Scott & Scott | Software Compliance Counsel

July 2007 Archives

July 3, 2007

Bragg v. Linden Research, Inc.: Where Second Life becomes Reality

“The Matrix isn't real.” – Trinity. “I disagree, Trinity. I think that the Matrix can be more real than this world. All I do is pull a plug here, and then...” – Cypher.

Historians, take note. In 2007, the virtual world and real world collided. As Federal District Judge Eduardo C. Robreno stated in the opening paragraph of his opinion, “While the property and the world where it is found is ‘virtual,’ the dispute is real.”

In this case, Marc Bragg (“Bragg”) sued Linden Research, Inc. (“Linden”) for unlawfully seizing his virtual real property and revoking his account. Linden operates a massive multiplayer online role-playing game (“MMORPG”) called Second Life. Second Life is an Internet-based virtual world, where its users, called "Residents", interact with each other through motional avatars. Second Life Residents interact, socialize and even conduct business. An integral part of Second Life's real world business model is the exchange of virtual currency known as the Linden Dollar. Residents purchase Linden Dollars with real U.S. Dollars. As noted in Judge Robreno’s opinion, “Second Life avatars may now buy, own and sell virtual goods ranging ‘from cars to homes to slot machines.’”

However, what makes Second Life unique in the MMORPG world is Linden’s recognition of its users’ property rights. In a press release dated November 14, 2003, Philip Rosedale, Linden’s CEO, touted, “The preservation of users’ property rights is a necessary step toward the emergence of genuinely real online worlds.” Plaintiff Bragg purchased virtual real property, which formed the basis of the lawsuit. In 2005, Plaintiff Bragg paid Linden to join Second Life and become a Resident. One year later, Bragg purchased several plots of virtual real property in Second Life and began to re-sell such parcels to other Residents for a profit. However, in April 2006, Linden sent Bragg a notice stating that he purchased virtual real property through an exploit and subsequently cancelled his account and confiscated all of Bragg’s virtual property. Bragg brought suit claiming misrepresentation and expropriation of property. Linden moved to dismiss for lack of jurisdiction and moved to compel arbitration.

Judge Robreno held that Linden, a California-based company, was subject to jurisdiction in Pennsylvania because the interactive nature of its Internet “game” gave the Court specific jurisdiction by means of its minimum contacts. Second, the Court held that the arbitration clause contained in Second Life’s terms of service constituted an unconscionable contract of adhesion under California law and was therefore unenforceable. Specifically, Judge Robreno objected to the lack of mutuality in the contract, that arbitration must take place in California and that the arbitration must take place before a panel of three arbitrators, which is extraordinarily more expensive than pursuing this matter before the Court.

Although the legal issues addressed by the Pennsylvania Federal District Court may be found in standard contract law, the context in which this dispute arose is not ordinary. This virtual real property is a newly created commodity that may create a whole new set of rules and laws. Linden’s creation of Second Life property rights where real money is exchanged and monetary value is no longer considered “virtual” created real damages and real causes of action. The real question to be asked in this virtual world is not whether Linden will be sued again, but when and for what?

The Fair Information Practice Principles

The Fair Information Practice Principles (the “Principles”) were first enumerated by the U.S. Department of Health, Education, and Welfare in 1973. In the 30 years since the principles were formulated, they have become the basis for many privacy laws in the United States, Canada, Europe, and other parts of the world. The Principles are designed to provide a framework for the collection and use of personal information.
The original Principles consisted of the following eight guidelines:


  • Openness – Data policies should be open and clear and the entity or person controlling the data should be easily identifiable.

  • Collection Limitation - Collection of personal data should be limited and obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

  • Purpose Specification - The purpose for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

  • Use Limitation - Personal data should not be disclosed, made available or otherwise used for purposes other than those specified as described above, except with the consent of the data subject or by the authority of law.

  • Data Quality - Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, relevant and kept up-to-date.

  • Individual Participation - An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons if a request is denied and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

  • Security Safeguards - Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

  • Accountability - A data controller should be accountable for complying with privacy measures.

The FTC currently articulates five core Principles: notice/awareness, choice/consent, access/participation, integrity/security, and enforcement/redress. Many of the current federal regulations related to privacy contain these five Principles.

How High is Too High for Copyright Fines?

Businesses accused of software “piracy” by publishers or trade associations usually are most concerned about their potential exposure in copyright fines, should their dispute proceed to litigation. A recent Sixth Circuit case suggests that statutory damages awards in such cases legally can reach levels that may represent windfalls for prevailing plaintiffs, far outstripping the amount of their actual damages.

In Zomba Enterprises, Inc. v. Panorama Records, Inc., 2007 WL 1814319 (June 26, 2007), the Circuit Court reviewed a trial court’s decision to award a total of $804,000 in statutory damages for what it found to be the defendant’s willful infringement of twenty-six copyrights. (In copyright cases, plaintiffs may elect to ask the court either for their actual damages, for which they must present evidence to support the amount claimed, or statutory damages, which is an amount set in the trial court’s discretion between $750 and $30,000 for non-willful infringement and up to $150,000 for willful infringement, per copyright infringed.) The defendant in the case was a manufacturer of karaoke discs who had published some karaoke tracks without the consent of the original songs’ copyright holder. On appeal, the defendant argued that the amount was unconstitutionally high, in violation of its substantive due process rights, because the plaintiff’s estimated actual damages totaled only approximately $18,457.92 in lost licensing fees, or about 2.27% of the statutory damages award. The Circuit Court rejected this argument, in part relying on the 1919 Supreme Court case of St. Louis, I.M. & S. Ry. Co. v. Williams, 251 U.S. 63. The Williams case involved a claim by two sisters who were awarded $75 apiece against a railroad under a state statute providing statutory damages for ticketing overcharges. The Supreme Court there held that even though the amount awarded to the sisters was about 113 times the amounts they were overcharged, this did not constitute a violation of the railroad’s due process rights. Disregarding the substantial dissimilarity between the fiscal significance of $75 to a railroad in 1919, on the one hand, and nearly $1 million (including attorney’s fees and costs), to a medium-sized business today, the Sixth Circuit held that the case represented persuasive precedent that the statutory damages award in Zomba should stand.

The facts of Zomba differ considerably from those of many cases involving allegations of software “piracy.” The Zomba defendant was familiar with the entertainment industry and, though it claimed to have been unaware of the need to obtain permission to re-record songs for karaoke discs (even going so far as to claim, amusingly, that such use had an “educational” purpose, thus constituting fair use), it also apparently continued to infringe the copyrights at issue after having received both a cease-and-desist letter from the plaintiff as well as an injunction from the trial court. However, there is always a risk that what seems like a less egregious case of infringement will be read by a trial court much more harshly than initially expected, resulting in substantial costs to a losing defendant. The Zomba case suggests that it makes good sense for a business accused of “piracy” to at least be mindful of the worst-case scenario, and let an experienced attorney work to close the gap between disaster and a more reasonable resolution.

Minimum Resale Price Maintenance to be Evaluated Under the Rule of Reason

Supreme Court Overturns Antitrust Precedent from 1911

On the last day of the Supreme Court’s 2006 term, the Court published its 5-4 decision in Leegin Creative Leather Products, Inc. v. PSKS, Inc. Leegin raises an important issue related to retail sales agreements and violation of the Sherman Act.

Leegin manufactures products under the brand name Brighton – whose products include handbags, belts, jewelry and other accessories. PSKS owns a boutique that sold the Brighton products at its store. Leegin required its retailers to agree in writing to a minimum resale price for all of their products. (A minimum resale price maintenance (“Minimum RPM”) agreement is an agreement enforced by the manufacturer requiring the retailer to set the resale price at an agreed upon minimum. For example, Brighton would require PSKS to sell a handbag at a minimum price of $250.) PSKS initially agreed, but later sold products at a reduced price in order to compete against other nearby retailers.

