At least that’s what the FTC thinks. They charged BJ’s Wholesale Club with failing to maintain adequate computer security—it is the first time the FTC has used Section 5(a) (the section that says if you engage in an unfair or deceptive act or practice in or affecting commerce, it’s unlawful). The FTC cited failures to encrypt consumer information, storing sensitive computer information for a needlessly long time in files with common or default passwords, and lax measures regarding prevention of unauthorized access, detection and security investigations. The complaint alleged that, when taken together, these failures meant that BJ’s failed to provide legally adequate security for sensitive consumer information. The Chairman of the FTC has called for Congress to enact legislation requiring notification to consumers if there is significant identity theft risk, and has asked Congress to consider extending the Gramm-Leach-Bliley Safeguards Rule, currently applicable to financial institutions, to non-financial institutions.
Literally as this issue headed to press, the Supreme Court released its unanimous decision in the case of Metro-Goldwyn-Mayer Studios v. Grokster—a decision that is likely to have monumental consequences for years to come. To summarize the basic issues, for many years peer-to-peer file-sharing networks have relied on the 1984 Sony v. Universal Studios decision (“Betamax case”) which held the distribution of a commercial product capable of substantial noninfringing use could NOT give rise to contributory liability unless the distributor had actual knowledge of specific instances of infringement and failed to act. With peer-to-peer file-sharing, the network software architecture is decentralized, making it unlikely that the provider of the file-sharing software (in this case Grokster and StreamCast) could actually know of any specific instances. Even the theories of vicarious infringement were thrown out by the lower courts because neither Grokster nor StreamCast monitored, controlled or supervised the use of the software (nor did they have an independent duty to police against infringement).
Enter the Supreme Court, which agreed to hear the case on appeal from the 9th Circuit, which held that Grokster and StreamCast could not be liable for contributory infringement because there was no ability to prove actual knowledge and the software was capable of substantial non-infringing use. To give readers context, evidence was introduced indicating that on the FastTrack and Gnutella networks, more than 100 million copies of file-sharing software had been downloaded and billions of files are shared across those networks each month! The court noted “the probable scope of copyright infringement is staggering.”
So the Supreme Court overturned the 9th Circuit decision—but not for the reasons you might think. In my view, the Supreme Court did not overturn or even modify the Betamax case. Distributors of peer-to-peer file-sharing software that uses a decentralized indexing system to share copyrighted songs and movies, and that is capable of substantial non-infringing use, cannot be held liable for contributory infringement absent a showing that the distributors had specific knowledge and made a material contribution to direct infringement. The court also confirmed that software distributors cannot be held liable for vicarious infringement without a showing of the ability to block direct infringement by users.
The Supreme Court went to great pains in overturning the 9th Circuit to note “this case is significantly different from Sony and reliance on that case to rule in favor of StreamCast and Grokster was error.” The Sony case applied to distribution of a product that had both lawful and unlawful uses and sought to impose liability because Sony knew some users might use the product unlawfully. That case held it is inequitable to impute fault and corresponding secondary liability based on the unlawful acts of others, where the product has substantial lawful utility.
Intermix Media has reportedly agreed to pay $7.5 million to settle a lawsuit filed by the New York Attorney General, and if true, this represents the largest fine in a consumer online privacy action to date. In addition to agreeing to hire a Chief Privacy Officer, Intermix must agree to stop distributing its adware/spyware and redirect programs which the NYAG alleged were downloaded to consumers’ personal computers with inadequate notice, and then hidden to make it difficult to remove. Besides the annoyance which consumers rail about, often such hidden programs can be part of more elaborate identity theft and security breaches, sometimes without the knowledge of the company that created them. The lawsuit’s primary claims were false advertising and deceptive business practices under New York’s General Business Law statutes.
Whatzup with interactive, web-based digital video games? Plenty, if you believe what we read…coming up in the next issue, with struggling advertising revenues on TV and moviegoers’ increasing annoyance with the resurgence of advertising (which now seems to be replacing the 20 minutes of “coming attraction” trailers), advertisers are looking beyond product placement in reality TV shows and wondering if those captive eyeballs and fanatic game players can turn an interactive gaming industry into the next frontier of advertising. Not to mention those new chipsets and handhelds that are making video game graphics look almost like the real thing. Will virtual reality supplant reality, and will promotions and advertising take us there? Stay tuned. [P.S.: This is called a “teaser.”]
Florida’s Game Promotion Statute §849.094 has been modified, substantially reducing requirements for advertising games of chance in Florida—full rules are no longer required by Florida law in print advertising. Where previously a full set of official rules for games of chance needed to be included in print advertisements in Florida, now advertising need only include “material terms” of the rules and regulations if the advertising includes a website address, toll-free telephone number or a mailing address where the full rules and regulations may be obtained.
The U.S. Supreme Court will help decide how content providers will operate on the Internet. The first case, involving more than 20 entertainment companies with names like Viacom, Disney and Time Warner, involves the sharing of content such as movies, videos and music by computer users who download the content from the Internet. This case involves the issue of whether copyrighted material can be shared by users on peer-to-peer networks and, if the court follows the reasoning in the Betamax case which was decided back in 1984, there is a chance the court will decide that because these networks have substantial non-infringing uses, the network operators cannot be held liable for contributory infringement based on the conduct of individuals who use the network. Stay tuned—film at 11:00!!
