WHD Technology Law Blog

Reviewing and negotiating an IT contract on behalf of a university can be a daunting task. It requires a firm grasp of both technical and legal jargon. In addition, it requires an awareness of the institution’s obligations to comply with various state and Federal laws – especially those relating to the privacy and security of student, employee, patient and customer information. Some examples include the following:

• Family Educational Rights and Privacy Act (FERPA)
• Health Information Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Fair Credit Reporting Act (FCRA)

Legal compliance with privacy and security laws becomes more challenging when the university cedes some its internal IT processes via the Internet to third parties – i.e., cloud computing.
 
If your institution is considering the cloud computing approach, we suggest you read the article: Cloud vs. Office? The Answer is Not as Clear-cut as You Might Think. Moreover, as part of your contract review and legal due diligence, be certain you can answer WHD Attorney Andrew Schlidt’s questions. If you cannot, you should consider contacting legal counsel to address potential legal compliance risks, including those relating to privacy, security, intellectual property and disaster recovery.
 
If your institution currently utilizes the cloud, consider an after-the-fact audit to determine areas processes that may be noncompliant or expose the institution to legal exposure. We recommend, however, that an internal audit of this nature be implemented and documented with legal counsel who may be sensitive the protection of privileged information.

Companies continue to move IT operations to the cloud given the efficiencies and convenience offered by cloud environments. While the cloud is often seen as a practical technological and financial solution by CIOs and CFOs, it conversely raises liability concerns for company risk managers, compliance officers, and in-house lawyers. An International Working Group on Data Protection in Telecommunications recently published a Working Paper in April 2012 to help this latter group wrap its arms around the privacy and data protection issues arising from cloud computing. The Working Paper contains guidance on 44 “best practices” that should be of interest to all cloud customers, especially those with operations, customers, or employees located in the European Union.
 
Outsourcing Review provides commentary on legal developments affecting companies engaged in technology outsourcing (ITO) or business process outsourcing (BPO).

Many companies outsource portions of their marketing program to third party marketing firms. With the continued popularity of text messaging, marketing firms often encourage clients to enhance brand awareness through multiple channels of electronic communication, including text messaging.

Keep in mind that the sending of unauthorized, automated commercial text messages likely violates the Telephone Consumer Protection Act. In a recent “text spam” class action case before the U.S. District Court for the Southern District of California (In re Jiffy Lube International Inc., S.D. Cal., No 11-2261, 3/8/12), six named plaintiffs claimed that the defendants violated the Act for sending unauthorized, automated text messages to cell phones. One of the defendants sought dismissal from the case on grounds that its third party marketing firm sent the messages. The court rejected this particular defendant’s argument and ruled that the defendant should not be relieved of liability under the Act “merely because it hired a different firm to send advertisements to its customers.”

This ruling is a reminder that companies may be held vicariously liable for the acts of their outsource providers. Companies are well-advised to address compliance with laws and allocation of liability for non-compliance in their underlying outsourcing agreements.

Outsourcing Review provides commentary on legal developments affecting companies engaged in technology outsourcing (ITO) or business process outsourcing (BPO).

In keeping with its commitment to protect the lives of children and families, the U.S. Consumer Product Safety Commission is launching “CPSC 2.0,” a comprehensive social networking initiative that will make lifesaving and other safety information more accessible to consumers. Utilizing a variety of technologies and social media sites, CPSC will rapidly expand its reach to millions of consumers.

 

Through social media, CPSC can directly reach millions of the moms, dads and others who need our safety information the most,” said CPSC Chairman Inez Tenenbaum.

