Digital Media Lawyer Blog

On September 25, 2009, Amazon.com reached a proposed settlement with the plaintiffs in the class action brought over its unilateral deletion of the George Orwell works 1984 and Animal Farm from Kindle devices. See Gawronski v. Amazon.com, Inc., Western District of Washington, No. 09-cv-01084. The settlement not only provides substantial compensation for affected customers, but it also prohibits Amazon for engaging in future deletions of books sold under its current terms of service for the Kindle.

Everyone remembers the flap this past summer over Amazon.com's unilateral removal of the Orwell books from the Kindle devices. Some customers saw their books disappear before their eyes. Others lost important notes they had written in the "margins" of the books. For example, one customer was a high school student who had purchased 1984 for use in a class and had recorded notes on passages in the book on his Kindle device. When Amazon removed his copy of 1984, his notes, which said things such as "remember this paragraph for your thesis," were rendered useless, since they were no longer associated with the text of the book.

On July 30, 2009, shortly after the Orwell works were removed, a class action was filed in a federal court in the State of Washington by two affected Kindle customers. The class action complaint alleged several legal theories against Amazon, including breach of the terms of use for the Kindle device, damage to the plaintiffs' computers in violation of CFAA, trespass to chattels (the plaintiffs' Kindle Devices), conversion (of the deleted material) and other grounds.

Then, on September 3, 2009, Amazon announced that it had contacted all customers whose Orwell books had been deleted and offered to provide them with a new copy of the deleted book, at no charge, or to pay them $30.00. Amazon had apparently already refunded the purchase price of the books to the some 2,000 affected customers at the time it originally deleted the Orwell books.

In its September 25 settlement, Amazon has agreed to go even further to compensate affected customers. Under the proposed settlement, Amazon has now agreed to restore all notes and annotations made by customers whose books were deleted, as well.

Amazon has also agreed that, for all books purchased pursuant to terms of service granting the Kindle purchaser the "non-exclusive right to keep a permanent copy" of each purchased Work and to "view, use and display [such Works] an unlimited number of times, solely on the [Devices] . . . and solely for [the purchasers'] personal, non-commercial use," it will not remotely delete or modify these books from Kindle devices purchased or being used in the U.S. That's a big mouthful. However, from my visit to the Amazon.com site this afternoon, it appears that this language is still included in the current terms of service for the Kindle. So this appears to mean that Amazon has agreed not to delete content from any Kindle devices that have been sold to date.

Continue reading "Kindle Class Action Settlement: Gawronski v. Amazon Suit Regarding Amazon.com's Removal of Orwell Works from Kindle Devices Settles, but Leaves Many Questions" »

Digital media law update: Corporate officers and directors of corporations that are caught up in malfeasance often hope that their peripheral roles will exempt them from prosecution. However, even if you were "just" the CFO, CIO, or other non-controlling executive, the fact that you were not the guiding hand behind a corporate misdeed will not protect you from prosecution if you were aware of the illegal conduct and were able to do something to prevent it from occurring. For example, in a recent FTC action against two firms involved in a massive "scareware" scheme, a federal judge held that an officer and financial manager at the firms could be individually prosecuted, because by virtue of his alleged position and level of involvement in firm management it was likely that he was aware of and participated in the firms' alleged unfair business practices.

The case is FTC v. Innovative Marketing, District of Maryland, Case No. 1:08-cv-03233. The FTC complaint alleges that the corporate defendants, Innovative Marketing, Inc. and ByteHosting Internet Services, conducted a massive "scareware" scheme that marketed computer software using deceptive advertising. In a "scareware" scam, an Internet company sends false security or privacy warnings to consumers for the purpose of selling software to fix the imagined problems. The FTC's "unfair business practices" claim also named several of the companies' officers and directors whom the FTC alleged participated in or directed the scareware scheme. Among these officers and directors was Marc D'Souza, whom the FTC identified as a corporate officer of the defendants who handled their finances -- apparently, something like a CFO.

D'Souza filed a motion to dismiss, arguing that the FTC's claims against him didn't state a plausible case against him. Judge Richard Bennett disagreed.

Once the FTC establishes corporate liability for unfair business practices, individual defendants can also be held liable if: (1) they had some knowledge of the corporation's unfair practices, and (2) they either participated directly in the practices or acts OR had the authority to control them. FTC v. Amy Travel Service, Inc., 875 F.2d 564, 573 (7th Cir. 1989). Judge Bennett found that the FTC's complaint had satisfied both the knowledge and control/participation prongs.

The words "authority" and "control" are the types of terms that can be subject to a very broad interpretation. In many cases, if an officer/director has the authority to exert some level of control over company policy or is actively involved in the company's business affairs, this can lead to the inference that the officer/director had the authority to control the unfair practices in question. Id. at 573.

Continue reading "FTC v. Innovative Marketing: When Is an Officer or Director Personally Liable if a Corporation Engages in Unfair Business Practices?" »

Digital media law: On September 23, 2009, Judge Ware of the Northern District of California issued a temporary restraining order in a case in a bank advertently sent a file containing confidential customer information to an unidentified Gmail account. The Judge ordered Google and the unidentified Gmail account holder not to access, use or distribute the confidential customer information and required Google to disclose whether the Gmail account was active or dormant, and if active, to disclose the identity of Gmail account holder. The judge also ordered Google to "immediately deactivate the Gmail account."

While Judge Ware's move to cut off the subscriber's Gmail account has been viewed by some as draconian trespass on the email account holder's rights, it was not without at least some legal basis.

The facts of the case are simple. On August 12, 2009 a customer requested that the Bank send some loan statements to a third party representative of the customer. Later that evening, the customer informed that Bank that his representative had not received the information. The next day, August 13, the Bank investigated that matter and discovered that it had sent the customer's information to the wrong email address -- a Gmail address -- and that it had also attached a file containing "names, addresses, tax identification numbers and loan information for . . . 1,325 customer accounts" -- oops!

Upon discovering its double error, the Bank immediately sent another email to the Gmail account holder asking the recipient to immediately delete the file without opening it or reviewing it. Receiving no response from the Gmail account holder, the Bank contacted Google to determine whether the Gmail account was active or dormant, and if active to get information about the account holder. It also asked Google to deactivate the Gmail account.
Google refused to do any of these things without a court order.

The Bank then filed a complaint against Google, seeking an injunction restraining Google and its account holder from accessing or using the confidential customer information, requiring Google to deactivate the Gmail account, requiring Google to delete the email and the confidential customer information from its system, and requiring Google to disclose information about the Gmail account holder. See Complaint, Rocky Mountain Bank v. Google, Inc., N.D. Cal., Case No. 5:09-cv-04385.

On September 23, 2009, Judge Ware issued a temporary restraining order (TRO) granting most of the relief the Bank had requested. The TRO was only be effective for a short time -- until September 28, when the Court would conduct a hearing on whether or not to issue a preliminary injunction, which would then be in effect until the case was fully adjudicated.

A Court only has authority to make an order in favor of a plaintiff, if the plaintiff establishes that it has some legal right that the order would protect. What is striking is that nowhere in its motion papers did the Bank cite any legal basis, such as a statute or case, that would empower the Court to order Google to disable the Gmail account or to prevent Google and the customer from accessing and using the confidential information. Rather, the Bank based its requests for relief on the mere assertions that "Google and its email account holder have no rights in or to the inadvertently disclosed information, while the Bank and its customers have every right to prevent further disclosure and use of such information."

Continue reading "Rocky Mountain Bank v. Google: Was Judge Ware's Order that Google Deactivate the Gmail of a Customer Inadvertently Sent Confidential Information Appropriate?" »

Digital Media Law Update: In another in a long string of cases involving consumer complaints posted on the RipoffReport, a state court in New York dismissed a defamation case filed by a "Study in Europe for the Summer" educational company against one of its former students and against XCentric, the operator of RipoffReport.com. But this time, the defense victory had little to do with the Communications Decency Act. Rather, the decision in this case was driven largely the court's conclusion that the Ripoff Report post constituted nonactionable consumer opinion.

