Another post that doesn't quite fit neatly into Indiana Internet litigation or privacy law, but that intrigues me. BusinessWeek, passing along a Tim Greene article from NetworkWorld (found here: www.networkworld.com/nwlookup.jsp), is reporting that the U.S. military has issued an essay in which it urges its expertise in defense be put to use in protecting civilian networked infrastructure, such as power grids, financial institutions, etc. The essay from Foreign Affairs sets out the concept that our military networks are probed and scanned by outside sources millions of times a day by enemies looking for weakness and access. The Pentagon fears that the civilian cyberstructure could also be at risk from cyber-terrorism and that the U.S. military can help by using its tools to protect those necessary networks.
This concept imposes a sense of fear and foreboding in your friendly neighborhood technology legal counsel. On one hand, I can recognize the importance of protecting those networks. If Bruce Willis and Justin Long taught us nothing, it is that a "fire sale" can cripple this country (and big props to Kevin Smith for his part in that flick). Other than our Amish citizens, we, as a people, rely so heavily on our networks that we need to protect them. However, the idea of the government and military putting their hands into the inner workings of those civilian networks also scares the heck out of me. There are too many "technology deciding it knows what's best for us" movies for me to not worry about increased presence of government and military in our cyberworld.
I guess, the reality is that I have no answer to this issue, but I thought it was interesting. Like many of the questions we see arising in the cyberlaw realm, the answer to military intrusion in your civilian networks is "how much are you willing to give up in order to be safe?"
I don't often blanket repost other blogs that I see, however, in this instance, I think it is appropriate. Venkat, writing for Professor Goldman's blog, writes an excellent analysis of the recent ruling in the In re: Easysaver Rewards Litigation (S.D. Cal. August 13, 2010). This is a very interesting case in that it covers several different, more traditional causes of action and analysis. I'm interested to see what ramification this case is going to have on SaaS law and privacy litigation. Here you go:
"Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards
Plaintiffs brought a class action lawsuit against Provide-Commerce (which operated ProFlowers.com). The lawsuit alleged that effecting transactions on the ProFlowers website resulted in plaintiffs being unwittingly enrolled in a rewards program and being charged credit card fees. The court denied the motion to dismiss brought by defendants.
Background: Provide operated ProFlowers.com. At the time of completion of transactions on ProFlowers, consumers were offered a chance to enroll in a "rewards program" which was operated for Provide by Encore Marketing. Plaintiffs alleged that they were "unwittingly" enrolled in the program:
Plaintiffs allege that Provide leads customers to believe they will receive a complimentary $15.00 gift code to use on their next flower order as a thank you gift. After Plaintiffs completed the purchase of flowers on Provide's website by providing their personal and payment information, 'a window popped up that thanked Plaintiffs and Class Members for their order and offered a gift code for $15.00 off their next purchase at ProFlowers. The window also contained a link for Plaintiffs and Class Members to click on to claim the gift code.' Plaintiffs contend the pop-up window is part of an intentionally misleading and deceptive scheme, jointly orchestrated by Provide and EMI.
The named plaintiffs all testified to slightly different experiences. Some closed the pop-up window and did not provide any personal information, others responded to the pop-up by clicking on "I accept" and entering their personal information. Ultimately, plaintiffs were unable to have the charges relating to the EasySaver program reversed, and brought a variety of claims against both Provide and Encore.
Discussion:
Breach of Contract Claims:
Provide first argued that the privacy policy is not "an actionable contract" but was instead a "general statement . . . of policy." The court doesn't treat this as a colorable argument, citing to the alleged user experience and plaintiffs' reliance on the privacy policy and terms of use, which popped up every step of the way. (But see In re JetBlue, discussed in Professor Goldman's post here: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue.")
Provide also argued that the applicable privacy policy allowed it to transfer information to third parties, but the court holds that there is a disputed factual issue as to whether Provide agreed to only transfer the information with consumers' "informed consent or authorization," and would not share the information "beyond that which was necessary to complete the flower order."
Finally, Provide argued that the "EasySaver Rewards Policy" was not supported by an exchange of consideration, since it only came up after the flower transaction was complete. The court rejects this argument as well, finding that the rewards program was "part and parcel of the underlying flower purchase."
Provide also tried to disclaim liability for Encore's actions by arguing that it was not responsible for anything Encore did. The court cites to language in the description of the rewards program that indicates the program was jointly operated (the program was described as "our" program and Encore was described as Provide's "partner").
A separate sub-class of plaintiffs brought contract claims against Encore. These plaintiffs argued that they did not "knowingly" consent to the rewards program, and even if they did, Encore breached the terms of the program by not providing the stated benefits. Encore argued that these plaintiffs could not have it both ways - either they enrolled in the program (in which case plaintiffs accepted the terms were clearly stated) or they didn't. The court finds that plaintiffs could plead in the alternative that they did not enter into an agreement, and even if they did, Encore breached the terms of the agreement.
Fraud Claims: Provide raised a variety of arguments against plaintiffs' fraud claims (failure to plead fraud with particularity, failure to allege causation). The court rejects these arguments, holding that whether plaintiffs read the privacy policy or had adequate notice is not something that was amenable to resolution at the motion to dismiss stage.
Conversion: Plaintiffs argued that defendants converted plaintiffs' "private payment information." With respect to plaintiffs' conversion claim, the court notes the historical trend away from limiting conversion claims to tangible property (citing to Kremen v. Cohen, among other cases). The court analogizes conversion of plaintiff's "Private Payment Information" to conversion of bank account information, and finds that plaintiffs adequately state a claim based on conversion of private payment information.
EFTA: The Electronic Funds Transfer Act prohibits, among other things, unauthorized billing. Provide argued that it was Encore and not Provide who engaged in the unauthorized billing. The court agrees and grants Provide's motion to dismiss as to the EFTA claim, finding that there is no liability under the statute for aiding and abetting an EFTA violation. With respect to Encore, the court denies the motion to dismiss. Among other things, the court rejects Encore's argument that the plaintiffs agreed to the membership charges by "entering [their] email address[es] and zip code[s] and clicking the green acceptance button."