Leegin sued in the United States District Court for the Eastern District of Texas and the jury found in favor of PSKS because the court determined that the Minimum RPM agreement was per se illegal under the long-standing precedent of Dr. Miles, decided in 1911. The Fifth Circuit Court of Appeals affirmed. The Supreme Court reversed in a 5-4 decision overruling Dr. Miles, and determining that vertical Minimum RPMs are to be evaluated under the rule of reason – giving judges greater discretion in determining whether the Sherman Act was violated. The rule of reason requires a court to assess restraints on trade by looking at the impact on competition.

Most commentators and the dissent in Leegin believe that this decision will drive up retail prices and consumers will be paying even higher prices for specialty items because now, manufacturers can enforce vertical Minimum RPM agreements under the threat that the retailer will lose the opportunity to sell their goods if they do not comply with the agreement.

RAM is Ordered in E-Discovery Dispute

On May 29, 2007, the U.S. District Court for the Central District of California, Magistrate Judge Chooljian, found that a computer’s RAM (random access memory) is a tangible document that can be stored and must be turned over in a lawsuit. Because this order prohibits the Web Site from tossing RAM-relevant data, it has the potential to affect the way future litigants prepare for E-Discovery. It should be noted, however, that this order is currently stayed pending appeal.

Last year, the Motion Picture Association of America (“MPAA”) filed suit against TorrentSpy for copyright infringement. The MPAA believes TorrentSpy acts as a search engine to aid users in finding copyrighted video files thereby contributing, promoting and profiting from piracy.

Because of the nature of these businesses, the court found that TorrentSpy’s RAM contains data relevant to the litigation, and should thus be turned over. In addition, the Judge also ordered TorrentSpy to begin logging and storing user information, but allowed encryption of the Internet Protocol addresses belonging to the visitors of their website. TorrentSpy must now create documents not in the ordinary course of their business by logging user activity. Because this issue was of great concern, the court also questioned whether requiring the defendants to preserve and produce this server log data was equivalent to the creation of new data, and found that it was not, because the information at issue was already in existence – and it is in the defendant’s control and possession. As such, the court held that the order requiring defendants to preserve and produce the information was not tantamount to requiring the creation of new data. TorrentSpy must turn over all of this data to the MPAA.

This order raises several technical E-Discovery concerns. The Court granted this order in the belief that the RAM is a tangible document that can be stored. While it is true that RAM can be stored, it is not permanent storage. RAM is continually being updated, changed, deleted, or overwritten in your business’ computers. For example, TorrentSpy’s RAM servers were, in the normal course of business, being overwritten approximately every six hours. Preserving and backing up this ever-changing data surely has the potential to economically cripple businesses, both small and large. In addition, because the nature of RAM is to continually change, spoliation of evidence may be a serious concern. It should be noted, however, that this order does not require TorrentSpy to go back and recreate RAM’s past server logs, but rather, to begin storing the RAM server log data from this point forward.

California Businesses Face New Civil Rights Challenges

Businesses operating in California may find themselves being sued for practices without any prior notice. In particular, if a company in California has gender-based pricing policies, it may now be sued for civil rights violations even if the plaintiff has not previously demanded equal treatment and been refused. As the California Supreme Court itself acknowledged, this ruling may encourage “shake down” artists who seek out discriminatory pricing practices and try to extort settlements from businesses. The court, however, was willing to accept this possibility absent any change in the law being made by the legislature. In the meantime, a company doing business in California should be aware that it may be subject to suit for discrimination without prior notice.

This particular case arose out of a supper club’s practice of giving admission discounts to women. Angelucci and other plaintiffs filed a complaint against Century Supper Club for violations of the Unruh Civil Rights Act and the Gender Tax Repeal Act of 1995. The plaintiffs alleged that they patronized the supper club on several occasions and were charged an admission fee higher than that charged to women. On some visits, men were charged $20 while women were admitted free. Plaintiffs sought statutory damages under Civil Code section 52(a) for discrimination. The supper club moved for judgment on the pleadings, contending that the plaintiffs could not recover under section 52(a) because they had not alleged that they asked the supper club to be charged the same rate as female patrons. The superior court agreed and entered judgment in favor of the supper club. The court of appeal affirmed, concluding that before a claim could be made for discrimination, the plaintiffs must have made an affirmative assertion of the right to equal treatment. In support of its ruling, the court of appeal stated that this requirement ensured that the statutes would only be used to redress genuine grievances and punish genuine misconduct.

In Angelucci v. Century Supper Club, 2007 WL 1557339 (Cal. 2007), the Supreme Court reversed, holding that to assert a discrimination claim for unequal treatment against a business establishment, it is not necessary to demand equal treatment and be refused. The Unruh Act, as amended by the Gender Tax Repeal Act, prohibits businesses from charging different prices on the basis of gender, and the court noted that these provisions are intended to protect each person’s inherent right to free and equal access to all business establishments. Section 52(a) authorizes individual actions against anyone that discriminates in violation of the Act. The language of section 52(a) does not include a specific requirement that a victim of discrimination must demand equal treatment and be refused before filing suit, nor does it establish any requirement that notice and an opportunity to cure be given before a claim may be made.

The court rejected the court of appeal’s reasoning that the plaintiffs were not denied equal treatment because the supper club never refused an express demand for equal treatment. According to the court, if such a rule were in place, businesses could continue to engage in discriminatory practices, and by making exceptions for patrons who happened to challenge the practices, the businesses could avoid being sued under the Act. That rule would also prohibit suits by persons who discovered that they had been treated unequally only after the fact. The court also made it clear that injury occurs when plaintiffs present themselves for admission and are charged the nondiscounted price. Because arbitrary discrimination is per se injurious, the plaintiffs in this case had standing to bring claims because they were victims of the discriminatory practice, even though they did not challenge the practice at the time. The court did note allegations in the record that the plaintiffs and their attorneys were “professional plaintiffs” who made their living by asserting technical violations of civil rights laws against businesses and extorting settlements. While recognizing the potential for abusive litigation, the court concluded that it was up to the Legislature to determine whether the statutory requisites for filing a claim should be altered. In the meantime, businesses should be aware that if they have discriminatory pricing policies in place, those policies may result in a lawsuit even if no one has previously challenged the policies.

$1.25 Million Dollar Sanction Imposed Because General Litigation Hold is Not a Defense to E-Discovery Sanctions for Destruction of Electronic Copy and Delayed Production of Printed Copy of Insurance Policy

A recent decision by the United States District Court, Southern District of New York, in Matter of September 11th Liability Insurance Cases, 2007 WL 9731666 (SDNY 2007), demonstrates that to avoid sanctions under the Federal Discovery rules, it is not sufficient to show that the litigant was instructed by counsel that documents generally were to be preserved when specific documents damaging to that party’s case were withheld. The decision also illustrates that the obligations to produce documents created in a computer system encompass the obligation to produce any copies maintained in paper form if the electronic version is no longer accessible.

Zurich and its outside counsel represented to the Federal Court during the proceedings that there would be plenty of evidence on the issue of whether the Port Authority of New York was ever an additional insured under the binder issued by Zurich, resulting in the denial of the Port Authority’s motion to dismiss the declaratory judgment complaint. While the evidence before the District Judge showed that outside counsel met with Zurich shortly before the litigation commenced to remind it of its obligations with respect to preservation of evidence, the Court found that Zurich and its law firms had possession of a printed copy of a critical insurance policy document and failed to produce it to Plaintiff’s counsel over a long period of time. After providing Zurich and its counsel with the opportunity to explain why this document had not been produced, the Court rejected the claim of inadvertence and found that Zurich and its counsel were at fault.

The District Court imposed sanctions under the Federal E-discovery Rules in the amount of $500,000 under FRCP 37, jointly and severally against Zurich and its counsel, for Zurich’s failure to timely produce the insurance policy maintained on Zurich’s computer system, and an additional $750,000 in sanctions against them for frivolous litigation conduct under FRCP 11.

