Posted on

FINRA Issues Guidance in New Social Media Websites Notice

In November, Legal Bytes reported (Regulators Poised to Give Financial Institutions a Slap in the Facebook) that Richard Ketchum, Chief Executive of the Financial Industry Regulatory Authority (FINRA), acknowledged Wall Street is eager to use social media to interact with customers. In the course of his remarks at a recent meeting of the Securities Industry and Financial Markets Association (SIFMA), he noted, “We continue to witness the advent of technologies that will challenge your ability to ensure compliance with regulatory requirements,” and “Social networking is one such innovation.

Now, supplementing existing FINRA Rules, FINRA has released a notice concerning online media rules (you can download and read a copy of the notice below) whose key components include requirements that securities firms:

  • Must develop policies and require its employees to comply with the new regulatory requirements
  • Must retain records of communications (a compliance requirement of the Securities Exchange Act of 1934) when social media is used to communicate
  • Must ensure that recommendations made through social media are suitable to all investors to whom the recommendation is made (e.g., by limiting or filtering access based on investor/consumer qualifications)

FINRA’s notice takes the position that securities firms must adapt existing rules to social media and essentially mirror the 2003 FINRA definition of “public appearance.” This definition noted that chat room postings were no different than if a firm representative was in a room making statements to a room filled with investors. FINRA’s current notice indicates that information posted or content placed online (static information) is subject to these same rules and must be approved by a firm principal – presumably, even information about individuals in the firm that may be part of an individual’s profile on the firm’s website or in social media platforms. But online interactions that are occurring on the fly (e.g., in real time), while subject to supervisory requirements (e.g., they must be supervised, perhaps even monitored), do not require such approvals.

You can read or download the FINRA Regulatory Notice 10-06 (Social Media Web Sites) [PDF] here.

As mentioned in the Legal Bytes November post, SEC disclosure rules apply to Tweets, blog postings, wall postings and other communication platforms provided by social media sites, and other regulatory agencies are seeking to address the use of social media sites by the entities they regulate (e.g., the FCC, the New York State Insurance Department). So if any of this is of interest and if you need to know more or need help, please contact me, Joseph I. Rosenbaum, or the Rimon attorney with whom you regularly work. We are happy to help.

Update:  Rimon lawyers Christopher P. Bennet, Amy J. Greer, Jacob Thride and Kevin Xu have prepared a Client Alert on the subject which you can read by going to: FINRA Issues Notice for Financial Firms Using Social Media.

Posted on

Freedom of the Press = Freedom to Tweet

Twitter keeps hitting the newswires—in this instance, in a matter involving freedom of the press. You might have heard from time to time, especially in high-profile or emotionally charged cases, about judges who have used their power to control proceedings by restricting the use of certain communications equipment and mechanisms from within their courtrooms (e.g., use of mobile phones, video recording equipment, etc.).

From Pennsylvania comes an order from a Dauphin County judge refusing to bar reporters from sending Tweets during the course of a public and high-profile trial. In response to a motion by the defendants counsel, Judge Lewis, in a brief order, noted that “. . . to impose the proposed restriction would be premature and that the restriction itself is overly broad.”

In this particular case, the defendants were concerned that reporters, using Twitter inside the courtroom, would broadcast witnesses testimony, which could then be read or seen by other witnesses who were yet to testify. While refusing to ban Twitter to reporters, the judge did order the witnesses to avoid reading or listening to reports concerning the trial.

As icing on the cake, our own Rimon lawyers, Tom McGough, Mark Tamburri and Tom Pohl, won the order on behalf of the Associated Press and Pittsburgh Post-Gazette. Yes, Virginia, there is a place for social media in jurisprudence.

If you remember, Twitter was also the subject of some controversy in Pittsburgh during the G20 Summit last year. In that case, involving freedom of speech, police in Pittsburgh arrested a man who was using Twitter to send messages about the movements of police officers as protests were unfolding. Although the police sought to charge the man with aiding an illegal protest, the man was broadcasting what was easily visible in plain sight.

While commercial cases often involve money or intellectual property rights, or rights of publicity or privacy, cases are emerging that involve fundamental Constitutional rights. The law will need to move quickly into the digital and social media age in order to keep up. Some courts and judges are doing just that!

Need to know more? Contact me, Joseph I. Rosenbaum, or any Rimon attorney with whom you regularly work.

Posted on

Court Rules Twitter Libel is Stale, and Neither Ripe Nor Moldy

Back in July, Legal Bytes posted a report (Landlord Can’t Let Tweet sMOLDer) about a Twitter "tweet" posted by Amanda Bonnen, that contained the following statement: "Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it’s OK."

Back then we told you that Horizon Group Management, the landlord of the apartment building involved, filed suit in a Cook County Illinois Court for libel, alleging that it was a "malicious and defamatory" tweet about the state of her apartment. 

