Scott & Scott | Software Compliance Counsel

Christopher Barnett Archives

April 19, 2007

An Overview of ISO 19770-1 Processes – Part 1 of 3

Software is a business asset.

That statement may be so obvious to you that my writing it seems a waste of bandwidth. However, many businesses nevertheless have been “late to the dance” when it comes to effective management of that business asset. While they may rigorously record and catalog the details of their IT hardware and infrastructure, they often fail to pay anything close to the same level of attention to the programs powering those assets.

To a certain extent, that is perhaps unsurprising, since software is a very different kind of asset. Where businesses usually own their network hardware outright, most software use is dependent on the details of a license agreement with the software publisher. Where hardware is relatively easy to safeguard from external dangers, the threats to software are constantly evolving and require similarly constantly evolving strategies to thwart them. Where there is no appreciable risk that a business’ employees are going to bring stolen network switches to work for their personal use, it can be very difficult to keep employees from installing and using pirated or otherwise unlicensed software on company computers.

However, just because software asset management (“SAM”) is a challenge does not mean that businesses may be (or should want to be) excused from rising to it. Considering the high costs associated not only with software licensing but also with the effort that must be spent to “fix” software-related problems when they occur, businesses simply cannot afford to have ineffective (not to mention missing) SAM tools at their disposal.

With that fact in mind, the International Organization for Standardization (“ISO”) and the International Electrotechnical Commission (“IEC”) released International Standard 19770-1 on May 1, 2006. Standard 19770-1 “establishes a baseline for an integrated set of processes for [SAM].” The standard divides the processes into three main categories – Organizational Processes, Core SAM Processes, and Primary Process Interfaces.

The ISO 19770-1 Organizational Management Processes for SAM are divided into two process subsets: (1) those regarding the SAM Control Environment, which include processes specific to corporate governance as well as organizational roles and responsibilities, policies and procedures, and assurance of competence with regard to SAM; and (2) those regarding SAM Planning and Implementation, which, predictably, include processes specific to planning, implementation, monitoring and continual improvement of SAM.

The key “message” of the Control Environment processes is that effective SAM is impossible without input and support from an organization’s corporate officers, who ultimately are the ones responsible for clearly defining the organizational roles, responsibilities, policies and procedures regarding planning and implementation of SAM. Officers are uniquely situated within an organization not only to oversee the big-picture implementation of effective SAM, but also to objectively assess the risks of incomplete or uninitiated SAM. Therefore, naturally, it must be the officers who select the individuals to execute SAM within the organization, and it must be the officers who approve the initiatives those executives undertake. ISO 19770-1 makes clear that, unless the officers become interested stakeholders, the SAM process will go nowhere.

Once the “captains” for an organization’s SAM efforts place themselves in charge of those efforts, they must make sure that the organization has a useful and standardized “playbook” to guide the SAM process and to prevent the need for micro-management. The SAM Planning and Implementation processes in ISO 19770-1 let the captains know what needs to go in that playbook. As with many ISO standards, one of the goals of ISO 19770-1 is to promote a set of processes that to a large extent implement themselves. While the ISO 19770-1 standard speaks in terms of “SAM owners” – those responsible for the management of one or a set of discrete SAM processes – the processes that an organization implements under ISO 19770-1 are standardized, cross-linked with other SAM processes, and tied by cross-reference to the ISO standard itself. Once implemented correctly, SAM under ISO 19770-1 should exhibit a cost-benefit ratio much lower than might be expected.

An Overview of ISO 19770-1 Processes – Part 2 of 3

In my last entry, I gave an overview of the ISO 19770-1 Organizational Management Processes for SAM. Next in line are what the standard terms its “Core SAM Processes.”

The ISO 19770-1 Core SAM Processes are divided into three process subsets: (1) those pertaining to SAM Inventory Processes, which include processes specific to software asset verification, inventory management, and control; (2) those pertaining to SAM Verification and Compliance Processes, which include processes specific to software asset record verification and security compliance, software licensing compliance, and conformance verification; and (3) those pertaining to Operations Management and Interfaces for SAM, which include processes specific to the management of third-party relationships and contracts, finances, service levels, and IT security.

The Inventory and Verification and Compliance processes together constitute the “meat” of ISO 19770-1 – those most directly related to assessment of an organization’s ownership and proper use of software assets. Unsurprisingly, the SAM Inventory Processes are those that allow an organization to know what software assets it owns and how efficiently it is using those assets. This is an obvious early step to SAM implementation under ISO 19770-1 or any other relevant standard. Without an appreciation for and up-to-date records regarding the assets to be managed and any changes to those assets, the management process is going to be a valueless one for the organization. Closely aligned with core SAM inventory processes are those related to Verification and Compliance. These processes ensure that the assets inventoried under ISO 19770-1 are used within the bounds of applicable organizational policies and contractual obligations, and also according to the ISO 19770-1 standard itself.

The Operations Management Processes and Interfaces of ISO 19770-1 consist of management functions that help an organization to efficiently and effectively implement the core Inventory and Verification and Compliance processes. This subset ensures that everyone influencing the SAM process – vendors, suppliers, budget managers, and responsible staff – provide their respective inputs in a manner that is standardized, reportable, and secure. This allows those ultimately responsible for effective SAM implementation to maintain a clear view of the organization’s current SAM status and opportunities for improvement.

April 26, 2007

An Overview of ISO 19770-1 Processes – Part 3 of 3

My last two entries discussed, respectively, the ISO 19770-1 Organizational Management Processes and Core Processes for SAM. Last in the series is the “Primary Process Interfaces for SAM” subset, which consists of processes specifically related to management and review of the software lifecycle itself. As such, it is designed to align SAM requirements with lifecycle processes specified in ISO 12207 (defining tasks required for developing and maintaining software) and ISO 20000 (defining tasks required for effective service management).