The case is Intellect Art Media v. Milewski, Supreme Court of New York, New York County, Index No. 117024/2008. Intellect Art Media operates the Swiss Finance Academy, a summer college program offering business courses in Switzerland. Milewski applied to the Academy in February 2008 and was accepted in March. Milewski was originally told that the program would be held in Verbier, Switzerland. The location was later changed to Lugano. But Milewski didn't learn about the change until shortly before the program commenced in July 2008. When Milewski showed up, he was only able to pay of the $7,000 tuition money. Nevertheless, he was permitted to attend based on his explanation that the remainder of the funds would come once a student loan was funded. However, beginning on July 24, 2008, the school claimed that Milewski began to engage in disruptive behavior. As result of this behavior and his failure to pay the full tuition, Milewski was expelled.

On July 19, 2008 a report was posted on RipoffReport.com regarding the Academy. The author, who was identified only as "Lilly," accused the Academy of being a "bait & switch company," making "false promises," and being run "by two incompetent people." The post went on claim that the Academy "is a 100% bait and switch scam," that "the tell you where the location is then a week before the program starts they change the location as say no refunds whatsoever," "all we got from breakfast was TOAST," and "its all a joke and a scam that needs to be stopped."

The Academy claimed that as a result of this posting, the enrollment for its 2009 summer program fell by 70%. Accordingly it sued Milewski (who it identified as "Lilly" on information and belief) and XCentric, which operates the Ripoff Report, for defamation - and other causes of action.

The standard elements of a case for defamation around the U.S. are that a plaintiff must plead and prove are: (1) the defendant made a false and defamatory statement, (2) which was published to one or more third parties, and (3) which caused damage to the plaintiff. However, the United States has a strong cultural tradition of respecting an individual's right to speak his mind -- as exemplified by the First Amendment. As a result, judges and legislatures tend to create special rules that prevent plaintiffs from recovering in many cases.

For example, under New York law, a defendant can defeat a defamation claim by showing that the published statements are "substantially true." Newport Leasing Service v. Meadowbrook Distributing Corp., 1 AD3d 454 (N.Y. App. 2005). He can also defeat a defamation claim by showing that the defamatory statements, "when read in context would be perceived by a reasonable person to be nothing more than a matter of personal opinion." Immuno AG v. Moor-Jankowski, 77 N.Y.2d 235 (N.Y. 1991). Loose, figurative or hyperbolic statements, even if deprecating to the plaintiff, are not actionable. Dillon v. City of New York, 261 AD2d 34 (N.Y. App. 1999). Moreover, according to Judge Judith Gische, courts in New York as "loathe to stifle someone's criticism of goods as services."

Continue reading "Intellect Art Media v. Milewski: Xcentric/Ripoff Report Escapes Another Defamation Case" »

A recent decision by a judge in the District of Eastern Tennessee reflects the continued judicial unease over an employer's use of the CFAA -- a criminal statute -- to sue an employee who has abused his authority to access the company's computer files by obtaining secret information for use in subsequent employment. See ES&H, Inc. v. Allied Safety Consultants, Inc., E.D.Tenn, No. 3:08-cv-323 (Sept. 16, 2009).

The Computer Fraud and Abuse Act (CFAA) provides criminal penalties and gives victims the right to sue for damages when a person intentionally accesses a computer "without authorization" or "exceeds authorized access" and obtains information, perpetrates a fraud or causes damage. 18 U.S.C. § 1030(a)(2), (4), (5). However, courts have long been split over when a person can be considered to have accessed a computer "without authorization."

In an oft-repeated scenario, an employee, who was granted access to his employer's data as part of job, learns that he is about to be fired or decides to leave on his own. He then quickly downloads information that might be useful to his next employer immediately before formal termination.

Some courts considering this scenario have held that "without authorization" only reaches outsiders who do not have permission to access the company's computer in the first place. Other courts looking at this fact pattern apply agency law principles and hold that an employee who uses his access rights to obtain information to advance an interest adverse to his employer has accessed a computer "without authorization."

In Shamrock Foods Co. v. Gast, 535 F.Supp.2d 962 (D. Ariz. 2008), the defendant, Jeff Gast, began working for Shamrock in 2000. In December 2007, he was promoted to Regional Sales Manager. About that time, he also began employment talks with a Shamrock competitor, Sysco Food Services. On January 4 and 7, 2008, Gast emailed numerous documents containing confidential Shamrock material to his personal account. A few days later, he resigned his position at Shamrock and joined Sysco. Shamrock sued, claiming that Gast had violated CFAA, specifically, 18 U.S.C. § 1030(a)(2), (4) and (5).

The Arizona District Court held that the text and legislative history of CFAA supported the narrower view of "authorization." The strongest argument cited by the court was that the House Committee reports discussing CFAA stated that "Section 1030 deals with an 'unauthorized access' concept of computer fraud, rather than mere use of a computer. Thus, the conduct prohibited is analogous to that of 'breaking and entering' rather than [merely] using a computer . . . in committing the offense." H.R. Rep. No. 98-894 at 20 (1984), as reprinted in 1984 U.S.C.C.A.N. 3689, 3706. The Committee report also repeatedly referred to "hackers" who "trespass into" computers and the inability of "password codes" to protect against this threat." H.R. Rep. No. 98-894 at 10-11. U.S.C.C.A.N. at 3695-97. Based on this narrower interpretation of "authorization," the court dismissed the CFAA claims against the former employee.

While a majority of federal courts have adopted the narrow position, a number of federal courts have taken the more expansive view of the term "authorization." For lists of courts adopting each view, see Shamrock, 535 F.Supp.2d at 964-65, and ES&H, Inc. v. Allied Safety Consultants, Inc., E.D. Tenn. (Sept. 16, 2009).

Continue reading "ES&H v. Allied Safety: Court Sidesteps Split in Authority over Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files" »

Consumers who believe they have suffered an injury from a large corporation get excited when they hear that a class action has been filed to requite the wrong. What they often don't realize is that if the class action is successful, it may well result in a settlement that will provide them little or even nothing in the way of direct benefits. In other words, no money.

Such will be the result if the court approves the proposed settlement in the class action brought over Facebook's "Beacon" social advertising system. See Lane v. Facebook, Inc., N.D. Cal., Case No. 5:08-cv-038450. In fact, if the Court approves the settlement, which was proposed last Friday (September 18, 2009), over 96% of the settlement funds will actually wind up being used to pay the plaintiffs' attorneys fees or simply being paid to a Facebook foundation to be used promote online security.

According to the complaint, the purpose of Facebook's Beacon system was to "share news of Facebook members' online purchases with their friends." To make the system work, Facebook set up arrangements with certain online retailers to receive notices whenever their customers made online purchases. When a customer made a purchase, the retailer would notify Facebook electronically of the transaction. If the purchaser was a Facebook member, Facebook would generate a little Beacon popup notifying its member that it had received information about the purchase. Facebook would then create a notice of the purchase and post it on the member's Facebook page.

For example, Sean Lane purchased a white gold and diamond eternity flower ring from Overstock.com for his wife for Christmas 2007. Shortly thereafter, a headline appeared on Sean's Facebook page for all his "friends" to see which read: "Sean Lane bought 14k White Gold 1/5 ct Diamond Eternity Flower Ring from overstock.com." Within two hours, he received an instant message from his wife, Shannon: "Who is this ring for?" She then informed him that Facebook has just put an item on his page saying he bought a ring. It included a link to Overstock, which noted a 51 percent discount on the ring. Sean claimed that his wife's discovery of the purchase ruined his Christmas gifting plans.

