I. E-COMMERCE
The FTC brought action against a software company that provided customers with "free" software but then continued to bill consumers for a "software continuation plan," the terms of which were buried in the software's Terms of Use. Under the terms of the offer, consumers who agreed to receive a "free" software CD (and pay only shipping and handling charges) would then receive three additional CDs with no shipping and handling or other charges. However, the Terms of Use for the first CD, which were provided through a hyperlink on a click-through screen, included a provision that stated that consumers would be required to send back two of the four CDs within 10 days or they would be billed for the CDs. In addition, consumers would continue to receive additional CDs through a software continuity program. Because most consumers were not aware of these charges until they were billed, the FTC brought action for violation of the FTC Act and Unordered Merchandise Statute, which prohibits billing recipients for merchandise they did not purchase. The settlement requires the defendants to pay $2.167 million for consumer redress and requires that the defendants properly disclose all the terms and conditions of any negative option.
TIP: If you do not clearly and conspicuously disclose all major terms and conditions of any continuity program, including refund and cancellation policies, your program could be deemed false and misleading. From this case we learn that disclosure of a material term in the Terms of Use may not be prominent enough.
After hundreds of thousands of allegedly counterfeit Tiffany silver jewelry items were offered for sale on the popular online auction house eBay, the jewelry retailer brought suit, alleging that eBay was liable for both direct and contributory trademark infringement. Tiffany – the well-known, high-end jewelry retailer of blue-box fame – indicated that it understood individual eBay sellers listed the problematic auctions. Nevertheless, Tiffany argued that eBay should be held accountable since it was on general notice that a problem existed. According to Tiffany, eBay had a duty to monitor its site to remove counterfeits. eBay argued that it was Tiffany's responsibility. Tiffany brought suit in the Northern District of New York, and the court sided with eBay. The court found that eBay's use of the Tiffany marks was nominative fair use, and that eBay was not liable for contributory infringement because eBay immediately removed the listings as soon as Tiffany notified the online auction house that a specific seller was engaging in infringing activity (selling a counterfeit). The court noted that there was no affirmative obligation on eBay to take preemptive measures, such as monitoring its site for counterfeits.
TIP: This ruling reminds trademark owners that they are responsible for protecting their brands, even on third party sites. It is thus possible that sites that allow users to post content may be contacted more frequently by brand owners. Site owners should ensure that they have processes in place to address possible concerns from brand owners.
The Middle District of Florida recently reminded J. Jargon Co., holder of the rights to "Menopause The Musical," that merely because something is publicly available on the Internet, that does not make it fair game to be copied. The case began after John Thorton, creator of a trivia quiz called "The Baby Boomer Qualifying Exam," attended a performance of the musical and found a quiz in the program book that was substantially similar to the one he had created. The court found that the quiz Thorton created was sufficiently original to merit protection; however, it was a question of fact whether the quiz in the musical's program book was substantially similar to the one created by Thorton. Of note, the court rejected arguments made by J. Jargon that because the quiz was posted online, there was an implied license that others could copy elements of Thorton's work.
TIP: Merely because something is posted online does not mean that you can freely copy it. Content may be protected by a variety of laws, in particular, copyright law.
A digital collection of a print publication is privileged just as a microform republication would be, according to the Eleventh Circuit Court of Appeals, sitting en banc. In a case that began in 1997, before the Supreme Court's 2001 holding in Tasini that articles from The New York Times could be reproduced in microform without violating the underlying copyrights, the Appeals Court ruled in late June that National Geographic did not violate a photographer's rights when it reproduced those photographs in their original context in its 30-CD Complete National Geographic. The court denied the photographer's argument that it was a "new collective work" not entitled to any privilege as a revision permitted under Section 201 (c) of the copyright law.
TIP: Be sure to check contracts of freelance photographers and writers when creating a new collective, archival or retrospective work. The privilege to reproduce works originally printed in a publication is limited to complete reproductions in their original context, as in the Complete National Geographic work cited above.
