Business and Technology Law

In May of 2007, Sports Imaging Photography of Utah sent a cease-and-desist letter to Utah School & Sports Imaging requesting it to stop using the “sports imaging” name. Both businesses offer photography services for schools and sports leagues. Utah School refused Sports Imaging's request, claiming that the terms “imaging,” “sports imaging” and “sports imaging photography” are generic and cannot be trademarked. Sports Imaging filed a trademark infringement suit in the United States District Court, District of Utah, against Utah School seeking a preliminary injunction prohibiting further use of its trademark.

The court denied Sports Imaging's request for an injunction because: 1) it did not register its trademark and was therefore not entitled to the presumption of validity that accompanies a registered mark; and 2) terms like sports, photography, and imaging, which describe a relevant class of goods are not entitled to trademark protection.

The court also reasoned that even if the marks were descriptive, rather than generic, Sports Imaging would not be able to demonstrate that the marks had acquired a secondary meaning, which is a necessary element for protection. Although, Sports Imaging had been using its marks for 27 years, it never sought to register the words in its logo, and its request to register its logo was unsuccessful.

The court could not conclude that Sports Imaging, at this preliminary stage in the matter, had a likelihood of success on the merits. If you are seeking to protect a trademark and are considering filing a request for an injunction, it is important to evaluate the likelihood of success on the merits.

A recent decision from the Ninth Circuit clarifies the circumstances under which a company may be held liable for contributory copyright infringement. In Perfect 10, Inc. v. Amazon.com, Inc., 2007 WL 4225819 (9th Cir. 2007), Perfect 10, a website selling copyrighted images of nude celebrities, sued Google and other entities for copyright infringement. Perfect 10 alleged, among other claims, that Google should be held secondarily liable for copyright infringement by other websites that display Perfect 10’s copyrighted images.

Google’s search functionality allows Internet users to search for images based on textual search strings and to then view search results in the form of scaled-down images (“thumbnails”). The user can select an image by clicking on it, at which point Google transfers the user to a page divided into two parts, or frames. The top frame displays a thumbnail as it is stored on Google’s servers. The court concluded that such storage falls within the Copyright Act’s definition of Fair Use. The bottom frame, however, displays Perfect 10’s copyrighted images exactly as they appear on third-party websites that have infringed Perfect 10’s copyright by illegally displaying the images. Google did not dispute that such display by third-party websites constituted copyright infringement.

The court began its analysis with several underlying rules regarding secondary copyright infringement. Initially, contributory liability for copyright infringement may be predicated on:

1. Actively encouraging (or inducing) infringement through specific acts, or
2. Distributing a product distributees use to infringe copyrights, if the product is not capable of substantial non-infringing uses.

The court concluded that Google could be liable under the first prong. Noting that an element of intent is required for contributory infringement and that tort law imputes to a tortfeasor the intention to cause the natural and probable consequences of his conduct, the court reasoned that an actor may be contributorily liable for intentionally encouraging direct infringement if the actor knowingly takes steps that are substantially certain to result in direct infringement.

The court reasoned that a computer system operator can be held contributorily liable if it has actual knowledge that specific infringing material is available using its system and can take simple measures to prevent further damage to copyrighted works, yet continues to provide access to infringing works. The court then ruled that Google could be contributorily liable if it had knowledge that infringing Perfect 10 images were available using its search engine and it could have, but did not, take simple measures to prevent future damage to Perfect 10’s copyrighted content.

That Google’s search engine is also useful for searching and displaying noninfringing content did not sufficiently detract from the effect its world-wide service has on copyrighted and infringing content. The court remanded the issue of Google’s knowledge of the infringing content back to the district court for factual determinations.

If your business is in any way connected to potentially infringing activity, it is important to consider the legal ramifications of your connection to the activities at issue. Knowledge of infringing activity may be a basis for liability if your business had the opportunity to remedy or prevent the infringing conduct but failed to take action.

View the full opinion here.

The FTC recently announced its first settlement regarding FACTA document disposal rule, 16 C.F.R. 682, which requires any company collecting consumer information for a business purpose to dispose of that information in a way that prevents unauthorized access and misuse of the data.

