Tort Liability from Data Thefts: The Race is to the Swift

A thief breaks into the corporate headquarters of your digital media company and steals a laptop. He uses the laptop to gain access to your customers’ files, and gleans sensitive information, including their driver’s license data, social security numbers and bank account data. Can you be liable to customers for this theft? The answer, at present, is theoretically “yes”, but in many cases, “no” — if you take the right steps.

Many states have statutes protecting personal information of consumers. For example, the California Civil Code requires businesses to: (i) destroy personal information when it is no longer to be retained by the business; (ii) “implement and maintain reasonable security procedures” to protect personal information from unauthorized access; (iii) disclose any breach of security which has caused disclosure of personal information, and (iv) disclose any personal information provided to third parties on the consumer’s request. (Fn 1) The Civil Code provides that a customer may sue to recover damages, as well as injunctive relief, for any violation of these rules. (Fn 2)

So if a thief steals your customer data, and your failure to meet these standards causes your customers to suffer losses — yes — you can be found liable.

But, while these laws have been on the books for about five years, they do not seem to have resulted in a lot of large judgments. There are no reported appellate cases directly dealing with any of them and few unreported court orders mention them.

One reason for this may be the sheer economics of consumer rights litigation. Most consumer rights cases involve small dollars. Because the plaintiff generally must bear his own attorneys’ fees, few cases hold the promise of a sufficiently large recovery to warrant paying the fees to win the case. This is why the real action in consumer rights cases is in consumer class actions. Combining thousands or millions of cases together can yield sufficient damages to justify the attorney time expended. In addition, bringing a case as a class action may give plaintiffs an argument that they are also entitled to an attorney fee award under state statutes awarding fees for actions taken in the public interest or in defense of civil rights. (Fn 3)

However, even data theft cases brought as class actions have faced significant hurdles. This is mainly because the lead plaintiffs have often been unable to allege actual injuries resulting from the cyber security breach.

Will Cloud Computing Create a Thunderstorm?: Loophole Permits Private Emails and other Digital Data Stored by Third Parties to Be Divulged to the Public without Stored Communications Act Liability

As data storage moves from equipment controlled by its authors into the “cloud” — storage on equipment controlled by third parties — there is an increased risk that unauthorized third parties will access this data and use it for nefarious purposes. The Stored Communications Act (“SCA”, 18 U.S.C. § 2701 et seq.) is widely thought to provide protection from disclosure for emails and other private data that are in such electronic storage. However, a less-known loophole in the SCA can permit stored information to be accessed without the author’s permission and then divulged to competitors, to adversaries, to strangers, or to the general public, without liability under the SCA.

The SCA provides that any person who intentionally accesses stored electronic communications without authorization or beyond the scope of his authorization is subject to civil and criminal penalties. 18 U.S.C. § 2701(a), (b). However, there are two important exceptions to this protection:

Even if an author of a communication has not authorized a third party to access that communication, the SCA provides that this unauthorized third party is immune from liability if he/she was authorized to gain access by the provider of the electronic communications service — such as the ISP or the business that operates the network. The SCA further provides that an unauthorized third party is also immune if he/she has been given permission to access the communication by a user of the service on which the communication is stored — such as a member of a private website, such as a MySpace page.

This means that even if the author has not consented for anyone except the recipients to access his/her private emails, a lot of people could still be looking at them, copying them and doing who knows what else to them — with SCA immunity.

That sounds bad enough. However, the next section in the SCA — Section 2702 — opens the door to unauthorized disclosure even wider.

Zango, Inc. v. Kaspersky Lab, Inc.: The Ninth Circuit Gets to the Right Destination But By the Wrong Route

The Ninth Circuit’s recent ruling in Zango, Inc. v. Kaspersky Lab, Inc. is one of the few that directly deal with the provisions in the Communications Decency Act that provide immunity from suit for the screening activities of internet service providers. The relevant section, 47 U.S.C. § 230(c)(2), provides as follows:

“No provider or user of an interactive computer service shall be held liable on account of —

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to make available to information content providers or others the technical means to restrict access to material described in paragraph [A].”

