Scott & Scott | Software Compliance Counsel

Andrew Martin Archives

August 19, 2011

Microsoft Enterprise Agreement – Understanding Qualified Desktops and Users

Software licensing for medium to large companies is complicated. Not only are the software license agreements often hard to read and understand, but the terms frequently change with little notification to the user. Deploying software across an entire enterprise, therefore, can be exceedingly complex, and it requires both technical expertise and a thorough understanding of the practical application of the terms and conditions of the licenses. Many organizations, relying on their senior IT professional to make software purchasing recommendations, fail to submit the licensing agreements to legal review. For those that do submit the licenses to legal, the lawyers reading the agreements often will understand the typical contract language—the indemnities and limitations of liabilities of the world—but they often will not fully appreciate the practical effect of the license on implementation, deployment, and compliance. Over the coming weeks, I will use Microsoft’s volume licensing agreements as an example to highlight some of the legal and practical issues arising from enterprise-level software licensing agreements—issues that affect how companies deploy software, develop and test software solutions, report usage, design data centers, etc.

To ease some of the pain of licensing software for large organizations, Microsoft developed the Enterprise Agreement (“EA”). At its core, the Microsoft EA was created to standardize licensing across all of an organization’s PCs. It accomplishes this by forcing the company to purchase a pre-defined bundle of software titles, the “Desktop Platform,” for each desktop or user considered “qualified” under the agreement. These bundles include a Microsoft operating system, an Office Suite (Professional or Enterprise), and a Client Access License Suite (Core CAL or Enterprise CAL).

Under the standard EA, Qualified Desktops are all desktop computers owned by the company. Another option is to license not by desktop, but by user. Qualified Users are defined as any user that accesses any of the organization’s server software or online services. This means that every desktop (or user) within an organization must be licensed for one of the pre-defined bundles.

Unfortunately, organizations sometimes enter into these agreements without fully appreciating what this means for them. Many companies have different classes of users—some require the full Office Suite to perform their job tasks, while others may only need intermittent access to e-mail or Word. The standard flavor of EA would roll out the same desktop platform to every qualified user or desktop, resulting in dramatically underutilized software deployments. With careful evaluation of internal needs along with a heavily negotiated EA, organizations can avoid these overdeployments and can more successfully take advantage of the discounts and licensing efficiencies originally offered by the EA.

August 2, 2011

Microsoft Server Licensing – Shared Resources for Internal and External Users

When it comes to Microsoft licensing, we are frequently asked how to license for a situation where a Microsoft server resource is to be accessed both by internal company employees and external non-employee affiliates. Our typical legalese answer to this perfectly reasonable question: “It depends.” The correct answer (read: most-cost-effective-while-still-being-compliant answer) requires an examination of the circumstances surrounding the required access (number of users, manner of access, specific server products implicated) and a grasp of the company’s current licensing environment with Microsoft.

In most cases, the threshold question to answer is this: “Are my affiliates paying me for access to the Server resource?” If the answer is yes, then we generally suggest that our clients enter into a Service Provider License Agreement, or SPLA, with Microsoft. Though designed for use by “hosting or application service providers,” the SPLA can be used by other organizations as well. Essentially, the non-hosting/service providing company will form an affiliate entity that licenses the software from Microsoft under a SPLA, then turns around and provides software services to both internal employees and external affiliates. It’s a fairly straightforward process, but it does increase the transaction costs somewhat. In the right situation, however, the benefits gained from licensing in this manner will outweigh any upfront costs.

On the other hand, if the answer to the “paying for access” question is “no,” then factors such as the number of users and the nature of the required access will determine the best course of action. One model is to purchase user CALs for each employee and affiliate user who will be accessing the resource. Another option is to purchase CALs for internal users, and an External Connector license for those outside the organization. In other cases, a processor license along with an external connector license becomes the more economical choice, from both licensing spend and licensing management perspectives.

The point is, there is no one “right way” to license for this usage environment. The model that is right for a given organization requires thoughtful examination of the facts. To make matters more complicated, it has been our experience that resellers, and many times Microsoft representatives themselves, do not completely understand the intricacies of these licensing schemes, and sometimes inadvertently give technically or financially bad advice because of it. However, our experience is that once you break through the first or second levels of licensing discussion and talk directly with Microsoft’s licensing experts, they are willing to work with you to find the optimal solution.

Overview of Proposed Federal Data Privacy Legislation for 2011

Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the Do Not Track Online Act, discussed here previously, and the comprehensive Commercial Privacy Bill of Rights Act sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.

Personal Data Privacy and Security Act – Sen. Leahy

  • Preempts state breach notification statutes
  • Criminalizes intentionally or willfully concealing a data breach
  • Breach notification to be made “without unreasonable delay”

Secure and Fortify Electronics (SAFE) Data Act – Rep. Bono Mack

  • Preempts state breach notification statutes
  • 48-hour breach notification requirement, in some cases
  • Civil penalties available; capped at $5M

Data Security and Breach Notification Act – Sen. Pryor

  • Similar form to the SAFE Data Act
  • 60-day breach notification requirement
  • Includes special rules for “Information Brokers”

Whether any of these become law by the end of this year’s session is not clear. However, the 48-hour breach-notification requirement proposed by Rep. Bono Mack seems to be generally unworkable in practice, making the requirement unlikely to be a component of any enacted law. What is clear, however, is that with recent, highly publicized and scrutinized data breaches at Lockheed Martin and Sony, greater-than-average political will exists in Congress to approve some form of federal data privacy and security legislation this year.

May 17, 2011

Renewal Grace Period in Microsoft Enterprise Agreements

The Microsoft Enterprise Agreement renewal process can be a difficult time for many large organizations. The process generally begins with a count of software products, processor cores, and virtualizations. All of these elements are necessary for a thorough evaluation of an organization’s true-up obligations under the EA. Next up is the process of evaluating future needs in order to determine whether the perpetual use rights associated with the licenses purchased under the original EA will satisfy the organization’s needs moving forward. Finally, all of these activities must be conducted under the looming specter of the EA’s expiration date and the associated non-stop communications from the company’s Microsoft account representative.

However, to avoid making a hurried decision that could end up costing an organization hundreds of thousands of dollars in unneeded licenses, decision makers must understand: 1) the penalties, if any, associated with non-renewal; and 2) the actual date by which the decision must be made. It is important to understand that a decision not to renew does not instantly make an organization noncompliant. In fact, one of the biggest benefits to the EA, as opposed to the EAS (Enterprise Agreement Subscription), is the perpetual license grant that comes with most products. On the other hand, there is a significant penalty to Software Assurance users if they let the EA lapse – when the EA agreement expires, Microsoft typically requires its customers to purchase the Software Assurance along with another copy of the product license.

The good news, for most organizations just now coming off a three-year EA, is that Microsoft likely built a grace period into the original agreement by including a 30-day window from the expiration of the previous EA to renew with Software Assurance without being forced to re-buy the underlying product license. The bad news is that Microsoft removed this grace period provision for most EAs signed after 2009. For these customers, the expiration date for those agreements really is the expiration date.

