Your friendly neighborhood technology legal counsel here: I recently saw an article over at PC World that security firm AVG recently did a study of the safest countries in which to surf the Internet. Seven of the top ten are in Africa, with Sierra Leone rated the safest. The study is based on incidence of attack by a compiled list of virus and malware attacks. The study found that Sierra Leone's average incident rate was one attack in every 692 surfers. Niger also fared well with 1 in 442 rate.
Now, I'm not going to get into the details of the survey, and there are obvious flaws. Particularly since you have a significantly lower number of users logging-on in Africa when compared to the U.S. or Europe. However, the results do bode well for that continent. Result like these may well attract private equity firms who are interested in doing more in the cloud or with SaaS.
Way back in January, 2009, David Castor wrote a good post entitled "Now is the Time to Invest in Africa" (
blog.alerdingcastor.com/blog/business/0/0/now-is-the-time-to-invest-in-africa). I can only imagine that findings like the ones from AVG are only going to continue to continue to fuel the investment potential there.
For those interested, the worst places to surf are Turkey, Russia, and Armenia. The U.S. ranked ninth.
Another post that doesn't quite fit neatly into Indiana Internet litigation or privacy law, but that intrigues me. BusinessWeek, passing along a Tim Greene article from NetworkWorld (found here:
www.networkworld.com/nwlookup.jsp), is reporting that the U.S. military has issued an essay in which it urges its expertise in defense be put to use in protecting civilian networked infrastructure, such as power grids, financial institutions, etc. The essay from Foreign Affairs sets out the concept that our military networks are probed and scanned by outside sources millions of time a day by enemies looking for weakness and access. The Pentagon fears that the civilian cyberstructure could also be at risk from cyber-terrorism and that the U.S. military can help by using its tools to protect those necessary networks.
This concept imposes a sense of fear and foreboding in your friendly neighborhood technology legal counsel. On one hand, I can recognize the importance of protecting those networks. If Bruce Willis and Justin Long taught us nothing, it is that a "fire sale" can cripple this country (and big props to Kevin Smith for his part in that flick). Other than our Amish citizens, we, as a people, rely so heavily on our networks that we need to protect them. However, the idea of the government and military putting their hands into the inner workings of those civilian networks also scares the heck out of me. There are too many "technology deciding it knows what's best for us" movies for me to not worry about increased presence of government and military in our cyberworld.
I guess, the reality is that I have no answer to this issue, but I thought it was interesting. Like many of the questions we see arising in the cyberlaw realm, the answer to military intrusion in your civilian networks is "how much are you willing to give up in order to be safe?"
I don't often blanket repost other blogs that I see, however, in this instance, I think it is appropriate. Venkat, writing for Professor Goldman's blog, writes an excellent analysis of the recent ruling in the
In re: Easysaver Rewards Litigation (S.D. Cal. August 13, 2010). This is a very interesting case in that it covers several different, more traditional causes of action and analysis. I'm interested to see what ramification this case is going to have on SaaS law and privacy litigation. Here you go:
"Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards
[Post by Venkat]
In re: Easysaver Rewards Litigation (S.D. Cal.) (Aug. 13, 2010)
Plaintiffs brought a class action lawsuit against Provide-Commerce (which operated Pro.Flowers.com). The lawsuit alleged that effecting transactions on the Proflowers website resulted in plaintiffs being unwittingly enrolled in a rewards program and being charged credit card fees. The court denied the motion to dismiss brought by defendants.
Background: Provide operated ProFlowers.com. At the time of completion of transactions on ProFlowers, consumers were offered a chance to enroll in a "rewards program" which was operated for Provide by Encore Marketing. Plaintiffs alleged that they were "unwittingly" enrolled in the program:
Plaintiffs allege that Provide leads customers to believe they will receive a complimentary $15.00 gift code to use on their next flower order as a thank you gift. After Plaintiffs completed the purchase of flowers on Provide's website by providing their personal and payment information, 'a window popped up that thanked Plaintiffs and Class Members for their order and offered a gift code for $15.00 off their next purchase at ProFlowers. The window also contained a link for Plaintiffs and Class Members to click on to claim the gift code.' Plaintiffs contend the pop-up window is part of an intentionally misleading and deceptive scheme, jointly orchestrated by Provide and EMI.
The named plaintiffs all testified to slightly different experiences. Some closed the pop-up window and did not provide any personal information, others responded to the pop-up by clicking on "I accept" and entering their personal information. Ultimately, plaintiffs were unable to have the charges relating to the EasySaver program reversed, and brought a variety of claims against both Provide and Encore.
Discussion:
Breach of Contract Claims:
Provide first argued that the privacy policy is not "an actionable contract" but was instead a "general statement . . . of policy." The court doesn't treat this as a colorable argument, citing to the alleged user experience and plaintiffs' reliance on the privacy policy and terms of use, which popped up every step of the way. (But see In re JetBlue, discussed in Professor Goldman's post here: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue.")
Provide also argued that the applicable privacy policy allowed it to transfer information to third parties, but the court holds that there is a disputed factual issue as to whether Provide agreed to only transfer the information with consumers' "informed consent or authorization," and would not share the information "beyond that which was necessary to complete the flower order."
Finally, Provide argued that the "EasySaver Rewards Policy" was not supported by an exchange of consideration, since it only came up after the flower transaction was complete. The court rejects this argument as well, finding that the rewards program was "part and parcel of the underlying flower purchase."
Provide also tried to disclaim liability for Encore's actions by arguing that it was not responsible for anything Encore did. The court cites to language in the description of the rewards program that indicates the program was jointly operated (the program was described as "our" program and Encore was described as Provide's "partner").
A separate sub-class of plaintiffs brought contract claims against Encore. These plaintiffs argued that they did not "knowingly" consent to the rewards program, and even if they did, Encore breached the terms of the program by not providing the stated benefits. Encore argued that these plaintiffs could not have it both ways - either they enrolled in the program (in which case plaintiffs accepted the terms were clearly stated) or they didn't. The court finds that plaintiffs could plead in the alternative that they did not enter into an agreement, and even if they did, Encore breached the terms of the agreement.
