcast is avaliable here.



Potentially Offensive Trademarks Are OK

Until today, the United States Patent and Trademark Office  (“USPTO”)  could refuse to register trademarks (or cancel trademarks) on grounds that they were potentially disparaging or offensive. In 2014, the USPTO used this provision to cancel trademarks for the Washington Redskins find they were offensive to Native Americans.  It also relied on this provision to deny a trademark to a band called the Slants, a term the USPTO concluded was offensive to Asian-Americans, but which the Slants said was an effort to reclaim a previously derogatory term.  The Supreme Court today concluded: “Speech may not be banned on the ground that it expresses ideas that offend.”

If you’re curious, the decision is available here.


New York City Says Freelance Doesn’t Mean Free

Starting today, New York City requires freelancers and the businesses that hire to enter into a written agreement specifying how much the freelancer will be paid and the schedule for payment.  The law also prohibits retaliation against freelancers who try to enforce their rights under this law.

The written agreement can be as simple as an email, but it must include: the name and mailing address of the parties to the agreement; an itemized list of the services to be provided by the freelancer, the value of the services to be provided under the agreement, and the rate and method of determining the freelancer’s compensation.  It also must include a schedule for paying the freelancer or a method of determining when a freelancer will be paid.  If a schedule for payment isn’t included, the law says the freelancer must be paid by not later than 30 days after the freelancer completes the services under the agreement.  A template is available here. Both parties to the agreement are required to keep a copy of the agreement.

This law applies where the freelancer is providing services worth $800 or more either alone or when combined with other work done by the same freelancer for the hiring party within the prior 120 days.  The law applies to both individuals and corporate entities (for example, corporations, limited liability companies) where the entity is made up of a single person.

What Is Indemnification Anyway?

If you own a business, chances are you’ve signed an agreement with a vendor or are yourself a vendor.  And chances are that agreement says something about indemnification.

So, what is indemnification? Indemnification is where one party is responsible for reimbursing another party for any damages or costs.  This can happen either because the parties agree to it (preferably in writing) or because the parties have a relationship where the law assumes that indemnification makes sense.  So, for example, you might enter into a contract that contains an indemnification clause requiring you to reimburse the company you’re supplying services to if one of their employees is injured by your employees or equipment.  Alternatively, even without an agreement, if your accountant screws up your tax returns and you have to pay a fine to the IRS, the law might assume that your accountant should be responsible for that fine.

Why should you care?  One word: money.  If you agree to indemnify someone else, you’re potentially on the hook for any damages they face.  If you’re asking someone to indemnify you, you’re making them responsible for damages you might have.

What should you look for? As with anything you sign, you want to understand what you are agreeing to and make sure that the agreement covers what you want it to and does not cover other things.  Specifically, you want to understand what is covered by the obligation to indemnify.  For example, does the obligation to indemnify cover any damages or only damages to property? Is the party that is absorbing the costs (usually called the indemnitor) agreeing to pick up the other party’s legal fees? Are both (or all) parties to the agreement agreeing to indemnify one another or is only one party responsible for indemnification?

What can you do? Make sure you understand what you are agreeing to, that the language is clear and negotiate, negotiate, negotiate.  If you’re a small business entering a contract with a big company, you might not have that much leverage, but it never hurts to ask.


Preventing Co-Founder Fights

One of the most common, if not the most common, issue I’ve dealt with as a lawyer is what happens when the owners of a business stop being able to work together.  This can happen in any form of small business – a corporation, a partnership or a limited liability company.  It doesn’t matter.  I’ve seen numerous variations on this, but the basic idea and problem is the same: people start a business together and either don’t write down their understanding about how they will operate or, they write an agreement, stick it in a drawer and never think about whether it needs to be updated.

Why does this happen? In my experience, there are two basic reasons: either everyone is so focused on making the business a success and working super hard that there’s just no bandwidth left to think about an agreement governing the relationship between the owners, or there’s already some conflict lurking that no one really wants to talk about.  Sometimes, it’s a combination of both.

In either case, the lack of any governing document or an accurate governing document becomes a big problem when there’s a problem.  This can happen when an owner dies, wants to retire or is arrested.  (Yes, that happens.)  It can happen when the person who has always been considered the “junior partner,” is suddenly bringing in the most business and wants a bigger share of the business’ profits or when a partner is no longer contributing at a level commensurate with his compensation.  It can happen when the owners reach an impasse over a big personnel decision or how to move the business to the next level.

What happens? At some point, the issue comes to a head.  There’s a good deal of frustration and hard feelings between the owners who end up having to hire attorneys to work out the issues.  Not an ideal situation.  If you didn’t have the bandwidth to deal with these issues when you were starting a business, this isn’t any better.  f there was something no one wanted to talk about, you’re definitely going to have to talk about now, and it’s probably going to be even less pleasant because there’s been months or years of frustration and hard feelings added to the conflict.  Even worse, the owners can’t work out their issues and are stuck running a business together.  Obviously, that’s not good for the owners, employee morale, or the company’s bottom line.

If, having read this, you’re thinking that an agreement governing your business might be a good idea, what should you do?  Start by thinking about how you want your business and your relationship with the other owner(s) to work.  Ask yourself and the other owner(s) some questions:  Do all owners have an equal say in the management of the business? Do all owners receive an equal share of the profits (or losses) of the business? Could this change? Are there certain decisions that can be delegated to a subset of the owners and, if so, what are those issues? What’s the mechanism for resolving disputes?  How can a new person come into the business? What happens if you raise money? How does someone exit the business? What about if that person doesn’t want to leave?

Once you’ve done this, talk to a lawyer.