Archives for June 2015

Frustration for Consumers Seeking to Recover from a Retailer in a Maine Data Theft Case

Consumer suits against retailers for losses from data thefts face many hurdles to recovery. A recent illustration is the court’s dismissal of virtually all claims brought by customers of Hannaford, a supermarket chain based in Maine. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, U.S. District Court, District of Maine, MDL Docket No. 2:08-MD-1954).

From December 2007 through March 2008, “wrongdoers” (apparently a less malevolent class of miscreant than the “evildoers” faced by President Bush) gained access to Hannaford’s information technology systems. The thieves stole some 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers and other customer information. They were able to use this information to rack up an undisclosed amount of charges on customer accounts. Hannaford apparently discovered the security breach, but delayed before warning its customers, who continued to use their credit and debit cards for some time before the breach was closed.

The customers sued in the U.S. District Court in Maine and sought certification as a class action. They brought claims for breach of implied contract, breach of implied warranty, breach of fiduciary duty, breach of a Maine statute requiring disclosure to customers of a data security breach, strict liability, negligence, and unfair trade practices.

District Court Judge Hornby first analyzed the plaintiffs’ ability to recover under each of these causes of action, rejecting all but the breach of implied contract, negligence and unfair trade practice theories. The Court found that under Maine law, a contract includes “all such implied provisions as are indispensible to effectuate the intention of the parties.” When a customer gives a merchant his debit or credit card information, the parties assume that “the merchant will not use the card data for other people’s purchase, will not sell or give data to others, and will take reasonable measures to protect the information.” This duty supported both the breach of implied contract and negligence claims against the merchant.

The court also found that Hannaford could be subject to suit under Maine’s unfair competition law. The Maine statute appears to be rather broad (broader than the California UCL) because it permits a consumer who purchases goods or services and “suffers any loss of money or property” as a result of an unfair or deceptive act to sue for “actual damages, restitution” and equitable relief. Here, the plaintiffs claimed that Hannaford failed to disclose the data breach for several months, which caused customers who continued to use plastic at the store to suffer data losses. The court concluded that Hannaford’s inaction justified a UCL claim.

Management Information Apply Only to Automatic, Computerized Copyright Management Systems

Among the anti-circumvention rules in the Digital Millennium Copyright Act (DMCA) are prohibitions against the removal or alteration of “copyright management information.” (17 USC §1202). While the popular understanding of the DMCA is that its provisions are specifically targeted to digital media, the definition of “copyright management information” appears very broad and includes:

• The title and other information identifying a work, including the information set forth in a notice of copyright.
• The name(s) and other identifying information of the author, owner and/or performer of the work.
• Terms and conditions for use of the work, and
• Identifying numbers or symbols referring to such information or links to such information.

At face value, nothing about these definitions appears to limit “copyright management information” to digital or other electronic information. However, the earliest District Court cases decided that Congress had intended to limit this provision to “automated copyright management systems functioning within a computer network environment.” IQ Group, Ltd. v. Wiesner Publishing, LLC, 409 F.Supp.2d 587, 596 (D. New Jersey 2006); Textile Secrets International, Inc. v. Ya-Ya Brand Inc., 524 F.Supp.2d 1184 (C.D. Cal. 2007). Among technological measures that these decisions indicated would qualify under this standard were electronic envelopes and digital watermarks. This interpretation was followed, without significant comment, in another recent Southern District of New York decision. See Silver v. Lavandeira, Southern District of New York, 08 Civ. 6522 (JSR) (January 7, 2009 Magistrate’s Report and Recommendation).

That early trend is meeting some resistance. In March 2007, a court in the Western District of Pennsylvania held that Section 1202(c) defines “copyright management information” broadly to include “any” of the information set forth in its defined categories, whether digital or not. McClatchey v. Associated Press, 2007 WL 776103 (W.D. Pa. 2007). This meant that cropping the title, author’s name and copyright notice on printouts of photographs could violate this provision of the DMCA. In February 2009, directly rejecting the IQ Group and Textile Secrets rulings, a court in the Southern District of New York stated that the phrase “the technological measures of automated systems” is not found in the statute. As such, it found that the statute could cover manual removal of copyright information. See Associated Press v. All Headline News Corp., Southern District of New York, 08 Civ. 323 (PKC) (February 17, 2009 Memorandum and Order).