Fraud Claims: Provide raised a variety of arguments against plaintiffs' fraud claims (failure to plead fraud with particularity, failure to allege causation). The court rejects these arguments, holding that whether plaintiffs read the privacy policy or had adequate notice is not something that was amenable to resolution at the motion to dismiss stage.
Conversion: Plaintiffs argued that defendants converted plaintiffs' "private payment information." With respect to plaintiffs' conversation claim, the court notes the historical trend away from limiting conversation claims to tangible property (citing to Kremen v. Cohen, among other cases). The court analogizes conversion of plaintiff's "Private Payment Information" to conversion of bank account information, and finds that plaintiffs adequately state a claim based on conversion of private payment information.
EFTA: The Electronic Funds Transfer Act prohibits, among other things, unauthorized billing. Provide argued that it was Encore and not Provide who engaged in the unauthorized billing. The court agrees and grants Provide's motion to dismiss as to the EFTA claim, finding that there is no liability under the statute for aiding and abetting an EFTA violation. With respect to Encore, the court denies the motion to dismiss. Among other things, the court rejects Encore's argument that the plaintiffs agreed to the membership charges by "entering [their] email address[es] and zip code[s] and clicking the green acceptance button."
___
Defendants will have another opportunity to show that plaintiffs' claims are without merit, but I think the court's resolution at the pleading stage is interesting. A more robust disclaimer and a non-leaky acknowledgment would have no doubt been useful here. (See professor Goldman's post on Scherillo v. Dun and Bradstreet for some good pointers.)
The case also illustrates the importance of the transaction flow and process (the user experience). Often lawyers provide advice, but implementation is left to the business or marketing folks. This case illustrates that in addition to the language of the terms, courts will look to the transaction process to poke holes in the contract formation argument.
Data breach claims alleging a breach of the applicable privacy policy have met with little success. (See, e.g., Ruiz v. Gap, discussed in this post: "9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") Where there is out of pocket loss that is a result of a violation of the privacy policy, plaintiffs have a much easier time bringing claims for violation of the privacy policy. In this case, defendants didn't even raise the argument that plaintiffs had not suffered out of pocket loss or lacked standing - it was a nonstarter.
It was also interesting that defendants tried to rely (and have judicial notice taken of) the online terms, but the court refused to do so, in light of the changing content of the webpages. When defendants pushed this argument, the court predictably trotted out the "[i]nformation from the internet does not necessarily bear an indicia of reliability" argument."
Back in October, 2009, I posted about the new endorsement / testimonial rules set out by the Federal Trad Commission (
blog.alerdingcastor.com/blog/alerding-castor/0/0/ftc-makes-changes-to-blog-law). There has been some development since that time, but mostly everyone is still watching and waiting. The FTC did threaten to pursue Ann Taylor back in April, but otherwise, it has been relatively silent.
That is, however, until now. On August 26, 2010, the FTC reached a settlement with Reverb Communications regarding positive reviews that it left on iTunes for its clients' apps (FTC No. 092-3199). This is an instance where the FTC investigated and pursued an online review source that failed to disclose its material relationship with the party it reviewed.
Reverb Communication reached a settlement with the FTC in which it agreed to remove all product review or endorsement that is currently viewable by the public. There is also a five (5) year evidence maintenance component, including producing all complaints. Finally, there is a requirement that Reverb and its owner deliver copies of the settlement order to all of its current and future employees, agents, and representatives.
I don't really know whether this can be classified as software litigation, privacy litigation, or any other hot-button issue, but as a technology legal counsel, I find this order and settlement to be extremely important. With this very public order, the FTC is making a shot across the bow of all businesses that engage in on-line review of products as part of their business plan. The public nature of the Reverb order is, to me, more telling than any of the language contained therein. Thus, if you blog and '/ or make endorsements as part of your business plan, you need to have your eyes on the lookout for areas where your material connection can be questioned. If those areas, exist, you are exposed to the sanctions and reach of 16 CF.R. 255.0. BE AWARE!
One thing to remember is that the reviews posted by Reverb were not excessive or detailed, and could well have been completely true. "Amazing new game"; "ONE of the BEST"; "Really Cool Game", etc. Obviously, these were not voluminous diatribes expounding the virtues of their client. I almost wonder if the FTC would have scrutinized them as much if they had been more detailed, i.e. if it were more obvious they were paid, would the FTC care as much.
Another point to ponder is that the Reverb order does not go after any of the clients of the company who paid for these endorsements. But, the FTC has considered doing just that in the past. Thus, clients of businesses that are paid for building product and branding support need to be aware of these risks. You may wish to consult with your technology legal counsel to include language in your agreements that protect you against the ramifications of an FTC probe into your marketer. Or if you are a marketer, you may want to consider adding language to your agreements that detail what you will do or won't do with regard to this issue.
Here is a scenario that I can easily see playing out. Marketing Company X enters into an agreement with Client Y for, among other things, on-line marketing and endorsement. Marketing Company X doesn't comply with the FTC guidelines and gets an inquiry. Client Y also gets swept into the inquiry and the "scandal". Client Y then sues Marketing Company X for damages in lost profit, costs, and injury to reputation that it incurs as a result of the improper reviewing. And, I'm not sure that 47 USC 230 would give the Marketing Company X much protection. Thus, if you are Marketing Company X, I suggest that you make sure that such possibilities are clearly addressed in your upfront agreement.
The bottom line is that these laws are not new, but orders like the Reverb order are indicative of a new push by the government to regulate the Internet, and a wake-up call to the fact that the U.S. Government is watching the 'net. If you make your living through the online presence and word-of-mouth, you need to be aware and plan accordingly. Change your actions now to protect yourself down the road.
Below is a nice little article by Tom Spalding at the Indianapolis Star detailing the ExactTarget acquisition of Australian-based mPath Global. We are always happy to see our clients grow and expand. I know that Scott Kreider recently blogged about the importance of our "Partners in Success" mantra. It is never truer than when our clients seize an opportunity to take their business to the next level. Congrats again to all of the folks over at ExactTarget.
"ExactTarget, the fast-growing e-mail marketing and interactive marketer whose headquarters are on Monument Circle, today said it acquired its Australian-based partner, its third buyout since fall 2009.