If your company buys or sells goods internationally, whether online or otherwise, you will want to familiarize yourself with the newly released Incoterms® 2010. The Incoterms® are an internationally recognized standard in commerce published by the International Chamber of Commerce and are used worldwide in both international and domestic contracts for the sale of goods (such as equipment, parts and computers). The Incoterms® were first published in 1936 and offer internationally accepted rules of interpretation for many common commercial terms.The Incoterms® help contracting parties avoid expensive misunderstandings by clarifying the responsibilities and risks involved in the delivery of goods overseas. The rules are developed and maintained by experts identified by the International Chamber of Commerce with expertise in international business transactions. The Incoterms® are updated generally every 10 years. A copy of the Incoterms® 2010 can be purchased through the ICC website.Now is a perfect time to review your standard purchase and sale agreements to determine whether updates are appropriate. Consider both your paper contracts as well as your online agreements (such as terms and conditions of sale, purchase orders, acknowledgments and the like). For companies that outsource manufacturing and fulfillment operations to foreign parties, now is the time to update those agreements. Likewise, if your company sells and markets products through foreign distribution channels, now is a good time to confirm that those distribution agreements are in conformance with changes to international commercial law.

On October 18, the Fifth Circuit ruled that a software licensee violated a license agreement by allowing its lawyers to access and use the software. The court found that this use was a violation of the license because the license expressly prohibited any use of the software other than that explicitly granted by the license—and no right to allow use "on behalf" of the licensee was granted. (See Compliance Source Inc. v. GreenPoint Mortgage Funding Inc.). The Fifth Circuit reversed the summary judgment motion that had been granted in favor of the licensee at the district level.In the case, GreenPoint installed software that develops and prepares loan documents, and then allowed its attorneys to access and use the software to prepare loan packages for GreenPoint loans. The court found this to be a violation of the license, and stated that it would not "look past the actual language of a licensing agreement and absolve a licensee who grants third-party access merely because that access is on behalf of, or inures to the benefit of, the licensee." In distinguishing prior cases, the court held that the license itself must allow use "on behalf of" the licensee in order for third-party contractors or agents to have the right to access or use the software. While the concept that those rights not granted are reserved is certainly not new, this case highlights the importance of carefully drafting or negotiating license agreements to insure that all of those people you need to use the software actually have the right to do so.

On August 31, 2010, the United States Court of Appeals for the Federal Circuit issued its decision in Stauffer v. Brooks Brothers. In its opinion, the Federal Circuit held that the plaintiff patent attorney did have standing to sue Brooks Brothers as a qui tam plaintiff. The court also held that the United States had a right to intervene in the patent marking case. This much anticipated decision is likely to embolden would-be patent marking plaintiffs and the number of patent marking lawsuits will undoubtedly continue to grow. If your company has not yet completed product review to ensure markings are correct and up-to-date, now is a very good time to do so. To read the decision, click here.

In what will be a test of just how broad the scope of protection of the FACEBOOK trademark is, Facebook, Inc. has filed suit against Teachbook.com LLC for trademark infringement and related causes of action in the Northern District of California.  Teachbook.com LLC operates a social networking site for educators and teachers (http://www.teachbook.com/), which according to Facebook is deliberately and willfully misappropriating the FACEBOOK brand.  Facebook is arguing that if third parties can use any "generic plus BOOK" mark for online networking services, the word "book" will become generic for online community services, thereby diluting the FACEBOOK trademark.  Key to this argument is Facebook's position that the word "book" is highly distinctive as used in the context of online communities and networking sites.  Further supporting Facebook's complaint, Teachbook touts its service as a substitute for Facebook on its website.  However, the USPTO saw no likelihood of confusion when they approved Teachbook's federal trademark application in September of 2009.  (Facebook has opposed this registration as well.)This should be an interesting case in evaluating the scope of protection of famous marks.

On July 14, members of Congress introduced a proposed federal data security law for the third consecutive Congressional session, even though the previous two versions of the bill were not acted on. The bill would require businesses to implement, maintain, and enforce reasonable data security policies and procedures, and would apply to all businesses regulated by Gramm-Leach-Bliley, businesses covered by the Fair Credit Reporting Act, and the big catch-all—businesses that maintain or communicate sensitive account or personal information in providing services to covered financial entities. Importantly, the bill would pre-empt the 46 different state laws on data security that already exist—eliminating the conflicting standards that exist today, and closing the gaps where no such law exists.  The bill would only require notification to consumers of breaches of security when harm was reasonably likely—not automatically after any breach. A good idea whose time has come?  We will see...