American United Mortgage Company agreed to pay a $50,000 penalty in response to the FTC’s accusations that it failed to do the following:

1. Implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports;
2. Take reasonable actions in disposing of such information;
3. Identify reasonably foreseeable internal and external risks to consumer information;
4. Develop, implement, or maintain a comprehensive written information security program; and
5. Provide its customers a privacy notice describing its information collection and sharing practices with respect to affiliated and non-affiliated third parties, as required by the FTC’s Privacy Rule.

The complaint alleged that American United collected personal information about consumers, including Social Security numbers, bank and credit card account numbers, income and credit histories, and consumer reports and that American United failed to dispose of the personal information in accordance with the FACTA provisions regulating document disposal. American United documents containing consumers’ personal information were found in and around a dumpster near its office that was unsecured and easily accessible to the public. Many such documents, some in open trash bags, were found in February 2006.

In addition to the $50,000 payment, the settlement requires American United to obtain an independent, third-party audit to ensure that its security program meets the standards of the order. The audit must be completed every two years for the next 10 years. The settlement also enjoins American United from any further FACTA violations.

If your business collects sensitive consumer information, you should seek counsel for advice regarding FACTA and its state counterparts. FACTA violations could lead to unnecessary expense of time and resources. Properly preparing your business could help prevent subsequent losses.

View the FTC Press Release here.

View the complaint here.

View the FACTA Disposal rule here.

The Massachusetts Appeals Court ruled on January 15 that when parties accept the terms of a settlement agreement via e-mail, the settlement agreement is enforceable. In the midst of a jury-waived trial, plaintiff Basis Technology Corporation and defendant Amazon.com, Incorporated appeared to agree to the terms of a settlement agreement. Basis Technology Corp. v. Amazon.com Inc., No. 06-P-1048 (Mass. App. Ct.). Basis' counsel sent Amazon's counsel an email setting forth six settlement terms to be later memorialized in a writing, after which Basis' counsel wrote, “please contact me first thing tomorrow morning if this e-mail does not accurately summarize the settlement terms….” Amazon's counsel responded with a one word reply: “correct.” Both counsel reported in open court and on the record that a settlement had been reached without specifying the settlement terms. Amazon's counsel sent to Basis' counsel the next day a facsimile of the e-mailed terms.

The parties later disagreed about a settlement term requiring Amazon to convert preferred stock to common stock and Basis sought to enforce the settlement agreement. Amazon opposed. The trial judge ruled that the e-mail constituted an agreement on all material terms and was not ambiguous. Amazon appealed on grounds 1) the trial court incorrectly ruled as a matter of law that the e-mail exchange could create a complete and unambiguous agreement and 2) the trial court incorrectly ruled as a matter of fact-finding that Amazon intended to be bound by the e-mail terms.

The Appeals Court ruled that settlement terms do not become ambiguous simply because the parties develop different meanings of them. Genuine ambiguity requires language susceptible of more than one meaning so that reasonably intelligent persons would differ as to which meaning is the proper one. The court ruled that because Amazon's counsel responded to the e-mail with “correct” that the essential business terms were resolved. Intent to subsequently memorialize terms in writing does not mean intent to create terms. The terms needed only to be recorded. The court determined that where parties agree to material terms, it may be inferred that a document executed by the parties serves as a polished memorandum of an already binding contract.

Amazon’s most strenuously argued contention was that the settlement term requiring application of a formula for a stock conversion was too indefinite. The court ruled that the term described in the email incorporated by reference the ratio set forth in a previous stock purchase agreement and a previous amendment to Basis' certificate of incorporation agreed to by both parties. Because those provisions incorporated the conversion ratio and accompanying formula as constant elements of the Basis certificate of incorporation, they together provided an objective method for determining a variable contractual element. The court determined that Amazon had actual or chargeable knowledge of the formula in question when it agreed to the settlement terms. Amazon’s counsel should have rejected that settlement term if Amazon did not intend to be bound by it.