The lifecycle processes specified in ISO 19770-1 are designed to allow an organization first to identify and manage software changes at a fairly high level and then to specify the details of each “waypoint” in the software lifecycle identified in the standard. Those waypoints progress fairly logically from acquisition and development, to release and deployment, to incident and problem management, and finally to retirement.

As with all of the other processes specified by ISO 19770-1, it is important to keep in mind that the word “specified,” when it comes to this standard, is something of a term of art. ISO 19770-1 lists the processes that an organization should implement and the goals that the organization should have in mind in doing so. However, it leaves the specifics of implementing those processes up to the organization seeking to achieve compliance. There are no ISO 19770-1-approved checklists or schedules included with the standard itself, leaving each organization more or less free to tailor the processes to its own unique set of demands and resources.

You can obtain a copy of the standard here. As I write this, the price is CHF 108.00, which translates into about $90 USD.

May 8, 2007

PCI Standards in New Texas Legislation

Increasingly, generally-accepted industry standards and best practices seem to be saving our legislators much of the detail work when it comes to enacting laws pertaining to technical or otherwise complex fields. For instance, we know that the internal control framework disseminated by the Committee of Sponsoring Organizations of the Treadway Commission (thankfully, generally shortened to “COSO”) is identified by name by the U.S. Securities and Exchange Commission as a standard that businesses may use to achieve compliance with the rigorous internal control evaluation and disclosure requirements contained in the Sarbanes-Oxley Act of 2002 and related regulations.

Now, legislation proposed in Texas goes one step further and stops just shy of naming an industry standard by name in the text of a bill designed to ensure the security of personal data stored in portable “access devices,” such as credit cards. Texas House Bill No. 3222 contains the following provisions:

A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry [“PCI”] data security standards [“DSS”].

…[and]…

A financial institution may bring an action against a business that is subject to a breach of system security if, at the time of the breach, the business is [not in compliance with PCI DSS].

The bill goes on to provide that a business may avoid a lawsuit brought under the statute if the business was certified by a “[PCI]-approved auditor” as being in compliance with PCI DSS at least 90 days before the date of a security breach. However, if the business was not in compliance, and if the lawsuit moves forward, the business may end up having to pay the financial institution’s “actual damages” – including costs incurred in connection with “cancellation or reissuance of an access device affected by the breach,” “closing of a deposit, transaction, share draft, or other account affected by the breach and any action to stop payment or block a transaction with respect to the account,” “opening or reopening of a deposit, transaction, share draft, or other account affected by the breach,” “refund or credit made to an account holder to cover the cost of any unauthorized transaction related to the breach,” and “notification of account holders affected by the breach” – in addition to the financial institution’s attorney’s fees. Obviously, for even a moderately large breach of, for example, credit card account information, the potential penalties flowing from this legislation for noncompliance with PCI DSS could be staggering.

The interesting part of this for me, though, is the bill’s almost express naming (but for the initial capital letters) of a specific industry standard – the Data Security Standard published by the Payment Card Industry Security Standards Council – to substitute for a detailed description of the actions a business must take to be in compliance with the law. Businesses should expect to see ever more numerous examples of this sort of legislation in coming years, making familiarity with and early adoption of generally-accepted business standards all the more advisable.

You can read the full text of HB 3222 here.

In addition, you can download a free copy of the PCI DSS here.

May 17, 2007

Paper Records and Information Security

JP Morgan Chase recently received an unwanted reminder that information security demands attention to more than just the data residing on network hard drives and digital media. “Protestors” from the Service Employees International Union (“SEIU”) filmed themselves sifting through trash in dumpsters outside several New York City Chase Bank branch locations and apparently finding numerous, un-shredded customer financial statements in trash bags awaiting pickup. (The SEIU has been in a dispute with Chase regarding the bank’s use of non-union security employees.) The video quickly achieved notoriety after being posted on YouTube.com here.

While the video might have been more clearly damning if it had included footage of Chase employees actually dumping the bags, regardless of its weight, it serves as a valuable reminder to all businesses maintaining sensitive customer records that information security does not begin and end with electronic data. Clearly, no IS policy is complete unless it includes provisions for the proper collection, handling, storage and disposal of paper records containing private information. Chase has stated that it has reached out to the SEIU for information regarding the records appearing in the video and that it is investigating whether and/or the extent to which its employees may have violated its internal IS policies.

The consequences for failing to adequately protect against loss or theft of personal customer data are becoming increasingly severe. Expenses associated with information security breaches can and often do include the costs to notify and assist affected persons, loss of customers, litigation and consulting costs, regulatory fines, and diminution of stockholder share value. In Chase’s case, if the video footage does in fact end up being evidence of a failure on the company’s part to effectively enforce the paper record disposal policies it says it has, then it is not difficult to imagine that the number of affected customers – and Chase’s potential loss exposure – could be quite high indeed.

For more information regarding the consequences of data breaches, you can obtain a copy of a recent national survey on that subject commissioned by Scott & Scott, LLP and independently conducted by the Ponemon Institute by clicking here.

May 30, 2007

Reading the Tea Leaves: Predicting the Ultimate Course of Federal Privacy Legislation

Currently, businesses responding to a breach of their customers’ personal information must consult a patchwork of state laws to determine what steps they are required to take to mitigate the damage, including whether and to what extent they must notify those customers that their information may have been compromised. There is not yet a federal privacy statute applicable to such situations. (More information regarding the present state of the law on this issue can be found here.)