Microsoft customers should carefully read their EA to determine whether a grace period for Software Assurance is present or consult with an experienced attorney to assist with protecting legal rights when making this expensive decision on renewal.

Responding to a License Review Request from Oracle License Management Services

As with many software publishers, Oracle seems to be making a push to audit its customer base in search of revenue streams arising from licensing deficiencies. However, Oracle usually does not like to use the word “audit” and instead tends to ask its customers to engage in a “license review,” courtesy of the Oracle License Management Services (LMS) division. LMS generally requests that a customer fill out a Server Worksheet, which is essentially an overview of the company’s Oracle deployments.

Before responding to such requests, organizations must understand both their legal rights with respect to a prospective audit, as well as the various Oracle license grants as they apply to their environments. In many cases, organizations inadvertently become non-compliant over the course of a few years, seemingly without growing their database environment. For example, installing Oracle version upgrades sometimes turns on software features, such as the diagnostic and features packs, which trigger an associated increase in licensing cost. A company’s IT department can significantly increase its Oracle spend during version upgrades without knowing it.

If the Oracle Server Worksheet contains information that concerns LMS, Oracle may ask the customer to allow Oracle to run a set of scripts across its network to perform an in-depth network deployment audit—the mere thought of which should make even the most confident CIO squirm. Organizations should carefully consider any response they make to Oracle to avoid that kind of request. If there are any concerns whatsoever about the state of a company’s Oracle deployments and associated entitlements, consulting with experienced counsel prior to responding to an Oracle license review request is highly recommended.

May 6, 2011

Are Your Microsoft SQL Servers Properly Licensed?

Depending on the size of your organization, Microsoft SQL Server licensing costs easily can be one of the biggest yearly expenditures for an IT department. As multi-core and virtualization technologies have taken hold in nearly every datacenter across the globe, SQL Server spends often consist not only of licensing the SQL Server instances, but also, in many cases, of over-licensing due to a lack of clear understanding of SQL Server licensing models and associated options. Proper licensing of SQL Server depends on, among other things, SQL Server use characterization, access characterization, and developer needs.

Microsoft Developer Tools represent a good example. Microsoft created the Developer Tools category of licenses for use by software developers. Some of the Developer Tools include SQL Server use rights (such as Visual Studio with MSDN and SQL Server Developer), and these generally are licensed on a per-user model. For instance, under the March 2011 Products Use Rights document (which contains license terms applicable to Microsoft software licensed under one of the company’s Volume Licensing programs), a user of a Developer Tool has rights to install unlimited instances of the included software titles, provided that every installation is used “to design, develop, test, and demonstrate” the programs under development. Microsoft Developer Tools licenses also include downgrade rights and end-user testing rights (meaning that end users do not need any license whatsoever to “perform acceptance tests” on the programs being developed). In addition, a SQL Server Developer license entitles developers working in third-party environments (like SAP) to install and access a SQL Server back-end for development, testing and QA purposes, and the SQL Server Developer license also permits the in-place upgrade of the test server to production uses without redeploying the solution to a different “production server.”

Why should you care? A SQL Server Developer license runs $37 per user (at the time of the posting of this article), compared to over $1200 for a Visual Studio Pro w/ MSDN license. Organizations with development groups therefore must carefully evaluate their development, testing, and quality-assurance environments to ensure they are not spending more money than necessary to license the installed SQL Server instances. Savings for a 30-developer team with testing, quality-assurance, and staging environments can be very significant, provided there is a careful analysis and a deep understanding of Microsoft SQL Server licensing options and use grants.

However, a thorough evaluation of server-use characterization, access characterization, and developer identification requires not only the technical expertise to inventory diverse and varying infrastructures, but also the experience to know the right questions to ask of employees to determine their licensing needs. Therefore, businesses should consider engaging knowledgeable licensing counsel to assist in their assessment processes.

April 19, 2011

Five Factors to Consider When Deciding Whether to Renew a Microsoft Enterprise Agreement

For organizations experiencing the resource drain that is the impending expiration of a Microsoft Enterprise Agreement (“EA”), the decision of whether to move forward with renewal is critical. These renewals easily can impart a seven-figure hit on an organization’s IT expenditure, and it is important to understand the full spectrum of the costs and benefits of renewal. Key factors to consider when making an EA renewal decision include the following:

  1. You already paid for a perpetual license. Upon expiration of the EA, the organization retains perpetual use rights to all of the software titles it ordered during the term of the agreement. Organizations do not need to renew just to continue using the products that are currently licensed and installed under the EA.
  2. You will continue to receive product support. Software security fixes, patches, and updates are included in the perpetual license. Microsoft will continue to provide product support for those installed titles for the duration of the product lifecycle regardless of the status of your EA.
  3. Premier support services will expire. It is important to distinguish between product support and the premier support services included in your Microsoft EA. If your organization relies on these premier Microsoft environment support services, you should strongly consider renewing the agreement. However, there are other support service options available directly from Microsoft or Microsoft Partners that may fit the needs of your organization.
  4. Upgrade rights are available post-EA. Just because your EA expires does not mean you cannot upgrade to the next version of an enrolled product when your organization is ready. You retain the rights to upgrade to the next version so long as that version was released by Microsoft while the EA, or more specifically, the Software Assurance under the EA, was active.
  5. Virtualization rights expire. One of the key selling points for Microsoft is the desktop and server virtualization rights that accompany an EA. If your organization is leveraging virtualization to minimize support and deployment costs, it is important to understand the costs of losing these rights.

In addition to the IT analysis and strategy implications, the renewal process should include significant interaction with your legal department to help ensure entitlement reconciliations and renewal agreement negotiations adequately protect your organization from future Microsoft audits. It is not uncommon for the information sharing that occurs during a renewal to raise a red flag for Microsoft, so the entire process should be carefully managed and controlled. Whether you are still making the strategic decision with regard to renewal or are moving forward with the negotiation, we recommend engaging experienced counsel to help protect your rights, avoid situations that may trigger an audit, and obtain the best possible deal for your organization.

April 8, 2011

Cloud Agreements Will Be Affected by Developments in Privacy Law

It appears that Congress is taking seriously the mandate from the Obama Administration regarding Internet privacy issues. In February, Senate Judiciary Committee Chairman Patrick Leahy announced the creation of a new subcommittee called Privacy, Technology and the Law, which will oversee laws and policies that govern the “collection, protection, use and dissemination of commercial information by the private sector.” In March, Senators John McCain and John Kerry introduced proposed legislation that would create an “online bill of rights.” The McCain-Kerry law is poised to become the first comprehensive federal privacy law governing data collection, storage, and transfer. While these actions are aimed at addressing privacy issues as they implicate individual consumer rights, there is no limit to how impactful these laws could be in creating additional administrative and procedural requirements for the majority of cloud computing providers.

