Business and Technology Law

“The Matrix isn't real.” – Trinity. “I disagree, Trinity. I think that the Matrix can be more real than this world. All I do is pull a plug here, and then...” – Cypher.

Historians, take note. In 2007, the virtual world and real world collided. As Federal District Judge Eduardo C. Robreno stated in the opening paragraph of his opinion, “While the property and the world where it is found is ‘virtual,’ the dispute is real.”

In this case, Marc Bragg (“Bragg”) sued Linden Research, Inc. (“Linden”) for unlawfully seizing his virtual real property and revoking his account. Linden operates a massive multiplayer online role-playing game (“MMORPG”) called Second Life. Second Life is an Internet-based virtual world, where its users, called "Residents", interact with each other through motional avatars. Second Life Residents interact, socialize and even conduct business. An integral part of Second Life's real world business model is the exchange of virtual currency known as the Linden Dollar. Residents purchase Linden Dollars with real U.S. Dollars. As noted in Judge Robreno’s opinion, “Second Life avatars may now buy, own and sell virtual goods ranging ‘from cars to homes to slot machines.’”

However, what makes Second Life unique in the MMORPG world is Linden’s recognition for its users’ property rights. In a press release dated November 14, 2003, Philip Rosedale, the Linden’s CEO touted, “The preservation of users’ property rights is a necessary step toward the emergence of genuinely real online worlds.” Plaintiff Bragg purchased virtual real property, the subject of which formed the basis of the lawsuit. In 2005, Plaintiff Bragg paid Linden to join Second Life and become a Resident. One year later, Bragg purchased several plots of virtual real property in Second Life and began to re-sell such parcels to other Residents for a profit. However, in April 2006, Linden sent Bragg a notice stating that he purchased virtual real property through an exploit and subsequently cancelled his account and confiscated all of Bragg’s virtual property. Bragg brought suit claiming misrepresentation and expropriation of property. Linden moved to dismiss for lack of jurisdiction and moved to compel arbitration.

Judge Robreno held that Linden, a California based company, was subject to jurisdiction in Pennsylvania because the interactive nature of its Internet “game” gave the Court specific jurisdiction by means of its minimum contacts. Second, the Court held that the arbitration clause contained in Second Life’s terms of service constituted an unconscionable contract of adhesion under California law and was therefore unenforceable. Specifically, Judge Robreno objected to the lack of mutuality in the contract, that arbitration must take place in California and that the arbitration must take place before a panel of three arbitrators, which is extraordinarily more expensive than pursuing this matter before the Court.

Although the legal issues addressed by the Pennsylvania Federal District Court may be found in standard contract law, the context in which this dispute arose is not ordinary. This virtual real property is a newly created commodity that may create a whole new set of rules and laws. Linden’s creation of Second Life property rights where real money is exchanged and monetary value is no longer considered “virtual” created real damages and real causes of action. The real question to be asked in this virtual world is not whether Linden will be sued again, but when and for what?

The Fair Information Practice Principles (the “Principles”) were first enumerated by the U.S. Department of Health, Education, and Welfare in 1973. In the 30 years since the principles were formulated, they have become the basis for many privacy laws in the United States, Canada, Europe, and other parts of the world. The Principles are designed to provide a framework for the collection and use of personal information.
The original Principles consisted of the following eight guidelines:

• Openness – Data policies should be open and clear and the entity or person controlling the data should be easily identifiable.


• Collection Limitation - Collection of personal data should be limited and obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.


• Purpose Specification - The purpose for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.


• Use Limitation - Personal data should not be disclosed, made available or otherwise used for purposes other than those specified as described above, except with the consent of the data subject or by the authority of law.


• Data Quality - Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, relevant and kept up-to-date.


• Individual Participation - An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request is denied and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.


• Security Safeguards - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.


• Accountability - A data controller should be accountable for complying with privacy measures.

The FTC currently articulates five core Principles: notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. Many of the current federal regulations related to privacy contain these five Principles.

Businesses accused of software “piracy” by publishers or trade associations usually are most concerned about their potential exposure in copyright fines, should their dispute proceed to litigation. A recent Sixth Circuit case suggests that statutory damages awards in such cases legally can reach levels that may represent windfalls for prevailing plaintiffs, far outstripping the amount of their actual damages.

