Wednesday, December 19, 2012

FTC Announces Significant Update of COPPA Rule



After a number of rounds of public comment and workshops, the FTC has released its revised regulations under the Children’s Online Privacy Protection Act of 1998 (“COPPA”). The new regulations, to take effect on July 1, 2013, take into account changes in both technology and business since the original statute and regulations were enacted. According to the FTC’s release, the revised COPPA regulations:
  • modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
  • offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
  • close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
  • extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
  • extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
  • strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential;
  • require that covered website operators adopt reasonable procedures for data retention and deletion; and
  • strengthen the FTC’s oversight of self-regulatory safe harbor programs.

In his public statement describing the new Rule, FTC Chairman Jon Leibowitz described the FTC’s intentions with its revisions:

Just like you, we want a Rule that will protect innovation, and we think we have crafted one. Just like you, we want a Rule that will foster safe and vibrant spaces for children that are beneficial for learning and growth without creating a sanitized version of the Internet for older kids and adults, and we think we have struck that balance. Just like you, we want a Rule that will support diverse and free services online, and we think we are offering one today.

And, let’s be clear about one thing: under this Rule, advertisers and even ad networks can continue to advertise, even on sites directed to children. Business models that depend on advertising will continue to thrive. The only limit we place is on behavioral advertising, and in this regard our Rule is simple, effective, and straightforward: until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising purposes. Period.

The FTC has prepared a list of “Five Need-to-Know Changes” to the COPPA Rule for businesses, available here. The full text of the new Rule, to be published in the Federal Register, may be downloaded from this link. Finally, for some historical perspective, the following (courtesy of C-SPAN) is the original floor speech by Senator Richard Bryan of Nevada introducing COPPA on July 17, 1998:
 

Tuesday, December 18, 2012

FTC Orders 9 Data Brokers to Provide Info on Privacy Practices

The FTC announced today that it had issued orders to nine data brokers to disclose how they collect and use consumer data. This is consistent with earlier guidance from the FTC, which recommended legislation targeting the data broker industry in its March 2012 Report on Protecting Consumer Privacy:



[T]he Commission recommends that Congress consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers. The proposed framework recommended that companies provide consumers with reasonable access to the data the companies maintain about them, proportionate to the sensitivity of the data and the nature of its use. Several commenters discussed in particular the importance of consumers’ ability to access information that information brokers have about them. These commenters noted the lack of transparency about the practices of information brokers, who often buy, compile, and sell a wealth of highly personal information about consumers but never interact directly with them. Consumers are often unaware of the existence of these entities, as well as the purposes for which they collect and use data.
The Commission agrees that consumers should have more control over the practices of information brokers and believes that appropriate legislation could help address this goal. Any such legislation could be modeled on a bill that the House passed on a bipartisan basis during the 111th Congress, which included a procedure for consumers to access and dispute personal data held by information brokers.
According to today's release, the FTC will use the information provided by the nine data brokers "to prepare a study and to make recommendations on whether, and how, the data broker industry could improve its privacy practices." The FTC's orders (in PDF format) may be downloaded here.

Monday, December 17, 2012

Children's Privacy: CDD files FTC Complaint Against Nickelodeon Spongebob App



In the latest legal development in the increasingly active world of children's privacy law, the Center for Digital Democracy announced that it had filed a complaint with the Federal Trade Commission against the cable network Nickelodeon and software developer PlayFirst over the SpongeBob Diner Dash game for iOS. According to the CDD's release, the description for the game in Apple's iTunes store inaccurately states that the app complies with the Children's Online Privacy Protection Act ("COPPA"):

As the complaint documents, Nickelodeon and PlayFirst engage in deceptive acts by representing in the privacy disclosure on the Apple App Store that the app’s “data collection is in accordance with applicable law, such as COPPA,” when in fact it is not. The SpongeBob Diner Dash game asks children to provide a wide range of personal information, including full name, email address, and other online contact information, without providing notice to parents or obtaining prior parental consent, as required by the Children’s Online Privacy Protection Act. Nor does the app provide an adequate description of the personal information it collects or how it is used.  
The FTC has not yet responded to CDD's request to investigate Nickelodeon and PlayFirst. CDD's complaint may be read here.