___
Defendants will have another opportunity to show that plaintiffs' claims are without merit, but I think the court's resolution at the pleading stage is interesting. A more robust disclaimer and a non-leaky acknowledgment would have no doubt been useful here. (See Professor Goldman's post on Scherillo v. Dun and Bradstreet for some good pointers.)
The case also illustrates the importance of the transaction flow and process (the user experience). Often lawyers provide advice, but implementation is left to the business or marketing folks. This case illustrates that in addition to the language of the terms, courts will look to the transaction process to poke holes in the contract formation argument.
Data breach claims alleging a breach of the applicable privacy policy have met with little success. (See, e.g., Ruiz v. Gap, discussed in this post: "9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") Where there is out of pocket loss that is a result of a violation of the privacy policy, plaintiffs have a much easier time bringing claims for violation of the privacy policy. In this case, defendants didn't even raise the argument that plaintiffs had not suffered out of pocket loss or lacked standing - it was a nonstarter.
It was also interesting that defendants tried to rely (and have judicial notice taken of) the online terms, but the court refused to do so, in light of the changing content of the webpages. When defendants pushed this argument, the court predictably trotted out the "[i]nformation from the internet does not necessarily bear an indicia of reliability" argument."
Back in October, 2009, I posted about the new endorsement / testimonial rules set out by the Federal Trade Commission (blog.alerdingcastor.com/blog/alerding-castor/0/0/ftc-makes-changes-to-blog-law). There has been some development since that time, but mostly everyone is still watching and waiting. The FTC did threaten to pursue Ann Taylor back in April, but otherwise, it has been relatively silent.
That is, however, until now. On August 26, 2010, the FTC reached a settlement with Reverb Communications regarding positive reviews that it left on iTunes for its clients' apps (FTC No. 092-3199). This is an instance where the FTC investigated and pursued an online review source that failed to disclose its material relationship with the party it reviewed.
Reverb Communications reached a settlement with the FTC in which it agreed to remove all product reviews or endorsements that are currently viewable by the public. There is also a five (5) year evidence maintenance component, including producing all complaints. Finally, there is a requirement that Reverb and its owner deliver copies of the settlement order to all of its current and future employees, agents, and representatives.
I don't really know whether this can be classified as software litigation, privacy litigation, or any other hot-button issue, but as a technology legal counsel, I find this order and settlement to be extremely important. With this very public order, the FTC is making a shot across the bow of all businesses that engage in on-line review of products as part of their business plan. The public nature of the Reverb order is, to me, more telling than any of the language contained therein. Thus, if you blog and/or make endorsements as part of your business plan, you need to have your eyes on the lookout for areas where your material connection can be questioned. If those areas exist, you are exposed to the sanctions and reach of 16 C.F.R. 255.0. BE AWARE!
One thing to remember is that the reviews posted by Reverb were not excessive or detailed, and could well have been completely true. "Amazing new game"; "ONE of the BEST"; "Really Cool Game", etc. Obviously, these were not voluminous diatribes expounding the virtues of their client. I almost wonder if the FTC would have scrutinized them as much if they had been more detailed, i.e. if it were more obvious they were paid, would the FTC care as much.
Another point to ponder is that the Reverb order does not go after any of the clients of the company who paid for these endorsements. But, the FTC has considered doing just that in the past. Thus, clients of businesses that are paid for building product and branding support need to be aware of these risks. You may wish to consult with your technology legal counsel to include language in your agreements that protect you against the ramifications of an FTC probe into your marketer. Or if you are a marketer, you may want to consider adding language to your agreements that detail what you will do or won't do with regard to this issue.
Here is a scenario that I can easily see playing out. Marketing Company X enters into an agreement with Client Y for, among other things, on-line marketing and endorsement. Marketing Company X doesn't comply with the FTC guidelines and gets an inquiry. Client Y also gets swept into the inquiry and the "scandal". Client Y then sues Marketing Company X for damages in lost profit, costs, and injury to reputation that it incurs as a result of the improper reviewing. And, I'm not sure that 47 USC 230 would give the Marketing Company X much protection. Thus, if you are Marketing Company X, I suggest that you make sure that such possibilities are clearly addressed in your upfront agreement.
The bottom line is that these laws are not new, but orders like the Reverb order are indicative of a new push by the government to regulate the Internet, and a wake-up call to the fact that the U.S. Government is watching the 'net. If you make your living through the online presence and word-of-mouth, you need to be aware and plan accordingly. Change your actions now to protect yourself down the road.
The ACH litigation team had its first ever (as far as I'm aware) litigation retreat this weekend, and as I reminisce on our time, I am struck by the realization that to be a successful business, you have to allow your team to envision and strive for excellence with you. This weekend we had some great discussion and "vision-casting" on the areas of privacy litigation, Indiana probate litigation, business law, Internet litigation, banking law, SaaS litigation, and several other areas where we are already working and where we can work more, and throughout the discussions, I was struck again and again by how fantastic and forward-thinking everyone on our team is. The moral of the story to me is that you, as a business person, have surrounded yourself with excellent people. You need to listen to them and see where they can take your company. It doesn't matter what "position" they have in the company because everyone has ideas. Your goal as a manager should be to foster those ideas and push them to verbalize and realize those ideas. Otherwise, you will achieve nothing but stagnation. However, if you allow your team to envision with you, not only will you get some great ideas, but they will also own a piece of your business' future. They will have a stake in your game. Allow them to participate and purposefully embrace their ideas of the company and you can't avoid great results.