In Zomba Enterprises, Inc. v. Panorama Records, Inc., 2007 WL 1814319 (June 26, 2007), the Circuit Court reviewed a trial court’s decision to award a total of $804,000 in statutory damages for what it found to be the defendant’s willful infringement of twenty six copyrights. (In copyright cases, plaintiffs may elect to ask the court either for their actual damages, for which they must present evidence to support the amount claimed, or statutory damages, which is an amount set in the trial court’s discretion between $750 and $30,000 for non-willful infringement and up to $150,000 for willful infringement, per copyright infringed). The defendant in the case was a manufacturer of karaoke discs who had published some karaoke tracks without the consent of the original songs’ copyright holder. On appeal, the defendant argued that the amount was unconstitutionally high, in violation of its substantive due process rights, because the plaintiff’s estimated actual damages totaled only approximately $18,457.92 in lost licensing fees, or about 2.27% of the statutory damages award. The Circuit Court rejected this argument, in part relying on the 1919 Supreme Court case of St. Louis, I.M. & S. Ry. Co. v. Williams, 251 U.S. 63. The Williams case involved a claim by two sisters who were awarded $75 apiece against a railroad under a state statute providing statutory damages for ticketing overcharges. The Supreme Court there held that even though the amount awarded to the sisters was about 113 times the amounts they were overcharged, this did not constitute a violation of the railroad’s due process rights. Disregarding the substantial dissimilarity between the fiscal significance of $75 to a railroad in 1919, on the one hand, and nearly $1 million (including attorney’s fees and costs), to a medium-sized business today, the Sixth Circuit held that the case represented persuasive precedent that the statutory damages award in Zomba should stand.

The facts of Zomba differ considerably from those of many cases involving allegations of software “piracy.” The Zomba defendant was familiar with the entertainment industry and, though it claimed to have been unaware of the need to obtain permission to re-record songs for karaoke discs (even going so far as to claim, amusingly, that such use had an “educational” purpose, thus constituting fair use), it also apparently continued to infringe the copyrights at issue after having received both a cease-and-desist letter from the plaintiff as well as an injunction from the trial court. However, there is always a risk that what seems like a less egregious case of infringement will be read by a trial court much more harshly than initially expected, resulting in substantial costs to a losing defendant. The Zomba case suggests that it makes good sense for a business accused of “piracy” to at least be mindful of the worst-case scenario, and let an experienced attorney work to close the gap between disaster and a more reasonable resolution.

Supreme Court Overturns Antitrust Precedent from 1911

On the last day of the Supreme Court’s 2006 term, the Court published its 5-4 decision in Leegin Creative Leather Products, Inc. v. PSKS, Inc.. Leegin raises an important issue related to retail sales agreements and violation of the Sherman Act.

Leegin manufactures products under the brand name Brighton – whose products include handbags, belts, jewelry and other accessories. PSKS owns a boutique that sold the Brighton products at its store. Leegin required its retailers to agree in writing to a minimum resale price for all of their products. (A minimum resale price maintenance (“Minimum RPM”) agreement is an agreement enforced by the manufacturer requiring the retailer to set the resale price at an agreed upon minimum. For example, Brighton would require PSKS to sell a handbag at a minimum price of $250.) PSKS initially agreed, but later sold products at a reduced price in order to compete against other nearby retailers.

Leegin sued in the United States District Court for the Eastern District of Texas and the jury found in favor or PSKS because the court determined that the Minimum RPM agreement was per se illegal under the long-standing precedent of Dr. Miles, decided in 1911. The Fifth Circuit Court of Appeals affirmed. The Supreme Court reversed in a 5-4 decision overruling Dr. Miles, and determining that vertical Minimum RPM’s are to be evaluated under the rule of reason – giving judges greater discretion in determining whether the Sherman Act was violated. The rule of reason requires a court to assess restraints on trade by looking at the impact on competition.

Most commentators and the dissent in Leegin believe that this decision will drive up retail prices and consumers will be paying even higher prices for specialty items because now, manufacturers can enforce vertical Minimum RPM agreements under the threat that the retailer will lose the opportunity to sell their goods if they do not comply with the agreement.

On May 29, 2007, the U.S. District Court for the Central District of California, Magistrate Judge Chooljian, found that a computer’s RAM (random access memory), is a tangible document that can be stored and must be turned over in a lawsuit. Because this order prohibits the Web Site from tossing RAM relevant data, it has potential to effect the way future litigants prepare for E-Discovery. It should be noted, however, that this order is currently stayed pending appeal.

Last year, the Motion Picture Association of America (“MPAA”) filed suit against TorrentSpy for copyright infringement. The MPAA believes TorrentSpy acts as a search engine to aid users in finding copyrighted video files thereby contributing, promoting and profiting from piracy.

Because of the nature of these businesses, the court found that TorrentSpy’s RAM contains data relevant to the litigation, and should thus be turned over. In addition, the Judge also ordered TorrentSpy to begin logging and storing user information, but allowed encryption of the Internet Protocol addresses belonging to the visitors of their website. TorrentSpy must now create documents not in the ordinary course of their business by logging user activity. Because this issue was of great concern, the court also questioned whether requiring the defendants to preserve and produce this server log data was equivalent to the creation of new data, and found that it was not, because the information at issue was already in existence – and it is in the defendant’s control and possession. As such, the court held that the order requiring defendants to preserve and produce the info was not tantamount to requiring the creation of new data. Torrent Spy must turn over all of this data to the MPAA.

