Second Quarter 2009

In This Issue:

I. E-COMMERCE

I. E-COMMERCE

A. No Third-Party Standing for Craigslist Terms of Use Violation

ABC Real Estate Services sued Rentasy Rentals for violating Craigslist.com's terms of use, claiming that Rentasy was "spamming" by posting repeat advertisements for the same rental properties on Craigslist within a very short period of time. ABC claimed that under California law, it was a third-party beneficiary of Craigslist's terms of use, and as such, had standing to sue Rentasy for its alleged violation. The court found that the Craigslist terms of use did not indicate or expressly state that Craigslist or Rentasy intended Rentasy's promises to benefit ABC. Additionally, the terms of use clearly state that ABC's only recourse if it was at all dissatisfied with Craigslist.com was to stop using Craigslist, and granted to Craigslist the right to enforce the terms. According to the court, this provision "implicitly denied" third parties like ABC the right to enforce the terms. Thus, since ABC was not a third-party beneficiary, it was not able to sue Rentasy for Rentasy's violation of the terms of use.

TIP: If you intend to create a benefit of your terms of use to a third party, your terms of use should expressly state the benefit you wish to confer. Similarly, if you wish to create no third-party beneficiary relationship by your terms of use, such terms should expressly state that no relationship is created.

[Top]

B. CDA Immunity Does Not Extend to State Intellectual Property Law Claims

Six record companies sued Project Playlist, Inc. for copyright infringement and unfair competition. Specifically, the record companies claim that Playlist provides links to third-party Web sites which contain music that is posted without permission from the record companies, and therefore infringe on the record companies' copyrights. Playlist attempted to dismiss the record companies' common law copyright infringement and unfair competition claims, because it asserted that such causes of action were barred by the safe harbor provisions of the Communications Decency Act. The court determined that although CDA immunity is broadly interpreted, Playlist did not itself provide the songs. Instead, Playlist provided a means to access the music, by permitting users to listen to the music on Playlist's Web site. Therefore, as a matter of law, Playlist was entitled to immunity under Section 230(c)(1) of the CDA. However, the record companies claimed that even if Playlist is entitled to CDA immunity, such immunity only extends to federal causes of action. The court agreed, and concluded that the plain language of the statute did not bar the plaintiffs' common law copyright and unfair competition claims.

TIP: The CDA does not provide a shield to Web site providers for intellectual property claims, and according to this court, this includes state law claims. Companies can and should, however, take other measures to help avoid potential liability for third-party violations that occur on their Web sites, and should confer with legal counsel to determine appropriate steps for such protection.

[Top]

C. Craigslist and South Carolina in Battle Over Adult Services Section of Site

For the past several months, Craigslist and the South Carolina Attorney General, among other states attorneys general, have been engaged in a dispute regarding the legality of the "erotic service" section of the Craigslist ad service Web site. In May 2009, South Carolina Attorney General Henry McMaster issued a number of public statements indicating that the "erotic service" section of the Craigslist Web site illegally advertised sex services and otherwise promoted unlawful activities. After Mr. McMaster indicated that Craigslist management may be subject to criminal investigation and prosecution for certain advertisements contained on the site, Craigslist filed for injunctive relief. In its complaint, Craigslist argues that the Communications Decency Act bars Mr. McMaster from commencing any legal proceeding that seeks to hold Craigslist or its management liable for material third parties have posted on Craigslist, inasmuch as any illegal content was created by site users, not by Craigslist.

TIP: We will be watching this case, and others, to see the extent to which the court extends CDA immunity to Craigslist. While these types of cases are ongoing, companies are well served to take measures to ensure that CDA immunity shields will apply for postings made by third parties on their Web sites.