Well this past Wednesday (Jan. 20, 2010), Cook County Circuit Court Judge Diane J. Larsen dismissed the suit, and Ms. Bonnen’s attorney indicated the judge described the posting as too vague to constitute libel under the legal tests applicable to such a claim.

To support a claim of libel, Horizon would have had to show that Ms. Bonnen wasn’t merely offering her opinion, that the statement must be reasonably understood by everyone to refer to the specific entity—in this case, this particular Horizon realty company—and that there was actual harm that can be proved, flowing from the statement. The fact that the statement was made on Twitter, and consequently widely available across the Internet, doesn’t change the standard one must meet to prove libel, and the judge dismissed the case. 

As you can guess, these aren’t the only cases involving defamation in the context of social media. For example, the action against Courtney Love, wife of the late Kurt Cobain, is alive and well. You might recall that case arose when a fashion designer claimed Ms. Love tweeted that the designer was a drug addict, a prostitute and called her a "lying hosebag thief." As we reported in Legal Bytes this past August (Court Orders Google to Turn Over Blogger Identity Information), cases of defamation become even more complex when the identity of the actual "tweeter" is hidden behind a pseudonym.

These cases all hinge upon the friction created by social interaction. Defamation is not a new concept, and whether broadcast over radio waves or propagated across the web, it should come as no surprise that when human beings populate the borderless universe of cyberspace, these interactions can give rise to legal actions. The laws that apply to publicity, privacy, libel, deceptive advertising, unfair competition and intellectual property may need to be applied or viewed differently, but they don’t disappear simply because the content is digital. Need to know more? Contact me, Joseph I. Rosenbaum, or any Rimon attorney with whom you regularly work.

George Washington Carver (1864-1943)

“How far you go in life depends on your being tender with the young, compassionate with the aged, sympathetic with the striving, and tolerant of the weak and strong. Because someday in your life you will have been all of these.”

Posted on

When the Fog Lifts, Don’t Be Surprised if You Still See Clouds

“If computers of the kind I have advocated become the computers of the future, then computing may someday be organized as a public utility just as the telephone system is a public utility . . . The computer utility could become the basis of a new and important industry.”

                                      John McCarthy, MIT Centennial, 1961

“Cloud computing” is a term used to describe the use of computer resources not solely as a communications protocol (e.g., the Internet), nor solely as a content or transaction host (World Wide Web), but as an application development and information processing service. To help explain further, to send an email, much like using the telephone, it makes no difference who your provider or host is or which carrier you use. There is a protocol that allows interoperability across networks and processors, and as long as the sender and recipient have an email address and access to an Internet connection, the email gets through. On the web, with access to the Internet and a browser (technology that displays content and functionality hosted at a particular Internet address), you can interact with the website – you can see the material displayed and you can "select" (click) to enable certain features.

Today, as a general rule, if you wanted to create, edit, spell check, save, send or share most content or information with someone, unless you plan on typing and formatting a very long email, you still need word processing, spreadsheet or presentation software programs to create and upload (communicate or store for display), or to see and use content that you might download. In a cloud-computing environment, all of these functions are resident in the "cloud." Imagine that you no longer needed a desktop or laptop computer processor, and all you had were input and display devices (e.g., keyboard, mouse, monitor), which you could either carry or borrow wherever you went. Plug into a universal "outlet," enter your unique pass codes and authentication information, and you have everything you need – where and when you need it. Like telephone, electric or gas service, computing becomes a commodity accessible virtually anywhere and anytime, generally priced by usage, the applications, and the amount and type of storage for which you want and need access.

Cloud-computer services can be sold and paid for using plans not dissimilar to phone service – per call, per minute, unlimited, features, functions – and they disaggregate the user, whether individual or business enterprise, from the procurement, maintenance and operations of the underlying processors and software programs. Clouds can be public – made available to anyone on demand (think Wi-Fi registration based hot spots) or private (large companies can operate or arrange to have someone operate a closed-cloud environment). I summarize the basic characteristics of cloud computing as follows:

  • Flexibility – the user can easily modify use, resources, demand, access and virtually every other resource, without the need to purchase or dispose of any equipment or software, other than input and output devices. Increases or decreases in processing, development, storage or other requirements can be managed easily in real time and on an infinitely scalable basis.
  • Cost – commodity or utility pricing lowers user costs. Capital expenditures can be eliminated, license fees reduced and access fees managed more efficiently.
  • Resources – shared resources enable lower per-user, per-unit pricing, and optimization of peak and non-peak loads across user communities. Resource upgrades and enhancements can be amortized across a broad user base, seamlessly and transparently to the user community. Inter-exchange agreements between cloud providers will enable continuity and recovery, load management, and resource backup capability at optimal prices.
  • Independence – time, space and resource constraints become largely irrelevant to the extent Internet or web access is available.
  • Interoperability – absent unique or customized requirements that can be managed separately by the user, standardized applications, development tools and protocols are simpler to maintain and operate, debug, update and support. 