Sean Lane thus became the lead plaintiff in this class action against Facebook. While Facebook initially acted as if it intended to contest this case, it put up very little fight -- postponing its motion to dismiss in favor of settlement talks shortly after it was filed. And apparently for good reason. In its motion to dismiss, Facebook admitted that the Beacon system was live for 30 days before it "changed Beacon to require an affirmative opt-in before actions on third party affiliated websites would be fed back to the users' personal profiles." In other words, Facebook admitted that it didn't get users' permission to start gathering information about or announcing their purchases to the world.

While in its court papers and press releases Facebook denied liability, the settlement agreement calls for Facebook to make a $9.5 million payment to settle the class action. In return, Facebook and all other parties stipulated to certification of the class action. This is a benefit to Facebook, because upon final court approval of the class certification and the settlement, Facebook would be relieved from liability from any future suits regarding the allegations in the complaint -- except by plaintiffs who have specifically opted-out of the settlement.

On the surface, that sounds like a pretty fair deal for Facebook. But wait 'til you hear the rest of the story. Of the $9.5 million:

Continue reading "Lane v. Facebook: Privacy Class Action Settlement Requires Facebook to Pay $9.5 Million, but Provides No Direct Benefits to Most Plaintiffs" »

When a website designer and host and its customer work together to create a website which -- oops! -- contains unlicensed copyrighted images, who is liable for the infringement? A recent case found that the answer was "Both," holding the web designer liable for direct infringement and its customer liable for vicarious infringement. See Corbis Corp. v. Nick Starr, d/b/a Master Maintenance, N.D. Ohio No. 3:07CV3741 (September 2, 2009).

The case involved janitorial maintenance company, Master Maintenance, which hired West Central Ohio Internet Link, Ltd. to redesign and host its website. Master provided at least some of the pictures that were eventually used on the website, and supervised and approved the site's design and publication. Unfortunately, four of the images that were eventually used on the site were owned by the plaintiff, Corbis, a media company which owns a large image collection and which had never licensed the use of its images on Master's site.

In a classic case of finger-pointing, Master claimed that when it was slow in providing additional images, West Central took the bull by the horns, found images from other sources to put on the site, including the four infringing images. Master claimed that the infringing images were part of the pictures that West Central supplied. Of course, West Central claimed that Master provided all of the images.

Judge James Carr said that it didn't matter.

There are only two elements to a claim of direct infringement. The plaintiff must show: (1) its ownership of a copyright, and (2) infringement (e.g., copying) by the defendant. Here, Corbis created a presumption that it owned the four images in question by providing a certificate showing it owned a collection of works in which they were included. Then Corbis proved that West Central copied the images by posting them to Master's website, which West Central hosted on its server.

End of issue. According to Judge James Carr, West Central was liable for direct infringement, plain and simple, regardless of who had originally supplied the images.

For vicarious copyright infringement, a plaintiff only has to show that the defendant: (1) received a financial benefit from direct infringement, and (2) had the right and ability to stop or limit the infringement but failed to do so. Here, three of the four images depicted janitorial or cleaning services. Since the website was used to attract new customers to its janitorial business, Judge Carr found that Master Maintenance had received a financial benefit from the images. Moreover, since it was responsible for approving changes to the website, he found that Master Maintenance also had the right to stop the infringement, but failed to do so.

So even if Master Maintenance denied that it had supplied the infringing images, Judge Carr concluded that it could still be found vicariously liable for West Central's direct copyright infringement as a matter of law.

Continue reading "Corbis Corp. v. Starr: Finger-pointing Could Not Save Web Designer and Customer from Joint Copyright Infringement Liability" »

Digital media law: The FTC's recent complaint against Sears Holding Management Corporation targeted an Internet contracting practice that has heretofore been widely approved of by U.S. courts -- placing key disclosures or terms for an online "clickwrap" agreement in a scrollbox. The courts have often overlooked the fact that placing contract terms in scrollboxes may mean that a consumer never actually reads them, because to do so often requires the consumer to click through multiple tiny scrollbox screens. Instead, many courts have held that a consumer who clicks her acceptance to such terms should beheld to her word. In its case against Sears Holding, which was resolved via consent decree on August 31, 2009, the FTC has now stated that in certain circumstances such "hidden" disclosures will not be enough.

The case is In re Sears Holding Management Corp., FTC Docket No. C-4264. Sears Holding handles marketing operations for the Sears Roebuck and Kmart retail stores, and operates the sears.com and kmart.com online retailing sites. In 2007-2008, Sears Holding created and tried to get customers to voluntarily agree to participate in an online market research program. According to the FTC complaint, the program would run in the background on users' computers and transmit information on virtually all of the users' Internet use to Sears Holding. This included information on web browsing, filling shopping baskets, transacting business during secure sessions, completing online application forms, checking online accounts, and use of web-based email and instant messaging services.

Sears Holding marketed this research program via a popup box that it delivered to 15% of visitors to the sears.com and kmart.com websites. The popup box marked the research program as a method for customers to "talk directly" to a retailer, and to "tell them about the products, services and offers that would really be right for you . . ." The popup box invited viewers to enter their email address to receive a follow-up email with more information.

The follow-up email introduced recipients to the "MY SHC Community," which was billed as "a dynamic and highly interactive online community. It's a place where your voice is heard and your opinion matters . . . " To become a member of MY SHC Community, the email directed recipients to complete a registration process. It explained, "You'll be asked to take a few minutes to download software . . . This research software will confidentially track your online browsing . . ." The email apparently contained no further details on the extent of the information that Sears Holding could obtain from the tracking software. The email also offered visitors a $10 payment for joining the "online community."

The email contained a "Join Now" button. If recipients clicked the button, they were directed to an Internet landing page which further directed them to a registration page. To complete registration, recipients were asked to enter basic biographical information. Below the fields for entering this data, the site presented a scroll box which contained a "Privacy Statement and User License Agreement." While the scroll box contained apparently well over 100 lines of text, it only displayed 10 lines at a time.

Beginning on the 75th line of the scrollbox was information explaining the full extent of the information that MY SCH Community would be able to obtain from participants' computers. The disclosures made in the scroll box appear to have been fairly complete. They revealed that the tracking software would provide the speed, memory capability and Internet connection speed of participants' computers, as well as information on related routers and peripherals. They stated that the software "monitors all of the Internet behavior that occurs on the computers on which you install the application, including both your normal web browsing and that activity you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information . . ."

Below the scrollbox was a link that users could click to get a printable version of these terms. Below this was a checkbox next to a statement confirming that the user have read, agreed to, and obtained the agreement from all other computer users to these terms. Users were required to check this box to complete the registration process.

Sears Holding probably thought it had done everything right. Its initial "come on" to MY SHC Community may not have disclosed all the details about the function of its tracking software, but these details were eventually provided in full. And, consumers were required to certify that they had read and assented these details before being permitted to participate in the MY SHC Community. Moreover, courts regularly enforce click-through or clickwrap agreements that are presented in a form substantially identical to that used by Sears Holdings here -- with detailed terms and conditions contained in a scrollbox to which a user is required to assent by clicking a box stating that she has read and accepted their terms. See, e.g, Feldman v. Google, Inc., 513 F.Supp.2d 229, 235-38 (E.D.Pa. 2007); Forrest v. Verizon Communications, Inc., 805, A.2d 1007, 1010-11 (D.C. 2002); Barnett v. NSI, 38 S.W.3d 200 (Tex. Ct. App. 2001); Caspi v. Microsoft Network, LLC, 323 N.J. Super. 118 (1999).

Continue reading "FTC v. Sears: Is Placing Material Internet Contract Terms in a Scrollbox Now Taboo?" »

Consumer electronics/green energy regulations: Despite the objections of major players in the consumer electronics industry, the California Energy Commission announced today (September 18, 2009) that it intends to move ahead with restrictions on television power use that were originally proposed by the energy industry. Under the proposed rules, all new televisions sold in California with a screen size less than 1400 square inches must meet the following standards:

• Tier I (effective January 1, 2011): limited to 1 watt of power while in "passive stand-by" mode and to 0.20 watts x screen area (in square inches) + 32 while in "on mode."

