A proposed new “Truth in Video Game Rating Act” (H.R. 5912) would require the Federal Trade Commission to promulgate rules prohibiting unfair and deceptive acts or practices by video game marketers, and would require ratings to be based on video or computer game content as a whole. It would also be a violation if any producer or maker of these games hid or grossly mischaracterized the content of the game. Joysticks ready?
For the record, privacy, data protection, information security and international law have officially converged with management, compliance and marketing. More than 30 U.S. states have now passed legislation in one form or another that requires businesses to notify consumers if an actual or potential breach of data security may lead to the compromise of personally identifiable information. This comes on the heels of several years of the government tightening its own policies regarding data security breaches and instances of compromised security.
Recently, the Office of Management & Budget, which oversees U.S. federal agencies, announced a tougher policy for government, requiring agencies to follow the security procedures checklist prepared by the National Institute of Standards and Technology (“NIST”) to protect data. An internal OMB memo recommends that data on mobile computers and devices carrying agency data be encrypted, and suggests two-factor authentication (one being separated from the actual computer obtaining access to the data).
As noted in prior issues of Legal Bytes, requirements and compliance obligations for commercial enterprises doing business across state lines and national boundaries vary, although many have common themes. If you are concerned—and you should be—contact us. We can help you sort out your current compliance obligations and help you keep track of the changing privacy and data protection landscape, both domestically and internationally. Even if you choose not to inject your views into the regulatory process, you must keep abreast of developments or risk action by consumers and regulators.
The Mobile Marketing Association has promulgated guidelines, now adopted by many leading wireless carriers and programming networks, to deal with the growing use of email, SMS (text messaging) and similar mechanisms in advertising and marketing. As you will recall, legal and regulatory actions have arisen based on the fact that some companies’ marketing practices fail to adequately disclose the charges, whether subscription or imposed by the wireless carriers, that apply to some of their services and, in some cases, to the advertisements and marketing messages themselves.
Wireless carriers are beginning to adopt content guidelines for what they will or will not transmit from content partners—regulating such things as sexually explicit, graphic violence, profanity, hate speech and other topics, words and images—in some cases including lengthy lists of “forbidden words.” CTIA, the wireless industry trade association, issued fairly broad content guidelines last November, but left the specific implementation to the individual carriers. Some carriers have carried this implementation to a level of detail that covers everything from games, music, images and video, and in some cases even governs the file names of anything downloaded or transmitted.
Wait until you wake up to the issues raised by transmission and posting of “user generated content.” As you may know, in addition to the FTC regulating advertising and certain content in the U.S., and on top of state laws, the Federal Communications Commission (“FCC”) has authority to regulate indecent content on television and radio, and the mobile phone as a media and entertainment device is no longer fiction, but fact in many cases. Did you know that our Advertising, Technology & Media Law group has significant experience in all these areas (Judith Harris for FCC and communications; Doug Wood for advertising and marketing; and, of course, any of us or me, if you simply can’t figure out where your need fits)?
Web-based videos, through links, feeds or user uploads, are generating significant legal and commercial interest these days. Advertisers are also quick to recognize the potential “buzz” marketing opportunities enabled by the use of the Internet and digital audiovisual technology. User-generated content draws consumers to websites, powerful magnets for advertising messages targeted to those consumers. But beware: Simply because a consumer creates the content doesn’t mean it is immune from standard legal tests for advertising, endorsements, publicity and product liability.
A lawsuit has recently been filed against one online video-sharing network—Veoh—alleging it allowed video works owned by an adult entertainment company to be viewed through Veoh’s website without authorization. The claims of copyright infringement could be an important test of how the courts view sites that enable sharing or feeds of audiovisual works. Although there are a growing number of popular user-generated content sites such as IFILM, YouTube, Guba, Yahoo! and Google, these sites often have very different policies and some, but not all, of them review user-generated content before it is posted—either to ensure it meets guidelines or to confirm that the user’s tags are accurate.