Gather 'round kids, this one is interesting. The decision actually came out in May, 2010, and I regret that I haven't had a chance to blog on it until now, but it is still a very interesting order that should have implications to privacy litigation, and litigation in general. In EEOC v. Simply Storage Management, LLC, Docket No. 09-CV-01223, the Southern District of Indiana was faced with the issue of discovery of social networking profiles of two individuals that claimed sexual harassment by a supervisor. In its discovery, the Company requested "electronic copies of ********'s complete profile on Facebook and MySpace (including all updates, changes, or modifications to *******'s profile) and all status updates, message, wall comments, causes joined, groups joined, activity streams, blog entries, details, blurbs, comments, and applications (including, but not limited to "How well do you know me" and the "Naughty Application") . . . ." The EEOC went to the Court for guidance and the Court entered an order giving general guidelines, but determining that relevant portions of the social networking profiles were discoverable. Interestingly, the Court did not really address any privacy issues implicit in this request other than to rely on two Canadian cases to establish that setting your profile to "private" is not a shield from discovery. The Court went on to provide the guidance that (1) any profiles, postings, or messages and applications are fair game; (2) third-party communications to the individuals must be produced if they place the claimants' own communications in context; (3) their photos and videos are fair game, but photos in which they are "tagged" are less likely relevant.
This is a very interesting case because it highlights the battle that is going to rage for years to come between the American jurisprudence viewpoint of discovery and the interest in privacy of what you post on the 'Net. "How much is too much in terms of what I post on a social networking site?" v. "If someone is posting it for everyone (or at least select everyone) to see, why can't I use it to prosecute or defend my lawsuit?" I wish I had the answer, but I think as privacy litigation and cloud computing law continue to evolve, these questions are going to become more prevalent.
Overall, I think Magistrate Lynch took a very reasoned approach to this problem. The issues raised in this case involve emotional distress, and the two claimants at issue both indicated that they had additional mental health traumas, above and beyond what one might "normally" expect in this type of case. Thus, if the question is "could the information shed some light on some aspect of this litigation" (which is always the question in discovery), then I think the answer has to be "Yes, it could be relevant to address those issues." It would be akin to a man claiming to have back pain arguing that photos of him water-skiing after the event in question aren't relevant. The simple fact is that our mental health and where we are emotionally is often evident in what we put on our social networking sites (as an aside, I will say that this is more true for some than others. Some people just need to stop posting things; but I digress). The items posted that show these claimants' mental states are relevant. Now, the question of how relevant is still to be answered. If I'm the EEOC at this trial, I'm arguing that nobody posts things like "Today I was assaulted." or "I'm really depressed today because my supervisor assaulted me". For the most part, we sterilize (or most of us do) what we put into the 'Net. Thus, your social network profile is not an accurate snapshot of your emotional well-being.
To me, the more interesting question raised here is what happens when cloud computing law meets American discovery rules in the head-on, no-holds barred, death match that is coming. Things will be in the Cloud and there will be some passing relevance to an issue and then the fight will be on. The question in those cases, which I think is a question in this case as well, but that was not addressed by Judge Lynch, is the logistics of it all. Getting information back out of the Cloud, particularly archival information, requires the cooperation of third-party entities and can be very burdensome and costly. Discovery is not meant to be burdensome or overly complicated. Thus, we are going to be faced with issues of logistics that will need to be addressed. On top of that you add those pesky privacy litigation issues.
Of course, to bring this post to an actual close, this type of order is why I love these emerging legal questions that are derived from the advent and advancement of technology. There are so many facets to these issues and they strike at the heart of what we have always considered to be the core principles of litigation. But so long as you have parties either wanting money or wanting to avoid paying money, you will have zealous advocates turning over every stone to find the nuggets that make their case a win. And as the legal world polices itself, you will have these debates and conflicts over what is best for the individual case and what is best for the system overall. I think Judge Lynch's order alludes to and addresses both of those overarching concerns.
Your friendly Indianapolis attorney and Partner In Success at Alerding Castor Hewitt, LLP here with another post, this time for both business entities and lawyers who find themselves in the trenches of business law, SaaS law, internet laws, and privacy litigation and probate litigation. Partner and fellow blogger Dave Castor sort of beat me to the punch by pointing out a great blog post by Michael P. Alerding (ACH’s Mike Alerding’s father) at Alerding & Co., LLC, which Dave re-posted below. I encourage all of you to read it if you haven’t already.
Mr. Alerding’s blog is not only great for businesses; it’s good for lawyers, too. We can debate all day long the chicken and the egg analogy about who is to blame for the “downward spiral” Mr. Alerding mentions. I propose that a better use of our time would be to recognize the problem and all work collectively as lawyers and business people to resolve it. Indeed, lawyers have a unique opportunity to help guide their clients to a resolution of issues, and they should feel that it is an obligation to work to get the client to do the “right thing.” Not only that, we as lawyers should take pride in being able to assist with that process.
Of course, I am one of those people who believe that words mean something. But I agree with the implications of Mr. Alerding’s post that the world is getting a little “overly-lawyered” with its legalese. For instance, if you can say something in 10 words, why use 45 to say the same thing? Do you have to flex your ego or demonstrate your academic prowess, or are you trying to bill that extra time to demonstrate your worth to the client or partners? Likewise, a deal or agreement should remain a deal or agreement. So, as lawyers, if we tell another lawyer that we are going to look into something, or make a concession, why do we feel that we aren’t bound if we didn’t put it in writing? Why do some of us feel like we can play games (like “gotcha”) with an opposing party or competitor? Why do we as lawyers avoid doing the “right thing” and focus so much on “winning” an argument, or fall back on the excuse “well, I have to be a zealous advocate”?
All that the one-upmanship mentality or reneging on oral promises does is add to an aura of mistrust in a world that, in the modern age of technology, isn’t that big. Lawyers, i.e., folks engaged in the business and practice of law, can take away a lot from Mr. Alerding’s message in our practice and in our counseling of our clients.
This is one of those great posts that gets to combine cloud computing law with privacy law with political intrigue. Before I get too far in, I want to set out my own caveat. In my opinion, there is a data war brewing between the United States, EU, and China and everyone is vying for the top dog spot. The basis of this is the fact that each faction views the protection of data very differently and they each want to be the best. To just give you a surface level scratch of the differences I'll simplify (which is one of the things I do best): US is pro-capitalism / free market and free flow of information, even private data; EU is much more pro-individual and retention of private data, even at the detriment of businesses; China is much more pro-state and focuses on keeping data managed. Each entity thinks that they are completely right and they are trying to work together (except for China, who doesn't seem to care what anyone else thinks), but really they each have an ultimate goal of obtaining dominance of their position. Interestingly, I believe that the EU is seeking its dominance by applying economic pressures (something we've used for generations), and is having the most luck. Businesses are being forced to comply and are doing so in order to maintain market share. It is, nevertheless, very much a "cold war" between US and EU on the data protection front. And, as was anticipated, it is now entering into the realm of cloud computing law.
