Launch to Thrive

Free Business & Legal Resources for Entrepreneurs and Startups

You are here: Home / Archives for All Resources

Startup Resources

Expand your knowledge with articles, interviews, and updates that offer perspectives on entrepreneurship and the issues that impact your business.

Crowdfunding Cybersecurity Entrepreneurship HR & Employment Immigration Innovation Insurance Intellectual Property International Media & Entertainment Securities

4 Types of IP Your Startup Must Protect

All Resources// Intellectual Property

Intellectual Property (IP) is often an early stage venture’s most valuable asset. But who really “owns” the IP a startup uses? In many cases the answer isn’t clear, and problems frequently aren’t identified until an investor or acquisition partner starts due diligence.

IP ownership problems can be easy to address at the outset by establishing the right procedures, but difficult (and expensive) to fix down the road. The first step is to recognize the four different kinds of IP, broadly categorized below, and the steps required to address ownership issues as to each.

1. Confidential Material

Examples include your business plan, development plans, and new product or service ideas. Generally, people and businesses cannot own ideas or items like price or customer lists. A company can own the physical documents on which they are recorded, but the abstract idea or information is generally not legally considered “property” that a business can own. Still, you can protect yourself. There are at least two ways to prevent others from taking your ideas and using them for themselves.

The first is to use non-disclosure agreements (NDAs). These are contracts under which you agree to disclose your secrets to someone who, in return, agrees to keep them private and not use them for their own purposes. NDAs are critical for startups, which must often disclose their valuable ideas to others early in their lifecycle. Startups should use NDAs religiously—with suppliers, customers, contractors, investors, employees, shareholders, and anyone else who receives your confidential information.

The second way is to treat ideas as trade secrets. To be a “trade secret,” information must meet two primary requirements. First, it must have economic value from not being known or readily discovered. Second, it must be subject to reasonable efforts to maintain its secrecy. If you take reasonable precautions to protect such information, the law provides a remedy if someone “misappropriates” it. Key factors that demonstrate you’ve taken reasonable precautions often include (a) having agreements in place making clear that the company owns the trade secret information and preventing its unauthorized use or disclosure; and (b) having procedures to ensure your confidential information is treated with a level of care and respect commensurate with its value to your venture.

2. Inventions

Inventions are more than ideas for new products, services, or ways of doing something. They must be “reduced to practiced,” meaning they must be fleshed out in enough detail that a typical person in your field could implement them without extensive testing and experimentation. Some inventions (e.g., Coca Cola’s formula) are maintained as trade secrets and protected in the same way as other confidential information (albeit with an even greater level of care). Others are protected through patents, which give the patent owner the right to prevent others from practicing the invention for a period of time without the owner’s consent.

Inventions are generally owned by the person (or persons) who first conceived of them. Many business owners mistakenly believe that if their employee or contractor conceives an invention while working for the company, the company owns the invention. This is generally not true. In reality, the inventor owns the invention and the company merely has a right to use it. To own the invention, a company must have a written agreement in place with the inventor stating that any inventions developed will be owned by the company, and assigning rights in those inventions to the company. This is true whether the inventor is an employee, contractor, founder, or owner.

Before beginning work, everyone involved in developing or refining IP should sign a written agreement that documents the understanding that all inventions will be owned by, and assigned to, the company. This is especially important given that key personnel sometimes leave the venture (voluntarily or otherwise) before a liquidity event. When that happens, it may be difficult, expensive, and/or impossible to get that person to retroactively assign their IP rights back to the company. It is much easier and cheaper to have good IP agreements in place at the start.

3. Works of Authorship

Works of authorship (“works”) include software code, website content, and marketing materials. Generally, works are owned by the author as of the moment they are created (written down or typed into a computer). But when the work is created by an employee within the scope of his or her duties, or in very limited circumstances, by a contractor with a special written agreement, the employer is deemed the “author” of the work from the outset. To avoid ownership problems related to works, ensure that you either (i) fit squarely into one of the exceptions under which the company is the author; or (ii) have a written agreement (yes, it must be written) assigning the rights to the company.

Many startups mistakenly think their founders or contractors fit within the exception, only to later learn that some legal formality was missing, making the exception inapplicable. So, wise entrepreneurs always have written agreements (that include an assignment) with their employees, founders, and contractors, that clearly state the company owns all works. They don’t simply assume that the “work for hire” exception applies.

Because many works incorporate third party materials, things can get even more complicated. For example, to get a jump start, a startup may use “open source software” or a developer may use code she created for a previous project, refining it to work for the new company. This extremely common practice can make it very difficult to determine after the fact which parts of individual works are owned by the company, and which are merely licensed. This issue would take a series of articles to cover. Here, it suffices to say entrepreneurs must do their best to make sure they know whether any pre-existing or third party content was used to create their IP and, if so, where it came from and how it was used.