Earlier this month, the New York State Consumer Protection Board published an official warning about content available on Google Video, the new Google site for user-generated content. Because videos are uploaded by users, Google Video relies on tags (labels which describe the content) which are input and generated by the users. Since the content is not indexed or catalogued by Google, a search will turn up whatever the user submits—and that is what has irritated the New York authorities. As with many websites that allow user-generated content to be uploaded for viewing, Google warns users about uploading obscene or illegal material or items protected by copyright, but currently has no mechanism for filtering it out.
In a move widely viewed as adding an air of legitimacy to these sites, Warner Bros. agreed to allow Guba to distribute some of its television shows and motion pictures online. NBC is allegedly planning to make clips of some of its most popular programs available to YouTube to promote its fall programming lineup. NBC’s decision is reportedly coupled with advertising commitments for both companies in the broadcast television medium and on the Internet. That should come as no surprise since advertising is what is usually at the root of all of these revenue models—a fact that has not escaped broadcast network executives.
Also this month, a number of leading television production and motion picture companies joined forces in filing suit against Cablevision, one of the largest cable television companies in the United States. The action asks the U.S. District Court in New York to declare the time-shifting service Cablevision has announced, but not yet offered, in violation of U.S. copyright law. Cablevision has countered that time-shifting of programming by consumers is legal. Unlike an “on-demand” service which would record everything and replay programs when selected by the consumer, Cablevision intends to offer subscribers a specific amount of allocated storage space on the network. Analogous to an outsourced set-top box or digital video recording device that a consumer might purchase, Cablevision will offer consumers an opportunity to buy storage space and use it to record and play back programs and then erase them to free space for new programs—no different than if the storage medium was sitting in their living rooms. Stay tuned.
Just about a year ago, the Supreme Court in Grokster modified a decades-old ruling in the “Sony Betamax” case to remove the insulation automatically given to Internet service providers and hosting services when it can be shown that even with a substantial non-infringing use, a service condoned and encouraged (and made money) through illegal sharing of copyrighted materials. This month, a unanimous U.S. Supreme Court decided a case in favor of eBay which overturns decades of legal precedent favoring the issuance of injunctions as an automatic right granted to plaintiffs for patent infringement. The case involved eBay’s “buy-it-now” feature that permitted customers to buy items “now” without being involved in the auction process. Although the Supreme Court sent the case back to the lower court to ultimately determine if an injunction was or was not appropriate, the significance of the decision cannot be underestimated.
By way of background, when a lower court first held that eBay’s “buy-it-now” feature infringed two patents owned by Tom Woolston (founder of MercExchange), the court ordered eBay to pay damages (approximately $25 million), but did not issue an injunction. That court reasoned that since MercExchange was apparently willing to license its patents, an injunction was neither necessary nor appropriate. Unfortunately, the next court on the ladder upwards, the U.S. Appeals Court for the Federal Circuit, reversed that decision stating the “general rule” that injunctions must follow all infringement findings unless “exceptional circumstances” exist. Since an appeal was pending to the Supreme Court, the court held the injunction in abeyance awaiting the Supreme Court’s decision.
The Supreme Court, in a unanimous decision, held the lower courts did not properly evaluate the case under federal requirements. More importantly, language in the concurring opinion written by Justice Kennedy and signed by Justices Stevens, Souter and Breyer noted that courts must consider the broader implications of using injunctions because an “industry has developed in which firms use patents not as a basis for producing and selling goods but, instead, primarily for obtaining licensing fees,” and in those instances, “legal damages may well be sufficient to compensate for the infringement and an injunction may not serve the public interest.”