The Oklahoma Publishing Company and one of its employees sued a blogger, who goes by the name Darth Husker, over an Internet article entitled "Two Sooner Quarterbacks Arrested for Intent to Distribute Cocaine." In the article, drafted by Husker, Husker indicates that two college football players had been arrested for an intent to distribute cocaine. According to the complaint, the article appeared to originate from plaintiffs' Web sites. In fact, the plaintiffs allege, the article did not originate from plaintiffs but was fabricated. To make it appear to readers as if it were from the plaintiffs, Husker replicated plaintiffs' marks and trade dress. Moreover, the article did not contain factual information, the plaintiffs alleged. According to the complaint, at least two other news outlets picked up the story after reading the blog entry, and attributed the source to plaintiffs. Plaintiffs are seeking an injunction, corrective advertising, treble damages, and attorneys' fees.
TIP: Bloggers are not immune from allegations of trademark or other types of intellectual property infringement. Companies that allow bloggers to operate on their Web sites should take care to shield themselves from liability for actions caused by bloggers, and should keep blogger liability in mind if allowing their employees to blog on the company's behalf.
II. ONLINE AND CONSUMER PRIVACY
Andrew Bridges will speak on "Copyright Issues in the Entertainment Industry" at the Practising Law Institute's 14th Annual Intellectual Property Law Institute to be held September 18-19, 2008 in New York and October 2-3, 2008 in San Francisco.
Kim Eckhart will be among the speakers on a Strafford Publications teleconference titled Defending Against Threats From Online Searches, Website Metadata, and More to be held on October 2, 2008.
Liisa Thomas will be presenting on "Addressing IP Rights and Clearance in an Online Environment" at American Conference Institute's In House Counsel Forum on Sports Sponsorship, Advertising & Intellectual Property at The Carlton in New York City on October 21, 2008.
The Federal Trade Commission recently amended the Telemarketing Sales Rule (TSR) to expressly prohibit telemarketing sales calls that deliver prerecorded messages, unless the seller has previously obtained the recipient's signed, written agreement to receive such calls. The amendments will not affect consumers' ability to continue to receive calls that deliver purely "informational" prerecorded messages notifying recipients, for example, that their flight has been cancelled, that they have a service appointment, or similar messages, provided they do not attempt to sell the called party any goods or services.
TIP: In the event that you are in the business of making prerecorded calls to consumers in order to sell products and services, you should review your business plans to determine if modifications are needed to comply with the amended rule.
A California man who purchased a product from AutoZone filed a class action lawsuit against the company after he was required to provide his name, telephone number, and signature in order to process the return of a gas cap he had purchased earlier that day. The California Court of Appeals (Second District) reversed a lower court decision, and held that such information collection was acceptable and not prohibited by California law. The court disagreed with the plaintiff, who had attempted to argue that Cal. Civ. Code § 1747.08, which prohibits requesting or requiring personal information as part of a credit card transaction, applied in a return situation. The court concluded that it did not.
TIP: While retailers may be able to collect personal information during a return in California, and other states with similar laws, they should exercise caution if engaging in such practices, as it appears that consumers are becoming more and more savvy regarding data protection laws.
New York Governor David A. Paterson has signed into law S. 4053, which makes it a criminal offense to impersonate someone over the Internet or through electronic communications. Specifically, the law makes it a Class A Misdemeanor to impersonate another "by communication by Internet Web site, or electronic means with intent to obtain a benefit or injure or defraud another, or by such communication pretends to be a public servant in order to induce another to submit to such authority or act in reliance on such pretense." Sponsors of the bill cited the need to protect New Yorkers from identity theft and harassment, particularly in light of the increased use of social networking sites. The law takes effect November 1, 2008.
TIP: Advertisers may have another tool against third parties who attempt to defraud their customers, at least in New York.
III. EMPLOYMENT AND WORKPLACE PRIVACY
Winston & Strawn's labor and employment practice will present an eLunch briefing titled "Privacy in the Workplace – Managing and Protecting Information" on December 2, 2008 at 12:15 p.m.
The U.S. District Court for the Western District of Tennessee recently held that an employee who copied a large volume of confidential documents from his employer's secure servers and shared them with a competing company did not violate the Computer Fraud and Abuse Act (CFAA). The court acknowledged a split in legal authority as to whether the CFAA applies in situations where an employee who has been granted access to his employer's computers uses that access for an improper purpose. Deciding that the purpose of the CFAA was only to punish trespassers and hackers, the court found that because the defendant employee had permission to access the information in question and was within the scope of his duties, his misappropriation did not constitute a trespass.