It is too early to tell how this split will be resolved. If the broader view of the statute is accepted, it could substantially change the requirements even for fair use of copyrighted information. Under the statute, removal or alteration of copyright information is prohibited “without the authority of the copyright owner or law” — without exception. Section 1202(b).

The Legacy of Perfect 10: Websites that Use In-line Linking and Thumbnails to Bring Third Party Content to Users Can Avoid Suits for Direct Copyright Infringement

I have recently had a number of discussions with website operators that bring audio, video and other content to their websites via “in-line” linking, about whether this practice violates copyright laws. In-line linking is a form of hyperlinking that permits a host website to incorporate images and other materials from other websites into the host website. The HTML in the “in-line” link directs the user’s browser to retrieve a linked-to image from a source website and display it on the user’s screen — all without leaving the host website.

Typically, the linked material appears on the user’s screen in a “frame” — surrounding material from the host website. In many cases, a shot of the opening frame (in the case of video clips) or a diluted version of the object itself (in the case of photographs) will be used as a “thumbnail,” which the user will click to activate the hyperlink. This technology has been used in Google’s image search function and in social networking and affinity sites, among others.

“In-line” linking and “framing” have often been criticized by the owners of the source objects. For example, in many cases, the “frames” on the host website will cover over advertising and trademarks of the source website. This reduces the ad revenue stream that the source website may have counted on to pay for the content. It is also often claimed that the creation of thumbnails reduces the demand for cell-phone downloads of images.

So do in-line linking, framing and the use of thumbnails violate copyright laws? In many cases — as the legacy of a series of decisions in the Perfect 10 case — the answer will be “No.”

Perfect 10 is a media company that distributes photographs of female models through its magazine, website and via cell-phone downloads. Because it exists on the internet, it was covered by Google’s text and image search engines. Google image searches would recover Perfect 10 photographs, which would be displayed as thumbnails on Google’s site. When a user clicked on the thumbnail, “his computer would pull up a page comprised of two distinct frames, one hosted by Google and a second hosted by the underlying website that originally hosted the full-size image.” Perfect 10 v. Google, Inc., 416 F.Supp.2d 828 (C.D. Cal. 2006).

The Google frame, at the top of the screen, stated that the thumbnail “may be scaled down” and that the Google frame was not the context in which the picture was originally found. The Google frame also gave the URL of the source of the picture, although often in truncated form. The thumbnail was created by Google from the original photograph and existed on Google’s servers. While the essence of the image could be viewed, thumbnails typically eliminated over 97% of the pixels in the original image. Id. at p. 847, n. 13.

AT&T v. FCC: 3rd Circuit Rules that Corporations May Invoke Personal Privacy Exception to FOIA Disclosure

Courts have long recognized that corporations have rights that are at least akin to individual privacy rights. Recognized corporate privacy rights include trade secrets and the exercise of the attorney-client privilege. However, the scope of corporate privacy rights is not nearly as broad as the scope of individual privacy rights. Many federal and state privacy laws only apply to individuals, not corporations. For example, the Federal Privacy Act only prohibits the government from collecting and disclosing certain types of information about “individuals” — a term defined to only include U.S. citizens and permanent resident aliens. See 5 U.S.C. § 552a(a)(2).

When dealing with a law that provides protection for privacy rights, attorneys and judges are often unsure whether the law applies only to individuals or covers corporations, as well. An opportunity for such line-drawing has recently arisen as to the scope of a “personal privacy” exception to the Freedom of Information Act (FOIA). 5 U.S.C. §552(b)(7).

Under FOIA, a government agency is generally obligated to produce any records in its possession upon a request from any person. 5 U.S.C. § 552(a)(3). However, there are many exceptions to this rule. Among these are matters that are:

Exception 4: trade secrets and commercial or financial information obtained from a person and privileged or confidential (5 U.S.C. § 552(b)(4));

Exception 6: personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy (Id. at § 552(b)(6)); and

Exception 7(C): records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information . . . (C) could reasonably be expected to constitute an unwarranted invasion of personal privacy (Id. at § 552(b)(7)(C)).