The company bought mPath Global in Sydney and Melbourne, which it had worked with since 2005, and renamed that operation ExactTarget Australia. mPath has 150 clients.
Chris Gartlan, chief executive and founder of mPath Global, will lead ExactTarget’s new Australian operation as managing director. All mPath employees have accepted positions with ExactTarget Australia.
No financial terms of the deal were disclosed. CEO Scott Dorsey did not say what prompted the purchase.
The acquisition of mPath Global is the third ExactTarget acquisition in the past year, following the March buyout of San Francisco-based Twitter platform CoTweet and the purchase in September 2009 of Keymail Marketing that allowed ExactTarget to create a new international division in London.
ExactTarget’s clients include Expedia.com, Fairfax Digital, Best Buy, CareerBuilder.com, Gannett Co. (parent of The Indianapolis Star), Tennis Australia, The Home Depot and Indianapolis-based WellPoint.
The company now employs 730; approximately 550 of those employees are in Indianapolis."
The ACH litigation team had its first ever (as far as I'm aware) litigation retreat this weekend, and as I reminisce on our time, I am struck by the realization that to be a successful business, you have to allow your team to envision and strive for excellence with you. This weekend we had some great discussion and "vision-casting" on the areas of privacy litigation, Indiana probate litigation, business law, Internet litigation, banking law, SaaS litigation, and several other areas where we are already working and where we can work more, and throughout the discussions, I was struck again and again by how fantastic and forward-thinking everyone on our team is. The moral of the story to me is that you, as a business person, have surrounded yourself with excellent people. You need to listen to them and see where they can take your company. It doesn't matter what "position" they have in the company because everyone has ideas. Your goal as a manager should be to foster those ideas and push them to verbalize and realize those ideas. Otherwise, you will achieve nothing but stagnation. However, if you allow your team to envision with you, not only will you get some great ideas, but they will also own a piece of your business' future. They will have a stake in your game. Allow them to participate and purposefully embrace their ideas of the company and you can't avoid great results.
Gather 'round kids, this one is interesting. The decision actually came out in May, 2010, and I regret that I haven't had a chance to blog on it until now, but it is still a very interesting order that should have implications to privacy litigation, and litigation in general. In EEOC v. Simply Storage Management, LLC, Docket No. 09-CV-01223, the Southern District of Indiana was faced with the issue of discovery of social networking profiles of two individuals that claimed sexual harrassment by a supervisor. In its discovery, the Company requested "electronic copies of ********'s complete profile on Facebook and MySpace (including all updates, changes, or modifications to *******'s profile) and all status updates, message, wall comments, causes joined, groups joined, activity streams, blog entries, details, blurbs, comments, and applications (including, but not limited to "How well do you know me" and the "Naughty Application").. . . . " The EEOC went to the Court for guidance and the Court entered an order giving general guidelines, but determining that relevant portions of the social networking profiles were discoverable. Interestingly, the Court did not really address any privacy issues implicit in this request other than to reliance on two Canadian cases to establish that setting your profile to "private" is not a shield from discovery. The Court went on to provide the guidance that (1) any profiles, postings, or messages and applications are fair game; (2) third-party communications to the individuals must be produced if they place the claimants' own communications in context; (3) their photos and videos are fair game, but photos in which they are "tagged" are less likely relevant.
This is a very interesting case because it highlights the battle that is going to rage for years to come between the American jurisprudence viewpoint of discovery and the interest in privacy of what you post on the 'Net. "How much is too much in terms of what I post on a social networking site?" v. "If someone is posting it for everyone (or at least select everyone) to see, why can't I use it to prosecute or defend my lawsuit?" I wish I had the answer, but I think as privacy litigation and cloud computing law continue to evolve, these questions are going to become more prevalent.
Overall, I think Magistrate Lynch took a very reasoned approach to this problem. The issues raised in this case involve emotional distress, and the two claimants at issue both indicated that they had additional mental health traumas, above and beyond what one might "normally" expect in this type of case. Thus, if the question is "could the information shed some light on some aspect of this litigation" (which is always the question in discovery), then I think the answer has to be "Yes, it could be relevant to address those issues." It would be akin to a man claiming to have back pain arguing that photos of him water-skiing after the event in question aren't relevant. The simple fact is that our mental health and where we are emotionally is often evident in what we put on our social networking sites (as an aside, I will say that this is more true for some than others. Some people just need to stop posting things; but I digress). The items posted that show these claimants mental states are relevant. Now, the question of how relevant is still to be answered. If I'm the EEOC at this trial, I'm arguing that nobody posts things like "Today I was assaulted." or "I'm really depressed today because my supervisor assaulted me". For the most part, we sterilize (or most of us do) what we put into the 'Net. Thus, your social network profile is not an accurate snapshot of your emotional well-being.
To me, the more interesting question raised here is what happens when cloud computing law meets American discovery rules in the head-on, no-holds barred, death match that is coming. Things will be in the Cloud and there will be some passing relevance to an issue and then the fight will be on. The question in those cases, which I think is a question in this case as well, but that was not addressed by Judge Lynch, is the logistics of it all. Getting information back out of the Cloud, particularly archival information requires the cooperation of third-party entities and can be very burdensome and costly. Discovery is not meant to burdensome or overly complicated. Thus, we are going to be faced with issues of logistics that will need to be addressed. On top of that you add those pesky privacy litigation issue.
Of course, to bring this post to an actual close, this type of order is why I love these emerging legal questions that are derived from the advent and advancement of technology. There are so many facets to these issues and they strike at the heart of what we have always considered to be the core principles of litigation. But so long as you have parties either wanting money or wanting to avoid paying money, you will have zealous advocates turning over every stone to find the nuggets that make their case a win. And as the legal world polices itself, you will have these debates and conflicts over what is best for the individual case and what is best for the system overall. I think Judge Lynch's order alludes to and addresses both of those overarching concerns.