Before I delve into the ruling, I need to explain some concepts that I haven't put out here before. First is that each member country of the EU has their own Data Protection Administration (DPA) that governs and rules over the access and permission to access private, individual data. In 1998, EU issued the European Directive on Data Protection that, among other things, prohibits the transfer of personal data to non-EU countries unless they have met the EU "adequacy" standards to protect the data. This directive actually causes great consternation in business as well as the litigation arena, privacy litigation or otherwise, because it limits what a U.S. defendant can legitimately produce. In a country where discovery in a lawsuit is often viewed as a fishing expedition in which one drains the lake and simply picks the fish up off the bottom, this limitation on access to data has caused and is causing businesses sleepless nights and making lawyers rich. Enter the U.S. Safe Harbor framework. This is essentially a compliance mechanism devised (supposedly) through joint efforts between the U.S. and EU that businesses can opt into by self-certifying that they comply. The main areas of focus are transfer of data, notice to the data holder, transfer to third-parties, access to data, security measures, and data integrity. If a business properly complies with this self-certification they will be deemed "adequate".
I know you've read all of this and said "What does any of this have to do with cloud computing law, you dolt!". To which I would reply, "ouch" and then go on to explain that yesterday, Germany's DPA made a ruling on the use of cloud computing and the implications to the European Directive. Most importantly, the DPA determined that clouds located outside the EU are per se unlawful, even if the EU has issued an adequacy decision in favor of the foreign country. Thus, if your cloud is based anywhere other than the EU, it is unlawful to store private EU data there (and in case you're curious, everything is private data in the EU's eyes). Of course, the decision goes on to state that you can avoid this result if you apply German rules on data processing and use the EU-approved model contract for controller-processor data transfers. Basically, if you want to follow our rules and use our contract, you can do it.
What is even more interesting is that the DPA determined that the U.S. Safe Harbor is not adequate to protect information in the cloud. Thus, these companies that go through the self-certification process, still can't host cloud data (sorry Google). The reasoning is that even though one entity may have self-certified, the inherent nature of the cloud is that data is accessible to third-parties and those parties are not adequate.
This leaves the ultimate question of "what does this mean for cloud computing?" The obvious answer is that it will force companies that want to utilize the cloud to either (a) adopt the EU rules and contracts or (b) enter a binding corporate rule that complies with the EU rules (which is another option the German DPA suggested). This will, ultimately, increase the costs associated with using the cloud and will likely have a cooling effect on pushes on that front. Of course, the development that I will be watching from the cheap seats as a technology lawyer is what response the U.S. takes. Will it rely on businesses to police themselves and comply as they choose or will it try to enforce rules to keep the Safe Harbor alive? And, if Germany makes this type of ruling on the cloud now, essentially obliterating the Safe Harbor Framework, can Safe Harbor survive? Or more importantly, should Safe Harbor survive?
Your friendly neighborhood technology counsel here: A couple of recent state court decisions are going to start personal injury attorneys frothing at the mouth, and might render some sleepless nights for defense attorneys. Both Ohio and Florida recently issued opinions in which they applied their state's respective long-arm statutes to garner personal jurisdiction over an out-of-state resident for tortious conduct that transpired over the Internet.
First, you need to know what a long-arm statute is. Essentially, it is a mechanism by which a state can obtain jurisdiction over an out-of-state resident for activities or actions undertaken that are related to an in-state resident or citizen. Without boring you with the legal details, they stem from the concepts of full faith and credit and due process and require a minimum amount of contact within the state to trigger. And, they have posed a pickle in Internet litigation because the Web allows access from out-of-state residents without actual presence or contact. At least that was the case until recently.
In Internet Solutions Corporation v. Marshall, the Florida Supreme Court, addressing a certified question from the Eleventh Circuit, determined that exercising jurisdiction over an out-of-state resident under Florida's long-arm statute did not violate due process. The basic facts are that Marshall ran a website based out of Washington, where she is a resident. She had no contact with Florida other than a short business related trip several years ago. However, she wrote a blog about a Florida based company and then she and some other posters trashed them online in the comment section. The Florida-based company sued for defamation in federal court under a diversity action (action between two citizens of different states). The district court found no personal jurisdiction and the Eleventh Circuit certified the question to the Florida Supreme Court. The Florida Supreme Court looked at two main analysis points: (1) whether the complaint alleged sufficient jurisdictional facts to bring the action within the ambit of the statute, and (2) whether sufficient minimum contacts are demonstrated to satisfy due process requirements. The Court determined that both were satisfied. An interesting analysis point is that the Court reasoned that the long-arm statute had been applied to telephonic, electronic or written communications in the past and that the Internet is an extension of those rulings. Overall, it is a well-reasoned opinion applying a standard long-arm statute to the Internet.
Similarly, in Kauffman Racing Equipment, LLC v. Roberts, the Ohio Court of Appeals reached a similar conclusion when determining if an out-of-state resident's comments over an Internet blog about an in-state plaintiff can be grounds for jurisdiction over the out-of-state resident in a defamation action. The Court utilized the same general analysis as in Marshall.
The obvious implications to Internet litigation of these opinions are pretty substantial. Until now, suing for tortious actions done over the Internet has been difficult because of those pesky due process minimum contacts, but that is slowly changing. These cases are a framework for an enterprising personal injury lawyer to sue someone that has never set foot in their state for tortious activities on the Web. And, right now we are only talking about defamation, but why wouldn't it extend to other torts? What about tortious interference with a business relationship, intentional infliction of emotional distress, and assault, to name a few? This is going to change the face of Internet litigation. We are going to see more lawsuits based on this. And, further, you, as a business owner, will need to be aware of what you are putting out on the cyberspace. You may be inadvertently exposing yourself.
