October 30, 2009

U.S.A. v. Iconix: A Website's False Disclaimer that It Collects Personal Information from Children under Age 13 Can Lead to Doubled Penalties from the FTC

The FTC's recent settlement against soft goods marketer Iconix Brand Group, Inc. shows the hazards of trying to skirt the hassles of compliance with the Children's Online Privacy Protection Act (COPPA). 15 U.S.C. §§ 6501-6506. If your website privacy policy disclaims an intent to collect information from kids and asks kids not to submit personal information on your site, but you have reason to know that these policies are being ignored, you may actually set yourself up for double penalties -- for failure to comply with COPPA and for engaging in deceptive acts.

COPPA prohibits an operator of a website "directed to children" or who has "actual knowledge" that he is collecting personal information from a child under age 13 from collecting, using or disclosing such information without parental consent. Getting this consent is often no easy task. A website operator is prohibited from simply asking parents to provide consent via an online form. Instead the operator must provide the parent with a notice specifying the information collected and its use, and then get parental consent via telephone, fax, email or similar method.

The operator also must post a privacy policy detailing each type of information it collects and how it uses this information. It must maintain a security system to protect the "confidentiality, integrity and security" of personal information collected from a child.

Some website operators believe that they can avoid the cost and hassle of COPPA by officially not marketing themselves to children under age 13 and by including a specific disclaimer of any intent to collect information from children under age 13 in their website privacy policy. For example, Iconix's privacy policy contained the following disclaimer:

We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit personally identifiable information to us . . .

Unfortunately, this type of policy and disclaimer can actually expose a website operator to greater liability under COPPA and the FTC Act. Here's why:

First, the FTC, which enforces COPPA violations, has very broad rules for determining whether a website is directed to children. The FTC doesn't just look at the operator's stated policy or intent, but at the overall character of the site. The FTC focuses on objective factors such as the site's subject matter, its visual or audio content, the age of its models, the language it uses, the advertising appearing on or promoting the site, the intended and actual audience composition, and the use of animated characters or child oriented activities and incentives. 16 C.F.R. §312.2.

The FTC believed that a number of these factors suggested that several of Iconix's websites were directed towards children under age 13, including: the use of cartoon graphics, website domain names such as "Candies.com", "Mudd girls", the use of photos of young girls, and the fact that over 1,000 girls under the age of 13 allegedly had registered on Iconix's websites between 2006 and 2009.


October 29, 2009

Dart v. Craigslist: District Court Ruling Clarifies Extent to which a Website Can Permit Publication of Illegal Content but Retain Communications Decency Act (CDA) Immunity

Digital media law update: At last, one of several suits by law enforcement authorities against Craigslist, over its alleged publication of ads promoting prostitution services, has reached a court decision. The result, which appears to be driven at least in part by Craigslist's recent actions to clean up its site, is that Craigslist has been found not liable for aiding and abetting the practice of prostitution in Chicago.

The case, Dart v. Craigslist, Inc., N. D. Ill., No. 1:09-cv-01385, was brought by the Sheriff of Cook County who alleged that Craigslist was facilitating prostitution and creating a public nuisance. According to the complaint, Craigslist had become "the single largest source for prostitution, including child exploitation, in the country." The Sheriff argued that Craigslist facilitated prostitution because it created classified ad categories entitled "erotic" (now "adult") services, subcategories referring to different types of sexual services (such as "w4m"), published thinly-veiled ads offering prostitution services, and allowed these ads to include nude or semi-nude photos of women. For example, one ad read "HELLO GENTLEMEN NOW YOU MEET JADE AND TIPHANY WE DO TWO GIRL SHOWS AND INDIVISUAL CALLS!! WE GUARANTEE THE TIME OF YOUR LIFE!!!" (spelling errors in the original).

The Sheriff stated that he and other law enforcement authorities regularly conduct prostitution stings using advertisements published in Craigslist. The Sheriff claimed that he had arrested over 200 people through Craigslist since 2007.

Craigslist countered that while it created the categories the Sheriff cited, its users created the ad content. Moreover, Craigslist claimed that it took steps to discourage ads promoting prostitution by including a provision in its Terms Of Use prohibiting users from posting illegal content, and by placing a "warning and disclaimer" in its erotic/adult services section stating that users entering the section agreed to "flag" prohibited content so that it could be removed. Craigslist also imposed a $10/ad charge on persons posting ads in its adult services section, a fee that had to be paid with a valid credit card. Craigslist said that this provision was designed to make it easier for law enforcement officers to locate the person who placed an ad, again discouraging illegal content.

As the legal basis for his claims against Craigslist, the Sheriff cited Chicago Municipal Code §8-8-020, which provides that "no person shall knowingly direct, take, transport . . . any person for immoral purposes or assist any person by any means to seek or find a prostitute." He claimed that Craigslist's ads performed this very function -- helping people find prostitutes.

District Court Judge John Grady rejected the Sheriff's claims on Communications Decency Act (CDA) grounds. 47 U.S.C. § 230. The CDA provides that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." The CDA has been consistently held to provide immunity from prosecution under tort, civil rights and state criminal laws for operators of interactive websites.


October 28, 2009

Patco Construction v. Ocean Bank: Who Pays when a Hacker Steals Money from a Business Bank Account?

It was recently reported by Brian Krebs of the Washington Post, and others, that a Maine construction company sued its bank for failing to prevent hackers from transferring some $588,000 in company funds to co-conspirators throughout the U.S. This case bears watching because it may well test the conclusion of the court in Shames-Yeakel v. Citizens Financial Bank that a bank's failure to use multi-factor authentication procedures for wire transfers may not constitute a reasonable business practice. It should also test the effect of a clause in the bank's contract with the construction company, requiring the company to monitor and immediately report questionable transfers to the bank.

The case is Patco Construction Co. v. Ocean Bank, York County Superior Court, 2009. According to the complaint, on May 7, 2009, hackers stole Patco's login credentials and initiated a series of transfers throughout the week that totaled over $588,000. Patco discovered the fraud on May 13, when one of its co-owners found a notice from Ocean Bank in his mailbox, stating that several recent transfers had been rejected. Patco notified the bank on the morning of May 14. While the bank attempted to rescind the transfers, Patco was ultimately out at least $345,000 in stolen funds.