This one is a fun little piece of pseudo-software litigation. The basic facts are that Facebook and its majority stockholder Mark Zuckerberg have been sued by Paul D. Ceglia, who claims 84% ownership in the website juggernaut. The part of this story that has been clogging the Net is that a state court judge in New York actually issued a temporary restraining order ("TRO") prohibiting Zuckerberg and Facebook, Inc. from disposing or selling any of its assets. This has produced the viral "Facebook assets frozen". Interestingly, Ceglia has produced a written contract, making this suit slightly more interesting than prior software litigation involving Facebook ownership in which former students at Harvard claimed Zuckerberg stole the idea from them (which a court ultimately found to be "dorm room chit-chat").
One aspect that the technology legal counsel in me finds interesting is that the Court granted the TRO. Generally speaking a TRO is an injunctive mechanism that can be used to stop someone from doing something. In order to get a TRO, you generally have to show that you have a basis for your claim and that you have a likelihood of success on the merits. I don't know for sure that New York is the same standard as Indiana, but I suspect that it is. That means that a court looked at the documents and found that there might be something here. I find that very intriguing. I will note, however, that Facebook's attorneys filed a motion to dissolve the TRO and noted that it was ex parte, meaning that it was entered without Zuckerberg or Facebook being given the opportunity to respond. It also sets forth that the only evidence presented to support the TRO was a "scant" affidavit. But, one must conclude that the Court nevertheless did the appropriate analysis.
Also, having read the documents filed, there might be something to discuss. However, the biggest issue that I see at the outset is that the contract allegedly happened in April, 2003. It would seem to me that there are is a statute of limitations issue, which may kill this lawsuit before it gets into really fun electronic discovery.
Facebook has removed this case to Federal court, which I think is a smart move. We'll see what develops. But I would urge everyone to consider the reality that this case poses to the software developer or web-designer. From the "Zuckerberg" side, be extremely careful what terms you put in your contracts because you may have to rely on or defend them later (after you are a famous success). In this software litigation, Cegila is claiming 84% ownership in the company based on a damages provision that stated that he would get 1% ownership for each month after January 1, 2004 that the contract was fulfilled. And, if the case survives the statute of limitations issue, this may become hotly contested.
Thus, be careful that you hold tightly to your equity in your company. Don't give it away willy-nilly. And, above all else, get good technology legal counsel; specifically ones that understand what should be in a well-drafted contract and that have available the expertise to determine how that contract language will play out in court.
This is one of those great posts that gets to combine cloud computing law with privacy law with political intrigue. Before I get too far in, I want to set out my own caveat. In my opinion, there is a data war brewing between the United States, EU, and China and everyone if vying for the top dog spot. The basis of this is the fact that each faction views the protection of data very differently and they each want to be the best. To just give you a surface level scratch of the differences I'll simplify (which is one of the things I do best): US is pro-capitalism / free market and free flow of information, even private data; EU is much more pro-individual and retention of private data, even at the detriment of businesses; China is much more pro-state and focuses on keeping data managed. Each entity thinks that they are completely right and they are trying to work together (except for China, who doesn't seem to care what anyone else thinks), but really they each have an ultimate goal of obtaining dominance of their position. Interestingly, I believe that the EU is seeking its dominance by applying economic pressures (something we've used for generations), and is having the most luck. Business are being forced to comply and are doing so in order to maintain market share. It is, nevertheless, very much a "cold war" between US and EU on the data protection front. And, as was anticipated, it is now entering into the realm of cloud computing law.
Before I delve into the ruling, I need to explain some concepts that I haven't put out here before. First, is that each member country of the EU has their own Data Protection Administration (DPA) that governs and rules over the access and permission to access private, individual data. In 1998, EU issued the European Directive on Data Protection that, among other things, prohibits the transfer of personal data to non-EU countries unless they haven't met the EU "adequacy" standards to protect the data. This directive actually causes great consternation in business as well as the litigation arena, privacy litigation or otherwise, because it limits what a U.S. defendant can legitimately produce. In a country where discovery in a lawsuit is often viewed as a fishing expedition in which one drains the lake and simply picks the fish up off the bottom, this limitation on access to data has caused and is causing businesses sleepless nights and making lawyers rich. Enter the U.S. Safe Harbor framework. This is essentially a compliance mechanism devised (supposedly) through joint efforts between the U.S. and EU that businesses can opt into by self-certifying that they comply. The main areas of focus are transfer of data, notice to the data holder, transfer to third-parties, access to data, security measures, and data integrity. If a business properly complies with this self-certification they will be deemed "adequate".
I know you've read all of this and said "What does any of this have to do with cloud computing law, you dolt!". To which I would reply, "ouch" and then go on to explain that yesterday, Germany's DPA made a ruling on the use of cloud computing and the implications to the European Directive. Most importantly, the DPA determined that clouds located outside the EU are per se unlawful, even if the EU has issued an adequacy decision in favor of the foreign country. Thus, if your cloud is based anywhere other than the EU, it is unlawful to store private EU data there (and in case your curious, everything is private data in the EU's eyes). Of course, the decision goes on to state that you can avoid this result if you apply German rules on data processing and using the EU-approved model contract for controller-processor data transfers. Basically, if you want to follow our rules and use our contract, you can do it.
What is even more interesting is that the DPA determined that the U.S. Safe Harbor is not adequate to protect information in the cloud. Thus, these companies that go through the self-certification process, still can't host cloud data (sorry Google). The reasoning is that even though one entity may have self-certified, the inherent nature of the cloud is that data is accessible to third-parties and those parties are not adequate.
This leaves the ultimate question of "what does this mean for cloud computing" The obvious answer is that it will force companies that want to utilize the cloud to either (a) adopt the EU rules and contracts or (b) enter a binding corporate rule that complies with the EU rules (which is another option the German DPA suggested). This will, ultimately, increase the costs associated with using the cloud and will likely have a cooling effect on pushes on that front. OF course, the developments that I will be watching from the cheap seats as an technology lawyer is what response the U.S. takes. Will it rely on businesses to police themselves and comply as they choose or will it try to enforce rules to keep the Safe Harbor alive. And, if Germany makes this type of ruling on the cloud now, essentially obliterating the Safe Harbor Framework, can Safe Harbor survive? Or more importantly, should Safe Harbor survive?
Your friendly neighborhood technology counsel here: A couple of recent state court decisions are going to start personal injury attorneys frothing at the mouth, and might render some sleepless nights for defense attorneys. Both Ohio and Florida recently issued opinions in which they applied their state's respective long-arm statutes to garner personal jurisdiction over an out-of-state resident for tortious conduct that transpired over the Internet.