However, since all of the alternative legislation now pending in Congress would preempt state laws to one degree or another, it makes sense for companies to begin to familiarize themselves with the direction that Congress might be heading in this regard in order to ensure early and full compliance with whatever rules Washington ends up enacting. The various privacy bills still pending in the House and Senate described in the article referenced above are a good place to start. In addition, though, on April 30, 2007, Congress received a report on a study conducted by the U.S. Government Accountability Office (“GAO”) in order to assess the government’s own response to data breaches. While the stated aim of the study was to help federal agencies improve their ability to respond to such incidents, the basic framework of the GAO’s policy recommendations incorporates many concepts found in pending federal and enacted state legislation, and it is therefore easy enough to translate to a business context. To the extent that the report will return congressional attention to the issue of data security, it should be a useful resource for businesses wanting to begin early implementation of internal procedures that likely will not be too far from the mark, once a final federal rule is enacted and becomes effective.

Many of the GAO’s policy recommendations will sound familiar to those who have some experience with existing data security regulations and best practices. Among other measures, the report recommends: a “two-tiered” approach to incident reporting, where all incidents are reported to a designated, responsible government office, with only those entailing a risk of identity theft being reported to the affected individuals; the designation of a “core management group” to be responsible for quickly responding to incidents; the implementation of mechanisms to allow for the efficient retrieval of addresses of potentially-affected individuals for notification purposes; and taking steps to ensure awareness of and training on data security issues, both among internal staff and among contractors.

The full report may be obtained here.

June 7, 2007

Significant New Remedies Proposed for U.S. Copyright Law

On May 14, 2007, the office of the U.S. Attorney General transmitted a legislative proposal to U.S. House Speaker Nancy Pelosi that would represent one of the most significant overhauls of federal copyright law in recent years. Most of the proposal’s provisions work to expand the scope of the statute and include more tools to combat criminal copyright violations. However, one provision in particular would represent a significant new weapon for those who target businesses for copyright litigation based on software use. The proposed modification to 17 U.S.C. § 503(a), the new language concerning records, appears in the section as quoted below:

At any time while an action under this title is pending, the court may order the impounding, on such terms as it may deem reasonable, of all copies or phonorecords claimed to have been made or used in violation of the copyright owner’s exclusive rights, and of all plates, molds, matrices, masters, tapes, film negatives, or other articles by means of which such copies or phonorecords may be reproduced, and records documenting the manufacture, sale, or receipt of things involved in such violation. The court shall enter an appropriate protective order with respect to discovery by the applicant of any records that have been seized. The protective order shall provide for appropriate procedures to assure that confidential information contained in such records is not improperly disclosed to the applicant.

Unlike the Lanham Act, which provides remedies for trademark infringement, the current iteration of the U.S. Copyright Act allows courts considering claims of copyright infringement to order the impoundment only of the fruits of the infringing activity (the illegal copies themselves) and of the articles used to produce them. The proposed amendment would extend that authority to the records reflecting the details of the infringement.

The potential for this or similar legislative proposals to affect the operations of your business makes it even more important to ensure that all records regarding software license purchases and installations are readily available, or at least easy to retrieve. Such pro-active organization on your part not only makes good business sense, it also greatly facilitates the software audit process for those destined to receive letters from the Business Software Alliance or the Software & Information Industry Association (as are an ever-increasing number of U.S. businesses)…and it might help to avoid some of the harsher remedies that the future may hold under the Copyright Act.

A copy of the legislative proposal may be found here.

June 19, 2007

Dark Arts and Bright Lines: A Trade Secrets Primer

Most protections afforded to intellectual property (IP) are available only after the property is in the public realm. For instance, trademarks must be used in commerce to identify products and services offered to consumers. Creators of original works generally must publish or register those works before they may enjoy any meaningful copyright protections. More significantly, prospective patent holders must not only submit their inventions to the scrutiny of the patent process, ultimately resulting in a publicly accessible record of every last detail concerning that invention's construction and use, they also must be willing to see their exclusive rights in that invention vanish upon the expiration of the patent. While patent holders do obtain a large measure of predictable certainty regarding the remedies they have available to protect their inventions, in many cases, the high cost (both substantive and procedural) of obtaining those protections may represent a poor investment, depending on the type of IP to be protected. In those cases, owners might find a more appropriate IP regime under trade secrets law.

In effect, a trade secret operates as a kind of perpetual patent; the owner potentially can use the secret for his or her own commercial benefit forever. Moreover, almost anything can be a trade secret, while the availability of trademark, copyright or patent protection may be limited based on the nature of the IP at issue. However, "forever," with respect to trade secrets, may be roughly translated as: "for as long as you can keep it." Unlike with patents, where a fairly complex, federal statutory regime usually provides most of the protection afforded to patent holders, those who intend to protect their inventions as trade secrets must be willing to do more of the heavy lifting themselves, using, in the United States, two primary tools: state law and contracts.

Most states have enacted trade secrets legislation - usually modeled on the Uniform Trade Secrets Act - under which an owner of a trade secret may obtain injunctive relief to prevent another from misappropriating that secret by acquiring or using it without the owner's consent. Such legislation also gives the owner the opportunity to seek civil damages arising out of such misappropriation, as well as attorney's fees. However, in many cases, an owner's resort to such statutory protection will represent a failure of the owner's front-line trade secrets defenses: his contracts and internal policies.