The bank claimed that Patco was responsible for the loss, citing a clause in its ebanking and bill payment agreement, which states that customers who use automated clearinghouse (ACH) transactions on their commercial accounts "assume all liability and responsibility to monitor those accounts on a daily basis" and "[i]n the event you object to any ACH debit, you agree to notify us of your objection on the same day the debit occurs." Patco allegedly didn't discover or report the losses until days after most had occurred.

Patco claims that Ocean Bank is responsible for the loss, arguing that the bank breached its duty to provide a commercially reasonable security system because it only provided a single-factor authentication system for wire transfers.

So, which side is right?

Fraud losses for business deposit accounts, such as those suffered by Patco here, are governed by Part 4A of the Uniform Commercial Code. Part 4A is written from the standpoint of the bank and gives a bank a "safe harbor" from losses associated with wire fraud, if it meets three conditions: (i) the bank and its customer agree to use a particular procedure for verifying the authenticity of wire transfer orders, (ii) the bank has provided a "commercially reasonable method of providing security against unauthorized payment orders" to the customer, and (iii) the bank followed the procedures.

Article 4A generally permits parties to modify its provisions as they see fit -- except where modification is not permitted by Article 4A. See §4A-501. One area where waiver of Article 4A's provisions is restricted is in contracts dealing with commercially reasonable security procedures. Under Section 4A-202, a security procedure can be "deemed commercially reasonable if (i) the security procedure was chosen by a customer after the bank offered, and the customer refused, a security procedure that was reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer." According to the official comment to this section, the bank has to first offer a commercially reasonable security procedure to the customer, the customer has to "be made aware of the risk" of rejecting the procedure, and then assent in writing to assume that risk.


October 23, 2009

Notes from Digital Hollywood: Will Behaviorally Targeted Advertising Come to TV?

Santa Monica, California: Panelists at this Fall's Digital Hollywood agreed that a massive sea-change is about to occur in advertising. There are now "three platforms" -- TV, Internet and mobile -- that are delivering audio-visual content. According to some estimates, Internet media are getting up to 40% of the total share of the eyeball time devoted to media -- and an increasingly greater share of the younger users coveted by advertisers. However, traditional TV still gets 90% of the advertising dollars. This kind of imbalance obviously cannot go on forever.

To compete for a greater share of ad dollars, one strategy used by digital media is to offer advertising that is targeted to the characteristics of individual users. Internet sites are able to provide identification, demographic, browsing, shopping, downloading, and other information about each user and then enable advertisers to deliver ads that are directly targeted to the user's specific interests and needs. Internet sites are now also able to listen in to users' email, Facebook or Twitter conversations, and offer advertising on a real-time basis that is relevant to these discussions -- as well as to each participant's profile.

While these efforts have yet to open up the floodgates of ad money to Internet ads, most people in TV and digital media believe that the flood will come. Since the gross quantity of dollars available for ads is static, these dollars will come from TV ad budgets. This means that TV will have to respond by providing data-enriched content to viewers, and the opportunity for TV advertisers to do more refined ad targeting.

The Jacked solution to targeted content and advertising

A technology that is already here is offered by Jacked. According to its CEO, Bryan Biniak, a Digital Hollywood panelist, Jacked creates web sites that deliver parallel "enriched" content to TV viewers. This content tracks along with a TV broadcast and offers information and advertising that relate in real time to the events on the screen. For example, if a TV viewer is watching a sports program, the Jacked program can present detailed statistical information about the particular team member who has just made a play. It can also provide the viewer with the local (biased) play-by-play radio or TV broadcast, instead of the neutral national play-by-play -- just what the true fan wants!

Jacked can also offer targeted advertising in a variety of forms. It can target ads to the individual scenes in a TV program. So if the actors in a romantic comedy start talking about buying a house, it can deliver real estate sales ads. (Jacked does this by pulling information from the closed captioning for the broadcast). Jacked can also target ads to the geographic region in which the user resides.

To create its enriched "second screen" experience and targeted ads, Jacked draws on available information from multiple platforms, including relevant websites, news sites, closed captioning data, etc. Because Jacked advertising is keyed to the content being delivered on the parallel TV screen, it offers a true form of targeted advertising -- but a form that avoids many of the privacy concerns caused by behavioral targeting, per se.


October 21, 2009

Notes from Digital Hollywood: Online Video Companies Struggle for Means to Turn Online Content into Profits

Santa Monica, California: This is the second in a series of reports from Digital Hollywood. Digital Hollywood is a conference for businesses trying to make money from delivery of online content, such as video and gaming. It attracts online video production companies, game manufacturers, media conglomerates, well-known interactive website operators, advertising agencies, Hollywood "talent," service providers like me and many others. A prominent theme throughout this year's convention is confusion over how to make money from delivery of online content such as video and gaming.

The revenue problem for online video content

Generators of online content make money from a variety of sources including subscription fees, micro-transactions and advertising. The dominant means for producers of original online content to generate revenue is from ad sales. However, according to advertising agency sources, at present advertisers are spending 90% of their ad dollars on traditional print and broadcast media but only 10% on online content. In addition, advertisers are often only willing to pay for online content at rates that are about 20% in cpm (cost per thousand viewers) of the rates they will pay for broadcast media. This double squeeze makes it virtually impossible for producers of online content to turn a profit.

So another common theme at Digital Hollywood is the struggle that producers of online content are going through to attract more revenue dollars. Some argue that online content should be judged with different metrics than cpm, the measure commonly used for broadcast media. Others argue that the key is to get advertisers to value the feedback that they get from online sales efforts, feedback that is not available from consumers of broadcast media.

The targeted advertising solution

A frequently proposed solution for attracting more ad dollars is to use the capabilities of the Internet to offer more targeted content to advertisers -- which theoretically could be sold at increased rates. Readers of this site are already familiar with the common use of behavioral targeting, in which a user's demographics, browsing history, etc., are used to target ads to him or her. And, readers of this site are also familiar with the privacy concerns that behaviorally targeted ads create.

Another method for creating targeted ads is to synch the closed captioning for a video with the video itself, and then use it to trigger ads that are displayed to the user on a real-time basis along with the video to which they relate. For example, if the characters in a video start talking about going on a trip to Miami, their words can be used to trigger Florida travel ads to the user. This type of targeted advertising would provide a non-privacy invasive alternative to behavioral targeting. Of course, video-content based targeting could be combined with behavioral targeting to make the targeting even more specific -- thus resurrecting privacy concerns.