Traditionally, cloud service providers have attempted to disclaim any and all liability for violations of state or federal privacy laws. Whether addressed in an “applicable law” or hidden somewhere in a “limitation to liability” provision, cloud providers have put the onus of adherence to state or federal data privacy regulations squarely on their clients. Providers in effect were saying, “we can help you house and store your data, but we cannot be expected to account for laws associated with types of data you store on our servers. That expertise—and therefore liability—lies with you.” Congress’ likely response to cloud providers is that they can, in fact, expect to be liable for data privacy regulations because the laws will specifically require them to be.

If the HITECH Act is any indicator of the direction the wind is blowing on Capitol Hill, cloud providers likely will be forced to enact policies designed to comply with these new privacy laws. Contractual limitations on liability and disclaimers of responsibility for compliance with applicable laws will give way to technical and administrative data security baseline requirements. It is important for software companies considering taking their services to the cloud and for businesses seeking a cloud provider to consider the ramifications these laws will have on their agreements. Careful risk balancing at the outset of a cloud-service relationship can protect both parties from impending developments in federal privacy law regulations.

March 18, 2011

Facebook Promotions May Be Easy to Develop, but They Can Create Legal Liability

In December of 2010, Facebook relaxed the rules on creating and implementing promotions designed to drive user “Likes” to company Pages. It did so in part due to the marketing industry’s recognition that the value for each Like to a company Facebook page can be calculated in real dollars. For example, Syncapse, a social media management company, conducted a study that calculated the average value of a Facebook Like to be over $70 of extra spending by each user on the company’s goods or services. To capitalize on this interest in the platform, Facebook eased the process to set up a promotion from a technical perspective and no longer requires companies to obtain specific approval from Facebook for each promotion run on its platform. Despite this lowered bar to entry, companies and social media managers should take note that although Facebook relaxed its internal rules, each promotion still should be evaluated carefully in light of various state and federal laws that may be implicated when running this type of promotion.

Each state has specific laws governing contests and sweepstakes targeting its citizens. For instance, promotions that target children may have a different set of requirements under state law than the same promotion that targets only adults—and these requirements may vary from state to state. However, as a general rule, all promotions must be accompanied by clear contest rules that are available to any individual prior to entering the contest. Companies therefore must follow those rules to the letter when conducting contests and selecting winners. If a contest rule is drafted in a way that violates state law, or if the company deviates from its own rules, then the company may expose itself to significant liability.

In addition, it is critical to be mindful of intellectual property rights of others who may be either directly or indirectly involved in the promotion. While most consulting firms that develop Facebook promotions are careful to obtain the required licenses or releases for the images or logos used in the promotion, few smaller companies take the time to ensure compliance with intellectual property laws. For example, a company might contract with an independent graphic developer to create a fantastic splash page for a Facebook promotion that includes copyrighted images of the giveaway item. If the promotion is published prior to obtaining permission to use those images (likely from the company that manufactures the product being given away), then the promoting company likely will be in violation of federal copyright law and could find itself subject to a copyright-damages award. Statutory damages under U.S. copyright law can be as much as $30,000 per work found to be infringed (and up to $150,000 per work found to be infringed willfully).

These are but two examples of the way Facebook promotions can expose a company to legal liability if not carefully considered. Before any promotion is undertaken on Facebook, a company should consult with an experienced attorney to draft contest rules, review promotion materials, and monitor contest implementation to ensure compliance with state and federal law.

Do Not Track Me Bill Introduced in Congress

Last month, California Representative Jackie Speier introduced H.R. 654, the so-called Do Not Track Me Online bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data) to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.

The Do Not Track Me Online bill would require covered entities to comply with the requests of consumers not to track their online movements via tracking cookies and other technologies, and also to provide reports to the agency regarding data-collection methodology and data-sharing activities. The bill also leaves open options for the FTC to modify its rules to include other requirements, specifically including a provision to force covered entities to provide consumers with means to access the consumer’s online activity data stored by the covered entity.

These regulatory requirements would not apply to companies that: 1) store online activity information on fewer than 15,000 people; 2) collect online activity information from fewer than 10,000 consumers in a year; 3) do not collect sensitive information from consumers; and 4) do not use online activity information to analyze online behavior as the company’s primary business. Although this is the preliminary draft and likely will undergo significant changes before it gets to the floor for a vote, the power and reach of the bill lies in the “sensitive information” element to the exclusion above. The bill defines sensitive information as information related to the health, race, religion, sexual orientation, financial accounts, geolocation, or personal identifiers of the consumer, though it allows the FTC room to modify this definition. The FTC could broaden the scope of covered entities to include those that collect other personally identifying information—a move that would increase the rule’s scope to require any company that collects sensitive information, regardless of its size, to comply with these regulations.

March 8, 2011

How to Handle Trademark Infringement on Facebook

Businesses are beginning to fully realize the immense marketing power of Facebook and other social media platforms. Users of these sites often log on daily to share personal information, pictures and videos, and informal product reviews and endorsements, presenting businesses with tremendous opportunities to engage and communicate directly with their customers. However, brand managers need to understand the dangers presented by this kind of communication and user-generated content. Users can infringe on the intellectual property rights of organizations, potentially reaching millions of users and diluting brands with the click of a button. Monitoring and protecting trademark rights on social media sites such as Facebook is a critical element in every brand management strategy.

Trademark infringement on Facebook can arise in several ways. First, Facebook allows users to select “vanity URLs,” which are words appended to the end of the www.facebook.com URL (for instance: www.facebook.com/your.company.name). A company seeking to develop its own Facebook presence for the first time may find that another unauthorized user is squatting on the company’s vanity URL using the company’s trademark. Also, unauthorized users might use a company’s trademarked logo or slogan in violation of the company’s intellectual property rights. Finally, a company may find that a Facebook App is misappropriating the company’s trademark by creating a Facebook application that purports to be sponsored or developed by the company itself.

So what does a company do when it discovers its mark is being infringed? Unlike copyright, which provides for a specific procedure to address infringement of copyrighted material on the Internet (see our other post on the Digital Millennium Copyright Act (“DMCA”)), trademark law has no such scheme to address online infringement. However, Facebook has set up an internal procedure that essentially mimics the take down notices required by the DMCA. Using Facebook’s Notice of Intellectual Property Infringement (non-Copyright Claim) form, brand owners can notify Facebook of most alleged infringing activity occurring on the site. Facebook then will review the request and will remove or disable access to the content should it find that there is evidence of infringement. However, in the case of infringement in an App, Facebook takes no responsibility since Apps are hosted on the developer’s sites and not within the Facebook servers. In these situations, the trademark owner must contact the developer directly to engage in traditional trademark dispute procedures.

In any case, it is advisable for companies to understand how their trademark rights are being infringed before making use of either method to address an alleged infringement. Further, even if a business uses Facebook’s built-in claim form to report trademark infringement, it still may make sense to contact the infringer directly in some cases in order to prevent future infringing conduct.

February 23, 2011

Considering an Asset Purchase? Due Diligence is More than Reviewing a Checklist.