The key to effective trade secrets protection lies in addressing those secrets with a holistic set of internal policies regarding their use and with a well-crafted set of contractual agreements designed to restrict the ability of a third party to misappropriate them. Internally, access to the existence or details of a trade secret should be clearly limited by internal policies to only those employees who need to have such access, and those policies themselves must be crafted in such a way as not to attract unnecessary (or, sometimes, any) attention to the secrets they should be designed to protect. Moreover, a trade secrets owner must always be mindful of the extent to which any vendors or contractors or even customers are allowed to access those secrets, and it should include enforceable provisions in contracts with such parties to protect its interests. Finally, a trade secrets owner needs to include a comprehensive set of protections in its employment agreements, which should provide, within the bounds of what is permitted in the owner's jurisdiction, that work completed by employees in the course of their employment constitutes property of the employer and that those employees will remain bound to the terms of specified non-disclosure agreements and non-compete covenants during the course of, and for a period of time following, the term of their employment. What is and is not legally permissible with respect to such clauses usually varies from state to state.

It is worth noting that most of these same protections are good ideas for patent holders as much as they are for trade secrets owners. With trade secrets, though, while the owner must devote more vigilance to the implementation and enforcement of such protections, it need not necessarily undertake the considerable initial expense to obtain the protection in the first place.

Whether it makes sense to construct a comprehensive trade secrets protection regime for your IP will depend on your willingness to commit to full implementation and enforcement, and that willingness may itself depend on the type of property at issue. If that property likely will become obsolete within the patent term (generally, 20 years) just by virtue of the market in which it competes, then it may make more sense to seek protection from other sources. If that is not the case, though, trade secrets protection could be the most appropriate means of protecting your IP.

Intellectual Property Enforcement or Witch-hunt?

Recently, the Coalition Against Counterfeiting and Piracy (CACP), a group consisting of heavy-hitting IP stakeholders, such as the Recording Industry Association of America, the Business Software Alliance (BSA), the Software and Information Industry Association (SIIA), and the U.S. Chamber of Commerce, announced its intent to push for rapid improvements in what it perceives to be universally lax enforcement of U.S. laws protecting IP rights. At a news conference on Thursday, June 14, the CACP, through its Chairman, NBC Universal general counsel Rick Cotton, announced that under this "aggressive, comprehensive" effort, the CACP would seek to increase resources for governmental investigation and enforcement of criminal IP laws, to "reform civil and judicial process" (whatever that means), and to educate consumers.

Generally speaking, few would quarrel with the notion that intellectual property is a valuable and important property interest, fully deserving of strong protection. However, in announcing this new, altruistically-titled "Campaign to Protect America," Mr. Cotton verbally expressed a degree of fanaticism that is, in practice, characteristic of many industry organizations that cite to the public interest to justify their sometimes indiscriminate targeting of alleged IP infringers. Mr. Cotton said:

Our law enforcement resources are seriously misaligned...If you add up all the various kinds of property crimes in this country, everything from theft, to fraud, to burglary, bank-robbing, all of it, it costs the country $16 billion a year. But intellectual property crime runs to hundreds of billions a year.

Never mind the personal stress and often life-long sense of unease that can follow a home invasion or burglary, not to mention a mugging. Never mind the complete financial devastation that can come in the wake of white-collar crimes that lead to the evaporation of a worker's life savings. Never mind the fact that "bank-robbing" often also involves immediate public danger flowing from the use of deadly weapons and, on occasion, subsequent police chases. Clearly, these concerns are trifles compared to the bottom-line cost of IP crimes, and they should not serve to divert our valuable public resources away from the identification, apprehension and prosecution of those who would infringe IP rights. Right?

At least Mr. Cotton was kind enough to limit his generalization to "property crimes."

Statements like these should make clear to any business targeted and accused of "piracy" by organizations such as the BSA or the SIIA that the IP "defenders" are more likely to be interested in making examples of their targets, rather than reaching a solution that truly accounts for all the facts (not the least of which is the usually confusing and even deceptive way that software publishers in particular undertake to license and market their content). If your business has been accused of "pirating" software, it is immensely important that you know whom you are dealing with before you divulge any information or sign any agreement.

A copy of the CACP’s press release can be found here.

July 3, 2007

How High is Too High for Copyright Fines?

Businesses accused of software “piracy” by publishers or trade associations usually are most concerned about their potential exposure in copyright fines, should their dispute proceed to litigation. A recent Sixth Circuit case suggests that statutory damages awards in such cases legally can reach levels that may represent windfalls for prevailing plaintiffs, far outstripping the amount of their actual damages.

In Zomba Enterprises, Inc. v. Panorama Records, Inc., 2007 WL 1814319 (June 26, 2007), the Circuit Court reviewed a trial court’s decision to award a total of $804,000 in statutory damages for what it found to be the defendant’s willful infringement of twenty-six copyrights. (In copyright cases, plaintiffs may elect to ask the court either for their actual damages, for which they must present evidence to support the amount claimed, or for statutory damages, which is an amount set in the trial court’s discretion between $750 and $30,000 for non-willful infringement and up to $150,000 for willful infringement, per copyright infringed.) The defendant in the case was a manufacturer of karaoke discs who had published some karaoke tracks without the consent of the original songs’ copyright holder. On appeal, the defendant argued that the amount was unconstitutionally high, in violation of its substantive due process rights, because the plaintiff’s estimated actual damages totaled only approximately $18,457.92 in lost licensing fees, or about 2.27% of the statutory damages award. The Circuit Court rejected this argument, in part relying on the 1919 Supreme Court case of St. Louis, I.M. & S. Ry. Co. v. Williams, 251 U.S. 63. The Williams case involved a claim by two sisters who were awarded $75 apiece against a railroad under a state statute providing statutory damages for ticketing overcharges. The Supreme Court there held that even though the amount awarded to the sisters was about 113 times the amounts they were overcharged, this did not constitute a violation of the railroad’s due process rights. Disregarding the substantial dissimilarity between the fiscal significance of $75 to a railroad in 1919, on the one hand, and nearly $1 million (including attorney’s fees and costs) to a medium-sized business today, on the other, the Sixth Circuit held that the case represented persuasive precedent that the statutory damages award in Zomba should stand.