4. Brand

Your brand (e.g., trademarks, domain names, social media identifiers, etc.) is how your customers know a product or service comes from your company, and not from your competitors. Brands are generally protected by trademark law and can be among the most valuable assets of a new venture. Conveniently, rights in a “trademark” run to the company by default, and not to any individual. So, in this case, founder, contractor, and employee agreements, while still important, are not quite as critical.

However, you still must: (i) make sure your brand is distinctive enough that you can be its exclusive owner, (ii) be certain nobody else is already using anything confusingly similar to your unique brand, and (iii) be sure the company owns and controls all of the domain names and social media accounts that help your brand reach your customers.

A detailed explanation of the steps needed to ensure your brand doesn’t run afoul of these requirements is beyond the scope of this summary. But the following broadly outlines the steps entrepreneurs must take: (a) choose your brand wisely and avoid generic terms for your products or services (e.g., use something distinctive like Apple did when it chose “Apple” for its computers, not something generic like “Steve’s Computers”); (b) do a trademark search before investing in your brand and, once you are clear, register your trademarks so others can’t free-ride on their popularity after you have made them valuable; and (c) ensure that all domain name registration and social media accounts are opened in the company’s name, not those of individuals, and that you have the login and password information for the registrar accounts that control those registrations.

Conclusion

Ownership of IP, often a new venture’s most valuable asset, is unquestionably complicated. But if you start early, using  good NDAs, founder agreements, services agreements, and the like, you can avoid expensive complications down the road. Recognizing the different kinds of IP and the ownership issues related to each is the first step.

Companies Can Help Keep Cyber Insurance Prices Reasonable

All Resources// Cybersecurity// Insurance

In speaking to a cybersecurity conference in 2012, then FBI Director Robert Mueller told attendees that there are only two types of companies: those that have been hacked and those that will be. Sadly, with each passing day, those words seem more prophetic. As anyone who follows the news knows, even the federal government has not been immune from being hacked.

The list of large commercial companies that have been hacked reads like a who’s who of the business world. Companies such as Target, Anthem, Adobe Systems, Inc., Home Depot and Sony have suffered major cyber-attacks on personal data held by each company. Corporate counsel have also reported that they expect the next wave of class action lawsuits to be in data privacy due to increased hacker activity, more frequent internal protocol and security lapses and ongoing consumer and business sensitivity regarding data sharing and use. It is becoming more evident that cybersecurity breaches have emerged as one of the preeminent threats to commercial companies.

Read: Companies, Through Best Practices, Can Help Keep Cyber Insurance Prices Reasonable

Republished with permission by Bloomberg BNA’s Corporate Counsel Weekly.

How to Choose the Right Entertainment Industry Work Visa

All Resources// HR & Employment// Immigration// International// Media & Entertainment

As smartphone recording capabilities and the popularity of social media help entertainers reach wider audiences around the world, entertainers who wish to come to the United States to perform are, paradoxically, finding it increasingly difficult to meet stringent U.S. immigration requirements for temporary work visas. This makes it more important than ever to review the varied U.S. work visas in place for foreign talent, including crew members, writers, producers, editors, directors, makeup artists and costumers. It is also critical to understand the visa-approval process of the United States Citizenship and Immigration Services, the government agency responsible for reviewing work visa petitions; and the visa-stamping procedures of the overseas U.S. consulates, which dictate when visas will be issued to foreign entertainers seeking to enter the United States to entertain.

First, note that U.S. immigration rules make distinctions based on the media industry professional’s work purpose for entering the United States and the nature of their employer’s business. So, as discussed below, it is important to review the activities to be performed in the United States and assess the applicant’s employer or sponsor before applying for the work visa.

I Visa for Foreign Media Representatives

Permissible Activities for I Visa Applicants

The I visa is a temporary, nonimmigrant visa for print, radio, Internet and television journalists coming to the United States solely to work on news-gathering processes, (i.e., news shoots, informational or educational documentaries) with no intention of remaining indefinitely in the United States. Members of foreign production teams essential to the foreign media function, such as photojournalists, reporters, editors, film or technical crew, directors, producers and presenters also qualify for the I visa. Those indirectly involved in the news gathering function, like proofreaders, librarians or set designers, do not qualify for the I visa.

Typically, the I visa applicant must be engaged to work for a media organization based in a foreign country. Reporting on sports events qualifies as a “news gathering” activity pursuant to the I visa rules. Independent journalists under contract with a foreign media outlet coming to the United States to work on informational or news activities qualify for the I visa, as do foreign journalists of an American network, newspaper or other media outlet coming to the United States to report on news for a foreign audience.

Additionally, accredited representatives of tourist bureaus that are controlled, operated or subsidized completely or partly by a foreign government who come to the United States to disseminate factual tourist information about that country qualify for an I visa. Employees or accredited representatives of foreign trade promotional missions are not engaged in news reporting functions and so are not qualified for an I visa.