Every savvy business owner understands the importance of due diligence when engaging in an M&A transaction, but the Third Circuit issued a ruling that serves to underscore the point that due diligence must be accompanied by a thoughtful risk assessment exercise. On January 21st, 2011, the Third Circuit ruled that a buyer who purchases a seller’s assets may be liable for the seller’s late contributions to certain benefit plans. Einhorn v. M.L. Ruberton Construction Co., No. 09-4204 (3d. Cir. 2011). The court reasoned that interest in federal labor law policy is more important than common-law, “successor-liability” doctrines that normally shield buyers from a seller’s liabilities (unless the buyer is merely a re-organization of the seller).

In Einhorn, the purchaser corporation, Ruberton Construction Co., was aware of the late contributions prior to its purchase of the assets of Statewide Hi-Way Safety, Inc. Shortly after the purchase, the administrator of the benefit plan in question sued Statewide for the delinquencies, plus liquidated damages. Statewide and Einhorn entered into a settlement agreement under which Statewide was to pay the late contributions in a series of installments. Statewide later breached that agreement, and Einhorn sued Ruberton. The Third Circuit ruled that Ruberton was liable for the delinquencies, even though Ruberton was not merely a continuation of Statewide. While the finding that Ruberton was liable for Statewide’s failure to contribute to an ERISA plan can be viewed as a narrow exception to the successor-liability doctrine, it may signal a trend toward expanding the responsibilities of buyers for the liabilities of sellers.

Purchasers and M&A counsel should take note that due diligence is more than reviewing a checklist of documents produced by sellers. In Einhorn, Ruberton knew of the liability prior to purchasing Statewide, which suggests that an open and honest due diligence process was employed. However, risk assessment goes hand-in-hand with due diligence checklist review. While a purchaser may be eager to execute a deal, experienced counsel must understand the implications of each piece of information gleaned from the due diligence process and must take time to outline the associated risks for their client prior to closing the deal.

February 7, 2011

Unauthorized Employee Use of Company Information Under the Computer Fraud and Abuse Act

In 1986, Congress passed the Computer Fraud and Abuse Act, or CFAA, which established criminal liabilities for unauthorized access to information stored on a protected computer. Since that time, the CFAA has been amended to keep up with new privacy concerns and, in some cases, civil liability has been attached. The typical CFAA claim is asserted by a party against an unrelated entity accused of stealing computer files for personal gain. However, in cases where a company is seeking to prosecute one of its own employees for accessing protected files, the meaning of the phrase “without authorization,” an element of any CFAA claim, is hotly contested.

In a December 27, 2010, decision, the Eleventh Circuit upheld the conviction of an employee for accessing certain social security information for improper purposes, even though the employee was authorized to access that social security information. The court said that policies defining the types of information that an employee may access and policies defining the purpose for which the employee may use that information are both relevant under the CFAA “without authorization” inquiry. In contrast, the Ninth Circuit ruled in 2009 that an employee who was given access to files, without such access being accompanied by a specific “permitted use” requirement, could not be considered in violation of the CFAA regardless of the use of the information—even if the use was clearly non-business-related.

The decisions by these two and other Circuit courts are indicative of a split in authority when interpreting “without authorization.” However, the lessons for businesses should not be subject to debate. Businesses need to implement thoroughly considered and well-crafted Acceptable Use Policies addressing, among other things, the specific types of information that employees may access along with descriptions of how such information may be used by those employees. It is best practice to review and amend these documents on an annual basis, as company structure and employee access frequently change.

E-discovery Risks in Social Media Use for Companies

Many companies today have their own company Facebook Pages, Twitter accounts or blogs. It is estimated that 4 out of 5 companies with more than 100 employees will utilize social media platforms to communicate with their current customers and to market to potential ones. These companies understand the value of participating in the online marketplace. What is not widely understood, however, is that companies are obligated to store and maintain social media communications as “electronically stored information” or ESI in the same way as they are obligated to store e-mail or written communications. Courts require companies to have document retention policies in place to allow the companies to access and produce such ESI during the discovery phase in the case of litigation.

Many organizations are either unaware that their current document retention policy does not include social media, or they rely on the social media platforms themselves to maintain social networking communications for them. The problem with relying on the social media platform to maintain your company’s communications is that these platforms are typically not under any obligation to do so. Before a company chooses a strategy of “let Twitter manage our communications, and if they lose some, we’ll just tell the court we don’t have ‘em”, organizations should be aware that courts are increasingly penalizing such attempts to avoid responsibility with harsh monetary sanctions.

Companies should revise their document retention policies to include social media communications if they wish to avoid the risks of discovery sanctions. From a technical perspective, there are some vendors emerging with monitoring and storage services designed to maintain social media compliance with document retention policies. Organizations should understand their use of social media platforms, and work with their legal and IT teams to determine the best method for storing and maintaining social media content and communications.

January 20, 2011

Sixth Circuit Recognizes Right to Privacy in E-mail

In a ruling handed down on December 14, 2010, the Sixth Circuit in United States v. Warshak held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.

Privacy issues such as those addressed by the Sixth Circuit in Warshak likely will continue to dominate the news in the coming year. As more individuals, companies, and governments communicate and store data in the cloud, both the technological and legal privacy and security of that data will be tested. And as the Warshak case demonstrates, federal statutes drafted decades ago — or even mere years ago — cannot reasonably be interpreted in light of the current state of online data storage and communication. At its base, the privacy issue in Warshak is no different than traditional forms of private communication, which the Sixth Circuit correctly reasoned. In 1986, however, it was not so simple to draw the analogy between electronically stored communications and regular mail. Legislators are not often elected for their ability to understand how technological changes will affect current legislation.

Legislation aimed at regulating, or otherwise affecting, technological change is almost always going to be outdated shortly after it is passed. This is not necessarily because we do not have bright, technologically savvy legislators drafting these laws. Rather, it likely has more to do with the fact that our brand of democracy results in a government that often is slow to respond. To effectively mitigate privacy and security risks, reliance on the government for protection is not a wise strategy. The best protection will result from carefully considered, contractual provisions that include in the balance of equities the privacy and security risks individuals and organizations face when entering the cloud.

December 10, 2010

Mississippi Becomes 46th State to Pass Data Breach Notification Law

Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota as the remaining states without data breach notification laws, Mississippi joins the vast majority of states to have passed such legislation. House Bill 583 will not go into effect until July 1, 2011, but its form and structure track many other states’ notice requirements in the event of a data breach.

Based on California’s original definition of personally identifying information (PII), for a breach to trigger the Mississippi notification requirement, the leaked PII must include a name along with a social security number or driver’s license or an account number in combination with any required security or access code. In the event of a triggering breach, notification must be made to individuals only, not to government regulators or any credit reporting agencies. However, in cases where the breaching organization reasonably determines that the breach is not likely to result in harm to the affected individuals, the notification requirement is waived. The law also includes a safe harbor for organizations that secure PII by encryption or other technologies rendering the PII “unreadable or unusable.”

Although there are many similarities between Mississippi’s breach requirement and other state breach notification requirements, significant differences exist with respect to acceptable time to notify, criminal and civil penalties, safe harbors and exemptions. For the vast majority of businesses handling personal information, a careful review of PII handling policies as well as an implementation of a breach notification procedure is recommended. For an outline of the major requirements under each state’s breach notification law, please see our State Data Breach Notification Laws chart.