The Uniform Domain Name Dispute Resolution Policy (UDRP) was designed to provide a quick, low-cost arbitration-like process for resolving domain name disputes.  Governed by the World Intellectual Property Organization, a UDRP complainant must establish that (i) the domain name at issue is confusingly similar to their trademark, and (ii) that the domain name is used in bad faith. While the UDRP is effective in many situations, the case Volvo Trademark Holding AB v. Volvospares.com illustrates one of its big problems—proving bad faith in "grey areas."In this case, the domain name www.volvospares.com was used to sell low-priced parts for Volvo cars; the problem was that the registrant had no connection with Volvo. When Volvo filed a complaint under the UDRP, the arbitrator did not find the domain to have been registered in bad faith because the website had a disclaimer that it was not related to Volvo, and there was no other proof of misrepresentation. However, when Volvo filed a federal cyber-squatting complaint, where the discretion of the judge is far broader, Volvo won transfer of the domain name. The court found what should have been clear in the UDRP—there was intent to divert sales using the Volvo mark.The case illustrates one of the problems with the UDRP. While the UDRP is very efficient and effective in open-shut cases, it is often better to file a cyber squatting complaint where more complex issues of fact will arise.

After six years of battling with Google in the courtroom over Google's sale of Rescuecom's trademarked adwords, Rescuecom has dropped its trademark infringement lawsuit.As we previously wrote, in April 2009, the Second Circuit Court of Appeals held that Google's sale of trademarked adwords constituted "use in commerce."  This holding was a major victory for Rescuecom as some courts had previously been readily dismissing adwords cases on this issue at the very early stages of litigation.  The case was remanded to district court where Rescuecom next had to prove that the sale of trademarked adwords also constituted "likelihood of confusion," the second prong of a trademark infringement action.  The case has been closely followed by both the business and legal communities since the issue of whether use of trademarked adwords can constitute trademark infringement is largely unsettled.So why would Rescuecom simply drop its important case after years of litigation?Apparently Rescuecom found itself on both sides of the adwords action.  Rescuecom purchased the Google adwords "geek squad" to optimize its own search engine ranking.  In October 2009, Best Buy demanded that Rescuecom stop using "geek squad" as an adword.  Rescuecom then quietly brought a declaratory judgment action in the Northern District of New York claiming that its use of the "geek squad" adwords was legitimate.  Best Buy counterclaimed, alleging trademark infringement and substantially the same allegations Rescuecom had asserted in its Google case.  That case is still pending.  It appears, however, that Rescuecom found it difficult to argue both sides of the issue.  Unfortunately, this means the Rescuecom case will not result in the precedent many were waiting for.Interestingly, however, this issue is still percolating internationally.  In September 2009, the European Court of Justice's Advocate General issued an advisory opinion which held that use of trademarked keywords by Google or third-party users through Google's AdWords program did not constitute trademark infringement.  Instead, the Advocate General found that Google was providing information society services.  The advisory opinion, however, is not binding and several cases are still pending in European courts, including the heated adwords lawsuit between Louis Vuitton and Google.

The use of social media in the workplace (Facebook, Twitter, Myspace, LinkedIn, etc.) is fraught with legal issues. Questions regarding ownership of information and data, potential copyright infringement risks, and personal privacy issues all intermingle when employees use employer-owned equipment to access and use social media. Concerns about confidentiality and trade secret information are raised when employees discuss company actions, plans, or decisions on social media. Additionally, the decision about how a company should interact with its customers in the social media marketplace is a difficult one. At the end of the day, there may be no one "right" answer—but there certainly are some wrong ones.It is important that every company have a social media policy to address the risks and rewards of this new communication medium. Even the Florida State Bar is weighing in on the issue, issuing an opinion on November 17, Op. 2009-20 whereby a majority of the Florida Supreme Court judicial ethics committee found "friending" between judges and lawyers to be inappropriate! While there is significant disagreement on whether this position is correct even among legal scholars, it illustrates the increasing importance of social media in all industries. Use of social media is a cutting edge issue that requires some significant thought by businesses of all size.