The facts of Zomba differ considerably from those of many cases involving allegations of software “piracy.” The Zomba defendant was familiar with the entertainment industry and, though it claimed to have been unaware of the need to obtain permission to re-record songs for karaoke discs (even going so far as to claim, amusingly, that such use had an “educational” purpose, thus constituting fair use), it also apparently continued to infringe the copyrights at issue after having received both a cease-and-desist letter from the plaintiff as well as an injunction from the trial court. However, there is always a risk that what seems like a less egregious case of infringement will be read by a trial court much more harshly than initially expected, resulting in substantial costs to a losing defendant. The Zomba case suggests that it makes good sense for a business accused of “piracy” to at least be mindful of the worst-case scenario, and let an experienced attorney work to close the gap between disaster and a more reasonable resolution.

July 11, 2007

More Food for Thought on Data Breach Notification Laws

A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available here) is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from data breach has been relatively low. As an example, the report states:

“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”

However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.

The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.

None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.

July 24, 2007

Google Runs Afoul of Authorities Down-Under Over Pay-Per-Click Ads

No doubt much to its chagrin, Google has found itself at the receiving end of a number of lawsuits internationally in recent years alleging that the search engine behemoth should bear some level of liability when companies use its AdSense pay-per-click advertising system to infringe other businesses' trademarks or otherwise allegedly mislead consumers. Now, no doubt to its even greater chagrin, Google is for the first time having to defend itself against somewhat similar charges brought by at least one government regulatory agency.

On July 12, the Australian Competition and Consumer Commission (ACCC) announced that it had instituted legal proceedings against Google as well as an Australian company that used two competitors' business names in pay-per-click ads published through AdSense in 2005. The ACCC specifically has alleged that Google violated Title 52 of the Australian Trade Practices Act of 1974 by "causing the [allegedly deceptive] links to be published on its website" and by "failing to adequately distinguish sponsored links from 'organic' search results." While the suit does not seek any monetary penalty, the ACCC is asking the Sydney Federal Court, among other things, to enjoin Google "from publishing sponsored links of advertisers representing an association, sponsorship or affiliation where one does not exist" and also "from publishing search results that do not expressly distinguish advertisements from organic search results."

While I make no predictions as to whether this lawsuit might prove to be a catalyst that leads to similar actions being instituted in other countries, I think that this should be an interesting case to watch, especially for those interested in search engine optimization. If those in charge at Mountain View decide that the risk of future legal proceedings outweighs the cost of re-tooling their advertising machine, we might see a different-looking Google in years to come.

You can read the ACCC's press release regarding the lawsuit here.

Big Changes for Patent Law Possibly on the Horizon

Late in the day on July 19, the U.S. Senate Judiciary Committee gave its approval to an amended version of the Patent Reform Act of 2007. The Senate action came a day after the U.S. House Judiciary Committee approved a substantively similar bill. While some differences between the House and Senate bills will need to be resolved in conference, passage and enactment of the legislation at this point seems to be much more likely than in years past when similarly extensive overhauls to the nation’s patent laws have been proposed.

Both versions of the Act attempt to curb the frequency of patent lawsuits both by replacing the current “first to invent” standard with a “first to file” patent system, as well as by establishing a “post-grant opposition” authority within the Patent & Trademark Office itself to address and resolve challenges to newly awarded patents. The bills also would restrict permissible venue options for patent litigants to avoid forum-shopping, would increase the factual showing required of claimants in order to prove a case of willful infringement and, thus, treble damages, and would allow courts to award damages based on a patent’s “contribution” to an infringing product’s market demand (which, as an aside, might address the scope of damages for patent infringement, but also would raise an astoundingly complex fact issue).

Recent Congressional action notwithstanding, support for the legislation, as with all attempts at patent reform, remains mixed. Those who invest heavily in research & design, such as pharmaceutical companies and technology licensors such as Qualcomm, have opposed the reforms as an attempt to weaken their ability to protect their intellectual property. On the other hand, technology manufacturers like Apple and most software publishers have supported the reforms as welcome relief from the high volume of patent litigation that tends to flow from products that incorporate a high volume of technological concepts or components.

It remains to be seen whether Congress will be able to work out the differences between the two versions and send a final bill to the White House that the President will be willing to sign. However, the mere fact that the legislation has made it this far means that this is a reform attempt well worth watching.

The Senate version of the Act is available here, the House version here.

July 31, 2007

Forum Selection and Intellectual Property Claims

A recent U.S. Second Circuit Court of Appeals opinion should give contract drafters pause when including what they may consider to be mere boilerplate forum selection clauses in contracts implicating intellectual property rights. In Phillips v. Audio Active Ltd., 2007 WL 2090202 (2nd Cir.(N.Y.) Jul 24, 2007), Plaintiff-Appellant Peter Phillips (a/k/a Pete Rock, an influential hip-hop DJ, producer and rapper) appealed the decision of the New York Southern District Court to dismiss his contract, copyright and state law claims against defendant music companies based on a forum selection clause in the contract between the parties. The clause at issue read: "[t]he validity[,] construction[,] and effect of this agreement and any or all modifications hereof shall be governed by English Law and any legal proceedings that may arise out of it are to be brought in England." The Second Circuit affirmed the trial court’s decision to dismiss the contract claims as clearly falling within the scope of the forum selection clause, but it reversed the decision to dismiss the state law claims (asserting unjust enrichment and unfair competition) and copyright claims based on its determination that those claims did not, as the clause states, “arise out of” the contract.