Amazon’s Dropping of WikiLeaks Raises Cloud Concerns

With the intense scrutiny and speculation swirling around WikiLeaks’ most recent posting of confidential U.S. State Department documents, it should not come as a surprise that Amazon, WikiLeaks’ hosting provider, found itself under informal investigation by Congress. Facing this type of inquiry, it did not take long for Amazon to terminate its cloud agreement with WikiLeaks, leaving the whistle-blowing site temporarily without an online presence as it searched for a new cloud provider to host its materials.

While this action by Amazon is arguably the right decision from a national security perspective, it raises some general concerns regarding cloud computing, specifically: How much power do cloud providers wield over your company’s business continuity? Cloud contracts generally include language allowing for the provider to terminate the agreement for cause, citing illegal or improper use of its platform. However, problems arise for cloud customers when these contracts give the cloud provider complete and sole discretion over what constitutes improper use. Based on the Acceptable Use Policy incorporated into Amazon’s Web Services agreement, this provision is likely what Amazon pointed to in justifying its action to terminate its agreement with WikiLeaks.

Such unfettered control by the cloud provider is a risk that companies working in the cloud clearly should not accept, if at all possible. Most companies do not engage in the types of activities at issue in the WikiLeaks affair, but less egregious activity easily can be justified by the provider under these broad termination provisions, leaving the cloud customer scrambling to keep its business operational while it seeks alternatives. Companies should carefully review and negotiate the acceptable use policies attached to contracts to retain some control over the termination provisions before moving business-critical activities to the cloud.

Copyright “Troll” May Be Scaling Back its Enforcement Program

In an earlier post, we examined “copyright trolling,” an unsettling trend in intellectual property enforcement. So far, the primary culprit is the Las Vegas Review-Journal (LVRJ) by way of Righthaven LLC, a copyright litigation specialist possibly created to work exclusively on LVRJ cases, which searches for websites that have reposted articles from the LVRJ without explicit permission to do so. When Righthaven finds a website that has reposted portions of or entire articles, its strategy has been to proceed directly to filing suit instead of engaging in the typical procedure of attempting to resolve the issue first without involving the courts. The more cynical among you may contemplate that Righthaven’s strategy may be designed to extract settlements from unsophisticated bloggers intent on avoiding costly legal battles.

Whatever the thought process behind the sue-first-ask-questions-later strategy, some of the targeted organizations are fighting back. In October, U.S. District Judge Larry Hicks ruled for defendant Realty One Group, Inc., dismissing a Righthaven infringement suit and finding the defendant’s posting of the first eight sentences of a 30-sentence LVRJ article to be “fair use” of another’s copyright. While this decision is not necessarily binding precedent on other courts, Judge Hicks’s reasoning has not gone unnoticed. Then, in early November, in another Righthaven case, the court entered an order for Righthaven to “show cause” why its infringement claim in this case should not also be dismissed on “fair use” grounds. Interestingly, the judge raised this issue without the defendant in the case first doing so. The rulings appear to have had an effect on Righthaven’s strategy. In a motion filed in the Realty One lawsuit on November 15, 2010, Righthaven announced that it “does not anticipate filing any future lawsuits founded upon infringements of less than 75% of a copyrighted work.”

With holdings against it on the fair use issue, it is understandable that Righthaven would want to focus its efforts on businesses that copy its content in full, rather than in excerpts. However, businesses should not rely on these results in assuming they are safe from the kinds of tactics employed by Righthaven, but instead should work with counsel to ensure their compliance with laws affecting their potential liability for published content, such as the Digital Millennium Copyright Act (DMCA).

November 29, 2010

Corporations Increasingly Confronting Social Media Concerns

No one questions the prevalence and increasing reliance on social media from a corporate perspective. Earlier this year, PR firm Burson-Marsteller released a study of 100 of the top Fortune 500 companies and found that upwards of 75% of the companies use blogs, YouTube, Facebook or Twitter to communicate with their clients or stakeholders. Personal use of social media sites continues to rise as well, with the Pew Internet & American Life Project finding social networking use by users 18-24 at 86%, while use by users 50-64 at a surprising 42%. Along with this increased use come rising concerns of privacy issues on social media sites. One has to look no further than two of the Internet’s behemoths, Facebook and Google, to understand the privacy risks associated with social media.

Now, U.S. Courts are beginning to weigh in on social media, potentially highlighting a new privacy concern. In September, a New York court considered a discovery request by the defendant for the current and historical content of the plaintiff’s Facebook and MySpace profile. The court found that despite the plaintiff’s privacy concerns, the defendant’s need for access to the information contained in the profile outweighed that privacy right. In doing so, the court found an analogy for posting material to a social media site, even one restricting access, to a Second Circuit case where the appeals court found that individuals have no expectation of privacy for e-mails.

For corporations, there is the potential for this kind of finding to extend to social media accounts accessed by employees while at work. A 2010 Trend Micro study found that social media use in the workplace has risen from 19% to 24% in the past two years, and it is not hard to predict that number will continue trending up. For companies seeking to protect themselves from this discovery risk, a corporate Acceptable Use Policy (AUP) should be implemented either prohibiting social media use in the workplace or outlining very specific and acceptable uses of these sites while at work. Factors such as company size, technological capability, and corporate culture should be considered when developing an effective AUP. Experienced counsel should be able to help in the design and implementation of an effective AUP, which would mitigate some social media risks.

Many Cloud Contracts are Missing a Critical Term

Cloud computing contracts vary widely depending on the type of service being provided and the market to which that service is targeted. Cloud services that are inexpensive or free generally present the contract in the familiar “click-wrap” format that we all, at one point or another, have “agreed to” (but that we almost never actually read). Those agreements often are wholly in favor of the cloud service provider. On the other hand, larger cloud implementations representing considerable, strategic business decisions on the part of the customer (and considerable sales on the part of the cloud service providers) usually are accompanied by agreements that should be read, understood and negotiated to meet the right balance of risk and incentive for both parties. However, many of these large-scale implementation cloud contracts nevertheless are missing a critical term: the cyber risk insurance requirement.

Cyber risk insurance, or cyber liability insurance, provides coverage extending beyond the typical commercial general liability (“CGL”) coverage. For example, in the event of a data breach, a cloud provider would find it difficult to convince its insurance provider to cover losses if the cloud provider was relying solely on CGL coverage. Cyber liability, on the other hand, is an insurance product specifically designed to address losses arising from incidents involving the delivery of information technology solutions. Cyber liability comes in a variety of flavors that should be customized for each cloud provider based on the nature of the cloud service being provided and the types of data stored in its servers. Ideally, cyber liability should include Errors and Omissions (covers claims related to the delivery of technical services), Media Liability (covers claims related to handling of media, invasion of privacy, and some intellectual property claims), and Fidelity Liability (employee crimes, such as intentionally leaking data or using personal information) coverage.

