UETA and ECSA help to eliminate uncertainty of parties engaged in e-commerce by providing greater clarity about the steps to be taken to ensure legal recognition of electronically produced and transmitted signatures, records, transactions and contracts. UETA and ECSA provide that a contract cannot be found unenforceable solely because it is electronic in form and an electronic signature may satisfy legal requirements for a contract. Thus, electronic documents that are intended by the parties to be binding contracts will be legally recognizable.
E-Sign does not apply to business electronic transactions
To address the concerns for electronic transactions, particularly for those states that have not enacted a law to address the same, Electronic Signatures in Global and National Commerce Act (S. 761) ("E-Sign") was signed into law in June of 2000, by the President. However, it is narrower in scope than the UETA, covering only commercial transactions. E-Sign's effect appear limited to consumer transactions. E-Sign does not apply to business or government transactions, such as trusts and estate law, adoption and family law; documents connected with court orders and proceedings; and filings with federal and state regulatory agencies.
Issues to consider in electronic business transactions
When a client requests to conduct a business transaction electronically, some issues to consider include the following:
* establishing an agreement by parties to transact electronically
* creating electronic records capable of retention in its original form, as well as, bring accessible for later reference at the time of receipt
* addressing electronic documents properly to an information processing system designated by the recipient in a form capable of being processed
* agreeing to or obtaining a certification by the Secretary of State as to a security procedure for verifying electronic signatures and electronic records
* incorporating a process by which the individual submitting the proposal may not proceed further with the transaction without necessarily executing the document
* using an asymmetric Cryosystem for creating a digital signature and a public key to verify the digital signature.
Conclusion
Electronic transactions and related regulations, such as ECSA and UETA are still developing. These regulations have not yet been tested by the courts and their full impact cannot be assessed at this point. ECSA appears to be a solid step forward by Illinois as it enters into the arena of e-commerce. Where ECSA declines to address certain electronic transactions issues, such as, when an electronic record is sent or received, or when there are mistakes or errors in electronic communication, attorneys should consider the provisions of UETA to fill in the gaps.
______________
1 Arizona, California, Delaware, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Minnesota, Nebraska, North Carolina, Ohio, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Utah, and Virginia
2 Alabama, Michigan, New Jersey, Vermont, and West Virginia
HIPAA: changing health care operations as we know it
By Robert S. Spadoni and Ryan D. Meade
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") continues to loom large in its impact on the health care industry. Provisions governing the security, privacy, transmission and maintenance of electronic health information will require providers, payors and others to invest heavily in securing compliance. Without undertaking compliance activities, entities covered by HIPAA risk both civil and/or serious criminal penalties. Overall, the process to achieve HIPAA compliance is expected to have a $2 trillion financial impact on the U.S. economy.
Since its passage in 1996, HIPAA has dramatically affected the delivery of health care in the United States. While the health care industry initially focused on HIPAA compliance in areas such as insurance portability and fraud and abuse, attention has now turned to HIPAA's so-called "Administrative Simplification Provisions." The stated objective of these provisions is to reduce the administrative cost of providing and paying for health care by creating a national standard for electronic health information.
The Administrative Simplification Provisions mandated the Secretary of Health and Human Services ("HHS") to adopt standards for transactions involving health information and data elements as well as to promulgate rules to protect the confidentiality of such electronic data. While HHS has issued a number of proposed rules, the proposed privacy standards has garnered the most controversy.
The proposed privacy rules, known as "Standards for Privacy of Individually Identifiable Health Information" (published in the Federal Register on November 3, 1999) prescribes standards for the privacy of individually identifiable health information that has been electronically maintained or transmitted. The final rules are expected to be published by HHS at some point before the close of 2000.
The privacy standards apply to so-called "covered entities," which embrace a broad array of entities, including the following:
1. Health providers--who transmit any health information in electronic form in connection with specified transactions;
2. Health plans--which include insured and self-insured group health plans under ERISA, insurance companies and other organizations licensed to engage in the business of insurance in a state, health maintenance organizations, employee welfare benefit plans or other arrangements established to offer or provide health benefits to employees of two or more employers, and other specified state and federal programs; and
3. Health care clearinghouses--any entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements, including billing service and repricing companies, community health management information systems, community health information systems, and "value added" networks and switches.