The case Patco Construction Co. Inc. v. People's United Bank d/b/a Ocean Bank, D. Maine, No. 2:09-CV-00503-DBH, 1/19/10) is one of several recent cases alleging breaches of online security in financial transactions that may provide some guidelines as to what constitutes "reasonable care" in online financial transactions. The case alleges that use of several "challenge questions" added no practical safety beyond a password, and that additional mechanisms such as authentication tokens are required to meet the commercially reasonable standard. (Commercial banks are required to take "commercially reasonable" steps to protect customers against fraud.)This case could be one more step towards a requirement of multi-factor authentication in financial transactions.

The US District Court for the Central District of California confirmed that the trademark ownership that is necessary to pursue a claim under the Anticybersquatting Consumer Protection Act (ACPA) does not require ownership of a federal trademark registration. (See Monex Deposit Co. v. Gilliam, C.D. Cal., No. CV 09-287, 12/3/09.) In making this decision the court recognized that common law trademark rights and ownership will support an ACPA claim even if the trademark owner has not obtained a federal trademark registration. While this decision is not surprising based on the language of the ACPA statute, (which requires trademark ownership, not specifically registration), it provides case law for common law owners to rely on in asserting these claims.The court also held that the fact that a third party may own a registration for the same mark at issue but on different and distinctive goods and services, (thus preventing confusion between the marks), will not prevent assertion of an ACPA claim by a common law trademark owner. This decision is also consistent with federal trademark law, but provides further ammunition for common law trademark owners in ACPA suits, and presumably in UDRP actions and other domain name dispute resolution procedures.

Have you recently received an invoice for an international trademark registration fee and wondered in which country the mark was registered? Was the invoice legitimate looking, yet somewhat confusing? Were you wondering why you received the invoice directly rather than through your trademark attorney? Hopefully you thought about all of the above and inquired into the situation a bit more. The sad reality is that there are several overseas organizations, such as http://www.patentonline.org/, which use these types of letters and their hoax websites to extort money from unwitting businesses. You are more likely to become duped if you have a large, international trademark portfolio, so registration and maintenance costs are nothing out of the ordinary; or if you typically handle all such fees directly in house.A client recently received an invoice for the registration fee of one of its marks for almost $2,500 from the "Register of International Patents and Trademarks." It contained a drawing of the client's trademark with a registration number (which coincidentally corresponded with the client's U.S. Reg. No. for the mark) and a "Published" date (which corresponded to the U.S. Registration Date). The fine print:

"Dear madam, and sir, the publishing of the public registration of your patent is the basis of our offer. We offer the registration of your Patent dates in our private Database. ... Our offer will be accepted, with the payment of the amount, and becomes a binding contract between you and ODM srl, is irrevocably binding for one year. Please notice that this private registration hasn't any connection with the publication of official registrations, but is a solicitation without obligation to pay, unless our offer is accepted...."

Had they paid the fee, they would have received registry in nothing more than an unofficial, private registry. It was a scam. The clear lesson is to always carefully review invoices and correspondence such as this. If you receive any invoices for trademark or patent fees, carefully review the invoice to ensure it matches up with your company's trademark portfolio. Be vary of invoices that do not clearly indicate a known patent and trademark registry, such as the U.S. Patent and Trademark Office. If your attorney has assisted you with the trademark application/registration, you should not be receiving invoices directly. Last but not least, always read the fine print. Of course, if you have any doubt, be sure to consult with your trademark attorney to verify whether it is legitimate. While you would never want to miss an important fee deadline, you certainly do not want to fall prey to this type of scam.

The District Court for the Northern District of California rejected a proposed settlement in a class action data breach case against TD Ameritrade Inc., stating that the settlement provided no value to the class. In re TD Ameritrade Accountholder Litig., N.D. Cal., No. 3:07-cv-02852-VRW, 10/23/09.) TD Ameritrade suffered a data breach in 2007 where the personal date of approximately 6 million customers was hacked into. The rejected settlement provided approximately $1.9 million in attorneys' fees but no financial award to the class. The judge stated that requirements in the settlement for TD Ameritrade to conduct data security tests and hire independent experts to analyze the breach were measures any responsible company would take independent of litigation, and that the data security software that would be provided to the victims was available at no charge online already. TD Ameritrade suffered a data breach in 2007 where the personal date of approximately 6 million customers was hacked into. The rejected settlement provided approximately $1.9 million in attorneys' fees but no financial award to the class. The judge stated that requirements in the settlement for TD Ameritrade to conduct data security tests and hire independent experts to analyze the breach were measures any responsible company would take independent of litigation, and that the data security software that would be provided to the victims was available at no charge online already.In a rapidly evolving area of law, this case indicates that it may be harder than you think to "get out of" a data breach case once it is initiated, providing yet another reason to get the right security in place at the outset.