[Top]

D. Google Lifts Ban on Trademark Terms for Search Ads

Google announced that it has changed its trademark policy for search ads to allow use of trademarks in ad text by advertisers other than the trademark owner. Google's AdWords system lets advertisers bid for placement of their ad messages as "sponsored links," which appear when certain words or phrases are entered into the search engine. Google's prior policy prohibited use of third-party trademarks in the ad text without the trademark owner's permission. The new policy now allows companies to use another's trademark in their ad text, although it does impose some restrictions, including a prohibition on use of the trademark in a competitive, critical, or negative way. Additionally, the policy requires that the ad link to a landing page that either: (1) clearly facilitates the sale of the trademarked goods or services, or parts or components related to the goods and services; or (2) provides substantive information about the trademarked goods and services. Accordingly, ads using another's trademark to link to a landing page that sells counterfeit goods, to the page of a retailer that primarily sells a competitor's products, or to a page that criticizes the trademarked brand would appear to violate the policy.

TIP: Companies will now need to be more vigilant about a third party's use of their trademarks on the Internet, since the level of protection Google previously provided is no longer available.

[Top]

E. Court Finds Archiving Essays to Prevent Plagiarism is Fair Use

The Court of Appeals for the Fourth Circuit affirmed a lower court decision that archiving copies of high school students' essays in order to prevent plagiarism constitutes a fair use and does not violate the Copyright Act. iParadigms operates a service which provides high school and college educators an automatic means to evaluate the originality of written works submitted by their students. Students submit their assignments by uploading their essays to the system, which checks it against a database of previously submitted essays, as well as various other works available on the Internet. Each essay submitted is archived for use in evaluating the originality of subsequently submitted works. Students at several schools filed suit against iParadigms alleging that the company's archiving and use of their written works constituted copyright infringement. The Fourth Circuit Court of Appeals affirmed the District Court's grant of summary judgment against the students, finding that the company's archiving of the essays constituted a fair use. The court based its decision on its finding that the archiving service's use was transformative even though it added nothing to the work because its use of the essays was completely unrelated to the expressive content and was instead aimed at detecting and discouraging plagiarism. Moreover, the fact that the archiving service's use of the essays was commercial in nature did not prohibit a finding of fair use because the money the service made was related to its anti-plagiarism program, not to the inherent value of the students' original work, and the service's use did not impede the marketability of the works.

TIP: Commercial use of another's work may constitute fair use if it is sufficiently transformative and does not impede the marketability of the work.

[Top]

F. Web Site Terms Containing Unilateral Right to Modify Found Unenforceable

Blockbuster operates an online service where consumers can rent videos online and, through a contract Blockbuster has with Facebook, consumers' movie rental choices will then be placed on the consumers' Facebook pages. Blockbuster was sued by a group of consumers who objected to this practice. The group argued that the posting of their video choices on Facebook violated the Video Privacy Protection Act, which requires that before information about movie selections can be transmitted to third parties, the individual must first give his or her informed, written consent. Blockbuster argued that before consumers could use the online service, they first had to click to accept terms and conditions, which terms prohibited the filing of a class action, and contained a mandatory arbitration provision. Blockbuster therefore tried to avoid the lawsuit by having it dismissed in favor of mandatory arbitration. The plaintiffs argued, and the court agreed, that the terms as a whole, including the arbitration provision, were illusory and unenforceable. The plaintiffs argued that because the terms gave Blockbuster the right to amend the agreement at any time in its sole discretion, and because those revised terms would become effective immediately after they were posted online, the agreement was illusory. For this reason, the court held that the arbitration provision was unenforceable.

TIP: Web Site terms and conditions, in particular the modification sections, should be drafted carefully to ensure that the terms as a whole are not deemed unenforceable.