Washington Attorney General Rob McKenna filed a lawsuit against three California-based Internet affiliate advertisers in February, 2007 under that state’s Computer Spyware Act and Consumer Protection Act. One of the defendants settled in October. HoanVinh V. Nguyenphuoc, owner of FixWinReg, allegedly sent anonymous “Net Send” messages to consumers’ computers that simulated security warnings but were actually ads for registry-cleaner software.

The messages gave the computer users phony warnings regarding registry errors in the computer and informed the users that they needed to take immediate action to avoid data loss and corruption. The warnings encouraged users to proceed to a web site where they could download a free trial version of software that would scan the computer for registry errors. The software consistently identified ‘critical errors,’ and consumers were directed to buy the full version of the software to remove the errors.

The Washington Attorney General brought five lawsuits under the state’s Spyware Act. Under the terms of the settlement agreement Nguyenphoc agreed to pay attorneys’ fees in the amount of $25,000. If he fails to comply with any of the settlement terms, Nguyenphoc will be liable for an additional $75,000.

Texas Attorney General Greg Abbot brought similar claims against Sony BMG and the parties reached a settlement on December 26, 2006. The complaint, the first filed under Texas’ Consumer Protection Against Computer Spyware Act of 2005, alleged that Sony BMG surreptitiously installed spyware on compact music discs (CDs) that consumers inserted into their computers to play. The spyware had the ability to compromise the consumers’ computers.

Sony BMG settled with Texas one year after the suit was filed. Sony was required to publish claim forms on its Web site allowing consumers seeking restitution to receive up to $175 each to compensate them for the costs of repairing computers damaged by Sony BMG products. Even consumers without proof of out-of-pocket expenses were still eligible for $25. The settlement agreement also provided for other incentives for consumers damaged by Sony BMG’s products. Sony BMG also agreed not to manufacture or distribute CDs with DRM or other similar software, and that any existing CDs that contain DRM software must have a conspicuous warning alerting the consumer to the software allowing the user to decline the installation of any software.

If your business uses DRM software, you should seek counsel with the ability to advise you regarding your rights and responsibilities. Failure to comply with state consumer protection laws could lead to unnecessary and costly liability.

View the Texas petition here.

View the Texas settlement agreement here.
View the Washington complaint here.

View the Washington settlement here.

The rock band The Romantics filed a lawsuit on November 20, 2007 against the producers of the video game Guitar Hero alleging, among other claims, violation of right of publicity, and moved for preliminary injunction preventing the manufacture, distribution, sale, or marketing of the game during the pendency of the civil action. The plaintiffs claimed that a substantial number of ordinarily prudent consumers of Guitar Hero have been, or are likely to be in the future, confused, deceived, or mistaken about whether the plaintiffs sponsored or endorsed the game.

Judge Nancy G. Edmunds of the Eastern District of Michigan recently ruled that the band was not likely to prevail in its cause of action because the game producers have a valid synchronization license to use the song. Furthermore, there is no evidence that players of the video game would think The Romantics were endorsing or sponsoring the game. The judge also determined that if the plaintiffs do win any of their claims, monetary damages will be sufficient compensation.

Guitar Hero includes the band’s popular song “What I Like About You” in its catalog of songs. The video game permits players to play along with musical compositions by utilizing a mechanical guitar with buttons to simulate guitar play. Defendants obtained a valid nonexclusive synchronization license from the owner of the copyright in The Romantics’ song. A synchronization license, in the context of a video game, permits the game producers to make a new recording of the song and to use that recording in synchronization with visual images in the video game to enable game play. In accordance with this license, defendants recorded a new version of the song which was incorporated, or synchronized, into Guitar Hero.

The court concluded that issuing the injunction would cause irreparable harm to the defendants, who have successfully negotiated with numerous artists to develop video game versions of songs. The version of The Romantics’ song in the game is conspicuously identified with the phrase “as made famous by The Romantics,” alerting players that the song on the game is not the version recorded by The Romantics. Judge Edmunds also determined that the defendants did not use The Romantics’ song in its advertising or marketing materials used to promote the game and defendants did not include The Romantics’ name nor the names of the individual plaintiffs in the product packaging.

