Business and Technology Law

What is the standard for determining whether the use of a similar mark is likely to cause consumer confusion and lead to trademark infringement?

If you don’t think handbags carry important legal issues, consider the Second Circuit’s statement,

We cannot help but observe that for the person carrying it, a handbag may serve as a practical container of needed items, a fashion statement, or a reflection of its owner's personality; it may fairly be said that in many cases a handbag is so essential that its owner would be lost without it.

Louis Vuitton Malletier v. Dooney & Bourke, 454 F.3d 108 (2d Cir. 2006).

In assessing the likelihood of confusion in a trademark infringement case, courts will consider the non-exclusive multi-factor Polaroid test which includes, (1) the strength of the mark, (2) the similarity of the two marks, (3) the proximity of the products, (4) actual confusion, (5) the likelihood of plaintiff's bridging the gap, (6) defendant's good faith in adopting its mark, (7) the quality of defendant's products, and (8) the sophistication of the consumers. Id. at 116. The similarity of the marks is a key factor in determining likelihood of confusion, and was particularly important in the battle of the handbags trademark infringement case.

The Second Circuit noted that the district court made a mistake in its likelihood of confusion analysis by “inappropriately focusing on the similarity of the marks in a side-by-side comparison instead of when viewed sequentially in the context of the marketplace”. Id. at 117. The Second Circuit recognized that a side-by-side comparison can be useful, as long at the court remains focused on the issue of consumer confusion, and that the law only requires confusing similarity and not identity. Id. at 117. So, while the Louis Vuitton bag and the Dooney & Burke bag look very different side-by-side, the court must consider whether the differences between the marks are “likely to be memorable enough to dispel confusion on serial viewing” in the context of the marketplace. Id. at 177, citing, Louis Vuitton Malletier v. Burlington Coat Factory Warehouse Corp., 426 F.3d 532, 538 (2d Cir.2005).

The Second Circuit recognized that the district court overemphasized the side-by-side comparison, and held that “because no single factor is dispositive, we must remand for the district court to revisit the entire analysis, under the new standard,” keeping in mind the context of the marketplace. Id. at 118.

So, in a trademark infringement case, the standard for determining whether the use of a similar mark is likely to cause consumer confusion is sequential viewing in the context of the marketplace, and not merely a side-by-side comparison.

There is currently a bill working its way through Congress to establish a pilot program among district courts, aimed at the better treatment of patent cases. One purpose or objective is to create “rocket dockets” in those districts with a high volume of intellectual property and patent cases. Another purpose of the program is to establish a sort of “IP certified” judicial roster, under the theory that there are a sufficient number of technologically-savvy judges out there to refer these cases to under circumstances where assignment is warranted.

Patent litigators in Texas have likely become accustomed to, and spoiled by, the sua sponte innovation assumed by the Eastern District, which is considered the second most efficient patent and intellectual property “rocket docket” in the nation. Third in the race to adopt specialized local “patent rules,” the Eastern District drafted its patent mandates in accordance with the first in judicial patent legislating, the Eastern District of Virginia. It interprets those rules however in keeping with the current developer of the intellectual property landscape, the Northern District of California, and in doing so, has remained nationally and locally relevant and respected.

Our Eastern District judiciary, not unaware of the national recognition and sudden press, has risen to the challenge by outfitting the sleepy Marshall town courtrooms with the latest in technology, so that those visiting to litigate their billion dollar patent matters are unable to note any offering provided elsewhere that cannot be found there. Moreover, the intellectual ability of our Eastern District judges to digest the tech-laden presentations that big city firms bring to bear upon those courtrooms is nothing less than impressive.

The question then must be, how many rocket dockets and intellectual-property certified judicial rosters is a state entitled to have? The rumor is that our Northern District has applied and is lobbying heavily for inclusion in the new Pilot Program. Should they win their campaign, Texas will soon be on every intellectual property litigation firm’s radar. An irony that should not go unappreciated. And a down-home advantage that cannot go unnoticed. For the few firms, such as this one, truly skilled in the intellectual property and patent litigation arena, that is good news. Large clients and large firms, however, should be wary. With issues of forum selection dominating the IP litigation field, a friend in the courtroom is imperative. It’s the reason that most lawyers serious in the intellectual property practice have moved to boutiques, so they can specialize, and so that the jury perceives them less as the big firm enemy with their big corporate client. With intellectual property litigation moving towards rocket dockets in down home towns like Marshall and down home states like Texas, that seemingly irrelevant consideration could now be more relevant than ever.