This order raises several technical E-Discovery concerns. The Court granted this order in belief that the RAM is a tangible document that can be stored. While it is true that RAM can be stored, it is not permanent storage. RAM is continually being updated, changed, deleted, or overwritten in your business’ computers. For example, TorrentSpy’s RAM servers were, in the normal course of business, being overwritten approximately every six hours. Preserving and backing up this ever-changing data surely has the potential to economically cripple businesses, both small and large. In addition, because the nature of RAM is to continually change, spoliation of evidence may be a serious concern. It should be noted however, that this order does not require TorrentSpy to go back and recreate RAM’s past server logs, but rather, to begin storing the RAM server log data from this point forward.

Businesses operating in California may find themselves being sued for practices without any prior notice. In particular, if a company in California has gender-based pricing policies, it may now be sued for civil rights violations even if the plaintiff has not previously demanded equal treatment and been refused. As the California Supreme Court itself acknowledged, this ruling may encourage “shake down” artists who seek out discriminatory pricing practices and try to extort settlements from businesses. The court, however, was willing to accept this possibility absent any change in the law being made by the legislature. In the meantime, a company doing business in California should be aware that it may be subject to suit for discrimination without prior notice.

This particular case arose out of a supper club’s practice of giving admission discounts to women. Angelucci and other plaintiffs filed a complaint against Century Supper Club for violations of the Unruh Civil Rights Act and the Gender Tax Repeal Act of 1995. The plaintiffs alleged that they patronized the supper club on several occasions and were charged an admission fee higher than that charged to women. On some visits, men were charged $20 while women were admitted free. Plaintiffs sought statutory damages under Civil Code section 52(a) for discrimination. The supper club moved for judgment on the pleadings, contending that the plaintiffs could not recover under section 52(a) because they had not alleged that they asked the supper club to be charged the same rate as female patrons. The superior court agreed and entered judgment in favor of the supper club. The court of appeal affirmed, concluding that before a claim could be made for discrimination, the plaintiffs must have made an affirmative assertion of the right to equal treatment. In support of its ruling, the court of appeal stated that this requirement ensured that the statutes would only be used to redress genuine grievances and punish genuine misconduct.

In Angelucci v. Century Supper Club, 2007 WL 1557339 (Cal. 2007), the Supreme Court reversed, holding that to assert a discrimination claim for unequal treatment against a business establishment, it is not necessary to demand equal treatment and be refused. The Unruh Act, as amended by the Gender Tax Repeal Act, prohibits businesses from charging different prices on the basis of gender, and the court noted that these provisions are intended to protect each person’s inherent right to free and equal access to all business establishments. Section 52(a) authorizes individual actions against anyone that discriminates in violation of the Act. The language of section 52(a) does not include a specific requirement that a victim of discrimination must demand equal treatment and be refused before filing suit, nor does it establish any requirement that notice and an opportunity to cure be given before a claim may be made.

The court rejected the court of appeal’s reasoning that the plaintiffs were not denied equal treatment because the supper club never refused an express demand for equal treatment. According to the court, if such a rule were in place, businesses could continue to engage in discriminatory practices, and by making exceptions for patrons who happened to challenge the practices, the businesses could avoid being sued under the Act. That rule would also prohibit suits by persons who discovered that they had been treated unequally only after the fact. The court also made it clear that injury occurs when plaintiffs present themselves for admission and are charged the nondiscounted price. Because arbitrary discrimination is per se injurious, the plaintiffs in this case had standing to bring claims because they were victims of the discriminatory practice, even though they did not challenge the practice at the time. The court did note allegations in the record that the plaintiffs and their attorneys were “professional plaintiffs” who made their living by asserting technical violations of civil rights laws against businesses and extorting settlements. While recognizing the potential for abusive litigation, the court concluded that it was up to the Legislature to determine whether the statutory requisites for filing a claim should be altered. In the meantime, businesses should be aware that if they have discriminatory pricing policies in place, those policies may result in a lawsuit even if no one has previously challenged the policies.

A recent decision by the United States District Court, Southern District of New York, in Matter of September 11th Liability Insurance Cases, 2007 WL 9731666 (SDNY 2007) [Click here to view case], demonstrates that to avoid sanctions under the Federal Discovery rules, it is not sufficient to show that the litigant was instructed by counsel that documents generally were to be preserved when specific documents damaging to that parties’ case were withheld. The decision also illustrates that the obligations to produce documents created in a computer system encompass the obligation to produce any copies maintained in paper form if the electronic version is no longer accessible.