Once an entity is established as a "covered entity," the privacy regulations are triggered any time the entity accesses, uses or discloses protected health information, even within the organization.
Covered entities are not the only organizations affected by HIPAA. HIPAA will also impact those entities with whom the covered entity conducts business, including so-called "business partners." Under the privacy regulations, business partners refer to any person or organization that receives from a covered entity individually identifiable health information that has been electronically maintained or transmitted, including auditors, lawyers, consultants, third-party administrators, health care clearinghouses, data processing firms, and billing firms.
These privacy standards will govern the use and disclosure of individually identifiable health information that has been electronically transmitted or maintained by a covered entity. In other words, the standards will apply any and each time a covered entity places in an electronic format health information that identifies the individual, or when there is a reasonable basis to believe that the information can be used to identify the individual. This category of information will be known as "protected health information." Data can retain the status as protected health information even if the electronic form is destroyed and the only remaining version of the data exists on paper.
As a general rule, protected health information may not be used or disclosed (even within an organization) unless a covered entity receives specific authorization from the individual for the use or disclosure of the patient's health information. Unfortunately, a covered entity will not, in most cases, be able to rely upon a sweeping patient consent form for use or disclosure of the information. The individual authorization must be detailed enough for the individual to be effectively given notice of the reason(s) for which a covered entity will be using or disclosing the information.
The proposed regulations specify a number of exceptions when individual authorization will not be required. Significantly, a covered entity will not need to obtain authorization to use or disclose protected health information for purposes of treatment, payment, health care operations and a variety of public health and government administrative purposes. However, even when protected health information may be permissibly used or disclosed, a covered entity may only use or disclose the minimum necessary amount of information needed to accomplish the purpose for accessing the information. In certain special cases, a covered entity will be required to obtain individual authorization even if an exception would otherwise apply. Such special cases include the use or disclosure of psychotherapy notes.
The proposed privacy regulations also set out patients' rights to access and amend their health information and, upon a patient's request, require notification of how the information is used, as well as an accounting of all uses and disclosures of protected health information for which authorization is required.
The penalties for violating the privacy standards will be steep. A covered entity could be subject to civil fines of $100 per violation. Criminal penalties are also available against entities or persons who knowingly use or disclose protected health information inappropriately. Criminal penalties range from two years to 10 years imprisonment and $25,000 to $250,000 depending upon the circumstances of the privacy breach.
The HIPAA privacy standards will have far reaching effect on the operations of health care, not only on the provider level but also with payors and many organizations that do business with a "covered entity." The time to prepare is now.
Software piracy, licensing and compliance: one copy--
multiple users
By Robert N. Kamensky
Introduction
It usually starts with a former or disgruntled employee who, either out of revenge or pangs of consciousness, makes a phone call to one of the many anti-piracy hotlines. Next thing you know your company receives a visit from representatives of the software publishers demanding to audit the company's computers to ensure that all of the installed software is properly licensed. It is already too late --your company has been caught. In fact, every company which has been approached for an audit has been found to have had pirated some software.1
Software piracy
The United States Copyright Act2 ("Copyright Act") protects a person's right to control the reproduction of their intellectual creations. Under the Copyright Act, it is unlawful to make, distribute or utilize copies of software without authorization from the copyright holder. Software piracy is the unauthorized copying, distribution or usage of software products. Typically, corporate piracy3 is not committed for financial gain or intentionally, but rather, due to:
(i) an entity intentionally or inadvertently installing more copies of software than authorized by its license,
(ii) an employee or reseller installing unauthorized software without the knowledge of the entity or under the belief that the software is properly licensed,
(iii) the difficulty of tracking and managing software licenses, such that the entity simply fails to keep up on its licenses4, or (iv) the entity making a business decision that purchasing the required type or number of licenses for all of its users is too costly.
Regardless of how innocent the reason may be, the result is still piracy and still illegal. The simple fact is that intent has no bearing on the illegality of the act.
