Selling your business?  Make sure you are not selling your attorney-client privileged communications.  A recent decision highlights the problem.  In Great Hill Equity Partners IV LP v. SIG Growth Equity Fund I LLLP, 80 A.3d 155 (Del. Ch. 2013), the buyer of a business sued the former owners of the company claiming that the owners had fraudulently induced the plaintiff into purchasing the business.  After the complaint was filed, the buyer realized that it had access to the seller’s pre-transaction communications with the company’s then-lawyers because they were stored on the company’s computers.  The seller claimed the documents were privileged and therefore needed to be returned to the seller.

The Delaware Chancery court ruled that based on the “plain operation of clear Delaware statutory law,” the seller’s pre-merger communications now belonged to the buyer.  The Chancery Court’s opinion relied on a Delaware corporate statute which provides that, post-merger, “all property, rights, privileges, powers and franchises, and all and every other interest shall be thereafter as effectually the property of the surviving or resulting corporation ....”  The Court held that the broad language of the statute was intended to apply to all property and interests and even “all privileges, including the attorney-client privilege.”

The Court was well aware that its decision would prejudice sellers by disclosing pre-merger privileged communications to the buyer.  However, to prevent such disclosures, the Court explained that “the answer to any parties worried about facing this predicament in the future is to use their contractual freedom ... to exclude from the transferred assets the attorney-client communications they wish to retain as their own.”

New York leading court has a very different take on this issue.  In Tekni–Plex, Inc. v. Meyner & Landis, 89 N.Y.2d 123, 130, 136–38 (1996), the Court of Appeals squarely held that while the buyer is the holder of the company’s attorney-client privileged communications, that does not apply to attorney-client communications concerning the subject of the acquisition itself.  The Court reasoned that to grant [the acquiror] control over the attorney-client privilege as to communications concerning the merger transaction would thwart, rather than promote, the purposes underlying the privilege.  Therefore, the seller still controls the pre-merger attorney-client communications of the sold company.

Just because New York courts protect the seller’s privileged communications does not necessarily mean that New York businesses need not be concerned about the Delaware precedent.  Many transactions in New York involve the sale of companies that are incorporated in Delaware or contain contract provisions applying Delaware law.  Consequently, sellers of businesses should insist on a contractual provision that excludes privileged communications from being included among the assets passing to the acquiring company in the merger.

It’s been nearly two years since the Obama Administration announced its Big Data Research and Development Initiative in March 2012, committing to improve the ways and means that the Federal government accesses, organizes and analyzes huge quantities of data.  The initiative promised to develop and harness state-of-the-art technologies to accelerate and “transform our ability to use Big Data for scientific discovery, environmental and biomedical research, education, and national security.”  Now, after the maelstrom of the Snowden revelations, and the ensuing (and ever-brewing) debate about NSA surveillance policies, the White House has launched a new program to review how the public and private sectors are gathering and utilizing “big data,” and the implications of such analysis when it comes up against privacy issues.President Obama announced in a January 17th speech that he had appointed his counselor, John Podesta, to spearhead this review.   Less than a week later, Podesta posted an overview of his 90-day plan to tackle his daunting task: Audit current procedures, anticipate technological trends, and determine whether additional protections need to be implemented in order to balance the benefits of potential innovation and knowledge gleaned from massive consumer data–collection with the potential concerns that inevitably result from it, whether they are a matter of privacy, public policy, economy, or national security.  As this may involve further government research, funding, and/or policy changes, Podesta’s team will be collaborating with numerous industry experts, government officials, academic institutions, think tanks, civil liberties groups, and other organizations here and around the world to develop the most comprehensive and robust plan of action.

This initiative was introduced at the tail end of the President’s outlining of numerous sweeping reforms to US intelligence programs, including the NSA.  Considering the timing, some people question whether this program is a long-awaited Executive acknowledgment of the privacy risks of big data, or simply a ploy to distract the nation from the NSA controversy.  Others welcome the attention and believe that, in addition to the anticipated improvement of consumer privacy, these expanded efforts to deal with big data will contribute to the creation of millions of IT jobs globally.  Meanwhile, various groups have been petitioning to encourage the “meaningful public participation in the development of this important policy,” insisting that the public “should be given the opportunity to contribute to the…review of ‘Big Data and the Future of Privacy’ since it is their information that is being collected and their privacy and their future that is at stake.”  With about 60 days remaining to Podesta’s timeline, it will be interesting to see if and how this review will take into account the input of all stakeholders.

LinkedIn Corporation may not have a face (or name) for the individuals responsible for circumventing many of their security measures to mine a significant amount of user data since last May, but they certainly have a case against them.  The professional social network noticed suspicious patterns of activity and discovered that thousands of fake profiles had been created by automated software programs, somehow avoiding the various safeguards (e.g. CAPTCHA, daily activity limits, etc.) meant to weed out such “bots.”  These artificial accounts were being used to copy, or “scrape” information from hundreds of thousands of bona fide member profiles, presumably for less-than-noble purposes such as identity theft, phishing, or other spammy practices.  The bogus profiles were traced back to a mass of accounts on Amazon’s cloud-computing platform, and as part of its suit filed against these Doe Defendants last week, LinkedIn “intends to file motions to expedite…discovery requests” that it will be serving on Amazon Web Services, in hopes that they will fork over the names of the offending accountholders.  (Amazon.com, itself, is not being charged.)Interestingly, the fact that no specific defendants are named here does not put a damper on such a lawsuit.  It’s been done (and won) before, and continuing with the investigation and legal proceedings—even with as-yet-unidentified defendants—serves numerous purposes.  It disrupts a botnet’s activities, since its operators are probably running scared, knowing that the authorities are on to them.  At the same time, the lawsuit intimidates future cybercriminals from targeting the plaintiff’s sites, since they see that these digital crimes are being taken seriously.  Legal action also incentivizes third parties to cooperate with the investigation, since it involves actual subpoenas, and not just (oft-ignored) letters and voicemails to a company’s in-house counsel.  Finally, if and when the perpetrators are identified, a strong case has already been built up against them, ready to wallop the defendants as soon as they hit the courtroom.

The individuals ultimately responsible for the illegal data extraction used so many different tactics to evade LinkedIn’s security measures, that the company believes they must have been aware of the various restriction levels built into the site’s technology.  Not only do these practices violate LinkedIn’s User Agreement, they also break state and federal laws relating to cyber-fraud (and possibly copyright laws, as well), making this infraction a pretty big deal.  However, the botnet behind this case may very well be a “zombie army” made up of unsuspecting individuals’ computers, which have been infected by a virus or otherwise compromised.  So, even if the physical infrastructure is taken out, unless the actual hackers are caught, they could, theoretically, pull off such a scheme again.  LinkedIn has already disabled the fake profiles and implemented additional security measures on its site.  Given the extensive usage of its networking tools amongst today’s professionals and recruiters, though, LinkedIn’s engineers (and those of other companies like it) certainly have their work cut out for them in terms of making their systems more secure; after all, malicious technology advances right along with the more honorable kind.

While I am sure that the vast majority of users never review privacy policies for the websites and devices they use, the content of these policies do matter.  On February 22, 2013, the FTC settled a privacy-related investigation against HTC America for violation of HTC's privacy and security policies.  The FTC charged that HTC America's mobile devices failed to employ reasonable and appropriate security practices and that these failures allowed unauthorized access to users' private data.

The settlement not only requires the establishment of a comprehensive security program, but also prohibits HTC America from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices. HTC America and its network operator partners also agreed to deploy security patches to consumers’ devices.

The takeaway?  Privacy policies are not just boilerplate--they should be examined periodically to make sure that they are being followed.