First, you need to know what a long-arm statute is. Essentially, it is a mechanism by which a state can obtain jurisdiction over an out-of-state resident for activities or actions undertaken that are related to an in-state resident or citizen. Without boring you with the legal details, they stem from the concepts of full faith and credit and due process and require a minimum amount of contact within the state to trigger. And, they have posed a pickle in Internet litigation because the Web allows access from out-of-state residents without actual presence or contact. At least that was the case until recently.
In Internet Solutions Corporation v. Marshall, the Florida Supreme Court, addressing a certified question from the Eleventh Circuit, determined that exercising jurisdiction over an out-of-state resident under Florida's long-arm statute did not violate due process. The basic facts are that Marshall ran a website based out of Washington, where she is a resident. She had no contact with Florida other than a short business related trip several years ago. However, she wrote a blog about a Florida based company and then she and some other posters trashed them online in the comment section. The Florida-based company sued for defamation in federal court under a diversity action (action between two citizens of different states). The district court found no personal jurisdiction and the Eleventh Circuit certified the question to the Florida Supreme Court. The Florida Supreme Court looked at two main analysis points: (1) whether the complaint alleged sufficient jurisdictional facts to being the action within the ambit of the statute, and (2) whether sufficient minimum contacts are demonstrated to satisfy due process requirements. The Court determined that both were satisfied. An interesting analysis point is that the Court reasoned that the long-arm statute had been applied to telephonic, electronic or written communications in the past and that the Internet is an extension of those rulings. Overall, it is a well-reasoned opinion applying a standard long-arm statute to the Internet.
Similarly, in Kauffman Racing Equipment, LLC v. Roberts, the Ohio Court of Appeals reached a similar conclusion when determining if an out-of-state residents comments over an Internet blog about an in-state plaintiff can be grounds for jurisdiction over the out-of-state resident in a defamation action. The Court utilized the same general analysis as in Marshall.
The obvious implications to Internet litigation of these opinions are pretty substantial. Until now, suing for tortious actions done over the Internet has been difficult because of those pesky due process minimum contacts, but that is slowly changing. These cases are a framework for an enterprising personal injury lawyer to sue someone that has never set foot in their state for tortious activities on the Web. And, right now we are only talking about defamation, but why wouldn't it extend to other torts. What about tortious interference with a business relationship, intentional infliction of emotion distress, and assault, to name a few. This is going to change the face of Internet litigation. We are going to see more lawsuits based on this. And, further, you, as a business owner, will need to be aware of what you are putting out on the cyberspace. You may be inadvertently exposing yourself.
And think of the other areas of technology litigation that this can be tied into. Two of the most predominant to me are privacy litigation and cloud computing law. Imagine that I have posted private information about you on the Internet in contravention to the law. We've never met and I've never been in your state, but the Internet has. Under these holdings, I can be hauled into the courtroom to address my actions. Or I've placed something into the cloud that doesn't belong. I've now exposed myself to multiple jurisdictions depending on to whom I have shown the material.
The ramifications are mind-numbing, but we'll see what other states start jumping on board. As I've always said, technology litigation and Internet litigation is in its infancy and we are going to see wide-spread changes from court's making decisions at the federal and state court level. It should be fun.
Be prepared: I'm going to get on a bit of a soapbox. I read a recent article at WSJ.com entitled "Using Social Networking as Legal Tool" (
Linked Below). There is nothing wrong with this article. It very succinctly and pleasantly explains how certain law firms are using social networking and the Web to find clients for high-value plaintiff cases. And I don't disagree with that approach. As an attorney posting on a blog, I too hope to use social networking to get business, and would be foolish to argue otherwise. Thus, I cannot fault the firms employing such tactics. And I am glad that a more "mainstream" press outlet would pick up a story of this nature; highlighting the use of technology by lawyers.
The fault that I find, and what, frankly, irks me, is that this article gives no credence to the more innovative aspects of technological use that are gaining hold in the legal community. The article highlights the practice of "ambulance chasing" for the 21st Century. But there is so much more happening in the cyberworld. Legal scholars like Eric Goldman are posting daily with the new and interesting ways that technology litigation and cyberlaw are being explored. Courts are posting their opinions on-line to further the pursuit of knowledge by the populace. Courts and communities are moving to on-line activity such as filing and case work to speed up the legal process and reduce our environmental impact. Technology legal counsel throughout the world are espousing the virtues and pitfalls of cyberlaw. Property rights are being generated in virtual worlds. Privacy litigation is defining what can and cannot be exposed in the real and virtual worlds. Software litigation is defining what can and cannot be done with these wonderful bits and bytes of information. Cloud computing law is going to dominate the future courtrooms of the world as more and more data is put into the cloud. All of these things are happening now.
Our world is becoming a smaller place as we all become more connected, and lawyers are at the forefront of those debates and discussions. Yes, I think it is very interesting that Law Firm X has 25 people on staff twittering and establishing domain names so that sufferers of acute hypersensitivity can find a law firm willing to represent them. PLEASE don't misunderstand me because I believe that allowing those people to easily find representation IS IMPORTANT. But it is not the only thing that is happening out there in the cyber-ether. Instead of focusing on the new and novel way that lawyers are getting business, let's shine light on how those in the legal community are using the Web to define, explain and expand our world.
WSJ article: (
online.wsj.com/article/SB10001424052748704324304575306581598351428.html
I'm going to cheat a little on this. I read a great blog post by Jeff Ready over at the McStartup blog (www.mcstartup.com). The blog post is all about the importance of radical innovation. I have a place in my heart for radical innovation because I believe that in the legal community, we are the radical innovators. ACH strives after its goal to be an information technology law firm, a venture capital law firm and a business law firm, but we go about it in a way that is radical to many other attorneys, because we are business-minded first and we are looking at the areas of business that others are overlooking. So, rather than re-capsulate Jeff's thoughts, here they are in full quoted glory:
The Art of Radical Innovation
Following up on my post about Tom Mason and Rose-Hulman, I wanted to touch on something that Tom is a big believer in and used as the focus of his retirement speech: radical innovation.Radically innovation refers to that type of innovation so powerful and different that it can completely change the profession, institution, industry, business, or person in one fell swoop. Thinking about how radical innovations come about and how they impact the world around us is a favorite subject of Tom.