[Top]

II. ONLINE AND CONSUMER PRIVACY

A. Major Retailer Settles with FTC Over Online Tracking Application

The Federal Trade Commission recently settled with a major U.S. retailer over claims that the company engaged in unfair and deceptive practices by asking consumers to download an online tracking application without accurately disclosing what information would be collected by the application and how such information would be used. According to the FTC's complaint, the company distributed to consumers an application which it represented would track consumer "online browsing." The FTC alleged, however, that the company did not adequately inform consumers that the application monitored and transmitted to its remote servers nearly all of the consumer's Internet behavior, including the information exchanged between the consumer and Web sites owned by entities other than the company. According to the FTC complaint, this information included data submitted by the consumer in secure sessions with third-party Web sites — such as information in online banking statements, online drug prescription records and e-mail header fields showing the sender, recipient, and subject. As part of the settlement, the company has agreed to clearly and prominently disclose all types of data monitored, recorded, or transmitted by any online tracking application it disseminates, including how the data may be used and whether the data would be used by third parties, and has agreed to obtain express, affirmative, consent from the consumer to download and install any tracking application. The company has also agreed to notify consumers who already downloaded the tracking application what data the tracking application collects and transmits and how to uninstall the application.

TIP: When providing software for consumers to download to their computers, be sure to adequately disclose to consumers any and all data that might be collected by such software, and how the data will be used. We also recommend that the consumer's consent be obtained before the software is downloaded, to address the FTC's concerns that consent be obtained before data is tracked and used.

[Top]

B. Copyright Infringement When Violating Web Site's Terms to Get User Data

Power.com is a service that uses automated systems to obtain personal data and users' pages from Facebook and other social networking sites, and then integrates those sites into a single portal. Users of Power.com provide Power.com with their user names and passwords and then Power.com scrapes user data from those accounts. The company was recently sued by Facebook for copyright infringement, on the grounds that the company violated Facebook's terms of service, which terms bar users from using automated programs to access the Facebook Web site, and from copying content at the Facebook site. While Power.com maintained that Facebook does not own a copyright on user content, the District Court for the Northern District of California found that Power.com copied more than merely the user-generated content. The court found that the complaint sufficiently alleged that Power.com's access was unauthorized because Facebook's user agreement prohibits scraping or otherwise distributing or downloading content from the Web site except by the owner of the content.

TIP: Companies should consider including in their Web site terms prohibitions against the downloading, scraping, or distribution of the content on their sites.

[Top]

C. Telemarketer Agrees to Pay Verizon $25,000 for Making Unsolicited Calls

After a telemarketing company made hundreds of thousands of unsolicited telemarketing calls to Verizon Wireless customers, Verizon filed suit against the company for violations of the federal Telephone Consumer Protection Act (TCPA), the New Jersey Consumer Fraud Act, and for invasion of privacy. Verizon claimed that the calls damaged its relationship with its customers as a number of them blamed Verizon for the calls. Verizon sought statutory damages of $500 for each call made in violation of the TCPA, as well as treble damages for knowing and willful violations of the TCPA, attorneys' fees, and costs. The telemarketing company agreed to pay $25,000 and submit to a permanent injunction barring any future calls to Verizon Wireless customers.

TIP: Companies who make telemarketing calls should ensure they comply with the requirements of the TCPAs.

[Top]

III. FINANCIAL PRIVACY

A. New Federal Gift Card Law Enacted

The Credit Card Act of 2009, which was passed on Friday, May 22, provides federal regulations for gift cards. The law specifically regulates general-use prepaid cards, gift certificates, and store gift cards. The law excludes: (a) cards that are reloadable and not marketed or labeled as a "gift card" or "gift certificate"; (b) loyalty awards or promotional gift cards (which are yet to be defined by the Federal Reserve); (c) cards not marketed to the general public; and (d) cards issued in paper form only. The law prohibits expiration dates on gift cards that are less than five years from the date on which the gift card was issued or the funds were last loaded to the card. The law requires the terms of expiration to be clearly and conspicuously stated. The law permits dormancy, inactivity, and service fees on gift cards only if (a) there has been no activity on the card in the 12-month period prior to which the charge is imposed; (b) not more than one fee is charged in any month and (c) disclosure requirements are met. The disclosure requirements are that the card must clearly and conspicuously state that a fee may be charged, the amount of such fee, how often the fee may be charged, and that the fee will be charged for inactivity. Notably, the fee must be disclosed to consumers before the card is purchased, regardless of whether the card is purchased in person, over the Internet, or by telephone. The law will go into effect in 15 months. The law does not preempt state laws that are more restrictive than this law.