• Tier II (effective January 1, 2013): limited to 1 watt of power while in "passive stand-by" mode and to 0.12 watts x screen area (in square inches) + 32 while in "on mode."

Televisions with a screen size equal to or less than 1400 square inches -- which corresponds roughly to a 58" screen size -- were intentionally omitted from the proposed standards. This concession was in response to objections from many small retailers who sell high-end specialty home theatres that consist almost entirely of screen sizes greater than 58". However, the Commission indicated that it intends to regulate power consumption in these large screen models in a second rulemaking phase.

Effective on January 1, 2011, all TVs would also be required to have a "power factor" of at least 0.9 for units with a power usage greater than or equal to 100 watts. The term "power factor" refers to a TV's maximum draw from the power grid. For example, if a 100 watt TV works by drawing 200 watts from the grid for 0.5 seconds, it would have a power factor of 0.5 (100 watts divided by 200 watts). Many TVs work by drawing a large amount of power from the grid, storing it, using it, and then drawing more power. According to the Commission, these types of designs are energy inefficient, because they lose more energy via heat. Mandating a minimum 0.9 power factor eliminates these types of designs.

In addition to these power restrictions, the Commission also plans to implement: (i) a luminance performance requirement under which a TV's power use in "default mode" can be no greater that 65% of its luminance in its brightest most, (ii) a requirement that all TVs enter standby-passive mode after a maximum of 15 minutes without user input, and (iii) a requirement that all televisions be marked with their on-mode power consumption.

Continue reading "California Energy Commission Rebuffs the Consumer Electronics Association and Announces Move to Implement Strict Restrictions on TV Power Use" »

Data security law: There is no question that it is a trend. In the latest in the never-to-be ended series of data breach cases, a Connecticut District Court held that a plaintiff may not maintain a claim for damages after a data breach merely based on a fear of future identity theft losses.

The case is McLoughlin v. People's United Bank, Inc., District of Connecticut, No. 3:08-cv-00944. People's United Bank had a contract with co-defendant BNY Mellon to handle People's customer information, including its customers' names, addresses, Social Security numbers and bank account information. In February 2008, a metal box containing six to ten unencrypted backup tapes of People's customer data was lost or stolen from a courier truck. The truck had a broken lock and was left unattended during the transport.

About two months after the breach, Peoples and BNY Mellon began informing customers of the loss of the unencrypted back-up tapes. BNY Mellon ultimately offered affected customers two years of free credit monitoring, $25,000 in identity theft insurance and free credit freezes. The plaintiffs eventually brought the present case -- a class action against People and BNY Mellon.

After removal to Federal court, the defendants moved to dismiss for lack of standing, arguing that the plaintiffs had pleaded no actual damages.

Citing U.S. Supreme Court precedent in Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., 528 U.S. 167, 180 (2000), the District Court stated that "to satisfy Article III's standing requirements, a plaintiff must show (1) it has suffered 'injury in fact', that is (a) concrete and particularized, and (b) actual and imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."

To be cognizable, actual damages may flow directly from the defendants' act, or may flow indirectly, in the form of costs spent to remedy the harm. For example, in a case brought against a bank for giving faulty tax advice, actual harm was held to include the "costly and time-consuming step" the plaintiffs had taken "to rectify errors in their past or future tax filings" and the fees they paid for advice. Denny v. Deutsche Bank AG, 443 F.3d 253, 264 (2nd Cir. 2006). Under Second Circuit precedent, "injury in fact" may also be based on "the fear or injury of future harm." Id.

Here, the plaintiffs' claims for damages were not based on direct losses or indirect payments of fees or expenses, but solely on their fear of future losses from identity theft. However, while fear of identity theft been held sufficient to confer standing, it has also been held to be insufficient to satisfy the "actual damages" elements of state tort claims. For example, in Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y. 2008), the court found that an employee had alleged sufficiently alleged injury-in-fact for standing purposes when his laptop was stolen from his employer, but could not sustain a claim for negligence or breach of fiduciary duty. See also Ruiz v. Gap, Inc., 540 F.Supp.2d 1121 (N.D.Call 2009) (standing but no quantifiable damages where thief broke into data processor's office, stealing laptops containing unencrypted personal data).

Following these precedents, the Court in McLoughlin found that the plaintiffs had pled an injury-in-fact sufficient to comply with Federal standing requirements. However, also following these precedent, the Court found that the plaintiff had not alleged damages sufficient to state a claim under Connecticut law which controlled here.

Continue reading "McLoughlin v. People's United Bank: No Claim for Future Identity Theft Losses where Plaintiffs Were Unable to Claim that Data Lost in a Breach Was Misused" »

In a recent decision on a claim for false endorsement, Judge Rudolph Randa of the Eastern District District of Wisconsin found that a plaintiff must at least show that she has an intent to make a commercial use of her name to bring a claim under the Lanham Act. Stayart v. Yahoo!, Inc., E.D. Wisc., No. 09-C-116 (August 28, 2009). Federal courts are less than settled on the standing requirements for a person to bring a false endorsement claim under the Act. On one extreme, some require a plaintiff to have celebrity status to bring such a claim. On the other extreme, at least one court has held that any person whose name is misused may bring such claims. Judge Randa's decision is squarely in the middle.

The Plaintiff, Beverly Stayart, worked for a number of major Chicago financial institutions, eventually attaining the rank of Vice President. For the past several years, she has been actively involved in animal protection programs and genealogy research throughout the world, and uses the Internet in support of these causes. She contributes to an online discussion forum relating to the Siouan (Saponi) nation. Her posts to this site have generated 17,000 hits over the past three years. Two poems she wrote supporting the preservation of baby seals have also appeared in Danish websites.

In December 2008, Ms. Stayart performed searches on her own name on the Yahoo! and AltaVista search engines. She was dismayed to find that her name appeared in Yahoo! (and Overture) results linking her to porn and Cialis websites. The name BevStayart was also allegedly used on a website advertising an adult-oriented operated by AdultFriendFinder.com.

Ms. Stayart sued Yahoo!, Overture, and Friendfinder.com under the Lanham Act (15 U.S.C. § 1125(a)), as well as under state law privacy theories. The Lanham Act provides that a person who "uses in commerce" any "name" which "is likely to cause confusion, or to cause mistake, or to deceive as to the affiliation, connection, or association of such person with another person, or as to the origin, sponsorship, or approval or his or her goods or services, . . . shall be held liable in a civil action by any person who believes that he or she is likely to be damaged by such act."

From the little that can be divined from the Court's records, this case seems to reflect a variation on concepts frequently used in keyword advertising (and search engine optimization). Instead of using a well-known tradename, the advertiser uses any term that gets a significant amount of traffic. The 17,000 hits to Ms. Stewart's blog entries apparently generated enough traffic for advertisers to decide to use her as a draw. In some cases, Ms. Stewart's name was included as part of a "nonsense sentence" in an on-line ad (with the text of the nonsense sentence likely lifted from one of her blog posts). In other cases, her name appeared as part of the URL for an advertising site.

From my point of view, Ms. Stayart's case has the most in common with keyword advertising cases. Plaintiffs have prevailed in such cases on initial interest confusion and trademark dilution theories.