Without an appropriate insurance policy incorporating sufficient coverage limits for privacy or security breaches, those ubiquitous indemnity provisions may be ineffectual at best. Prospective cloud customers should require cyber liability coverage whenever possible and should work closely with the cloud service provider during negotiations to ensure that the appropriate mix of coverage and dollar limits is obtained based on the type of cloud service being offered.

NLRB Complaint is a Warning to Companies Policing Social Media Use

Early this month, the National Labor Relations Board (NLRB) issued a press release regarding a complaint issued by the Board’s Hartford regional office against a company that terminated an employee who “posted negative remarks about her supervisor on her Facebook page.” The NLRB contends that, among other things, the company’s Internet use policy contained provisions prohibiting employees from engaging in protected concerted activity—a violation of Sections 7 and 8(a)(1) of the National Labor Relations Act (NLRA).

In the complaint, the NLRB states that blanket prohibitions on employees voicing dissatisfaction or posting disparaging remarks about their employers are overly broad and a violation of the NLRA. However, this complaint is even more interesting due to the fact that it appears to be in direct opposition to an Advice Memo filed by the NLRB in 2009, where the Board found that a Social Media Policy issued by an employer was specifically not in violation of Sections 7 and 8(a)(1). The policies in question are strikingly similar, so the apparent 180-degree turn by the NLRB may be a sign of a significant ideological shift in the Board.

If upheld, this complaint has implications for companies attempting to protect themselves from employees’ use of blogging and social media sites through Internet use policies. How companies should react to the NLRB complaint likely will not be clear until the complaint is heard in January of 2011, but for companies falling under the NLRA, a full internal review of Internet use and related policies should be planned.

November 11, 2010

ivi v. Broadcasters & Content Owners-Old Arguments Born Again

New media technologies always will create unforeseen challenges for copyright law. For example, in the 1950s and 60s cable television providers battled broadcasters over the cable operators’ right to re-transmit broadcast television signals to cable subscribers. After numerous courtroom scrapes, Congress stepped in with Section 111 of the Copyright Act, which established a statutory fee to be paid by cable broadcasters in return for the right to re-broadcast television signals.

Recently, a new technology has emerged, uncovering the old broadcast-rights wounds that were long since considered fully healed. ivi, Inc., an online television service, has begun re-transmitting broadcast television to its own subscriber base. And ivi’s argument is no different than that of the cable operators of the mid-century.

ivi’s service essentially takes a broadcast feed, called a “primary transmission,” and rebroadcasts it as a “secondary transmission” over the Internet to users who have installed the ivi software. This allows users to watch essentially real-time broadcast television from across the country. Broadcasters are not pleased and anyone familiar with sporting event blackout rules instantly will recognize why content owners consider this to be a significant problem. In fact, after only a week or so into the launch, ivi was served with cease and desist letters from the likes of NBC, CBS, MLB, and others. ivi's lawyers, certainly expecting this uproar from content owners and broadcasters, filed a request for declaratory judgment on September 20th, claiming that the Copyright Act, and specifically Section 111, expressly authorizes just this kind of retransmission.

According to the congressional notes accompanying the adoption of Section 111 of the Copyright Act, the section was a concession to the cable companies from the broadcasters, allowing cable television providers to transmit broadcast signals to their subscriber base so long as they paid a statutory licensing fee to the Copyright Office. That fee is then in turn redistributed to the broadcasters. ivi argues that their service is functionally no different than a cable provider’s and therefore should be allowed to utilize the same statutory compulsory license tool to continue to re-broadcast the primary transmission from broadcast stations.

Whether the federal court legitimizes ivi’s business model remains to be seen, but ivi’s argument certainly is clever and likely will make for interesting discourse on this new intersection of copyright law and technology.

October 8, 2010

The Copyright Troll is Under Attack

Earlier this year, this blog introduced you to “copyright trolling,” a new business model for intellectual property lawyers. The copyright trolling concept is simple: search the Internet for instances where another website has used portions or all of your original work, sue the website operator for infringement demanding statutory damages completely out-of-line with any actual damages, rely on the website operator’s evaluation of the cost of settlement versus the cost of a protracted legal battle, and collect a settlement of a few thousand dollars for all your hard work. Oh yes, and to be successful as a copyright troll, the IP attorney must completely ignore other sections of the copyright statute pertaining to fair use—the legal concept that not all copying of copyrighted material constitutes infringement. Rinse and repeat.

Righthaven, a Las Vegas-based business with apparently only one client, is the law firm currently at the epicenter of this copyright trolling development. On behalf of Stephens Media, a media company that includes the Las Vegas Review-Journal, among other newspapers, Righthaven has sued upwards of 145 web site operators for copyright infringement, and has reportedly settled 20% of the suits so far. The Internet was awash in commentary about copyright trolling, with early speculation that the Electronic Freedom Foundation (“EFF”) would likely be interested in defending the rights of website operators. Though it took a few months, the EFF apparently has found an appropriate test case. On September 27, EFF filed an answer and counterclaim on behalf of the website Democratic Underground.

In the suit, the EFF argues that Righthaven is abusing copyright law to extract windfall settlements from website operators by filing nuisance lawsuits. In keeping with their defending-the-little-guy posture, EFF is seeking no damages in the case—they only want the court to rule that Democratic Underground has not infringed the copyrights of Stephens Media. Through this, the EFF hopes to set a precedent that would be invaluable to all bloggers and online media players, while destroying the copyright troll business model. Whether the court will agree with the EFF is hard to guess—but a decision in their favor could create the first opinion legally validating the unwritten rules of online blog behavior. Stay tuned.

September 20, 2010

Considering the Cloud? Don’t Overlook the SLA

The exhaustive media coverage surrounding “cloud computing” is enough to induce readers to tune out on the topic altogether, but ignoring computing in the cloud is a perilous proposition. Cloud computing will soon be as mainstream as e-mail (coincidentally, one of the first successful cloud offerings). The hype is fueled by pro-cloud commentators, vehemently promoting the cloud panacea, battling it out with cloud naysayers who warn that a move to the cloud is fraught with too much risk for serious consideration. I think both sides are right. An investment in the cloud can yield a tangible cost savings on upfront set-up and ongoing maintenance costs for companies. Additionally, the on-demand aspect of cloud architecture means that companies quickly can adapt to opportunities for growth and can tighten their belts when demand for their services and products shrinks. But cloud detractors are not mere panic mongers—there is significant risk lurking in the cloud. Happily, most companies can have it both ways by focusing on a document, frequently overlooked, that is a shield against many cloud-based risks—the Service Level Agreement or “SLA”.

The main function of any SLA is to establish expectations for the client with respect to software availability or “uptime”. In addition to service guarantees, a good SLA should accomplish the following: 1) establish built-in remedies for the customer if the vendor is unable to meet service guarantees; 2) define disaster recovery provisions; 3) define customer duties with respect to the manner of use of the software; and 4) establish procedures for software maintenance and upgrades. Because most cloud customers depend on software hosted on external networks, stipulating the level of service customers have the right to expect is critical.