TIP: If you sell gift cards with expiration dates, you may have to change your nationwide policies. Under the Credit Card Act of 2009, cards cannot expire in less than five years, inactivity fees can only be charged after 12 months inactivity, and the law's disclosure requirements must be met. This new federal law does not seem to apply to gift cards given as part of a loyalty reward or promotional program, but what such programs exactly are has yet to be defined. The law also does not seem to apply if you elect not to market or label your cards as a "gift card" of "gift certificate."

[Top]

B. Rules Issued Regarding Information Submitted to Credit Reporting Agencies

On June 10, the Office of the Comptroller of the Currency (OCC) approved final rules and guidelines promulgated under the Fair and Accurate Credit Transactions Act of 2003. The final rules and guidelines, which were developed by the OCC together with other federal agencies, and will take effect in 2010, require financial institutions and other businesses to develop and implement reasonable policies and procedures to ensure the accuracy and integrity of information that they provide to consumer reporting agencies about consumers. In addition, the final rules and guidelines provide consumers with the right to directly dispute any inaccurate information contained in a consumer report.

TIP: If your company furnishes consumer information to consumer reporting agencies, it should review its policies and procedures to ensure that they will be in compliance with the requirements of the final rules and guidelines by the effective date.

[Top]

C. Guidance Issued on Red Flags, Addresses Discrepancy Rules

On Thursday, June 11, six federal agencies issued a set of frequently asked questions (FAQs) to provide guidance for compliance with the "Red Flags Rules" issued under the Fair and Accurate Credit Transactions Act of 2003 in November 2007. As we reported on April 22, these rules create obligations for financial institutions and creditors to design and implement identity theft prevention programs, and require card issuers and consumer reports users to employ certain policies and procedures regarding changes in a consumer's address or notification regarding address discrepancy. The FAQs provide more detailed guidance on certain issues that were not specifically addressed by the rules, such as the entities and types of accounts covered by the rules, establishment of identity theft prevention programs, and the scope obligations applicable to card issuers and users of consumer reports. Last month, the FTC indicated that it will not be enforcing the Red Flag rules until August 1, 2009, the second enforcement delay for these rules.

TIP: If your company is a financial institution or creditor, it should review its FAQs to determine whether it may hold any "covered accounts" and determine whether it must take additional action to implement an identity theft prevention program that complies with the rules.

[Top]

D. Fourth Circuit Affirms $200,000 Damages Award in FCRA Suit

The Fourth Circuit Court of Appeals affirmed a lower court's jury award of $200,000 for actual damages sustained by a consumer as a result of errors in her credit report. The consumer originally discovered that she had been the victim of identity theft in 2001 and worked with Equifax, a consumer credit reporting firm, to correct her credit report. As a result of her efforts, the erroneous entries were removed from her credit file. However, over the next few years, Equifax mistakenly sent the erroneous information to companies performing credit checks on the consumer, which resulted in the consumer either being denied credit or being offered credit on much less advantageous terms. After struggling with Equifax for several years, the consumer filed suit under the Fair Credit Reporting Act (FCRA) which creates a private right of action allowing injured consumers to receive actual damages caused by negligent violations and both actual and punitive damages for willful noncompliance. Notably, actual damages may include economic damages, as well as damages for humiliation and mental distress. In affirming the District Court award, the court found that the consumer met her burden of proving actual damages by offering evidence of loss of opportunity in the home mortgage market, emotional distress as established by testimony from friends and family, and loss of income from approximately 300 hours of work addressing Equifax's mistakes.

TIP: Failure to ensure customer credit information is accurate can result in liability under the FCRA.