The primary benefit of a software patent is the broad protection provided by the patent laws. An owner of a software patent may prevent all others from making, using, or selling the patented invention. In connection with software, an issued software patent may prevent others from utilizing a certain algorithm without permission, or may prevent others from creating software programs that perform a function in a certain way.

In contrast, copyright law can only prevent the copying of a particular expression of an idea. In connection with computer software, copyright law can be used to prevent the total duplication of a software program, as well as the copying of a portion of software code, which would be literal infringement. Copyright law does provide some protection against non-literal infringement; however, courts have recently been reluctant to interpret copyright protection of computer software in a broad manner. In addition, the basic tenet of copyright law is that copyright will protect only the expression of an idea, and not the idea itself. Therefore, copyright law will not prevent the creation of a competing program that utilizes the same ideas as an existing program if the expression (the code) is different.

As a result, a software patent can provide much greater protection to software developers than copyright law. The benefits of obtaining patent protection can be extraordinary. As more developers understand the potential of software patents, more patents are being issued. According to the Software Patent Institute, thousands of software patents are being issued every year, covering such areas as business software, expert systems, compiling functions, operating system techniques, and editing functions.

There are limitations to obtaining a software patent. A patent can only be issued when an invention is new, useful, and nonobvious. In addition, obtaining a software patent can be an expensive process, costing ten thousand dollars or more. The choice of whether to pursue a software patent or copyright protection for software should be made by comparing the value of the program to the cost of the patent application process and the likelihood of obtaining significant patent protection.

Until December of 2006, the Federal Rules of Civil Procedure related to production of documents in a civil case made no mention at all of electronically stored information. The scope of Rule 34 has now been expanded to include electronic evidence:

Rule 34. Production of Documents, Electronically Stored Information, and Things and Entry Upon Land for Inspection and Other Purposes.

(a)Scope. Any party may serve on any other party a request (1) to produce and permit the party making the request, or someone acting on the requestor's behalf, to inspect, copy, test, or sample any designated documents or electronically stored information -- including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any medium from which information can be obtained -- translated, if necessary, by the respondent into reasonably usable form, or to inspect, copy, test, or sample any designated tangible things which constitute or contain matters within the scope of Rule 26(b) and which are in the possession, custody or control of the party upon whom the request is served*** (emphasis added)

In New York, if a company terminates an employee and prohibits that employee from accessing personal information on a company computer, the company may find itself being sued for conversion. A recent decision by the New York Court of Appeals raises the possibility that by prohibiting a former employee from recovering private or personal electronic data from a company computer, the company might be sued for the tort of conversion. In making its decision, the court essentially recognized that electronic data is just another form of personal property protected by the law. Thyroff v. Nationwide Mutual Insurance, 2007 WL 844860 (N.Y. 2007), involved a Nationwide insurance agent who was terminated. The agent kept personal data and customer information on a company computer system, and after his termination, Nationwide denied him access to that information.

The Court of Appeals expanded the tort of conversion to encompass electronic data, reasoning that what was truly valuable about a document is its contents, not the medium of storage. If Nationwide had kept the agent’s personal papers or effects without permission, there would have been no question that the agent could have sued for conversion. The court recognized that more and more information is being stored electronically. Indeed, the court’s own opinion was drafted and stored on a computer system and distributed to the justices by e-mail.

The court treated the electronic data stored on Nationwide’s computer system as if it were a physical item, seeing no “reason in law or logic why this process of virtual creation should be treated any differently from production by pen on paper or quill on parchment.” The court noted that it was not deciding whether all forms of virtual information would fall within the scope of a conversion claim, but it is difficult to imagine what types of stored data might not be subject to a claim for conversion. When terminating an employee in New York, it is critical to recognize that an employee’s privacy rights and property rights may be affected. To avoid the possibility of a claim for conversion when a company terminates an employee, it may be a wise precaution to allow that employee, under supervision, to retrieve personal information stored on a company computer system.

Not long ago a small software company offered a big cash reward to anyone who read the End User License Agreement (or EULA) for their software product. The catch: you have to read the EULA to even know about the offer.