In a related matter, the FTC will reportedly release its update to the COPPA rules this week. These rules, which have been the subject of significant public discussion and comment, are the key regulatory requirements for those companies which collect personal information from children under the age of 13.

Wednesday, December 12, 2012

Peter Fleischer, Other Google Execs Still May Face Jail in Italy Privacy Case

AP Image of trial court via KLEWTV.com
In the latest installment in a case that highlights both the legal risks and absurdity of the cross-border nature of the Internet, the Milanese prosecutor in the case against Peter Fleischer and two other Google executives has asked an appeals court to uphold the six-month jail sentences they received in a criminal privacy case. The case arose out of a 2006 posting to Google Video by Italian teenagers of a short video of a learning-disabled classmate. Although none of the executives had any involvement with the posting or its prompt removal by Google Video after notification, they were still charged (along with another colleague, later acquitted) with violations of Italian privacy law. Fleischer, who was then Google's chief privacy counsel in Europe, was arrested when he traveled from his Paris office to Italy to give a lecture in January 2009. After the case came to trial, Fleischer and two of his colleagues (including Google's chief legal officer, David Drummond) were convicted in February 2010 and given six-month sentences, automatically suspended under Italian law. The case was then appealed, leading to the latest development.

Fleischer, in a recent blog entry about the appeal, describes both the facts and the illogical nature of the case against him, given that he and his colleagues had nothing to do with the incident:

Under European law, hosting platforms that do not create content, such as Google Video, YouTube, Bebo, Facebook, and even university bulletin boards, are not legally responsible for the content that others upload onto these sites. But in this instance, a public prosecutor in Milan decided to charge us with criminal defamation and a failure to comply with the Italian privacy code.  None of us, however, had anything to do with this video. We did not appear in it, film it, upload it or review it. None of us knew the people involved or were even aware of the video's existence until after it was removed.
 This case, similar in many ways to the action in Germany against Compuserve's Felix Somm in 1996, serves as a stark reminder that those associated with companies doing business online may find themselves facing personal liability or even prosecution based on the laws of other countries, even when the individuals had no connection with the activity in question, and even when the activity was fully legal under the laws of the jurisdiction in which the company is based. While it is impossible to research and be certain of compliance with every relevant law in every possible country with access to the Internet, those who work for high-profile businesses, especially companies whose activities may potentially violate particular nations' cultural norms, should at the least be aware of these risks when considering business or personal travel to other regions. Companies, for their part, must include these risks in their overall assessments when choosing to do business online.

Wednesday, December 5, 2012

FTC Settles With Online Marketer Over "History Sniffing"



The Federal Trade Commission ("FTC"), the chief federal agency for consumer protection, has announced a proposed settlement with online marketer Epic Marketplace, Inc., over what the Commission called a "deceptive" use of a technology called "history sniffing." According to the FTC's release:

Epic Marketplace is a large advertising network that has a presence on 45,000 websites.  Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed.  The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.   
In its privacy policy, Epic claimed that it would collect information only about consumers’ visits to sites in its network.  However, according to the FTC, Epic was employing history-sniffing technology that allowed it to collect data about sites outside its network that consumers had visited, including sites relating to personal health conditions and finances. 
According to the FTC complaint, the history sniffing was deceptive and allowed Epic to determine whether a consumer had visited any of more than 54,000 domains, including pages relating to fertility issues, impotence, menopause, incontinence, disability insurance, credit repair, debt relief, and personal bankruptcy.
The technique used by Epic apparently combined two methods enabled by its cookie-placing network: seeing whether a user's browser program colored particular links to indicate they had been previously clicked, and accessing the cache (temporarily stored files) of the browser.

The proposed settlement order bars Epic from further history sniffing, mandates full and accurate disclosure of Epic's information collection practices, and places restrictions and retention requirements on Epic's data collection and sharing. It does not, however, contain any financial penalties for Epic's conduct.