The defendant music companies argued in the District Court that the copyright claims in particular did “arise out of” the contract provisions giving them the right to distribute an unspecified number of songs to be recorded by Phillips. The Second Circuit disagreed. While it did not give any weight to Phillips’ argument that a claim implicating a law of the United States may never be subject to contractual provisions governing disputes between parties, the court nevertheless found that, on the facts of the case before it and based on the language used in the contract, the forum selection clause had no bearing on Phillips’ right to pursue his copyright claims in any appropriate forum. The songs alleged to have been infringed by the music companies were authored and recorded by Phillips, making him, absent a valid assignment to another party, the owner of the copyright therein, regardless of anything contained in the contract. The defendants clearly could raise the contract terms as a defense against Phillips’ copyright claims, but the source of those claims – where it is that they “arise out of” – is the Copyright Act, not the contract.

The case serves as a useful reminder that a contract drafter who treats any “ordinary” or “boilerplate” provision as a given does so at his or her peril. While the opinion did not specify which party was responsible for drafting the contract, it was likely one or more of the defendant music companies (since it was Phillips who was objecting to litigating his claims in England). Those companies (or their lawyer) likely could have avoided the outcome of the case either by including some measure of specificity in the choice of law or by simply rewording it to include copyright claims.

You can read the Phillips opinion here.

August 20, 2007

Unpleasant Surprises in BSA & SIIA Software Audits

Many companies who comply with a demand by a software publisher or industry association (such as the BSA or the SIIA) for an internal software audit end up facing significant settlement demands after forwarding their audit materials to the other side. One of the reasons the settlement demands often are so high is the fact that the auditing entities frequently base their demands, in part, on the “unbundled” price of software suites. Thus, where a company may expect to pay a fine based on the MSRP of, for example, one undocumented installation of Microsoft Office Professional 2007 ($679), it likely will end up receiving a settlement demand based on the combined MSRPs of each of the components of that undocumented suite: Word ($229), Excel ($229), PowerPoint ($229), Outlook ($110), Publisher ($169), and Access ($229), all totaling $1195. In a typical case these differences add tens of thousands of dollars to the amount in controversy.

Another way in which publishers or auditing entities raise the amount in controversy in software audits is the attempt to assess separate “fines” for each allegedly infringing installation of a software product. Thus, a company reporting just ten undocumented installations of Office Professional 2007, with no other licensing shortfalls, may receive a settlement offer based on the combined, “unbundled” MSRPs of the component products totaling just shy of $12,000. Moreover, that is before the auditing entity applies any multipliers to that figure (yet another common tactic) or makes any assessments for their claimed legal fees, both of which factors may drive the opening settlement offer in the above example to $40,000 or more.

It is not difficult to see how owners of small to medium businesses who think that they have a handle on their financial exposure in a software audit matter often end up with truly unpleasant surprises after submitting audit materials to the BSA or SIIA that they may have believed would be negotiating on a more equitable basis.

If your business has been accused of software “piracy” and is responding to a software audit demand either from a software publisher like Autodesk or from the BSA or the SIIA, an experienced attorney can give you visibility into the process and help you avoid unpleasant surprises.

Safe Harbor for YouTube and the Limits of the DMCA

Since Google acquired YouTube for $1.65 billion in November 2006, it has been forced to defend itself and its new acquisition against claims of copyright infringement made by swarms of angry copyright owners. Such cases include Viacom, which has claimed over $1 billion in damages, and the class action matter The Football Association Premier League Limited, et al. v. YouTube, Inc., et al. Both cases are currently pending in the U.S. District Court for the Southern District of New York. (The current class action complaint is available at the web site set up by the plaintiffs’ attorneys here.)

Central to YouTube’s and Google’s defense in these cases is their claim that, though the YouTube.com site may be hosting audio and video works copyrighted by third parties, that action does not constitute actionable copyright infringement, thanks to Section 512(c) of the Digital Millennium Copyright Act (DMCA), which provides:

A service provider shall not be liable for monetary relief, or, [with some exceptions], for injunctive or other equitable relief, for infringement of copyright by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider, if the service provider:

(A) (i) does not have actual knowledge that the material or an activity using the material on the system or network is infringing;

(ii) in the absence of such actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent; OR

(iii) upon obtaining such knowledge or awareness, acts expeditiously to remove, or disable access to, the material;

(B) does not receive a financial benefit directly attributable to the infringing activity, in a case in which the service provider has the right and ability to control such activity; AND

(C) upon notification [as specified elsewhere in the statute] of claimed infringement…responds expeditiously to remove, or disable access to, the material that is claimed to be infringing or to be the subject of infringing activity.

Thus, YouTube and Google claim that, though they are working on technological countermeasures to filter copyrighted material, the YouTube.com site has such a large volume of users that they cannot effectively monitor all of the site’s content for infringing copies. Therefore, until given notice by copyright owners of the presence of infringing works on the site, they cannot be held liable for copyright infringement.

In response, the class action plaintiffs offer a number of arguments attempting to distinguish YouTube and Google’s actions from those of the average, theoretical, safe-harbor-eligible service provider: the defendants do not just “store” information at the direction of users, but rather provide functions that actively assist users in disseminating copyrighted materials; the defendants have no policy in place to terminate the accounts of “repeat” copyright infringers; the defendants have failed in the past to timely respond to Section 512 takedown notices; the defendants “have failed to police” the site for the presence of infringing materials; and the defendants have failed to employ existing, readily-available techniques to monitor the site and remove copyrighted works. (You can read the complaint here.)