October 20, 2009

Notes from Digital Hollywood: Industry Solutions to Privacy Issues in Online Behavioral Advertising May Not Satisfy FTC Chiefs

Santa Monica, California: A dominant theme at this week's Digital Hollywood conference is the tension between the need for truly targeted advertising to online audiences and an individual's right to privacy. The Internet creates the ability for businesses to gather a marketer's dream world of data about their customers. This can include identification data (name, address, phone number, email address), demographic data (age, gender, marital status, sexual orientation), financial data (bank and credit card account data), and behavioral data (browsing history, downloading history) and much, much more. If this type of data falls into the wrong hands, it can subject the customer to identity fraud. But even many purely commercial uses can cause embarrassment or harm to the consumer.

In a recent speech, David Vladeck, Director of the FTC Bureau of Consumer Protection, gave the example of an adolescent who didn't want to state publicly that he was gay. A generation ago, if he had wanted to find information about persons in his situation, he could have gone to his local library, and emerged with no record of his search. "That effort would be anonymous, and would leave no paper trail. There was no privacy debate to be had," Vladeck said. Today, he would probably look for information on the Internet on his home computer. But, if he did so, Vladeck pointed out "he may be surprised -- indeed, even mortified -- to receive advertising based on his searches and to learn that third parties have access to information about his searches."

I'll take this one step further. If he was a member of a social networking site, and purchased a book on "coming out" from an online retailer, he might be shocked to find that the social networking site had broadcast his purchase to all his online "friends" -- thus outing him.

At today's Digital Hollywood sessions, there were many opinions about how to design a privacy policy to deal with concerns like these. Here are some of the commonly-proposed ideas:

Only use opt-in targeted advertising: This suggestion, which is on the most privacy protective end of the scale, would prevent the embarrassment that the young man in our hypothetical would have faced -- assuming that the advertiser didn't sell the data to some other firm with different policies.

Disclose the data that is being gathered: Given the dislike of many consumers for reviewing small print, this suggestion would be less privacy protective, but might have prevented the problem raised in our hypothetical.

Provide consumers with access to the data that has been collected about them -- and permit them to decide if they wish to permit this data to be used.

"Anonymization": This was the most frequent suggestion in today's sessions. Anonymization means that the marketer avoids collecting information about individual users, but simply collects information about the use of a particular computer. The information gathered in this way would be less refined in cases where multiple persons used a single computer. For example, in my household, my 4 year old daughter, 5 year old son, wife and myself all share the same home computer.


October 19, 2009

In re Cellco / Verizon (USA v. ASCAP): Behind the District Court Ruling that Customer Use of Ringtones Does Not Constitute a Public Performance

Digital media law update: On October 14, Judge Denise Cote of the Southern District of New York ruled that a cell phone service provider does not need a public performance license when it provides ringtones to its customers. The Copyright Act provides that the owners of musical compositions are entitled to license fees when their works are "publicly" performed. However, Judge Cote held that because each download of a ringtone is only received by a single customer, the transmission of the download cannot be considered a public performance. Cell phone customer playbacks of ringtones are also not public performances because they are typically only heard by the small circle of people near the phone user and are not performed for money. No one sells tickets so people can hear her phone ring!

How this case began

Cell phone customers can download ringtones from the Internet or their cell phone service provider, such as Verizon. When Verizon sells ringtones, it sends a digital file containing the ringtone which is downloaded onto the customer's phone. A customer can listen to the ringtone by clicking on the digital file, or the customer can set up her phone to play the ringtone when she receives an incoming call. After downloading, Verizon's only role in playing the ringtone is to send a signal to the customer's phone to indicate an incoming call. That signal is the same regardless of the ringtone that is played. While Verizon receives a fee from the original download of the ringtone, it does not receive fees when the ringtone is played.

The Copyright Act treats sound recordings separately from the compositions on which they are based. Under the Act, copyright holders of musical compositions have six exclusive rights, including: (1) the right to reproduce the composition, (2) the right to prepare derivative works, based on the composition -- e.g., sound recordings, (3) the right to distribute copies of the composition to the public, (4) the right to perform that composition publicly and two other rights not at issue here. 17 U.S.C. § 106. Copyright holders often license these individual rights separately.

Under a prior ruling, Verizon already pays a royalty of 24 cents per ringtone download to copyright holders of musical compositions for the reproduction and distribution rights to their works (rights (1) and (3) in the list above).

ASCAP negotiates the public performance rights for musical compositions -- right (4) in the list above. In January 2009, Verizon filed this action to determine the reasonable license fee it should pay ASCAP for the performance rights for the ringtones. ASCAP contended that Verizon was liable for performance rights royalties for each download of a ringtone to a customer phone, and for each time a customer played a ringtone on his/her phone. District Court Judge Cote disagreed.

Ringtone Downloads Are Not Public Performances

Under Section 106(4) of the Copyright Act, a composition is only entitled to performance license fees when it is performed "publicly." A composition is considered to have been performed publicly either if it is performed in a public place "where a substantial number of persons outside of a normal circle of a family and its social acquaintances is gathered" (e.g., a concert), or if it is "transmitted" to the public via some device for its enjoyment (e.g., on the radio or Internet). 17 U.S.C. § 101. Public performances are exempt, if they are given "without any purpose of . . . commercial advantage and without payment of any fee . . . for the performance" -- as long as there is no admission charge. 17 U.S.C. § 110(4) (e.g., a free concert).


October 16, 2009

Heartland Data Breach: Handicapping the Financial Institutions' Suit In Light of Recent Class Actions

Financial institutions face an uncertain legal environment when they attempt to obtain reimbursement for losses associated with a data breach at a credit card processor. When a data breach at a credit card processor or large merchant occurs, financial institutions are often out millions of dollars associated with cancelling and reissuing customer credit cards and covering losses from unauthorized use of cards. No federal law directly addresses this situation, so financial institutions are left to the vagaries of state law. However, state laws create major obstacles to recovery.