Zurich and its outside counsel represented to the Federal Court during the proceedings that there would be plenty of evidence on the issue of whether the Port Authority of New York was ever an additional insured under the binder issued by Zurich, resulting in the denial of the Port Authority’s motion to dismiss the declaratory judgment complaint. While the evidence before the District Judge showed that outside counsel met with Zurich shortly before the litigation commenced to remind it of its obligations with respect to preservation of evidence, the Court found that Zurich and its law firms had possession of a printed copy of a critical insurance policy document and failed to produce it to Plaintiff’s counsel over a long period of time. After providing Zurich and its counsel with the opportunity to explain why this document had not been produced, the Court rejected the claim of inadvertence and found that Zurich and its counsel were at fault.

The District Court imposed sanctions under the Federal E-discovery Rules in the amount of $500,000 under FRCP 37 jointly and severally against Zurich and its counsel for misconduct under FRCP 37 for Zurich’s failure to timely produce the insurance policy maintained on Zurich’s computer system and an additional $750,000 in sanctions against them for frivolous litigation conduct under FRCP 11.

The Court observed that bad faith is not required to be shown in order to warrant the imposition upon the adverse party of e-discovery sanctions.

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects, whether the company discloses the information to third-parties, and if so, under what circumstances, a list of the safeguards employed to protect the information, and a discussion of any opt-out provisions required.

Your company can face potential liability your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

• Investigations by appropriate regulatory authorities.


• Orders prohibiting further misrepresentations;


• Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.


• Claims based on negligence for failing to follow enumerated policies.


• Civil fines.


• Officer and director liability.

“Today, management has no stake in the company! All together, these men sitting up here own less than three percent of the company. And where does Mr. Cromwell put his million-dollar salary? Not in Teldar stock; he owns less than one percent. You own the company. That's right, you, the stockholder. And you are all being royally screwed over by these, these bureaucrats, with their luncheons, their hunting and fishing trips, their corporate jets and golden parachutes.” – Gordon Gekko

Why does a company’s Board of Directors need to worry about data privacy? The cliché goes, “A company’s most important asset is information.” The Information Age describes a time when information was considered a limited commodity and provided a distinctive competitive advantage. Today, information is everywhere. The Information Age quietly evolved into the Knowledge Economy. The Knowledge Economy focuses on the production, management and use of information. It’s this use of information, specifically the use of an individual’s non-public personally identifiable information, which brings this new wave of legislation.

Data management and data privacy are no longer confined to the windowless basement of a company’s headquarters. Identity Theft is the crime du décinne. Every four seconds in America, another person falls victim to identity theft. This week, Fidelity National Information Services announced that an employee, one employee, sold 2.3 million consumer records containing credit card, bank account and other personal information to a data broker. The data broker, in turn, sold this information to several direct marketing firms. What was once Fidelity’s most important asset is now its most significant liability. Fidelity will not only have to answer to its consumers, but also its shareholders and the Federal Government.

According to its Web Site:

Fidelity National Information Services, Inc. (NYSE:FIS) is a leading provider of core financial institution processing, card issuer and transaction processing services, mortgage loan processing and related information products and outsourcing services to financial institutions, retailers, mortgage lenders and real estate professionals. FIS has processing and technology relationships with 31 of the top 50 global banks, including nine of the top ten. Nearly 50 percent of all U.S. residential mortgages are processed using FIS software. Headquartered in Jacksonville, Florida, FIS maintains a strong global presence, serving over 7,800 financial institutions. FIS is part of the S&P 500. FIS has also been named the #1 banking technology provider and the #2 overall technology provider in the world by American Banker and Financial Insights (FinTech 100).

It’s doubtful American Banker and Financial Insights will rank Fidelity #1 and #2 this year. Similarly, Fidelity may lose several of its 31 of 50 global banks as clients. The European Union enforces strict privacy laws and often criticizes America’s lax privacy and data breach laws. The misconduct of just one employee will likely cost Fidelity millions. Fidelity will spend real dollars investigating, managing and litigating this data breach.

A company’s Board of Directors owes a fiduciary duty, a duty of care and loyalty. This week’s data breach will require the attention of Fidelity’s Board of Directors. The Federal Government and the shareholders will likely demand a response from Fidelity’s Board of Directors. Fidelity’s Board of Directors will be asked whether a company that boasts “a strong global presence, serving over 7,800 financial institutions” implemented best practices to protect its consumers’ non-public personally identifiable information. Is your company implementing best practices? The business technology attorneys at Scott & Scott LLP are recognized thought leaders in regulatory compliance, enterprise network risk, data breach and security, and imminent litigation. For more information contact Adam W. Vanek, Scott & Scott LLP, avanek@scottandscottllp.com.