And think of the other areas of technology litigation that this can be tied into. Two of the most predominant to me are privacy litigation and cloud computing law. Imagine that I have posted private information about you on the Internet in contravention to the law. We've never met and I've never been in your state, but the Internet has. Under these holdings, I can be hauled into the courtroom to address my actions. Or I've placed something into the cloud that doesn't belong. I've now exposed myself to multiple jurisdictions depending on to whom I have shown the material.
The ramifications are mind-numbing, but we'll see what other states start jumping on board. As I've always said, technology litigation and Internet litigation is in its infancy and we are going to see wide-spread changes from court's making decisions at the federal and state court level. It should be fun.
Be prepared: I'm going to get on a bit of a soapbox. I read a recent article at WSJ.com entitled "Using Social Networking as Legal Tool" (Linked Below). There is nothing wrong with this article. It very succinctly and pleasantly explains how certain law firms are using social networking and the Web to find clients for high-value plaintiff cases. And I don't disagree with that approach. As an attorney posting on a blog, I too hope to use social networking to get business, and would be foolish to argue otherwise. Thus, I cannot fault the firms employing such tactics. And I am glad that a more "mainstream" press outlet would pick up a story of this nature; highlighting the use of technology by lawyers.
The fault that I find, and what, frankly, irks me, is that this article gives no credence to the more innovative aspects of technological use that are gaining hold in the legal community. The article highlights the practice of "ambulance chasing" for the 21st Century. But there is so much more happening in the cyberworld. Legal scholars like Eric Goldman are posting daily with the new and interesting ways that technology litigation and cyberlaw are being explored. Courts are posting their opinions on-line to further the pursuit of knowledge by the populace. Courts and communities are moving to on-line activity such as filing and case work to speed up the legal process and reduce our environmental impact. Technology legal counsel throughout the world are espousing the virtues and pitfalls of cyberlaw. Property rights are being generated in virtual worlds. Privacy litigation is defining what can and cannot be exposed in the real and virtual worlds. Software litigation is defining what can and cannot be done with these wonderful bits and bytes of information. Cloud computing law is going to dominate the future courtrooms of the world as more and more data is put into the cloud. All of these things are happening now.
Our world is becoming a smaller place as we all become more connected, and lawyers are at the forefront of those debates and discussions. Yes, I think it is very interesting that Law Firm X has 25 people on staff twittering and establishing domain names so that sufferers of acute hypersensitivity can find a law firm willing to represent them. PLEASE don't misunderstand me because I believe that allowing those people to easily find representation IS IMPORTANT. But it is not the only thing that is happening out there in the cyber-ether. Instead of focusing on the new and novel way that lawyers are getting business, let's shine light on how those in the legal community are using the Web to define, explain and expand our world.
Every once in a while, I have the inkling to make a blog post that is not about developments in privacy litigation or technology litigation or cloud computing law or foreclosures or any of the other endless stream of ideas and legal thoughts that pass across my desk. This is one of those times. Because, while I think it is important for our readers to know that Mexico passed a new data privacy law or that litigation related to CAN SPAM is likely a rising field, I think it is equally important for our readers and clients to gain insight into the psyche of Alerding Castor Hewitt, LLP as it is viewed through the eyes of this humble writer. Thus the question: Who are Alerding Castor Hewitt, LLP?
First, I must note that I intentionally chose the plural tense in that question because, although I agree that Alerding Castor Hewitt, LLP is an entity that could be viewed as a singular, I fully believe that we are made of the people that permeate this place. Thus, we are a plural. Second, if what you are looking for is our resumes and the curriculum vitae of these Indiana technology counsel, you can check them out on our webpage.
Rather, I intend to discuss who we are in such a way that our readers and clients can relate to the ideals for which we stand. We are the rogues. We are the fighters. We are the fixers. We are the counselors. To a person, the attorneys at ACH are products of years of experience. We have all trudged through the mud of the legal profession in other locales before coming to this place. Which, inevitably, leads to the question of "why here?"
The answer to that simple question is that here we can be what our clients need. We can be entrepreneurs. We can be fighters. We can truly embody the idea of counselor that so many of us sought when we went to law school in the first place.
Does that mean that I always give my clients the advice that they want to hear? No. My job, and the job of any great attorney, is to give the advice that is warranted in the situation. ACH not only gives its attorneys the ability to do that, but also encourages it. I can honestly say that I have practiced from the biggest of big to the smallest of small, in the private sector and the public sector, and there is no place that I would rather practice law. I have told colleagues that ask me about ACH that I practice law in a way that every attorney wants to practice when they are honest with themselves as to what they want out of their profession.
This place is filled to the brim with spirit, humor, knowledge, and skill. And I think there are two quotes that best answer the question of Who are Alerding Castor Hewitt, LLP. The first is from Ulysses S. Grant. In a speech in London, Grant stated "Although a soldier by profession, I have never felt any sort of fondness for war, and I have never advocated it, except as a means of peace." The second is from Ode by Arthur William Edgar O'Shaughnessy, but was made famous (in my opinion) by Gene Wilder in Willy Wonka and the Chocolate Factory: "We are the music makers, And we are the dreamers of dreams."
Your friendly neighborhood technology counsel here: So, Mexico recently passed a new data protection law. On April 27, 2010, Mexico passed the Federal Law for the Protection of Personal Data, which is likely to be signed into law by the President in the near future. This law not only allows for a mind-boggling $1.5 million penalty for violation, but it also applies to the private sector. Private and public entities will need to protect themselves from privacy litigation.
This law is much akin to the EU's data privacy laws. Meaning, among other things, that the scope of the law is extremely broad. Additionally, all data is included, but certain types of data are given greater protection. This Sensitive Personal Data includes: "In particular, consider those that may reveal sensitive issues such as racial or ethnic origin, health status, present and future, genetic information, religious, philosophical and moral, union membership, political views, sexual preference." (translated from the Bill). The dissemination of any information that contains this sensitive data will require written consent from the owner of the data, the individual.