PC Pitstop buried a clause in their EULA that offered the reward to anyone who sent a message to the enclosed email address. The point was to prove that people rarely, if ever, read their software licenses. They were right – four months and 3,000 downloads later, one sharp-eyed end user finally wrote in and claimed the $1,000 prize. See http://www.pcpitstop.com/spycheck/eula.asp

Software developers are well aware of the fact that the end users who buy their products rarely read their license agreements. Many people are surprised to discover that the EULAs for their software might contain provisions granting the software company the right to conduct an onsite software audit with no notice, waive important consumer rights or other draconian measures which they would never knowingly agree to.

But this trend is changing as more IT professionals discover the importance of understanding their EULAs. Before Windows VISTA was released, Microsoft made the EULA publicly available. Not long after the IT community was in an uproar over some of the proposed provisions, including one that only allowed the end user to transfer the installation to a new system once (upgrading your existing system could constitute such a transfer as well). After that, you’re done. Want to transfer that software twice, or make a couple of upgrades? Go buy another copy of Windows then. That was essentially what the new license stated.

So what happened when the IT community raised their concerns? Not long afterwards, Microsoft removed the EULA and replaced it with a new, more user friendly version. See http://www.securityfocus.com/columnists/420.

This is an important development; as IT professionals and attorneys continue to scrutinize these agreements, software developers will increasingly bring their licenses in line with consumer expectations. These examples prove that it can (literally) pay to read those license agreements.

Software is a business asset.

That statement may be so obvious to you that my writing it seems a waste of bandwidth. However, many businesses nevertheless have been “late to the dance” when it comes to effective management of that business asset. While they may rigorously record and catalog the details of their IT hardware and infrastructure, they often fail to pay anything close to the same level of attention to the programs powering those assets.

To a certain extent, that is perhaps unsurprising, since software is a very different kind of asset. Where businesses usually own their network hardware outright, most software use is dependent on the details of a license agreement with the software publisher. Where hardware is relatively easy to safeguard from external dangers, the threats to software are constantly evolving and require similarly constantly evolving strategies to thwart them. Where there is no appreciable risk that a business’ employees are going to bring stolen network switches to work for their personal use, it can be very difficult to keep employees from installing and using pirated or otherwise unlicensed software on company computers.

However, just because software asset management (“SAM”) is a challenge does not mean that business may be (or should want to be) excused from rising to it. Considering the high costs associated not only with software licensing but also with the effort that must be spent to “fix” software-related problems when they occur, businesses simply cannot afford to have ineffective (not to mention missing) SAM tools at their disposal.

With that fact in mind, the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission (“IEC”) released International Standard 19770-1 on May 1, 2006. Standard 19770-1 “establishes a baseline for an integrated set of processes for [SAM].” The standard divides the processes into three main categories – Organizational Processes, Core SAM Processes, and Primary Process Interfaces.

The ISO 19770-1 Organizational Management Processes for SAM are divided into two process subsets: (1) those regarding the SAM Control Environment, which include processes specific to corporate governance as well as organizational roles and responsibilities, policies and procedures, and assurance of competence with regard to SAM; and (2) those regarding SAM Planning and Implementation, which, predictably, include processes specific to planning, implementation, monitoring and continual improvement of SAM.

The key “message” of the Control Environment processes is that effective SAM is impossible without input and support from an organization’s corporate officers, who ultimately are the ones responsible for clearly defining the organizational roles, responsibilities, policies and procedures regarding planning and implementation of SAM. Officers are uniquely situated within an organization not only to oversee the big-picture implementation of effective SAM, but also to objectively assess the risks of incomplete or uninitiated SAM. Therefore, naturally, it must be the officers who select the individuals to execute SAM within the organization, and it must be the officers who approve the initiatives those executives undertake. ISO 19770-1 makes clear that, unless the officers become interested stakeholders, the SAM process will go nowhere.

Once the “captains” for an organization’s SAM efforts place themselves in charge of those efforts, they must make sure that the organization has a useful and standardized “playbook” to guide the SAM process and to prevent the need for micro-management. The SAM Planning and Implementation processes in ISO 19770-1 let the captains know what needs to go in that playbook. As with many ISO standards, one of the goals of ISO 19770-1 is to promote a set of processes that to a large extent implement themselves. While the ISO 19770-1 standard speaks in terms of “SAM owners” – those responsible for the management of one or a set of discrete SAM processes – the processes that an organization implements under ISO 19770-1 are standardized, cross-linked with other SAM processes, and tied by cross-reference to the ISO standard itself. Once implemented correctly, SAM under ISO 19770-1 should exhibit a cost-benefit ratio much lower than might be expected.