The Court observed that bad faith is not required to be shown in order to warrant the imposition upon the adverse party of e-discovery sanctions.

July 11, 2007

Drafting and Defending Privacy Policies and Incident Response Plans

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).

Every privacy policy should contain a clear and concise statement of what personal information the organization collects, whether the company discloses the information to third-parties, and if so, under what circumstances, a list of the safeguards employed to protect the information, and a discussion of any opt-out provisions required.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:


  • Investigations by appropriate regulatory authorities.

  • Orders prohibiting further misrepresentations.

  • Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.

  • Claims based on negligence for failing to follow enumerated policies.

  • Civil fines.

  • Officer and director liability.


It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.

Your Board of Directors is Liable for Data Privacy and Data Security

“Today, management has no stake in the company! All together, these men sitting up here own less than three percent of the company. And where does Mr. Cromwell put his million-dollar salary? Not in Teldar stock; he owns less than one percent. You own the company. That's right, you, the stockholder. And you are all being royally screwed over by these, these bureaucrats, with their luncheons, their hunting and fishing trips, their corporate jets and golden parachutes.” – Gordon Gekko


Why does a company’s Board of Directors need to worry about data privacy? The cliché goes, “A company’s most important asset is information.” The Information Age describes a time when information was considered a limited commodity and provided a distinctive competitive advantage. Today, information is everywhere. The Information Age quietly evolved into the Knowledge Economy. The Knowledge Economy focuses on the production, management and use of information. It’s this use of information, specifically the use of an individual’s non-public personally identifiable information, which brings this new wave of legislation.

Data management and data privacy are no longer confined to the windowless basement of a company’s headquarters. Identity Theft is the crime de la décennie. Every four seconds in America, another person falls victim to identity theft. This week, Fidelity National Information Services announced that an employee, one employee, sold 2.3 million consumer records containing credit card, bank account and other personal information to a data broker. The data broker, in turn, sold this information to several direct marketing firms. What was once Fidelity’s most important asset is now its most significant liability. Fidelity will not only have to answer to its consumers, but also its shareholders and the Federal Government.

According to its Web Site:

Fidelity National Information Services, Inc. (NYSE:FIS) is a leading provider of core financial institution processing, card issuer and transaction processing services, mortgage loan processing and related information products and outsourcing services to financial institutions, retailers, mortgage lenders and real estate professionals. FIS has processing and technology relationships with 31 of the top 50 global banks, including nine of the top ten. Nearly 50 percent of all U.S. residential mortgages are processed using FIS software. Headquartered in Jacksonville, Florida, FIS maintains a strong global presence, serving over 7,800 financial institutions. FIS is part of the S&P 500. FIS has also been named the #1 banking technology provider and the #2 overall technology provider in the world by American Banker and Financial Insights (FinTech 100).

It’s doubtful American Banker and Financial Insights will rank Fidelity #1 and #2 this year. Similarly, Fidelity may lose several of its 31 of 50 global banks as clients. The European Union enforces strict privacy laws and often criticizes America’s lax privacy and data breach laws. The misconduct of just one employee will likely cost Fidelity millions. Fidelity will spend real dollars investigating, managing and litigating this data breach.

A company’s Board of Directors owes a fiduciary duty, a duty of care and loyalty. This week’s data breach will require the attention of Fidelity’s Board of Directors. The Federal Government and the shareholders will likely demand a response from Fidelity’s Board of Directors. Fidelity’s Board of Directors will be asked whether a company that boasts “a strong global presence, serving over 7,800 financial institutions” implemented best practices to protect its consumers’ non-public personally identifiable information. Is your company implementing best practices? The business technology attorneys at Scott & Scott LLP are recognized thought leaders in regulatory compliance, enterprise network risk, data breach and security, and imminent litigation. For more information contact Adam W. Vanek, Scott & Scott LLP, avanek@scottandscottllp.com.

More Food for Thought on Data Breach Notification Laws

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from data breach has been relatively low. As an example, the report states:

“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”

However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.

The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.

None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.

July 17, 2007

Copyright Act Preempts State Law Claims When the Work Falls Within the Scope of the Copyright Act

A recent federal district court decision has clarified when state law claims are preempted by the federal Copyright Act and highlights the importance of registering for a copyright. Because different remedies and damages are available under federal and state law, the interaction of the two regimes affects a company’s potential exposure for infringement. In particular, businesses may be able to assert preemption of state law claims by arguing that the federal Copyright Act provides the exclusive remedy for any purported misappropriation of a work. Companies seeking to protect a work should also be aware that they may not be able to rely on the protections of state law where the work falls within the scope of the Copyright Act. To be entitled to any protection under the Copyright Act, it will be necessary to register the work.

The Frontier Group, Inc. v. Northwest Drafting & Design, Inc., 2007 WL 1880299 (D. Conn. 2007), arose out of a dispute over architectural plans. Frontier Group brought an action in state court under Connecticut law against Northwest Design Group, Mark Robinson, and Martial Grondin. While the claims against Northwest Design and Robinson were settled, Frontier alleged that Grondin violated the ownership rights Frontier had in a set of architectural plans, drawings, and specifications by converting Frontier’s rights to his own benefit to the exclusion of Frontier. Frontier created the plans for a home, but the homeowner sold the property to Grondin, who took the plans to another company to finish construction without consent or authorization from Frontier.

Frontier alleged that Grondin converted its ownership and possession rights in the plans, and thereby violated Connecticut’s Unfair Trade Practices Act. Grondin prevailed by arguing that Frontier’s claim was, in reality, a copyright infringement case and that Grondin’s state law claims were preempted. Grondin was able to remove the case to federal court and successfully move for summary judgment.

In assessing whether Frontier’s claims were preempted, the court used a two-prong test to determine whether the Copyright Act governs Frontier’s claim. The first prong is called the subject matter requirement and the second prong is called the general scope requirement. First, the court must determine whether the allegedly infringed work falls within the type of work protected by the Copyright Act, and second the court must determine whether the state law claim protects the same rights as the Copyright Act. The court found that the plans satisfied the first prong because they are works of authorship, fixed in a tangible medium of expression that fall within the categories protected by the Copyright Act. The court also found that the second prong was satisfied because Frontier’s claims did not contain any “extra elements” that made the claims different from a copyright infringement claim, a factor that would have helped to avoid preemption.

While the court found that the Copyright Act did apply, the court then granted summary judgment in favor of Grondin because Frontier did not have a registered copyright on the architectural plans, which is required before a copyright infringement suit may be instituted.

Model Stripped of $15,000,000 Award for Unauthorized Appropriation of Likeness

On June 29, 2007, the California Court of Appeal reversed a 15 million dollar jury award against Nestlé arising from the unauthorized use of a model’s image on a coffee label and in advertising. While Nestlé managed to get the large damages award reversed on what was essentially a limitations argument by invoking the “single publication rule,” the case nevertheless serves as a reminder to businesses that the use of a person’s image without authorization may result in significant exposure.

Sometime in 1986, Nestlé Canada arranged a photo shoot where Russell Christoff, a professional model, gazed into a cup of coffee and appeared to enjoy the aroma. Christoff was paid for his photo appearance and given a contract regarding the use of his image. This contract provided that if Nestlé Canada used the picture on a coffee brick label it was designing, he would be paid $2,000 plus an agency commission. The contract also stated that further negotiations would be needed for any other use. Without paying Christoff according to the terms of the contract, or even notifying him, Nestlé Canada used his image on the coffee brick.

