Business and Technology Law

On April 4, the Washington state legislature passed a bill making it a violation of the state’s unfair competition laws for a business to sell products in Washington “while using stolen or misappropriated information technology in its business operations,” provided that the business first receives notice of the alleged misappropriation. The law applies regardless of whether the theft or misappropriation takes place inside the state or even inside the USA – if a company based in China engages in software piracy in China, the Washington law still affects the sale of goods inside the state.

The measure results in potential civil liability for affected companies doing business in the state, and it also enables the state attorney general to pursue civil damages and injunctive relief against violators. Unsurprisingly, the bill was heavily favored by Microsoft, one of Washington’s largest private employers, which gains a significant new remedy for the unlicensed use of its software products. However, tech companies like Apple, Dell and Motorola lobbied hard against the bill, since it effectively forces them to conduct costly due diligence into their suppliers’ IP and software-licensing practices.

Washington is not the first state to consider this kind of legislation – Louisiana passed a similar measure last year, and Microsoft is actively pursuing a state-by-state campaign to pass similar laws. However, Washington probably is the most economically significant state to pass this kind of measure. Negatively affected businesses can expect to find themselves hauled into Washington state court in the event of a violation or, if they are outside its jurisdiction, might find their product inventory located in Washington being impounded and subject to forfeiture. It also would not be surprising to see this kind of measure used as leverage against businesses in software audit-related matters.

Most Internet service providers are well versed in their obligations with regard to copyrighted content posted by their users. Sophisticated vendors know that the Digital Millennium Copyright Act (DMCA) gives them an important shield against claims of contributory copyright infringement resulting from their users’ actions, as long as the providers have a registered agent to receive claims from content owners and take prompt action to remove infringing content brought to their attention.

However, ISPs’ exposure to IP-related claims does not end there, as a recent judgment in a federal lawsuit demonstrates. On March 14, 2011, the U.S. District Court for the District of South Carolina entered judgment against a search engine optimization firm based on the company’s role in helping to create and host a website used to market counterfeit golf clubs. The plaintiff in the case, Roger Cleveland Golf Company, had alleged that the SEO defendant in question, Bright Builders, knew or should have known that it was hosting and otherwise helping to market a site (under the not-so-subtle domain www.copycatclubs.com) that was being used illegally to infringe the plaintiff’s trademarks. The jury in the case agreed and determined that Bright Builders should be held liable for damages, even though it never received actual notice of infringement from the plaintiff prior to the filing of the lawsuit.

SEO companies and web hosts need to pay close attention to the outcome in this case. There is no equivalent under U.S. trademark law to the safe harbor provisions of the DMCA. This means that aggrieved trademark owners do not have to make ISPs aware of trademark infringements before filing suit and that ISPs therefore have an affirmative duty to take steps to address hosted content that clearly infringes third-party trademarks. The disparate damages awards in this case ($770,750 against Bright Builders, compared to $28,250 against the site owner) should serve as strong incentive for ISPs to maintain a reasonable level of awareness regarding how their services are being used and, ideally, to implement policies allowing trademark owners to easily bring infringing content to the ISPs’ attention.

It appears that Congress is taking seriously the mandate from the Obama Administration regarding Internet privacy issues. In February, Senate Judiciary Committee Chairman Patrick Leahy announced the creation of a new subcommittee called Privacy, Technology and the Law, which will oversee laws and policies that govern the “collection, protection, use and dissemination of commercial information by the private sector.” In March, Senators John McCain and John Kerry introduced proposed legislation that would create an “online bill of rights.” The McCain-Kerry law is poised to become the first comprehensive federal privacy law governing data collection, storage, and transfer. While these actions are aimed at addressing privacy issues as they implicate individual consumer rights, there is no limit to how impactful these laws could be in creating additional administrative and procedural requirements for the majority of cloud computing providers.

Traditionally, cloud service providers have attempted to disclaim any and all liability for violations of state or federal privacy laws. Whether addressed in an “applicable law” or hidden somewhere in a “limitation to liability” provision, cloud providers have put the onus of adherence to state or federal data privacy regulations squarely on their clients. Providers in effect were saying, “we can help you house and store your data, but we cannot be expected to account for laws associated with types of data you store on our servers. That expertise—and therefore liability—lies with you.” Congress’ likely response to cloud providers is that they can, in fact, expect to be liable for data privacy regulations because the laws will specifically require them to be.

If the HITECH Act is any indicator of the direction the wind is blowing on Capitol Hill, cloud providers likely will be forced to enact policies designed to comply with these new privacy laws. Contractual limitations on liability and disclaimers of responsibility for compliance with applicable laws will give way to technical and administrative data security baseline requirements. It is important for software companies considering taking their services to the cloud and for businesses seeking a cloud provider to consider the ramifications these laws will have on their agreements. Careful risk balancing at the outset of a cloud-service relationship can protect both parties from impending developments in federal privacy law regulations.

For organizations experiencing the resource drain that is the impending expiration of a Microsoft Enterprise Agreement (“EA”), the decision of whether to move forward with renewal is critical. These renewals easily can impart a seven-figure hit on an organization’s IT expenditure, and it is important to understand the full spectrum of the costs and benefits of renewal. Key factors to consider when making an EA renewal decision include the following:

1. You already paid for a perpetual license. Upon expiration of the EA, the organization retains perpetual use rights to all of the software titles they ordered during the term of the agreement. Organizations do not need to renew just to continue using the products that are currently licensed and installed under the EA.
2. You will continue to receive product support. Software security fixes, patches, and updates are included in the perpetual license. Microsoft will continue to provide product support for those installed titles for the duration of the product lifecycle regardless of the status of your EA.
3. Premier support services will expire. It is important to distinguish between product support and the premier support services included in your Microsoft EA. If your organization relies on these premier Microsoft environment support services, you should strongly consider renewing the agreement. However, there are other support service options available directly from Microsoft or Microsoft Partners that may fit the needs of your organization.
4. Upgrade rights are available post-EA. Just because your EA expires does not mean you cannot upgrade to the next version of an enrolled product when your organization is ready. You retain the rights to upgrade to the next version so long as that version was released by Microsoft while the EA, or more specifically, the Software Assurance under the EA, was active.
5. Virtualization rights expire. One of the key selling points for Microsoft is the desktop and server virtualization rights that accompany an EA. If your organization is leveraging virtualization to minimize support and deployment costs, it is important to understand the costs of losing these rights.

In addition to the IT analysis and strategy implications, the renewal process should include significant interaction with your legal department to help ensure entitlement reconciliations and renewal agreement negotiations adequately protect your organization from future Microsoft audits. It is not uncommon for the information sharing that occurs during a renewal to raise a red flag for Microsoft, so the entire process should be carefully managed and controlled. Whether you are still making the strategic decision with regard to renewal or are moving forward with the negotiation, we recommend engaging experienced counsel to help protect your rights, avoid situations that may trigger an audit, and obtain the best possible deal for your organization.