The court applied a four-factor test to evaluate the plaintiffs request for an injunction:

1) whether plaintiffs have shown a strong or substantial likelihood of success on the merits;
2) whether plaintiffs have demonstrated irreparable injury;
3) whether the issuance of a preliminary injunction would cause substantial harm to others; and
4) whether the public interest is served by the issuance of an injunction.

The court found that the plaintiffs failed to state a claim for violation of their right of publicity because Michigan has never recognized a right of publicity in the sound of a voice, even if distinctive, nor has it recognized a right of publicity for a combination of voices. Additionally, not all of the plaintiffs performed on the original master recording of the song, and the lead singer on the original recording is not party to the suit. The court concluded that substantial issues regarding plaintiffs' standing to assert a right of publicity claim even if one were to exist.

The Court also applied a First Amendment analysis and determined that the Guitar Hero is an expressive artistic work entitled to First Amendment protection because the game contains significant transformative elements and is not likely to interfere with the economic interest protected by the right of publicity. Furthermore, plaintiffs’ state law claim is preempted by the Copyright Act. Finally, sections 106 and 114(b) of the Copyright Act permit the owner of a copyright in a musical composition to license others to make specified commercial uses of the composition. This expressly allows third parties such as defendants to make a sound-alike recording of a song.

In Applied Information Sciences Corp. v. eBay Inc., 511 F.3d 966 (9th Cir. 2007), the Ninth Circuit affirmed a district court decision awarding summary judgment to defendant eBay, Inc. (“eBay”) in a trademark infringement action brought by Applied Information Sciences Corp (“AIS”). AIS secured a trademark in 1998 for the phrase “SmartSearch” for use on “computer software and instruction manuals sold together which allow the user to retrieve information from on-line services via phone line in the fields of agriculture and nutrition, books, chemistry, computers and electronics, education, law, medicine and bio-sciences, news, science and technology, social sciences and humanities.”

In 2000, eBay, an online auction website, used the phrase “Smart Search” in a link on its homepage that took users to a separate page with advanced search options. AIS alleged that eBay’s use of the term “Smarty Search” violated AIS’ trademark. The United States District Court for the Central District of California disagreed and granted summary judgment in favor of eBay. AIS appealed.

In order to prevail on its claim of trademark infringement, AIS was required to show that it has a valid, protectable trademark and that eBay's use of the mark is likely to cause confusion. The Ninth Circuit determined that the district incorrectly ruled that AIS lacked a protectable interest because eBay's use of SmartSearch fell outside the scope of goods and services on AIS's registration.

Notwithstanding the district court’s faulty analysis, the Ninth Circuit affirmed the summary judgment because AIS failed to produce any admissible evidence to show a likelihood of confusion, or address any of the factors required for a likelihood of confusion analysis.

If your business is involved in a trademark infringement dispute or you would like secure a trademark to protect your intellectual property, you should seek counsel with the ability to guide you through the trademark registration and defense process.

Many businesses use Microsoft server products to manage their network, their data, and their e-mail communications. However, businesses often select a Microsoft server product without weighing the advantages and disadvantages of the products' Standard and Enterprise versions. Carefully examining the functionality and licensing schemes of each product can help prevent unnecessary expenditures on software.

Standard products are generally less expensive and less robust than their Enterprise counterparts. This does not mean that Standard products are the wrong choice for a business. Standard products are often powerful enough for a business' needs. A business that is better matched to a Standard product may experience more difficulty managing the numerous features and settings of an Enterprise product, which may require significantly more effort and expertise to properly implement.

A business that owns a properly licensed copy of a Standard product can not operate an Enterprise version without purchasing and owning an Enterprise license. Obtaining an Enterprise product by alternative means and installing it in place of a Standard product may lead to compliance issues in the case of an audit. Management may be unaware of the technology solutions deployed in its environment, and to its surprise, discover too late that the business is out of compliance and under investigation by one of the several auditing entities that represent Microsoft. An improperly licensed Enterprise product may lead to exponentially higher licensing costs than a Standard product.