The Supreme Court is also deciding a ‘gatekeeper’ case related to broadband service delivery by cable operators. Today, cable operators control the broadband portal or gateway that customers can use, and while a user can go through the portal and log on to another website (say Yahoo! or AOL), they still must first go through the cable provider’s designated broadband operator. The case coming up challenges that gatekeeping role and seeks to require cable operators to give consumers the right to pick the broadband connection they wish to have through the cable. We will keep you posted as developments unfold.
According to Technology Partners International as reported in CIO magazine, Europe has now overtaken the United States in major outsourcing deals (i.e., deals valued in excess of about $50mm). In 2004, out of $76 billion in contract value, Europe garnered 49 percent, beating the United States and Asia. One of the most important statistics behind those numbers is the fact that more and more outsourcing companies are becoming major players and the competition is heating up. The article lists the big-six outsourcing companies (you’ll have to call me to find out who they said they are) and notes that in 2003 these companies accounted for about 70 percent of the outsourcing contracts, but in 2004 their share dropped to just over 40 percent—a big drop in one year. What that means is that if 26 providers shared the 100 best deals in 2003, 36 shared them in 2004, and only time will tell if the outsourcing market is saturated or if more providers will jump to the front lines in 2005. One trend we are seeing is the segmentation of outsourcing arrangements by sophisticated end-user customers. Not just seeking competitive bidding among providers as in days past, these customers are actually segmenting their outsourcing requirements by function, business activity and operational needs, and seeking niche-based outsourcing providers who are best in class in those areas.
It seems that the tempting idea of putting all of one’s outsourcing eggs in one basket in order to make it “easier” to manage the relationship has not proved to be very smart after all. It appears that retaining the expertise necessary to manage outsourcing relationships in-house and being sure you have the right outsourcing provider with the right contractual relationship for each function or activity is the wiser course. Speaking of contractual relationships—Rimon has a team of international lawyers experienced in outsourcing. You might want to call us if your thoughts turn to outsourcing; we can and are happy to help. You might also go get a copy of the new book, Outsourcing Agreements Line by Line, written by me and published by Aspatore Publishing—it’s available online (an unabashed plug for both the book and our ability to assist with your legal needs).
Most of you have read about the security issues that have confronted LexisNexis and ChoicePoint, and each day we learn more news about more systems and databases that have been or may have been compromised. Here’s a secret: “Google hacking” is easier. It’s a term used to describe the simple act of using publicly available search engines (no, not only Google) to find information that criminals and wrong-doers can use.
Several months ago, The Wall Street Journal reported that some security experts held a contest to demonstrate how good Google hacking can be—they limited contestants to using only Google’s search engine and in less than one hour they unearthed enough information to perpetrate financial fraud on about 25 million people—including useful combinations of names, birth dates, credit card and social security numbers. In one such experiment, a team of contestants found a directory of more than 70 million social security numbers—all belonging to individuals who are no longer alive.
OK. You’ve all been reading about the recent security breaches which are exposing sensitive financial and other non-public personally identifiable information to potential disclosure—in some cases actual release and compromise of that information. Well, it turns out that the breaches in one area—the retailer cases involving Polo (Ralph Lauren), DSW (Shoe Warehouse) and others—are all being traced back to software that merchants use to process credit, charge and debit transactions. The problem, it seems, stems from the fact that the hidden coding that resides on the magnetic stripe of our plastic money, and that is supposed to authenticate and provide a degree of transactional security in processing payment, is being retained by the merchants’ systems, rather than being immediately deleted and cleansed from these systems once the transaction is approved and complete. Hackers, learning of this vulnerability, were quick to attempt to break into these merchant systems and “steal” the codes, in many cases enabling them to create counterfeit plastic and compromise personal information of the cardholder in the process. In one case, BJ’s Wholesale Club is being sued by banks and credit unions because hackers made off with customers’ credit card numbers, and BJ’s has decided to sue IBM, whose software allegedly stored the numbers in computer logs. In legal papers filed in response to the suit, IBM not only claims there is no proof the stolen card numbers came from BJ’s systems, but it also claims that its contract with BJ’s disclaims liability for damages because of security breaches. OK, all of you go check your software contracts. Now.
In February, in the Circuit Court in Miller County, Arkansas, some plaintiffs—led by Lane’s Gifts, an Arkansas retailer—sued Google, Yahoo!, Time Warner, Disney, and Ask Jeeves, among other Internet companies, alleging that these companies knowingly overcharged for the advertising they sold and that they conspired with each other in doing so! The plaintiffs now want the suit certified as a class action, which relates to the growing problem of “click fraud,” a practice our very own litigator and legal guru Peter Raymond knows and has spoken about. Clicking ads or even automating the click-throughs—in some cases by competitors—can illegally run up the advertising charges, and analysts estimate these can increase by more than 15 percent because of such fraud.