Finally, freelance media workers with a credential issued by a professional journalism organization who also have a contract with that organization to report on news abroad qualify for an I visa. In addition, I visas are available to employees in the U.S. offices of organizations that distribute technical industrial information.

I visas are issued for as little as six months, or for as long as the foreign media outlet can provide evidence of the news project’s duration. I visas cannot be used to take up U.S. residency. Further, I visas are company-specific, and do not allow their holders to perform freelance work while in the United States.

Impermissible Activities for I Visa Applicants

The I visa should not be used for those entering the United States to produce, make or report on commercial or entertainment programming that includes reality entertainment shows, scripted or contrived programs, the filming of staged or recreated events or documentary dramas. Foreign nationals coming to film or produce events for advertising purposes cannot use the I visa. Quiz show production crews are not entitled to the I visa either. Producing artistic media content will not qualify as I visa work and as such, the I visa is unavailable to those engaged in such productions.

O and P Visas for Entertainers or Personnel Associated with Entertainers

The USCIS has several different nonimmigrant visas available to entertainers, production team members, and those considered “essential support” for film or television productions.

O Visa for Entertainers in the Television and Film Industry

U.S. immigration rules allow foreign nationals to come to the United States under an O-1 temporary nonimmigrant work visa if they do so to work in motion picture and television productions; can demonstrate a record of “extraordinary achievement;” have a U.S. employer or sponsor; and if the length of the artistic event (i.e., the film or television production) can be verified. To meet the standard of “extraordinary achievement” in film or television, the person must be outstanding or noted. Typically, the O-1 is issued to accomplished members of a production team, such as the executive producer, lead actor or director. The threshold is high, requiring the applicant to show evidence such as newspaper clippings, awards, major award nominations (e.g., an Emmy or Academy Award), and a work history of prominent productions, commercial success, high salaries and testimonials of their achievements.

An O-2 visa is available to those in motion picture or television production who come to the United States to accompany and assist the O-1, and who are integral parts of the O-1’s actual performance. The O-2 must have skills and experience with the O-1 that are not general in nature and that are critical to the production’s successful completion. Their continuing participation must be essential. U.S. immigration rules recognize that the O-2 is critical because of a pre-existing, long-standing working relationship or, as to the specific production, because significant production (including pre- and post- production work) will occur both inside and outside the United States. As such, O-2 visas are issued to such television or motion picture production crew members. O-2s need not show a supporting role, but must prove they are an essential team member.

Both the O-1 and O-2 must include an advisory opinion from the appropriate union representing either the O-1’s or O-2’s occupational peers and a management organization in the area of either the O-1’s or O-2’s field.

P Visa for Individual Entertainers or Entertainment Groups

The P visa is for internationally recognized nonimmigrants seeking to enter the United States to perform either individually or as part of an entertainment group. Like the O visa, it requires a showing of a U.S. employer or sponsor. Further, the P visa applicant requires a contract detailing the length of the performance or entertainment event. For example, an entertainment event could include an entire performance season. A group of related activities will also be considered an event. The P-1 visa is for performers. The P-2 visa is for individuals who provide essential support — those who are highly skilled, essential personnel; and an integral part of the P-1’s performance because their support services cannot be readily performed by a U.S. worker and are essential to the P-1’s successful performance of services.

The standard of proof is lower than the one used in the O-1 context. Internationally recognized means a high level of achievement in a field as evidenced by a degree of skill and recognition substantially above what is ordinarily encountered, to the extent such achievement is renowned, leading or well-known in more than one country.

All the visas discussed above allow the spouse and children under 21 to come to the United States as dependents of the principal visa holder. The dependents cannot work in the United States, but they are allowed to study.

All these visas require advance planning, sound contracts showing how long the applicants are needed in the United States, and significant patience to gather the evidence needed to meet the visas’ standards. This is especially true for the O and P visas. Also, note that having the O and P visa petitions approved by the USCIS in the United States, will not always guarantee that the O and P visas will be issued by the U.S. Consulate officers. For this reason, it is critical to understand the process, find a sponsor or employer, and file the O and P petitions early, before arriving in the United States on the performance or production start date. Four months ahead of the event is recommended. The I visa is the only visa that can be presented directly at the U.S. Consulate without having a petition approval issued by the USCIS in the United States. However, the I visa application must be complete with evidence noted above.

To ensure a timely and successful outcome, it is always wise to consult an immigration attorney experienced in working with these visa types.

Republished with permission by Law360 (subscription required).