Continue reading "Stayart v. Yahoo!: Failure to Allege Intent to Commercialize One's Identity Dooms Action for False Endorsement under Lanham Act" »

Digital media law: Has Judge Matz gone too far? With his September 11, 2009 grant of summary judgment in favor of Veoh, Judge Matz closed the loop on UMG's copyright infringement case against Veoh. UMG Recordings, Inc. v. Veoh Networks, Inc., Central Dist. of Calif., No. CV-07-5744. However, under his ruling, to qualify for a DMCA safe harbor against infringement, an interactive service provider is not required to "ferret out" cases of infringement, can do nothing in the face of generalized awareness of infringement on its site, and is effectively only required to remove access to infringing materials if provided information from a copyright holder that would pass muster under the DMCA "notice and takedown" rules. Does Judge Matz' decision, which places virtually all of the burden of preventing copyright infringement onto the backs of copyright holders, accurately reflect the intent of the DMCA?

The UMG v. Veoh case should already be familiar to those in the digital media community, since a prior summary judgment has already been the subject of a published opinion. UMG Recordings, Inc. v. Veoh Networks, Inc., 620 F.Supp2d 1081 (C.D.Cal. 2008). Veoh operates a video sharing platform that is something of a combination of Hulu and YouTube. As part of its interactive side, Veoh permits users to upload videos which are available for free downloads. Veoh also permits users to download content from major media companies such as SonyBMG, ABC, CBS, ESPN, Viacom and Warner Television.

Veoh employs robust copyright protection technology and procedures. Veoh's terms of use prohibit users from uploading copyrighted material. They also provide a procedure for copyright holders to send in notices of infringement. When copyright holders send in a notice of infringement, Veoh disables access to the allegedly infringing videos within a day or two, at most. While Veoh does not review videos prior to their being uploaded, it employs a couple of different forms of fingerprinting technology to remove infringing videos after they have been uploaded. One form of fingerprinting technology disables access to any video that has previously been identified as infringing. Another fingerprinting technology, "Audible Magic," takes an audio fingerprint of uploaded files and compares them to fingerprints in Audio Magic's database. Veoh removes videos that contain material in the Audio Magic database for which Veoh has not obtained a license.

Despite its use of these technologies, UMG sued Veoh in September 2007, claiming that Veoh had permitted users to upload thousands of allegedly infringing video files onto its site. Veoh claimed that it was entitled to a DMCA safe harbor for this material, because it resided on its system "at the direction of a user of [the] material." 17 U.S.C. § 512(c)(1).

To qualify for this DMCA safe harbor, an interactive service provider must show, inter alia, that: (1) it has no actual or constructive knowledge of the infringement, (2) upon receiving knowledge of an act of infringement, it "acts expeditiously to remover, or disable access to, the material", (3) it does not receive a direct financial benefit from infringing conduct that it controls, (4) it operates a notice and takedown system for infringing material, and (5) it reasonably implements a policy for terminating repeat infringers. 17 U.S.C. § 512(c), (i), (j).

UMG claimed that Veoh had failed most of these tests.

The knowledge tests

Judge Matz was highly skeptical of any evidence that could show that Veoh had actual or constructive knowledge of infringement -- short of fully compliant and sworn DMCA notices.
UMG claimed that Veoh had actual knowledge that an entire category of music Veoh users were uploading was subject to copyright protection - music. Judge Matz rightfully rejected this overreaching argument, stating that "merely hosting videos with music cannot be a basis for finding actual knowledge." However, UMG further argued that Veoh had actual knowledge that infringement was occurring after the RIAA sent Veoh notices of names of artists whose copyrighted works appeared on its site. Judge Matz also rejected this argument, noting that the DMCA notice procedures require that a copyright holder provide a "representative list of works" that are infringed on a site, not the names of artists whose works are infringed.

Continue reading "UMG v. Veoh: Has Judge Matz Gone too Far in Placing the Burden of Identifying Instances of Copyright Infringement onto the Backs of Copyright Holders?" »

New York trial courts seem to be confused over which of the several prevailing standards for uncovering the identity of an anonymous blogger should be followed by New York courts. In the Liskula Cohen case, a New York County judge imposed a "light" standard, and merely required the plaintiff to show that her motion would survive a motion to dismiss. However, in another recent case, involving former Congressman Richard Ottinger, a Westchester County judge applied a much heavier standard, and required the plaintiff to provide evidence to support each of the elements of his defamation claims, to the extent such evidence was under his control See In re Ottinger & Ottinger, Supreme Court of the State of New York, County of Westchester, IAS Part, Index No. 08-03892 (July 1 2008). (Thanks to Wendy Davis, editor of the Daily Online Examiner, for telling me about the Ottinger case).

Trial courts around the U.S. vary greatly on the standards they impose on plaintiffs seeking to uncover the identity of an anonymous author of a web post. On the light end of the scale, some merely require a plaintiff to show that his/her complaint against the unknown blogger would pass a motion to dismiss. On the heavy end, others require a plaintiff to provide evidence for every element of his/her claims against the blogger -- a virtual impossibility in many cases. As a alternative to these extremes, some courts have adopted a middle path and require a plaintiff to provide evidence in support of claims to the extent that such evidence is within the plaintiff's control. Many courts also require a plaintiff seeking an order to uncover an anonymous blogger's identity to take steps to notify the anonymous of the action.

In the Ottinger case, the judge adopted a blend of the heavy and moderate positions. The Ottingers are both long-time New York politicos. Richard Ottinger is a former U.S. Congressman from the State of New York. His wife, June Ottinger, served as a Trustee for the Village of Mamaroneck and chairman of the Harbor and Coastal Zone Management Commission (the "Commission"). In 2007, the Ottingers applied for building permits and approvals from several Village boards to renovate their home. One of the boards they applied to was the Commission, of which June was Chairman at the time -- although she did not participate in the consideration of the building permit.

Some of the Ottingers' neighbors and local activists began attending public meetings at which their permit applications were being discussed. One such neighbor and activist, Suzanne McCrory, became convinced that the Village was giving the Ottingers favorable treatment. She filed a petition challenging their permits. She also spoke at a televised meeting in which she stated that the confirming deed for the Ottinger property was "invalid' and "fraudulent."

Shortly thereafter, an anonymous blogger posted a forum on LoHud.com, a public forum section of the online version of the local newspaper -- The Journal News -- entitled "The Sounds of Silence." In this forum he posted comments suggesting that the Ottingers' deed was fraudulent, and that the Ottingers had used political pressure and bribery to get permits for their renovation project. Here is an example of one of the posts:

"THEY PAID THE RIGHT PEOPLE OFF! They started off with taking care of the Mayor, everybody knows that. I would guess the Building Inspector and Zoning Board were not forgotten in their largesse. The Ottingers have been very generous in greasing the wheels of corruption. With the news of the fraudulent deed they submitted it becomes quite clear that they must have taken care of the surveyor and the prior owner of the property, under they are two of the dumbest people on earth!"

Continue reading "Ottinger v. Tiekert: New York Trial Courts Are Split on the Burdens to Be Imposed on a Plaintiff Seeking to Uncover the Identity of an Anonymous Blogger" »

Internet gaming: On September 1, 2009, the 3rd Circuit handed down an opinion rejecting several facial challenges to the Unlawful Internet Gambling Enforcement Act (UIGEA) of 2006 (31 U.S.C. § 5361). This decision was on a suit brought by the Interactive Media Entertainment and Gaming Association - iMEGA -- a gaming industry advocacy group. Interactive Media Entertainment and Gaming Association, Inc. v. Attorney General, U.S.C.A., Third Circuit, Case No. 08-1981.

The UIGEA does not directly outlaw internet gambling, but instead makes if unlawful financial institutions and other persons to knowingly financial instruments such as credit cards, ETFs and checks in connection with "unlawful Internet gambling" by a third party. The effect of the UIGEA has been to seriously dampen the involvement of U.S.-based financial institutions in Internet gaming.

A major reason is that the statute defines "unlawful Internet gambling" to include placing, receiving or transmitting a bet or wager by means of the Internet "where such bet or wager is unlawful under applicable Federal or State law in the State or Tribal lands in which such bet or wager is initiated, received, or otherwise made." This means that even if the gambling business operates in a location where Internet gambling is legal, it is prohibited from accepting common financial instruments from an Internet gambler if the gambler is located in a place where Internet gambling is illegal.