Tuesday, December 4, 2012

Blogger Settles Case with Former Employer Over Twitter Follower Ownership

Noah Kravitz' Twitter Statistics


The social media and technology blog Mashable reports that blogger Noah Kravitz has settled the lawsuit filed by his former employer, mobile tech blog PhoneDog, over the Twitter followers Kravitz kept when he left PhoneDog in October 2010 and changed his Twitter account from @phonedog_noah to a more personal @noahkravitz. The original complaint filed in the Northern District of California in July 2011 alleged that Kravitz' keeping the Twitter followers constituted misappropriation of trade secrets, intentional interference with prospective economic advantage, and other business torts. According to Mashable, the case has been settled through mediation.

The issue of ownership of a company's online resources, particularly those created and built by former employees on their own initiatives, is not new; in the mid-nineties, the New York Post had a dispute over the NYPost.com domain name with Farhan Memon, a former freelancer who had registered it during his work for the Post, and MTV had a similar conflict with its former VJ Adam Curry over the MTV.com domain Curry had registered. The Kravitz case, though, serves as a reminder that whenever an organization is being represented through an online presence, it needs to create and enforce clear guidelines in advance over who controls that presence, which should include ensuring that a single employee's departure (willing or otherwise) does not impede the organization's online efforts.

Sunday, December 2, 2012

Australian Federal Police Shut Down Romanian Cybercrime Ring

Australian Federal Police flag


The Australian Federal Police announced on November 29th that it had charged seven people in Romania for "the largest credit card data theft in Australia's history." According to the release, the investigation began in June 2011 based upon a referral from an Australian financial institution, and ultimately involved "numerous international law enforcement partners" including Romanian authorities.

The scope of the data theft is substantial: more than 500,000 credit cards were potentially accessible, with approximately 30,000 being used for "fraudulent transactions amounting to more than $30 million" Australian dollars. The cost of the fraud was apparently not borne by Australian consumers; instead, as in the United States, the issuing banks reimbursed the cardholders for the fraudulent transactions, which were performed throughout the world, including in Europe and the United States.

The case highlights the borderless nature of the Internet and the resulting challenges for law enforcement officials, as well as the significant financial exposure by companies and consumers for international (and local) data breaches and theft.

(Via @mukimu on ZDNet)

Friday, November 30, 2012

Risk Highlight: Syrian Government Turns Off Internet

In the latest salvo between the Syrian government and opposition forces, the government has reportedly used its control over Syria's telecommunications infrastructure to completely cut off the nation's Internet access. The shutoff can be seen in Renesys' Internet traffic graph for Syria, showing the complete cessation of all globally reachable Syrian networks between 10:20 and 10:30 UTC on November 29th:

Renesys Internet Traffic Graph for Syria

In response, other nations and companies have stepped in to try to provide at least limited connectivity to Syrians. Google has reactivated its Speak2Tweet service, although the limited telephone service in Syria may reduce its usefulness, and the U.S. State Department announced that it had previously provided 2,000 communications kits, with computers, telephones and cameras, that are "designed to be independent from and able to circumvent the Syrian domestic network precisely for the reason of keeping them safe, keeping them secure from regime tampering, regime listening, regime interruption."

Beyond the clear local and geopolitical aspects, this latest governmental cutoff of Internet access, as with the outages caused by recent storms in the United States, highlights that the telecommunications infrastructure on which businesses depend is largely out of their control. Effective risk management, involving backup systems, contracts, insurance and other means, must take that reality (and its potential implications) into account.

Wednesday, November 28, 2012

Mobile App Privacy: A Slowly Expanding Area

Consumer privacy is a broad area that has been discussed and analyzed by, and has received guidance from, both the Federal Trade Commission and the White House. Mobile application privacy, an important subset of consumer privacy, has been receiving significant attention over the past year as the importance of the mobile platform increases.

The push for protection in mobile app privacy most clearly began with a Joint Statement of Principles laid out by the California Attorney General, created in February 2012. The California Joint Principles represent an agreement by several top companies in the mobile industry. The agreement, which includes Apple, Google, Research In Motion, HP, and Microsoft (in addition to Facebook, which signed on in June), states what these companies promise to do in their mobile app store. The agreement reached by the major mobile companies provides that the California Online Privacy Protection Act is applicable to any application that collects personal data from a consumer. Such an app requires a “conspicuously posted” privacy policy. The agreement provides that when an app is submitted to a mobile app store by the developer there should be a hyperlink to the privacy policy or the actual privacy policy for that particular app. The privacy policy, whether a hyperlink or the full text, should be available in the mobile app store prior to download of the app. The major mobile companies must also provide a method for users to report apps that do not have such a policy or whose policy does not comply with applicable law.