Estimates have put a worldwide revenue loss of $12 billion during the calendar year 19995 for pirated software. As a result, software publishers have expended significant resources in an effort to combat software piracy. The leading anti-piracy associations are the Business Software Alliance ("BSA") and the Software & Information Industry Association, ("SIIA"). The BSA and SIIA are the principle trade associations for the software publishing industry. Each association seeks to protect the intellectual property of industry members and act against unauthorized use, reproduction and distribution of software and each has been empowered by its members to investigate and settle claims.6 The BSA has at least 500 ongoing investigations at any one time7 and during the past 12 months, the SIIA has initiated and settled actions against a total of 1,016 organizations.8
It is also interesting to note that these enforcement statistics do not include actions by the individual software publishers. According to Microsoft, its anti-piracy hotline currently receives approximately 7,500 contacts in North America each month and Microsoft investigates every report of piracy it receives.9 Adobe reports that it receives over 2,600 reports of piracy each year.10
Piracy investigations are typically initiated from a user's technical support calls to the publisher, on-site sales calls and product registration information11, however, most investigations commence with a call by a former or disgruntled employee to one of the many anti-piracy hotlines or even a visit to an anti-piracy Web site.12 The BSA is notable for its aggressive advertising campaigns targeting employees to turn in their employers. Contrary to widely held beliefs, nether the BSA/SIIA nor the software publishers offer any remuneration to those who turn in those committing piracy.
Typically, the BSA or SIIA will proceed to gain voluntary compliance through the use of a cease and desist letter to the organization requesting that the association be given the opportunity to audit the entity's computers. These methods have been very effective and the vast majority of those entities receiving voluntary audit requests agree to cooperate.13 In fact, every entity that has been approached by the SIIA for an audit has been found to have had pirated software.14 However, if there is concern that the entity may try to destroy the evidence of the piracy, involuntary compliance may be in order. Involuntary compliance may include a lawsuit or an unannounced audit on a entity whereby the enforcing association or publisher shows up with U.S. Marshals and a warrant to search the organization's computer systems. While most small to mid-size organizations think that they will never be caught because of their size, they would be mistaken.15 In fact, companies with as few as three personal computers have been the subject of piracy investigations.16 Apparently, given the low likelihood of success at trial, all of the piracy allegations the BSA, and all except one that the SIIA, has pursued have ultimately ended in some form of settlement.17 The settlements typically consist of: (i) the organization destroying all of the infringing software, (ii) re-purchasing it legally, (iii) implementing a policy in order to prevent future infringement, and (iii) paying a penalty. The penalty is generally a multiplier of one to three times the value of the infringing software.18 It is important to remember that employers will be held vicariously liable for the acts of their employees--particularly when it comes to software piracy.
The main reason to cooperate is due to the harsh remedies provided to copyright owners under the Copyright Act. The Copyright Act provides for both civil and criminal liability. The remedies under the Copyright Act include both temporary and permanent injunctions to prevent or restrain infringement19, statutory damages of up to $150,000 per software title20 for willful infringement21 and potential criminal penalties if the copyright infringement was committed willfully by the reproduction during any 180 day period of any one or more copyrighted works which have a total retail value of more than $1,000.22
Nearly all software in the United States is licensed by the software publisher rather than sold out right to the consumer. A software license grants the user the legal right to use a particular piece of software. For each software program utilized, a license is needed.23 Although software is an asset, many organizations fail to manage it properly resulting in costly compliance issues.
In order to manage its software effectively, an entity must understand how the publishers license their software. The software industry has adopted a number of software licensing methods. While each software publisher may license their software in any manner they see fit, there are four general categories of licensing including the Single-Use License, Network (or Server) License, Concurrent Use License and Site (or Enterprise) License.
* A Single-Use License provides that a company (or end user) may install and use the software on one dedicated machine only. This method may also be called a "per seat" license which extends a set number of dedicated licenses to a certain number of machines.
* A Network or Server License is similar to a Single-Use License in that the software may be installed on one particular network or server. The license may provide that all users attached to the network or server may access and use the software or the software is dedicated for use on the particular network or server (typically for server utilities software).
* A Concurrent Use License allows a company to install the software on a network which use is then limited to a certain number of simultaneous users. The number of users may be less than the number of attached computers. Most software publishers no longer utilize this method of licensing as it is prone to abuse.24
* A Site or Enterprise License allows all users at one particular site or the entire enterprise to use and access the software. The software may be installed on a server or with each machine depending upon the terms of the particular license.
Occasionally, software publishers will provide a home or portable use license provision. This provision gives the licensee the right to use the software on an additional machine (at home or on a portable computer) provided that the additional copy is not used at the same time the software is used on the primary machine.
