Business and Technology Law

As Egypt’s government seized control and cut off that nation’s access to the Internet last week, U.S. Senator Joseph Lieberman reintroduced the “Protecting Cyberspace as a National Asset Act of 2010” legislation, commonly referred to as the Internet Kill Switch Bill. Although the timing unintentionally coincided with the events in Egypt, sponsors of the bill have no intention to abandon the legislation.

The bill is designed to grant the government power to disable the internet in the event of a cyber emergency. The Internet Kill Switch Bill expands the scope of the Communications Act of 1934, which authorized the government to eliminate access to communication. The legislation will empower the President with authority to work with Internet service providers to shut down access to critical infrastructure in the event of an emergency, although it is not yet clear what circumstances may prompt such an action. Proposed language precludes judicial review of the government’s designation of vital Internet and computer systems subject to the Act. Homeland Security would have the authority to establish a list of vital systems and assets that would be affected by the Bill.

Especially in light of the recent events in Egypt, however, there may be a greater likelihood that this legislation will meet stiff opposition in Congress. Moreover, even if it were to be passed in its present form, heightened public sensitivity to the issue would seem to guarantee legal challenges.

Many companies today have their own company Facebook Pages, Twitter accounts or blogs. It is estimated that 4 out of 5 companies with more than 100 employees will utilize social media platforms to communicate with their current customers and to market to potential ones. These companies understand the value of participating in the online marketplace. What is not widely understood, however, is that companies are obligated to store and maintain social media communications as “electronically stored information” or ESI in the same way as they are obligated to store e-mail or written communications. Courts require companies to have document retention policies in place to allow the companies to access and produce such ESI during the discovery phase in the case of litigation.

Many organizations are either unaware that their current document retention policy does not include social media, or they rely on the social media platforms themselves to maintain social networking communications for them. The problem with relying on the social media platform to maintain your company’s communications is that these platforms are typically not under any obligation to do so. Before a company chooses a strategy of “let Twitter manage our communications, and if they lose some, we’ll just tell the court we don’t have ‘em”, organizations should be aware that courts are increasingly penalizing such attempts to avoid responsibility with harsh monetary sanctions.

Companies should revise their document retention policies to include social media communications if they wish to avoid the risks of discovery sanctions. From a technical perspective, there are some vendors emerging with monitoring and storage services designed to maintain social media compliance with document retention policies. Organizations should understand their use of social media platforms, and work with their legal and IT teams to determine the best method for storing and maintaining social media content and communications.

Many business owners seem to have an inaccurate grasp of what it means to acquire trademark rights in a word, phrase, logo or other item capable of serving as a trademark. Usually in the context of a discussion of filing an application to register a trademark with the U.S. Patent & Trademark Office, many practitioners often hear (and some, unfortunately, often say) some derivation of: “It is time to trademark that slogan.” This inaccurately conveys the sense that all trademark rights in that slogan depend on registration with the USPTO. Not so.

It is critical for businesses to remember that, in most cases, they acquire meaningful rights in trademarks as soon as they apply the marks to their goods or use them in connection with their services in commerce. The principal exception to that rule is when other persons or businesses started using the same marks first (or marks that are confusingly similar to them) and, therefore, can claim priority. It is for that reason that it always makes sense to ask an attorney to run or order a trademark screening search – including U.S. federal, state and international registrations as well as common-law sources like business filings and web searches – to determine whether and the extent to which a proposed mark may already be used in commerce.

Registration is an important step for helping to ensure that trademark rights, once vested through first use, are protectable in court. However, registration is not necessary in order to create an ownership right in those marks, and businesses actually may risk losing rights if they assume – incorrectly – they are without remedy for the infringement of an unregistered mark.

In 1986, Congress passed the Computer Fraud and Abuse Act, or CFAA, which established criminal liabilities for unauthorized access to information stored on a protected computer. Since that time, the CFAA has been amended to keep up with new privacy concerns and, in some cases, civil liability has been attached. The typical CFAA claim is asserted by a party against an unrelated entity accused of stealing computer files for personal gain. However, in cases where a company is seeking to prosecute one of its own employees for accessing protected files, the meaning of the phrase “without authorization,” an element of any CFAA claim, is hotly contested.