Vendors generally measure their availability using metrics that seem understandable, but that often are dangerously vague and difficult to measure from an accounting perspective. For instance, customers may see a standard “99.999% service access uptime” guarantee (or some variation thereof) from ISPs. This metric may be easy to understand, but it does not necessarily reflect the needs of the customers. For instance, a cloud service may be technically accessible, while large swaths of the functionality are inoperable. With a “service access uptime” metric in place, a customer may be left without access to service credits that should otherwise be available to it. One alternative to consider in those situations may be an SLA based on incident-response-time guarantees or some other metric that is easier to apply and that does not require constant attention.

Because the SLA is so critical to mitigation of one of the primary risks in cloud computing, it is important for a customer to carefully read and understand the SLA and either accept the risk associated with the standard metric or negotiate for more appropriate measurement of success.

August 18, 2010

Cloud Computing Vendors Attempt to Avoid Liability

Both state and federal governments are seeking ways to ensure citizens’ personal information is secure and remains private, but the laws vary wildly and are sometimes frustratingly complex. For businesses, it is not always clear which laws, if any, the business is subject to. Once applicability of the law to a business is determined, the process of evaluating compliance of IT systems and policies can be time-consuming.

Now imagine you are the vendor of software products that could potentially store statutorily protected data for your customers. You potentially have just inherited compliance evaluation projects for every one of your customers.

For many vendors, such compliance demands are too burdensome, and a quick review of their cloud computing agreements shows that their methods for handling these requirements often consist of avoiding the subject altogether or expressly absolving themselves of the responsibility. Many vendors attempt to avoid liability by including provisions in their contracts disclaiming any liability for data breaches or compliance with data security regulations. Cloud customers that do not carefully evaluate cloud agreements can find themselves holding the bag for data breaches that may have been caused by their cloud vendors.

Some statutes, such as the recently revised HIPAA rules, have addressed such contractual liability avoidance by specifying that business associates of companies covered by the statutes are also liable for data breaches. As the cloud computing industry matures, vendors will learn that they have to comply with statutory security requirements. During this maturation, new and possibly standardized methods to share responsibility for security of customer information will emerge. For now, customers should seek the advice of experienced counsel before entering into any cloud computing agreement to mitigate or eliminate vendor avoidance and to ensure the vendor will adequately protect protected personal information.

August 10, 2010

Introducing The Copyright Troll — What He Is And How To Avoid Him

A new type of copyright lawyer has arrived on the intellectual property scene—not terribly good news for bloggers or online media outfits. Righthaven LLC CEO Steve Gibson is on the attack, beginning a campaign this past March against bloggers and website operators who post articles from the Las Vegas Review-Journal, his first client. Righthaven has acquired copyrights to the LVRJ content and is filing suit against these operators for copyright infringement. According to a Wired.com article, Righthaven plans to continue targeting bloggers who repost entire articles without permission by filing hundreds of lawsuits by the end of the year.

While there is clearly nothing improper about protecting intellectual property, some commentators are accusing Righthaven of “trolling,” a tactic known in patent law circles where a patent owner enforces its patents against an infringer, often in an aggressive manner, without any intention to actually market or develop the patented technology. In the case of Righthaven and LVRJ, lawsuits have been filed against bloggers with minuscule web traffic numbers, where the actual damages caused by the infringement are correspondingly minor. However, Righthaven uses the threat of statutory damages—which can range up to $150,000 per infringement—to scare the media outfit into settlement. For a blogger who receives notice of a lawsuit, often without first receiving a request to remove the infringing material, the prospect of a lengthy federal court battle is far too expensive. Righthaven apparently counts on such analysis to encourage quick, monetary settlement of these cases.

The “copyright trolling” trend being pioneered by Righthaven likely will expand before any material reform to copyright law occurs. Regardless of whether this type of use (or misuse) of copyright law is appropriate, Internet media companies and bloggers must ensure that any use of third-party content is either properly licensed or falls within the safe harbors provided by the copyright law prior to publication.

July 20, 2010

Legal Pitfalls in the Cloud: Windows Azure License Agreements

Microsoft’s cloud offering, Windows Azure, is a cloud services platform designed for software development, hosting and web service management. The platform includes a cloud-based operating system with pre-configured developer tools and other options available. The license agreements are available online here and here. So, how does the Microsoft cloud licensing model stack up to our concerns regarding cloud computing?

The basic Azure agreement consists of two parts: a service level agreement (“SLA”); and an online subscription agreement (“OSA”). The SLAs are written in clear, layperson-friendly language, but may not adequately protect the customer from certain types of service outages. Also, the responsibility to monitor service levels and report outages remains wholly on the customer (something many cloud customers may want to try to avoid). The OSA provides some protections against third-party intellectual property infringement claims, but it also severely limits recovery on claims arising from any legal action, including breach-of-contract and negligence claims. These service and liability limitations are typical in low-transaction-cost offerings, and they are likely unavoidable for a product sold online and across such a broad user base.

Of greater concern, however, is the fact that neither agreement addresses compliance or liability arising from federal and state privacy and data security statutes (such as HIPAA and the new Massachusetts Standards for the Protection of Personal Information). HIPAA, in particular, imposes significant responsibility on third-party vendors (“business associates,” under the language of the statute) that may house or transmit protected health information (“PHI”). A company storing PHI on Microsoft Azure servers without an agreement contemplating that type of data storage could be in violation of the law and subject to liability.

Further, there are no provisions concerning ownership, use, or transfer of customer-owned data upon termination of the agreement. As is evident by the low cost of cloud-based solutions, the platform is the commodity and the only real value is in the data. Without specific language identifying data ownership and transfer upon termination, a company may be risking too much relative to any perceived cost or operational benefits.

Microsoft likely will have to address these concerns as the legal issues associated with cloud computing become better understood. In the meantime, careful analysis of intellectual property and data security compliance risks should be undertaken to avoid the unforeseen liabilities and hidden costs present in many cloud computing agreements.

July 8, 2010

Microsoft v. Salesforce.com – Taking the Fight to the Cloud

On June 24, 2010, Salesforce.com filed suit against Microsoft in a Delaware Federal court claiming Microsoft willfully infringed five Salesforce.com cloud computing-related patents. This is an apparent counter to a May 18th suit filed by Microsoft accusing Salesforce.com of patent infringement. Though Salesforce.com and Microsoft promote slightly different cloud computing models, each company claimed the patents infringed were significant components to their platforms, signifying that the fight over cloud market controls is ramping up.

While the choice between pursuing a pure (Salesforce.com) versus hybrid (Microsoft) cloud computing platform certainly requires a thoughtful business decision, a choice in either direction involves identical legal issues. For instance, data security regulations must be addressed in either case. Companies in the healthcare industry are by now quite familiar with these requirements and with related demands on their third-party vendors, but data security regulations such as the recently enacted Massachusetts privacy law are implicating companies and industries that have not had the pleasure of interpreting statutory data security requirements. As a result, many of these companies may be unaware of the extent to which cloud computing agreements must address and protect the company with respect to all data-related regulatory requirements.

Cloud computing platform agreements also must meet the needs of companies to locate, preserve and cull data to meet electronic discovery requirements. As more companies adopt cloud computing platforms to house not only e-mail, but other business records, courts increasingly will require companies to implement litigation holds and production from cloud sources in a manner identical to that which companies currently perform on their internal networks.