Now the $1.5 million question: What does this mean for my business? The simple answer is: Potentially a lot. In the world of e-discovery and privacy litigation, this issue has already begun to rear its head in the context of the EU's data privacy law. With the number of American manufacturers and companies with a presence and facilities in Mexico, this type of broad legislation could result in the expenditure of millions of compliance dollars to craft protocols and document retention issues. Think of the billions of e-mails that must run through a Fortune 500 company. Now think about how many of those e-mails contain some amount of information that fits within the category I described above. To disseminate that information, each individual has to be contacted and give written consent. Like I said, mind-boggling.
Obviously, society is walking a thin line between protection of information and the availability of information for legitimate purposes. Privacy litigation both here and abroad is going to shape the breadth and direction of that line. And then, when we think we have a handle on it all, we'll start talking about what we are going to do under cloud computing law for that data that is stuck firmly in the cloud.
I must take a moment to open with a caveat. The study of privacy and hence privacy law or privacy litigation is an analysis that spans centuries. In fact, while it seems like privacy issues have only recently come to the forefront with the advent of technology, they have, in fact, been prevalent in every major level of recorded history. I put this point out there to help you recognize that there are books and books addressing the issues of privacy and my little foray into the issue is but a nail-scratch on the surface of a very large issue. Nevertheless, I would be remiss in my role as an Indiana technology lawyer if I didn't delve into the issue at least from an overview perspective. Now, onto the bigger (and better) question of "what the heck is it?". There are, in my humble opinion, four basic approaches to this question: (1) academically; (2) legally; (3) structurally; and (4) realistically. I will address each approach separately.
Academic Perspective: In the simplest of academic terms, privacy law is the method and mechanism of protecting the private matters or interests of the citizen. This definition leads to the ultimate issue from the scholarly perspective of what is privacy. The debate over that simple term, however, has raged for years and encompasses an extremely wide umbrella of ideas. From a political perspective, privacy is that sphere of information that wholly belongs to the individual and is unnecessary for the overall governmental function. Aristotle believed that there were two spheres. The first is the public sphere and in this sphere is the information necessary to govern the polis or city-state. The other sphere is the individual sphere in which each person has the information and matters pertinent to only themselves. It does not impact the polis and is solely private, but must exist to ensure the welfare of the entirety. Later, John Locke would address the issue by theorizing that the inherent state of man (the state of nature) is one in which they all have equal right to their self. It is this act of giving up some of these rights to the greater body that leads, according to Locke, to the development of organized government.
Anthropologically, privacy is those matters that we keep from the community at large. Anthropologists have found that even in social settings where there is very little physical privacy, the members of that society will act to protect their own privacy in other matters (i.e. hiding feelings, averting eyes, etc.) to maintain some level of intimacy and ultimately, individuality. And this doesn't even get into philosophically, economically, medically, or any other -ly of which we may think. As you can see, the academic perspective is somewhat scattered, but the overarching theme is that privacy (and subsequently privacy law) is the component of self that is maintained to establish and maintain the individual.
Legal Perspective: From the legal perspective, privacy law is the protection of information related to the person. There are two basic types of legal perspective. The first is the protection of private information from a constitutional perspective. This is the basic premise behind the Fourth Amendment. The idea that citizens are free from the government simply prying into their business is fundamental to American jurisprudence. It is also a fundamental difference between the United States and other countries that has led to some very interesting debates related to privacy, but we'll cover that more in Part 2. From a constitutional standpoint, privacy is the protection of the individual from the invasion of the government without a reason. The other legal perspective is the protection of information from the tort perspective. These are the private causes of action that relate to the invasion of privacy and lead to the majority of the privacy litigation that we see today. Questions such as: can my employer look at my e-mails; can my insurance company see my health records; can this website give my address to the cyberworld. These questions are the bread and butter of the tort perspective. And, frankly, are the most important to my clients. But overall, the legal perspective of privacy is, like the academic perspective, focused on the establishment and maintenance of barriers between individuals.
Structural Perspective: What I'm calling the structural perspective is actually the most amorphous perspective that I've made up. It deals with the components and subparts that make up privacy law because the parts make up the whole. But, the components of privacy law are as widely varied as the other definitions. There is a component for protecting information about one's health. There is a component for protecting those activities that one engages in in their home. There is a component for protecting the contents of one's vehicle or property. There is a component for protecting one's personal contact information. There is a component for protecting one's financial information. The list goes on. Needless to say, from a structural perspective, privacy law is the protection of that information that is necessary and pertinent to our identity, well-being, and overarching individuality.
Realistic Perspective: Finally, we get to the perspective that is most likely to impact our individual lives. For the individual, privacy law realistically means those steps and actions that one must take or protect to ensure that information pertinent to your well-being is protected from dissemination to parties without legitimate interest in the information. Whether this is monitoring against identity theft or moving to quash a subpoena that seeks information in violation of HIPAA. These are the steps that have to be done to protect your individual information. For the business, privacy law realistically means the steps and actions that must be undertaken to protect against the dissemination of information related to either my clients, my products, or my business perspectives. This is important both from a regulatory approach and a litigation approach. Both individuals and businesses need to know (a) what information is protected and (b) how to protect it. These are the fundamental realistic questions to be answered.
So, in conclusion, privacy law is an enigma wrapped in a riddle. We know we need it, but aren't always a hundred percent sure what it is. It is rooted in our mythos and theory. It is part of the underpinnings of society, both American and human in general. And, the more connected we get, the more important it becomes. In Part 3, I'll take a look at some of the major legal precedents on the issues of privacy law and litigation. Stay tuned.
Your friendly neighborhood technology lawyer here: Clients and colleagues often ask me to explain what I mean when I say "technology litigation". And, to be frank, that term is really composed of several different subsets of the law. One such subset is privacy law. Over the next several blog posts, I will provide a general overview of privacy law and privacy litigation to arm you, my humble reader, with the knowledge to assist your company (as well as impress your friends at parties).
The Parts:
My analysis will address the following questions:
What is Privacy Law: This part will focus on the academic, legislative and practical definitions of privacy law, as well as its general subparts / components.
What is the current state of the law: In this subsection, I will focus on the various statutory schemes and case law that have developed related to privacy law. I will also highlight the current black-letter legal principles at play in privacy litigation.