Many of these obstacles are caused by the fact that the financial institution has no direct contractual relationship with the credit card processor. Credit card transactions involve four players: (1) a bank, which enters into an agreement with a corporation that operates a credit card payment system, such as Visa, that permits the bank to issue Visa credit cards to its customers, (2) the consumer, who uses the credit card, (3) a credit card processor, which enters into agreements with merchants to process their Visa credit card transactions, and (4) the merchant.

In a typical purchase transaction, the merchant's computer scanners read the cardholder information contained on the magnetic stripe on the credit card, as it is swiped through a terminal at checkout. The merchant sends this information through the Visa network to the bank. The bank reviews the card, and assuming it is valid and has sufficient credit, authorizes the transaction. The merchant completes the transaction and notifies the processor, which pays the merchant. The processor then notifies the bank, which pays the processor and charges the consumer. See, generally, Sovereign Bank v. BJ's Wholesale Club, Inc., 3rd Cir., No. 06-3405 (July 16, 2008).

While the processor and the bank interact, they generally have no written contractual agreement between them. The lack of a contractual relationship is the source of one of several problems when a bank seeks recovery from a processor data breach.

For example, a class action was recently filed on behalf of banks who incurred losses from the data breach at credit card processor Heartland Payment Systems, Inc. In re Heartland Payment Systems, Inc. Customer Data Security Breach Litigation, S.D. Tex, No. 4:09-md-02046. The complaint attempts to recover on breach of contract, breach of implied contract, negligence, negligence per se, negligent and intentional misrepresentation, and a number of state unfair business practice statutes. However, a number of these theories have faced rough sledding in previous data breach class actions by financial institutions:

Breach of contract under a third-party beneficiary theory

A person that is not a party to a contract can still sue for breach of the contract if it can show that it was the "intended beneficiary" of the contract. Some banks have attempted to recover losses under the theory that they are the third-party beneficiaries of the contracts between the processor and the credit card company. For example, in Sovereign Bank v. BJ's Wholesale Club, the plaintiff banks claimed that they were the intended third-party beneficiaries of the contract between the processor and Visa, because a memorandum accompanying the relevant security provisions in the contract stated that their purpose was "to protect the Visa system and [the Banks] from potential fraud exposure . . . ." The 3rd Circuit held that this memo, and other evidence, was sufficient for a jury to find that the banks were intended beneficiaries of the processor's contract with Visa.

However, this theory did not work in a subsequent data breach case brought by financial institutions -- In re TJX. By the time that suit was brought, Visa had changed its processor agreement to expressly exclude third-party beneficiaries. As a result, the banks were not able to recover under this theory. In re TJX Companies Security Breach Litigation, 524 F.Supp.2d 83 (D. Mass. 2007).


October 15, 2009

Carl v. BernardJCarl.com: Co-option of Personal Name for Gripe Website Supports Cause of Action for Defamation, but Not Trademark Infringement or Cybersquatting

Digital media law update: A September 30, 2009 decision supports a contention we have made for some time: use of a personal name in a gripe or parody website is unlikely to support a cause of action under trademark law. The exception is when a website misuses a famous name that has become synonymous with a business. However, as this decision also shows, even if your name isn't famous, that doesn't mean you have no legal remedy. You still may be able to sue and recover significant damages under defamation or privacy law.

The case is Bernard J. Carl v. BernardJCarl.com, D.C. Vir., No. 1:07-cv-1128. The Plaintiff, Carl, founded a private equity firm called Brazos Europe, Inc. In 2005, Brazos acquired the French linen company, D. Porthault. Brazos retained the French law firm Darrois Villey & Maillot (Darrois) to facilitate the transaction. Darrois, without Brazos' knowledge, subcontracted some of the work to the law firm Cotty Vivant Marchisio & Lauzeral ("Marchisio").

After the closing, Marchisio claimed that Brazos failed to pay it for its work. Brazos responded that Marchisio's work was defective. Marchisio then sued Brazos in a French court -- but lost! Marchisio, however, was not dissuaded. Instead of slinking away, it registered the domain name "bernardjcarl.com" and posted the following message on the site:

Message to the attention of Brazos Europe Inc. and managing partners Mr Bernard J. Carl and Mrs Shannon Fairbanks

Dear Mr Carl,
Dear Mrs Fairbanks

We are very sorry to contact you in such a direct and unconventional way but we would be very grateful if you would have the elegance to pay the counsels who allowed you to safely acquire D. Porthault, which owns one of France's most prestigious luxury brands, in June 2005.

We have worked very long hours during several months, never spared our efforts and diligently did all you required to assist you in this successful transaction.

You never complained about the quality of our input but surprisingly "disappeared" when invoice payment was due.

We have tried to contact you many times since then. . . . but silence was the only answer.

Have you forgotten our phone numbers?

It being the case, please do not worry, use the email hereunder and be sure we will be in touch soon!

In the meantime, feel free to meditate Benjamin Franklin: "Creditors have better memories than debtors." . . . .

The object of this message, Bernard J. Carl, contended that the statement was false and defamatory. He never hired Marchisio and owed it nothing. He also claimed that several potential investors in Brazos raised questions about the claims in the site. Accordingly, he filed suit -- first against the website, and then against its author Marchisio. His suit ultimately proceeded against Marchisio on three theories: (i) false representation under federal trademark law, based on Marchisio's use of his name "Bernard J. Carl" in the domain name of the website (15 U.S.C. § 1125(a)), (ii) cybersquatting under the Anti-cybersquatting Consumer Protection Act, for Marchisio's use of his name (15 U.S.C. § 1125(b)), (iii) cyberpiracy, also for the use of his name (15 U.S.C. § 1129(a)), and (iv) common law libel.

Continue reading "Carl v. BernardJCarl.com: Co-option of Personal Name for Gripe Website Supports Cause of Action for Defamation, but Not Trademark Infringement or Cybersquatting" »

October 14, 2009

Noonan v. Staples: Jury Decides Against Plaintiff in Truth + Malice Internet Defamation Case

Digital media law update: On October 8, 2009 a jury returned a verdict in a case in which an employee claimed that he had been defamed by an email broadcast that contained truthful accusations against him. Massachusetts is one of a handful of states that permits a plaintiff to bring a defamation suit regarding truthful statements made by a defendant -- if those statements were made with actual malice.