On October 30, 2009, the FTC decided for the second time to extend the enforcement date of the "Red Flag Rules"—this time to June 1, 2010. This decision comes as the ranks of the critics of the rules continues to grow. On the litigation front, on October 29, 2009, the District Court of the District of Columbia granted a permanent injunction preventing the FTC from enforcing the Red Flag Rules against attorneys. On the legislative front, on October 20, the House of Representatives passed a bill that would exclude health care practices, accounting practices, and legal practices with 20 or fewer employees from the Rule, and would also exempt any business: (i) where all the clients or customers were known individually; (ii) that only perform services in or around residences of their customers; or (iii) have not experienced identity theft and are in an industry where identity theft is rare.The continuing extension of enforcement dates, the pending legislative modifications, and the success of legal challenges mean that the Red Flag Rules, when they are eventually enforced, will likely apply to a smaller number of businesses, and will likely have additional provisions that "water-down" the requirements.

Choicepoint has agreed to pay $275,000 to the FTC, and to conduct bi-annual assessments of their information security program and provide these assessments to the FTC for 20 years, in a modified settlement order issued by the Northern District of Georgia stemming from charges brought by the FTC related to Choicepoint's violations of a previous court order requiring implementation of a comprehensive information security program. The modified settlement order also imposes additional reporting obligations on Choicepoint regarding changes in corporate structure that may impact compliance, bi-monthly reporting on security incidents and the responses to them for the next two years, and other detailed reporting and record-keeping requirements.In 2005, Choicepoint suffered a data breach that resulted in at least 800 cases of identity theft, imposition of more than $15 million in fines and damages, and a court order to maintain a comprehensive data security program. In 2008, this security program was significantly weakened when a key electronic security tool was turned off for four months resulting in additional data breaches. Choicepoint self-reported the breach, which resulted in the modified settlement order.This order illustrates the point that the FTC is becoming more active in enforcing information security requirements—and once they start looking into your business, it may be hard to get them out.

Heartland Payment Systems, the fifth largest payment processor in the United States, is the defendant in a class action lawsuit brought by nine banks and credit unions claiming that Heartland did not do enough to safeguard against security breaches. (See In re: Heartland Payment Systems Inc. Data Security Breach Litigation, S.D. Texas, No. 4-09-md-02046, 9/23/09.) Heartland's system was breached by hackers beginning in late 2007, resulting in the theft of personal financial information associated with millions of credit and debit cards, resulting in large expenses by the associated banks and credit unions that issued the cards—costs associated with destroying comprised cards, issuing new accounts, reimbursing consumers for fraudulent transactions, etc. Heartland's system was breached by hackers beginning in late 2007, resulting in the theft of personal financial information associated with millions of credit and debit cards, resulting in large expenses by the associated banks and credit unions that issued the cards—costs associated with destroying comprised cards, issuing new accounts, reimbursing consumers for fraudulent transactions, etc.Interestingly, Heartland was compliant with the Payment Card Industry Data Security Standards (PCI-DSS) at the time of the hack. The PCI-DSS are standards issued by the major credit card companies requiring certain security standards and data management protocols by vendors using or accessing credit card information. (The standards are available at www.pcisecuritystandards.org. The complaint alleges that Heartland knew before the hack that the "bare minimum PSI-DSS standards were insufficient to protect it from attack by sophisticated hackers." In fact, according to the complaint, a statement made by Heartland in a 2008 Earnings Call acknowledged the need for greater data security beyond the PSI-DSS.The case goes to show the continued need for online vigilance in the financial industry. It also raises a warning: don't simply rely on standards developed by others for your own security; be pro-active and go beyond what the baseline requirements may be.