The problem is that financial institutions often cannot determine the precise jurisdiction from which a gambler has placed a bet over the Internet. As a result, it cannot determine whether the bet is lawful. While Internet gambling, per se, has only been outlawed in a handful of states, the effect of the UIGEA has been to seriously dampen the involvement of U.S. financial institutions in Internet gambling. iMEGA filed the this suit in 2007 against the U.S. Attorney General, the FTC and the Federal Reserve in an attempt to block enforcement of the UIGEA.

The District Court rejected iMEGA's suit. On appeal to the 3rd Circuit, iMEGA raised two primary arguments: that the UIGEA on its face is void for vagueness and that it violates an individual's right to privacy. A plaintiff raising a facial challenge to a statute faces a serious uphill battle, because he must prove that the law is impermissibly vague in all its applications. A statute is void for vagueness if it fails to provide "fair notice" of what is prohibited or if it permits seriously discriminatory enforcement.

The 3rd Circuit held that iMEGA had failed to meet this tests because it believed that the conduct outlawed in the UIGEA was clear enough -- it prohibits acceptance of financial instruments in connection with Internet gambling initiated at a place where such gambling is illegal. Because at least some States have clear laws outlawing Internet gambling, the UIGEA would clearly apply to Internet gambling initiated from those locations. Because the UIGEA could clearly be applied to gambling initiated from those locations, it is not void for vagueness.
Interactive argued that the UIGEA was also impermissibly vague, because it is often difficult for a financial institution to determine the location form which a gambler has placed an Internet bet. The 3rd Circuit rejected this argument, noting that the mere fact that it may be difficult to prove an element of a law does not mean that the law itself is vague.

iMEGA also argued that under the law of some foreign jurisdictions, a bet is deemed to have been placed in the location where it is received. As such, a financial institution processing payments relating to such a transaction would be unable to know where the bet was placed as a matter of law. The 3rd Circuit had little patience for this argument, stating that nothing in the language of the UIGEA "suggest[s] that Congress meant anything other that the physical location of a bettor or gambling business in the definition of "unlawful Internet gambling."

Continue reading "iMEGA v. Holder: Third Circuit Rejects Gaming Industry Group's Constitutional Challenges to Federal Internet Gambling Law (UIGEA)" »

Internet law: The Communications Decency Act (CDA) sets the standard for determining a website operator's liability for publishing information on the Internet. The CDA provides that a website operator may not be treated as the publisher of information "provided by another information content provider." In other words, if a third party provides information for posting on a website, the webhost will not be held liable for things such as federal civil rights violations, state law crimes, or common-law torts like defamation or invasion of privacy, for publishing that information on its site.

When conducting seminars on digital media law, I am often asked when information will be considered to have been "provided by another information content provider." For example, does CDA immunity apply if a web host finds an article she likes and republishes on her site? Or, if someone sends the web host an email, does CDA immunity apply if she publishes that email on her site?

The answers to these questions were provided by the 9th Circuit in a case I litigated several years ago, Batzel v. Smith, 333 F.3d 1018 (9th Cir. 2003).

Ellen Batzel was a lawyer who resided in North Carolina. She employed a handyman named Robert Smith to perform work at her home. Unfortunately, she had a falling-out with Smith, and he apparently decided to take revenge. So he sent the following mail to the Museum Security Network, a Dutch website that publishes information about stolen art:

"From: Bob Smith
To: securma@museum-security.org
Subject: Stolen Art

Hi there,

I am a building contractor in Asheville, North Carolina, USA. A month ago, I did a remodeling job for a woman, Ellen L. Batzel who bragged to me about being the grand daughter [sic] of "one of Adolph Hitler's right-hand men." At the time, I was concentrating on performing my tasks, but upon reflection, I believe she said she was the descendant of Heinrich Himmler.

Ellen Batzel has hundreds of older European paintings on her walls, all with heavy carved wooden frames. She told me she inherited them. I believe these paintings were looted during WWII and are the rightful legacy of the Jewish people. Her address is [omitted].

I also believe that the descendants of criminals should not be persecuted for the crimes of the [sic] fathers, nor should they benefit. I do not know who to contact about this, so I start with your organization. Please contact me via email [...] if you would like to discuss this matter.

Bob."

Continue reading "Batzel v. Smith: No Communications Decency Act Immunity for Publishing Private Communications on Your Website" »

Digital media law: Startling high damage awards in a number of recent copyright, trademark and cybersquatting cases are often the result of simple math. Plaintiffs in these cases have the right to demand an award of statutory damages in lieu of proving actual damages. In each case, the amount of damages is tied to the number of copyrighted works or trademarks infringed, or the number of infringing domain names. It is very common for juries or judges to make per violation awards of $50,000 to $1,000,000 and more. Where a defendant has committed infringements of multiple works or marks, using simple math, it is quite easy to get to damage awards in the tens of millions of dollars -- regardless of the actual harm suffered by the plaintiff or the profits earned by the defendant.

Here is the short and skinny law on these types of statutory damages:

• The Copyright Act provides for a minimum statutory award of $750 and a maximum of $30,000 for each copyright infringed. If the plaintiff proves that the infringement was willful, the maximum damage award is raised to $150,000. 17 U.S.C. § 504(c)(1), (2).

• The Lanham Act provides for statutory damages in trademark cases involving "counterfeit marks" of not less than $1,000 or more than $200,000 per counterfeit mark per type of good or services sold, offered for sale or distributed. The maximum is raised to $2,000,000 for willful infringement. 15 U.S.C. § 1117(c).

• The Anti-Cybersquatting Protection Act permits statutory damage awards of not less than $1,000 and not more than $100,000 per domain name. 15 U.S.C. § 1117(d). Courts take factors such as willfulness into account in determining the appropriate amount of statutory damages.

In all three cases, the plaintiff may elect an award of statutory damages, in lieu of actual damages, at any time before entry of final judgment.

Here are some recent examples of how the "math" of statutory damages has played out:

• Microsoft Corp. v. McGee, 490 F.Supp.2d 874 (S.D. Ohio 2007):
Microsoft brought this copyright and trademark infringement suit against the operator of the Computerme.net website, which sold and installed a variety of Microsoft software products. According to Microsoft, in August 2006 the defendant sold a counterfeit copy of Office 2000 Pro to a Microsoft investigator. Microsoft ultimately sued for infringement of five of its trademarks and seven of its copyrights. The defendant defaulted and Microsoft sought an award of statutory damages.

The Court found that the defendant had acted willfully because it had failed to respond to Microsoft's demand letters and had defaulted at trial. However, because Microsoft had only requested the maximum amount of non-willful damages for trademark and copyright infringement, the Court awarded just that: $30,000 each for the 7 copyrights infringed ($210,000) and $100,000 each for the 5 trademarks infringed ($500,000) -- a total of $710,000.

Continue reading "Akanoc, OnlineNIC and Computerme : Suits Involving Multiple Copyright, Trademark or Cybersquatting Claims Provide Opportunities for Startling Statutory Damage Awards" »

Trademarks on the Internet: We recently reported that a Dallas jury found in favor of the Dallas-based cosmetic giant Mary Kay, Inc. on a trademark suit it brought against a reseller of its products. See our post of August 2, 2009. This verdict seemed odd, because resellers of branded products are generally protected by the first sale and nominative fair use doctrines. Juries do not write opinions, so it is often difficult to understand the reasoning behind their decisions. However, in this case, a recent post-trial ruling by the presiding judge, Hon. Joe Fish, denying the defendants' motion for a new trial, has provided some fresh insight -- and confirms my earlier suspicions about the sufficiency of the evidence in this case. See Mary Kay, Inc., v. Weber, U.S.D.C. Northern District of Texas, Case No. 3:08-cv-0776 (August 14, 2009).