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available here) is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from data breach has been relatively low. As an example, the report states:

“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”

However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.

The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.

None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.

A recent federal district court decision has clarified when state law claims are preempted by the federal Copyright Act and highlights the importance of registering for a copyright. Because different remedies and damages are available under federal and state law, the interaction of the two regimes affects a company’s potential exposure for infringement. In particular, businesses may be able to assert preemption of state law claims by arguing that the federal Copyright Act provides the exclusive remedy for any purported misappropriation of a work. Companies seeking to protect a work should also be aware that they may not be able to rely on the protections of state law where the work falls within the scope of the Copyright Act. To be entitled to any protection under the Copyright Act, it will be necessary to register the work.

The Frontier Group, Inc. v. Northwest Drafting & Design, Inc., 2007 WL 1880299 (D. Conn. 2007), arose out of a dispute over architectural plans. Frontier Group brought an action in state court under Connecticut law against Northwest Design Group, Mark Robinson, and Martial Grondin. While the claims against Northwest Design and Robinson were settled, Frontier alleged that Grondin violated the ownership rights Frontier had in a set of architectural plans, drawings, and specifications by converting Frontier’s rights to his own benefit to the exclusion of Frontier. Frontier created the plans for a home, but the homeowner sold the property to Grondin, who took the plans to another company to finish construction without consent or authorization from Frontier.

Frontier alleged that Grondin converted its ownership and possession rights in the plans, and thereby violated Connecticut’s Unfair Trade Practices Act. Grondin prevailed by arguing that Frontier’s claim was, in reality, a copyright infringement case and that Grondin’s state law claims were preempted. Grondin was able to remove the case to federal court and successfully move for summary judgment.

In assessing whether Frontier’s claims were preempted, the court used a two-prong test to determine whether the Copyright Act governs Frontier’s claim. The first prong is called the subject matter requirement and the second prong is called the general scope requirement. First, the court must determine whether the allegedly infringed work falls within the type of work protected by the Copyright Act, and second the court must determine whether the state law claim protects the same rights as the Copyright Act. The court found that the plans satisfied the first prong because they are works of authorship, fixed in a tangible medium of expression that fall within the categories protected by the Copyright Act. The court also found that the second prong was satisfied because Frontier’s claims did not contain any “extra elements” that made the claims different from a copyright infringement claim, a factor that would have helped to avoid preemption.

While the court found that the Copyright Act did apply, the court then granted summary judgment in favor of Grondin because Frontier did not have a registered copyright on the architectural plans, which is required before a copyright infringement suit may be instituted.

On June 29, 2007, the California Court of Appeal reversed a 15 million dollar jury award against Nestlé arising from the unauthorized use of a model’s image on a coffee label and in advertising. While Nestlé managed to get the large damages award reversed on what was essentially a limitations argument by invoking the “single publication rule,” the case nevertheless serves as a reminder to businesses that the use of a person’s image without authorization may result in significant exposure.

Sometime in 1986, Nestlé Canada arranged a photo shoot where Russell Christoff, a professional model, gazed into a cup of coffee and appeared to enjoy the aroma. Christoff was paid for his photo appearance and given a contract regarding the use of his image. This contract provided that if Nestlé Canada used the picture on a coffee brick label it was designing, he would be paid $2,000 plus an agency commission. The contract also stated that further negotiations would be needed for any other use. Without paying Christoff according to the terms of the contract, or even notifying him, Nestlé Canada used his image on the coffee brick.

Eleven years later, Nestlé redesigned their label for Taster’s Choice instant coffee and decided to use Christoff's image to replace the original Nestlé “taster” that graced the old label. A designer for Nestlé did not inquire into the terms of the contract with Christoff, nor did she attempt to contact him because she was under the mistaken belief that Nestlé owned the rights to his image. Nestlé began printing Christoff’s image on several different mediums of advertisement for Taster’s Choice, including the coffee products themselves. His image was even altered and used in Mexico. Despite all of this, Christoff claims he did not become aware of the use of his image until 2002. Christoff sued Nestlé in 2003 alleging causes of action for violation of California Civil Code section 3344 (which prohibits, inter alia, the unauthorized use of a person’s likeness or photograph), common law appropriation of likeness, quantum meruit, and unjust enrichment. At trial, the jury awarded more than $15 million in damages.
On appeal, Nestlé argued that the jury award must be reversed because the action was time-barred from the start. The SPR (“Single Publication Rule”) restricts all damages found upon a “single publication” to one cause of action only. A “single publication,” however, is distinguished from “republication,” which brings about a new cause of action. A republication occurs when its use is intended to reach a new audience, or if there is a modification to the presentation of the person’s likeness. The court also examined the possible application of republication when the same marketing pitch is applied to different states at different times, in contrast to when the same marketing plan is pitched to all states at the same time. The fact that Christoff’s image was used in different mediums apparently was of no interest to the court, so long as Christoff’s image was part of a mass marketing pitch. The court, however, made it clear that it could not tell from the record what marketing intentions Nestlé had. Surely Christoff’s image alteration and “Latinization” for the Nestle Mexico label could be considered a republication.