Eleven years later, Nestlé redesigned their label for Taster’s Choice instant coffee and decided to use Christoff's image to replace the original Nestlé “taster” that graced the old label. A designer for Nestlé did not inquire into the terms of the contract with Christoff, nor did she attempt to contact him because she was under the mistaken belief that Nestlé owned the rights to his image. Nestlé began printing Christoff’s image on several different mediums of advertisement for Taster’s Choice, including the coffee products themselves. His image was even altered and used in Mexico. Despite all of this, Christoff claims he did not become aware of the use of his image until 2002. Christoff sued Nestlé in 2003 alleging causes of action for violation of California Civil Code section 3344 (which prohibits, inter alia, the unauthorized use of a person’s likeness or photograph), common law appropriation of likeness, quantum meruit, and unjust enrichment. At trial, the jury awarded more than $15 million in damages.

On appeal, Nestlé argued that the jury award must be reversed because the action was time-barred from the start. The SPR (“Single Publication Rule”) restricts all damages founded upon a “single publication” to one cause of action only. A “single publication,” however, is distinguished from “republication,” which brings about a new cause of action. A republication occurs when the use is intended to reach a new audience, or if there is a modification to the presentation of the person’s likeness. The court also examined the possible application of republication when the same marketing pitch is applied to different states at different times, in contrast to when the same marketing plan is pitched to all states at the same time. The fact that Christoff’s image was used in different mediums apparently was of no interest to the court, so long as Christoff’s image was part of a mass marketing pitch. The court, however, made it clear that it could not tell from the record what marketing intentions Nestlé had. Surely Christoff’s image alteration and “Latinization” for the Nestlé Mexico label could be considered a republication.

In the end, the court agreed with Nestlé, holding that the single publication rule applied to Christoff’s claim under section 3344 and his common law claim for misappropriation of his likeness. As a result, Christoff should have brought this suit within 2 years from the date Nestlé first published his image, or within 2 years of when a reasonable person in Christoff’s position had a meaningful ability to discover the use of his likeness. The court indicated that on remand, the jury would need to consider whether a reasonable person in Christoff’s position had a meaningful ability to discover that his likeness was being used and whether any republications occurred within the limitations period. In reading the court’s decision, it appears that to establish a republication theory, Christoff would have to request that Nestlé disclose all of their past marketing plans, including agendas, specified target markets, various mediums, and product and advertisement launch dates.

The appellate court further held that the jury’s damages determination was erroneous because Christoff’s expert testimony failed to establish that Christoff’s specific characteristics rose to icon status, or created value in the icon (the Taster’s Choice label illustration). This is mainly because “the icon with the image of a handsome man existed before and after Christoff’s likeness was used.” In other words – he was just another pretty face. The court further held that while the Copyright Act protected the photograph taken of Christoff, section 3344 protected his identity and persona. These protections applied even though Christoff was not a celebrity. Section 3344 provided a remedy beyond that afforded by the Copyright Act because, although embodied in a photograph, Christoff’s likeness itself was entitled to protection. On retrial, Christoff will have to demonstrate that some portion of Nestlé’s profits was attributable to the use of his likeness, and not just that of another handsome man being used as part of the “Taster’s Choice” imagery.

Full opinion: http://www.courtinfo.ca.gov/opinions/documents/B182880.PDF

“The Song Remains the Same” – Copyright, Fair Use, and Karaoke

Copyright issues can often arise in unexpected places – even in a karaoke bar. In Zomba Enterprises, Inc. v. Panorama Records, Inc., 2001 WL 1814319 (6th Cir. 2007), the Sixth Circuit addressed the interaction of copyright law and karaoke music. The defendant in Zomba does not seem to have thought about the possible effects of intellectual property law on its conduct, and it paid a heavy price for this omission. Businesses concerned about avoiding potential claims should instead consider ahead of time the potential intellectual property repercussions of conduct that might involve the protected rights of others.

The court in Zomba began its opinion by noting that while “countless people have lined up at various venues to perform their favorite songs with, and in front of, their friends,” few of the participants “with the possible exception of IP lawyers,” would ever even think about “the intellectual property regime governing karaoke.” Defendant Panorama Records certainly didn’t think about it. Beginning in 1998, Panorama manufactured and sold karaoke compact discs. Panorama hired musicians to record songs that at some time had been made popular by another artist. The discs contained a graphic element, designed to be viewed on a karaoke machine, which consisted of the text of each song’s lyrics. As the lyrics scrolled across a screen and the music, without vocals, played, karaoke participants could read the lyrics as they sang along. Panorama issued a new disc each month in a variety of musical genres. Each monthly “karaoke package” contained the top hits in that genre for the relevant month. Panorama apparently gave no thought to whether its karaoke packages might be infringing on the intellectual property rights of others.

The Copyright Act, however, affords protection to “musical works, including any accompanying words.” 17 U.S.C. § 102(a)(2). Plaintiff Zomba Enterprises publishes and holds copyrights to various songs, including music performed by pop music performers such as 98 Degrees, the Backstreet Boys, NSYNC, and Britney Spears. Zomba learned that Panorama’s karaoke packages contained unauthorized copies of some of Zomba’s songs. Zomba filed suit asserting thirty counts of copyright infringement – one count for each Zomba-owned musical composition that Panorama recorded and sold in its karaoke packages.

The Sixth Circuit rejected Panorama’s argument that its copying of Zomba’s songs should be considered “fair use” under the Copyright Act. Section 107 of the Copyright Act provides that “the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” 17 U.S.C. § 107. In analyzing a fair use claim, a court is also to consider the purpose and character of the use, the nature of the copyrighted work, the amount and substantiality of the use in relation to the copyrighted work as a whole, and the effect of the use upon the potential market for or value of the copyrighted work.

The Sixth Circuit held that, in particular, a court assessing fair use should consider whether the use is transformative. A work is transformative and more likely to be protected by the fair use defense if it adds something new or alters the work with new expression or different character. In this case, Panorama’s hired musicians did not change the music or the words of the songs.

The court also rejected Panorama’s contentions that its use was transformative because, unlike the original songs, the karaoke packages could be used as a teaching tool and encouraged creativity. Panorama admitted, however, that karaoke is primarily a form of entertainment, and it was unable to produce any evidence that its discs had ever been used as a “teaching” tool. The court also noted that the end-user’s utilization of the discs was largely irrelevant to the fair-use analysis. According to the court, “Zomba does not challenge karaoke crooners’ renditions (atrocious or otherwise) of the relevant compositions, but rather Panorama’s decision to copy these songs onto CD+Gs and then distribute them without paying royalties.” Panorama’s use of the songs was commercial in nature, and the “creativity” of the karaoke performers did not change that fact.

Panorama also failed to prove its copying did not adversely affect the market value of Zomba’s copyrights. The court went on to conclude that Panorama’s copying was willful and sustained the district court’s award of $31,000 in damages per infringement plus attorney’s fees. For businesses concerned about copyright infringement, the decision in Zomba highlights the evolving law of copyrights and the limits of the fair use doctrine.

Full opinion: http://www.ca6.uscourts.gov/opinions.pdf/07a0242p-06.pdf

Are Courts Promoting Copyright Infringement?

A recent Seventh Circuit opinion illustrated that even the judiciary may sometimes be insensitive (or at least oblivious) to copyright infringement on the Internet. In Central Manufacturing, Inc., v. Brett, 2007 WL 1965673 (7th Cir. 2007), the court denied relief to a plaintiff alleging that George Brett and his company were infringing on a trademark. The court’s opinion includes a number of links to materials on the Internet. As part of the court’s discussion of the famous “pine tar” incident in 1983 involving Brett, Billy Martin, and the Yankees, the court notes that the “whole colorful episode is preserved, in all its glory, on YouTube” and links to a YouTube video. Ironically, that YouTube link now leads to a page displaying the warning “This video no longer available due to a copyright claim by MLB Advanced Media.”

Plaintiffs Utilize Obscure Internet Copyright and Trademark Infringement Issues to go for the Deeper Pockets

Even if a business does not directly infringe a trademark or copyright, courts seem more willing to hold companies vicariously liable for contributing to others’ infringement. Recent decisions by the Ninth Circuit indicate that determining when such liability may arise can be tricky.