I bring it up here, because I believe that radical innovation is the key to success in whatever you do – and not just radical innovation, but, as Tom puts it, “continuous radical innovation” – the constant search for those things that will turn your world on its head.
It is true that most businesses are looking to innovate, but to think about radical innovation really changes the way you view things. It’s very different from thinking about “constant innovation” or “continuous improvement” which is the mantra of many businesses today. As Tom quipped during his speech, “General Motors followed the mantra of continuous improvement all the way into bankruptcy.”
Put another way, and to borrow from the world of academia, continuous improvement gets college campuses wired, installs the latest lab environments in the buildings, and creates a campus environment more rewarding for the students. Radical innovation moves the entire university experience online and does away with the campus altogether.
Continuous improvement puts shocks on your carriage. Radical innovation replaces the horse with an engine. Continuous improvement accelerates the reload speed and accuracy of your rifle. Radical innovation gives you a machine gun. You get the idea.
The challenge is to continuously seek the radical innovations in your business – to look for and to go after the very technologies that, if developed elsewhere, would bring a swift and painful end to your business. In the mean time, of course you need to look for ways to improve your business, your products, and your practices. However, time and resources need to be spent going after the radical, not just the better.
This probably sounds a lot easier than it is. Radically innovation is an unpredictable, expensive, and messy business. With limited resources, the temptation will always be to direct those resources toward the projects that will have the most immediate and predictable impact. Just as you would imagine the mad scientist to find himself surrounded by doubters (right up until the invention actually works), you’ll find that investors, employees, partners, and competitors will view resources directed to these “rogue projects” as wasteful, silly, and distracting.
Thus is the challenge of going after radical innovation within an ongoing enterprise. The near term benefit sits squarely on the opposite, and in a world of business that’s often driven by quarterly numbers, high rates of employee turnover and movement, and a desire for immediate satisfaction, it can be extremely difficult to manage the balance of resources between what is today’s reality, and what might change that reality.
The pressure will be on improving today’s reality. But if you’re not careful, you’ll have the world’s greatest carriage company – right up until Henry Ford hands you your lunch – just ask GM.
Every once in awhile, I have the inkling to make a blog post that is not about developments in privacy litigation or technology litigation or cloud computing law or foreclosures or any of the other endless stream of ideas and legal thoughts that pass across my desk. This is one of those times. Because, while I think it is important for our readers to know that Mexico passed a new data privacy law or that litigation related to CAN SPAM is likely a rising field, I think it is equally important for our readers and clients to gain insight into the psyche of Alerding Castor Hewitt, LLP as it is viewed through the eyes of this humble writer. Thus the question: Who are Alerding Castor Hewitt, LLP.
First, I must note that I intentionally chose the plural tense in that question because, although I agree that Alerding Castor Hewitt, LLP is an entity that could be viewed as a singular, I fully believe that we are made of the people that permeate this place. Thus, we are a plural. Second, if what you are looking for is our resumes and the curriculum vitae of these Indiana technology counsel, you can check them out on our webpage.
Rather, I intend to discuss who we are in such a way that our readers and clients can relate to the ideals for which we stand. We are the rogues. We are the fighters. We are the fixers. We are the counselors. To a person, the attorneys at ACH are products of years of experience. We have all trudged through the mud of the legal profession in other locales before coming to this place. Which, inevitably, leads to the question of "why here?"
The answer to that simple question is that because here we can be what our clients need. We can be entrepreneurs. We can be fighters. We can truly embody the idea of counselor that so many of us sought when we went to law school in the first place.
Does that mean that I always give my clients the advise that they want to hear? No. My job, and the job of any great attorney, is to give the advise that is warranted in the situation. ACH not only gives its attorneys the ability to do that, but rather encourages it. I can honestly say that I have practiced from the biggest of big to the smallest of small, in the private sector and the public sector, and there is no place that I would rather practice law. I have told colleagues that ask me about ACH that I practice law in a way that every attorney wants to practice when they are honest with themselves as to what they want out of their profession.
This place is filled to the brim with spirit, humor, knowledge, and skill. And I think there are two quotes that best answer the question of Who are Alerding Castor Hewitt, LLP. The first is from Ulysses S. Grant. In a speech in London, Grant stated "Although a soldier by profession, I have never felt any sort of fondness for war, and I have never advocated it, except as a means of peace." The second is from Ode by Arthur William Edgar O'Shaughnessy, but was made famous (in my opinion) by Gene Wilder in Willy Wonka and the Chocolate Factory: "We are the music makers, And we are the dreamers of dreams."
China has enacted the "Interim Administrative Measures on Internet-based Transactions of Goods and Related Services" that will take effect on July 1, 2010. This regulations should have a significant impact on e-commerce in China. One can only assume that it will also impact Software Service Level Agreements, SaaS law, and cloud computing law. The regulations appear to be focused on Business - to-Consumer issues and consumer-to-consumer activities, but the actual language of the regulation is pretty broad. There are quite a few requirements related to form, contracts, issuing receipts, collection and treatment of information, record retention, etc.
The main thrust of the regulation is to aimed at C2C platforms like taobao and E-Bay. These platforms will need to verify vendor information as being a real name with real contact details. It also push individuals to establish companies and obtain business licenses.
The impact that this regulation is likely to have on U.S. e-commerce or U.S. Business in general is likely nominal. However, it does illustrate a trend toward regulation. Luckily for me, more regulation means more work for yours truly.
Your friendly neighborhood technology counsel here: So, Mexico recently passed a new data protection law. On April 27, 2010, Mexico passed the Federal Law for the Protection of Personal data, which is likely to be signed into law by the President in the near future. This law not only allows for a mind-boggling $1.5 million penalty for violation, but it also applies to the private sector. Private and public entities will need to protect themselves from privacy litigation.
