Posts Tagged ‘brian goldstein’

We’ve Been Hacked!

Wednesday, September 4th, 2013

By Robyn Guilliams

Dear Law & Disorder: Performing Arts Division,

We are a small presenting organization, and we use an outside company to handle our ticket sales.  The company provides us with cloud-based software, which we use to process both online and box office ticket sales. We were recently informed by the software company that they’d been hacked!  The company told us that all of our patrons’ relevant information may have been compromised, including their credit card information. A lawyer on our board said that we are responsible for notifying all of our patrons of the security breach.  Is this true?  There are over 8,000 patrons in the system, going back quite a few years!  We don’t have the personnel to devote to this type of project.  One of the reasons we out-sourced our ticketing was to avoid handling and storing this type of sensitive information.  If we don’t handle the credit card information, why are we responsible if that information is stolen?

Oy, what a headache!

Unfortunately, I would guess that the terms of your organization’s contract with the ticketing software company require your organization to notify its patrons in the event of this type of security breach.  In fact, the contracts I’ve seen for this type of service require that the presenting organization indemnify the software company in the event of a breach.  This means that you are not only responsible for your own legal expenses and damages should one of your patrons suffer a loss as a result of the breach, but you’ll have to pay the software company’s legal expenses and damages as well!  And usually, these types of provisions are not negotiable.

In addition, you may want to take a look at the website of the PCI (Payment Card Industry) Security Standards Council, which sets the standards for companies who process credit card transactions (like your ticketing software company.)

See: https://www.pcisecuritystandards.org/faq/

Because your organization doesn’t actually handle or store credit card data, it’s not required to be “PCI Compliant.” However, as stated on this site, “it is the responsibility of the merchant to ensure that the data they share with third parties is properly handled and protected – just because a merchant outsources all payment processing does not mean that the merchant won’t be held responsible by their acquirer or payment brand in the event of an account data compromise.”

The good news here (such as it is) is that most states provide a mechanism for an organization like yours to protect itself in the event a third party credit card processor is hacked.  Generally, if you provide timely notice to your patrons of the breach, you can’t be held liable for your patrons’ damages (the theory being that if your patrons know about the breach, they can take steps to protect themselves.)  For instance, in New York (and many other states), your organization is protected from liability if you notify your patrons of the security breach “in the most expedient time possible and without unreasonable delay.”  The notice can be made in writing, electronically, or by phone.

Also, there are insurance policies that cover this type of cyber liability.  These policies usually cover the cost of notifying your patrons, as well as any legal expenses or damages you may have due to the breach.

In short, the volunteer lawyer on your board is correct. (As we don’t often agree with most lawyers, this is a rare occurrence, indeed!) Given the vulnerability of identification fraud and the potential exposure of your organization, you’d be wise to find a way to notify your patrons.

_________________________________________________________________

Brian Goldstein and Robyn Guilliams will be attending the 2013 Midwest Arts Conference in Austin, Texas next week.

Our next blog will be on September 17, 2013.

_________________________________________________________________

For additional information and resources on this and other legal and business issues for the performing arts, visit ggartslaw.com

To ask your own question, write to lawanddisorder@musicalamerica.org.

All questions on any topic related to legal and business issues will be welcome. However, please post only general questions or hypotheticals. GG Arts Law reserves the right to alter, edit or, amend questions to focus on specific issues or to avoid names, circumstances, or any information that could be used to identify or embarrass a specific individual or organization. All questions will be posted anonymously.

__________________________________________________________________

THE OFFICIAL DISCLAIMER:

THIS IS NOT LEGAL ADVICE!

The purpose of this blog is to provide general advice and guidance, not legal advice. Please consult with an attorney familiar with your specific circumstances, facts, challenges, medications, psychiatric disorders, past-lives, karmic debt, and anything else that may impact your situation before drawing any conclusions, deciding upon a course of action, sending a nasty email, filing a lawsuit, or doing anything rash!

Legal Smarts

Thursday, August 25th, 2011

By Edna Landau

To ask a question, please write Ask Edna.

The answers below were prepared with the kind assistance of my good friend and distinguished colleague, attorney Brian Goldstein of FTM Arts Law, to whom I express my heartfelt thanks.

