IP Law Blog

By: Audrey Millemann and Etan Zaitsu

The federal Stored Communications Act (SCA) of 1986 was established in an attempt to give Fourth Amendment-type privacy protections to people for their Internet communications. In other words, Congress sought to protect people’s Internet privacy from warrantless intrusion.

By: Jeffrey Pietsch and Etan Zaitsu, second year law student at McGeorge School of Law

Thinking of running a smear campaign against a business competitor? Thinking of posting disparaging content about someone anonymously online? Think again. According to a decision made by the Ninth Circuit on July 12, 2010, anonymous online postings may not qualify as protected speech under the First Amendment.

by Dale C. Campbell, David Muradyan* and Sara Davidson*

Is the work product of an attorney always protected? No, according to the First Circuit in a decision which may draw the attention of the U. S. Supreme Court. The First Circuit, sitting en banc (the “Court”) ruled that the attorney work product doctrine did not protect tax accrual work papers prepared by in-house attorneys to support defendant Textron Inc.’s (“Textron”) calculation of tax reserves. United States v. Textron Inc., 577 F.3d 21 (1st Cir. 2009). Practitioners, especially in-house counsel, need to be aware of this decision and determine whether it influences how they practice.

by Scott Hervey

A ruling earlier this month by the Ninth Circuit provided three guidelines all marketing experts and their counsel should take note of.   These guidelines address the extent to which the Telephone Consumer Protection Act (“TCPA”) (and most likely other Federal regulations on telemarketing) impacts texting as part of a marketing campaign. 

In the case at issue, Simon & Schuster hired a third party to manage the promotional campaign for a new Stephen King book, including securing a list of 100,000 cell phone numbers from the licensing agent for Nextones. Nextones offers consumers free cell phone ring tones in exchange for the consumer providing various information, including a cell phone number, and agreeing to receive promotions from Nextone, its “affiliates and brands.”

By Dale Campbell

When can you knowingly republish defamatory statements without risk of liability? When you do so on the Internet. 

The California Supreme Court, in Barrett v. Rosenthal (November 2006) 40 Cal.App.4^th 33, followed the line of federal cases interpreting the Communications Decency Act of 1996 (CDA) to find broad immunity for both Internet service providers and users of an interactive computer service for republishing defamatory statements. 

By James Kachmar

          A California appellate court affirmed last month that an employer is entitled to immunity from tort liability for threatening emails sent on or through the employer’s internet/email system by one of its employees. On December 14, 2006, the Sixth Appellate District in the case Delfino v. Agilent Technologies, Inc., 2006 WL3635399, affirmed summary judgment in Agilent’s favor finding that Agilent, as an employer, was immune from tort liability under the Communications Decency Act of 1996 (“CDA”) for threatening emails sent and posted by one of its employees. This case, apparently one of first impression, extended the immunity protections of the CDA to cover corporate employers who provide their employees with internet access through internal computer systems. Employers thus have additional protection from claims that their employees have used the employer’s computer system to commit torts against third persons.

By Scott Cameron

Here's the next step Big Brother is taking toward an Orwellian 1984: Your cellular telephone can pinpoint your location any time it's turned on. That's right. Any time your cell phone is turned on and within range of a cellular tower, it is communicating with that tower to broadcast your location. It has to. Otherwise you couldn't get your incoming calls. Federal law enforcement agencies have figured this out, and if you are someone a federal law enforcement agency is looking for, they are using that to track you.

By Scott Cameron

It was just a simple discovery tool, used by the Department of Justice in defense of a lawsuit brought by the American Civil Liberties Union. It hasn't gotten much attention. In fact, for several months, it got no attention at all. But it's starting to. So, what is "it?"

On August 25, 2005, Alberto Gonzales, U.S. Attorney General, issued a subpoena to Google, Inc., the online search engine used by millions every day to navigate the Internet. In this subpoena, the Attorney General demanded that Google, who was not a party in the case, produce "1. All URL's that are available to be located through a query on your company's search engine as of July 31, 2005," and "2. All queries that have been entered on your company's search engine between June 1, 2005, and July 31, 2005." In essence, the Department of Justice was asking Google to produce the Internet, and a list of all searches on the Internet for two months.

By Scott Hervey

Businesses own and acquire vast amounts of valuable consumer data; they stockpile this information on networked servers and exchange it with affiliates or third parties subscribers.#160 Recently, national and state regulators have focused on how businesses manage this data.#160 In the wake of the large scale identity thefts from ChoicePoint, Inc. and Bank of America Corp. these issues are now under a white hot light.#160 Businesses and their counsel should pay attention to how consumer data is collected and managed, and how security breaches are responded to.#160 This is not a task for the IT department to handle on their own; corporate counsel needs to be involved.