What does it mean for your business: The third substantive subsection will focus on the implications of privacy law to the general business. It will focus on: (1) regulatory compliance; (2) protection and use of your own data; (3) protection and use of your client's data; and (4) the implications of privacy laws on litigation a business may face.
What will the future hold: In the final subsection, I will focus on the future of privacy law. In particular, I will look at the current and future issues revolving around the different approaches to privacy taken by the United States and the European Union. I will also look at the implications on privacy law of advanced technology and the increased use of social media.
Why it matters:
Perhaps, however, the most important question to be addressed is: why does privacy law matter to me? The succinct answer is that any business or business owner seeking to profit in the 21st Century must have, at the very least, an elementary level grasp of privacy law because governments throughout the world will demand compliance with an expanding set of legislative and precedential authority. It is this level of education that I plan to provide over the next few blog posts.
Your friendly neighborhood technology lawyer here: As you know, I'm a bit of a technophile and I've been watching the iPad craze with interest. There are other similar products that will be inundating the market in the near future (HP Slate and the one that I'm watching with anticipation, Notion Ink's Adam). As I watch, I've come to the conclusion that tablet computers are the future of litigation, whether you're talking privacy litigation, SaaS litigation, personal injury litigation, or commercial litigation. The reality of this technology is that it will allow a lawyer to have his library in his briefcase. I envision the ability to look up a treatise and show it to the judge from the comfort of my tablet, and if necessary, hook up to the wireless and look up the case law needed to win my case. Additionally, as more files go paperless and data is maintained only in an electronic form, the tablet computer will permit entire files to be carried with you. I'm not putting my trial case on mothballs just yet, but I do like to see technology changing the way we practice law. The wise counsel will allow technology to assist them in their practice to allow them to provide the best representation they can.
The United States Supreme Court (SCOTUS) has granted certiorari on a case in the privacy litigation arena that focuses on the question of whether a governmental employee has Fourth Amendment rights in the contents of an employer issued pager. The case is City of Ontario v. Quon (www.ca9.uscourts.gov/datastore/opinions/2008/06/18/0755282.pdf). In Quon, the Ninth Circuit made several decisions. It first decided that a third party company that provided texting services to the City of Ontario was an Electronic Communication Provider and not a Remote Computing Provider for purposes of the Stored Communications Act ("SCA"). Given the impact on liability, I think this aspect of the opinion (which was not raised on cert) is very intriguing from a technology litigation / electronic discovery perspective. If a text message company is an ECP and not an RCP, they are exposed to more liability. This fact can be used as a sword or a shield in a litigation arena.
The remainder of the 9th Circuit opinion focuses on Fourth Amendment privacy rights in electronically stored information. The point that was raised on cert is whether a governmental employee has an expectation of privacy in his information transmitted electronically from a government provided device. This has some implications for Indiana privacy litigation as well as general licensing agreement negotiations. Interestingly, if SCOTUS agrees with the 9th Circuit, the employee would have a reasonable expectation of privacy in the information, regardless of what state public record acts say. Thus, I, Joe Citizen, would have more access to the information than the State itself. This has the potential for interesting results. Maybe the state will have to ask me to find out if their employees are responsibly using the equipment provided to them.
Additionally, if the Court agrees with the 9th Circuit, a search that was conducted when there were less intrusive means of obtaining the information would not be reasonable. This also creates a lot of grey area and room for courts (and litigants) to maneuver. I think it certainly raises instant triable issues regarding whether a means was intrusive and what less intrusive means existed.
Overall, this ruling should be fun, even if I personally think the more interesting question was not raised on cert (i.e., whether a third party provider is an ECP or an RCP under the SCA [you have to love acronyms]). I'll be watching this one.
I know that as your friendly neighborhood Indiana technology counsel, I usually post wonderful things about privacy litigation (look to see my blog on the Supreme Court taking up a case of privacy expectation in texting) and other fun cyberspace law, but today I'm going to digress for just a bit. Indiana Senate Bill 192 has recently been introduced by State Senator Sue Errington (D-Delaware County) and would govern how a hospital applies visitation rights in a domestic partnership situation (www.in.gov/legislative/bills/2010/IN/IN0192.1.html). The bill is not aimed at a distinction based on sexual orientation and does a good job of defining "domestic partnership" without going to the obvious. Further, it allows a hospital to still govern the needs of the patient and implement rules accordingly. What it stops is arbitrary and capricious denial of access to a loved one simply because the relationship between them is not familial, marriage, or civil union.
I believe that this law is a direct result of the 2007 Court of Appeals decision of In Re the Guardianship of Patrick Atkins (www.ai.org/judiciary/opinions/pdf/06270701jgb.pdf), which is a heart-wrenching decision that I think is right under the current law, but is a wake-up call to change the law. It is definitely worth a read.
Regardless of your opinion on same-sex relationships and the rights that they should or should not be afforded, Senate Bill 192 is a logical and reasonable approach to a heated argument. No matter what rights are ultimately given to domestic partnerships (same-sex or otherwise), a person should have access to their loved ones when they are in the hospital. So if you are in Indiana, I hope you'll give Bill 192 a read and if you agree with it, call your representative and say so. If you are not in Indiana, I hope that you'll take a read of Atkins and this law and see what potential pitfalls are out there and if you are so inclined, call your representative.
Google announced in its blog today that Los Angeles has officially switched to using Google Apps for e-mail and collaboration. 34,000 city employees will now be using the Google cloud to do their work and, more importantly, their communication. This is a substantial development in cloud computing law. This will highlight the pros and cons of cloud computing for the future, and is likely to shape the success of other municipalities going the same way. Data issues and privacy litigation are likely to start popping up even more predominately related to the cloud. Plus the bloggers will get to continue to discuss the impact of Google taking over the technology world.
Overall, I think that cloud computing is the future, but as a technology legal counsel, I can't help but watch this development with youngster-like anticipation. As go the cities, so goes the country. Keep your eyes on the horizon for developments from this jump by L.A. The litigation that is possible from this decision by L.A. will be delectable.