4 Reasons Why Companies Can Ask Exempt Employees to Work for ‘Free’

All Resources// HR & Employment

The leaked Urban Outfitters memo asking salaried employees to volunteer one or more weekend shifts at an Urban Outfitters fulfillment center to pick, pack and ship merchandise is really no story at all, despite Internet shaming and sensational claims that Urban Outfitters is making management employees work for “free.”  The request of Urban Outfitters is not unusual; it is just unusual that the request was leaked to the media.  Employers regularly require exempt employees to go over and above a 40-hour work week without additional pay, and this approach is appropriate under wage-hour laws.

And, while some media commentators have dubbed this as “working for free,” the reality is that the employees are not working for free.  They have agreed to work all required hours in exchange for a certain salary.  After all, remember that there are salary requirements for exempt employees, so those who are being asked to “volunteer” are being compensated at a higher pay grade, at or above a salary set by our federal and state governments pursuant to public policy considerations.  Therefore, it is in fact “fair” to ask exempt employees for the extra work—it is an implicit (or explicit) requirement incorporated into their typically larger salaries (right now the pay threshold for exempt status is $455 a week, but if the amendments to the federal Fair Labor Standards Act(FLSA) are implemented as proposed, the minimum will more than double to $970 a week).  The increased responsibility and salary levels of exempt employees also means they likely have more bargaining power in the marketplace and freedom to leave an oppressive employer, so government is less concerned about extra “unpaid” work in their case.

As such, a request for “volunteer” work, like the one made by Urban Outfitters to its exempt staff, is both appropriate and lawful under wage-hour laws.

 1. Employees who are exempt can work over 40 hours without additional compensation.

Here’s why: the FLSA and state fair labor standards legislation requires employees who work more than 40 hours in any work week to be paid time-and-a-half for those hours.  There is an exemption for certain employees, such as white-collar employees like administrative and executive professionals.  Assuming those employees receive at least certain pre-determined salaries and have certain significant and responsible job duties (aka, are classified correctly), the employers can ask (or even require) the employees to work more than 40 hours a week and do not have to pay any sort of extra compensation.  Exempt employees take customers to dinner after hours without additional compensation.  They answer after-hour calls and emails without additional compensation.  This happens all the time.  And, it’s legal.  Of course, the employer should be sure the employee is actually exempt before requesting additional work so as not to inadvertently violate wage-hour law.

2. Volunteering for additional work does not change the employee’s primary duty.

Exempt employees who “volunteer” for  production type duties (e.g. pick, pack, and ship merchandise) do not have their jobs transformed into hourly non-exempt jobs as long as their primary duty remains exempt.  Primary duty means the employee’s main or most important duty.  For the administrative exemption, the primary duty is non-manual work related to management where the employee exercises discretion with respect to matters of significance.  For the executive exemption, the primary duty is management, where the employee directs the work of others, has input into subordinates’ employment status, and has discretionary authority.  Yes, the Urban Outfitters exempt employees who volunteer for warehouse duties will not be exercising their exempt responsibilities while working on the production line, but that does not mean their overall jobs become non-exempt.  A manager at a fast food restaurant does not become non-exempt simply because he flips burgers during busy periods.  His primary duty remains management – that is his most important job.

3. Production work doubles as leadership training for exempt workers.

In addition, non-exempt work, such as warehouse work, gives exempt workers an insight into what hourly employees do on a daily basis.  The exempt employees could very well be making decisions about non-exempt jobs.  Rolling up their sleeves to help might provide a real eye-opening education for how hard the hourly employees work and how decisions by exempt  personnel affect those hourly workers.  This could be valuable training for managers, administrators and professionals.  Also, isn’t rolling up your sleeves to perform “undesirable” tasks one definition of leadership?  Leaders should not be above any task, no matter how “menial.”

4. ‘Volunteer’ work can reduce overtime.

Reducing overtime of hourly workers by asking exempt employees to pitch in, as long as the company does it legally, is a perfectly legitimate business decision.  While adding white collar employees to production lines or requesting their assistance in warehouses may actually impede the pace of work, as the white collar employees might well require additional instruction and direction, a company could legally choose to ask for “volunteer” time even if the reason is to reduce the overtime costs associated with using hourly workers.  The employer would just need to be sure that it did not request so much “volunteer” non-exempt work so as to eviscerate an exemption, by turning production/warehouse work into a primary duty.

What Employers Must Know About Wage and Hour Law

All Resources// HR & Employment

This year, according to a recent Syracuse University study, federal courts are on track to handle a record number of wage-and-hour lawsuits stemming from violations of the Fair Labor Standards Act (FLSA), which establishes minimum wage, overtime pay, and other employment standards that impact workers. Two common types of FLSA lawsuits relate to overtime pay owed to non-exempt employees, and to employees who are misclassified as independent contractors. The Department of Labor (DOL) addressed these issues, respectively, with a June 30 proposed rule that recommends changes to the “white collar” exemptions from overtime requirements, and a July 15 guidance on how to identify employees who are misclassified as independent contractors.