In Perfect 10, Inc. v. Visa Intern. Service Ass’n, 2007 WL 1892885 (9th Cir. 2007), the US Court of Appeals for the Ninth Circuit held that Visa couldn’t be held vicariously or contributorily liable for allowing the purchase of copyright-protected images that had been infringed. Perfect 10 sued Visa, Mastercard, and other affiliated banks for processing credit card payments to websites that infringe Perfect 10’s intellectual property rights. Perfect 10 also alleged that international websites stole its images, altered them, and then illegally offered them for sale online. Rather than suing the direct infringers, Plaintiffs sued the deeper pockets – the financial institutions. The Ninth Circuit held that, despite having knowledge of the ongoing infringement, the credit card processors could not be held liable for inducing, enabling, or contributing to the infringing activity in the same way defendants in Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., 545 U.S. 913 (2005), A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001), and Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996), had been.

But in another case involving Perfect 10, the Ninth Circuit held that Google could be held contributorily liable. In Perfect 10, Inc. v. Amazon.com, Inc., 487 F.3d 701 (9th Cir. 2007), the court concluded that Google could be liable for infringement if it had knowledge that the infringing images were available using its search engine and failed to take steps to prevent further damage to Perfect 10’s copyrighted work. The distinction drawn by the court was that Google’s search engine itself assists in the distribution of infringing content to Internet users, while Visa and the financial institutions do not. The court in Perfect 10 v. Visa did acknowledge, however, that the financial institutions do make it more profitable for infringers to violate copyrights.

No Privacy for E-mail or Website Addresses

The law governing the privacy of e-mail and internet communications continues to develop. Attempts by the government to obtain access to e-mails and website information have recently raised these privacy issues. As discussed in the June 28, 2007 posting “Does the Constitution Protect the Privacy of Your E-mails?,” the Sixth Circuit’s decision in United States v. Warshak appeared to recognize that individuals and businesses may have protected privacy interests in the contents of e-mail communications. According to the Ninth Circuit in United States v. Forrester, 2007 WL 1952390 (9th Cir. 2007), however, this expectation does not extend to all information connected with electronic communications. According to the court, certain aspects of electronic communications – to/from address information, website addresses, and the amount of data transferred – do not raise Fourth Amendment or other privacy issues. While the decisions themselves deal with the government’s ability to access e-mail information, the implications of the rulings may affect how e-mail is dealt with by companies and individuals in both civil and criminal contexts.

In Forrester, the Ninth Circuit dealt with the constitutionality of certain computer surveillance techniques. The government indicted Forrester and Alba on one count of conspiracy to manufacture Ecstasy. As part of its investigation, the government employed various methods to monitor Alba’s e-mail and internet activity, including installing what the court described as a “pen register analogue” on Alba’s computer. The only data obtained were the to/from addresses of Alba’s e-mail messages, the IP addresses of websites he visited, and the total volume of information sent to or from his computer account.

Although decided after Warshak, the Ninth Circuit indicated that it was unaware of any other decisions by federal appellate courts addressing the constitutionality of such surveillance techniques. The court went on to hold that surveillance of e-mail and website addresses was conceptually indistinguishable from government surveillance of physical mail or telephone calls. The Supreme Court has previously held that while the contents of mail and phone calls are protected, the address and telephone number information is not entitled to protection because that information is voluntarily disclosed to third parties. Accordingly, the court held that the government’s monitoring of Alba’s e-mail to/from address information and website addresses was not a search for Fourth Amendment purposes.

In the wake of Warshak and Forrester, it appears that a consensus may be developing in the federal courts. Users have no reasonable expectation of privacy in the to/from addresses of e-mails, the IP addresses of the websites they visit, or the size of the e-mails they send or receive.

Full opinion: http://www.ca9.uscourts.gov/ca9/newopinions.nsf/F0E09BB37A97D51A88257310004D1DAC/$file/0550410.pdf?openelement

July 24, 2007

Google Runs Afoul of Authorities Down-Under Over Pay-Per-Click Ads

No doubt much to its chagrin, Google has found itself at the receiving end of a number of lawsuits internationally in recent years alleging that the search engine behemoth should bear some level of liability when companies use its AdSense pay-per-click advertising system to infringe other businesses' trademarks or otherwise allegedly mislead consumers.

Now, no doubt to its even greater chagrin, Google is for the first time having to defend itself against somewhat similar charges brought by at least one government regulatory agency.

On July 12, the Australian Competition and Consumer Commission (ACCC) announced that it instituted legal proceedings against Google as well as an Australian company that used two competitors' business names in pay-per-click ads published through AdSense in 2005. The ACCC specifically has alleged that Google violated Title 52 of the Australian Trade Practices Act of 1974 by "causing the [allegedly deceptive] links to be published on its website" and by "failing to adequately distinguish sponsored links from 'organic' search results." While the suit does not seek any monetary penalty, the ACCC is asking the Sydney Federal Court, among other things, to enjoin Google "from publishing sponsored links of advertisers representing an association, sponsorship or affiliation where one does not exist" and also "from publishing search results that do not expressly distinguish advertisements from organic search results."

While I make no predictions as to whether this lawsuit might prove to be a catalyst that leads to similar actions being instituted in other countries, I think that this should be an interesting case to watch, especially for those interested in search engine optimization. If those in charge at Mountain View decide that the risk of future legal proceedings outweighs the cost of re-tooling their advertising machine, we might see a different-looking Google in years to come.

You can read the ACCC's press release regarding the lawsuit here.

There’s a Data Breach in the Wonderful World of Disney? Say it Ain’t so Mickey! Say it Ain’t so!

“You may not realize it when it happens, but a kick in the teeth may be the best thing in the world for you.” – Walt Disney

Disney recently reported that an employee of one of its independent contractors, Alta Resources, Inc., was caught trying to sell customer credit card information. Alta Resources processes transactions for the Disney Movie Club. Now Disney and Alta Resources are being investigated by the Secret Service. Furthermore, The Disney Club had to notify its 1 million members in writing. The customer data stolen included credit card numbers, names, addresses, telephone numbers and even e-mail addresses.

More and more data breach laws and the proposed Leahy-Specter Personal Data Privacy and Security Act seek to hold companies responsible for data breaches of their independent contractors and affiliated companies. So Disney may be on the proverbial “Captain’s” hook. Now Disney may spend hundreds of thousands of dollars investigating, managing and litigating this data breach. Disney will likely spend additional resources re-evaluating its third party contracts and investigating what steps its contractors are taking to ensure the security of nonpublic personally identifiable information. Disney has already amended and republished its data privacy and security policy.

The lesson to be learned from Disney and the recent Fidelity National Information Services breach is that insider fraud and negligence should be considered a more probable threat and potentially more dangerous than an outside hacker. Your company should have written security policies in place to reduce the risks associated with insider fraud and negligence. In an investigation, a company that experienced a data breach will have to explain whether it implemented the security policies and whether its data privacy and security program was “appropriate” to the company’s size and complexity and to the sensitivity of the customer information at issue. The business technology lawyers at Scott & Scott are recognized leaders in regulatory compliance, enterprise network risk, data risk and security, and related litigation. For more information contact Adam W. Vanek at avanek@scottandscottllp.com.

The Privacy Act

Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:


  • Disclosure to the Census Bureau and the Bureau of Labor Statistics;

  • Disclosure for routine uses within a U.S. government agency;

  • Disclosure of “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”

  • Disclosure to law enforcement agencies;

  • Disclosure to aid in congressional investigations; or

  • Disclosure for other administrative purposes.


The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.

The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.