The plaintiff in the case, Zango, Inc., is a now-defunct Internet entertainment company that provided access to a catalog of online videos, games and music to users who agreed to view advertisements while surfing the internet. The defendant, Kaspersky Lab, Inc., is still alive and kicking, and is a Moscow-based firm which bills itself as “a leading anti-virus software and Internet Security software solution for your home computer or business.”

According to the court, Kaspersky’s software classified Zango as “adware,” a type of malware. Once installed on a user’s computer, adware monitors a user’s browsing habits and causes “pop-up” ads to appear throughout the browsing session. Adware can open up links with websites that themselves contain malware that can infect a personal computer. Kaspersky’s software disabled key features of Zango’s software and through a series of routines, ultimately blocked the use of Zango.

Zango sued Kaspersky, seeking an injunction against its blocking activities. In defense, Kaspersky invoked the protection of §230(c)(2)(B), cited above.

The Ninth Circuit concluded that Kaspersky was “plainly immunized” by the Communications Decency Act. This conclusion was based on its analysis of §230(c)(2)(B) and two related definition sections: § 230(f)(2), which defines the term “interactive computer service” to mean any “information service, system, or access software provider that provides or enables computer access by multiple users to a computer server . . .”; and § 230(f)(4), which defines the term “access software provider” to include providers of software that filter content.

Combining these three sections, the Court concluded that a provider of filtering software or services may not be held liable for any action taken to make its filtering software available “so long as the provider enables access by multiple users to a computer service.” The Court then noted that Kaspersky “provides or enables computer access by multiple users to a “computer server” by providing its customers with online access to its update servers.”

U.S. v. Kilbride: 9th Circuit’s Holding that Internet Obscenity Laws Should Be Governed by a National Standard Rests on Shaky Grounds

Digital media law: The 9th Circuit has done it again. In its ruling last week in U.S. v. Kilbride, the 9th Circuit announced that “a national community standard must be applied in regulating obscene speech on the Internet, including obscenity disseminated by email.” (Case Nos. 07-10528, 07-10534, October 28, 2009). The 9th Circuit stated that its holding followed the view expressed by a majority of U.S. Supreme Court Justices in Ashcroft v. ACLU, 535 U.S. 564 (2002) that application of a national community standard in Internet obscenity cases would not “generate serious constitutional concerns.”

The Justices said no such thing. To the contrary, Justice Kennedy, whom the 9th Circuit includes in the majority supposedly agreeing with its holding, wrote that “it is neither realistic nor beyond constitutional doubt for Congress, in effect, to impose the community standards of Maine or Mississippi on Las Vegas and New York” through a national obscenity law. Ashcroft v. ACLU, 535 U.S. at 597. If the U.S. Supreme Court takes the appeal of Kilbride, the 9th Circuit’s ruling here could well be reversed.

The Kilbride case involves the appeal of the criminal convictions of two spammers, Jeffrey Kilbride and James Schaffer, who distributed two sexually explicit images via email throughout the U.S. The Defendants’ spam operation was enormous and generated some 662,000 complaints to the FTC from persons around the country.

The Defendants were ultimately charged with violations of two Federal obscenity laws — 18 U.S.C. § 1462 and 1465, which prohibit the importation into the U.S., and the transportation in interstate commerce, of “obscene, lewd, lascivious, or filthy” books, pictures and other media. Both statutes apply to distribution of materials via the Internet, and specifically include distribution via an “interactive computer service,” as defined by the Communications Decency Act. A conviction under Section 1465 has been upheld for images sent from a computer bulletin board in one state to a personal computer in another state. U.S. v. Thomas, 74 F.3d 701 (6th Cir. 1996).

Prior U.S. Supreme Court decisions have held that obscenity is to be determined by the standards of the local community in which the publication was made. However, in Kilbride, the Defendants were prosecuted for their national distribution of obscene materials. As part of its case, the government called eight witnesses from various parts of the country who had filed complaints with the FTC about the Defendants’ emails. These witnesses testified about the circumstances under which they had received the Defendants’ emails, their reaction and attitudes towards these images and their views on pornography generally. The government also introduced evidence regarding the 662,000 other complaints the FTC had received about the images. For its part, the defense introduced evidence regarding community attitudes towards pornography drawn solely from Arizona — the judicial district where the case was prosecuted.

