In a recent public comment addressed to the United States Copyright Office, the Federal Trade Commission seemingly expanded upon remarks made at the National Advertising Division back in September that it will aggressively and proactively challenge alleged unfair practices involving artificial intelligence, even if that means stretching the meaning of “unfair” to increase its jurisdiction over such matters.
Nolan Goldberg
Nolan M. Goldberg is a partner in the Litigation Department, co-head of the Data Privacy and Cybersecurity Litigation Group, and a member of the Patent Law Group. His practice focuses on technology-centric litigation, arbitration (including international arbitrations), investigations and counseling, covering a range of types of disputes, including cybersecurity, intellectual property, and commercial. Nolan’s understanding of technology allows him to develop defenses and strategies that might otherwise be overlooked or less effective and enhances the “story telling” that is critical to bringing a dispute to a successful conclusion.
Nolan is a registered patent attorney before the U.S. Patent & Trademark Office and an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional, United States (US CIPP) and Certified Information Privacy Technologist (US CIPT).
Cybersecurity
Nolan’s electrical engineering background, coupled with a litigation and risk management-centric focus, allows him to assist companies in all phases of incident response. Nolan often acts as a bridge between the technical and legal response teams (both inside and outside forensic consultants). Nolan uses this deep familiarity with the company and its systems to defend the company in litigations, arbitrations and regulatory investigations, including before the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and various State Attorneys General, including Multi-State investigations.
Nolan has worked on incidents that range from simple phishing attacks on e-mail accounts by cyber-criminals to intrusions by (formerly) trusted inside employees to complex technical breaches of hosted systems by state-sponsored advanced persistent threats (APTs). These incidents have involved both client systems, and systems of a vendor of a client that hosted its data.
It is often the case (both in response to an incident and for other reasons) that a company will want to undertake an assessment of its security posture, but has concerns about the discoverability of any such analysis. Accordingly, Nolan also frequently assists companies in scoping and conducting privileged security assessments, including “dual purpose” assessments where privileged analyses are also used for ordinary-course purposes.
Commercial Disputes
Nolan also assists companies with commercial disputes, particularly in cases where there is a technology component, including disputes arising from hosted software agreements; outsourcing and managed services agreements; software and technology development agreements and the dissolution of joint ventures. When these disputes cannot be amicably resolved, Nolan has litigated them in State and Federal Court and in arbitrations, including international arbitrations.
Intellectual Property
Nolan's work has included numerous patent and trade secret litigations and negotiations, primarily in cases involving computer and network-related technologies. In particular, the litigations have involved at least the following technologies: hosted software; telecommunications; computer networking; network and computer-related security hardware and software; microprocessors; voice-over Internet protocol ("VoIP"); bar code scanners; financial business methods and software, including securities settlement, fail management and trade execution and reporting software; data compression; handheld computers; pharmaceuticals; cardiac electro-stimulatory devices and prosthetics.
Nolan also has experience prosecuting patent applications before the U.S. Patent and Trademark Office in encryption, CMOS, HDTV, virtual private networks ("VPN"), e-commerce, XML/XSL, financial instruments, semiconductor electronics, medical device technology, inventory control and analysis, cellular communications, Check 21 and business methods. Nolan also has conducted numerous freedom-to-operate searches, written opinions, and counseled clients in the areas of bar code scanners, imaging, book publishing, computer networking, business methods, Power Over Ethernet ("PoE"), and digital content distribution.
He has assisted in evaluating patents for inclusion in patent pools involving large consumer electronics and entertainment companies concerning CD and DVD technology.
Computer Forensics and Electronic Discovery
Nolan is often called upon to develop e-discovery strategies to be used in all types of litigations, with a particular focus on selecting appropriate tools, developing proportionate discovery plans, cross border electronic discovery, managing the overall burden and cost of the electronic discovery process, and obtaining often overlooked electronic evidence, including computer forensics. He also assists clients to develop and implement information management programs to reduce expense and risk, meet compliance obligations, and tame e-discovery burdens.
Thought Leadership
Nolan has authored numerous articles and given numerous presentations on emerging issues and trends in both technology and law, and has often been called upon to comment on various media outlets including Business Week, IPlaw360, IT Business Edge, CIO.com, Forbes, and The National Law Journal.
Prior to practicing law, Nolan was a computer specialist at Underwriters Laboratories (UL).
FTC Continues to Stake Out Role as Key AI Regulator
While speaking at the annual conference of the National Advertising Division on September 19, 2023, the Federal Trade Commission (“FTC”) announced a generative AI (“AI”) policy that is consistent with Chairwoman Khan’s focus on the perceived harms to consumers from large technology companies, fully embracing a plan to regulate AI swiftly, aggressively, and proactively.
The agency began its remarks on AI by observing that its purported policy decision to allow technology companies to self-regulate during the “Web 2.0” era was a mistake. Self-regulation, according to the FTC, was a failure that ultimately resulted in the collection of too much power and too much data by a handful of large technology companies.
A Timely Reason to Review Procedures for Risk Assessments and Vendor Contracts in Light of the SolarWinds Attack
As reported last week, a state-sponsored hacker may have breached multiple U.S. government networks through a widely-used software product offered by SolarWinds. The compromised product helps organizations manage their networks, servers and networked devices. The product is not only used by government agencies, but is widely used in both the…
District Court Affirms Order Requiring Production of Cyber-Investigation Report after Considering Totality of Circumstances
As we previously reported, the Magistrate Judge in In re: Capital One Customer Data Security Breach Litigation found that a forensic report that Capital One had claimed was protected by the privilege and work product doctrines needed to be produced because Capital One had not met its burden under the dual-purpose doctrine to show that the report was protected. In re: Capital One Customer Data Sec. Breach Litig. (“Magistrate’s Order”). The forensic report at issue (the “Report”) related to a 2019 data breach where a hacker purportedly accessed and stole highly sensitive customer information from Capital One’s online cloud environment (the “Breach”). Capital One hired outside counsel to investigate the Breach and to help the company prepare for anticipated litigation and regulatory inquiries. To assist counsel’s investigation, outside counsel engaged a cybersecurity consultant (“Consultant”). As developed in the Magistrate’s Order, Capital One had used this same Consultant prior to the Breach in the normal course of its business.
Maintaining Privilege and Work Product Protections in Dual Purpose (Legal and Business) Investigations Requires More than Merely Adding Counsel’s Name to a Forensic Report
Technical investigations conducted following cyber-incidents often have both legal and ordinary-course business purposes. In certain jurisdictions, reports generated as a result of such investigations can be protected from discovery by privilege and work product protections – despite certain non-legal use – under the “dual purpose” doctrine when “consider[ing] the totality of the circumstances . . . it can fairly be said that the document was created because of anticipated litigation and would not have been created in substantially similar form but for the prospect of litigation.” California Earthquake Auth. v. Metro. West Sec. LLC. However, as a recent opinion illustrates, dual purpose-type privilege claims may not be upheld if challenged in the absence of proper precautions. In re: Capital One Customer Data Sec. Breach Litig., MDL No. 1:19-md-02915, D.I. 490, Slip. Op. (E.D. Va. May 26, 2020) (“Slip Op.”).