Data Privacy and Breach Notification: It's Crunch Time for Congress

Learning a lesson from Hurricane Katrina: “One of the most important lessons, is that by reducing vulnerability to high-impact/low-probability disruptions, a company will reduce its vulnerability…”
– Professor Yossi Sheffi, Massachusetts Institute of Technology

On May 22, 2007, President Bush issued a White House directive ordering federal agencies to develop and implement a breach notification policy within 120 days. With September 22nd right around the corner, federal agencies are frantically trying to comply with the White House directive and are finding out that it’s not as easy as it may sound. It seems that drafting a security and breach notification policy is not the main problem. The Federal Government is, of course, very adept at drafting wordy documents that satisfy Congressional mandates, but the main challenge for federal agencies is actually executing.

The fact that the U.S. Federal Government has a problem implementing and executing should come as no surprise to anyone who has been on this planet for more than a week. However, this is also the main challenge for most private companies. When it comes to private companies implementing and executing a program, in this case a privacy policy and breach notification plan, the challenge is almost universal: M-O-N-E-Y. Scott & Scott’s clients commonly discuss the balance between drafting data security and privacy policies as well as a breach notification plan and the practical challenge of putting words into action.

Just like most company emergencies, the matter does not receive the necessary budgetary allocation until it has become… an emergency. You probably know of several empirical examples within your company of such post-catastrophe funding, big and small. In other words, it’s common for a company to use the ostrich approach and ignore a problem hoping that it will just go away. However, when there is a data breach, then and only then will the decision makers throw money at the problem. Unfortunately, the money is in essence thrown into a fan and it gets blown everywhere. The limited resources are spread across all departments that hold out their hand, but the money does not necessarily get spent on the areas that will get a maximum return on investment. The attorneys and technical advisors at Scott & Scott are sensitive to this budgetary balance and advise their clients on the best way to get the most bang for their buck and receive effective legal and technical protection.

Turning the focus back on Capitol Hill, the White House’s directive applies to all Federal information and information systems. In other words, the directive applies to every Federal Agency with a computer. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT) along with the help of Senator Dianne Feinstein (D-CA) are still trying to push their co-authored Personal Data Privacy and Security Act through Congress. This bill goes beyond the White House’s directive and puts into law rules and regulations Federal Agencies must follow regarding data privacy and security. Consumer groups and privacy advocates criticize the bill’s numerous exceptions instituted by Republicans, but both parties agree that a bill of this nature is long overdue. Industry titans such as Microsoft, Sun, and Hewlett-Packard recognize the inevitable legislation and have become a part of the regulatory process as well, vis-à-vis their lobbyists of course.

Now, how can you get your company to dedicate the necessary resources to put its data privacy and security policies and breach notification plan into action? As with most potential emergencies, planning is the key to averting such incidents and planning will also save your company considerable money. Just like your car’s engine, it’s cheaper to prevent the problem than to repair it. Scott & Scott has a proven track record of developing a cost-effective data security and privacy plan uniquely suited for its client’s individual circumstance and budget. The most common mistake companies make is to promise more than is legally required. Let us show you how we can save your company time and money as well as give you peace of mind.

Big Changes for Patent Law Possibly on the Horizon

Late in the day on July 19, the U.S. Senate Judiciary Committee gave its approval to an amended version of the Patent Reform Act of 2007. The Senate action came a day after the U.S. House Judiciary Committee approved a substantively similar bill. While some differences between the House and Senate bills will need to be resolved in conference, passage and enactment of the legislation at this point seems to be much more likely than in years past when similarly extensive overhauls to the nation’s patent laws have been proposed.

Both versions of the Act attempt to curb the frequency of patent lawsuits both by replacing the current “first to invent” standard with a “first to file” patent system, as well as by establishing a “post-grant opposition” authority within the Patent & Trademark Office itself to address and resolve challenges to newly awarded patents. The bills also would restrict permissible venue options for patent litigants to avoid forum-shopping, would increase the factual showing required of claimants in order to prove a case of willful infringement and, thus, treble damages, and would allow courts to award damages based on a patent’s “contribution” to an infringing product’s market demand (which, as an aside, might address the scope of damages for patent infringement, but also would raise an astoundingly complex fact issue).

Recent Congressional action notwithstanding, support for the legislation, as with all attempts at patent reform, remains mixed. Those who invest heavily in research & design, such as pharmaceutical companies and technology licensors such as Qualcomm, have opposed the reforms as an attempt to weaken their ability to protect their intellectual property. On the other hand, technology manufacturers like Apple and most software publishers have supported the reforms as welcome relief from the high volume of patent litigation that tends to flow from products that incorporate a high volume of technological concepts or components.

It remains to be seen whether Congress will be able to work out the differences between the two versions and send a final bill to the White House that the President will be willing to sign. However, the mere fact that the legislation has made it this far means that this is a reform attempt well worth watching.

The Senate version of the Act is available here, the House version here.

The HIPAA Privacy Rule

The U.S. Department of Health and Human Services (“HHS”) promulgated the privacy rule pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), and the Office of Civil Rights (“OCR”) has responsibility for ensuring that health care providers implement and enforce the rule. The HIPAA privacy rule applies to health plans, health care clearinghouses, and health care providers. The privacy rule also requires covered entities that use contractors to protect the information using Business Associate Agreements.

What is a Covered Entity?

As discussed above, covered entities include health care providers, health care clearinghouses, and private benefit plans. It may be difficult to determine whether HIPAA applies in a particular situation. For instance, is information collected by an employer for a health-care plan subject to HIPAA? An individual or an entity is a health care provider if the person, business or agency furnishes, bills, or receives payment for health care in the normal course of business and sends any covered transactions electronically. Covered transactions include requests for payment, requests for benefit information, enrollment in health plans, payments, and remittance. A business or agency is a health care clearinghouse if it processes or facilitates the processing of health information from one format to another and if the business or agency performs this function for another legal entity. A private benefit plan can be a health plan covered by HIPAA if:


  • It is a group plan that has more than 50 participants or a group plan with fewer than 50 participants that is not self-administered;

  • It is a health insurance issuer;

  • It is an issuer of a Medicare supplemental policy;

  • It is an HMO;

  • It is a multi-employer welfare benefit plan;

  • It is an issuer of long-term care policies that provides only nursing home fixed-indemnity policies; or

  • It is a plan that provides benefits other than excepted benefits.


Several government-funded programs can also be covered health plans, including high-risk pools, and certain HMOs. If the principal purpose of the program is something other than providing health care services or paying the cost of health care (e.g., operating a prison or running a scholarship program), the program is not a covered health plan.

What are the Basic HIPAA Requirements?

Pursuant to the rule, a covered entity may use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities and (6) Limited Data Set for the purposes of research, public health or health care operations. Entities governed by HIPAA can rely on professional ethics and their best judgment to determine which disclosures to make. Covered entities cannot use or disclose protected health information unless the use or disclosure is specifically articulated by the HIPAA privacy rule.

Arbitration Clause Barring Class Actions is Unconscionable & Unenforceable

Businesses and individuals are bombarded with contractual legalese daily, and seldom consider the consequence of the language prior to agreeing to the contract. A recent decision addresses the recurring issue of whether language in an adhesion contract barring class actions is enforceable. Authority is split nationwide on the critical question of whether class action waivers in arbitration clauses are enforceable. Several states have denied these waivers any worth, while others continue to enforce class action waiver clauses.

In Scott v. Cingular Wireless, 2007 WL 2003404 (Wash. July 12, 2007), the Supreme Court of Washington granted a substantial win to consumers in a case involving cellular service giant Cingular. Cingular’s service contract included an arbitration clause that provided, inter alia, that the parties waived any right to proceed as part of a class action. The arbitration clause included other provisions applying the American Arbitration Association rules and guaranteeing compensation for consumer arbitration fees, unless determined frivolous. Under the Federal Arbitration Act, written arbitration agreements “shall be valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.” The court nevertheless threw out the arbitration clause and held that a class action waiver in Cingular’s standard arbitration clause was unconscionable and violated Washington State public policy. The court wrote that the waiver “effectively denies large numbers of consumers the protection of Washington’s Consumer Protection Act . . . and because it effectively exculpates Cingular from liability for a whole class of wrongful conduct.” The court reached this conclusion based on its acknowledgement that many of the grievances consumers might have against Cingular would never be litigated absent the filing of a class action because the cases were too small individually.

