Neff Law Firm announces new attorney: Kathryn (Kate) Gregg Larkin

nefflawadmin — Wed, 25 Apr 2012 03:11:57 +0000

Kathryn Gregg Larkin is Of Counsel to Neff Law Firm where her practice focuses on digital media, internet and ecommerce matters, social networks, policy matters, and she assists Richard Neff with a wide array of legal matters generally. Click here … Continue reading →

Data Breach Notification: “Uh oh! The personal data in our database has been hacked”

nefflawadmin — Mon, 19 Mar 2012 22:00:34 +0000

There is so much in the news about cyber-security. Much of the focus is on cyber war as a new and inevitable weapon, Stuxnet and the vulnerability of our national infrastructure. Some of the news is about use of computers to steal US technology and trade secrets, with culprits—if traceable—often located in China or Russia. It is definitely scary stuff, we all fear the prospect of several weeks without power, or endless gas lines should the oil pipeline infrastructure take a hit.

However, companies face a much more mundane and growing risk: personal information in their possession is being stolen by cyberattacks much more frequently than before. This is a form of cybercrime, not a new method of waging war, and the goal is generally identity theft, often an attempt to obtain credit (and debit) card numbers. All companies are vulnerable, but in the absence of required corporate standards, except in certain sectors (e.g., financial services/banking), some companies have done little to protect their personnel and customers from such hacker attacks. Moreover, these crimes are very difficult to prosecute; most originate from users in other countries. In the realm of data breaches and identity theft, we are truly One World.

Over the past two months, an important client of mine, a music technology manufacturer, called with a problem: part of its customer database had been hacked. The names of approximately 1,000 individual customers from its mailing list had been posted on a website in an Asian country. The database itself has nearly 1 million names. It seemed that only name and address/contact information, but no credit card information or social security numbers, had been obtained and posted. Indeed, the database did not contain personally sensitive information. Still, the customer database is password protected, and obviously this hacker succeeded in breaching its security.

My client wanted to be proactive and do the right thing. They acted quickly. I helped them identify the apparent owner of the website where the illegally obtained personal information had been posted, through a Whois search. Once that was established, we were able to find the webhost in that Asian country (a local GoDaddy or Hostgator), which ultimately took the website down at my client’s request. So the problem was mitigated. But what about all the customers whose personal information was hacked?

First, I reviewed California’s very recent law governing security breach notification, which just took effect in January, and requires that any business or entity conducting business in California notify California residents whose unencrypted “personal information” was or is believed to have been acquired by an unauthorized person through a security breach. California led the nation with its original data breach law, but our legislators thought it needed updating. The new law, which amends California Civil Code Sections 1798.29 and 1798.82, sets out when a notice to a business’ victims must be sent, what form the notice must take (physical notice or email) and what the notice must contain. The incident must be described, the timing of the incident disclosed, and contact information given for the business/entity. The type of personal information hacked must be disclosed, and if the breach exposed a social security number or driver’s license number, toll free numbers of the major credit-reporting agencies must be provided. If the breach affects 500 or more California residents, the state attorney general must be notified (with an exception for certain health information/HIPPA-compliant companies).

Fortunately, the California law did NOT apply to the information hacked from my client’s website, precisely because no personally sensitive information was compromised: no social security number, driver’s license number, account number or credit or debit card number, medical information or health insurance information. However, I also reviewed the new SEC Guidance on cyber incidents and FTC guidelines. The latter urge any business that has been the victim of a data security breach to inform law enforcement immediately, whether local police or the local FBI office.

My client’s instincts to be proactive coincided with my advice based on my review of various federal Guidelines. We agreed on the need to inform all of the mailing list victims about what had happened. This was done very quickly. After giving the matter due consideration, my client also decided to incur the expense of informing all of the other nearly 1 million members of the mailing list about what had transpired. At a minimum, we wanted them to change their passwords, and consider changing their passwords on other websites if they used the same password. I also advised my client that to the extent possible, despite the absence of national standards outside certain financial, health and credit card sectors, it is best to encrypt personal database data going forward.

The incident ended without any apparent harm having been done, but was a good preparedness exercise for a more serious cyberattack or data security breach, should it occur in the future.

Neff Law Firm represented European seller of B2B iGaming platform to Bally

nefflawadmin — Fri, 24 Feb 2012 08:06:58 +0000

Neff Law Firm represented Alexandre Dreyfus and several of his companies, located on Malta and elsewhere, in an asset sale to Bally Technologies, particularly the sale of its B2B online iGaming platform to the casino giant. As John Connelly, VP of Business Development at Bally Technologies, Inc. stated: “This acquisition provides an open, cloud-based platform for Bally Technologies to offer an integrated traditional and online casino solution to operators worldwide. Equally as important, Bally Technologies has also obtained an experienced team of industry veterans from within the online gaming industry…”

To read more from John Connelly at the Bally Technologies website, click here.

See writeup in ACQ Magazine.

Neff Law Firm represented Sellers of top App Zombie Smash in acquisition by Zynga

nefflawadmin — Sat, 11 Feb 2012 04:24:43 +0000

Neff Law Firm has been representing a steady stream of international clients in the sale of their assets or businesses to large US companies, as it ramps up its mergers and acquisitions practice. It represented its client Gamedoctors, a German App/game development company, and the creators of the Number 2 grossing App on the Apple App Store, Zombie Smash, in the sale of the company’s Apps and assets to Zynga. The owners and leading developers also took jobs with Zynga. Zynga announced the acquisition in January 2012. Neff Law Firm is now representing French interests selling certain online assets and software to a major US public company.

Neff is Producer/Panelist of Technology Council’s Program, “The Digital Data Revolution.”

nefflawadmin — Sat, 11 Feb 2012 04:09:54 +0000

Richard Neff as Co-chair of the Digital Media Society of the Technology Council of Southern California, produced a successful program on January 31, 2012, in Culver City on the rapid expansion and use of data in the digital world, and the benefits and privacy risks that entails, and he appeared with officers of Google, Nielsen, Experian and Share Magnet as a panelist. The Program was moderated by Ned Sherman, CEO of Digital Media Wire.

TCOSC Digital Data Revolution Program