This law is much akin to the EU's data privacy laws. Meaning, among other things, that scope of the law is extremely broad. Additionally, all data is included, but certain types of data are given greater protection. This Sensitive Personal Data includes: "In particular, consider those that may reveal sensitive issues such as racial or ethnic origin, health status, present and future, genetic information, religious, philosophical and moral, union membership, political views, sexual preference." (translated from the Bill). The dissemination of any information that contains this sensitive data will require written consent from the owner of the data, the individual.
Now the $1.5 million question: What does this mean for my business? The simple answer is: Potentially alot. In the world of e-discovery and privacy litigation,this issue has already begun to rear its head in the context of the EU's data privacy law. With the number of American manufacturers and companies with a presence and facilities in Mexico, this type of broad legislation could result in the expenditure of millions of compliance dollars to craft protocols and document retention issues. Think of the billions of e-mails that must run through a Fortune 500 company. Now think about how many of those e-mails contain some amount of information that fits within the category I described above. To disseminate that information, each individual has to be contacted and give written consent. Like I said, mind-boggling.
Obviously, society is walking a thin line between protection of information and the availability of information for legitimate purposes. Privacy litigation both here and abroad is going to shape the breadth and direction of that line. And then, when we think we have a handle on it all, we'll start talking about what we are going to do under cloud computing law for that data that is stuck firmly in the cloud.
Your friendly neighborhood technology counsel here: As you likely know, my goal is to become THE Indiana technology lawyer; however, technology is not my only area of interest. Like many of the folks at Alerding Castor Hewitt, technology law is a passion, but we all strive to be a full service law firm for all businesses. Thus, in addition to tech stuff, I also litigate matters for several banking and business clients. And, as any good lawyer does, when I see changes in the law that may impact my clients, I want to shout it from the rooftops. One such change that, to date, has gone largely unheralded is an amendment passed to the Indiana "Get Hope. Get Help" statute (Ind. Code 32-30-10.5-8).
For those that don't know, this provision, enacted originally in 2009, requires a lender to send a written notice to a mortgage holder regarding their default and options to avoid foreclosure before the lender can proceed with a foreclosure suit. The intended purpose of the law is to avoid unnecessary foreclosure of residential properties by "requiring early contact and communications among creditors, agents and debtors" and "facilitating the modification of residential mortgages in appropriate circumstances." This is debtor safeguard that lenders have to navigate before they can foreclose on a property. The letter itself has a large "GET HOPE. GET HELP" header, hence the nomenclature.
The new provisions amended to the statute in the 2010 session clarify that any time before a sheriff's sale, a debtor can do one of three things with the property. They can: (1) appeal a finding of abandonment; (2) redeem the real estates; or (3) retain possession of the property until the sale. These three things already existed in Indiana law, but are now more clearly set out and obvious. The goal is clearly to make the options abundantly clear to all involved.
To me the more important change is the requirement that the applicable notice prescribed by the statute must be in 14 point font. The necessary language is "Mortgage foreclosure is a complex process. People may approach you about "saving" your home. You should be careful about any such promises. There are government agencies and non-profit organizations you may contact for helpful information about the foreclosure process. For the name and telephone number of an organization near you, please call the Indiana Foreclosure Prevention Network".
So, all you lenders out there heed the warning of the new statute. There are procedures that you must follow before you can even get to a court room. While I understand the reasoning behind these provisions, they are certainly something about which lenders should be aware. The foreclosure process is a necessarily lengthy one, and you don't want to unnecessarily extend that by using the wrong size font.
I must take a moment to open with a caveat. The study of privacy and hence privacy law or privacy litigation is an analysis that spans centuries. In fact, while it seems like privacy issues have only recently come to the forefront with the advent of technology, they have, in fact, been prevalent in ever major level of recorded history. I put this point out there to help you recognize that there are books and books addressing the issues of privacy and my little foray into the issue is but a nail-scratch on the surface of a very large issue. Nevertheless, I would be remiss in my role as an Indiana technology lawyer if I didn't delve into the issue at least from an overview perspective. Now, onto the bigger (and better) question of "what the heck is it?". There are, in my humble opinion, four basic approaches to this question: (1) academically; (2) legally; (3) structurally; and (4) realistically. I will address each approach separately.
Academic Perspective: In the simplest of academic terms, privacy law is the method and mechanism of protecting the private matters or interests of the citizen. This definition leads to the ultimate issue from the scholarly perspective of what is privacy. The debate over that simple term, however, has raged for years and encompasses an extremely wide umbrella of ideas. From a political perspective, privacy is that sphere of information that wholly belongs to the individual and is unnecessary for the overall governmental function. Aristotle believed that there were two spheres. The first is the public sphere and in this sphere is the information necessary to govern the polis or city-state. The other sphere is the individual sphere in which each person has the information and matters pertinent to only themselves. It does not impact the polis and is solely private, but must exist to ensure the welfare of the entirety. Later, John Lock would address the issue by theorizing that the inherent state of man (the state of nature) is one in which they all have equal right to their self. It is this act of giving up some of these rights to the greater body that leads, according to Locke, to the development of organized government.
Anthropologically, privacy are those matters that we keep from the community at large. Anthropologists have found that even in social settings where there is very little physical privacy, the members of that society will act to protect their own privacy in other matters (i.e. hiding feelings, averting eyes, etc) to maintain some level of intimacy and ultimately, individuality. And this doesn't even get into philosophically, economically, medically, or any other - ly of which we may think. As you can see, the academic perspective is somewhat scattered, but the overarching theme is that privacy (and subsequently privacy law) is the component of self that is maintained to establish and maintain the individual.
Legal Perspective: From the legal perspective, privacy law is the protection of information related to the person. There are two basic types of legal perspective. The first is the protection of private information from a constitutional perspective. This is the basic premise behind the Fourth Amendment. The idea that citizens are free from the government simply prying into their business is fundamental to American jurisprudence. It is also a fundamental difference between the United States and other countries that has led to some very interesting debates related to privacy, but we'll cover that more in Part 2. From a constitutional standpoint, privacy is the protection of the individual from the invasion of the government without a reason. The other legal perspective is the protection of information from the tort perspective. These are the private causes of actions that relate to the invasion of privacy and lead to the majority of the privacy litigation that we see today. Questions such as: can my employer look at my e-mails; can my insurance company see my health records; can this website give my address to the cyberworld. These questions are the bread and butter of the tort perspective. And, frankly, are the most important to my clients. But overall, the legal perspective of privacy is, like the academic perspective, focused on the establishment and maintenance of barriers between individuals.