It remains to be seen what success any of the parties will have with any of the above arguments. Perhaps the Supreme Court will consider the issues, at which point we hopefully will receive some much-needed clarification regarding the scope and implementation of the DMCA’s safe harbor provisions. However any of those cases may conclude, expect the pressure on Congress to modify the DMCA – pressure coming from copyright holders, on the one hand, and Internet service providers and content hosts, on the other – to only increase in coming months and years. And rightfully so. Whichever side you may fall on regarding the intent of the DMCA, in light of the fracas surrounding YouTube.com, few would dispute that it is a statute in need of extensive revision or elaboration.

August 28, 2007

Beware of Technology Creep in Your Contracts

Recently, a Danish pop band from the 1980s gave Sony BMG an uncomfortable reminder that business officers who neglect to review their contracts in light of changes in technology and commercial objectives may find themselves having to play a costly game of catch-up when the terms of those contracts no longer reflect the current state-of-the-art technology.

Dodo and the Dodos apparently are one of Denmark’s all-time best-selling pop bands, famous (in certain regions along the eastern shore of the Atlantic Ocean, anyway) for several hits, including their biggest, “Vågner i natten” (“Waking in the Night”). More than five years ago, Sony BMG sent out notices to approximately 400 composers of songs for which the company held distribution rights, including the Dodos, informing them that their compositions were slated to begin distribution via Internet download. The Dodos were the only recipients to object to and challenge their notice, based both on their belief that their current royalty deal was inadequate to fully compensate them for Internet distribution as well as, more importantly, on the fact that their existing contract with Sony did not explicitly allow for that method of distribution. Apparently, when the Sony-Dodos deal was inked, there was no reason to mention music downloads, as they were not then a technologically viable option for distribution.

After losing the case against it at the trial level, Sony appealed the decision to the Eastern High Court of Denmark, which upheld the trial court’s decision in a ruling issued on August 9. The case is believed to be the first of its kind involving electronic distribution of copyrighted content under dated distribution agreements. While the final decision is not necessarily controlling on courts in other jurisdictions, it is likely that it will be important ammunition for other similarly situated copyright owners who want to challenge Internet distribution of their works under terms of aging contracts that they may believe fail to provide adequate compensation.

As important as the case may prove to be for the music industry and other businesses handling electronic distribution of copyrighted materials, it serves as an important lesson for any company that enters into contracts affected by technological issues. Contract drafters sometimes make the mistake of failing to write agreements that are flexible enough to adapt to changes in technology over the life of those agreements. In other situations, contract managers fail to regularly review the terms of existing contracts to determine whether technological changes and advances have occurred since execution that will impact the interpretation of those contracts. Being behind the ball with respect to either consideration can prove to be an expensive mistake.

You can read a brief, English-language description of the case at The Copenhagen Post here.

Federal Court Develops Standard for Privilege Waiver After Defendants Assert Advice of Counsel Defense

Hot on the heels of uncharacteristic agreement in Congress concerning pending legislation to enact a number of tech manufacturer- and publisher-friendly reforms to the nation’s patent laws (more on that here), Seagate Technology has secured a victory in the Federal Circuit Court of Appeals that likely will give those same industry groups even more reason to celebrate. In re Seagate Technology, LLC, --- F.3d ----, 2007 WL 2358677 (C.A. Fed. (N.Y.), August 20, 2007), originated with Seagate’s petition for writ of mandamus to reverse the N.Y. Southern District trial court’s order compelling Seagate to submit to discovery of that part of its trial counsel’s work product, as well as communications with its trial counsel, related to the work of Seagate’s opinion counsel. Seagate had independently retained and designated opinion counsel both to refute the claims of willful patent infringement by plaintiffs Convolve, Inc. and the Massachusetts Institute of Technology as well as to support Seagate’s asserted advice of counsel defense. Following oral argument and the Federal Circuit’s review of the nearly two dozen party and amicus briefs that were submitted for and against the petition, the court, sitting en banc of its own accord, not only reversed the discovery order, but also fundamentally changed the controlling standard for a finding of willful patent infringement.

The trial court relied on the Federal Circuit’s prior precedent, which held: (1) that a potential patent infringer with actual notice of another’s patent rights had an affirmative duty to exercise due care to determine whether he is infringing those rights, and that failure to exercise such due care would give rise to a claim of willful infringement (and, thus, enhanced monetary damages), and (2) that assertion of an advice of counsel defense (under which the accused infringer raises advice received from his attorneys that he was not infringing as evidence of due care taken), in most cases functioned as a waiver of both the attorney-client privilege and the work product privilege, so that the validity of the defense could be tested. In interpreting the latter holding, trial courts had adopted differing approaches regarding the scope of that waiver, with some courts holding that it extended to all communications and work product of trial counsel, other courts holding that it extended to no such communications or work product, and still others holding that it extended only to such communications or work product that contradicted or cast doubt on the opinions used to support the advice of counsel defense.

In Seagate, the Federal Circuit attempted to eliminate that confusion. Before it did so, however, it first did away with the “affirmative duty” standard, which the court stated set a threshold for willful infringement that amounted to mere negligence, thereby placing an improper burden on the numerous attorney-client relationships affected by assertion of the advice of counsel defense. In its place, the court held that for claims of willful infringement, a recklessness standard would now control, under which patentees “must show by clear and convincing evidence that the infringer acted despite an objectively high likelihood that its actions constituted infringement of a valid patent.” Thus, the court shifted the burden from defendants to claimants to prove the existence, rather than the absence, of willful infringement, thereby eliminating much of the need for the advice of counsel defense in the first place. In addition, though, the court explicitly limited the scope of the privilege waiver, absent extraordinary circumstances, to communications with or work product of trial counsel.

It will be interesting in coming weeks and months to see the extent to which this very important opinion informs the congressional debate over proposed patent reforms.

You can read the Federal Circuit’s Seagate opinion here.