When evaluating a cloud computing platform, take time to carefully review the agreement in as much detail as your business and IT decision-makers do when looking at software functionality. A cloud platform that is technically sound and functional remains a serious liability if the service agreement does not address these and other critical legal issues associated with cloud computing. When in doubt, seek the advice of an attorney who is knowledgeable regarding legal issues surrounding IT service providers.

June 15, 2010

Facebook Ruling - Social Media and e-Discovery

On May 26, 2010, in the case of Crispin v. Christian Audigier, Inc. (C.D. Cal. Case No. CV 09-09509), Judge Margaret Morrow of the U.S. District Court of Central California issued a ruling in a copyright suit concerning, in part, the discoverability of private messages sent between users on MySpace and Facebook. This decision marks one of the first examinations of the applicability of federal e-discovery rules to social media site content. In her decision, the judge reversed a magistrate judge’s finding that private messages sent between users over social networking sites are public communications and quashed subpoenas that had been issued in an attempt to obtain copies of those messages.

Elaborating on the differences among the various messaging options offered by social networking sites, Judge Morrow found that messages sent between users via Facebook and MySpace private messaging systems are no different than e-mail under the Stored Communications Act. Under the Act, a third-party company storing private electronic data is not required to turn over the private information unless presented with a federal criminal law warrant. However, the judge limited her decision to private messages sent on social media sites and left unanswered other questions, such as the issue of discoverability, through subpoena, of semi-private postings on user walls visible only to a select few.

Increasingly, courts will be asked to interpret outdated discovery rules against new technologies and heightened public concern over online privacy. Following the recent furor over Facebook privacy settings in the press, we expect to see a court take on the task of a comprehensive examination of social media privacy concerns with respect to electronic discovery, similar to Judge Shira Scheindlin’s Zubulake opinion on general e-discovery issues, before the Supreme Court and Congress undertake revisions to the Federal Rules.

May 24, 2010

Second Circuit: No Unbundled Copyright Damages for Music Compilations

The Second Circuit Court of Appeals recently made what may have been the first U.S. federal appellate decision finding an album of music recordings to be a single work under the damages provision of the Copyright Act of 1976. In Bryant v. Media Right Productions, Inc., the court agreed with the lower court that an album is to be considered a “compilation” under the Act and, therefore, that a plaintiff is only entitled to statutory damages on a per-album basis. Specifically, the court says:

Based on a plain reading of the statute, therefore, infringement of an album should result in only one statutory damage award. The fact that each song may have received a separate copyright is irrelevant to this analysis.

The plaintiffs in this case argued that each copyrighted song constitutes a “work” under the 1972 Act, and therefore demanded statutory damages for each song contained on the two albums in the complaint. To make their argument, the plaintiffs relied heavily on decisions where other Circuits applied an “independent economic value” test to determine whether each work contained within a compilation qualifies for separate statutory damages. Here, the Second Circuit specifically rejected the “independent economic value” test and instead relied on a plain reading of the statute along with accompanying legislative commentary to hold that an album compiled by the songwriters constitutes a single work.

The Second Circuit’s reading of the compilation language of the 1976 Act may significantly reduce the value placed on album-infringement disputes by copyright holders. Whether this ruling could reach beyond the music industry to influence other decisions regarding assembling preexisting copyrighted materials into a compilation—such as bundled software packages in software copyright disputes—is an interesting question that could have broad ramifications.

May 13, 2010

When Your Brand is Attacked Online, The Author May Be the Only Liable Party

The United States District Court of New Jersey recently issued an opinion in a defamation action regarding an author’s post to a USENET group. The plaintiff, Charles Novins, an attorney in New Jersey, sent a letter to the defendant, Kevin Cannon, in early 2009 demanding Cannon retract his post to a USENET group in which Cannon accused Novins of, among other things, hiring drug addicts at his firm. After apparently not receiving the relief requested in his letter, Novins filed suit against Cannon along with a host of other defendants. The defendants moved to dismiss under the argument that the U.S. Communications Decency Act (“CDA”) immunizes everyone involved in content delivery with the exception of the “information content provider,” who was, in this case, the post’s author. The court agreed and dismissed the lawsuit.

The CDA often is applied to Internet service providers, but it has also been used by individuals who operate websites and web-based forums. The CDA even has been used to protect individuals who knowingly allow content to be posted to a website under their control.

Although the New Jersey case involved an antiquated forum (USENET can be properly characterized as Web 0.1), the rule generally applies to Web 2.0 as well, from Twitter to Facebook to, likely, whatever comes next. Courts continue to find that the CDA immunizes publishers from liability for defamatory comments posted to their websites.

In many cases, filing suit against anyone other than the author of arguably defamatory content is likely to produce no advantage for the complainant. A better approach to dealing with attacks on your online brand may be to utilize other methods, such as drowning the negative comments with positive publicity. An attorney knowledgeable regarding Internet marketing and brand protection efforts can assist you in formulating an appropriate strategy in response to defamatory third-party activities.

April 20, 2010

Qualcomm Judge Drops Sanctions Against Lawyers

On January 7, 2008, United States Magistrate Judge Barbara Major issued a sanctions order against Qualcomm and certain in-house and outside counsel for discovery misconduct. Specifically, the Court ordered that Qualcomm pay $8.5 million in opposing counsel’s fees for withholding critical documents during discovery, and Qualcomm’s attorneys further were referred to the California State Bar for an appropriate investigation.

On March 5, 2008, United States District Judge Rudi M. Brewster vacated the sanctions against the attorneys and remanded to Judge Major to investigate. Roughly fifteen months later, at untold cost to the attorneys involved, a massive discovery effort came to a close. On April 2, 2010, Judge Major issued an order declining to impose sanctions against the attorneys. In her order, the Judge states that although there was a “massive discovery failure” resulting from “significant mistakes, oversights, and miscommunication,” the attorneys made significant attempts to comply with their discovery obligations.

Judge Major enumerates the errors that gave rise to the discovery failures, indicating that an “incredible breakdown in communication” was the fundamental problem. No attorneys, in-house or otherwise, ever met in person with the Qualcomm employees who were likely to be important witnesses. Nor did outside counsel make any attempts to understand how and where data was stored on Qualcomm’s computer network. Finally, there was no single attorney responsible for discovery, resulting in the finger-pointing that occurred among the legal counsel when it came time to defend the discovery process.

In the end, the Judge reasoned that these failures were exacerbated by the lack of candor on the part of Qualcomm employees to such a degree as to foil any good faith attempts by the attorneys to meet their discovery obligations. And although the attorney sanctions were dropped, the cost in time and money for all parties involved should serve as a warning to all in-house counsel, corporate leadership and litigators: effective communication is fundamental to any discovery process. Without it, millions of dollars, thousands of hours, and whole careers are at risk.

About Andrew Martin

This page contains an archive of all entries posted to Business and Technology Law in the Andrew Martin category. They are listed from oldest to newest.