Enterprise products are typically used in complex environments such as universities, hospitals, and data centers serving users numbered in the hundreds or thousands. Consulting the features and licensing rules for individual products could result in a more cost-effective purchase for your business.

The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.

Goal Financial provides a variety of loan services and collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information in its course of business. The company is therefore a “financial institution” according to the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in electronic and paper form.

The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures
to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:

(1) assess adequately risks to the information it collected and stored in its paper files and on its computer network;
(2) restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;
(3) implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;
(4) provide adequate training to employees about handling and protecting personal information and responding to security incidents; and
(5) require third-party service providers by contract to protect the security and confidentiality of personal information.

Goal Financial’s employees allegedly exploited these failures and removed more than 7000 consumer files containing sensitive information without authorization and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing personal information of approximately 34,000 consumers.

Due to such failures, Goal Financial also violated the Safeguards Rule of the GLBA which requires financial institutions to protect the security, confidentiality, and integrity of customer information be developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.

Additionally, The Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices” including its security policies and practices. Goal Financial distributed to its customers a privacy policy that contained false or misleading statements regarding the measures implemented to protect its customers’ personal information.

The proposed settlement requires Goal Financial to institute measures to bring it into compliance with the rules stated above and to prevent it from committing future violations.

View the news release http://www.ftc.gov/opa/2008/03/studlend.shtm

View the complaint http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf

View the proposed settlement http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf

The Business Software Alliance (“BSA”), a trade association representing a number of software manufacturers, routinely updates its published member list list of members on its website. Staying current on the BSA's list of active members is important because the list indicates which software publishers may be included in a BSA-initiated software audit. The BSA generally provides in its initial notice letter to a business an enumerated list of the software publishers at issue in the matter. However, new publishers will become members of the BSA, and will be included in audits initiated by BSA members. Knowing which software publishers the BSA represents will help a business respond appropriately to a BSA audit.

Curently, Corel is listed as a BSA member. Corel publishes the widely-used software CorelDRAW Graphics Suite ® and the office productivity suite WordPerfect Office ®. EMC Corporation is a new addition to the BSA's list. EMC publishes the document management product ApplicationXtender and its web interface, WebXtender.

Siemens PLM (Product Lifecycle Management) recently acquired UGS Corporation, making both BSA members. Other new members include Synopsis, Inc., SAP, Quest Software, Inc., Parametric Technology Corporation (PTC), Monotype Imaging, and Quark Inc., producers of QuarkXpress ®.

Keeping an eye on the BSA member list will provide your business with visibility into what publishers would be implicated in a BSA audit. Counsel experienced with handling BSA matters can help your business manage its software licensing and avoid potential losses associated with a BSA investigation.

Data brokers Reed Elsevier and Seisint have agreed to conduct biennial audits of its data protection procedures for 20 years as part of a settlement with the FTC. Businesses that find themselves under the FTC's scrutiny and choose to settle data privacy allegations may have to eventually assume the expense of conducting costly audits for as long as 20 years.

Reed Elsevier, via its LexisNexis data broker business, and Seisint gather information about millions of consumers, including names, current and prior addresses, dates of birth, drivers’ license numbers and Social Security Numbers. The companies relied on user IDs and passwords to control customer access to consumer information in their databases.

The FTC alleged that Reed Elsevier and Seisint failed, among other things, to:
• Make Seisint user credentials hard to guess;
• Suspend credentials after a certain number unsuccessful log-in attempts;
• Require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint Web sites;
• Verify that new user credentials were created by customers rather than identity thieves;
• Prevent users from sharing credentials;
• Adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks; and
• Implement simple, low-cost, and readily available defenses to such attacks.

Identity thieves allegedly exploited these security failures and obtained access to the sensitive information of at least 316,000 consumers from Accurint databases. The identity thieves used the information to create and activate new credit cards with which they made fraudulent purchases. Reed Elsevier acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time Reed Elsevier controlled Seisint’s practices.