Mary Kay is a well-known manufacturer of cosmetics, which it distributes world-wide via a network of "beauty consultants". Defendant Mary Weber, was a Mary Kay beauty consultant until 2004. When she stopped working for Mary Kay, Ms Weber was left with a large inventory of Mary Kay products that she couldn't sell. To dispose of these leftovers, she began selling them on eBay. After Ms. Weber sold all of her products, she began to purchase leftovers from other Mary Kay beauty consultants, which she later resold on eBay as well. Eventually Ms. Weber and her husband set up an eBay store called "marykay1stop" to sell these products.
When eBay objected to this use of its trade name in this site, the Webers changed the name to touchofpinkcosmetics.com and set up their own website under this name.

Touchofpinkcosmetics.com continued to sell Mary Kay products, which it identified with the "Mary Kay" trademark. According to the Court, "[a]ll the products sold by the defendants were purchased from current or former Mary Kay [beauty consultants]" and [t]he defendants do not alter the products they sell in any way."

The Webers' business model sounds like the perfect case for the application of both the first sale and nominative fair use doctrines.

The Evidence on the First Sale Doctrine Defense

Under the first sale doctrine, a trademark's owners rights do not extend past the first sale of goods bearing its mark. As a result, so long as the trademarked goods it sells are genuine, a distributor who resells trademarked goods without change is not liable for trademark infringement. Polymer Technology Corp. v. Mimran, 975 F.2d 58, 61-21 (2d Cir. 1992).

The first sale doctrine protects the important secondary markets that exist in many branded goods, such as automobiles, boats and jewelry. While the existence of a secondary market likely deprives a trademark holders of some sales volume, the presence of a strong secondary market is often cited by trademark holders as evidence of the quality of their goods -- and likely increases the sales price of their new goods. Secondary markets clearly help consumers. Sellers are able to use them to dispose of usable assets for which they have no further use, and buyers are able to use them to purchase quality goods at far lower prices than new goods. Since the Webers were reselling genuine Mary Kay products, it would seem that the first sale doctrine should protect the secondary market they were creating in these goods.

Continue reading "Court Explains Why On-line Reseller Was Not Entitled to First Sale and Nominative Fair Use Defenses in Mary Kay Trademark Suit" »

Copyright law: A recent case from the Southern District of New York demonstrates the need to register each revision of software provided to third parties in order to maintain copyright protection over it.

The case was SimplexGrinnell LP v. Integrated Systems & Power, Inc., U.S.D.C., Southern District of New York, Case No. 07Civ2700. The plaintiff, Simplex, makes fire alarm and sprinkler equipment. The defendant, ISPI, was an installer of Simplex's equipment in the New York and New Jersey areas and was granted, as part of a bankruptcy court order, a license to use Simplex's programming software to service Simplex alarm systems for ISPI's existing customers. However, ISPI began using Simplex's software to service new customers, as well. Simplex sued for copyright infringement, seeking to block ISPI from using its software to service new customers.

The Court found that it simply could not issue an order this broad. Simplex had created five "revisions" of its software, numbered 8, 9, 10, 11 and 12. It had also issued serial editions of each revision. For example, versions 10.01, 10.50, 10.60, 10.61, 10.60.99 and 10.61.01 were all part of revision 10. However Simplex had only obtained proper copyright registration for four of these multiple versions: versions 8.04, 9.02, 10.01 and 11.01.

The problem for Simplex was that under the Copyright Act, a court only has subject matter jurisdiction over registered copyrights. See 17 U.S.C. § 411(a) ("no action for infringement shall be instituted until registration of the copyright claim has been made in accordance with this title"). As such, the Court held that it was not authorized enforce Simplex's copyrights for any versions of its software, except for the four registered versions.

Copyright law classifies works as "original" and "derivative" works. A "derivative" work is a work that is based on "one or more preexisting works." 17 U.S.C. § 101. To be fully protected, derivative works must be copyrighted separately from the original works on which they are based. In an attempt to circumvent the Court's ruling, Simplex argued that the changes it had made in the software between the serial editions of each revision were trivial, so the different editions within each revision did not qualify as "derivative" works and did not require separate copyright registration. Under Simplex's theory, because each version of the software was not a derivative work, it registration of one of the versions within each "revision" should be sufficient to confer subject matter jurisdiction over the entire revision.

Continue reading "Good Copyright Registration "Hygiene" Necessary to Obtain Copyright Protection over Revised Versions of Software" »

Internet privacy law: Lawyers frequently vent their frustration over the widely variant interpretations given to the outdated Electronic Communications Privacy ACT (ECPA) by courts around the country. A recent decision by a court in the Eastern District of Illinois reveals the problems caused by these differences, and also illustrates how thoughtful forum selection and "kitchen sink" pleading can prevent a plaintiff from being deprived of a remedy.

The facts of the case:

The case is Steinbach v. Village of Forest Park, Northern District of Illinois, Case No. 06C4215. The plaintiff, Theresa Steinbach was elected Commissioner of the Village of Forest Park in 2003. Upon her election, the Village provided Ms. Steinbach with a personal email account that was hosted by Hostway Corporation, a third party webmail service. Ms. Steinbach had a Village IT tech configure this email account so that it would forward all email traffic to her personal email account, which was not associated with the Village.

In 2006, Ms. Steinbach ran for mayor against co-defendant Anthony Calderone, but lost. Around this time, she discovered that she was not receiving all of her email in her private account. An investigation revealed that eleven emails she had sent from her personal email account had been forwarded to Calderone.

Ms. Steinbach sued Forest Park under four different legal authorities: (i) ECPA Part I (a/k/a, the Wiretap Act, 18 U.S.C. § 2510 et seq.); (ii) ECPA II (a/k/a, the Stored Communications Act, 18 U.S.C. § 2701 et seq.); (iii) The state common law claim, "intrusion of seclusion," and (iv) CFAA (18 U.S.C. § 1030).

The Court's inconsistent rulings on ECPA Parts I and II are based on a troublesome 7th Circuit position

Parts I and II of the ECPA were enacted as part of the same legislative process and use many of the same terms. For example, ECPA Part I contains a lengthy definition section, which Part II does not bother to repeat. Instead, the definition section for Part II, 18 U.S.C. § 2711, merely provides that the terms used in Part II have the same meanings given in the definition section for Part I, 18 U.S.C. § 2510. Similarly, both sections permit private causes of action for violations of their provisions "from the person or entity which engaged in that violation." See §§ 2520(a); 2707(a).

In apparent disregard of this parallelism, the Court found that the plaintiff did not have a right to bring a cause of action against the Village under ECPA Part I, but permitted her to maintain her cause of action against the Village under ECPA Part II. The Court never explained these inconsistent rulings. Its decision to reject the ECPA Part I claim was based on the fact that this ruling was required by controlling 7th Circuit precedent -- which itself seems to rest on very shaky ground.

Continue reading "Steinbach v. Forest Park: Navigating the Federal Court Splits on the Interpretation of the Electronic Communications Privacy Act (ECPA) to a Remedy" »

Digital media law: As reported yesterday by Jaikumar Vijayan of ComputerWord.com, on August 28, a San Jose, California jury reached verdict in excess of $32M favor of Louis Vuitton Malletier against ISP operator Akanoc Solutions, Inc. and related defendants on contributory trademark and copyright infringement claims. Louis Vuitton Malletier, S.A. v. Akanoc Solutions, Inc., U.S.D.C., Northern District of California, Case No. C07-03952. The contributory trademark infringement claims in this case are similar to those raised in Tiffany v. eBay. Tiffany (NJ) Inc. v. Tiffany and Co., 576 F.Supp2d 463 (S.D.N.Y. 2008). However, the trials in the two cases have produced opposite results, largely based on the differing views taken by the courts of the evidence that can be used to show knowledge of infringing activity.