Still, for employers, the path to compliance isn’t always clear. To get a better understanding of how companies can avoid running afoul of the FLSA, I spoke with Carlton Fields labor and employment lawyer Cathleen Bell Bremmer.

What’s behind the increase in wage-and-hour lawsuits?

There are several possible reasons for the increase. These include changes in the way people work. For example, more people are working remotely and at all hours partly due to technology, and freelance and independent contractor work arrangements have become more common. The result is greater uncertainty about how the law applies. Additionally, the FLSA is almost a kind of strict liability statute in that the employer either does, or does not, classify workers properly. So, for plaintiffs’ attorneys, these lawsuits are easier to bring than employment bias suits. And, the Obama Administration has prioritized worker protection, as the DOL initiatives show.

How do worker misclassification claims arise?

There are a couple of different types. One is where a company improperly classifies employees as ‘exempt’ from the requirement that they be paid overtime for hours worked in excess of 40 per week. In these cases, the employer incorrectly considers the employees ‘exempt’ because their role is deemed to meet the regulations’ administrative, executive, professional, or highly compensated exemptions, or because the employers incorrectly classify outside sales or certain computer positions.

The other misclassification issue relates to employees who are improperly hired and paid as independent contractors. This issue gets lots of notice from the DOL because, when a worker is classified as an independent contractor, the employer pays no payroll taxes, and no social security or FICA contributions are made on the employee’s behalf. The loss of taxing revenue, in particular, is significant to government agencies.

What are the DOL’s proposed changes to the rule regarding exemptions from overtime requirements?

Currently, workers are exempt from overtime requirements if they otherwise meet the job duties specified in the regulations for the exemptions and

they make at least $455 per week—or an annualized salary of $23,660. The DOL wants to raise the minimum salary cap so that workers don’t become exempt unless they make at least $970 per week—or an annualized salary of $50,440. Basically, employers will have to pay overtime to any currently exempt employee who is not paid the proposed minimum salary, regardless of the employee’s job duties and responsibilities.

Do you expect any industries to be particularly hard hit by the change?

The retail and hospitality industries are expected to especially feel the impact. But regardless of industry, the change will generally affect mid-to-lower level supervisors, whose salaries don’t hit the DOL’s new ‘magic number.’

When is the rule expected to take effect?

Ambitiously, the DOL is looking at January 2016. Pursuant to the rulemaking process, the DOL’s wage and hour division proposed the rule, then opened it up for a 60-day notice and comment period, which closed in early September. Although proposed commenters petitioned for a longer period, the DOL refused to extend it. So now the DOL will review and consider—but not necessarily follow—all of the comments and issue a final rule. There’s an obvious push to get this done while the current Administration is still in office.

What kind of impact would this change have on employers?

It’s expected to affect some 4.6 million employees. So, for employers, that will mean increased wage costs as they will either have to increase the starting or minimum salary of their already-exempt employees, or employers will have to re-classify their employees as non-exempt if they decide, from a cost-benefit perspective, that it’s better to pay them on an hourly basis with overtime. There will also be increased record-keeping costs because employers will need to keep much more detailed records of the hours worked by non-exempt employees. On the other hand, the DOL said it expects related lawsuits to decrease because the increased salary level test will provide for less ambiguity as failure to meet the salary threshold will make any evaluation of the subjective duties requirements of the exemptions unnecessary.

Regarding the independent contractor issue, what does the DOL’s guidance deem important for employers to consider when classifying workers?

Independent contractors can be helpful for one-off or special projects that don’t relate to what your business does on a daily basis. For example, if you run a  computer programming or software design firm, you don’t hire independent contractors to do computer programming or software design. But if you are a catering company, you could hire a contractor to set up a billing system because  your business is preparing and delivering food, not billing. Overall, a key inquiry is whether the worker is economically dependent on the employer, and is therefore an employee, or is in business for him or herself, and therefore a contractor. There’s got to be a potential economic downside for the contractor, who could, conceivably lose money on the deal.

Which is a bigger issue for employers, exemptions from overtime requirements or the misclassification of employees as independent contractors?

It’s very employer-specific, and really depends on your workforce. For example, some employers don’t even use independent contractors, so they don’t have that issue. However, the Administration isn’t really doing anything new when it comes to independent contractors. That issue will always exist. But the proposed new salary test for overtime will create an objective change that affects 4.6 workers. That’s a big deal.

When it comes to FLSA lawsuits in general, are any types of companies especially vulnerable?

While any size company can get hit with these lawsuits—Halliburton recently agreed to pay $18 million in overtime for workers who were misclassified as exempt—startups and smaller-to-midsized companies often face particular challenges.

For example, in a startup, an employee may wear many hats, handling their area of specialty, plus HR. But they may not know or understand the intricacies of the labor laws, which can get them into trouble. Smaller companies are also more inclined to ‘try before they buy,’ bringing on workers as so-called independent contractors when they are really working side-by-side with employees and should be classified as such.