In addition to the Joint Principles, the FTC has released a new Report on marketing mobile applications, in September of 2012, that contains suggestions on how to limit privacy concerns in a mobile app.  The FTC suggests that mobile app creators:

Build privacy considerations in from the start.  The FTC calls this “privacy by design.”… Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need.  Apply these principles in selecting the default settings for your app and make the default settings consistent with what people would expect based on the kind of app you’re selling.  For any collection or sharing of information that’s not apparent, get users’ express agreement.  That way your customers aren’t unwittingly disclosing information they didn’t mean to share.
Be transparent about your data practices….Offer choices that are easy to find and easy to use…Honor your privacy promises…The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises in the day-to-day operation of their business.  The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers…Protect kids’ privacy…
Collect sensitive information only with consent.  Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.  It’s a mistake to assume they won’t mind.
Keep user data secure...The wisest policy is to:
  •  collect only the data you need;
  • secure the data you keep by taking reasonable precautions against well-known security risks;
  • limit access to a need-to-know basis; and
  • safely dispose of data you no longer need.
As mobile app privacy is a new and growing area, the actual implications for businesses are not yet clear. The California Joint Statements only require that mobile app store providers provide a location for the individual app’s privacy policy. This only implicitly requires that mobile app creators have a privacy policy. The FTC guidelines are less stringent. As stated in its report on consumer privacy, the FTC does not believe that it has the power, at this time, to broadly regulate the area of privacy. However, the FTC suggestions show what the Commission might enforce if given the power to do so by Congress.

(Written by Brett Alazraki, Fall 2012 IBLT Entrepreneurship Assistance Fellow)

Tuesday, November 27, 2012

HIPAA De-Identification Guidance from HHS OCR

The Office of Civil Rights ("OCR") of the U.S. Department of Health and Human Services recently issued guidance for appropriate ways to de-identify (remove personally identifiable information from) electronically stored health records. De-identification is required by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule in order to permit scientific analyses and other publicly beneficial uses of health records without violating the privacy of the patients whose health information is being shared for analysis. Section 164.514(b) of the HIPAA privacy rule provides two methods for de-identification: Expert Determination and the so-called "Safe Harbor."

It can be challenging, though, to completely de-identify any health information, since those with other sources of information may be able to combine those databases with the de-identified data to "re-identify" individual patients. (In a non-health context, this was demonstrated in 2006 after AOL released a supposedly anonymized search query database of its users, and reporters were able to positively identify at least one user by her particular searches.) With its latest guidance (which can be downloaded here), OCR answers questions about the use and limitations of its approved de-identification methods.

(via IAPP)

Facebook “Hoax” Shows Privacy A Serious Matter for Users


In recent days, numerous Facebook users have posted a legal-sounding statement as an update to their pages containing some version of the following:

“In response to the new Facebook guidelines I hereby declare that my copyright is attached to all of my personal details, illustrations, comics, paintings, professional photos and videos, etc. (as a result of the Berner Convention). For any commercial use of the above my written consent is needed at all times! Anyone reading this can copy this text and paste it on their Facebook Wall. This will place you under protection of copyright laws. By the present communiqué, I notify Facebook that it is strictly forbidden to disclose, copy, distribute, disseminate, or take any other action against me on the basis of this profile and/or its contents.

The aforementioned prohibited actions also apply to employees, students, agents and/or any staff of Facebook or under their direction or control. The content of this profile is private and confidential information. A violation of my privacy is punishable by law (UCC 1 1-308-308 1-103 and the Rome Statute).

Facebook is now an open capital entity. All members are recommended to publish a notice like this, or if you prefer, you may copy and paste this version. If you do not publish a statement at least once, you will be tacitly allowing the use of elements such as your photos as well as the information contained in your profile status updates.”