TIP: Companies should examine their procedures to ensure they have sufficient protections for confidential data, as the CFAA relief is not always available (companies, of course, can still combat employee misappropriation of electronic data through civil actions).
When Cristin L. Sprenger brought an ADA suit against former employer Virginia Tech, Virginia Tech issued a subpoena to her husband's employer, a state agency, to produce all electronic communication between the spouses concerning the suit. The state agency's Internet Use Policy stated that no state employee should have any expectation of privacy in their electronic data while using state computer equipment or Internet access, and that state agencies have the right to monitor e-mail sent or received by agency users. Virginia Tech argued that the records were not protected by the spousal privilege because Sprenger and her husband were both state employees and therefore subject to the Internet Use Policy. The U.S. District Court for the Western District of Virginia found that because there was no evidence that the Sprengers were notified or aware of the policy or that the policy was actually enforced, and given the important nature of the marital communications involved, the Sprengers maintained an objectively reasonable expectation of privacy. Virginia Tech therefore did not meet its burden to demonstrate that the marital communications privilege had been waived, and the subpoena was quashed.
TIP: Businesses should make sure to explicitly notify their employees of any computer and Internet policies, and should consistently enforce such policies.
Plaintiff Jeff Quon, an Ontario Police Sergeant, brought an action against the City of Ontario and Ontario Police Department (OPD) for accessing and reading his pager text messages during an audit. The city had an Internet, Computer, and Email Use Policy, under which employees were informed that messages would be read, but it had no formal pager policy. It did have an informal pager policy, which was to have employees pay for any overages over their allotted text messages, without conducting any audits. The policy was silent as to whether messages would be read. The Ninth Circuit found that because Quon had exceeded his text character limit several times and had simply paid for the overages without anyone reviewing the text of his messages, he reasonably relied on the "informal policy" (that messages would not be read), and therefore had a reasonable expectation of privacy in his text messages.
TIP: Make sure to include all potential electronic communication mechanisms in your company's formal Internet and computer use policy.
On July 7, New York Governor David A. Paterson signed into law S. 8376A, which strengthens the state’s identity theft laws by restricting the use of Social Security numbers by not only state and local governments but also private companies. Among other protections, the new law prohibits employers from publicly posting or displaying an employee’s “personal identifying information,” which is defined to include SSN, home address or telephone number, personal e-mail address, parents’ surname before marriage and driver’s license number. Further, the law prohibits the use of SSNs as an identification number for any occupational licensing. The law provides that it will be presumptive evidence that a violation by an employer was knowing if the employer has not put in place any policies and procedures to safeguard against violations.
TIP: Companies that do business in New York should review their business policies to ensure that they are in compliance with this new law. Companies doing business elsewhere may also want to review their practices, as the New York law joins those in other states that place restrictions on the use of Social Security numbers.
IV. DATA SECURITY AND BREACH
The FTC announced that it will host a workshop to learn more about the implications of radio frequency identification technology on consumer privacy and protection. The workshop, entitled "Transatlantic RFID Workshop on Consumer Privacy and Data Security," will be held in Washington, D.C. on September 23. In addition to participating in person, interested parties can submit written comments or research until October 23. The intent is for workshop attendees to discuss how RFID technology is used in payment devices, on public transit systems, and to tag items sold at retail locations.
TIP: It is possible that we may see guidelines, enforcement, or other actions and comments from the FTC about RFID technology as a result of this workshop. Companies that employ this technology when selling goods in the marketplace may thus wish to participate, either in person on September 23, or by submitting written comments before the October 23 deadline.
In April 2007, we reported that RadioShack Corp. was sued by the Texas attorney general for failure to securely destroy customer records. The attorney general alleged that certain RadioShack retail locations had thrown away records that contained consumer data, including credit card information. Such unsecured disposal violates the Texas Identity Theft Enforcement and Protection Act. This month the parties announced that they had reached a settlement, under which RadioShack Corp. will pay $630,000, will implement a written data destruction policy, will train employees on the program, and will designate a corporate-level employee to be the company's compliance officer. The compliance program agreed upon will include training for store management and employee training, training certification, and compliance checks.
TIP: Companies that maintain sensitive consumer data that falls under either the Texas requirements for secure destruction, or similar requirements under other states, can look to this recent decision for ideas on how to implement a data destruction policy.