In my last entry, I gave an overview of the ISO 19770-1 Organizational Management Processes for SAM. Next in line are what the standard terms its “Core SAM Processes.”

The ISO 19770-1 Core SAM Processes are divided into three process subsets: (1) those pertaining to SAM Inventory Processes, which include processes specific to software asset verification, inventory management, and control; (2) those pertaining to SAM Verification and Compliance Processes, which include processes specific to software asset record verification and security compliance, software licensing compliance, and conformance verification; and (3) those pertaining to Operations Management and Interfaces for SAM, which include processes specific to the management of third-party relationships and contracts, finances, service levels, and IT security.

The Inventory and Verification and Compliance processes together constitute the “meat” of ISO 19770-1 – those most directly related to assessment of an organization’s ownership and proper use of software assets. Unsurprisingly, the SAM Inventory Processes are those that allow an organization to know what software assets it owns and how efficiently it is using those assets. This is an obvious early step to SAM implementation under ISO 19770-1 or any other relevant standard. Without an appreciation for and up-to-date records regarding the assets to be managed and any changes to those assets, the management process is going to be a valueless one for the organization. Closely aligned with core SAM inventory processes are those related to Verification and Compliance. These processes ensure that the assets inventoried under ISO 19770-1 are used within the bounds of applicable organizational policies and contractual obligations, and also according to the ISO 19770-1 standard itself.

The Operations Management Processes and Interfaces of ISO 19770-1 consist of management functions that help an organization to efficiently and effectively implement the core Inventory and Verification and Compliance processes. This subset ensures that everyone influencing the SAM process – vendors, suppliers, budget managers, and responsible staff – provide their respective inputs in a manner that is standardized, reportable, and secure. This allows those ultimately responsible for effective SAM implementation to maintain a clear view of the organization’s current SAM status and opportunities for improvement.

Since February 2005, approximately 100 million records containing personal information have been subject to a security breach. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a breach in security results in the possibility of identity theft. The state provisions are not uniform, and are often difficult to reconcile. Companies experiencing security breaches involving customers in many states may be confused regarding their breach notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators escalated the priority of proposed privacy and security regulations in an effort to make the security breach notification laws more uniform. One proposed bill, the Personal Data Privacy and Security Act of 2007, proposed by Senators Leahy and Specter, requires entities that maintain personal data to give notice to both individuals and law enforcement officials when they experience a breach involving sensitive personal information.

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws. Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

The adversary demanding the production of electronic information is now authorized to specify the manner in which the information is produced. Fed R. Civ P 34(b). The manner of production demanded by the adversary may not correspond with the format in which the data is maintained. The manner in which the demand is framed may impose a substantial burden on the responding party. When served with such a demand, it is critical first step to ensure that timely and specific objection is made to the manner of production. It is important to remember however that the making of those objections merely preserves them for resolution by the Court. While some Judges are technically adept, we advise clients involved in responding to electronic discovery to develop and document a protocol as to document retention and manner of storage as a proactive measure. Sharing the protocol may result in an agreement by adversary counsel to formulate demands in a manner in which the information is maintained or in the absence of an agreement, to show the Court that the manner of production demanded is out of synch with the manner, presents an unreasonable burden and should not be allowed.

The word spoil or spoiled is commonly used in non-litigation contexts. Food spoils if it needs to be refrigerated and is not. Paint spoils if the can if left open. In the litigation context, a spoliator is a party that failed to preserve evidence that was demanded in litigation or fails to preserve relevant evidence for litigation that is reasonably contemplated. What is not commonly understood is that in some State and Federal Courts, a party who spoils evidence may be severely sanctioned even if the loss of the evidence resulted from carelessness.

Where relevant evidence is spoiled, the jury may be invited to infer that the evidence lost was unfavorable to the party who failed to preserve it, with the prospect of devastating results on the outcome. An article written by the author and recently published in the New York Law Journal entitled “Destroyed E-Data Won’t Make Spoliation Sanctions Disappear” discusses these issues in more detail.

On the highest level, open source is the principle to allow free access to the intellectual property of the design of products to promote creativity. The term is now most often associated with software. Open source software is source code that is made available to the general public with relaxed or no intellectual property restraints that would keep another person from customizing the source code for their particular use or from building on the original source code to make use of the software for their particular use.