For the next 20 years, auditors will be required to certify that the companies’ security programs meet or exceed the requirements of the FTC’s orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers’ personal information is being protected. The Reed Elsevier and Seisint settlements also contain bookkeeping and record keeping provisions to allow the FTC to monitor compliance with its orders.
View the compliant here.
View the settlement agreement here.

The District Court of Oregon recently ordered a group of record companies to pay an accused file-sharer's attorneys’ fees in the amount of $300,000 for defending her suit over a two-year period. Plaintiffs Atlantic Recording Corp., Priority Records LLC, Capitol Records Inc., UMG Recordings Inc., and BMG Music accused Tanya Andersen of sharing more than 1,000 music files from her computer via the peer-to-per file sharing network Kazaa in 2005.

The plaintiffs were unable to locate sufficient evidence to convince the court that the Defendant infringed any copyrights and attempted to depose Andersen's 10-year-old daughter. Eventually, the record companies stipulated to a dismissal of the case with prejudice. Andersen thereafter moved to recover attorney's fees.

The record companies disputed Andersen's status as “prevailing party.” The Copyright Act allows the court to award reasonable attorney's fees to the prevailing party in a copyright action. The court stated that awarding fees under this provision is a matter of the court's discretion, but that it is to be applied in an evenhanded manner. In other words, prevailing plaintiffs and prevailing defendants are to be treated alike.

Although Plaintiff record companies argued that fees may not be awarded to a prevailing party unless there is a material alteration of the legal relationship of the parties as demonstrated by an enforceable judgment on the merits or a court-ordered consent decree, the court refused to apply such a strict analysis. Instead, the court reviewed the underlying social policy of the Copyright Act to determine how the purposes of the Act would best be served given the specific facts and relevant considerations.

The court ultimately concluded that the policy underlying the Copyright Act was best served by awarding Anderson the $300,000 she incurred in defending the copyright infringement suit.

An Arizona district judge recently reconsidered its decision to grant summary judgment in favor of a group of recording companies in Atlantic Recording Corporation et al. v. Howell. The record companies accused Mr. and Mrs. Howell of using music-sharing software KaZaA to share music files in violation of the Copyright Act. The Howells, proceeding pro se, argued that KaZaA shared Mr. Howell’s private music folder without his authorization or knowledge. Mr. Howell denied placing music files in KaZaA’s shared folder, which allows public access to computer files. The district court originally granted summary judgment based on the record companies’ evidence that Mr. Howell admitted he shared copyrighted materials through KaZaA. However, upon reconsideration, the court determined that Mr. Howell never admitted he disseminated the materials.

The Copyright Act provides in section 106(3) that the owner of a copyright possesses, among other rights, the exclusive right to distribute copies of the copyrighted work. Although the Copyright Act does not define “distribute,” the court followed precedent from other jurisdictions and determined that actual dissemination of either copies or phonorecords is required to demonstrate a violation of Section 106.

The court concluded that unless a copy of the work is transferred “by sale or other transfer of ownership, or by rental, lease, or lending,” there is no distribution. Judge Wake added that merely making available an unauthorized copy for public access is does not violate the copyright owner's exclusive right to distribution. Combined with other circumstantial evidence, such conduct may create liability, but it is insufficient on its own to result in a copyright violation.

Although the record companies may ultimately prevail on their copyright claims, the court’s ruling makes it difficult for plaintiffs in Arizona to prevail merely by showing that copyrighted material was available on a file-sharing network without an additional showing that the defendant affirmatively disseminated the material.

To view the court’s opinion, click here.

The judge in MySpace Inc. v. Wallace, et al, CV-07-1929-ABC-AGR (C.D. Cal. May 12, 2008) entered a default judgment against Sanford Wallace and Walter Rines for violations of the CAN-SPAM Act and ordered the defendants to pay MySpace over $230 million in statutory damages. The CAN-SPAM Act regulates the transmission of commercial email and various activities related to commercial email, such as prohibiting the use of false, misleading, or deceptive information, prohibiting the use of automated “bots” to create multiple email accounts, and requiring certain contact information in commercial electronic mail messages.