While Washington has now weighed in on the issue, the question of whether the right to proceed as a class action may be waived as part of an arbitration agreement remains open in other jurisdictions.

U.S. Supreme Court Rules Changes

The United States Supreme Court has adopted a revised version of its Rules of Court that are set to take effect on October 1, 2007. The new rules will affect any business litigating before the court. Companies, trade associations, and interest groups should pay particular attention to changes in the rules governing amicus briefs.

Business interests that are not parties to pending cases are often interested in the issues being dealt with by the court. Companies often participate in cases through trade associations or otherwise by filing amicus briefs. The court has been considering adding a requirement that the first footnote of an amicus brief indicate whether counsel or a party is a member of the amicus curiae or made a monetary contribution to the preparation or submission of the brief. The final version of the rule did not impose this sweeping disclosure requirement. Instead, under new Rule 37.6, the first footnote of an amicus brief must indicate whether a party or its counsel “made a monetary contribution to the preparation or submission of an amicus curiae brief in the capacity of a member of the entity filing as amicus curiae. Such disclosure is limited to monetary contributions that are intended to fund the preparation or submission of the brief; general membership dues in an organization need not be disclosed.”

The procedure for amicus filings has also been changed. Under the new Rule 37.2, amicus briefs in favor of or in opposition to granting certiorari, which formerly were due when the brief in opposition was due, must now be filed within 30 days after the case is docketed. In cases where a respondent waives its right to file a brief in opposition to the petition but the court requests a response, amicus briefs may be filed on the date such a response is due. Anyone filing an amicus brief is now required to notify the parties of their intent to file a brief at least ten days before that brief is due. This will give the respondent an opportunity to seek an extension of time to file its response so that it can address arguments advanced in the amicus brief. Amicus briefs on the merits must be filed within 7 days after the brief for the party supported is filed or, if the brief is in support of neither party, within 7 days after the date for filing the petitioner’s brief. Under this procedure, an amicus will have an opportunity to review the completed brief of the party it is supporting before filing its own brief.

All litigants in the Supreme Court will be affected by the new rules eliminating the old page limitation for briefs and petitions in favor of word count limitations. The new word count provisions found in Rule 33 are similar to those that have been used in the Federal Rules of Appellate Procedure since the 1998 amendments to those rules. Petitions for writ of certiorari and briefs in opposition to a petition may not exceed 9,000 words, while a reply in support of a petition is limited to 3,000 words. Amicus briefs in support or opposition to a petition are limited to 3,000 words. Briefs on the merits are limited to 15,000 words, with reply briefs on the merits limited to 7,500 words. Amicus briefs on the merits will be limited to 9,000 words.

The court has, for the most part, retained its strict guidelines for how petitions and briefs are to be formatted. Documents must now be in 12-point font for text and 10-point font for footnotes, instead of the former 11-point rule for all text. The court now requires that all documents be typeset in a “Century family” font, such as Century Expanded, New Century Schoolbook, or Century Schoolbook. All parties filing merits briefs, including amici curiae, are required to transmit electronic versions of the briefs to the court.

The court has also shortened the briefing schedule at the merits stage. Under the old rules, a respondent’s brief was due 35 days after the petitioner’s brief. New rule 25 requires that brief to be filed 30 days after the petitioner’s brief, with any reply brief due 30 days after the respondent’s brief has been filed.

Complete Text of the Revised Rules: http://www.supremecourtus.gov/ctrules/2007rulesofthecourt.pdf

July 30, 2007

Taking a Bite of the Poisonous Apple iPhone

Potential security problems with the iPhone offer yet another example of the potential legal issues that can arise for businesses when new technology hits the streets. Neither marketing hype nor exciting innovations will protect a company that has not also devoted resources to considering the legal implications of a new product.

Apple sold over 700,000 iPhones the first 3 days of release, for as much as $600 each. It is one of the priciest and most anticipated high tech phones to ever hit the market. Unfortunately, it appears Apple spent more time on their trademark advertising campaigns and media hype than on investigating the loopholes in the phone’s security system. A Baltimore expert security team just unveiled the iPhone’s hacking sweet-spot.

According to the Independent Security Evaluators, an attacker can gain access to the iPhone through a website controlled by the hacker, or through a wireless access point. The 7-person part-time team of investigators managed to hack the phone in just 2 weeks. They discovered that attackers can create a network with the same name and encryption method as the one the phone already uses. Thereafter the attacker can substitute a webpage with exploit code to gain access to the phone. Another means of breaching the phone’s security system is by using a link planted on an unedited or unmoderated online forum, or a link sent by SMS or e-mail. When the iPhone user opens a “malicious” webpage, the attacker’s code can be run on the phone and allow the attacker to read the iPhone’s SMS address book, SMS log, call history, and voice-mail information. This information is then also sent to the attacker. Once the phone is hacked, the attacker can also access the iPhone and manipulate it to send the hacker the phone’s passwords, send text messages to sign up for additional services, and record audio to relay to the attacker. The Independent Security Evaluators introduced a patch for the susceptible spot to Apple, and will reveal further information about the exploit at a conference in Las Vegas on August 2, 2007. This patch is not yet available to consumers.

It is unknown whether any lawsuits concerning the breach have been filed to date; however, the causes of action will be broad and, no doubt, creative. Causes of action could range from the vanilla actions like fraudulent inducement, negligence, breach of warranty for services, Texas Wiretap Act, or product defect to more creative causes of action such as contributory invasion of privacy or public disclosure of private facts. Unlike the data breach incidents involving TJMaxx, DSW, Disney, or Check N’ Go, most of the personal data in the iPhone (such as address books and SMS messages) is not uploaded and stored by Apple. Instead, the data is uploaded voluntarily by the consumer, just as it would be on a personal home computer. Apple’s potential liability on other data breaches, such as the attacker accessing and manipulating the consumer’s billing, is more questionable. Because so little information is known about the security breach, and each state’s Privacy and Security Laws differ, it is unknown whether this breach would be in violation of any state Data Security Acts. Without federal mandates on security breach and notification, the state courts are left to their own interpretation of the state’s laws in light of the issues presented.

Fretful potential plaintiffs will probably look to AT&T, the exclusive service provider for the iPhone, for liability as well. As mentioned in a July 24, 2007 blog entry entitled Arbitration Clause Barring Class Actions is Unconscionable and Unenforceable, AT&T is currently caught in the middle of disputes arising from its arbitration clause forbidding class actions. Washington’s Supreme Court recently threw out the arbitration clause in its entirety; however, the states nationwide are struggling with waiver of class action language in arbitration clauses. Long story short, this will be an interesting and potentially messy case to track.

Federal Circuit Restricts Invalidity Counterclaims In Patent Suits

Companies charged with patent infringement often make use of the federal Declaratory Judgment Act to attack the validity and enforceability of patents. In Benitec Australia, Ltd. v. Nucleonics, Inc., 2007 WL 2069646 (Fed. Cir. 2007), the Federal Circuit limited the circumstances under which such claims may be advanced. Specifically, the court has made it plain that an actual, substantial, and immediate controversy must exist before a claim for declaratory relief will be entertained by a federal court. If the initial claim for infringement is rendered moot by dismissal or otherwise, the counterclaim for invalidity will also, in all likelihood, be dismissed unless the party asserting such a claim can establish that a substantial, actual, and real controversy still exists.