[Top]

E. Statutory Damages Under the FACT Act Held to be Constitutional

The Eleventh Circuit recently upheld the statutory damages provision of the FCRA and the Fair and Accurate Credit Transactions Act (FACT Act) as constitutional. The FACT Act prohibits businesses from printing more than the last five digits of a credit card or debit card number, or the expiration date, on any electronically-generated receipt provided to the cardholder at the point of purchase. The FCRA provides statutory damages from $100 up to $1,000 for the willful violations of the FCRA, which includes the FACT Act. The Eleventh Circuit vacated the district court's ruling that the statutory damages provision was unconstitutionally vague and excessive, both facially and as applied. The Eleventh Circuit found that statutory damages were not vague or arbitrary, but rather that potential defendants had notice of the consequences of violating the FCRA and the statute did not provide juries with excessive discretion. The Eleventh Circuit further found that the prescribed statutory damages were not excessive since it is possible that the actual harm suffered from violations of the FACT Act may be difficult to calculate and in such cases actual harm suffered might be similar to the statutory damages provided by the statute.

TIP: Violations of the FCRA and the FACT Act may be subject to statutory damages even when a consumer may not have suffered actual damage from such violations.

[Top]

IV. DATA BREACH AND DATA SECURITY

A. New Breach Notification Laws in South Carolina and Alaska, Revised in Maine

Two data breach notification laws are to go into effect on July 1 in South Carolina and Alaska, and are very similar to the existing laws in other jurisdictions. Under the Alaska law, in the event of a breach, impacted individuals must be notified, and if there are more than 1,000 state residents involved in the breach, consumer credit reporting agencies must also be notified. The South Carolina law, on the other hand, provides that if more than 1,000 state residents are impacted, the Consumer Protection Division of South Carolina's Department of Consumer Affairs must also be notified.

Maine's breach notification law was recently revised to require businesses to notify an individual within seven days after having concluded a good-faith and prompt investigation to determine if data that has been breached has been or might be misused.

TIP: Companies should ensure that they are aware of state data breach notification requirements. Since the time frame for notification can be tight, we recommend that companies put in place procedures to notify individuals in the event that the law so requires.

[Top]

B. Nevada to Require Companies to Encrypt Data on Mobile Devices

Under existing Nevada law, companies must encrypt personal information that contains financial data or Social Security numbers when transferring that data outside of the company. That law has now been amended to include that when a company moves a storage device — which includes a USB drive or mobile device — "beyond [its] . . . logical or physical controls," it must "use encryption to ensure the security of that information."

TIP: If you allow personally identifiable information that includes sensitive personal information to be transferred onto data storage devices, and those devices may end up outside of your employees' control (and contain data regarding Nevada residents), be sure to read and understand these new requirements. We suggest that all such data be encrypted before being placed on portable devices.

[Top]

C. SSN Must Be Redacted From Land Records Prior to Release

The New Jersey Supreme Court found that Data Trace Information Services, a land records database company that sought millions of pages of real estate records under New Jersey's open records law, must pay the costs of redacting Social Security numbers from those records. The company had sued the New Jersey county clerk after the clerk indicated that it would be unable to provide the requested records due to the high cost of redacting the Social Security numbers on the records. The New Jersey Supreme Court found that the law requiring disclosure must be balanced with citizens' privacy interests, and the disclosure of Social Security numbers would violate citizens' expectation of privacy. Consequently, the records would only be released if Data Trace Information Services pays for the costs of redaction.

TIP: When using the Freedom of Information Act or similar state laws, take care to ensure that you take all necessary steps to protect the privacy of individuals included in the requested information.