Structural Perspective: What I'm calling the structural perspective is actually the most amorphous perspective that I've made up. It is deals with the components and subparts that make up privacy law because the parts make up the whole. But, the components of privacy law are as widely varied as the other definitions. There is a component for protecting information about one's health. There is a component for protecting those activities that one engages in in their home. There is a component for protecting the contents of one's vehicle or property. There is a component for protecting one's personal contact information. There is a component for protecting one's financial information. The list goes on. Needless to say, from a structural perspective, privacy law is the protection of that information that is necessary and pertinent to our identity, well-being, and overarching individuality.
Realistic Perspective: Finally, we get to the perspective that is most likely to impact our individual lives. For the individual, privacy law realistically means those steps and actions that one must take or protect to ensure that information pertinent to your well-being is protected from dissemination to parties without legitimate interest in the information. Whether this is monitoring against identity theft or moving to quash a subpoena that seeks information in violation of HIPAA. These are the steps that have to be done to protect your individual information. For the business, privacy law realistically means the steps and actions that must be undertaken to protect against the dissemination of information related to either my clients, my products, or my business perspectives. This is important both from a regulatory approach and a litigation approach. Both individuals and businesses need to know (a) what information is protected and (b) how to protect it. These are the fundamental realistic questions to be answered.
So, in conclusion, privacy law is an enigma wrapped in a riddle. We know we need it, but aren't always a hundred percent sure what it is. It is rooted in our mythos and theory. It is part of the underpinnings of society, both American and human in general. And, the more connected we get, the more important it becomes. In Part 3, I'll take a look at some of the major legal precedents on the issues of privacy law and litigation. Stay tuned.
Your friendly neighborhood technology lawyer here: Clients and colleagues often ask me to explain what I mean when I say "technology litigation". And, to be frank, that term is really composed of several different subsets of the law. One such subset is privacy law. Over the next several blog posts, I will provide a general overview of privacy law and privacy litigation to arm you, my humble reader, with the knowledge to assist your company (as well impress your friends at parties).
The Parts: My analysis will address the following questions:
- What is Privacy Law: This part will focus on the academic, legislative and practical definitions of privacy law, as well as its general subparts / components
- What is the current state of the law: In this subsection, I will focus on the various statutory schemes and case law that has developed related to the privacy law. I will also highlight the current black-letter legal principles at play in privacy litigation.
- What does it mean for your business: The third substantive subsection will focus on the implications of privacy law to the general business. It will focus on: (1) regulatory compliance; (2) protection and use of your own data; (3) protection and use of your client's data; and (4) the implications of privacy laws on litigation a business may face.
- What will the future hold: In the final subsection, I will focus on the future of privacy law. In particular, I will look at the current and future issues revolving around the different approaches to privacy take by the United States and the European Union. I will also look at the implications on privacy law of advanced technology and the increased use of social media.
Why it matters:
Perhaps, however, the most important question to be address is: why does privacy law matter to me? The succinct answer is that any business or business owner seeking to profit in the 21st Century must have, at the very least, an elementary level grasp of privacy law because governments throughout the world will demand compliance with an expanding set of legislative and precedential authority. It is this level of education that I plan to provide over the next few blog posts.
So, stay tuned.
Your friendly neighborhood technology counsel here: The Indiana Supreme Court recently discussed the ability of a lay witness to provide "expert" opinions in Sibbing v. Cave, 922 N.E.2d 594 (Ind. 2010). In that case, counsel asked the plaintiff what she believed caused her pain. She responded something to the effect of "the bulging disc in my lower back", and the opposing party objected based on a lack of expert foundation. The basic argument to the trial court was that this lay person cannot provide a medical diagnosis of what caused her pain because she wasn't an expert. The Supreme Court, upholding the trial court, found that a recitation of one's personal belief regarding a fact (in this case, the source of her pain) was within the scope of Indiana Evidence Rule 701.
I can read your minds at this point of my blog. You are thinking, "What in the heck does this have to do with technology litigation, SaaS litigation, software litigation, or any of the stuff that you normally discuss?" The important point of this case is that it can be used to get to "expert" type opinions from a lay person. This is important in tech lit because most of our technology clients have some knowledge as to the x's and o's of what is happening behind the scenes of a given situation or product, but they don't necessarily have enough expertise to survive a full-blown Daubert challenge to their status as an expert. Using Sibbing, a tech litigator (i.e. me) can now ask the straight forward question of "why do you think the widget broke" or "how do you think this SaaS agreement harms your company" or "what do you think your damages are" and allow our clients to spout their opinions, and in the face of a challenge, cite this precedential case. As you can imagine, the potential of this ruling is huge.
Additionally, for those really interested in law-dorking out [yes, I made up that word, so what], there is also a good analysis in Sibbing of the use of the medical diagnosis exception to the hearsay rule found in IRE 803(4) that distinguishes the previously held standard set forth in Coffey v. Coffey, 649 N.E.2d 1074. Not overly important in tech lit, but a good read for any litigator.
Your friendly neighborhood technology lawyer here: As you know, I'm a bit of a technophile and I've been watching the iPad craze with interest. There are other similar products that will be inundating the market in the near future (HP Slate and the one that I'm watching with anticipation, Notion Ink's Adam). As I watch, I've come to the conclusion that tablet computers are the future of litigation, whether you're talking privacy litigation, SaaS litigation, personal injury litigation, or commercial litigation. The reality of this technology is that it will allow a lawyer to have his library in his briefcase. I envision the ability to look up a treatise and show it to the judge from the comfort of my tablet, and if necessary, hook up to the wireless and look up the case law needed to win my case. Additionally, as more files go paperless and data is maintained only in an electronic form, the tablet computer will permit entire files to be carried with you. I'm not putting my trial case on mothballs just yet, but I do like to see technology changing the way we practice law. The wise counsel will allow technology to assist them in their practice to allow them to provide the best representation they can.
Powered by Compendium Blogware