Benitec and Nucleonics are both biotechnology companies involved in “gene silencing,” where disease-causing genes are “switched off” by a mechanism other than genetic modification. Benitec sued Nucleonics for infringing a patent related to RNA-based disease therapy. Nucleonics moved to dismiss the complaint, arguing that the court did not have jurisdiction because Benitec’s claim was based on Nucleonics’ development and submission of information to the FDA. Nucleonics asserted that no controversy had actually yet arisen, given that no new drug application had been submitted to the FDA and no competing product had yet been manufactured or marketed. Nucleonics also sought leave of court to amend its answer and add declaratory relief counterclaims alleging invalidity and unenforceability based upon alleged inventorship fraud. Benitec moved to dismiss its own patent-infringement claim on the grounds that the Supreme Court’s decision in Merck KGaA v. Integra Lifesciences I, Ltd., 545 U.S. 193 (2005), expanded the pharmaceutical research exception to the patent laws, calling into question whether it did have a viable claim. The district court then denied Nucleonics’ request for leave to amend for lack of jurisdiction under the Declaratory Judgment Act.

The Federal Circuit affirmed the dismissal of Nucleonics’ counterclaims for declaratory judgment and in doing so, the court clarified the prerequisites for seeking declaratory relief. In large measure, the court’s analysis was prompted by the Supreme Court’s 2007 decision in MedImmune, Inc. v. Genentech, Inc., 127 S. Ct. 764 (2007), where the Supreme Court disapproved the Federal Circuit’s previous use of the “reasonable apprehension of imminent suit” test for determining declaratory judgment jurisdiction. The court noted that parties cannot invoke the Declaratory Judgment Act to seek what amounts to an advisory opinion regarding “what the law would be upon a hypothetical state of facts.” Applying MedImmune, the Federal Circuit concluded that a party seeking declaratory relief under the Declaratory Judgment Act has the burden of demonstrating that when the claim is filed, there is a substantial controversy with sufficient immediacy and reality to warrant a declaratory judgment. The court did indicate that if a defendant had been charged with actual infringement of a patent, the substantial controversy requirement will be met.

While Nucleonics had been sued for patent infringement, Benitec’s subsequent dismissal of its claim proved to be Nucleonics’ undoing. The Federal Circuit made it clear that to seek declaratory relief, a substantial controversy must also continue throughout the litigation. Benitec properly dismissed its patent infringement claim because Nucleonics’ actions in developing and submitting information to the FDA prior to filing a new drug application were not a legitimate basis for asserting patent infringement. Under the Supreme Court’s decision in Merck, no infringement case would arise until after Nucleonics actually filed a new drug application with the FDA. The Federal Circuit ruled that “the fact that Nucleonics may file [a new drug application] in a few years does not provide the immediacy and reality required for a declaratory judgment.”

One judge dissented from the decision, asserting that “a different test for determining whether there is a case or controversy applies when the allegation of infringement is withdrawn during the course of litigation.” Specifically, the dissenting judge contended that under the Supreme Court’s decision in Cardinal Chem. Co. v. Morton Int’l, Inc., 508 U.S. 83, 98 (1993), if an infringement claim is mooted, an invalidity counterclaim should not be dismissed unless the patent holder demonstrates that there is no possibility of a future controversy with respect to invalidity. The Supreme Court may yet weigh in on this complex intersection of patent and declaratory judgment jurisprudence. In the meantime, the decision in Benitec will limit the circumstances under which a party charged with infringement will be able to assert a declaratory judgment counterclaim for invalidity.

Full Opinion Text: http://fedcir.gov/opinions/06-1122.pdf

July 31, 2007

Forum Selection and Intellectual Property Claims

A recent U.S. Second Circuit Court of Appeals opinion should give contract drafters pause when including what they may consider to be mere boilerplate forum selection clauses in contracts implicating intellectual property rights. In Phillips v. Audio Active Ltd., 2007 WL 2090202 (2nd Cir.(N.Y.) Jul 24, 2007), Plaintiff-Appellant Peter Phillips (a/k/a Pete Rock, an influential hip-hop DJ, producer and rapper) appealed the decision of the New York Southern District Court to dismiss his contract, copyright and state law claims against defendant music companies based on a forum selection clause in the contract between the parties. The clause at issue read: "[t]he validity[,] construction[,] and effect of this agreement and any or all modifications hereof shall be governed by English Law and any legal proceedings that may arise out of it are to be brought in England." The Second Circuit affirmed the trial court’s decision to dismiss the contract claims as clearly falling within the scope of the forum selection clause, but it reversed the decision to dismiss the state law claims (asserting unjust enrichment and unfair competition) and copyright claims based on its determination that those claims did not, as the clause states, “arise out of” the contract.

The defendant music companies argued in the District Court that the copyright claims in particular did “arise out of” the contract provisions giving them the right to distribute an unspecified number of songs to be recorded by Phillips. The Second Circuit disagreed. While it did not give any weight to Phillips’ argument that a claim implicating a law of the United States may never be subject to contractual provisions governing disputes between parties, the court nevertheless found that, on the facts of the case before it and based on the language used in the contract, the forum selection clause had no bearing on Phillips’ right to pursue his copyright claims in any appropriate forum. The songs alleged to have been infringed by the music companies were authored and recorded by Phillips, making him, absent a valid assignment to another party, the owner of the copyright therein, regardless of anything contained in the contract. The defendants clearly could raise the contract terms as a defense against Phillips’ copyright claims, but the source of those claims – where it is that they “arise out of” – is the Copyright Act, not the contract.

The case serves as a useful reminder that a contract drafter who treats any “ordinary” or “boilerplate” provision as a given does so at his or her peril. While the opinion did not specify which party was responsible for drafting the contract, it was likely one or more of the defendant music companies (since it was Phillips who was objecting to litigating his claims in England). Those companies (or their lawyer) likely could have avoided the outcome of the case either by including some measure of specificity in the choice of law or by simply rewording it to include Copyright claims.


You can read the Phillips opinion here.

International Privacy Regulations and Safe Harbor Provisions

To encourage the free movement of personal data without diminishing protection of that data, fifteen member states of the European Union were required to enact national legislation that complied with Directive 95/46/EC (the “Data Protection Directive”). Data collectors must observe the following principles when collecting or processing data:


  • Data must be processed fairly and lawfully.
  • Data must be collected for explicit and legitimate purposes and used accordingly.
  • Data must be relevant and not excessive in relation to the purpose for which it is processed.
  • Data must be accurate and where necessary, kept up to date.
  • Data controllers are required to provide reasonable measures for data subjects to rectify, erase or block incorrect data about them.
  • Data that identifies individuals must not be kept longer than necessary.
  • In principle, all data controllers must notify supervisory authorities when they process data. Member States may provide for simplification or exemption from notification for specific types of processing which do not entail particular risks. Exception and simplification can also be granted when, in conformity with national law, an independent officer in charge of data protection has been appointed by the controller.


Because the United States’ regulations for privacy are not as stringent as those in the European Union, businesses in the United States that want to collect or process data belonging to an individual in one of the fifteen member states must qualify for safe harbor registration. To qualify for the safe harbor, an organization can (1) join a self-regulatory privacy program that adheres to the safe harbor's requirements; or (2) develop its own self-regulatory privacy policy that conforms to the safe harbor. The safe harbor provisions include:

  • Notice

  • Choice

  • Onward Transfer (Transfers to Third Parties)

  • Access

  • Security

  • Data integrity

  • Enforcement


If an organization is willing to certify that it meets the qualifications of the safe harbor, it can collect and process data from European citizens. Companies that are interested in joining the safe harbor can review the checklist located at http://www.export.gov/safeharbor/Sh_Checklist.asp for more information. The Department of Commerce maintains a list of all organizations that file self-certification letters and makes both the list and the self-certification letters publicly available.

About July 2007

This page contains all entries posted to Business and Technology Law in July 2007. They are listed from oldest to newest.