In the end, the court agreed with Nestlé, holding that the single publication rule applied to Christoff’s claim under section 3344 and his common law claim for misappropriation of his likeness. As a result, Christoff should have brought this suit within 2 years from the date Nestlé first published his image, or within 2 years of when a reasonable person in Christoff’s position had a meaningful ability to discover the use of his likeness. The court indicated that on remand, the jury would need to consider whether a reasonable person in Christoff’s position had a meaningful ability to discover that his likeness was being used and whether any republications occurred within the limitations period. In reading the court’s decision, it appears that to establish a republication theory, Christoff would have to request that Nestlé disclose all of their past marketing plans, including agendas, specified target markets, various mediums, and product and advertisement launch dates.

The appellate court further held that the jury’s damages determination was erroneous because Christoff’s expert testimony failed to establish that Christoff’s specific characteristics rose to icon status, or created value in the icon (the Taster’s Choice label illustration). This is mainly because “the icon with the image of a handsome man existed before and after Christoff’s likeness was used.” In other words – he was just another pretty face. The court further held that while the Copyright Act protected the photograph taken of Christoff, section 3344 protected his identity and persona. These protections applied even though Christoff was not a celebrity. Section 3344 provided a remedy beyond that afforded by the Copyright Act because, although embodied in a photograph, Christoff’s likeness itself was entitled to protection. On retrial, Christoff will have to demonstrate that some portion of Nestlé’s profits was attributable to the use of his likeness, and not just that of another handsome man being used as part of the “Taster’s Choice” imagery.

Full opinion: http://www.courtinfo.ca.gov/opinions/documents/B182880.PDF

Copyright issues can often arise in unexpected places – even in a karaoke bar. In Zomba Enterprises, Inc. v. Panorama Records, Inc., 2001 WL 1814319 (6th Cir. 2007), the Sixth Circuit addressed the interaction of copyright law and karaoke music. The defendant in Zomba does not seem to have thought about the possible effects of intellectual property law on its conduct, and it paid a heavy price for this omission. Businesses concerned about avoiding potential claims should instead consider ahead of time the potential intellectual property repercussions of conduct that might involve the protected rights of others.

The court in Zomba began its opinion by noting that while “countless people have lined up at various venues to perform their favorite songs with, and in front of, their friends,” few of the participants “with the possible exception of IP lawyers,” would ever even think about “the intellectual property regime governing karaoke.” Defendant Panorama Records certainly didn’t think about it. Beginning in 1998, Panorama manufactured and sold karaoke compact discs. Panorama hired musicians to record songs that at some time had been made popular by another artist. The discs contained a graphic element designed, to be viewed on a karaoke machine, which consisted of the text of each song’s lyrics. As the lyrics scrolled across a screen and the music, without vocals, played, karaoke participants could read the lyrics as they sang along. Panorama issued a new disc each month in a variety of musical genres. Each monthly “karaoke package” contained the top hits in that genre for the relevant month. Panorama apparently gave no thought to whether its karaoke packages might be infringing on the intellectual property rights of others.

The Copyright Act, however, affords protection to “musical works, including any accompanying words.” 17 U.S.C. § 102(a)(2). Plaintiff Zomba Enterprises publishes and holds copyrights to various songs, including music performed by pop music performers such as 98 Degrees, the Backstreet Boys, NSYNC, and Britney Spears. Zomba learned that Panorama’s karaoke packages contained unauthorized copies of some of Zomba’s songs. Zomba filed suit asserting thirty counts of copyright infringement – one count for each Zomba-owned musical composition that Panorama recorded and sold in its karaoke packages.

The Sixth Circuit rejected Panorama’s argument that its copying of Zomba’s songs should be considered “fair use” under the Copyright Act. Section 107 of the Copyright Act provides that “the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” 17 U.S.C. § 107. In analyzing a fair use claim, a court is also to consider the purpose and character of the use, the nature of the copyrighted work, the amount and substantiality of the use in relation to the copyrighted work as a whole, and the effect of the use upon the potential market for or value of the copyrighted work.

The Sixth Circuit held that, in particular, a court assessing fair use should consider whether the use is transformative. A work is transformative and more likely to be protected by the fair use defense if it adds something new or alters the work with new expression or different character. In this case, Panorama’s hired musicians did not change the music or the words of the songs.