At the close of evidence, the jury was instructed that it should use the standards of the “community as a whole, that is to say by society at large, or people in general” in determining whether the images distributed by the Defendants were obscene. This community was “not defined by a precise geographic area”, so the jury could consider evidence of standards existing outside Arizona. They were also told that they could consider their “own experience and judgment” as well as the evidence presented in making this determination. The jury ultimately returned a verdict finding the Defendants guilty under the two statutes.

On appeal to the 9th Circuit, the Defendants argued that these instructions were improper, because they asked the jury to apply a global or societal standard for obscenity. The Defendants claimed that because the distribution of the emails was made nationally, the District Court should have instructed the jury to apply a “national” obscenity standard.

The 9th Circuit agreed that the Defendants had a point. It cited a 2002 plurality U.S. Supreme Court decision regarding the Child Online Protection Act (COPA), in which two Justices, O’Connor and Breyer, had stated that a “national standard” should be used for laws involving distribution of obscene material over the Internet. Ashcroft v. ACLU, 535 U.S. 564, 122 S.Ct. 1700 (2002). Justice O’Connor stated that community standards for obscenity vary greatly throughout the country. However, persons using the Internet to publish materials are unable to control the geographic location of their audience. As a result, requiring Internet publishers to hold to a “local community” standard for obscenity would require them to adopt the most restrictive view of obscenity taken by any community in the country. In Justice O’Connor’s view, this would “potentially suppress an inordinate amount of expression.” Id. at 587.

Frustration for Consumers Seeking to Recover from a Retailer in a Maine Data Theft Case

Consumer suits against retailers for losses from data thefts face many hurdles to recovery. A recent illustration is the court’s dismissal of virtually all claims brought by customers of Hannaford, a supermarket chain based in Maine. (In re Hannaford Bros. Co. Customer Data Security Breach Litigation, U.S. District Court, District of Maine, MDL Docket No. 2:08-MD-1954).

From December 2007 through March 2008, “wrongdoers” (apparently a less malevolent class of miscreant than the “evildoers” faced by President Bush) gained access to Hannaford’s information technology systems. The thieves stole some 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers and other customer information. They were able to use this information to rack up an undisclosed amount of charges on customer accounts. Hannaford apparently discovered the security breach, but delayed before warning its customers, who continued to use their credit and debit cards for some time before the breach was closed.

The customers sued in the U.S. District Court in Maine and sought certification as a class action. They brought claims for breach of implied contract, breach of implied warranty, breach of fiduciary duty, breach of a Maine statute requiring disclosure to customers of a data security breach, strict liability, negligence, and unfair trade practices.

District Court Judge Hornby first analyzed the plaintiffs’ ability to recover under each of these causes of action, rejecting all but the breach of implied contract, negligence and unfair trade practice theories. The Court found that under Maine law, a contract includes “all such implied provisions as are indispensable to effectuate the intention of the parties.” When a customer gives a merchant his debit or credit card information, the parties assume that “the merchant will not use the card data for other people’s purchases, will not sell or give data to others, and will take reasonable measures to protect the information.” This duty supported both the breach of implied contract and negligence claims against the merchant.

The court also found that Hannaford could be subject to suit under Maine’s unfair competition law. The Maine statute appears to be rather broad (broader than the California UCL) because it permits a consumer who purchases goods or services and “suffers any loss of money or property” as a result of an unfair or deceptive act to sue for “actual damages, restitution” and equitable relief. Here, the plaintiffs claimed that Hannaford failed to disclose the data breach for several months, which caused customers who continued to use plastic at the store to suffer data losses. The court concluded that Hannaford’s inaction justified a UCL claim.