Prior decisions in the D.C. Circuit, which handles the plurality of FOIA appeals, have held that Exception 4, for “trade secrets,” does apply to business entities, such as corporations. Judicial Watch, Inc. v. U.S. Dept. of Energy, 310 F.Supp.2d 271 (D.D.C. 2004), aff’d in part, 412 F.3d 125 (D.D.C. 2004) (§(b)(4) exemption “serves the interest of the government in operating efficiently and effectively by enabling it to obtain necessary commercial and financial information from private persons and business entities”).

However, Exception 6, for “personnel and medical files,” has so far only been applied to individuals. For example, in Multi Ag Media LLC v. Dept. of Agriculture, 515 F.3d 1224 (D.D.C. 2008), the Court stated that Exemption 6 “has not been extended to protect the privacy interests of businesses or corporations.” Of course, this statement does not necessarily mean that Exception 6 might not also one day be extended to cover corporations as well.

Similar laconic statements have been made about Exception 7(C). However, the restriction of Exception 7(C) to individuals has now been soundly rejected by the 3rd Circuit.

TJX Data Security Breach Saga Continues: Financial Institution Class Action against TJX Survives Based on Unfair Competition Claim Predicated on Statements in FTC Complaint against T.J. Maxx / Marshalls’ Parent Company

TJX’s legal saga concerning its massive security breach in 2003 and 2006 lives on. TJX is a large retailer, with over 2000 T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright stores in the U.S. and Puerto Rico. During 2003 and 2006, hackers broke into the TJX computer network that handled its credit and debit card, check and return merchandise transactions. The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.

According to TJX’s most recent 10-Q (May 2, 2009), TJX initially established a reserve of $178.1 million to reflect its losses from the data intrusion. TJX later reduced this reserve by $39.4 million. This means that TJX expects its net losses from the data intrusion to total almost $139 million. While TJX will survive, this is truly a massive loss and represents one of the largest computer-related losses experienced by a company.

An expanding body of federal and state law has imposed two types of data security regulations on companies handling consumer financial transactions: (i) a duty to employ reasonable security measures, and (ii) a duty to notify consumers when a breach of security has occurred.

After TJX announced its data security breach, it was hit with a lengthy list of legal actions. These included: (i) a regulatory complaint by the FTC; (ii) claims by the credit card companies to recover tens of millions in fraud losses; (iii) regulatory actions by over 40 state attorneys general; (iv) several consumer class actions; and (v) a class action on behalf of thousands of banks that had lost money as a result of the breach. All but one of these major legal actions appear to have been resolved.

The FTC Complaint was resolved on July 29, 2008 with the entry of a consent order requiring TJX to install and maintain a “comprehensive information security program to protect the security, confidentiality, and integrity of personal information collected from customers.” TJX is also required to provide initial and biennial audits affirming the quality of this system for the next 20 years. (Fn1) The State Attorney General actions were settled on June 22, 2009 with another consent decree requiring TJX to maintain a “comprehensive information security program.” TJX also agreed to comply with state breach notification laws and to pay the states $9.75 million.

The credit card company claims were settled for an amount estimated to be at least $24 million, but possibly much more. The consumer class action was settled in early 2008 in consumer class action dollars, including: (i) the choice of a $60 gift certificate or $30 in cash, (ii) three years of credit monitoring from Equifax, (iii) the replacement cost of a driver’s license and (iv) the amount of any actual, unreimbursed damages. Plus, TJX agreed that all its stores would hold a one-time Special Event (a sale) in which prices at its stores would be reduced by 15%. The plaintiffs’ attorneys received $6.5 million in attorneys’ fees, as well. (Fn2)

The major piece of litigation that remains is the financial institution class action. (Fn3) The suit is brought on behalf of “thousands of financial institutions” who apparently suffered losses too small to bring individual actions. So if the court refused to certify the plaintiffs as a class action, their claims would likely go away.