The court also rejected Panorama’s contentions that its use was transformative because, unlike the original songs, the karaoke packages could be used as a teaching tool and encouraged creativity. Panorama admitted, however, that karaoke is primarily a form of entertainment, and it was unable to produce any evidence that its discs had ever been used as a “teaching” tool. The court also noted that the end-user’s utilization of the discs was largely irrelevant to the fair-use analysis. According to the court, “Zomba does not challenge karaoke crooners’ renditions (atrocious or otherwise) of the relevant compositions, but rather Panorama’s decision to copy these songs onto CD+Gs and then distribute them without paying royalties.” Panorama’s use of the songs was commercial in nature, and the “creativity” of the karaoke performers did not change that fact.

Panorama also failed to prove its copying did not adversely affect the market value of Zomba’s copyrights. The court went on to conclude that Panorama’s copying was willful and sustained the district court’s award of $31,000 in damages per infringement plus attorney’s fees. For business concerned about copyright infringement, the decision in Zomba highlights the evolving law of copyrights and the limits of the fair use doctrine.

Full opinion: http://www.ca6.uscourts.gov/opinions.pdf/07a0242p-06.pdf

A recent Seventh Circuit opinion illustrated that even the judiciary may sometimes be insensitive (or at least oblivious) to copyright infringement on the Internet. In Central Manufacturing, Inc., v. Brett, 2007 WL 1965673 (7th Cir. 2007), the court denied relief to a plaintiff alleging that George Brett and his company were infringing on a trademark. The court’s opinion includes a number of links to materials on the Internet. As part of the court’s discussion of the famous “pine tar” incident in 1983 involving Brett, Billy Martin, and the Yankees, the court notes that the “whole colorful episode is preserved, in all its glory, on YouTube” and links to a YouTube video. Ironically, that You Tube link now leads to a page displaying the warning “This video no longer available due to a copyright claim by MLB Advanced Media.”

Even if a business does not directly infringe a trademark or copyright, courts seem more willing to hold companies vicariously liable for contributing to others’ infringement. Recent decisions by the Ninth Circuit indicate that determining when such liability may arise can be tricky.

In Perfect 10, Inc.. v. Visa Intern. Service Ass’n, 2007 WL 1892885 (9th Cir. 2007), the US Court of Appeals for the Ninth Circuit held that Visa couldn’t be held vicariously or contributorily liable for allowing the purchase of copyright protected, and violated, images. Perfect Ten sued Visa, Mastercard, and other affiliated banks for processing credit card payments to websites that infringe Perfect 10’s intellectual property rights. Perfect Ten also alleged that international websites stole its images, altered them, and then illegally offered them for sale online. Rather than suing the direct infringers, Plaintiffs sued the deeper pockets – the financial institutions. The Ninth Circuit held that, despite having knowledge of the on going infringement, the credit card processors could not be held liable for inducing, enabling, or contributing to the infringing activity in the same way defendants in Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), and Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996), had been.

But in another case involving Perfect 10, the Ninth Circuit held that Google could be held contributorialy liable. In Perfect 10, Inc. v. Amazon.com, Inc., 487 F.3d 701 (9th Circ. 2007), the court concluded that Google could be liable for infringement if it had knowledge that the infringing images were available using its search engine and failed to take steps to prevent further damage to Perfect 10’s copyrighted work. The distinction drawn by the court was that Google’s search engine itself assists in the distribution of infringing content to the Internet users, while Visa and the financial institutions do not. The court in Perfect Ten v. Visa did acknowledge, however, that the financial institutions do make it more profitable for infringers to violate copyrights.

The law governing the privacy of e-mail and internet communications continues to develop. Attempts by the government to obtain access to e-mails and website information have recently raised these privacy issues. As discussed in the June 28, 2007 posting “Does the Constitution Protect the Privacy of Your E-mails?,” the Sixth Circuit’s decision in United States v. Warshak appeared to recognize that individuals and businesses may have protected privacy interests in the contents of e-mail communications. According to the Ninth Circuit in United States v. Forrester, 2007 WL 1952390 (9th Cir. 2007), however, this expectation does not extend to all information connected with electronic communications. According to the court, certain aspects of electronic communications – to/from address information, website addresses, and the amount of data transferred – do not raise Fourth Amendment or other privacy issues. While the decisions themselves deal with the government’s ability to access e-mail information, the implications of the rulings may affect how e-mail is dealt with by companies and individuals in both civil and criminal contexts.