Management Information Apply Only to Automatic, Computerized Copyright Management Systems

Among the anti-circumvention rules in the Digital Millennium Copyright Act (DMCA) are prohibitions against the removal or alteration of “copyright management information.” (17 USC §1202). While the popular understanding of the DMCA is that its provisions are specifically targeted to digital media, the definition of “copyright management information” appears very broad and includes:

• The title and other information identifying a work, including the information set forth in a notice of copyright.
• The name(s) and other identifying information of the author, owner and/or performer of the work.
• Terms and conditions for use of the work, and
• Identifying numbers or symbols referring to such information or links to such information.

At face value, nothing about these definitions appears to limit “copyright management information” to digital or other electronic information. However, the earliest District Court cases decided that Congress had intended to limit this provision to “automated copyright management systems functioning within a computer network environment.” IQ Group, Ltd. v. Wiesner Publishing, LLC, 409 F.Supp.2d 587, 596 (D. New Jersey 2006); Textile Secrets International, Inc. v. Ya-Ya Brand Inc., 524 F.Supp.2d 1184 (C.D. Cal. 2007). Among technological measures that these decisions indicated would qualify under this standard were electronic envelopes and digital watermarks. This interpretation was followed, without significant comment, in another recent Southern District of New York decision. See Silver v. Lavandeira, Southern District of New York, 08 Civ. 6522 (JSR) (January 7, 2009 Magistrate’s Report and Recommendation).

That early trend is meeting some resistance. In March 2007, a court in the Western District of Pennsylvania held that Section 1202(c) defines “copyright management information” broadly to include “any” of the information set forth in its defined categories, whether digital or not. McClatchey v. Associated Press, 2007 WL 776103 (W.D. Pa. 2007). This meant that cropping the title, author’s name and copyright notice on printouts of photographs could violate this provision of the DMCA. In February 2009, directly rejecting the IQ Group and Textile Secrets rulings, a court in the Southern District of New York stated that the phrase “the technological measures of automated systems” is not found in the statute. As such, it found that the statute could cover manual removal of copyright information. See Associated Press v. All Headline News Corp., Southern District of New York, 08 Civ. 323 (PKC) (February 17, 2009 Memorandum and Order).

It is too early to tell how this split will be resolved. If the broader view of the statute is accepted, it could substantially change the requirements even for fair use of copyrighted information. Under the statute removal or alteration of copyright information is prohibited “without the authority of the copyright owner or law” — without exception. Section 1202(b).

The Legacy of Perfect 10: Websites that Use In-line Linking and Thumbnails to Bring Third Party Content to Users Can Avoid Suits for Direct Copyright Infringement

I have recently had a number of discussions with website operators that bring audio, video and other content to their websites via “in-line” linking, about whether this practice violates copyright laws. In-line linking is a form of hyperlinking that permits a host website to incorporate images and other materials from other websites into the host website. The HTML in the “in-line” link directs the user’s browser to retrieve a linked-to image from a source website and display it on the user’s screen — all without leaving the host website.

Typically, the linked material appears on the user’s screen in a “frame” — surrounding material from the host website. In many cases, a shot of the opening frame (in the case of video clips) or a diluted version of the object itself (in the case of photographs) will be used as a “thumbnail,” which the user will click to activate the hyperlink. This technology has been used in Google’s image search function and in social networking and affinity sites, among others.

“In-line” linking and “framing” have often been criticized by the owners of the source objects. For example, in many cases, the “frames” on the host website will cover over advertising and trademarks of the source website. This reduces the ad revenue stream that the source website may have counted on to pay for the content. It is also often claimed that the creation of thumbnails reduces the demand for cell-phone downloads of images.

So do in-line linking, framing and the use of thumbnails violate copyright laws? In many cases — as the legacy of a series of decisions in the Perfect 10 case — the answer will be “No.”

Perfect 10 is a media company that distributes photographs of female models through its magazine, website and via cell-phone downloads. Because it exists on the internet, it was covered by Google’s text and image search engines. Google image searches would recover Perfect 10 photographs, which would be displayed as thumbnails on Google’s site. When a user clicked on the thumbnail, “his computer would pull up a page comprised of two distinct frames, one hosted by Google and a second hosted by the underlying website that originally hosted the full-size image.” Perfect 10 v. Google, Inc., 416 F.Supp.2d 828 (C.D. Cal. 2006).