In a December 27, 2010, decision by the Eleventh Circuit, the court upheld the conviction of an employee for accessing certain social security information for improper purposes, even though the employee was authorized to access that social security information. The court said that policies defining both the types of information that an employee may access along with the purpose for which the employee may use that information are both relevant under the CFAA “without authorization” inquiry. In contrast, the Ninth Circuit ruled in 2009 that an employee who was given access to files, without such access being accompanied by a specific “permitted use” requirement, could not be considered in violation of the CFAA regardless of the use of the information—even if the use was clearly non-business-related.

The decisions by these two and other Circuit courts are indicative of a split in authority when interpreting “without authorization.” However, the lessons for businesses should not be subject to debate. Businesses need to implement thoroughly considered and well-crafted Acceptable Use Policies addressing, among other things, the specific types of information that employees may access along with descriptions of how such information may be used by those employees. It is best practice to review and amend these documents on an annual basis, as changes to company structure or employee access frequently change.

Every savvy business owner understands the importance of due diligence when engaging in an M&A transaction, but the Third Circuit issued a ruling that serves to underscore the point that due diligence must be accompanied by a thoughtful risk assessment exercise. On January 21st, 2011, the Third Circuit ruled that a buyer who purchases a seller’s assets may be liable for the seller’s late contributions to certain benefit plans. Einhorn v. M.L. Ruberton Construction Co., No. 09-4204 (3d. Cir. 2011). The court reasoned that interest in federal labor law policy is more important than common-law, “successor-liability” doctrines that normally shield buyers from a seller’s liabilities (unless the buyer is merely a re-organization of the seller).

In Einhorn, the purchaser corporation, Ruberton Construction Co., was aware of the late contributions prior to its purchase of the assets of Statewide Hi-Way Safety, Inc. Shortly after the purchase, the administrator of the benefit plan in question sued Statewide for the delinquencies, plus liquidated damages. Statewide and Einhorn entered into a settlement agreement under which Statewide was to pay the late contributions in a series of installments. Statewide later breached that agreement, and Einhorn sued Ruberton. The Third Circuit ruled that Ruberton was liable for the delinquencies, even though Ruberton was not merely a continuation of Statewide. While the finding that Ruberton was liable for Statewide’s failure to contribute to an ERISA plan can be viewed as a narrow exception to the successor-liability doctrine, it may signal a trend toward expanding the responsibilities of buyers for the liabilities of sellers.

Purchasers and M&A counsel should take note that due diligence is more than reviewing a checklist of documents produced by sellers. In Einhorn, Ruberton knew of the liability prior to purchasing Statewide, which suggests that an open and honest due diligence process was employed. However, risk assessment goes hand-in-hand with due diligence checklist review. While a purchaser may be eager to execute a deal, experienced counsel must understand the implications of each piece of information gleaned from the due diligence process and must take time to outline the associated risks for their client prior to closing the deal.

In February, Sony posted a notice on its official PlayStation blog threatening to permanently ban users from the company’s online PlayStation services if those users deploy circumvention devices or software to “jailbreak” their PlayStation consoles, thereby enabling those consoles to play pirated or otherwise unauthorized game software. Sony considers such activities to be a violation of the PlayStation software license agreement and a breach of the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA). The announcement represents the latest in a series of anti-PlayStation-jailbreaking actions by Sony, which previously sought a temporary restraining order against hackers who published a how-to guide for PS3 jailbreaking.

Hardware and software tools used to overcome encryption or access-control functions in software can constitute violations of the anti-circumvention provision of the DMCA. That provision allows for civil and, in cases of willful conduct, criminal penalties for users found to have violated its terms. The court also may grant necessary injunctive relief and may apply punitive and actual damages in response to profits received as a result of the infringement, in addition to attorney’s fees for the copyright owner.

Although Sony’s lawsuit against the hackers is ongoing, Sony was granted an inspection of the defendants’ hard drive and the right to remove any circumvention devices found. The hackers’ web site also was ordered to be removed from YouTube. If Sony ultimately prevails against the hackers, it may seek civil damages in addition to the injunction relief already granted.