The Noonan case

The case is Noonan v. Staples, Inc., D.C. Mass, No. 06-10716. In 2005, Staples, the well-known office supply chain, conducted an audit of the expense reports of 65 employees, including Noonan, a traveling salesman. The auditors discovered a May 2005 expense report in which Noonan had requested $1,622 in reimbursements above what he actually spent. A subsequent audit of other reports he submitted uncovered more errors -- some in Noonan's favor and some in Staples' favor. Nevertheless, based on its findings, the audit team concluded that Noonan had falsified his expense reports. As a result, Staples fired him.

Staples also sent an email to all employees in the division where Noonan was employed -- approximately 1,500 people -- that stated:

"It is with sincere regret that I must inform you of the termination of Alan Noonan's employment with Staples. A thorough investigation determined that Alan was not in compliance with our [travel and expenses] policies. As always, our policies are consistently applied to everyone and compliance is mandatory on everyone's part. It is incumbent on all managers to understand Staple'[s] policies and to consistently communicate, educate and monitor compliance every single day. Compliance with company policies is not subject to personal discretion and is not optional. In addition to ensuring compliance, the approver's responsibility to monitor and question is a critical factor in effective management of this and all policies.

If you have any questions about Staple['s] policies or Code of Ethics, call the Ethics Hotline . . . or ask your human resources manager."

In addition, because he was being fired for cause, Staples refused to permit Noonan to exercise options to purchase almost 24,000 shares of stock (apparently worth a lot of money), and denied him any severance benefits.

Noonan sued Staples for libel and other causes of action relating to Staples' actions against him. A cause of action for libel in Massachusetts, like most States, requires that a plaintiff show that (1) the defendant published a written statement, (2) concerning the plaintiff, that was both (3) defamatory, and (4) false, and (5) either caused economic loss or is actionable without economic loss. Stanton v. Metro Corp., 438 F.3d 119, 124 (1st Cir. 2006). Staples brought a motion for summary judgment on the libel claim, arguing that the evidence clearly established that Noonan had violated Staples' travel and expense policy, and that the email was consequently true and no libel action could lie. The District Court granted the motion.

On appeal, the 1st Circuit agreed that there was no triable issue of fact as to whether the email was true. However, the Justices noted that under Massachusetts law, "even a true statement can form the basis of a libel action if the plaintiff proves that the defendant acted with 'actual malice.'" Mass. Gen. Laws. ch. 231, § 92. Under modern defamation law, a plaintiff is often permitted to establish malice by showing that the defendant made the defamatory statement with knowledge that it was false, or with reckless disregard for whether it was false or not. However, for the purposes of truth + malice defamation, the 1st Circuit held that the older meaning for malice -- hatred or ill will toward the plaintiff -- was required.

Continue reading "Noonan v. Staples: Jury Decides Against Plaintiff in Truth + Malice Internet Defamation Case" »

October 13, 2009

Wilcox Associates v. Xspect Solutions: Court Finding of Bad Faith Was Primarily Based on Prior WIPO Finding that Defendant Acted in Bad Faith

Treatises often claim that WIPO and NAF cybersquatting decisions lack precedential value. However, WIPO and NAF decisions routinely cite and rely on other WIPO and NAF decisions. Federal courts ruling on cybersquatting cases also pay attention to prior WIPO and NAF decisions. A case in point was the recent decision in Wilcox Associates, Inc. v. Xspect Solutions, E.D.Mich, Case No. 08-14695 (Sept. 24, 2009) in which Judge Hood's decision to reject Xspect's laches defense was almost entirely driven by a prior WIPO decision in a related case.

Wilcox manufactures CMMs -- "coordinate measuring devices" -- which are used by manufacturers to measure and reproduce three-dimensional products. Wilcox sells these devices under the Brown & Sharpe, Hexagon, Romer and other trademarks.

In 2004-2005, Xspect, a competitor in the CMM business with Wilcox, registered 52 domain names that incorporated Wilcox's trademarks. These domain names included Brownsharp-cmm.info, Hexagon-cmm.com, and Romer-arm.info. Xspect used these domain names to direct traffic to its website. Xspect's website also claimed that Xspect was an "approved source" for machines produced by Wilcox -- even though Xspect's goods are not affiliated with Wilcox's. For example, Xspect's website displays a photograph of a Brown and Sharpe CMM along with the heading "We are the Factory."

In 2005, the Plaintiffs filed a complaint with WIPO regarding 42 of the 52 domain names. After Xspect failed to respond to this complaint, the WIPO Panelist found for the Plaintiffs. As part of his decision, the WIPO Panelist found that Xspect had engaged in bad faith by registering the Plaintiffs' trademarks as domain names. According to the Panelist, these domain names "form[ed] a vast trap or funnel through which Internet users looking for Complainants' products [we]re actually redirected to Respondent's website."

While Wilcox was successful on this complaint, it somehow overlooked 10 additional domain names that Xspect had registered and that also incorporated the Plaintiffs' marks. In 2008, Wilcox realized its error and filed suit in federal court to enjoin use of these names as well. This time, in addition to seeking an injunction against Xspect's further use of these names -- which is about all a Plaintiff can get in a WIPO proceeding -- Wilcox also sued for damages and attorneys' fees.

As part of its defense to the suit, Xspect raised the laches defense. A laches defense bars recovery by a plaintiff who has waited an unreasonably long time to bring suit and thus prejudiced the defendant. In the 6th Circuit -- where this case was decided -- a defendant who asserts a laches defense must show: (1) that the plaintiff was not diligent in pursuing its trademark claim against the defendant, and (2) that the plaintiff's delay caused prejudice to the defendant. Natron Corp. v. STMicroelectronics, Inc., 305 F.3d 397, 408 (6th Cir. 2002).

In the 6th Circuit, if the statute of limitations for the plaintiffs' trademark claim has expired prior to the plaintiff's bringing suit, then this creates a presumption that the plaintiff's delay has been prejudicial to the defendant. Id. To overcome this presumption, plaintiff must either (1) rebut the presumption of prejudice; (2) establish that there is a good excuse for its delay; or (3) show that the defendant engaged in "particularly egregious conduct which would change the equities significantly in the plaintiff's favor." Id. at 409.