In early 1998, the industry leaders of the open source movement met at an event that would later become known as the “Open Source Summit.” This meeting led to the organization of the Open Source Initiative, a non-profit corporation formed to advocate the benefits of open source software. According to the Open Source Initiative, whether software can be considered open source really depends on the distribution terms of the open source software.

To meet the standards of the Open Source Initiative, the distribution terms of open source software must meet the following criteria:

1. The open source software license cannot restrict any party from selling or giving away the software as a component of another software program containing programs from several different sources and the license cannot require any fee for sale.

2. The open source software must include source code and must allow distribution of the source code.

3. The open source software license must allow modifications and derivative works, and, importantly, must allow the modifications and derivative works to be distributed under the same terms as the license of the original software.

4. The open source software license may restrict source code from being distributed in modified form only if the license allows distribution of patch files with the source code for the purpose of modifying the program at build time. The license must permit distribution of software built from modified source code.

5. The open source software license cannot limit use to any person or group of people.

6. The open source software license cannot limit use in any field, such as for commercial purposes.

7. The rights attached to the open source software must apply to all whom the program is redistributed without the need for execution of an additional license.

8. The open source software license cannot be specific to a product.

9. The open source software license cannot place restrictions on other software that is distributed with the open source software.

10. The open source software license cannot demand that a specific technology be used with the software.

In order to win under Anti-Cybersquatting statute, a plaintiff must prove the defendant (a) had a “bad faith intent to profit from the mark,” and (b) registered or uses a domain name that is “identical or confusingly similar” to the mark in question. 15 U.S.C. § 1125(d)(1)(A)(i)-(ii). Much of this turns on whether the defendant operates in the same goods as the plaintiff.

For example, in Bally Total Fitness Holding Corp. v. Faber, 29 F. Supp. 2d 1161 (C.D. Cal. 1998), the defendant operated a website under the name “ballysucks.com,” a website dedicated to complaints about the plaintiff’s Bally’s health-club business. The court found that even though the plaintiff and the defendant both hosted websites on the internet using the term “BALLY” in the domain name, the parties did not operate in “related goods.” Id. at 1163. The court concluded “[n]o reasonable consumer comparing Bally’s official web site with [the defendant]’s site would assume [the defendant]’s site to come from the same source, or thought to be affiliated with, connected with, or sponsored by the trademark owner.” Id. at 1163-65.

When faced with a claim under the Anti-Cybersquatting statute it is very important to evaluate an argument that the defendant does not operate related goods.

To show that a mark is used in commerce, a plaintiff must prove that the mark “is used or displayed in the sale or advertising of services and the service are rendered in commerce.” 15 U.S.C. § 1127(2). The issue in internet marketing cases is whether using a mark to generate search-result links and sponsored links is considered use “in commerce.” If you are faced with a trademark infringement claim related to internet marketing it is important to evaluate this defense.

In Merck & Co. v. Mediplan Health Consulting, Inc., 425 F. Supp. 2d 402, 415 (S.D.N.Y. 2006), the defendant used the plaintiff’s mark, “ZOCOR” as a search-engine keyword to generate sponsored links. The court found that as a matter of law, this type of use was not use in commerce, but rather “an internal use of the mark.” Based on the plaintiff’s failure to show use of the mark in commerce, the court dismissed the plaintiff’s trademark claim and declared that use of “a key word to trigger the display of sponsored links is not use of the mark in a trademark sense.” Id.

A successful defense based upon no use in commerce can result in an early disposition of a case because unlike many trademark infringement defenses this is a legal issue decided by the court on a pre-trial motion to dismiss or for summary judgment.

It is sometimes difficult to predict what laws will apply to a particular compliance issue. For instance, in Section 814 of the Patriot Act, the U.S. Congress extended the jurisdiction of its federal law enforcement officers to include crimes that do not occur in the U.S. or have any victims in the U.S. It could be argued that “[e]very nation has the right to extend the scope of its law beyond its borders to protect the rights and property of its own nationals.” See Security Focus: Ashcroft’s Global Internet Power-Grab by Mark Rasch located at www.securityfocus.com/columnists/39. However, when neither the criminal nor the victims reside in the U.S., it is difficult to determine what protections are being afforded to citizens. There is no question that lawmakers and politicians are focusing on trends in technology. Robert Holleyman, CEO and President of the Business Software Alliance applauded recent trends. “The Congress and the President will face important policy decisions this year, and we remain hopeful that any new policies will enhance the future of American innovation,” Holleyman said. “We look forward to working with the Congress and the Bush Administration to enact legislation and promote policies that will ensure a robust, competitive environment for our economy generally, and for information technology specifically.”