7 Things Startups Should Know About Intellectual Property Law

All Resources// Intellectual Property

1. Your primary asset is your intellectual property. Protect it before you do anything else.

Talk to an intellectual property attorney, a specialist who’ll be able to tell you what you have and how best to protect it (e.g., with patent, copyright, or trade secret law).

If you can’t afford an intellectual property attorney, look for firms that give seminars at university incubators, or those with startup-oriented practices. Find a law school with an intellectual property clinic.

Learn about and understand the various types of IP you have. Have an attorney search the patent office and trademark office records to determine whether you have the right to use your IP, and most importantly, protect it before you start engaging with third-parties. File your patent, trademark, and copyright applications; and establish an internal trade secret/confidential information protection program.

…the first things a potential investor wants to know is what IP you have and how is it protected.

Don’t make the mistake of failing to protect your IP because “the company” doesn’t have the money. Put your own money into it if you have to. But get those applications filed. You’ll regret it if you don’t, because the first things a potential investor wants to know is what IP you have and how is it protected.

2. Decide who owns the IP.

Presumably one or more of the members/shareholders developed the IP. The IP is originally owned by the inventor(s)/creator(s). If the company is going to own it, the inventor(s)/creator(s) need(s) to assign it to the company. If the inventor(s)/creator(s) will continue to own it, they need to grant a license (preferably exclusive) to the company. Your IP attorney can help you with this. Just remember, you’ll have a better chance of attracting investors if ownership is clearly addressed.

3. Make sure you have a good non-disclosure/confidentiality agreement in place…

…before you discuss your products with anyone outside your company, including prototype manufacturers, designers, independent contractor programmers, potential customers, interested investors, etc. Without one, you may unwittingly give away your intellectual property and confidential information. And there may be nothing you can do about it. See No. 1.

GET IN WRITING. GET IN WRITING. GET IT IN WRITING…

4. Make sure you own what you think you own.

Maintain your chain of title and ownership. If you hire independent contractors, get a written assignment. “Work for hire” is a term of art that does not equate to an assignment, and generally has no application to the tech industry (no pun intended). Whatever you do, GET IT IN WRITING. In fact, make that your mantra: GET IT IN WRITING. Make sure your employees sign intellectual property assignment agreements, or have such provisions in written employment agreements.

5. Don’t give away your IP.

Make sure you have good license agreements in place if you’re going to allow others to use your IP. Make sure you understand what the agreement says, and what you’re actually allowing the other guy to do. Make sure you retain control over the IP. GET IT IN WRITING.

6. Don’t forget about international IP protection.

If you’re going to be manufacturing overseas, or if your customers or licensees are located internationally, think about protecting your IP in those countries as well. Intellectual property protection is territorially limited and you’ll need to protect yourself on a country-by-country basis. There are exceptions to the rule, so again, be sure to retain a good IP lawyer who can help you with all of the nuances of foreign protection.

7. Have an exit strategy.

Plan upfront for the disposition of the IP in the event the company doesn’t work out. Will one person own it? Will more than one share ownership? With intellectual property ownership comes obligations and responsibilities, so again, see Rule No. 1.

Good Luck!

Originally published by JD Supra Perspectives.

9 Things Employees Should Do to Prevent Data Breaches

All Resources// Cybersecurity// HR & Employment

Businesses are facing increased financial burdens due to the rise in data breaches caused by malicious and criminal attacks. In addition to the obvious costs incurred to detect and fix the effects of a breach, lost business is potentially the most severe consequence. And lost business can translate into lost jobs. It is often said that it takes a village to defend against cyberattacks. Employees of every organization must realize that they are members of that village, and need to do their part to protect their employer. Avoiding employee mistakes that lead to inadvertent failures will free up valuable resources to fight the bad guys—and may save your job.

The sooner an incident response starts, the greater the chance of managing the incident successfully and minimizing any damage…

Employees should adopt the following “safe” practices to minimize their mistakes and help thwart criminals:

1. Avoid Password Re-Use

  • Use a different password for each system you access, and make it secure and complex—for example, don’t just increase a numeric value as you change systems.
  • Use a password manager (for example, LastPass, 1Password, or KeePass) to manage your passwords, and ensure you use a complex passphrase for the password manager.
  • Specifically, don’t use your work username/password combination for personal systems.

User awareness of the dangers of password re-use has evolved. For instance a 2003 report indicated 65 percent of users used the same password for different applications or services. By 2013, that figure reportedly fell to 55 percent. Password re-use is one of the single biggest threats to account security if two-factor authentication is not used. Consider the recent Ashley Madison data breach that allowed more than 11 million username and password combinations to be released into the wild. The threat, if those passwords and usernames were also used to access those users’ email, bank, or other system accounts, is obvious and far exceeds exposure and embarrassment.