The Google frame, at the top of the screen, stated that the thumbnail “may be scaled down” and that the Google frame was not the context in which the picture was originally found. The Google frame also gave the URL of the source of the picture, although often in truncated form. The thumbnail was created by Google from the original photograph and existed on Google’s servers. While the essence of the image could be viewed, thumbnails typically eliminated over 97% of the pixels in the original image. Id. at p. 847, n. 13.

TJX Data Security Breach Saga Continues: Financial Institution Class Action against TJX Survives Based on Unfair Competition Claim Predicated on Statements in FTC Complaint against T.J. Maxx / Marshalls’ Parent Company

TJX’s legal saga concerning its massive security breaches in 2003 and 2006 lives on. TJX is a large retailer, with over 2000 T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright stores in the U.S. and Puerto Rico. During 2003 and 2006, hackers broke into the TJX computer network that handled its credit and debit card, check and return merchandise transactions. The intrusion involved transactions occurring in 2003 and from May-December 2006. TJX learned about the intrusion in mid-December 2006, but delayed making public notification until January 17, 2007. Reports indicated that approximately 45.7 million customer credit and debit cards were affected by the breach.

According to TJX’s most recent 10-Q (May 2, 2009), TJX initially established a reserve of $178.1 million to reflect its losses from the data intrusion. TJX later reduced this reserve by $39.4 million. This means that TJX expects its net losses from the data intrusion to total almost $139 million. While TJX will survive, this is truly a massive loss and represents one of the largest computer-related losses experienced by a company.

An expanding body of federal and state law has imposed two types of data security regulations on companies handling consumer financial transactions: (i) a duty to employ reasonable security measures, and (ii) a duty to notify consumers when a breach of security has occurred.

After TJX announced its data security breach, it was hit with a lengthy list of legal actions. These included: (i) a regulatory complaint by the FTC; (ii) claims by the credit card companies to recover tens of millions in fraud losses; (iii) regulatory actions by over 40 state attorneys general; (iv) several consumer class actions; and (v) a class action on behalf of thousands of banks that had lost money as a result of the breach. All but one of these major legal actions appear to have been resolved.

The FTC Complaint was resolved on July 29, 2008 with the entry of a consent order requiring TJX to install and maintain a “comprehensive information security program to protect the security, confidentiality, and integrity of personal information collected from customers.” TJX is also required to provide initial and biennial audits affirming the quality of this system for the next 20 years. (Fn1) The State Attorney General actions were settled on June 22, 2009 with another consent decree requiring TJX to maintain a “comprehensive information security program.” TJX also agreed to comply with state breach notification laws and to pay the states $9.75 million.

The credit card company claims were settled for an amount estimated to be at least $24 million, but possibly much more. The consumer class action was settled in early 2008 in consumer class action dollars, including: (i) the choice of a $60 gift certificate or $30 in cash, (ii) three years of credit monitoring from Equifax, (iii) the replacement cost of a driver’s license and (iv) the amount of any actual, unreimbursed damages. Plus, TJX agreed that all its stores would hold a one-time Special Event (a sale) in which prices at its stores would be reduced by 15%. The plaintiffs’ attorneys received $6.5 million in attorneys’ fees, as well. (Fn2)

The major piece of litigation that remains is the financial institution class action. (Fn3) The suit is brought on behalf of “thousands of financial institutions” who apparently suffered losses too small to bring individual actions. So if the court were to refuse to certify the plaintiffs as a class, their claims would likely go away.

Too Soon to Worry about the Anti-Counterfeiting Trade Agreement (ACTA)?

Digital media law update: Despite the tremors caused by the Lenz case, a recent decision by a Wisconsin District Court shows that it can still be difficult to obtain a judgment holding a defendant liable for sending a false DMCA notice. See Third Education Group, Inc. v. Phelps, E.D.Wisc., No. 07-c-1094, Decision and Order Following Court Trial (November 25, 2009).