How to keep compliant
Each company has an affirmative duty to confirm that the software they are buying is legitimate and licensed properly. It is important for every company to have an effective policy in place to prevent piracy. Tips to manage software and prevent piracy include:25
* Licensing agreements are different for each software publisher. Be sure to read and understand them.
* Buy software from reputable dealers26. Beware of prices that are too good to be true.
* Make sure the software comes with a license agreement, original disks, and authentic packaging for all of the software your company buys.
* Make sure your organization acquires the correct type and number of licenses it needs for all of its users. Generally a license is required for each copy of software.
* Retain original receipts, licenses, disks, CDs and the documentation.
* Audit your company's software usage at least once a year.
More information on anti-piracy efforts, compliance and auditing may be obtained from The Business Software Alliance's Web site at www.bsa.org and the Software Information and Industry Association's Web site at www.siia.net/piracy.
_______________
Robert N. Kamensky is a corporate associate with the law firm of Fagel & Haber in Chicago. Prior to attending law school, Mr. Kamensky sold large volume software licenses for ASAP Software Express, one of the largest national corporate software resellers.
1 Interview with Peter Beruk, Vice-President of Anti-Piracy, the Software & Information Industry Association (hereinafter referred to as "Beruk") (October 27, 2000); Interview with Batur Oktay, Senior Corporate Counsel for Adobe Systems Incorporated (October 27, 2000) (hereinafter referred to as "Oktay").
2 17 U.S.C. §101 et seq.
3 Corporate piracy has also often been termed "softlifting" which is defined as purchasing a single licensed copy of software and loading it on several machines, contrary to the terms of the license agreement. Certified Software Manager Course Manual, 3-12, copyright 1998-2000 Software Publishers Association.
4 David M. Hornik, "Combating Software Piracy: The Softlifting Problem," 7 Harv. J. Law & Tec 377, 378 (1994)
5 $12 billion is for business applications only. Business Software Alliance and Software & Information Industry Association, 1999 Global Software Piracy Report (2000)
6 The BSA's enforcement division members have given the BSA the power to enforce piracy cases, including litigation. Enforcement division members include: Autodesk, Adobe, Apple, Bentley Systems, Corel, Microsoft, Macromedia, Network Associates, Symantec, CNC Software and Mastercam. 900 of the 1,000 members of the SIIA have given it the power to investigate, audit and provide a release of claims. Additional authorization is required for litigation.
7 Interview with Jenny Blank, Director of Enforcement for the Business Software Alliance (October 25, 2000) (hereinafter referred to as "Blank").
8 SIIA Files Federal Lawsuit Against Alpha Train, Inc. (visited October 26, 2000) <http://www.siia.net/sharedcontent/press/ 2000/10-17-00.html>
9 Microsoft Protecting Against Software Piracy: Reporting Piracy In The U.S. (visited October 26,2 000) <http://www.microsoft.com/piracy/reporting/piracy_in_us.asp>
10 Oktay.
11 Beruk.
12 E.g. BSA: 888-No-Piracy, SIIA: (800) 388-7478, Adobe: <http://www.adobe.com/aboutadobe/antipiracy/report.html>, Microsoft: <http://www.microsoft.com/piracy/>
13 Beruk.
14 Beruk.
15 Thomas J. Cole, "Watch Out for the Software Police," Albuquerque Journal, June 29, 1998.
16 Blank; Beruk.
17 Blank; Beruk.; As an example of a recent settlement, CIC, Inc. (CIC), a pre-employment background verification company, paid the BSA $207,000 to settle claims of unlicensed software installed on its office computers. In another case, KV Pharmaceutical Company (KV) of St. Louis, agreed to pay the BSA $65,000 to settle claims related to unlicensed software on its office computers. In addition, both companies agreed to destroy all unlicensed software, purchase replacement software and strengthen their software management practices.
18 Beruk; Blank.
19 17 U.S.C. §502.
2 The penalties are for each software product infringed. For example, WordPerfect 5.1 and WordPerfect 5.5 would be different products.
21 17 U.S.C. §504.
22 17 U.S.C. §506.
23 Microsoft Software Licensing FAQ (visited October 24, 2000) <http://www.microsoft.com/enterprise/licensing/FAQ.htm>