The 2015 Verizon Data Breach Report, as quoted in an IT industry blog, said “… we find that most of the attacks make use of stolen credentials…” and “Over 95% of these incidents involve harvesting creds [sic] from customer devices, then logging in to web applications with them.”

2. Where Possible, Use Multi-Factor Authentication

Your employer may require this for your corporate systems, but increasingly it is also available for personal systems. Google Two-Step Verification is available for Android and Apple phones/tablets, and provides two-factor authentication to Google applications. For instance, increasingly, work and personal matters intermingle in electronic messages and documents. Multi-factor authentication provides another barrier against having one username and password provide access to multiple systems.

3. Don’t Click That Link!

Your bank will never email you a link that asks you to enter your name, social security number, and password into a form full of spelling mistakes. These requests are as suspect as pleas from Nigerian princes. In 2015, phishing, spear phishing, and ransomware attacks have been prevalent across all types of businesses and companies. Some look more real than ever.

Instead of following emailed instructions to call or click, you should generally go directly to your bank’s website or call from a number you have (perhaps found on the back of a credit or debit card). Phishing and spear phishing are used to collect data or propagate malware.

4. Change Your Passwords Regularly

Even with two-factor authentication, passwords remain the first line of defense. Use your password manager, and change your passwords every 90 days. Some password managers will automate this for you, going through all your saved sites and changing the current complex password to a new one, and storing that information for you in the password manager database. Why does this matter? Let’s consider the Ashley Madison breach again—the username and password combinations are available. The passwords are encrypted, but given enough time and computer power, they will be decrypted (more than 11 million have been so far, as noted earlier). If you use a complex password and change it regularly, you will ideally be using a new password by the time a breach occurs and your old password is broken.

5. Practice Safe Wi-Fi

If you use a computer, cellphone, or tablet on a public Wi-Fi, are you secure? Usually, perhaps. But cheap technology exists to create fake Wi-Fi hotspots that capture your network traffic, usernames, and passwords. Consider investing in a personal VPN, or ask your IS/IT department about access to a corporate one. This tool will encrypt your network traffic at its source, before pushing it out over an unencrypted, and potentially compromised, public Wi-Fi network. This guidance applies at coffee shops, train stations, airports, shopping malls, and anywhere else with “free” Wi-Fi. In these places, think carefully about transmitting a username and password without additional protection.

6. Keep Your Devices Close and Consider Their Contents

If you lose a cellphone, do you have the ability to wipe its contents? What if its data is compromised before you can do that? Always know the location of your phone, tablet, computer, etc. Know whether you’ve set up “Find My iPhone”—or a similar remote location tracking app or service—and how to use it. Your company may be able to lock or wipe your phone as well, you’ll have to ask. Similarly, while you probably do need to have all of your company contact details on your phone, consider whether you really need complete copies of all your corporate data. Perhaps you only need the information you’re currently working on. Consider using secure cloud storage services, or keeping your data on corporate servers, and accessing it remotely, rather than downloading it locally.

7. Patch Baby, Patch!

Your company is (hopefully) patching your computer regularly—you should do the same for your home computer(s)—and also do software updates for your cellphones and tablets. Undisclosed and uncorrected computer application vulnerabilities are an ever-present threat, and may involve additional patches out of sequence to the usual patch release cycle. This kind of threat is usually well publicized across the web. Turning on automatic updates and/or notifications on your computer and other devices may also help.

8. Remember the Physical World!

Walking away from your computer to get a cup of coffee? Lock the screen. Put a lock code on your cell phone. Don’t leave devices unattended in public spaces—you risk their physical theft, and exposing sensitive company information.

Bank statements? Credit card bills? Utility bills? If you’re not keeping them, don’t just throw them away, shred them. At your office, don’t throw away anything that includes company information, such as sales figures, contact information, and marketing plans. Shredding should be your default option. Harvesting information from improperly disposed of paper is one form of information gathering used for identity theft or systems breaching.

9. Notify Early

If you think a breach or other failure has occurred, talk to somebody, such as your computer security officer or CIO, or call your bank’s fraud hotline. The sooner an incident response starts, the greater the chance of managing the incident successfully and minimizing any damage. The Verizon DBIR mentioned earlier also notes that attackers who get into a system can be there for up to 205 days on average before their presence is known. That number can be brought down through vigilance and reporting anything that appears unusual. Perhaps your user account was locked out when you got to work today. It may, or may not, mean something.

So, talk to your security team.

We all love being able to access the Internet during the work day. But as attacks continue and losses increase, employers may be forced to limit such access in ways that most employees will find inconvenient. Therefore, employees should take seriously the importance of their efforts in “cyberhygiene.”

Originally published by JD Supra Perspectives.