Federal and State Regulations

There are a number of Federal regulations that address the protection of electronic data.#160 The Sarbanes-Oxley Act, a federal law implemented to address corporate fraud, requires that companies establish and implement "internal control" procedures that provide reasonable assurance to prevent or allow for the timely detection of unauthorized acquisition, use or disposition of company assets that could have a material effect on the financial statements.#160

The recent ChoicePoint situation exemplifies how data loss or theft can have a material effect on a company's financial statements.#160 The Chicago Tribune (March 14, 2005) reports that ChoicePoint Inc. is suspending sales of consumer information to small businesses in the wake of the security breach that allowed hackers to take personal information of about 145,000 people. The Tribune reported Chief Executive Derek Smith as stating that the decision to halt sales to small businesses follows "the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them."#160 According to the Tribune, ChoicePoint's 17,000 small-business customers accounted for about 5 percent of its annual revenue of $900 million. As a result of suspending sales to them, ChoicePoint said it expects a decline in revenue this year of $15 million to $20 million.

In addition to Sarbanes, several federal agencies have issued data management regulations to the financial industry in connection with the implementation of the Gramm-Leach-Bliley Act (GLB).#160 These agencies include the Federal Trade Commission (the Safeguard Rules), and the Treasury Department (Interagency Safety and Soundness security guidelines).#160 Generally, the regulations mandate that regulated companies institute processes for responding to data intrusion and that they be consistent with the best practices and part of an overall information security plan.#160

The healthcare area has nearly identical statutory requirements under the Health Insurance Portability and Accountability Act (HIPPA).#160 The HIPPA guidelines specifically require that "documenting and reporting incidents, as well as responding to incidents, are an integral part of a security program."

California Goes Further

Although Sarbanes, HIPPA and the GLB contend that companies should have data management and control processes in place and that these processes should reflect "best practices," they do not give any guidance on what the processes should entail.#160 #160The state of California recently implemented legislation that, in the wake of recent events, appears to provide this element.#160 (In support of the proposition that California's data security laws establish the minimum requirements for internal control processes,#160 California Senator Dianne Feinstein, in response to the ChoicePoint situation, introduced a bill that is similar to California's Data Security Law (AB 1950)).

AB 1950, California's Data Security Act, was enacted on September 29, 2004.#160 This new law applies to companies that own or license unencrypted personal information about California residents and it requires these companies to "implement and maintain reasonable security procedures and practices for that data."#160 #160 The law applies to companies located both inside the state and out (and possibly outside of the U.S.); the jurisdictional nexus is the ownership or possession of a Californian's "personal information."#160 The "personal information" which, if owned or licensed, triggers compliance with this new law is: name and Social Security number; drivers license number; financial account information; medical information; and other private information.#160

The Act also requires companies that disclose the above personal information to vendors or other non-affiliated third parties require by contract the third parties implement and maintain reasonable security procedures and practices that are "appropriate to the nature of the information" provided, and protect the information from unauthorized access, destruction, use, modification or disclosure.#160 Obviously, any business affected by California's Data Security Act that discloses personal information to non-affiliated third parties should also include other provisions, including but not limited to an indemnity provision, in their contracts.

The crux of the Act revolves around providing California residents with notice of a breach in the security of the database in which their personal information is housed.#160 The Act requires companies to#160 disclose any breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.#160 The section also provides that "any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

In addition to data security, California also regulates the way in which certain information belonging to a Californian can be used.#160 As part of the Data Security Act, California has implemented restrictions on the use of certain information in direct marketing.#160 If a business discloses "personal information" to third parties, and knows or reasonably should know that the third parties used the personal information for the third parties' direct marketing purposes, then the business is under certain document retention and disclosure requirements.#160 The disclosure requirements include establishing a mailing address, electronic mail address, or a toll-free telephone or facsimile number where customers may request (and businesses must provide ) a written list of the categories of personal information disclosed by the business to third parties for the third parties' direct marketing purposes during the immediately preceding calendar year, as well as the names and addresses of all of the third parties that received personal information from the business for the third party's direct marketing purposes during the preceding calendar year.

What qualifies as "personal information" triggering the above disclosure requirements?#160 It is the following: name and address; electronic mail address; age or date of birth; names of children; electronic mail or other addresses of children; number of children; the age or gender of children; height; weight; race; religion; occupation; telephone number; education; political party affiliation; medical condition; drugs, therapies, or medical products or equipment used; the kind of product the customer purchased, leased, or rented; real property purchased, leased, or rented; the kind of service provided; social security number; bank account number; credit card number; debit card number; bank or investment account, debit card, or credit card balance. payment history; or information pertaining to the customer's creditworthiness, assets, income, or liabilities.

The law also requires companies to have a "Your Privacy Rights" section on its webpage and describe these rights to the user.#160 A company can't, as part of its "Terms of Use" or any other contract, require users to waive their rights.#160 Any such waiver is void as against public policy.#160 Any customer injured by a violation of the above provisions may bring a civil lawsuit and recover damages, as well as attorneys' fees and costs.

It's Time To Take Data Management Seriously

In addition to the above, a company has additional laws, rules and requirements it must meet in connection with the acquisition, management and use of consumer information.#160 The laws and regulations discussed above hardly scratch the surface.#160 Companies and their counsel are encouraged to take a hard look at data management protocols and take steps to come into compliance with existing Federal and State requirements.