In Forrester, the Ninth Circuit dealt with the constitutionality of certain computer surveillance techniques. The government indicated Forrester and Alba on one count of conspiracy to manufacture Ecstasy. As part of its investigation, the government employed various methods to monitor Alba’s e-mail and internet activity, including installing what the court described as a “pen register analogue” on Alba’s computer. The only data obtained were the to/from addresses of Alba’s e-mail messages, the IP addresses of websites he visited, and the total volume of information sent to or from his computer account.

Although decided after Warshak, the Ninth Circuit indicated that it was unaware of any other decisions by federal appellate courts addressing the constitutionality of such surveillance techniques. The court went on to hold that surveillance of e-mail and website addresses was conceptually indistinguishable from government surveillance of physical mail or telephone calls. The Supreme Court has previously held that while the contents of mail and phone calls are protected, the address and telephone number information is not entitled to protection because that information is voluntarily disclosed to third parties. Accordingly, the court held that the government’s monitoring of Alba’s e-mail to/from address information and website addresses was not a search for Fourth Amendment purposes.

In the wake of Warshak and Forrester, it appears that a consensus may be developing in the federal courts. Users have no reasonable expectation of privacy in the to/from addresses of e-mails, the IP addresses of the websites they visit, or the size of the e-mails they send or receive.

Full Opinion text –
http://www.ca9.uscourts.gov/ca9/newopinions.nsf/F0E09BB37A97D51A88257310004D1DAC/$file/0550410.pdf?openelement

No doubt much to its chagrin, Google has found itself at the receiving end of a number of lawsuits internationally in recent years alleging that the search engine behemoth should bear some level of liability when companies use its AdSense pay-per-click advertising system to infringe other businesses' trademarks or otherwise allegedly mislead consumers.
Now, no doubt to its even greater chagrin, Google is for the first time having to defend itself against somewhat similar charges brought by at least one government regulatory agency.

On July 12, the Australian Competition and Consumer Commission (ACCC) announced that it instituted legal proceedings against Google as well as an Australian company that used two competitors' business names in pay-per-click ads published through AdSense in 2005. The ACCC specifically has alleged that Google violated Title 52 of the Australian Trade Practices Act of 1974 by "causing the [allegedly deceptive] links to be published on its website" and by "failing to adequately distinguish sponsored links from 'organic' search results." While the suit does not seek any monetary penalty, the ACCC is asking the Sydney Federal Court, among other things, to enjoin Google "from publishing sponsored links of advertisers representing an association, sponsorship or affiliation where one does not exist" and also "from publishing search results that do not expressly distinguish advertisements from organic search results."

While I make no predictions as to whether this lawsuit might prove to be a catalyst that leads to similar actions being instituted in other countries, I think that this should be a interesting case to watch, especially for those interested in search engine optimization. If those in charge at Mountain View decide that the risk of future legal proceedings outweighs the cost of re-tooling their advertising machine, we might see a different-looking Google in years to come.

You can read the ACCC's press release regarding the lawsuit here.

“You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.” – Walt Disney

Disney recently reported that an employee of one of its independent contractors, Alta Resources, Inc., was caught trying to sell customer credit card information. Alta Resources processes transactions for the Disney Movie Club. Now Disney and Alta Resources are being investigated by the Secret Service. Furthermore, The Disney Club had to notify in writing its 1 million members. The customer data stolen included credit card numbers, names, addresses, telephone numbers and even e-mail addresses.

More and more data breach laws and the proposed Leahy-Spector Personal Data Privacy and Security Act seek to hold companies responsible for data breaches of their independent contractors and affiliated companies. So Disney may be on the proverbial “Captain’s” hook. Now Disney may spend hundreds of thousands of dollars investigating, managing and litigating this data breach. Disney will likely spend additional resources re-evaluating its third party contracts and investigate what steps its contractors are taking to ensure the security of nonpublic personally identifiable information. Disney has already amended and republished its data privacy and security policy.

The lesson to be learned from Disney and the recent Fidelity National Information Services breach is that insider fraud and negligence should be considered a more probable threat and potentially more dangerous than an outside hacker. Your company should have written security policies in place to reduce the risks associated with insider fraud and negligence. In an investigation, a company that experienced a data breach will have to explain whether that company implemented the security policies and whether its data privacy and security program was “appropriate” to the company’s size and complexity and is appropriate to the sensitivity of the customer information at issue. The business technology lawyers at Scott & Scott are recognized leaders in regulatory compliance, enterprise network risk, data risk and security, and related litigation. For more information contact Adam W. Vanek at avanek@scottandscottllp.com.

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:

• Disclosure to the Census Bureau and the Bureau of Labor Statistics;


• Disclosure for routine uses within a U.S. government agency;


• Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”


• Disclosure to law enforcement agencies;


• Disclosure to aid in congressional investigations; or


• Disclosure for other administrative purposes.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.