This is not the first time Facebook users have felt the need to add a legal disclaimer to their statuses in an effort to protect their rights. A similar statement made the rounds a few months ago, with a greater focus on privacy:

Facebook is now a publicly traded entity. Unless you state otherwise, anyone can infringe on your right to privacy once you post to this site. It is recommended that you and other members post a similar notice as this, or you may copy and paste this version. If you do not post such a statement once, then you are indirectly allowing public use of items such as your photos and the information contained in your status updates.

PRIVACY NOTICE: Warning - any person and/or institution and/or Agent and/or Agency of any governmental structure including but not limited to the United States Federal Government also using or monitoring/using this website or any of its associated websites, you do NOT have my permission to utilize any of my profile information nor any of the content contained herein including, but not limited to my photos, and/or the comments made about my photos or any other "picture" art posted on my profile.

You are hereby notified that you are strictly prohibited from disclosing, copying, distributing, disseminating, or taking any other action against me with regard to this profile and the contents herein. The foregoing prohibitions also apply to your employee , agent , student or any personnel under your direction or control.

The contents of this profile are private and legally privileged and confidential information, and the violation of my personal privacy is punishable by law. UCC 1-103 1-308 ALL RIGHTS RESERVED WITHOUT PREJUDICE

These two statements have a few elements in common. First, there was no new policy (or change to a policy) at Facebook to trigger these notices. Next, even had there been such a policy, the notices themselves were ineffectual and inaccurate from a legal perspective (e.g. profile notices do not modify contracts; there is a Berne Convention regarding copyright but no “Berner Convention”; the U.C.C., or Uniform Commercial Code, is a state law regarding the sale of goods, having nothing to do with Facebook profiles or privacy). Additionally, both notices went viral very quickly, spreading to literally tens of thousands or more Facebook users, even as others posted rebuttals and links to sites such as Snopes.com, and news sites covered and further debunked the warnings about “new Facebook guidelines.”

The main factor that these viral postings share, though, is the lesson that they can provide to Facebook and numerous other organizations: namely, that users care deeply about, and do whatever they think they can to ensure, their privacy. This is not a new idea, nor is this the first time a rumored (though inaccurate) threat to privacy generated vast consumer and even legislative response. In late 1996, e-mails spread warning about the supposed revelation by Lexis/Nexis of Social Security numbers and mothers’ maiden names (two important pieces of data that could be misused by identity thieves to steal account access) in its new P-Trak consumer information database. In reality, P-Trak had originally included Social Security numbers but had been quickly revised to allow only searching by such numbers if the searcher already knew them, and the database had never contained mothers’ maiden names. Nonetheless, consumers jammed Lexis/Nexis’ customer service lines demanding to be removed, and the incident sparked a letter from three senators to the FTC and a resulting FTC public workshop and report to Congress on privacy of social security numbers and other information.

The overall idea of consumers and other users being able to know and manage the information being collected about them has long been a significant part of privacy best practices. The FTC and numerous other bodies in the U.S. and throughout the world have promulgated some version of Fair Information Practice Principles (“FIPP”), which generally include sections on notice, choice and participation. More recently, in February 2012, the Obama Administration published a report entitled Consumer Data Privacy In A Networked World: A Framework For Protecting Privacy And Promoting Innovation In The Global Digital Economy, which included a Consumer Privacy Bill of Rights incorporating individual control, transparency, and access and accuracy among its elements. The whole concept of a Web site’s “privacy policy” is that it serves as a disclosure document, informing and empowering consumers with regard to the personal information collection and use by the site’s owner, and even absent general federal mandates for privacy policies in the United States, the vast majority of sites offer them, largely because consumers might otherwise suspect a site without a privacy policy of misusing their personal data.

Unfortunately, the theory of privacy policies and fair information practices does not always translate into reality. The double wave of Facebook viral postings, which were frequently made by those who weren’t either privacy advocates or lawyers, shows both that accurate information about Facebook’s practices was not being effectively communicated to its millions of users, and that users did not know how to find and use Facebook’s actual privacy controls. As confusing as Facebook’s controls may be, those of search/software/service giant Google are substantially more challenging, given how many different products Google offers, the numerous platforms on which they run, and the sheer volume of information being collected and used by Google.