MySpace, a social networking site, allows individuals to create unique user profiles containing personal and private information and to share their profile information with others. The networking site allows users to send each other messages within the MySpace network and to post comments on each other’s profile pages.

MySpace alleged that Wallace and Rines created over 11,000 false profiles by circumventing MySpace’s security measures designed to prevent such actions. MySpace further asserted that Wallace and Rines sent nearly 400,000 commercial messages and posted 890,000 comments from 320,000 profiles defendants “hijacked” by luring users to a website designed to look like a MySpace page. The phony MySpace page then solicited MySpace users’ account credentials which defendants Wallace and Rines used to hijack user profiles and send messages.

The court found that Wallace and Rines violated the CAN-SPAM Act and assessed damages as follows:

- $157,390,200 against Wallace and $233,777,500 against Rines, for violations of the CAN-SPAM Act ($157,390,200 in joint and several liability and an additional $63,387,300 against Rines).

- Statutory damages in the amount of $1,500,000 against both defendants for violations of California’s anti-phishing statute, Cal. Bus. & Prof. Code § 22948.2.

- Attorneys’ fees in the amount of $4,709,140.00, as calculated pursuant to the formula prescribed by Local Rule 55-3 ($5,600 plus 2% of the amount over $100,000); plus costs of suit.

In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.

ValueClick, through its wholly owned subsidiary, E-Babylon, sold printer ink and printer accessories through a variety of websites that utilized an on-line credit and debit card payment processing system. Consumers purchasing products on these websites were required to provide personal information including name, address, phone number, credit card number, and credit card expiration date. The website also required consumers to provide the three-digit credit card verification code ("CVV2 code") printed on the back of credit cards. CVV2 codes are particularly sensitive because they are intended to protect consumers against fraudulent internet and telephone purchases in which a sales associate can not physically verify that the card belongs to the card-holder. If stolen, possession of the CVV2 code in conjunction with the consumer's personal information would make it easy for information thieves to make fraudulent purchases with stolen information.

The FTC also alleged that ValueClick and its subsidiaries distributed or caused to be distributed privacy policies that claimed to protect consumers' personal information by encrypting data collected for the purpose of delivering products and services to consumers. The privacy policies claimed to use "industry standard" security measures to protect consumers' personal information. ValueClick and its subsidiaries used either no or limited encryption in its database systems. One of the defendant's systems used a simple alphabetic substitution system that was not consistent with industry standards.

Furthermore, the E-Babylon sites were subject to Structured Query Language (SQL) injection attacks. In SQL injection attacks, the attacker manipulates the address in the internet browser's address bar to gain access to information in the database supporting the website. These databases contained consumers' personal information and credit card information. The FTC alleged that SQL attacks were a well-known and well-publicized form of hacking and that solutions were both available and inexpensive.

In addition to the monetary penalties, ValueClick agreed to clearly disclose in its ads and web pages that consumers must spend money to qualify for “free” merchandise. Additionally, ValueClick and its subsidiaries must refrain from making misrepresentations about the use of encryption to protect consumers’ data. Finally, ValueClick agreed to independent third-party assessments of its programs for 20 years.

The Business Software Alliance (“BSA”), a trade association representing a number of software publishers, is launching a new campaign to attract would-be informants to its reward program. The BSA’s new Know it / Report it / Reward it campaign will attempt to attract a larger number of informants through a coordinated effort involving online advertisements, radio advertisements, research reports, and other tools.

The program continues the BSA’s practice of offering rewards of up to one million dollars for qualifying reports of software piracy. Individuals allegedly possessing knowledge about a business’ software compliance practices report information to the BSA which may become the basis of a legal engagement.

Issuance of a Software Policy can also provide the education and training employees need to help the business maintain compliance. Management should clearly delineate the company’s software asset philosophy and process to ensure compliance across the organization. Companies that receive audit letters from the BSA should contact experienced counsel for assistance.

View the BSA press release here.