Scott & Scott | Software Compliance Counsel

March 2008 Archives

March 6, 2008

Choosing the Right Microsoft Server Product

Many businesses use Microsoft server products to manage their network, their data, and their e-mail communications. However, businesses often select a Microsoft server product without weighing the advantages and disadvantages of the products' Standard and Enterprise versions. Carefully examining the functionality and licensing schemes of each product can help prevent unnecessary expenditures on software.

Standard products are generally less expensive and less robust than their Enterprise counterparts. This does not mean that Standard products are the wrong choice for a business. Standard products are often powerful enough for a business' needs. A business that is better matched to a Standard product may experience more difficulty managing the numerous features and settings of an Enterprise product, which may require significantly more effort and expertise to properly implement.

A business that owns a properly licensed copy of a Standard product cannot operate an Enterprise version without purchasing and owning an Enterprise license. Obtaining an Enterprise product by alternative means and installing it in place of a Standard product may lead to compliance issues in the case of an audit. Management may be unaware of the technology solutions deployed in its environment, and to its surprise, discover too late that the business is out of compliance and under investigation by one of the several auditing entities that represent Microsoft. An improperly licensed Enterprise product may lead to exponentially higher licensing costs than a Standard product.

Enterprise products are typically used in complex environments such as universities, hospitals, and data centers serving users numbered in the hundreds or thousands. Consulting the features and licensing rules for individual products could result in a more cost-effective purchase for your business.

Trademark Guide: Domain Names and Infringing Use on the Internet

eBay recently entered into a stipulated final judgment with the operator of another Internet auction site that, as alleged by eBay, committed trademark infringement, dilution, false designation of origin and unfair competition through its use of a confusingly similar domain name – CoinBay.biz. Under the agreement, the CoinBay operator agreed to change the name of its site to CoinDay.com and to never attempt to register any trademark with “bay” or with a logo that includes offset letters or alternating colors, as in the well-known eBay logo.

The case serves as a reminder to all businesses owning famous marks that policing potentially infringing use of those marks by others can be a challenging prospect. An illegally infringing use can involve all or, as in the eBay case, only part of a mark. In some cases, though there may be a facially infringing use, if it is not tied to the promotion of products or services similar to those associated with the protected mark, the owner’s legal remedies may be limited. Furthermore, while certain cases may require trademark, cybersquatting, or unfair competition litigation in order to reach a resolution, others may be addressed through indirect methods, such as a request to an Internet service provider (ISP) that it take down an infringing site. With trademarks, as opposed to copyrights, the latter remedy may be somewhat less obvious, as there is no trademark equivalent to the Digital Millennium Copyright Act, under which an ISP is given safe harbor from potential copyright claims only if it removes infringing material in response to written notice from the copyright owner. In contrast, for trademarks, an ISP’s own terms of use often can be helpful in convincing it to remove infringing content.

The amount of business conducted worldwide on the Internet will only continue to increase into the future. Policing unauthorized use of protected marks on the Internet is therefore the lynchpin to an effective trademark enforcement regime.

IT Departments Having Difficulty Finding Employees with Proficient Privacy and Security Skills

Network World recently published the results of a Computer Technology Industry Association (“CITA”) survey indicating that many businesses are in need of IT professionals with a variety of security and data privacy skills. Although approximately 75 percent of businesses identified security, firewall, and privacy skills as essential to the success of their organization, only about half of the businesses surveyed said they believed their employees possessed the necessary privacy and security skills.

Many organizations are aware of the skills gaps in their IT departments and are planning to offer training or encourage employees to complete certification courses. However, the skills gaps could pose a problem for organizations that do not take corrective action soon enough. For instance, if a HIPAA-covered entity is aware that its security personnel are not adequately trained, and takes no steps to correct the deficiency, the organization is likely out of compliance with HIPAA requirements.

It is important for organizations to review their privacy and security policies, identify any risks, prioritize the corrective action, and implement solutions. Organizations that are struggling to find qualified candidates may consider using outside consulting services to assist with the privacy and security initiatives.

California Court – No Individual Liability for Retaliation

Overruling a number of decisions by intermediate appellate courts, a divided California Supreme Court has rejected the notion that an employment discrimination plaintiff may file claims against individual defendants for retaliation. The decision in Jones v. The Lodge at Torrey Pines Partnership, 2008 WL 443670 (Cal. 2008), will foreclose the pursuit of claims against individual defendants for retaliation under California’s employment discrimination laws.

The case arose when Jones sued his employer and Jean Weiss, his supervisor, for various causes of action, including sexual-orientation harassment, sexual-orientation discrimination, and retaliation in violation of the California Fair Employment and Housing Act (“FEHA”). The trial court granted summary adjudication to the defendants on the harassment claim, finding that Jones failed to present admissible evidence of harassment by Weiss. The discrimination claim against the employer proceeded to trial, as did the discrimination and retaliation claims against Weiss, and the jury returned a verdict in favor of Jones. The trial court granted the defendants’ motions for judgment notwithstanding the verdict and for a new trial, concluding, inter alia, that an individual cannot be liable for retaliation. The Court of Appeal reversed, finding that an individual can be held liable for retaliation under FEHA. This holding was consistent with rulings made by other divisions of the Court of Appeal.