If Facebook is paying attention to its users, it can do a huge service to them and the overall Internet community by taking this latest viral reaction to heart. Facebook should use this incident as a spark to substantially improve user access to, and understanding of, its information collection practices. Other sites, including those many news sites that covered the story, should likewise reexamine and improve their own user privacy experiences. Otherwise, they may face not only unhappy and confused users, but regulatory and legislative actions that have a much more severe and long-lasting impact on their businesses and their ability to properly (and transparently) use what they learn about their customers.

Friday, November 23, 2012

ABA Adopts New Cybersecurity Policy

The Board of Governors of the American Bar Association ("ABA"), the U.S.' largest legal professional organization, has recently adopted a cybersecurity policy recommended by the association's Cybersecurity Legal Task Force. The ABA hopes that its new effort will guide "the executive and legislative branches" of the government in "making policy determinations for improving cybersecurity for the U.S. public and private sectors."

The ABA's policy consists of five principles:
  • Principle 1: Public–private frameworks are essential to successfully protect U.S. assets, infrastructure, and economic interests from cybersecurity attacks.
  • Principle 2: Robust information sharing and collaboration between government agencies and private industry are necessary to manage global cyber risks.
  • Principle 3: Legal and policy environments must be modernized to stay ahead of or, at a minimum, keep pace with technological advancements.
  • Principle 4: Privacy and civil liberties must remain a priority when developing cybersecurity law and policy.
  • Principle 5: Training, education, and workforce development of government and corporate senior leadership, technical operators, and lawyers require adequate investment and resourcing in cybersecurity to be successful.
Beyond their stated goal of governmental guidance, the ABA's principles also form a useful roadmap for every organization, public and private, considering and implementing cybersecurity efforts. Further, even if an organization is not itself managing network security (for example, if it outsources its IT functions), the new guidelines will assist it in understanding and specifying the level of service it receives from the entity that is responsible for cybersecurity.

The new policy is one of many recent initiatives by the ABA seeking to raise both the awareness and diligence of attorneys and lawmakers about technology's impact on law and legal ethics. While the ABA has no formal enforcement authority, its recommendations can be very influential on state and federal governments as well as courts.

Friday, November 9, 2012

Hurricane Sandy and Force Majeure Provisions

Large numbers of individuals and companies (and those firms with which they do business) have been seriously impacted over the past week by Hurricane Sandy. Power failures, gasoline shortages, flood and wind damage and other factors may make it difficult or impossible to conduct business normally, and may raise the possibility of potentially breaching contracts.

Fortunately, many agreements contain a so-called “force majeure” clause, which can temporarily excuse a failure to perform under a contract caused by circumstances outside the party’s control, as with this example:
Neither party shall be deemed in default of this Agreement to the extent that performance of its obligations or attempts to cure any breach are delayed or prevented by reason of any act of God, fire, natural disaster, accident, riots, acts of government, shortage of materials or supplies, or any other cause beyond the reasonable control of such party; provided, that the party interfered gives the other party written notice thereof within ten (10) working days of any such event or occurrence.

Some clauses specify the types of circumstances that trigger the right not to perform, while others are more general. A force majeure clause may also carve out certain obligations that are not excused, such as a requirement to make payments.

Even where a contract does provide for a force majeure excuse, it may require certain actions by a party in order to take advantage of the clause. One possible requirement is notice; in the sample provision above, the party that couldn’t perform must provide the other party with written notice “within ten (10) working days of any such event or occurrence.” If this notice is not given (or given late), the failure to perform may be deemed a breach of the contract. In other agreements, the party seeking to take advantage of a force majeure right may be obligated to do what it can to mitigate (or reduce) the damages caused by its non-performance in order to be generally excused, whether after the fact or in anticipation of a possible force majeure event.

However you may have been affected by Hurricane Sandy or other major situations out of your control, we would advise you to review all of your relevant contracts, particularly any force majeure sections. Whether you need to take advantage of such a right, or you may anticipate others with which you have contracts doing so, it’s crucial that you are aware of any restrictions and requirements contained in the language of the provision, and particularly that you ensure you meet any deadlines to notify other parties of your business’s problems.