Continue reading "Wilcox Associates v. Xspect Solutions: Court Finding of Bad Faith Was Primarily Based on Prior WIPO Finding that Defendant Acted in Bad Faith" »

October 12, 2009

AT&T v. FCC: 3rd Circuit Rules that Corporations May Invoke Personal Privacy Exception to FOIA Disclosure

Digital media law update: Courts have long recognized that corporations have rights that are at least akin to individual privacy rights. Recognized corporate privacy rights include trade secrets and the exercise of the attorney-client privilege. However, the scope of corporate privacy rights is not nearly as broad as the scope of individual privacy rights. Many federal and state privacy laws only apply to individuals, not corporations. For example, the Federal Privacy Act only prohibits the government from collecting and disclosing certain types of information about "individuals" -- a term defined to only include U.S. citizens and permanent resident aliens. See 5 U.S.C. § 552a(a)(2).

When dealing with a law that provides protection for privacy rights, attorneys and judges are often unsure whether the law applies only to individuals or covers corporations, as well. An opportunity for such line-drawing has recently arisen as to the scope of a "personal privacy" exception to the Freedom of Information Act (FOIA). 5 U.S.C. §552(b)(7).

Under FOIA, a government agency is generally obligated to produce any records in its possession upon a request from any person. 5 U.S.C. § 552(a)(3). However, there are many exceptions to this rule. Among these are matters that are:

Exception 4: trade secrets and commercial or financial information obtained from a person and privileged or confidential (5 U.S.C. § 552(b)(4));

Exception 6: personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy (Id. at § 552(b)(6)); and

Exception 7(C): records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information . . . (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy (Id. at § 552(b)(7)(C)).

Prior decisions in the D.C. Circuit, which handles the plurality of FOIA appeals, have held that Exception 4, for "trade secrets," does apply to business entities, such as corporations. Judicial Watch, Inc. v. U.S. Dept. of Energy, 310 F.Supp.2d 271 (D.D.C. 2004), affm'd in part, 412 F.3d 125 (D.D.C. 2004) (§(b)(4) exemption "serves the interest of the government in operating efficiently and effectively by enabling it to obtain necessary commercial and financial information from private persons and business entities").

However, Exception 6, for "personal and medical files," has so far only been applied to individuals. For example, in Multi Ag Media LLC v. Dept. of Agriculture, 515 F.3d 1224 (D.D.C. 2008), the Court stated that Exemption 6 "has not been extended to protect the privacy interests of businesses or corporations." Of course, this statement does not necessarily mean that Exception 6 might not also one day be extended to cover corporations as well.

Similar laconic statements have been made about Exception 7(C). However, the restriction of Exception 7(C) to individuals has now been soundly rejected by the 3rd Circuit.

Continue reading "AT&T v. FCC: 3rd Circuit Rules that Corporations May Invoke Personal Privacy Exception to FOIA Disclosure" »

October 9, 2009

Federal Court or UDRP Arbitration? How the Forum that Decides a Domain Name Dispute Can Make a Big Difference in the Results

Combatants in cybersquatting or domain name disputes are often not aware of the great degree to which the result they get depends on the judicial body that makes the decision. A clear illustration of how forum choice affects results can be seen in the widely varying deference given by the different judicial bodies to a defendant's assertion of a "laches" defense to a cybersquatting complaint.

A laches defense has a lot in common with a statute of limitations defense. When recognized by a judge, it bars recovery by a plaintiff who has waited an unreasonably long time to bring suit and thus prejudiced the defendant. Judges tend to allow a laches defense when a plaintiff has deliberately delayed bringing its suit until key evidence has been lost, witnesses have died, or the memories of witnesses have grown stale. The defense may also be allowed where a defendant has relied on the plaintiff's long delay in bringing suit to build up a valuable business around a trademark.

To resolve a dispute over a domain name, a U.S. plaintiff may file a suit in Federal court under the Anti-Cybersquatting Consumer Protection Act. See 15 U.S.C. § 1125(d). If the dispute is over a "generic top-level domain name" (e.g., .com, .org, .biz) or certain country top-level domain names, it can file for arbitration using ICANN's dispute resolution system -- called UDRP (for Uniform Dispute Resolution Policy). Under UDRP, a plaintiff (called a "complainant") can choose to have its domain name dispute resolved by one of four ICANN-approved resolution providers. The two providers that are most commonly used by U.S. firms are the National Arbitration Forum (NAF), a private ADR firm, headquartered in Minneapolis, and the World Intellectual Property Organization (WIPO), a U.N. agency. (Fn1)

Cybersquatting cases are a subspecies of trademark infringement cases, so in theory laches should be permitted as a defense. In practice, the availability of laches varies greatly, depending on which of these three tribunals -- Federal court, NAF or WIPO -- decides the case.

Federal courts

The greatest deference to the laches defense is given in Federal courts. At least five federal courts have found that this defense can be applied to cybersquatting claims. These include the 6th Circuit, and District Courts in the 1st, 7th and 11th Circuits. (Fn2)

For example, in September 2008, in Southern Grouts & Mortars, Inc. v. 3M Co. (S.D. Fla., No. 0:07-cv-61388), a Florida District Court dismissed a cybersquatting case concerning the domain name diamondbrite.com on laches grounds. The Court found that the plaintiff knew that 3M owned the diamondbrite.com domain and that the domain was inactive as early as July 2002, but neglected to bring suit for five years. During this intervening period, the plaintiff made little attempt to assert its claim to the name, only sending two letters and one email to 3M regarding the domain. The delay had also prejudiced 3M. Many of 3M's employees who had information regarding its acquisition and use of the diamondbrite.com name had left its employ, and relevant documents had been destroyed or lost.

Continue reading "Federal Court or UDRP Arbitration? How the Forum that Decides a Domain Name Dispute Can Make a Big Difference in the Results" »

October 7, 2009

What Is the Federal Privacy Act? How the Privacy Act Can Protect Your First Amendment Rights from Government Intrusion

Digital media law: Is it paranoia, or merely an overweening desire to be in control? In either case, in both the Bush and Obama administrations, citizens have needed to be on their guard against attempts by the political class to improperly gain intelligence on the political activities of citizens. Recent examples of such spying have included DOJ political appointees running Internet searches to determine the political leanings of potential Justice hires, White House officials asking citizens to send emails to a website reporting on citizens who are making "fishy" claims about proposed legislation, or bureaucrats proposing to install software to track use of government websites.

