Wine Online

A Sampling of What’s Happening with Online Wine Buying and Shipping[1. This article first appeared in the September 2008 issue of e-Commerce Law & Strategy.]

By Cary S. Wiggins[2. Cary S. Wiggins is a Member of Cook, Youngelson & Wiggins in Atlanta, and serves as chair of the American Bar Association’s Beverage Alcohol Practice Committee. He is also the author of Meeting the Sin Laws, an award-winning blawg accessible from the firm’s Web site: www.cywlaw.com. Mr. Wiggins can be reached at cary@cywlaw.com.]

Now can I ship wine to out-of-state consumers? That’s what people at wineries, and even retailers, have been asking ecommerce counsel since the Supreme Court decided Granholm v. Heald, 544 U.S. 460 (2005), which struck down wine-shipping regulations in Michigan and New York as discriminatory under the Dormant Commerce Clause. There are at least 50 answers to the question.

THE SCORECARD

But before we tackle that sprawling question, a quick review of the players is appropriate. Most states use a three-tier system to regulate their internal alcohol distribution markets. Under this system, manufacturers of alcoholic beverages sell to wholesalers (first tier), who sell to retailers (second tier), who then sell to consumers (third tier). This erects a wall between manufacturer and consumer. As a practical result, the wholesalers are middlemen who mark up and then sell alcohol to retailers. Incidentally, California, Oregon and Washington, which produce 93% of the country’s wine, use two-tier systems in which retailers buy from producers.

Like any tale worth telling, the three-tier system’s evolution has ironic contours. The tiers concept came from a 1933 study-turned-book, Toward Liquor Control, commissioned just before Prohibition was repealed by the Twenty-First Amendment. The study’s authors had a primary goal in mind: eliminating “profit motive” from the distribution and sale of alcoholic beverages. See, R.B. Fosdick & A.L. Scott, Toward Liquor Control, 57 (Harper & Bros. Publishers 1st ed. 1933). The layered-distribution format is a post-Prohibition throwback, designed (they say) to reduce organized crime’s hold on the liquor trade, to collect taxes and to prevent sales to underage consumers. Whatever the case, the three-tier system has survived because of profit motive.

THE WINE CASE: GRANHOLM

Fast-forward 70 years. Small wineries have mushroomed; more than 4,000 wineries exist, and no state is without one. In the e-commerce era, out-of-state wineries possess the marketing and distribution means to get their product to non-resident consumers, but they lack the states’ permission to do so. They must go through in-state wholesalers, and these wholesalers are not always inclined to carry the out-of-state winery’s label. The problem, as Alan Wiseman and Jerry Ellig posited in their 2004 study, Market and Nonmarket Barriers to Internet Wine Sale: The Case of Virginia, is that since the 1960s, the number of wineries had increased six-fold, while the number of wholesalers had decreased to one-sixth of the 1960s level. Fluid e-commerce markets were pushing rigid three-tier systems to a breaking point on one issue: interstate wine shipping to consumers.

Granholm addressed whether the regulations discriminated against interstate commerce. It did not reach other Commerce Clause issues, e.g., whether mandatory wholesaler requirements impose a form of economic protectionism. Nor did the Court address, under a lesser scrutiny, whether these wine-distribution laws imposed significant burdens on interstate commerce that exceeded local benefits under Pike v. Bruce Church, Inc., 397 U.S. 137 (1970). That set the stage.

THE WINE WARS

Today, the wine-shipping battles are fought largely between wineries and wholesalers — the latter frequently aligned with state governments. The battlefields are state capitols and federal courts. The legal weapon de jure is the Commerce Clause. As one district court has noted:

The Commerce Clause only guarantees an open market, a market free from prohibitive or burdensome regulations; but it does not guarantee a market free from all regulation. As such, under the Twenty-First Amendment, States may engage in a process of balkanization by using regulations such as a three-tiered distribution system to create gated communities composed of state consumers, but not gated communities that include in-state businesses to the exclusion of all out-of-state businesses. (See, Black Star Farms, LLC v. Oliver, 544 F. Supp. 2d 913, 921 (D. Ariz. 2008).)

Because out-of-state wineries are often outmatched by in-state wholesalers when it comes to influencing the state’s legislation, these wineries sometimes choose to litigate when they view the state law as discriminatory to interstate commerce. Challenging state police powers in federal court is a thorny endeavor, though. Speaking at the 2006 Ecommerce Symposium, Kenneth W. Starr noted that “thoughtful judges” are concerned that using the Dormant Commerce Clause in this context is a “pox on this entire enterprise.” 3 Journal of Law, Economics & Pol’y 127, 132-33 (2007).

So is federalism in this context the equivalent of state protectionism? Some principals and counsel of out-of-state wineries think it is. They view a resort-to-court strategy as a necessity. In Beau v. Moore, No. 4:05CV000903, 2007 U.S. LEXIS 83659 (W.D. Ark. Nov. 1, 2007), the plaintiffs (a Michigan winery and an Arkansas resident) challenged Arkansas’ three-tier system that prevents wineries from selling and shipping directly to retailers and consumers. When the suit was filed, Arkansas wineries were exempted from the three-tier distribution and so were permitted to sell and ship directly to consumers and licensed retailers. After the suit, Arkansas amended its laws to ban all direct shipping of wine to consumers, with no exceptions.

In Siesta Village Market, LLC v. Perry, 530 F. Supp. 2d 848 (N.D. Tex. 2008), the plaintiffs (who included a Florida wine retailer) challenged the constitutionality of various Texas statutes that preclude out-of-state wine retailers from selling and shipping wine to Texas consumers. Texas, a three-tier state, allows retailers to ship wine to consumers located within that retailer’s county; out-of-state retailers do not enjoy the right to this “in-state” market. The district court held that the statute violated the Dormant Commerce Clause. The wholesalers might have won the battle, however. In crafting a judicial remedy, the court held that the out-of-state retailers must purchase their wine from Texas wholesalers. An appeal is under way.

More recently, the Seventh Circuit invalidated an Indiana statute protecting wholesalers, Baude v. Heath, Nos. 07-3323 & 07-3338, 2008 U.S. App. LEXIS 17050 (7th Cir. Aug. 7, 2008). The clause provided that a winery could sell directly to consumers only if it did “not hold a permit or license to wholesale alcoholic beverages issued by any authority” and was not owned by an entity that held such a permit. Functionally, the statute prevented California and Oregon wineries from direct shipping because, as manufacturers in a two-tier state, these wineries were deemed “wholesalers” under Indiana law. Indiana argued that the clause was designed to protect the state’s “three-tier system,” under which retailers may buy their inventory only from wholesalers.

Judge Easterbrook wasn’t buying it. He invoked Pike and asked whether Indiana’s facially neutral rules “impose[d] higher costs on interstate commerce as a practical matter.” To support the statute, the wholesalers argued that “the three-tier system may help a state collect taxes and monitor the distribution of alcoholic beverages, because there are fewer wholesalers than there are retailers, so state enforcement efforts can focus on the middle layer.” The court acknowledged the concern, but said that “once a state allows any direct shipment, it has agreed that the wholesaler may be bypassed. It is no harder to collect Indiana’s taxes from a California winery that sells to California retailers than from one that does not.” From there, he held that the “wholesale clause protects Indiana’s wholesalers at the expense of Indiana’s consumers and out-of-state wineries.”

Indiana’s statute reflects a new breed of wine-shipping regulation: facially neutral. Before Granholm, courts struggled to reconcile the Twenty-First Amendment and the Commerce Clause. Now courts know that a facially discriminatory statute will not be saved by the Twenty-First Amendment. The question becomes whether a facially benign state law nonetheless discriminates in purpose, or discriminates in effect, to violate the Dormant Commerce Clause.

DISCRIMINATORY EFFECT, DISCRIMINATORY PURPOSE

In theory, the states’ task is simple: Create a playing field that does not discriminate against out-of-state wineries, while maintaining regulatory control over alcoholic beverages. States have broad power to prevent underage access to alcohol, collect taxes and maintain an orderly and regulated market. What has complicated this task is a thriving — and, indeed, politically active — wholesaler industry. Why would these middlemen remove themselves from the distribution chain? For now, the wholesalers don’t wish to experiment with new market dynamics. And some interesting legislative devices have emerged.

Production Limits

Some states (e.g., Indiana, Kentucky and Maryland) issue winery shipping permits to wineries that produce less than “X” gallons annually. In a challenge to Arizona’s production limit, a district court observed that “more than half of the wineries across the country produce less than 20,000 gallons of wine per year and are thus eligible to take advantage of the gallonage cap exception under Arizona’s domestic farm winery permit,” noting that more out-of-state wineries than in-state wineries had obtained domestic farm winery licenses. With that finding, the court held that “Arizona’s gallonage cap exception does not restrict the flow of interstate commerce in favor of in-state wineries and in effect opens up the State’s wine market to allow more out-of-state wineries than in-state wineries to take advantage of Arizona’s gallonage cap exception and directly ship to Arizona consumers.” Black Star Farms, LLC v. Oliver, 544 F. Supp. 2d 913, 928 (D. Ariz. 2008).

Massachusetts’ gallonage caps on direct shipping are now under attack. See, Family Winemakers of Calif. v. Jenkins, No. 1:06-CV-11682-RWZ (E.D. Mass.) (plaintiffs’ summary judgment motion pending).

Case Limits

Some states (e.g., Minnesota) limit cases shipped to consumers rather than gallons produced by wineries. In Minnesota, a winery may ship no more than two cases of wine to a customer per year. Indiana tags the other end of the commercial transaction: A winery may ship no more than 3,000 cases per year to all customers.

Florida’s 2008 legislative session concluded without passing a bill that would have limited shipment to eight cases per household, per year; another house bill that would have prevented wineries producing more than 100,000 cases from shipping directly to consumers died, too.

Face-to-Face Purchase Requirements

Other states (e.g., Arizona, Kentucky and Mississippi) have imposed a “face-to-face,” or “on-site,” purchasing requirement on direct shipping sales. The consumer must purchase the wine in a face-to-face transaction on the winery’s premises to ship that wine home. Some states will allow the wine to be broken down into multiple shipments during the year.

Face-to-face restrictions have been challenged. In Black Star Farms, the plaintiffs (including a Michigan winery) argued that Arizona’s in-person exception violated the Dormant Commerce Clause. Recognizing that the in-person exception was facially neutral, the plaintiffs argued that it “in effect” creates an economic barrier that benefits in-state wineries and burdens out-of-state wineries because consumers cannot afford to travel to out-of-state wineries just to buy wine. The court disagreed. Upholding the face-to-face requirement, it said the Dormant Commerce Clause “does not require States to provide out-of-state businesses with additional rights to compensate for existing advantages that in-state businesses possess through geographic location.” A face-to-face challenge to Indiana’s statute also failed. (See, Baude v. Heath, supra.)

Permit Costs

Other states impose high permit fees that might exclude small nonresident wineries with only limited sales in the state. A district court recently held a New Jersey fee unconstitutional, in Freeman v. Fischer, No. 03-3140, 2008 U.S. Dist. LEXIS 49718, at 18 (D.N.J. June 30, 2008). The court held: “The Act requires out-of-state wineries to pay twice the fees paid by in-state wineries for essentially the same privileges, but defendants posit no evidence that these fee amounts were calculated based on increased costs of regulating out-of-state wineries or some other legitimate state service rendered to out-of-state wineries and not in-state wineries.”

Reciprocity

According to Law Professor James A. Tanford’s article “E-Commerce in Wine,” 13 states had reciprocity laws before Granholm. See, 3 Journal of Law, Economics & Pol’y 275, 325 (2007). These laws say, essentially, that an out-of-state winery may ship directly to consumers, but only if that winery’s home state affords reciprocal direct-shipping privileges. (Until this year, three states had reciprocity laws; now two do, because Wisconsin repealed its reciprocity law, to be effective on October 1, 2008.)

WHERE CAN I SHIP WINE?

A wonderful resource for learning where wine may be shipped is WineInstitute.org, which bills itself as a “public policy advocacy association of California wineries.” The Web site offers a summary of state wine-shipping laws. California and New Hampshire are among the least-restricted shipping destinations.

Other states have closed Internet sales altogether. According to FreeTheGrapes.org (another aggregate site, last visited Aug. 17, 2008), Alabama, Arkansas, Delaware, Kentucky, Maine, Mississippi, Montana, New Jersey, Oklahoma, South Dakota, Tennessee and Utah fall into this category. Other states are debating what to do. Pennsylvania, for instance, just ended its legislative session without “coming to grips” with Granholm, reports Christopher Wink for The Morning Call of Allentown, the state’s third-largest city.

One proposal would have allowed in-state and out-of-state wineries to ship wine to consumers through Pennsylvania’s state-owned liquor stores. Customers would then have the wine shipped from the store, or pick up the wine from the store.

WINE WARS SHAPING CONSTITUTIONAL LITIGATION

Facial challenges are becoming fact-intensive. Last term, in rejecting the challenge to Indiana’s voter-ID law, the U.S. Supreme Court noted that there was not “any concrete evidence of the burden imposed on voters who now lack photo identification.” Crawford v. Marion County Election Bd., 128 S. Ct. 1610 (2008). It’s put up, or shut up. This is why, in Baude, Judge Easterbrook said it would be “awfully hard to take judicial notice that in-person verification with photo ID has no effect on wine fraud and therefore flunks the interstate Commerce Clause” if the Supreme Court could not do it in a voter-ID setting.

At least one scholar believes that discrimination-in-effect evidence is necessary to bolster a facial-discrimination claim. David S. Day, The Expanded Concept of Facial Discrimination in the Dormant Commerce Clause, 497 Creighton L. Rev. 497, 513-14 (2007). Facial-discrimination claims are “increasingly interwoven with discriminatory-effects theories” (Day at 514 n.110).

And the Wine Wars are proving that.

Diagnosing a Troubled Company Part 2

By: Dennis J. Gerschick, Attorney, CPA, CFA[1. © 2008 Dennis J. Gerschick. All Rights Reserved. Dennis Gerschick is the President of Gerschick Business & Investment Counsel, LLC and can be reached at dennis@gerschick.com. Part 1 of this article can be found here. Dennis would appreciate your suggestions for future articles.]

Every company is a “troubled company” because every company has problems or issues it must address. “Trouble” is only a matter of degree. Companies that are successful one day do not always remain successful. Well-managed companies remain vigilant, always alert for warning signs, and they react quickly when problems arise.

In Part I of this article, I noted that even when problems are identified or become obvious, many people will ignore them for a variety of reasons. I also noted that in diagnosing a company, a good starting point is to have the company do an honest self-assessment. A self-assessment involves asking many questions and carefully listening to and interpreting the answers.

Troubled companies may face financial problems, such as a lack of cash flow, too much debt, low margins, etc., and/or operational problems, such as defective manufacturing processes or distribution problems. One problem may lead to another. For example, a lack of cash flow may tempt a company to cut back on its inspections which may then lead to poor quality and defective products. Conversely, late shipments may lead to a loss of business and a lack of cash flow. Is the identified problem the disease or only a symptom?

A company’s financial statements may provide clues. “Big picture” questions that should be addressed include:

1. Is revenue increasing or decreasing? At what rate? Why?

2. Are the company’s gross profit margin and net profit margin increasing or decreasing?

3. What expenses should be cut? Which expenses should be increased?

4. What is the company’s cash flow? Is the cash flow from operations positive? Is cash flow increasing or decreasing? At what rate? Why?

5. Compare the company’s current cash on hand to liabilities due within 30 days, 60 days, 90 days, etc. What can be done to defer payment of cash?

6. Are the company’s accounts receivable growing? Review an aging schedule of the receivables. What can be done to expedite collections?

7. Can any of the company’s assets be sold? Can any be leased or licensed to others?

8. Can the company refinance any debt?

9. Is it possible to raise any new equity capital? If so, on what terms?

10. What can be done to improve the company’s reputation and image?

Albert Einstein defined insanity as doing the same thing and expecting a different result. However, many troubled companies do exactly that. They continue doing what they have been doing thinking that if they are persistent and patient the business will improve. I believe that if you want different results, you have to do things differently. This is not to suggest that a company should act like a fish out of water – flopping about and changing its strategy often. Strategy should not be changed too often but tactics used to implement the strategy can and should be changed or modified to get better results. Management should constantly be asking: What tactics are effective and which ones are not?

In Part I of this article, I noted that a company should solicit input from its customers. Bill Gates has written that when customers complain, that is actually a good sign for the company because it indicates the customer has psychologically committed to continue to do business with the company. If the customer decided to go elsewhere for the product or service, they would not waste their time complaining to the company. Customer complaints really provide the company with a roadmap – the customers are telling the company what it should do to better serve them in the future and to enhance the relationship.

Companies should consider several points including: (1) How easily can customers complain to the company? (2) How quickly and effectively does the company respond to the complaint? (3) What attitude does the company express with its response? Is it “the customer is always right,” or is it “if we ignore them maybe they will just go away,” or perhaps “the customer is overly demanding, unrealistic, and really just a pain in our backside.” The key to most businesses is to get repeat business from customers, and to convert customers into the company’s goodwill ambassadors. How companies handle customer complaints is critical to their long-term success. Satisfied customers are often a company’s most effective advertising. While a company should strive to minimize the number of dissatisfied customers, it is important to change unhappy customers into satisfied customers. Does the company do this consistently, most of the time, some of the time, or never?

Here are some additional important points:

1. A company’s CFO and/or its outside CPA should be proactive and alert the company to downward trends or warning signs. Unfortunately, too many CFOs and CPAs do not perform this service because they do not want to be the “bearer of bad news.”

2. Many, if not most, business owners and executives can identify problems. Fewer can explain the true cause of the problem. Even fewer can offer practical solutions. I believe strongly that companies should consider all of their options and the advantages and disadvantages of each one before making a decision. Having outside, independent directors can be a big advantage in this regard.

3. Before deciding which option to implement to solve a problem, many factors should be considered including: (a) the amount of time that will be needed to implement the solution; (b) who, within the company, will be involved and the impact on their other duties; (c) whether the company even has the qualified personnel needed to implement the solution or whether new employees or consultants need to be hired; (d) the cost of implementing the solution in terms of both dollars and other opportunities that cannot be taken advantage of due to monetary restraints; and (e) the effect of the solution on the company’s culture, strategy, branding, etc.

Conclusion

Now, many well known corporations are filing for bankruptcy protection. Many other companies are simply closing their doors. Why did they fail? Why couldn’t they turn their business around? People do not like to do business with troubled companies. Once a company is perceived to be in a downward spiral, customers often go to the company’s competitors and the company’s downward spiral accelerates. It is very difficult to get out of the spiral; if it were easy, everyone would do it. The goal should be to avoid getting into the spiral in the first place – that too is harder to do than it sounds.

Data Security Breaches Under the Georgia Personal Identity Protection Act

By Thomas Traylor, III[0. Thomas Traylor, III is an attorney for the City of Atlanta Department of Law, Hartsfield-Jackson Atlanta Airport.]

Data security breaches are a very real and pervasive threat. There are three principal data security breach sources: internal, external, and partners. Internal breaches refer to employees who abuse or exceed their access to personally identifiable information (“PII”). External breaches refer to unauthorized access to PII by third parties, such as network hacking, wireless packet sniffing, and malicious code. Breaches by partners occur when a business partner compromises PII, such as through a stolen notebook computer or lost backup tapes.

A recent study on data breaches determined that internal breaches compromised the highest median number of records per incident - followed by partner breaches and external breaches.[1. See Verizon Business, 2008 Data Breach Investigations Report (2008). The median number of records compromised for each data breach category was as follows: internal 375,000, partner 187,500, and external 30,000. See id. at 11.] In addition to understanding the relative damage per incident, it is important to examine the frequency of occurrence for each data breach category. The study determined that external breaches are significantly more likely to occur than either internal or partner breaches.[2. See id. at 11.] By calculating a risk index value from the data, the study determined that the greatest data breach risk is through partner breaches.[3. The risk index value was determined by multiplying the relative damage per incident (the median number of records compromised) by the likelihood of the breach occurring. See id. at 11.]

The study further noted that 55% of all external data system attacks required no or low level hacking skills. Only 17% were sophisticated attacks, with the balance of attacks falling in the middle.[4. See id. at 17-18.] This represents a shift from “fame” attacks, where the hacker was more interested in notoriety than in financial gain, to higher volume and lower sophistication financial attacks. This shift may represent the growing involvement of criminal hacking syndicates in emerging market countries.[5. See Marianne Kolbasuk McGee, DOJ Charges 11 in Retail Hacking, ID Theft Scheme (last modified Aug. 5, 2008) <http://www.informationweek.com/story/showArticle.jhtml?articleID=209903401>.]

In an effort to protect individuals from the growing threat of identity theft caused by data breaches, the Georgia General Assembly passed the Georgia Personal Identity Protection Act in 2005 (“GPIPA”).[6. 2005 Georgia Laws Act 163.] Initially, GPIPA’s applicability was limited to credit reporting entities; however, in 2007 the Georgia General Assembly expanded GPIPA’s coverage. [7. 2007 Georgia Laws Act 241.]

COVERED GPIPA ENTITIES

GPIPA covers three types of entities: information brokers, data collectors, and persons or businesses that maintain computerized data on behalf of an information broker or data collector.[8. O.C.G.A. §10-1-911(2),(3); O.C.G.A. §10-1-912(b).]

Information brokers are people or entities that collect and process PII as a paid service for non-affiliated third parties.[9. O.C.G.A. §10-1-911(3).] However, this classification does not include any governmental agency that maintains records primarily for traffic, safety, law enforcement, or licensing purposes.[10. Id.] In contrast, data collectors include any state or local government entity that maintains PII.[11. O.C.G.A. §10-1-911(2).] However, PII that is maintained primarily for traffic, safety, law enforcement, or licensing purposes or for purposes of providing public access to court records or to real or personal property information is not covered by GPIPA.[12. Id.]

WHEN DOES GPIPA APPLY?

The key to understanding GPIPA is a close examination of the covered data combinations (a “GPIPA Event”). A GPIPA Event is the combination of a person’s first name (or initial) and last name, plus one or more of the following: (i) social security number; (ii) driver’s license number; (iii) state identification card number; (iv) account number; (v) credit card number; (vi) debit card number; (vii) account passwords; (viii) PINs; or (ix) other access codes. Items (iv), (v), and (vi) only apply if the account number could be used without additional access codes. [13. O.C.G.A. §10-1-911(6).]

If a GPIPA Event occurs and results (or is reasonably believed to result) in the unauthorized acquisition of an individual’s electronic data that compromises the security, confidentiality, or integrity of the personal information of such individual, then GPIPA applies.[14. O.C.G.A. §10-1-912(a).] However, GPIPA can apply, absent a GPIPA Event, if the compromised information is sufficient to perform or to attempt to perform identity theft.[15. O.C.G.A. §10-1-911(6)(E).]

EXCLUSIONS TO GPIPA

There are several important exclusions to otherwise viable GPIPA Events: (i) publicly available information; (ii) encrypted data (with no required minimum level of encryption); and (iii) redacted information (such as a partially redacted credit card number). [16. O.C.G.A. §10-1-911(6).]

NOTIFICATION OF A GPIPA EVENT

After discovery of a GPIPA Event, notification must be given to all Georgia residents who may be affected.[17. Id.] GPIPA does not require actual knowledge that PII was compromised; rather, a reasonable belief that an unauthorized person acquired PII is sufficient to require notification.[18. O.C.G.A. §10-1-912(a).] Although the notification duty only covers Georgia residents, notifying all affected individuals is good practice.[19. Id.]

Under GPIPA, notice of a data breach must be given in the most expedient time possible and without unreasonable delay. However, the notice may be delayed while law enforcement investigates the data breach, while the scope of the breach is determined, or while the system’s integrity, security, and confidentiality are restored.[20. Id.]

There are three primary notice methods and four substitute notice methods under GPIPA.[21. O.C.G.A. §10-1-911.] The primary notice methods are written notice, telephone notice, and electronic notice.[22. O.C.G.A. §10-1-911(4)(A)-(C).] However, electronic notice only may be given if the consumer consented in advance to receive electronic notices in lieu of paper notices.[23. O.C.G.A. §10-1-911(4)(C).] The procedures required for consumer consent to electronic notices are outlined in 15 U.S.C.A. § 7001.[24. Id.] In the alternative, substitute notice may be given if an organization can demonstrate that: (i) the cost of giving notice through one of the primary methods exceeds $50,000; (ii) there are more than 100,000 individuals affected; or (iii) the organization does not have sufficient contact information to provide primary notice.[25. O.C.G.A. §10-1-911(4)(D).] E-mail, conspicuous notice on the entity’s webpage, notification of state-wide media, or notification prescribed by existing security policies (as long as these are consistent with GPIPA’s notice timing requirements) are acceptable substitute notice methods.[26. O.C.G.A. §10-1-911(4)(D).]

For third parties that maintain data on behalf of an information broker or data collector, notice of the breach must be given to the information broker or data collector within 24 hours.[27. O.C.G.A. §10-1-912(b).] Presumably, after the information broker or data collector receives notice from the third party, the information broker or data collector would be subject to the same notice schedule as if the data breach originated on its system.

Additionally, if more than 10,000 Georgia residents are affected by a particular breach, notice must be given to all consumer reporting agencies without unreasonable delay. [28. O.C.G.A. §10-1-912(d).] The notice to the credit reporting agencies must include details of the timing, distribution, and content of the notifications to the affected individuals.[29. Id.]

All entities covered by GPIPA should create a data breach notification plan, so that it can be readily initiated if a data breach occurs. Some suggested elements of the notification plan are: (i) the internal notification procedure for the organization that lists the members of the response team and their emergency contact information; (ii) a form press release that quickly can be adapted to the facts of any situation; (iii) an on-call agreement with a direct mailing company to handle the volume of letters that may need to be printed, folded, and mailed; (iv) a plan for providing credit monitoring for affected individuals (although credit monitoring is not required under GPIPA, providing this accommodation may help preserve consumer goodwill); and (v) a notice to the insurance carrier, if there is an insurance policy available for a data breach event.

LIABILITY

Although GPIPA does not create an independent civil cause of action, violations likely could be pursued under a variety of other theories, such as negligence per se. GPIPA does not contain any statutory remedies, in contrast to other states’ data protection laws. For example, California’s statutory remedies for data loss include a civil cause of action, statutory damages of $3,000 per violation for a willful, intentional, or reckless violation (otherwise $500 per violation), injunctive relief, attorneys’ fees and costs, and a cumulative remedy provision.[30. Cal. Civ. Code §1798.84.]

MINIMIZING EXPOSURE

Although the breadth of GPIPA’s applicability to data breaches is broad, there are several strategies to minimize its applicability: (i) prevent data breaches by using updated security systems (many system breaches occur as a result of the exploitation of known security vulnerabilities that users fail to patch); (ii) design systems to minimize the storage of PII; (iii) use non-PII unique identifying numbers (rather than a social security number); (iv) verify that all stored PII is kept because of a compelling business reason;[31. Data systems should be designed in a way that minimizes the unnecessary storage of PII, keeping only data required to accomplish a business objective.] (v) to the extent that PII must be stored, unnecessary portions should be redacted (e.g., instead of storing an entire credit card number, only store the last four digits); (vi) use storage substitutes such as hashes in place of PII;[32. A hash value is a mathematical computation of the data that masks the data’s real value. User input can be checked against the hash value to verify authenticity, without actually storing the value the hash represents. For example, system passwords can be stored as a hash value, instead of storing the actual password. When a user attempts to log onto the system, the entered password is hashed and the result is compared to the stored hash value for authentication. However, if a hacker were to compromise the database of hashed passwords, the actual password cannot be “reverse-engineered” from the hash value – hash translation is a one-way process.] (vii) verify that stored PII is encrypted using a strong algorithm;[33. The use of encryption can help secure data and prevent GPIPA liability. Compromised data that otherwise would be covered by GPIPA is not considered a GPIPA Event if the data is encrypted. There are many types of encryption technology commercially available, with varying degrees of security confidence. Although GPIPA does not mandate a specific grade of encryption, higher grades of encryption offer the best protection.] and (viii) design databases that compartmentalize the storage of PII on different network segments to make a GPIPA Event less likely.[34. To the extent that PII needs to be stored, its storage should be compartmentalized to make the creation of a GPIPA combination more difficult.]
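Strategies (iii), (v), and (vi) can be applied together at the point where a customer record is first stored. The sketch below is an added illustration, not part of the original article; the function names, record fields, and the choice of PBKDF2 and HMAC-SHA-256 are assumptions, and the sample record is constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Strategy (vi): keep a salted, slow hash instead of the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Re-hash the login attempt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def last_four(card_number):
    """Strategy (v): retain only the last four digits of a card number."""
    digits = [c for c in card_number if c.isdigit()]
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return "".join(digits[-4:])


def ssn_lookup_token(ssn, key):
    """Strategy (vi) for an SSN. A keyed hash (HMAC) is used because a
    nine-digit number has so few possible values that a plain hash could be
    enumerated. The key must live outside the database that holds the token."""
    digits = "".join(c for c in ssn if c.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain nine digits")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def minimize(raw, key):
    """Build the record that is actually stored from the raw intake form."""
    salt, pw_hash = hash_password(raw["password"])
    return {
        # Strategy (iii): random surrogate identifier, unrelated to the SSN.
        "customer_id": secrets.token_hex(8),
        "name": raw["name"],
        "card_last4": last_four(raw["card_number"]),
        "ssn_token": ssn_lookup_token(raw["ssn"], key),
        "pw_salt": salt.hex(),
        "pw_hash": pw_hash.hex(),
    }


if __name__ == "__main__":
    # Constructed sample input; none of these values belong to a real person.
    form = {"name": "Pat Example", "ssn": "000-12-3456",
            "card_number": "4111 1111 1111 1234", "password": "correct horse"}
    stored = minimize(form, key=secrets.token_bytes(32))
    for field, value in stored.items():
        print(f"{field}: {value}")
```

The stored record can still answer "is this the same SSN?" and "is this the right password?" without the database ever holding either value.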

RECOVERY FROM A HACKER

Depending on the specific facts associated with the data breach, your organization may be able to recover damages from the hacker. Two possible methods for civil recovery are the Computer Fraud and Abuse Act (17 U.S.C.A. §1030) and the Georgia Computer Systems Protection Act (O.C.G.A. §16-9-90 et seq.). However, there are a number of factors that may prevent a meaningful recovery, such as difficulty tracking the hacker, enforcing a United States judgment abroad, and a high likelihood of relative insolvency. Unfortunately, unless you can track the hacker to the basement of his parents’ multi-million dollar home, there may be few assets to recover.

INCREASING REGULATION

In addition to GPIPA, the Federal Trade Commission’s involvement in data security breaches is increasing. According to the FTC, it has filed twenty complaints alleging “security deficiencies in protecting sensitive consumer information.” In two recent complaints, In the Matter of the TJX Companies, Inc., 2008 WL 3150421 (2008) and In the Matter of Reed Elsevier Inc. and Seisint, Inc., 2008 WL 3150420 (2008), the FTC alleged that failing to employ reasonable and appropriate security measures to protect personal information is an unfair trade practice. In both cases, the parties agreed to consent orders that included the implementation of a comprehensive data security program and regular third-party data security assessments for twenty years.

Legislative action in the area of data protection likely will increase, so it is important to view GPIPA as an evolving statute. Future revisions to GPIPA may include a tightening of the encryption safe harbor, expanded remedies, and broader applicability to companies doing business in Georgia.

E-Discovery Case Update

By Larry H. Kunin, Chair, Technology Section Litigation Committee

Join the Technology Section Litigation Committee. The Litigation Committee is looking for new members. The committee serves as a forum to debate technology-related litigation issues and as a resource on technology litigation issues for its members. The committee meets quarterly for breakfast or lunch, sponsors one of the Technology Section’s quarterly CLE luncheons, and provides this quarterly e-discovery update. For information please contact Larry Kunin, Morris, Manning & Martin, LLP at 404-504-7798.

QualComm Update #2 – Sanctions Against Attorneys Lifted. In the last edition of this E-Discovery update, we reported the sanctions of $8,568,633.24 against QualComm and a referral of ethical violations by QualComm’s attorneys to the California Bar. The District Court has now vacated and remanded to the magistrate the sanctions against counsel. The court held that on remand, counsel would be permitted to fully defend themselves notwithstanding the attorney-client privilege.

Request for Metadata Denied. D'Onofrio v. SFX Sports Group, Inc., 2008 WL 189842 (D.D.C. Jan. 23, 2008): In this case, Plaintiff sought the production of documents in native format, including metadata. Plaintiff, however, had not initially requested the documents in native format as required by the new Federal Rules. Additionally, defendants argued that the new Federal Rules do not require the production of metadata absent a showing of relevance. The court agreed with the defendants and rejected plaintiff’s request.

Defendant Responsible For Cost Of Plaintiff’s Expert And Over-Exclusion Caused By Unilateral Requests To Broaden Privilege Search. Henry v. Quicken Loans, Inc., 2008 WL 474127 (E.D. Mich. Feb. 15, 2008): Following the defendant’s objection to the production of potentially privileged emails under a clawback agreement, the court resolved a motion to compel by requiring that the parties agree to search terms to be given to the plaintiff’s expert to search defendant’s back-up tapes. The order required that plaintiff be responsible for the expert’s costs. After an initial search excluded fewer emails than defense counsel expected, defense counsel unilaterally instructed the expert to broaden the privilege search, resulting in additional expert costs and over-exclusion of emails. After rejecting an assertion that communications between defense counsel and the expert were unethical, the court ordered that defense counsel be responsible for the expert’s cost for the additional, broader searches.

Attorneys Negligent for Relying on Client's Defective Search Methods, but Only Client Sanctioned. Finley v. Hartford Life and Acc. Ins. Co., 2008 WL 509084 (N.D. Cal. Feb. 22, 2008): In this disability benefits case, defendant produced certain surveillance videos, but failed to produce a specific kitchen video due to what defendant claimed was an oversight. The kitchen video, however, was ultimately produced in a supplemental production. Plaintiff filed a motion for sanctions, seeking reimbursement of deposition and expert costs that were incurred prior to the supplemental production. The court granted the motion based on the defendant’s defective search for producible materials, stating that an oversight does not excuse its production obligations. Notably, the video was not misplaced; it was located exactly where it should have been. The court, however, did not sanction the attorneys for failing to provide more detailed search instructions because plaintiff’s request for production did not specifically request the video. In other words, counsel did not know specifically what to ask the client to search for. Nonetheless, the client, when conducting a search, should have located the video. As such, the court issued sanctions against the defendant in the amount of $9,000, a fraction of what was sought.

Spoliation Sanctions Rejected; Although Deleted Email was Not Reasonably Accessible, Court Holds No Duty to Search Backup Tapes. Petcou v. C.H. Robinson Worldwide, Inc., 2008 WL 542684 (N.D. Ga. Feb. 25, 2008): Due to the manner in which the defendant’s email system was set up, deleted emails are retained for only 8 days, and when an employee is terminated all emails are deleted after 10 days. It is thus unlikely that relevant emails were still on the defendant’s system. The emails are presumably captured on backup tapes, but retrieving them is expensive, with the cost reaching almost $80,000 to search one year of tapes. The court weighed (i) the cost against (ii) the breadth of the plaintiff’s request, complications determining which emails were relevant, and potential value given the likelihood they would be cumulative evidence. The court concluded that defendant met a showing of undue burden. The court also rejected a request for spoliation sanctions, holding that deletion of the emails was in accordance with its normal document retention plan.

Merely Alleging Undue Burden is Not Sufficient to Avoid Production. City of Seattle v. Prof'l Basketball Club, LLC, 2008 WL 539809 (W.D. Wash. Feb. 25, 2008): After finding that requested information was relevant, the court cited new Federal Rule 26(b)(2)(B) to reject a bald assertion that production would produce mountains of work. Instead, to avoid production, the producing party must specifically establish the burdensome nature of production.

Sanctions Rejected Where Computer System Did Not Retain “Sent” Emails. Clearone Communications, Inc. v. Chiang, 2008 WL 704228 (D. Utah Mar. 10, 2008): Plaintiff alleged that a defendant should be sanctioned for failure to produce a smoking gun email that was ultimately produced by another party who was a recipient of the email. The court, however, disagreed, instead finding that the defendant did not withhold the email; it simply did not have it due to the unusual fact that the subject computer system did not retain “sent” emails.

Plaintiff Permitted to Assert State Law Claim for Spoliation For Failure to Implement Litigation Hold. Ed Schmidt Pontiac-GMC Truck, Inc. v. DaimlerChrysler Motors Co., LLC, 2008 WL 668267 (N.D. Ohio Mar. 11, 2008): During discovery, plaintiff alleged that the defendant failed to implement a litigation hold, resulting in the destruction of relevant evidence. Specifically, plaintiff alleged that the defendant replaced or altered hard drives before plaintiff made forensic images designed to preserve evidence. As a result, plaintiff desired to add a claim of spoliation under Ohio state law, which recognizes such a cause of action. Finding that the plaintiff was able to allege the elements, the court permitted the amendment. The elements of spoliation under Ohio law are: (i) pending or probable litigation involving the plaintiff; (ii) knowledge on the part of the defendant that the litigation exists or is probable; (iii) willful destruction of the evidence by the defendant designed to disrupt the plaintiff's case; (iv) disruption of the plaintiff's case; and (v) damages proximately caused by the defendant's actions.

Request to Produce Document in Native Format Rejected. Autotech Techs. Ltd. P’ship v. Automationdirect.com, Inc., 2008 WL 902957 (N.D. Ill. Apr. 2, 2008): Following the production of a document in .pdf and in paper format, defendant requested that the document be produced in native format so that it could see metadata. The court rejected the request, noting that the paper version of the document included a history of changes made to the document. Also, the defendant had not specified what specific metadata it sought, and did not include it in its initial requests. Notably, the court cited the Sedona Principles for the proposition that ordinarily a party need not take efforts to preserve metadata.

Attorneys Sanctioned for Obstructing Forensic Examination. Sterle v. Elizabeth Arden, Inc., 2008 WL 961216 (D. Conn. Apr. 9, 2008): In this case, the court established a protocol for the inspection of defendant’s computers by a mutual independent forensic expert. When the expert appeared at defendant’s premises, however, his access was restricted by defense counsel, thus preventing a full inspection. Plaintiff filed a motion for contempt, which was granted. The court stated that defense counsel’s conduct amounted to obstruction and ordered counsel to pay plaintiff’s counsel the fees and costs expended in efforts to enforce the protocol, as well as the expert’s fees and costs.

Larry Kunin practices in Morris, Manning & Martin’s Litigation Department with a concentration in technology and intellectual property litigation, including trade secret, software performance, trademark and copyright litigation, as well as general commercial and reinsurance litigation. Larry received his B.A. from the University of South Florida, his M.B.A. from the University of Miami, and his J.D. from the University of Florida. He can be reached at lkunin@mmmlaw.com.

Diagnosing a Troubled Company - Part 1

By Dennis J. Gerschick, Attorney, CPA, CFA

In a prior article, I noted that the first step in solving a problem is to acknowledge there is a problem. I explored why getting people to acknowledge problems is a significant hurdle. However, assuming that problems have been acknowledged, the next step should be to determine what is causing the problems. Then, you can focus on the possible solutions.

Even when problems are identified or become obvious, many people will ignore them for a variety of reasons. One, they may tell themselves the problem is not that big and it will take care of itself. Two, it is a matter of priorities; people will generally focus on the things that cause them the most pain. “The squeaky wheel gets the grease.” Three, they see problems as irritants, not proof that something is broken. Like Scarlett O’Hara, they will “deal with it tomorrow.” Unfortunately, as time goes by, little problems often become bigger and bigger.

In diagnosing a company, a good starting point is to have the company do an honest self-assessment. I emphasize the word honest, because I tell executives if they start lying to themselves, the game is over. A self-assessment requires a company to explore many questions including:

  • Where is the company today?
  • What are its competitive advantages?
  • What are its weaknesses?
  • Compare the company to its competitors.
  • What are the competitors doing well that the company can emulate?
  • What market position does the company have?
  • What is the company’s business strategy? Is it the right strategy?
  • Is the company executing the strategy effectively? If not, why not?

Many other questions need to be explored. The key point is that it is important to get people to start thinking, challenging conventional wisdom, and talking openly and honestly.

A hurdle at many companies is that employees tell their bosses what they think they want to hear, instead of what they need to hear. Office politics is often an impediment to progress. Who knows what a company’s problems are? Executives should talk regularly with the company’s customers, suppliers, and employees. Bill Gates has written that the key to business is to make it easy for customers to complain. If you make it easy for them to complain, guess what happens – they will complain! While no one enjoys listening to complaints, it is important because it educates management from the customer’s perspective and provides an opportunity to fix the problem. Will management listen? Many don’t. Henry Ford once said customers could have any color they wanted so long as it was black! Was he interested in what the customer wanted? No! He was interested in what was easy and economical for his company. His decision allowed General Motors to gain a competitive advantage because GM started offering its cars in different colors. A company should solicit input from customers. How this can be done is an important topic, but one that is too big for this article.

Employees are another great source of information that can be exploited if done correctly. Unfortunately, many companies ignore employees who speak up or worse, punish them. Companies would be well advised to create a culture that encourages employees to speak up. As one step, a company should acknowledge within the company the employee’s initiative if they identify a problem and offer a practical solution. The employee should also be rewarded, because what gets rewarded gets done.

Some companies face numerous problems and they may seem overwhelming. I suggest they make a list that includes:

  • A description of the problem.
  • Evidence that the problem exists.
  • Possible causes of the problem.
  • Possible solutions and what the solution requires in terms of money, expertise, and time. (Time is important both in terms of how long will it take to implement the solution, and how many hours of labor by the employees and/or third parties will be required.)
  • The individual or individuals responsible for fixing the problem.

Management can then confer regularly with those individual(s) to monitor their progress. The list should usually be in order of priority. That is, the biggest problem should be addressed first. In some cases, management might elect to fix smaller problems if they will not take too much time or money. If they fix some problems, they send the message throughout the company that they are serious about fixing them, and if progress is seen by employees, morale often improves. One good step leads to another; it is a matter of momentum.

Summary of Key Points

1. Every business has problems; it is only a matter of how big or small the problem is.
2. The world is constantly changing. What worked at one time may not be effective at a later time. Companies must continuously adapt to changing circumstances.
3. Even when problems are identified, companies do not always fix them promptly for a number of reasons.
4. Usually, it takes time to get into trouble, and it will take time to get out of trouble. The sooner a company starts to address its problems, the easier it will be to fix them.
5. Companies help themselves by having a culture that encourages employees, customers, and suppliers to speak up and addressing the problems they see promptly.

Copyright 2008 Dennis J. Gerschick All Rights Reserved. Dennis Gerschick is the President of Gerschick Business & Investment Counsel, LLC and can be reached at dennis@gerschick.com. Dennis would appreciate your suggestions for future articles.