The Supreme Court, however, concluded that individuals cannot be held liable for retaliation. The court noted that as a general proposition, individuals cannot be held liable under FEHA for discrimination. Specifically, the court indicated that while employers may be liable for unlawful discrimination, “individuals working for the employer, including supervisors, are not personally liable for that discrimination.” But unlike the statutes prohibiting discrimination, the retaliation statute makes it unlawful for an employer, labor organization, employment agency “or person” to retaliate against an individual who opposes unlawful practices or files a complaint about such practices. Jones argued that because the retaliation statute includes the word “person,” the statute’s plain meaning indicates that the legislature intended that an individual could be personally liable for retaliation.

The Supreme Court disagreed. The court began by noting that the statutory language is not plain, in that it does not clearly establish that an individual is to be held personally liable for retaliation. Instead, the court concluded that the same principles it applied to discrimination cases were controlling in retaliation actions. According to the court, discrimination claims “arise out of the performance of necessary personnel management duties,” unlike harassment claims, which are based on individual actions. The decision to harass an employee falls outside an individual’s normal job duties, making individual liability appropriate, while personnel decisions and actions have to be made, even if they turn out to be discriminatory. The court concluded that this reasoning, as well as other reasons for not imposing individual liability for discrimination, “apply equally to retaliation.” Three justices dissented, pointing to what they described as the clear language in the statute providing for individual liability.

Full Opinion Text: http://www.courtinfo.ca.gov/opinions/documents/S151022.PDF


March 25, 2008

The Idea-Expression Dichotomy in Copyright Law


It is not possible to copyright an idea. The owner of a small business in Georgia recently received an undoubtedly unwanted lesson in this sometimes-overlooked aspect of copyright law when she saw her suit for copyright infringement dismissed following the court’s grant of summary judgment in the defendant’s favor.

At issue in Ristuccia v. Super Duper, Inc. were decks of flash cards used to assist individuals undergoing speech therapy to learn to properly pronounce the letter ‘R’ in the English language. The plaintiff claimed that the defendant infringed the decks she published by “(1) copying her selection of R allophones and/or words and images, and (2) arranging its Vocalic R Cards decks in a phonetically consistent manner.” The Plaintiff believed her sound selections and arrangements to be original and protected by copyright.

However, as the trial court explained in its opinion, the scope and availability of copyright protections afforded to the “selection and arrangement” of constituent elements in a compilation is “thin,” even in cases where the bulk of the elements comprising an alleged infringer’s work were copied from material published by a claimant. With regard specifically to the arrangement of the selected components, the court stated:

Once again, Plaintiff is attempting to argue that her educational ideas are protected by copyright. They are not. Although the concept of arranging words in a “phonetically consistent” manner may be a useful educational innovation, a concept is not protectable by copyright. Defendant cannot be liable for simply arranging a non-infringing selection of words in a “phonetically consistent” manner.

(citations omitted)

This issue is sometimes described as the “idea-expression dichotomy” in copyright law. In many instances, it can present more of a challenging dilemma than in the Ristuccia case, because the “idea” and the “expression” are both intangible concepts, and their contours are therefore subjective. In closer cases, the outcome may be different, and a business that uses copyrighted content in a way that it believes to be a different expression of a common idea may nevertheless find itself on the losing end of a lawsuit.

Student Loan Company Settles With FTC

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.

Goal Financial provides a variety of loan services and collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information in its course of business. The company is therefore a “financial institution” according to the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in electronic and paper form.

The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:

(1) assess adequately risks to the information it collected and stored in its paper files and on its computer network;
(2) restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;
(3) implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;
(4) provide adequate training to employees about handling and protecting personal information and responding to security incidents; and
(5) require third-party service providers by contract to protect the security and confidentiality of personal information.

Goal Financial’s employees allegedly exploited these failures and removed more than 7000 consumer files containing sensitive information without authorization and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing personal information of approximately 34,000 consumers.

Due to such failures, Goal Financial also violated the Safeguards Rule of the GLBA, which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.

Additionally, the Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices” including its security policies and practices. Goal Financial distributed to its customers a privacy policy that contained false or misleading statements regarding the measures implemented to protect its customers’ personal information.

The proposed settlement requires Goal Financial to institute measures to bring it into compliance with the rules stated above and to prevent it from committing future violations.

View the news release http://www.ftc.gov/opa/2008/03/studlend.shtm

View the complaint http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf

View the proposed settlement http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf

FTC Deadline for Commenting on Behavioral Advertising Guidelines Extended Until April 11

Businesses that use behavioral marketing and advertising techniques may consider reviewing and commenting on the Federal Trade Commission’s (“FTC”) proposed guidelines. The guidelines are designed to provide consumers with more visibility into the behavioral advertising process, which the FTC recognizes can be very valuable.

The FTC’s guidelines are designed to address four primary concerns:
- greater transparency and consumer control;
- the need to prevent criminals from accessing data collected for behavioral advertising;
- ensuring that companies keep their privacy promises when changing their privacy policies;
- the collection of sensitive data, like medical records or children’s activities, for behavioral advertising.

According to the FTC, businesses could use the guidelines as a tool for self-regulation. The FTC has extended the deadline for commenting on the guidelines until April 11. For the complete text of the proposed guidelines, visit Federal Trade Commission.

About March 2008

This page contains all entries posted to Business and Technology Law in March 2008. They are listed from oldest to newest.