The United States’ efforts to expand its jurisdiction over defendants who do not reside in the United States is not unique. For example, other countries have exercised jurisdiction over foreign defendants in hacking cases. In one highly publicized case, a British company and a Russian company were embroiled in a legal battle with a state-owned company in Tajikstan. When the British company’s computers were hacked, the British company made a claim against the Russian company under Sections 1 and 2 of the British Computer Misuse Act of 1990. See Out-Law News: Russian Hacking Case Can be Heard in England, Says Judge located at www.out-law.com/page-7434. The court based its conclusion on the fact that the server was located in the U.K. and therefore, the most significant element of the offense occurred in the U.K.

When faced with a foreign lawsuit, some companies elect to ignore the proceedings and allow the plaintiff to receive an award by default. This approach can have dire consequences. For example, Spamhaus, a British company that maintains a spam blacklist was sued in the United States by e360 Insight. Spamhaus concluded that the Illinois court did not have jurisdiction over it and declined to appear or defend itself in the action. See Out-Law News: Spamhaus decides to fight first US court Action located at http://www.out-law.com/page-7404. The Illinois court entered a default judgment in favor of e360 Insight for $11.7 million. The court also instructed ICANN to suspend the spamhaus.org domain. ICANN claimed it did not have the power to suspend the domain, but indicated that Spamhaus’ hosting company would do so. With precedents like Spamhaus, defendants may be reluctant to ignore foreign lawsuits. The best strategy is to consult with legal counsel in both jurisdictions and formulate an approach that minimizes your risks without jeopardizing your legal position.

In an April 24, 2007 opinion written by Chief Judge Walker of the United States Court of Appeals for the Second Circuit in Arbor Hills Concerned Citizens Neighborhood Assoc. v. Cty of Albany, et al., the Court agreed that the District Court placed undue reliance on the “forum rule” for determining attorneys’ fee awards on Federal statutory claims. Under the forum rule, an attorney whose client prevailed on a statutory claim would have his or her rates set not based upon what the market would be willing to pay for such services or upon their market rate to paying clients but rather based upon the Court’s reference to fee ranges approved in prior cases in that District The result of using the forum rule was a different range of hourly rates for the same type of litigation in the Second Circuit, depending on where the case was venued, with cases in the Southern District of New York (New York City) having the highest rates, those in the Eastern District (Long Island, Brooklyn, Queens, Staten Island) having lesser rates and the upstate Districts (Northern and Western Districts) having the lowest rates. It was not uncommon for the rate differentials for the same work to command rates 25+% higher in the Southern District.

In Arbor Hills, the Second Circuit admitted that its “fee-setting jurisprudence has become needlessly confused-untethered from the free market it is meant to approximate.” It therefore clarified that the District Court is to consider all of the factors that would be relevant in the free market, such as the reputation of the attorney or firm, the complexity of the case, the resources required to handle the matter aggressively and effectively and any professional benefits which would independently motivate counsel to pursue the litigation. The Court concluded that the fee award should compensate counsel in an amount equal to what a reasonable paying client would pay for that same representation.

The New York Court of Appeals’ decision in Thyroff recognizing a conversion claim based on a company preventing a former employee from accessing personal information stored on the company’s computer certainly presents some difficult privacy issues for businesses, who already face enough potential legal troubles when terminating employees. You suggested that to avoid infringing on an employee’s privacy rights in electronic data on a business computer, a business could give a terminated employee access to the computer to retrieve their personal information. That may present practical difficulties because that access would have to be supervised or somehow limited to prevent the former employee from gaining access to confidential business information or even, in the worst case, sabotaging the company’s computer. Do you have any other ideas on how a business might protect its former employee’s privacy rights and avoid potential tort liability?

The issue of employee privacy rights in data stored on an employer’s computer is a difficult one. If an employee displayed framed family photos on her desk, an employer would not refuse to turn those photos over to the employee upon termination. These days, the employee is just as likely to keep such photos as jpegs or gifs on her PC at work, along with many other types of personal information, from correspondence to recipes. Allowing a terminated employee access to that computer after termination does present practical difficulties, and a business that chooses this method of avoiding liability for breach of employee privacy rights should implement safeguards to prevent the former employee from compromising company security or having access to trade secrets and other valuable business information.