The Digital Millennium Copyright Act puts a powerful tool in the hands of a person who claims to be the owner of a copyright. Copyright law provides for six-figure statutory damages against an ISP who permits infringing material to reside on a site under its control after receiving notice of the presence of the material. However, the DMCA provides immunity from these civil damages if an ISP takes down such material in response to a notice from the putative owner of the copyright, and meets certain other tests. This provides a strong incentive for an ISP to reflexively take down infringing material — such as by disabling an entire website — upon receiving a DMCA takedown notice.

This puts a serious weapon in the hands of the general public that can be used to protect legitimate copyright interests — or can be misused by someone who has no rights in material used by a competing business to get its site shut down.

To prevent abuse of the notice and takedown system, Congress put two major protective measures into the DMCA: the counter-notice procedures in § 512(g) and the misrepresentation rule in § 512(f). Section 512(f) provides that a person who “knowingly” misrepresents that material on a site is infringing is liable for any damages, including attorneys’ fees, incurred by the alleged infringer.

It can be very hard to prove a knowing misrepresentation occurred. Courts interpreting this statute have generally found that to be liable, the person who sent a false DMCA notice must have lacked the honest belief that material was infringing. As stated by the 9th Circuit, “Congress’s apparent intent [was] that the statute protect potential violators from subjectively improper actions by copyright owners.” Rossi v. MPAA, 391 F.3d 1000, 1005 (9th Cir. 2004).

To determine whether the sender of a false DMCA notice had a good faith belief in the truth of the notice, courts do not limit themselves to the testimony of the sender. Rather, courts consider the information that the sender relied on. However, it doesn’t take much evidence for the court to find that the author of a DMCA notice acted in good faith.

For example, the Rossi case concerned the website www.internetmovies.com, which Rossi described as an online magazine that provided visitors with a directory of websites containing information about movies. Rossi’s site contained the words “Join to download full length movies online now!” In fact, users could actually download no movies through Rossi’s site or through the links to which he referred users — a fact that MPAA investigators missed because they never attempted to download any movies from Rossi’s site.

However, the 9th Circuit stated that the sender of a DMCA takedown notice is not required to perform a “reasonable investigation” and “cannot be held liable simply because an unknowing mistake is made, even if the copyright owner acted unreasonably in making the mistake.” Id. at 1005. Accordingly, the 9th Circuit found that the MPAA acted in subjective good faith because the language on Rossi’s site “led the MPAA employees to conclude in good faith that motion pictures owned by MPAA members were available for immediate downloading from the website.”

In a more recent case, a director and president of a small Wisconsin corporation, Third Education Group, Inc., which operated an online magazine at thirdeducationgroup.net and thirdeducationgroup.org, had a falling out with the other directors. He resigned from the board, and then changed the passwords to the two sites, locking the corporation out of the sites. He then utilized the domain names as the home for his own independent organization, which he incorporated in Iowa under the same name — Third Education Group, Inc.

After being locked out of its own websites, the Wisconsin corporation created a new site under the domain name tegr.org and populated it with material largely copied from thirdeducationgroup.net and thirdeducationgroup.org. In response, the absconding former president of the Wisconsin corporation sent DMCA takedown notices to the ISPs which hosted the tegr.com site, resulting in the ISPs blocking access to the tegr.com site. (See Third Education Group, Inc. v. Phelps, E.D.Wisc., No. 07-c-1094, Decision and Order Following Court Trial, November 25, 2009).

The absconding president argued that he could not be held liable under Section 512(f) because he believed that he had the right to take control of the websites. He was the person that had registered them, and he had registered them prior to the formation of the Wisconsin corporation — although after he had agreed with the other directors to form Third Education Group.

The Court ultimately found that the absconding president’s belief that he had a right to the websites was ill-founded and that the domain names belonged to the Wisconsin corporation. However, the Court nevertheless found that he could not be held liable for misrepresenting his entitlement to the domain names. The Court stated that “[d]etermining the ownership of the website material required resolution of complex and somewhat novel questions [of] common law related to unincorporated associations and how the intellectual property of a voluntary association is affect[ed] when the association subsequently incorporates.” The absconding president was also largely responsible for coming up with the idea of the journal, and did or paid for nearly all the work on the website, including writing the allegedly infringing content at issue. As such, the judge concluded that there was no evidence that he acted in bad faith when he issued his DMCA notices. Id. at p. 16.