Dear Edna:

I love reading your blog and I had a question that I hope I am not repeating. I am an international student currently studying in the states. I am interested in publishing a cd with cdbaby.com but I am not sure whether it is legal for me to receive money from cd baby from sales while I am a student here. If not, are there any other options for me? Thank you so much for your time. —–Kit

Dear Kit:

Thank you for submitting an excellent question. Visa regulations are in general quite complex and, like most legal issues, depend on an analysis of your specific circumstances. Therefore, it is almost always advisable to seek personal legal advice when trying to understand them.  As a general rule, U.S. law requires an artist to have a visa with work authorization any time an artist performs in the U.S.—even if the artist performs for free or is paid outside of the U.S. The mere act of “performing” triggers the need for work authorization. As a result, performances are almost never permissible on a visitor visa which, by its very nature, contains no work authorization. While recording a live performance in front of an audience would clearly be illegal without work authorization, it’s unclear as to whether or not a recording made in a studio would constitute a “performance”. Regardless, a visa with work authorization is also required any time anyone sells goods in the U.S.  In your case, you have not indicated your current visa status in the U.S. but for the purposes of this blog, we will assume that you are here on an F (student) visa. While F visas do not inherently permit students to perform in the U.S., the student’s school can authorize such work. It may be possible for you to make and sell a recording here if you obtain work authorization from your school to engage in such an activity and it is related to your studies. If your school will not provide you with work authorization, you could still make and distribute a studio recording for promotional purposes, but not sell it. Please note that if you are here on a J (exchange) visa or other type of student visa, different rules may apply as it is up to your sponsoring organization to approve your activities. You might want to approach Volunteer Lawyers for the Arts with your question. They have a legal hotline to field a broad range of questions, Art Law Line, which is fielded five days a week. You can also look at www.artistsfromabroad.org or have a look at the visa information on FTM Art Law’s website, www.FTMArtsLaw-pc.com.

                                                                                        ********

Dear Edna:

My fellow students and I are often asked to sign consent forms. Sometimes we are told that the wording is very standard and that we have nothing to worry about. Usually these forms are presented to us at the last minute and we end up signing them because it seems like less trouble that way. Those of us who do not speak English as a first language find the legal jargon intimidating and confusing but we don’t want to admit to not understanding it. I was recently handed a release that, if signed, would have granted my consent to the “absolute and irrevocable right and permission to use my name and likeness to reproduce, edit, exhibit, project, display, copyright and publish the moving pictures and/or videotaped images of me with or without my voice and to circulate the same in all forms of a particular filmed show and/or any other lawful purpose whatsoever.” I was also asked to waive any compensation for such consent. I did not sign this release but there is still a negotiation going on. I am wondering: is there such a thing as a standard consent form that would be less one-sided and would give us more control?  —concerned musician

Dear concerned musician:

If there were such a thing as a standard consent form, the world of the performing artist would be a simpler place. In fact, all terms are negotiable. Just because someone tells you a specific form or contract is “standard” does not mean you have to agree.  I understand the emotions you have experienced when someone gave you a form to sign at the eleventh hour and you felt pressured, especially if you thought that the future release of your filmed or recorded performance might have a major impact on your career. However, you should never feel pressured or compelled to sign any agreement or form and you should never grant any right to another party unless you understand everything about how those rights will be used and are comfortable with the terms. If necessary, any future usage can be subject to a separate agreement to be negotiated at a later time. You are always entitled to ask questions. You are also entitled to take the time you need to seek legal advice and you should, either from a personal attorney to whom you have access or via an organization such as Volunteer Lawyers for the Arts (see above). Ultimately, whether it’s an engagement contract, a recording deal, or a consent form, if you want terms that are less one-sided and would give you more control, you are entitled to propose different terms. The words “absolute and irrevocable right and permission” are scary because they would give someone the right to use your name, images, and a recording of your performance for any purpose and at any time in the future, without having to seek your permission or pay you any fees. Your name, image, and recordings have value. Even if you may not be receiving compensation for your performance (by prior agreement), your name and likeness could have significant value as your career grows. The time to take control of this type of situation is right at the start, at the first mention of possible audio or video recording of your interview or performance. If you were not informed that camera crews or recording engineers might film or record your rehearsal, performance or participation in an extended event, such as a festival, you shouldn’t hesitate to speak up and question such an occurrence at first glimpse of a camera or recording microphone. In fact, unless you specifically object, your consent could be implied. You mention that you did not yet sign the release and that there is still a negotiation going on. That may not be enough  to protect you. In any situation where someone presents you with a contract or form, even if you do not sign it, if you proceed with the performance and do not specifically reject the terms you find objectionable or specifically clarify, in writing, which terms are still under negotiation, you may be legally bound by the contract. Oral or implied consent can also be legally binding. A contract need not necessarily be signed.

I hope this information will make you feel more secure and in control when situations like this present themselves in the future.

To ask a question, please write Ask Edna.

© Edna Landau 2011