This language in the Supreme Court’s decision could deal a serious blow to companies that exist solely to engage in patent infringement litigation (so-called “patent trolls”) and who use the U.S. patent system to coerce lucrative settlements from companies who previously faced injunctions that threatened to shut down entire businesses. Hearken back to the RIM “Blackberry” litigation which recently settled. If the schedule had been a few months earlier, RIM could certainly have been much better positioned before choosing to settle for more than $600 million rather than face the possibility of an injunction shutting down (or certainly making life exceedingly difficult with work-arounds) an entire business.
The Supreme Court’s decision in the eBay case could lead to a higher threshold for injunctions, now that money damages are not automatically precluded (nor injunctions automatically issued) in adjudicating patent infringement cases. Some critics complain that the ruling creates the possibility that courts can become the arbiters of a damage-based compulsory licensing system, while advocates say the ruling will prevent companies from buying up patents and exploiting their litigation value, rather than the underlying invention itself—the basis for patent protection in the first place. Most analysts, however, agree on one thing—the likelihood that products subject to patent infringement actions will be threatened with automatic shut downs will start to decrease, increasing the leverage defendants have in any patent infringement suit to settle cases.
In Apple v. Does (a.k.a. O’Grady v. Superior Court) Apple Computer sought to find the sources of certain leaks and rumors relating to trade secrets associated with an Apple product. Apple wanted to compel an email provider and Web publishers to divulge the information and the California Court of Appeal said “no,” ruling that the Stored Communications Act (the “Act”) prohibits these kinds of civil discovery efforts and prohibits Apple from compelling disclosure of the identity of the Websites’ sources. Aside from the holding that such a subpoena is not enforceable under the plain meaning of the Act, a subpoena compelling the disclosure of unpublished information from these particular entities would be unenforceable because of shield protections afforded reporters in California and, under the facts presented to the court, trying to get at these particular sources is protected by a conditional constitutional privilege against compulsory disclosure of confidential sources. If all this sounds like a lot of legalese, the bottom line is that Apple was barred from obtaining this type of information.
In the news, yet more breaches of data security and the potential disclosure of personally identifiable, non-public information about you. From Wells Fargo to the Veterans Administration, breaches are becoming almost daily news. In response, more and more states are enacting breach disclosure laws requiring companies to notify consumers if there is an actual or potential breach of security compromising (or potentially compromising) your information. Even Congress is getting into the act of considering legislation at the national level. Although not all the definitions are uniform, nor are the requirements identical, most have common themes—but to understand what they are, how they affect you and what obligations you may have, you have to contact me, or you can simply wait for the next issue of Legal Bytes—stay tuned.
Although many people think the Trojan Horse story comes from Homer, the Iliad ends before Odysseus comes up with the famous deception and the Odyssey occurs after Troy has fallen. It is Virgil, the most famous poet of Ancient Rome, who wrote the Aeneid that actually fills the gap. In Book II, the priest Laocoon warns the Trojans not to accept a giant wooden horse placed outside the walls and gates of Troy: “Quidquid id est, timeo Danaos et dona ferentes”—which translates into “Whatever it is, I fear Dardanians [Greeks] even when they bring gifts.” While we have come to think of a “Trojan” Horse as a form of malicious code—a computer virus wrapped in a friendly cocoon—the “Trojan” Horse wasn’t really Trojan at all: it was a Greek horse figure filled with Greek fighters who deceived and overpowered the drunken Trojans who thought it was a gift. The English expression “beware of Greeks bearing gifts” is derived from Virgil’s Aeneid.
Deception is also at the heart of legislation regulating gift cards, gift certificates, e-cards, gift codes and similar instruments—we’ll call them all gift cards in this article. Essentially plastic or electronic prepaid or stored value cards, they can be purchased or obtained by one person, freely transferred or gifted to another, used in promotions, or used by the original purchaser. Years ago, prepaid phone cards adorned the walls of gas stations and retail outlets. Today, newsstands, retail stores and the Internet are filled with them—adorning walls, displays, check-out counters, e-greeting card websites and online digital music services.