The good news is that the federal Privacy Act (5 U.S.C. § 552a) makes these kinds of domestic spying illegal. The Privacy Act is the lesser known cousin to the well-known Freedom of Information Act (5 U.S.C. § 552). The thrust of FOIA is to provide procedures to make information maintained by government agencies available to the public. The thrust of the Privacy Act is to (i) limit the types of information government agencies can collect about individuals, (ii) provide procedures for individuals to correct misinformation in government files, and (iii) limit the ability of agencies to disclose information about individuals to other agencies or the public.

The Privacy Act also provides private rights of action, under which an individual can sue a government agency which violates its rules, and obtain an injunction, damages and attorneys fees.

Basic elements of the Privacy Act

Here is a broadbrush summary of the Act:

Coverage limited to "individuals": Only citizens and aliens "lawfully admitted for permanent residence" qualify as individuals covered by the Act. 5 U.S.C. § 552a(a)(2). This means that the Act does not apply to aliens without permanent resident status. It also does not apply to fictional entities, such as corporations. OKC Corp. v. Williams, 461 F.Supp. 540 (N.D. Tex. 1978).

Generally prohibits federal agencies from disclosing personal records about an individual: Protected records include those that contain any information that would identify an individual, such as his name, social security numbers or fingerprints. 5 U.S.C. §§ 552a(a)(4), (b). Disclosure cannot be made to "any person or to another agency." However, there are many exceptions. For example, an agency is permitted to disclose records about individuals to persons within the agency that collected the records who have a need for the record to perform their duties, or to persons in other federal agencies to assist in civil or criminal enforcement activities. Id. at §§ 552(b)(1), (7). An agency is also permitted to disclose such records to comply with FOIA. Id. at § 552(b)(2).

Requires recordkeeping of disclosures: Agencies are required to keep "an accurate accounting" of all disclosures they make of individual records, except for disclosures made to persons within the agency or pursuant to a FOIA request. 5 U.S.C. § 552a(c)(1). This accounting must be maintained for at least five years, and, with limited exceptions, must be provided to the individual on his request.

Individuals generally have a right to access records maintained about them: 5 U.S.C. § 552a(d). However, agencies have the right to promulgate rules that prohibit access to records for national security and law enforcement purposes. Id. at § 552a(j), (k).

Individuals may request that amendments be made to their records: 5 U.S.C. § 552a(d)(2)-(4). An agency may refuse to grant a request to amend, but if it does so, must provide the individual with a statement of the reasons for the denial.

Agencies have limits on the information they may collect about individuals: Among the more important of these limits are that an agency must: (1) only retain "relevant and necessary" information; (2) collect information to the greatest extent practicable from the individual him/herself when the information may result in an adverse determination about the individual's rights, benefits or privileges under a Federal program, (3) maintain all records used in agency determinations about an individual with "such accuracy, relevance, timeliness and completeness as is reasonably necessary to assure fairness"; and (4) maintain no record, describing how any individual exercises rights guaranteed by the First Amendment, unless expressly authorized by statute or by the individual, or unless needed for a law enforcement activity. 5 U.S.C. § 552a(e)(1), (2), (5), (7).

Continue reading "What Is the Federal Privacy Act? How the Privacy Act Can Protect Your First Amendment Rights from Government Intrusion" »

October 6, 2009

Bloggers and Advertisers Beware: FTC Rules on Sponsored Endorsements Create Major Risks for "Word of Mouth" Advertising

New FTC Rules on Bloggers: According to the Word of Mouth Marketing Association (WOMMA), word of mouth advertising is "the most honest form of marketing, building upon people's natural desire to share their experiences with family, friends, and colleagues." But here comes the rub. When marketers pay for "word of mouth" messages, haven't the messages ceased to be the result of "people's natural desire to share" -- and instead become the result of people's natural desire to make money?

This certainly is the view of the FTC, which on October 5, 2009 finalized a new revision of its rules governing the use of testimonials and endorsements in advertising (to be codified at 16 C.F.R. §255). These revisions make it clear that the FTC intends to extend the reach of its advertising regulation and enforcement to bloggers who make sponsored endorsements of products and services.

The rules affect both advertisers and bloggers who cooperate on sponsored endorsements. For example, the new rules state that the FTC intends to hold both advertisers and bloggers liable for false and misleading statements made by either party in the course of an endorsement. This means that an advertiser who provides free products to a blogger can be liable if the blogger makes false statements about the products in her blog. And the blogger can be liable if she repeats false statements from the advertiser. Both parties can also be liable if the blogger fails to disclose her connection with the advertiser.

Word of mouth advertising in the age of Web 2.0

Word of mouth advertising was once naively thought to refer to a spontaneous and uncompensated testimonial communicated from one consumer who was excited about a product he had just tried to another customer. Word of mouth marketing has long been thought to be more effective than print advertising because the message comes from a peer that the customer trusts. When a customer hears a peer rave about a product, she assumes that the endorser is speaking out of his genuine experience with the product.

Now that we have moved into the world of Web 2.0, which has put the megaphone of the Internet into the hands of consumers, word of mouth has morphed into planned, compensated advertising that is piped through consumers via social media, such as blogs. This once spontaneous activity now has its own trade association -- WOMMA -- which boasts over 400 marketers as members.

WOMMA's website lists about a dozen different types of word of mouth marketing campaigns, by which an advertiser can "harness, amplify, and improve" on this "pre-existing phenomenon." Some of these methods include old-fashioned P.R., such as using high-profile entertainment events or news to create "buzz." Others include creating social networks or affinity groups of users that have a special interest in a product.

However, several categories involve providing products or compensation to "influential" consumers, who "volunteer" to tell others about the product. In "product seeding," the marketer provides samples of product to "influential" individuals, such as bloggers or persons with large social networks, who then write posts about the product on their sites. In "evangelist" and "influencer" marketing, the marketer "cultivates evangelists, advocates, or volunteers who are encouraged to take a leadership role in actively spreading the word on [the marketer's] behalf" -- in other words, the marketer pays the blogger to write about the product.