September 11, 2007

Patent Reform A Step Closer to Enactment

Late Friday, the U.S. House passed, by a 220 to 175 margin, significant reforms to the nation’s patent laws. Those who have been paying attention to this issue already know that recent Congressional activity regarding patent reform has been moving forward at a pace that has been uncharacteristically steady, considering past attempts to enact changes to U.S. patent law. The passage of the House bill on Friday follows approval by the Senate Judiciary Committee in July of its own set of largely similar reforms. The full Senate has yet to vote on its own bill, though, and differences between the two bills of course will need to be dealt with before final legislation can be approved and sent to the President for signing.

The Washington Post reports that the spokesman for Senate Majority Leader Harry Reid predicts that a Senate vote may be forthcoming within a couple weeks. However, the Bush Administration, while generally expressing agreement with proposed patent reforms, also has expressed its concern with some proposals, most notably those involving damages in patent lawsuits. It will be very interesting in coming weeks to see whether and to what extent the House and Senate can agree on a set of reforms that meet with the President’s approval.

DMCA Takedown Notices – Requirements and Risks

Section 512 of the Digital Millennium Copyright Act (DMCA) gives providers of online content “safe harbor” from liability for copyright-infringing material stored on their web domains by third parties. In most cases, however, the shield provided by Section 512 is used as a sword by copyright owners, who are able to send “DMCA takedown notices” to content providers in order to force those providers to remove infringing content. Regardless of whether your business is on the sending or receiving end of such a notice, it is important to be aware of the requirements that the notice must satisfy in order for it to carry legal weight.

While Section 512 contains other liability-limiting provisions applicable to other types of service providers, the part of the act that most associate with “safe harbor” requires that a takedown notice contain:

1. A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

2. Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

3. Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

4. Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

5. A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.

6. A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

A notice that does not substantially comply with all of the above requirements is not effective to give a content service provider notice that infringing material is present on their domain.

Although most of the requirements are straightforward, a person sending a notice should pay special attention to the second and third elements, especially in light of the fact that the notice must be signed by a responsible person under penalty of perjury. A sloppy description of the copyrighted material and/or a sloppy description of the content alleged to infringe that copyright, or transmission of a purported takedown notice that does not fall within the scope of the protections afforded under the Copyright Act, could result in an inference that there was no good faith basis for the takedown requested under the notice. A separate subpart of Section 512 provides that a “knowing,” “material” misrepresentation that online content is infringing could result in liability for damages, costs and attorney’s fees to the alleged infringer, the content service provider, or both. For example, in the case of Online Policy Group v. Diebold, Inc., 337 F.Supp.2d 1195 (N.D.Cal. 2004), Diebold sent a takedown notice to the Internet service provider for two college students who, in an effort to draw critical attention to voting machines manufactured by Diebold, had published on their web site internal e-mails exchanged among Diebold employees. In its opinion, the court found that Diebold had violated Section 512, holding:

No reasonable copyright holder could have believed that the portions of the email archive discussing possible technical problems with Diebold's voting machines were protected by copyright, and there is no genuine issue of fact that Diebold knew – and indeed that it specifically intended – that its letters…would result in prevention of publication of that content.

Diebold eventually agreed to a settlement in which it paid the plaintiffs $125,000 in damages and fees.

These issues are receiving renewed attention in the wake of news regarding a notice sent by the Science Fiction and Fantasy Writers of America (SFWA) to Scribd.com, a site allowing users to upload and share text files. The SFWA’s notice apparently included material – such as a schoolteacher’s bibliography for students – that could not reasonably be argued to infringe any copyright. (The SFWA has since issued a statement regarding the flaws in its notice and suspended the committee that was responsible for sending the notice.) It remains to be seen whether any legal liability will flow from the incident, but it should serve as a reminder to anyone dealing with either end of a takedown notice that it pays to be aware of just what the DMCA does – and does not – allow.

September 26, 2007

Accenture Sued for Negligence by the State of Connecticut

Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers. Connecticut’s lawsuit also alleges unauthorized use of state information and breach of contract.

Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though similar project for the State of Ohio. (The tape also contained personal information on about 1.3 million Ohio residents.) The intern apparently had been using the Connecticut program as a template for the Ohio project. You can read more about the incident and subsequent lawsuit here and here.

The Accenture case underscores the business necessity of having a thorough data security program that employees actually follow, because breaches can be very costly and weak links in the security chain are prevalent. An effective plan should provide for contingencies affecting sensitive data, especially financial or health information. Plans should also ensure either that all of the business’ employees are aware of the data security policies and procedures, or, better yet, provide for physical, electronic, or procedural barriers to prevent data from being used for any unnecessary or non-business-critical purposes. Companies implementing security plans should consider reducing the risks identified in the Accenture matter by prohibiting interns from having access to sensitive information and by restricting the presence of sensitive information on portable devices.

With the increasing number of lawsuits focused on data breach and security incidents, it is crucial that all businesses take steps to develop comprehensive security policies and also to ensure that their assets will be protected in the event that those policies fail.

SIIA’s Corporate Content Anti-Piracy Program a New Cause of Concern for Small-to-Medium Businesses

Last month, the Software & Information Industry Association (SIIA) announced the first major settlement reached by its Corporate Content Anti-Piracy Program (CCAPP). (You can read the SIIA’s press release here.) The settlement was reached with Knowledge Networks, Inc. (KNI), a market research firm based in Menlo Park, California, with fewer than 500 employees nationwide. The SIIA accused KNI of copyright infringement arising out of KNI’s internal distribution to its employees of written content authored by SIIA members, such as the Associated Press, Reed Elsevier, and United Press International, without securing licenses to copy the content. The SIIA learned about the content distribution through a confidential tip from an informant who later received a $6,000 reward from the SIIA. In order to resolve the matte