Many reading this are no doubt shouting, “What about the Lenz case?” Didn’t that essentially impose a duty on the sender of a DMCA notice to at least investigate whether the use of the content at issue was fair? See Lenz v. Universal Music Corp., 572 F.Supp.2d 1150 (N.D. Cal. 2008). Actually, what Judge Fogel stated in Lenz was that the DMCA requires copyright owners to make an “initial review of the potentially infringing material prior to sending a takedown notice.” Id. at 1155 (emphasis added). As part of that initial review, there must be a consideration of factors that relate to whether the use of copyrighted material is infringing, including the possible applicability of the fair use doctrine.

The impact of the Lenz case is that it implies that to act in good faith, the person sending a DMCA notice must have at least a basic knowledge of copyright law. This means that when reviewing a potentially infringing site (or setting up a review system), a copyright holder should consult with an expert on copyright law so that it can appropriately take into account the numerous factors that determine whether a use is infringing.

However, the case law on Section 512(f) as a whole also indicates that a copyright holder’s review of a potentially infringing site does not have to go very far. If the facially obvious evidence supports a conclusion that a use is infringing, and there is no other evidence that the copyright holder acted in bad faith, a Court is unlikely to hold it liable for sending a DMCA notice that ultimately proves to rest on a false claim of infringement.

On-line Privacy Update: FTC Uses Its Mandate to Expand Reach of Consumer Data Security Laws to Non-Financial Businesses

The Federal Trade Commission (FTC) is increasingly using its broad powers to require businesses to enact privacy measures to protect their customers’ personal data. According to the FTC, all companies must “maintain reasonable and appropriate measures to protect sensitive consumer information.” And the FTC is ready and willing to step in and make them implement such measures — regardless of whether Congress has enacted a specific statute requiring the business to do so.

When most people think about the Federal Trade Commission (FTC), they think about a federal agency that fights monopolies or big consumer frauds. However, the FTC Act, the statute that created the FTC, gave it a very broad mandate: “to prevent persons, partnerships or corporations . . . from using unfair methods of competition in or affecting commerce and unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(2). In the digital media world, throughout the past decade, the FTC has used this vague “unfairness” mandate to require consumer-based businesses to enact data security measures.

There are federal laws that impose data security requirements, such as the Fair Credit Reporting Act (15 U.S.C. § 1681e) and the Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.). These laws apply to financial institutions and credit reporting agencies. However, in its recent enforcement actions, the FTC has begun to apply these data security rules to consumer businesses as a whole. (Fn1) According to a June 17, 2009 statement by the FTC to the U.S. House (Fn2), since 2001 the FTC has brought 26 cases against businesses that allegedly failed to protect consumers’ personal information. These include cases against Microsoft, TJX, LexisNexis, Tower Records, Petco, Reed Elsevier, CVS and Compgeeks.com. None of these companies would commonly be considered financial or credit reporting companies.

The legal authority for the FTC’s actions in each case differed, but in some cases, such as the TJX and Compgeeks.com cases, it rested solely on the FTC’s broad mandate to fight “unfairness.” (Fn3) Nevertheless, the terms of the consent orders reached in both cases imposed on TJX and Compgeeks.com the same obligations required of financial companies under the Gramm-Leach-Bliley Act. Both consent orders required the implementation of “a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” This is language taken directly from 16 C.F.R. § 314.3, the FTC’s rules implementing Gramm-Leach-Bliley.

The FTC complaints in its cases against non-financial businesses “have alleged such practices as the failure to (1) comply with posted privacy policies; (2) take even the most basic steps to protect against common technology threats, (3) dispose of data properly, and (4) take reasonable steps to ensure that they do not share customer data with unauthorized third parties.” According to the FTC, “all of the cases stand for the principle that companies must maintain reasonable and appropriate measures to protect sensitive consumer information.”

Some may wonder about the breadth of the FTC’s powers. However, prior case law has held that the FTC is not limited to merely enforcing specific laws that Congress has elsewhere enacted. To the contrary, the FTC has the power to declare otherwise legal practices unfair or deceptive, thereby making them illegal.