A company could adopt a policy prohibiting employees from storing personal information on a company computer, though this may be impractical to enforce. A number of courts have held that an employee has no privacy expectation in workplace computer files where company guidelines and policy explicitly inform the employee that no expectation of privacy exists. See, e.g., Muick v. Genayre, 280 F.3d 741, 743 (7th Cir.2002); United States v. Simons, 206 F.3d 392, 398 (4th Cir.2000); Thygeson v. Bancorp, 2004 WL 2066746 (D. Or. 2004); Kelleher v. City of Reading, 2002 WL 1067442 (E.D. Pa. 2002). A company could adopt such a policy, which could be used as evidence that when the employee stored in the information, the employee was aware that she had no privacy interest in that electronic data and that the information no longer belonged to her.

It might also be helpful to require employees to acknowledge in writing that any information stored on a company computer belongs to the company and that they have no privacy interests in such information. The Thyroff decision did not indicate whether or not Northwest Mutual had such a policy in place. It is also not clear whether a court might conclude that whether or not there was a privacy expectation, the employee still had a property right in the information that could be enforced in an action for conversion. Nevertheless, a company’s litigation position would in all likelihood be strengthened by implementing and enforcing a policy regarding storage of personal data on company computers.

My last two entries discussed, respectively, the ISO 19770-1 Organizational Management Processes and Core Processes for SAM. Last in the series is the “Primary Process Interfaces for SAM” subset, which consists of processes specifically related to management and review of the software lifecycle itself. As such, it is designed to align SAM requirements with lifecycle processes specified in ISO 12207 (defining tasks required for developing and maintaining software) and ISO 20000 (defining tasks required for effective service management).

The lifecycle processes specified in ISO 19770-1 are designed to allow an organization first to identify and manage software changes at a fairly high level and then to specify the details of each “waypoint” in the software lifecycle identified in the standard. Those waypoints progress fairly logically from acquisition and development, to release and deployment, to incident and problem management, and finally to retirement.

As with all of the other processes specified by ISO 19770-1, it is important to keep in mind that the word “specified,” when it comes to this standard, is somewhat of a term of art. ISO 19770-1 lists out the process that an organization should implement and the goals that the organization should have in mind in doing so. However, it leaves the specifics of implementing those processes up to the organization seeking to achieve compliance. There are no ISO 19770-1-approved checklists or schedules included with the standard itself, leaving each organization more or less free to tailor the processes to its own unique set of demands and resources.

You can obtain a copy of the standard here. As I write this, the price is CHF 108.00, which translates into about $90 USD.

Many companies allow their employees to blog during work, or off work, about work, and work related issues. Companies should be aware that their employees may be tempted to blog about subjects that include trade secrets. For instance, on their own time, employees may blog about what they do at work, what they are inventing at work, who their company’s customers are, how the company attracts customers, and other proprietary and confidential information. All of these subjects are potentially exposing the company’s trade secrets. A company must take reasonable measures to protect disclosure of its trade secrets, and keep the trade secrets out of the public domain. If a company fails to take reasonable measures to protect its trade secrets from exposure in the public domain, they will no longer be considered trade secrets.

What can a company do to protect its trade secrets from blogging employees?

The simple answer is to create a blogging policy. A policy should outline the parameters that employees must follow while blogging about the company, and should coincide with the company’s policy manual related to confidential and proprietary information. The following items are suggestions to include in a company blogging policy.

The policy should contain provisions that the employee shall not blog about proprietary and confidential information. The company should provide a definition of proprietary and confidential information.

The policy should contain a provision requiring that the employee shall not post any obscene, defamatory, libelous, abusive or hateful remarks about any the company, company employees, company’s competitors, or company’s customers or partners.

The policy should contain a provision requiring the employee to gain permission from the company before using the company’s symbols, trademarks, or graphics.

For employees who have personal blogs unrelated to the company, the company may want to incorporate a provision that requires the blogger to place a disclaimer on its blog, that all content is that of the author and does not reflect the views of the company.

The policy should not stifle creativity or treat the employee as though they cannot write about work-related topics, but must inform the employee about the legal boundaries of their actions related to blogging about trade secrets, and that the company must take reasonable steps to protect its trade secrets so that they do not lose their status as trade secrets.