Social media posts covered by the FTC rules

The new FTC rules don't constitute a new extension of the FTC regulations on deceptive advertising to blogs. The prior FTC rules already arguably covered any form of media, including social media, such as blogs. Rather, the new rules and the FTC's statements in its Notice of Adoption simply make it clear that the FTC intends to enforce these rules on new media sites, including, specifically, blogs.

Continue reading "Bloggers and Advertisers Beware: FTC Rules on Sponsored Endorsements Create Major Risks for "Word of Mouth" Advertising" »

October 5, 2009

The Domain Name as Collateral: Considerations for Creditors Seeking to Use a Domain Name as a Security Interest or as a Source of Payment on a Judgment

For many firms, on-line property, such as their domain names and the interactive software that they permit users to access, constitutes the vast majority of the value of their business. Firms such as Amazon.com and eBay heavily market their domain names, with the result that their domain names have become their primary trademarks and are worth billions of dollars. Lenders would naturally like to have the ability to obtain security interests in these valuable assets for loans to these businesses. Creditors also would like to be able to seize these assets to satisfy unpaid debts. However, there are significant hurdles in both state and federal law to both of these uses of domain names.

The following is a survey of some of the issues faced when attempting to use a domain name as collateral, along with suggestions of methods for dealing with these problems.

The "assignment in gross" problem

To the extent that a domain name constitutes a trademark, it is subject to what is called "the anti-assignment in gross" rule. This rule is based on the notion that a trademark is really the embodiment of the goodwill relating to a business. As such, it cannot be transferred apart from this goodwill. If a trademark could be assigned and used for a different product or business, it could result in fraud on consumers, who would assume that the trademark signified that the same nature and quality of goods were present as when it was used in the original business. See McCarthy on Trademarks § 18:2-3.

I am aware of no cases dealing with domain names that directly address this issue. However, cases dealing with assignments of trademarks in general hold that if a lender wants to take a security interest in a trademark, it should obtain a security interest in the goodwill of the business associated with the trademark as well. See Marshak v. Green, 746 F.2d 927 (2d. Cir. 1984). What this means is that a lender wishing to obtain a security interest in a domain name should obtain a security interest in the goodwill of the business associated with the domain name.

Anti-assignment clauses

Domain name registrants assume that they can transfer their domain names to third parties at will -- via sale or use as collateral. Indeed, there has long been a well-developed market for domain names. Ian Ballon's treatise on internet law contains a list of hundreds of such sales over the past few years, with sale prices ranging into the many millions of dollars. See Ian Ballon, E-Commerce and Internet Law, §7.23[3].

Most domain name registrants have obtained their domain names via a contract with a domain name registrar. While many domain name registrars have procedures that permit the transfer of domain names, they often do not permit direct assignments. See Warren E. Agin, I'm a Domain Name. What Am I? Making Sense of Kremen v. Cohen, 14 Journal of Bankruptcy Law and Practice 3:73, 79 (2005). This would present a problem for parties wishing to use a domain name as a security interest, were it not for a special provision in the Uniform Commercial Code (UCC) that trumps such anti-assignment provisions. Section 9-408 of the UCC provides that a security interest may be granted in a general intangible, even if assignment is prohibited by the contract relating to the intangible. See UCC § 9-408, comment 5. Most legal scholars believe that an Internet domain name qualifies as a general intangible under the UCC. See, e.g., McCarthy on Trademarks, § 18:7. As such, a lender should be able to obtain a security interest in a domain name, despite the presence of an anti-assignment clause in the borrower's contract with the registrar.

Continue reading "The Domain Name as Collateral: Considerations for Creditors Seeking to Use a Domain Name as a Security Interest or as a Source of Payment on a Judgment" »

October 1, 2009

LVRC v. Brekka: 9th Circuit Decision Creates Circuit Split on Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files

We recently wrote about a common scenario in which an employee abuses his authority to access his company's computer files by obtaining secret information for use in his outside employment. The Computer Fraud and Abuse Act (CFAA) provides criminal penalties and gives victims the right to sue for damages when a person intentionally accesses a computer "without authorization" or "exceeds authorized access" and obtains information, perpetrates a fraud or causes damage. 18 U.S.C. § 1030(a)(2), (4), (5). However, courts have long been split over whether such a disgruntled/disloyal employee can be considered to have accessed the computer "without authorization."

Our September 24, 2009 post explained that the majority position is that "without authorization" only refers to persons who do not have permission to access the company's computer in the first place. However, a minority of courts, led by the 7th Circuit, have held that an employee can also be found to have accessed a computer "without authorization," if he uses his access rights to obtain information to advance a personal interest that is adverse to his employer. International Airport Centers, LLC v. Citrin, 440 F.3d 418 (7th Cir. 2006).

In a case decided in just the past 2 weeks, the 9th Circuit has now come down firmly on the side of the majority position. See LVRC Holdings, Inc. v. Brekka, 9th Circuit, Case No. 07-17116 (Sept. 15, 2009). The 9th Circuit's opinion is largely based on the reasoning and case law discussed in our September 24 post.

The plaintiff in the case, LVRC, operates Fountain Ridge, an addiction treatment center in Nevada. In April 2003, LVRC hired Christopher Brekka to oversee the facility. At the time he was hired, Brekka also owned two consulting businesses, located in Florida and Nevada, that provided potential patients with referrals to addiction treatment centers and vice versa. While Brekka worked for LVRC, he shuttled between Florida where he lived, and Nevada where LVRC was located. While commuting, he emailed documents from LVRC back to his home computer.

In June 2003, Brekka obtained an administrative log-in for LVRC's website. Using this password, Brekka gained access to information about LVRC's website, which he used in managing LVRC's internet marketing -- one of his areas of responsibility. In August 2003, Brekka began to talk with LVRC about acquiring an ownership interest in the company. During this time, Brekka emailed a number of LVRC financial, admissions and marketing documents to his home computer. However, in September 2003, the negotiations broke down, and Brekka ceased working for LVRC.

Sometime after Brekka left their employment, LVRC discovered that he had emailed its financial, admissions and marketing documents to his home computer. LVRC then filed suit, claiming that these actions were without authorization and hence violated the CFAA.

The District Court and the 9th Circuit disagreed.

Continue reading "LVRC v. Brekka: 9th Circuit Decision Creates Circuit Split on Whether CFAA Applies to an Employee Who Misuses His Authority to Access His Employer's Computer Files" »