Gift cards owe their origins to pieces of paper issued by merchants allowing one person to pre-purchase value that can be given to someone else as a gift and which they can then use at an establishment to purchase goods or services available from that merchant. When you engage in a transaction with a merchant at the point of sale, you are presumed to know (or you should be able to know) the terms and conditions that apply. While there are legal exceptions, a posted sign that says “no refunds, no exchanges—store credit only” is part of the bargain you make when buying from that retailer. But what about a gift? If I hand you a gift card, how will you know what restrictions or limitations apply…the Trojan Horse!
Not limited by geography, gift cards can be used virtually (pardon the pun) anywhere. Chain store near you? Buy a gift card for your nephew across the street or across the country. Know a teenager who loves rock and roll, but prefer not sending a check for $100 and hope they head for the CD rack? Send a gift card that enables downloads, CD or subscription purchases online.
For failing to preserve records, Morgan Stanley is paying $15 million to the SEC and a number of other regulators under an agreement reached with the SEC’s Division of Enforcement. Any such settlement requires approval of the Commission, however, and Morgan Stanley is still in settlement discussions with the NASD. If you recall, last year Morgan Stanley ended up paying $1.57 billion resulting from a lawsuit in which much of the attention was devoted not merely to its inability to produce documents, but also to the judge’s conclusion that Morgan Stanley’s conduct was knowing, in bad faith and deliberate.
The $15 million current fine, the highest ever imposed for a firm’s inability to retain and produce records, may have been the result of the SEC’s belief that a previously agreed-upon agreement relating to document retention was not being complied with.
Pennsylvania is among the most recent to enact an “information security breach notification” statute bringing the total to well over 30 in one form or another in just the past few years. In case you are keeping score, Pennsylvania’s law goes into effect in June of this year, while Montana and Rhode Island have breach notification statutes which become effective March 1. And you thought legislatures move at a snail’s pace!
Most state statutes relating to breach notifications apply to entities that conduct business in the state, have databases or information in the state, and/or have customers who reside in the state, but the Pennsylvania law also covers anyone that “destroys” records. As a general rule, “breach of security” is defined to mean any unauthorized access to personal information, and some state laws only cover “unencrypted” personal information—but not all state laws are consistent in their definitions and what constitutes covered information is defined in each statute. If you want to generalize, name, address, email and other similar non-public personally identifiable information, driver’s license, credit or financial account information, date of birth, and the like are almost always included within the definition.
When it comes to notification, in addition to the protected consumers involved, some states require notification to law enforcement, others require notification to the consumer reporting agencies, and some require all of these. Although states may differ slightly, one can learn some general themes from the common denominators that we see in most of them. First, on or about the time that notice is given, the integrity and confidentiality of the network, database or system whose security has been compromised, should be restored. As a general rule, the notice should be able to identify (or you should know) the cause and extent of the breach that has occurred and should include an indication of the steps that have been taken to prevent a repetition and the continuation of the breach that has been identified. In virtually all states, government officials (e.g., the Attorney General, federal and state law enforcement agencies) can defer or suspend the notification obligation if an investigation would be impaired by disclosing the information normally required in a notice.
Even the form of notice is specifically spelled out in most statutes. All of them provide for notice in writing, but also permit electronic communications if the consumer has elected to receive messages electronically, and some allow notice by phone. In addition, many states have enacted substitute notification rules that are triggered when the notice requirements affect a number of consumers or a dollar amount for sending notifications above a certain threshold, or if there is not enough information to send mail or an electronic message. That said, the substitute notification rules are often significantly more public and generally require email notification, posting on your website and notice to all major media (news, television, radio). In fact, at least one state requires that the cumulative total readership, viewing or listening audience be equal to or greater than a specified percentage of the total population of the state.
While we hope it never happens to you, simply reading the newspaper after ChoicePoint’s announcement on February 15, 2005, and a chronology of only those incidents that have been publicly reported, is frightening indeed. An ounce of prevention…well, you know the rest.