How a Monthly Lunch Can Protect Your Company in a Data Breach

All Resources// Cybersecurity// HR & Employment

After hackers steal customers’ credit card numbers or a company’s trade secrets, it is far too late for the corporate chiefs of public relations and information technology to learn one another’s names and responsibilities.

That’s why, based on our experience as legal counsel to companies in crisis, we recommend that a company’s senior PR person should have regular monthly lunches with its head of IT security.

Here, we explain why the IT-PR relationship is critical for an effective media response to a data breach.

A Careful Strategy

Without a careful PR strategy, even a routine data breach can morph into a consumer class action, a regulatory investigation and a two-hour CNN special. During a crisis, if the corporate spokesperson lacks a basic IT vocabulary or if IT staffers speak to the press without preparation from the PR department, then a company’s public statements will be uninformed, rambling or rogue — rather than accurate, on-message and approved. Soon, even a breach that a company’s IT professionals have already detected, assessed and remediated can morph into a disaster for the corporate reputation. And the PR department would bear the blame.

One example is the December 2013 data breach at Target, in which hackers accessed the credit card information of 40 million customers and the data files of 70 million customers during the holiday season by infiltrating checkout machines with malware.

Target, exhibiting signs of a brushfire mentality, had to correct various initial statements regarding the breach’s scope, duration and data types. In particular, Target did not clarify that different types of information were accessed for individual consumers over a period of time. Within six months, both the CEO and the chief information officer had resigned, and litigation had increased.

Home Depot disclosed a similar “point-of-sale” data breach in September 2014. The hack was similar in size and scope to Target’s, but lasted longer. Unlike Target, Home Depot initially disclosed limited information about the breach, by announcing that the company was investigating a data breach. Home Depot exhibited greater press discipline and didn’t make any outside communications until the company had a coordinated message. And when Home Depot updated the press on its investigation, it only announced solid information. This example reinforces the idea that waiting to say something meaningful beats  saying something wrong nine times out of 10.

A Focus on Education

One culprit behind poor data breach responses is a lack of effective communication between a company’s PR experts and its IT department. Their résumés, backgrounds and cultures differ. Public relations works with wire services, buzzing phones and need-it-yesterday requests for quotes. IT works with systems updates, multiple monitors and all-night coding sessions. But when a data breach engulfs a company, silos don’t serve anyone.

For these reasons, a company’s senior PR person — the person designated as communications lead during a data breach — should regularly connect with its head of IT security. Monthly lunches provide a great environment for these meetings, where there are several goals to keep in mind.

Educate the spokesperson about:

  • What data the company maintains
  • What steps the IT team has taken to safeguard against data loss
  • What the most likely threats are to that data and how the company would learn of an attack, if it occurred

Educate the IT chief about:

  • The responsibilities of the company’s PR professionals and the impact of the company’s public messaging on its bottom line
  • The types of media that cover the company
  • The company’s media strategy related to data breaches, how to direct media inquiries, who from IT will interface with PR and vice versa, and whether the company will use an outside agency

The paramount goal is to build “top-to-top” trust and rapport between the two departments.

An Improved Relationship

There are also several benefits of this improved relationship:

  • Avoids a situation where the IT head has to contain a data breach in real time, while explaining the company’s sensitive network infrastructure to a stranger, who must then transform that explanation into an educated public message
  • Allows the spokesperson to ask follow-up questions in a non-crisis environment, translate the tech language into effective sound bites and draft a better PR strategy for data-loss events
  • Ensures that IT deploys its finite budget to protect against the types of data breaches that would most impact the company’s reputation
  • Builds a confident, knowledgeable spokesperson — arguably one of the most effective ways to fortify the confidence of a company’s customers and investors after a data loss, and reverses or blunts a negative news cycle

Mindful planning cannot stop a breach, but it can result in a well-managed one. The short-term impact of an individual company’s media response to a data breach can make the difference in consumers’ confidence in that company in the long term.

Copyright 2015 by Public Relations Tactics. Reprinted with permission from the Public Relations Society of America (PRSA.org).

Forming Joint Ventures and the Treatment of Intellectual Property Assets: A Checklist

All Resources// Intellectual Property

This checklist is for use when drafting a joint venture agreement. It highlights issues regarding the formation of a JV and the parties’ obligations as to its operation and management. It contemplates a scenario where one or more of the parties owns intellectual property that is licensed for the JV’s use.

Download Article PDF
Forming Joint Ventures and the Treatment of Intellectual Property Assets: A Checklist

Download (PDF, Unknown)

Joint Ventures and Intellectual Property Assets

All Resources// Intellectual Property

Companies may seek to collaborate with other companies to enhance their intellectual property assets. Typically, this involves forming some type of joint venture. This article highlights key issues related to JVs and IP assets, including, contribution of assets to the JV, IP ownership and licensing, common exit strategies, and bankruptcy.

Download Article PDF
Joint Ventures and Intellectual Property Assets

Download (PDF, Unknown)