Nevada's data breach notification law went into effect in January 2006. Under the law, companies are required to notify consumers if certain data has been breached. Beginning October 1, 2008, the law will also require that personal information be encrypted. Personal information includes first name or initial and last name with SSN, account number, credit card number, and security code, among other data.
TIP: If your company maintains personal information (as that term is defined in the statute), you should review your data storage practices to ensure the data is encrypted.
V. HEALTH PRIVACY AND SECURITY
The U.S. Department of Health and Human Services agreed to settle HIPAA privacy and security rule violations based on breaches of patient health information by Providence Health in the first action of its kind taken by the federal government. Pursuant to the settlement agreement, Providence will pay a "resolution amount" of $100,000 and will implement a corrective action plan to safeguard patient data. The settlement agreement arose from the 2005 and 2006 loss of back-up tapes and laptops with unencrypted protected health information of more than 300,000 patients. The Providence action is the first time HHS has required a resolution agreement from an entity covered by HIPAA. Both HHS's Office of Civil Rights (which has responsibility for HIPAA privacy rule enforcement) and the Centers for Medicare and Medicaid Services (which deals with the HIPAA security rule) were involved in the agreement, which may be a harbinger for future enforcement actions by HHS in this area.
TIP: Make sure all protected health information is encrypted and handled, stored, and disposed of consistent with both HIPAA and any applicable state privacy laws.
A licensed practical nurse was indicted and pled guilty in federal court to one count of wrongful disclosure of individually identifiable health information for personal gain in violation of HIPAA. According to the U.S. Attorney whose office brought the indictment in Arkansas, the nurse accessed the patient's health information and then disclosed it to the nurse's husband who told the patient he intended to use the information against the patient in an upcoming legal proceeding. Despite attempts by the nurse's counsel to get the U.S. Attorney to agree to lesser charges, the felony conviction was entered, which will almost certainly cause the nurse to lose her license and likely will make it difficult, if not impossible, for her to find work in the health care field. The U.S. Attorney's Office indicated that it intends to vigorously prosecute persons and covered entities who violate HIPAA for economic or personal gain or malicious harm.
TIP: Be sure to have proper training and monitoring systems in place to ensure HIPAA compliance and alert employees to the growing interest by the government to criminally prosecute violators.
The Idaho Supreme Court ruled that a man who received HIV-related services from a state-affiliated health department has no Fourth Amendment or state constitutional right to prevent the health department from disclosing the medical records to law enforcement. The court made its ruling despite the fact that the prosecutor did not subpoena the records but merely requested them. In State v. Mubita, No. 332252 (Idaho June 11, 2008), the defendant was convicted of transferring bodily fluids, which may have contained the HIV virus. The prosecution requested that the health department turn over medical records to establish the defendant's HIV status for use at trial. The defendant sought to suppress the introduction of the medical records, citing his Fourth Amendment and state constitutional rights. The Idaho Supreme Court concluded that disclosure is permitted under HIPAA without a subpoena if a request is made that is material to a law enforcement inquiry, the request was specific and limited in scope and de-identified information was not an option. Moreover, the court concluded that, even if the state had violated the HIPAA standards, suppression of the evidence would not have been the proper remedy, relying on United States v. Miller, 425 U.S. 435 (1976), where the U.S. Supreme Court held that persons lack Fourth Amendment rights to information they voluntarily turn over to third parties. The fact that the information sought was medical records made no difference according to the Idaho Supreme Court, which further noted that the documents signed by the defendant stating that his medical information would not be disclosed without his consent were not medical records but rather business records maintained by the health department to administer its HIV-related services.
TIP: Even with proper confidentiality provisions in place, medical records still may have to be turned over to the government without a subpoena if the HIPAA requirements are otherwise met.
VI. FINANCIAL PRIVACY
Customers of Indiana's Old National Bancorp brought a class action lawsuit against the bank, alleging that the bank had failed to adequately safeguard and secure the personal information of its customers. The plaintiffs claimed that a hacker was able to obtain access to the personal data of tens of thousands of the bank's customers as a result of the bank's failure to adequately protect the data. The plaintiffs sought to recover their expenses for the ongoing credit monitoring services they obtained in order to determine whether their confidential information was being misused as a result of the breach. The district court dismissed the case on the bank's motion because it determined that under Indiana law, damages must be more than speculative and the plaintiffs' allegations only included a claim that they suffered potential economic damages. The Seventh Circuit affirmed the district court's decision, finding that the costs to guard against future identity theft do not constitute the required "compensable injury and consequent damages" to state a claim for relief under Indiana law.