Louis Vuitton is the distributor of the well-known line of luxury handbags that bear the distinctive LV trademark. Akanoc offers traditional ISP webhosting services. However, its website indicates that it specializes in providing English-language webhosting services to Chinese companies, to assist in their sale of goods into the U.S. Its site states that "Attracting American clients through use of an online web presence is the key to success!" and that " Our company specializes in creating unique solutions to solve urgent needs of information exchange between the two nations based on the extensive background knowledge of the Chinese economy."

In 2006-2007, Louis Vuitton had its investigators purchase goods sold using its trademarks from websites hosted by Akanoc. Each item purchased was sent using a return address in China. After inspection, Louis Vuitton concluded that the goods were counterfeit. Louis Vuitton then sent letters to Akanoc identifying the websites that it believed were selling counterfeit goods and asking Akanoc to take down the sites. Akanoc acted to take down at least some of the sites. However, in its amended complaint, Louis Vuitton identified dozens of infringing websites that it claimed were still operational as of July 2008.

Louis Vuitton went forward at trial solely on contributory trademark and copyright infringement theories -- and prevailed on both of these claims, winning a jury award of $31.5M on its trademark claims and $900,000 on its copyright claims. Trial documents indicate that this victory was, at least in part, the result of the relaxed view taken by Judge James Ware of the evidence that is admissible and/or sufficient to establish a defendant's knowledge of the presence of infringing activity by the users of its services.

In Inwood Labs, Inc. v. Ives Labs, Inc., 456 U.S. 822, 102 S.Ct. 2182 (1982), the U.S. Supreme Court stated that "if a supplier of a manufacturer or distributor intentionally induces another to infringe a trademark, or if it continues to supply its product to one whom it knows or has reason to know is engaging in trademark infringement, the manufacturer or distributor is contributorially responsible for any harm done as a result of the deceit." Id. at 855. These rules have been held to apply whether the supplier is providing an ingredient for the infringer's product, or a service, such as space in a flea market, for the infringer to sell his wares. Hard Rock Café Licensing Corp. v. Concession Services., Inc., 955 F.2d 1143, 1148-49 (7th Cir. 1992).

Continue reading "Louis Vuitton v. Akanoc: Letters to ISP Demanding Takedown of Infringing Websites Played Critical Role in Jury Finding that ISP Had Knowledge of Trademark Infringement" »

Keeping up with the constant changes in security measures necessary to handle the latest threats to data can make a business feel like it is running out of breath. When a business already has a quality data security system in place, implementing the latest security protocol may feel like a distraction and a waste of money. However, state and federal legislatures and regulators, as well as courts around the country, are increasingly unwilling to let businesses slack off from the cyber-security arms race. As seen in a recent Indiana District Court decision, failure to implement the latest and greatest in data protection measures may be found to be a breach of expected standards of care and expose a business to liability for data breaches.

The case is Shames-Yeakel v. Citizens Financial Bank, U.S.D.C., Northern District of Illinois, Case No. 07-c-5387. The plaintiffs operated a bookkeeping and accounting service from their home, presciently named "Best Practices." The plaintiffs had personal checking accounts with the defendant, Citizens Financial Bank, as well as a business account under the Best Practices name. The plaintiffs also obtained a home equity line of credit from Citizens, which they drew on to make a down payment on a loft in Chicago, pay off their auto loans, make roof repairs to their residence and purchase a car for their daughter. The plaintiffs linked the line of credit to their Best Practices business checking and made payments on the line through that account.

In 2007, an unknown person gained access to the plaintiffs' online accounts by using Ms. Shames-Yeakel's username and password. This person ordered a $26,500 advance on the home equity line of credit, which was eventually transferred to a bank in Austria. When the theft was discovered and the funds traced, the Austrian bank refused to return the money.
Citizens Bank notified the plaintiffs that it intended to hold them liable for the loss. The online banking agreement between Citizens and the plaintiffs stated "We will have no liability to you for any unauthorized payment or transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice." Citizens then began to bill the plaintiffs for the $26,500. When they failed to pay the balance on time, Citizens reported the account as delinquent to national credit bureaus. Citizens also threatened to foreclose on their home, if the plaintiffs continued to refuse to make payments.

The plaintiffs complained to the Office of Thrift Supervision ("OTC"). However, the OTC informed them that they had no objection to Citizens holding them liable. In support of its conclusion, the OTC noted that Regulation E, which implements the Electronic Funds Transfer Act, only protects demand deposit and consumer asset accounts, not credit accounts like a home equity line of credit. It also noted that Regulation Z, which implements the Truth in Lending Act, only covers lines of credit when the credit is used for personal purposes. Here, because the plaintiffs had linked the line of credit to a business checking account, the OTC concluded that it was a business line of credit.

Continue reading "Shames-Yeakel v. Citizens Financial Bank: Failure to Expeditiously Implement State-of the Art Security Measures Can Create Liability for Negligence in Data Breach Cases" »

Communications Decency Act Update: As readers of this blog are aware, Craigslist is engaged in a pitched battle against the State attorneys general regarding its former erotic services classified ads category. Earlier this year, in response to threats of prosecution of aiding and abetting prostitution, Craigslist changed this category title, at least for its U.S. web pages, from "Erotic" services to "Adult" services. It also began screening postings for nudity and illegal content, and began charging persons placing ads under this category.

Despite these changes, in March 2009, Craigslist was sued by the Thomas Dart, Sheriff of Cook County, Illinois, for public nuisance and violation of local prostitution statutes. Complaint, Dart v. Craigslist, Inc., U.S.D.C., Northern District of Illinois, Case No. 1:09-cv-01385. The Complaint specifically targets Craigslist for three activities: (i) creating an "Erotic" services category, under which third-party posts for prostitution services were published, (ii) creating twenty-one sexual predilection subcategories within the Erotic services category, such as "w4m, m4m, m4w, w4w", etc., and (iii) creating a word search function that permits users to "search for a prostitute based on desired search terms relating to location, type of service, physical dimensions, or ethnicity." The suit seeks a declaration that Craigslist's conduct is a public nuisance, to award the Sheriff his costs in abating this nuisance, and to enjoin Craigslist from engaging such conduct in the future.

Craigslist has filed a motion for judgment on the pleadings -- essentially a motion to dismiss. At present, briefing is completed and waiting a decision by Northern District of Illinois Judge Grady.

The pleadings filed by the parties give very different perspectives on the law that should be applied to this case. As expected, much of Craigslist's motion focuses on the Communications Decency Act (CDA), arguing that the claims against it amount to an attempt to hold it liable for publishing material from third-party information providers -- an activity that is immune under the CDA. Motion at 15-16. Craigslist also argues that the attempt to enjoin its conduct amounted to an unconstitutional prior restraint on speech.

The Sheriff's responsive pleadings start with a bang, by claiming that "Craigslist is the largest source of prostitution in the country." Response to Motion for Judgment on the Pleadings, p. 3. The Sheriff's brief then moves onto several flawed arguments: First, it claims that Craigslist's CDA defense "is built on the assumption that the underlying content, advertisements for prostitution and escort services, is constitutionally protected." Response at 3. This argument is simply off-base. The CDA applies to a website operator, regardless of whether the third-party content posted on its site is entitled to First Amendment protection. Indeed, in several recent cases, the CDA has been held to provide immunity, even though the material published was fraudulent and used to violate state criminal laws -- all constitutionally unprotected activities. See Doe v. MySpace, Inc. (5th Cir. 2008) 528 F.3d 413; Doe v. MySpace, consol., Cal. Ct. App., No. B205643 (Cal.App. June 30, 2009).

Continue reading "Dart v. Craigslist: Competing Views of Craigslist's Liability for Creating its "Adult" Services Section" »