[Top]

D. B. Nutter Settles With FTC Over Data Security Allegations

The FTC recently settled with B. Nutter & Company, which provides single-family mortgage loans, regarding the FTC's claims that B. Nutter failed to properly safeguard and secure consumer personal information in violation of the FTC's Safeguards Rule and Privacy Rule. The FTC claimed that B. Nutter operated a computer network that it used to, among other things, obtain and store customers' personal information and prepare documentation containing personal information. The FTC further alleged that B. Nutter violated FTC privacy regulations by failing to develop and implement a written information security program, failing to train employees about information safeguarding practices, storing personal information in readable text, failing to employ measures to prevent or detect unauthorized access to personal information, failing to assess rights to personal information, and providing unencrypted backup tapes to third-party service providers without requiring such service providers to maintain the security and confidentiality of the information. Additionally, the FTC alleged that B. Nutter violated the Privacy Rule by failing to provide consumers with privacy notices that set out B. Nutter's privacy practices and third-party information sharing practices, and by requiring customers to exercise their opt-out rights within 30 days, even though the Privacy Rule provides the option to opt-out at any time. As part of the consent agreement, B. Nutter was ordered to establish and maintain a comprehensive security program and submit to periodic and routine assessments by the FTC.

TIP: When collecting and storing sensitive personal information, ensure that your privacy policies accurately reflect your privacy and security practices, and that you have adequately safeguarded personal information by maintaining policies and procedures, training staff and employees as to your policies, and encrypting sensitive information.

[Top]

V. EMPLOYMENT AND WORKPLACE PRIVACY

A. Employee Claim Allowed Against Employer Who Monitored Work E-Mails

Metteyya Brahmana, an employee at CyberData Corporation, sued CyberData for violating the Electronic Communications Privacy Act (also referred to as the Federal Wiretap Act). Brahmana alleged that CyberData used software and hardware monitoring tools, such as local area network analyzers and key loggers, to obtain the password to Brahmana's personal e-mail account, and used the password to access the content of Brahmana's personal e-mail. Brahmana sued CyberData under the Federal Wiretap Act to stop CyberData from monitoring and reviewing the e-mails. CyberData moved to dismiss Brahmana's complaint, stating that Brahmana failed to allege that CyberData's conduct affected interstate commerce. The Federal Wiretap Act defines electronic communication as "any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photooptical system that affects interstate or foreign commerce." The court allowed the case to proceed, holding that after discovery, evidence may demonstrate that CyberData's conduct did affect interstate commerce in violation of Brahmana's rights.

TIP: Companies should be careful when using software or hardware to monitor an employee's conduct.

[Top]

B. Firing Public Employee for Impartial Posting Not Free Speech Violation

In a recent case, a federal district court ruled that the Pennsylvania Department of Education and the Office of Dispute Resolution did not violate a hearing officer's free speech rights under the First Amendment when it refused to renew her contract after she began blogging about school district policies and procedures. The court noted that although the plaintiff's blog entries were protected by the First Amendment, since they were made not as an employee but as a private citizen about matters of public concern, any free speech interests were outweighed by the employer's interest in promoting workplace efficiency and avoiding workplace disruption. Thus, because of the plaintiff's role as a hearing officer, the court held that maintaining an appearance of impartiality was of vital importance. The employee's blogging activity raised questions about her impartiality in connection with her official duties. Furthermore, the court found that an employee's free speech may be subject to restrictions necessary for their employers to operate efficiently and effectively, and noted that the plaintiff's blog entries generated numerous complaints, which posed a legitimate threat to the efficient operation of Office of Dispute Resolution, even though no actual disruption occurred. Thus, the court found that although plaintiff's blog entries were statements of public concern and afforded protection by the First Amendment, the government's interests in impartiality and maintaining an efficient and effective workplace outweighed the plaintiff's free speech interests.

TIP: Employee blogging activities when conducted outside the scope of their duties are likely to be protected by the First Amendment, but may be subject to some restriction by an employer. Establishing employee guidelines regarding blogging and social networking practices is recommended to prevent employees from engaging in practices that may result in workplace disruption.

[Top]

If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:

Attorney Advertising Materials

These materials have been prepared by Winston & Strawn for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.

Along with this client bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn's Web site (www.winston.com).

Copyright © 2009. Winston & Strawn LLP.