A colleague of mine brought to my attention two recent federal cases in which the courts elected to deny motions to compel electronically stored information (ESI). In Kay Beer Distributing v. Energy Brands, Inc., the Eastern District of Wisconsin determined that, among other things, Kay's request for every e-mail with their name in it was too broad. The court also considered in its determination the fact that Energy Brands' counsel had offered to work with Kay to do more directed keyword searching of the e-mail engine, but Kay declined.
In my opinion, these cases are indicative of a trend that you'll see more prevalent in litigation, whether you're talking about technology litigation or run of the mill commercial litigation. When ESI discovery came onto the scene, judges were more prone to let the parties just duke it out and allowed for more expansive discovery requests. In my opinion, as the frequency of requests increases and judges are exposed to more and more decisions related to ESI, they are becoming more educated on technological capacity and will become less and less likely to allow for expansive discovery.
This leads me to the actual point of this post. For the entrepreneur, there can be significant benefits to cooperation in discovery related to ESI. Long before I became involved with Indiana technology litigation, I was fortunate enough to participate in some large scale discovery productions that involved searches of electronically stored information. One of the pivotal points of the production involved the necessity to explain to the Court and the opposing party what the search system would and would not do. Much to the chagrin of my boss at the time, I suggested that we allow the opposing party to have direction in their search by doing it in conjunction with us. The Court called this an "organic search" (a term that I hated, but that ultimately stuck to what we were doing). It involved the opposing counsel conducting the searches with us and then directing further searches based on those results. With a limit on the time to conduct the search, we were able to minimize defense cost on the issue, appease plaintiff's counsel, and make the judge happy. And all we, as defense attorneys, had to do was the searches that we would have had to do anyway.
My point is that with technological capabilities comes a necessity to think outside of the box. As a business owner, you may be able to minimize your exposure and costs by simply allowing the other side into your office while you're doing their search. As attorneys, our job is to make sure that the appropriate safeguards are in place to protect our client, but we must also be willing to effectuate for them the best result. Obviously, some areas of law, like privacy litigation, medical records, etc. are going to be less viable for this type of solution, but overall, there can be an upside to cooperation. Think about it.
As an admitted technophile, I can't help but look into all the newest gizmos and gadgets. Plus, working at an information technology law firm, I can even bill it sometimes. Thus, I've recently begun a fascination with e-books. Jason Wilson has done a very interesting set of blogs looking at the use of e-books (or lack of use) for lawyers (www.jasnwilsn.com/). Jason's viewpoint is as a counterpoint to a recent set of blogs by Professor Eugene Volokh (volokh.com/2009/10/02/the-future-of-books-related-to-the-law/). I find this debate interesting for lawyers in general, but litigators specifically.
While I appreciate Jason's point of the importance of cloud computing and web based interfaces for lawyers, I have to admit that I personally think that e-readers are likely to have increasing presence in courtrooms around the country. I am genuinely intrigued by the thought of turning to my e-reader to "leaf" through a treatise on privacy litigation or ASP law that I've downloaded while sitting in a courtroom. This is particularly true when the courtroom that I'm sitting in is located in small town Indiana (or any other small town) that is still working on integrated computer systems and looks at you askew when you ask about Wi-Fi. Web based interfaces are extremely important to the 21st century attorney, but there are still limitations. And if technology can allow me to carry treatises and law books that I might need before a court while still using my super sleek briefcase, I'm all for it.
Section 230 of the Communications Decency Act (47 USC 230), entitled “Protection for private blocking and screening of offensive material”, is an important federal statute for any interactive computer service provider. Because my law practice as a technology lawyer largely focuses on SaaS law, software licensing law and Internet based businesses, this statute impacts several of my clients.
The statute essentially provides protection for providers of interactive computer services against information published by third parties on their site, provided that “a provider of interactive computer service shall, at the time of entering an agreement with a customer for the provision of interactive computer service and in a manner deemed appropriate by the provider, notify such customer that parental control protections… are commercially available that may assist the customer in limiting access to material that is harmful to minors. Such notice shall identify, or provide the customer with access to information identifying, current providers of such protections.”
Where the notification requirement is met, Section 230 provides certain protections from liability when users encounter objectionable material through the Internet service. 230 essentially divides online content into first party content and third party content and says that online parties cannot be liable for third party content unless (1) it is covered by the Electronic Communications Privacy Act (protection of individual’s communications via technology by government officers without court order), (2) federal criminal enforcement, or (3) intellectual property claims.
I often read the Technology & Marketing Law Blog by Eric Goldman. In a recent post, Professor Goldman summarizes liabilities under Section 230. Here is an excerpt:
Despite 230, websites always remain liable for first party content.
* Ex 1: if they post their own content, they are liable
* Ex 2: if they make marketing representations, they are liable under standard doctrines like contract and false advertising law. Even so, some courts have been giving websites a pass for marketing representations which are rendered untrue by third party actions.
* Ex 3: Barnes v. Yahoo: website can be liable under promissory estoppel theory if it promises to remove third party content
Plaintiffs often try to argue that third party content becomes first party content.
* Ex 1: website contract may take ownership of user-supplied content
* Ex 2: SEC says that issuers endorse/adopt content that they link to
However, these arguments generally fail under 230. If content starts out as third party content, there is almost nothing the website can do that will convert the content into first party content. As a result, agency civil enforcement actions can unexpectedly run afoul of 230 when they collapse the distinctions between first party and third party content.
However, there is a possible workaround. In the Roommates.com case, the Ninth Circuit said that websites can lose their 230 protection in civil cases if they “encourage illegal content” or “require users to input illegal content.” The FTC is relying on this language in its recent Pricewert/3FN enforcement action against an Internet access provider who facilitated customers allegedly engaged in illegal activities.
As a final point, with the global nature of many ISPs, it is worth noting that many other countries do not afford the protections that the US provides under Section 230 (e.g., certain first world countries have found ISPs liable for negligence where they have failed to investigate material or user published content). For Internet based companies doing business globally, it is worth considering the application of Internet laws of those countries.
~~~~~~
Alerding Castor is an Indianapolis law firm focusing on business law, information technology law (including SaaS law and legal technology consulting), private equity consulting, probate and business litigation.