TIP: If your company collects personally identifiable information, be sure to have adequate data protection measures in place to avoid the considerable costs that can be associated with a security breach.
BJ's Wholesale Club, a large national retailer, was sued by various banks as third party beneficiaries of contracts between Visa U.S.A. Inc. and Fifth Third Bank, for failing to comply with Visa's data security requirements. The lawsuit originates from a theft of information on cards that were used at BJ's between July 2003 and February 2004. The theft stemmed from BJ's failure to delete information that was stored on the cards' magnetic strips. Visa requires that such information contained on the cards be deleted. The various banks cancelled thousands of Visa cards and issued new ones to those card members that were impacted by the theft. The banks argued that BJ's was required to delete the information, and Fifth Third should ensure that BJ's comply with Visa's regulations. The Third Circuit reversed the district court's ruling, agreeing that BJ's was required to comply with Visa's regulations.
TIP: Merchants should ensure that they comply not only with the data security requirements of their banks, but also with any contractual obligations they have with credit card companies.
If you have any questions about items that appeared in this bulletin, or would like to learn more about any of these topics, please contact one of the following attorneys:
CHICAGO
Liisa M. Thomas (Advertising) (312) 558-8121
Christine A. Edwards (Financial Services) (312) 558-5571
Michael Melbinger (Employee Benefits) (312) 558-7588
Cheryl Tama Oblander (Labor and Employment) (312) 558-5797
Stephen P. Durchslag (Advertising) (312) 558-5288
Brian L. Heidelberger (Advertising) (312) 558-5897
Mary Hutchings Reed (Advertising) (312) 558-5721
Michael Philipp (Financial Services) (312) 558-5905
Brian D. Fergemann (Advertising) (312) 558-8024
Delilah B. Flaum (Health Care, Litigation) (312) 558-8922
Jason W. Gordon (Advertising) (312) 558-6145
Roberth H. Newman (Health Care, Litigation) (312) 558-8125
Marc H. Trachtenberg (Advertising) (312) 558-7964

NEW YORK
Virginia R. Richard (Intellectual Property) (212) 294-4639

SAN FRANCISCO
Andrew P. Bridges (Intellectual Property) (415) 591-1482
David S. Bloch (Intellectual Property, Litigation) (415) 591-1452
Becky L. Troutman (Intellectual Property) (415) 591-1401
Jennifer A. Golinveaux (Intellectual Property, Litigation) (415) 591-1056

WASHINGTON, D.C.
Marion K. Goldberg (Health Care) (202) 282-5788
Paul S. Pilecki (Financial Services) (202) 282-5730
Michael A. Mancusi (Financial Services) (202) 282-5729
Richard P. Gilly (Intellectual Property) (202) 282-5853

LOS ANGELES
Steven D. Atlee (Litigation) (213) 615-1827
Anna S. Masters (Labor and Employment) (213) 615-1711
Michael S. Brophy (Labor and Employment, Litigation) (213) 615-1807
Evan R. Moses (Labor and Employment) (213) 615-1713

PARIS
Maxence Marsin (Corporate/Intellectual Property) 33 (0) 1 53 64 82 16

Attorney Advising Materials
If you no longer wish to receive the Privacy and Technology Client Bulletin, please e-mail us at IPUpdate@winston.com or write us at Winston & Strawn LLP, Attention: Business Development Clerk, 35 W. Wacker Drive, Chicago, IL 60601.
These materials have been prepared by Winston & Strawn LLP for informational purposes only, and are not intended as, nor should they be used as a substitute for, legal advice which turns on specific facts. Receipt of this information does not create an attorney-client relationship.
Along with this Client Bulletin, a library of all the Winston & Strawn LLP Client Bulletins published to date can be accessed by visiting the Publications section of Winston & Strawn LLP's Web site (www.winston.com).
Copyright © 2008. Winston & Strawn LLP.