While security and privacy is always a concern – more so where data, in addition to processing capability and storage, becomes more concentrated and accessible rather than distributed – more users and businesses will have the potential benefit of stronger security measures than are currently affordable or in use, to the extent cloud providers can develop and implement strong security standards and protocols within their service offerings. 

So who are the actual or prospective players? Well lots of prognosticators and labelers are out there, but here is my list in basic categories:

  • Providers are those who procure, create, host and manage cloud resources and then sell access, services, features and functions in a cloud environment – wholesale or retail
  • Users are those who need to use and take advantage of cloud services, features and functions, whether individually or as part of a business
  • Intermediators are those who create intermediation and aggregation opportunities between and among providers. On the one hand, intermediators can bridge gaps between providers and create interface and sharing environments between or among providers. On the other hand, intermediators may begin finding niches in customizing or aggregating services, features or functions for particular industries or in particular regions.
  • Developers and supporters are those who develop utilities, applications, tools, features and functions to enhance the cloud experience, make additional services and applications available, and who maintain and support the efficient functioning of the cloud environment.

There may be others – my list is not intended to be comprehensive or even definitive. I don’t have a crystal ball, so time and experience will determine what we cannot now predict. Four computers, interconnected to respond to the perceived vulnerability of centralized computing, were the origins of the Internet. Distributed computing represented commercial attempts to amortize costs, decentralize institutionalized information, and enable greater redundancy and recovery capability. Networking and web-based computing gave us the ability to communicate, share and store information across multiple processors and devices through share protocols. While it’s still too foggy to tell what the future will bring, cloud computing represents the next big innovative thing in making the power of the computer and the Internet easier to use, more available, more interoperable and more cost-effective.

When the fog starts to lift, we may see clouds on the horizon. Whether they are storm clouds or fluffy wondrous sights of joy, I leave to your imagination. Stay tuned. But no matter what your visions of the future may be, if you see a cloud and you aren’t sure what the legal implications might be, please feel free to contact me, Joseph I. (“Joe”) Rosenbaum, or the Rimon attorney with whom you regularly work.

Posted on

HITECH Means High Stakes in First-Ever State HIPAA Lawsuit

Yesterday, the Attorney General of the State of Connecticut filed suit against the Connecticut subsidiary of Health Net, charging it with violations of the privacy and security requirements of HIPAA. The action, filed yesterday in the United States District Court in Connecticut, comes on the heels of a security breach involving medical records and Social Security numbers. The suit also names United Health Group Inc. and Oxford Health Plans LLC, who acquired Health Net of Connecticut but who were not involved in the data breach.

If you forgot, last year the Health Information Technology for Economic and Clinical Health Act (HITECH), for the first time authorized individual state attorneys’ general to enforce the security and data privacy regulations under HIPAA, and this appears to be the first such action.

The lawsuit claims that Health Net in Connecticut failed to provide adequate security for the medical and financial records of hundreds of thousands of enrolled individuals, and failed to notify them promptly in connection with the breach. The breach, which took place last May, involved the disappearance of a computer hard drive. Health Net eventually reported the breach, posting a notice on its website and starting a staggered process of mailing letters to consumers November 30, 2009, almost six months after the security breach. For those of you involved in the collection, handling, maintenance, or use of personal, financial and medical information covered by HIPAA, new federal rules under the HITECH Act require “timely” notification of certain breaches, rules that have a compliance deadline of February 22, 2010.

Health Net attributed the delay in reporting to its inability to determine exactly what was on the computer hard drive that disappeared, thus not being sure if a notice was even required. One can only surmise that the mere fact that Health Net didn’t know what information was contained on a removable computer hard drive made its reasoning less than satisfactory to the Connecticut State Attorney General. Although Health Net appears to have conceded that the data was not encrypted, it did indicate that the data should not be visible without the use of specific software. However, Kroll Inc., a computer forensic firm retained by Health Net to investigate the breach, reported the data could be viewable with commonly available software.

Privacy, security and data protection of non-public, personally identifiable and sensitive information (e.g., health, financial data) are increasingly subject to stricter rules and regulations. The use of the Internet and web, making digital information more susceptible to undetected duplication, transmission and access – not to mention the obvious fact that carrying millions of pages of records would be impossible, while walking out with a single hard disk or CD-ROM on which the same data and information has been scanned or stored in digital form – can be virtually undetectable.

Do you know of any law firm that has a team of privacy and data security, identity theft and data breach legal professionals? A firm that has health care, financial services and insurance specialists, as well as lawyers steeped in digital technology, information security and e-commerce? A firm that has transactional, regulatory compliance and policy-oriented lawyers who can audit current practices and policies, assist in developing mechanisms needed to satisfy regulatory requirements, and provide legal support to help avoid a legal problem, and also regulatory, compliance and litigation professionals who can represent and defend clients if a problem arises? Now you do – Rimon. If you need more information, contact me, Joseph I. (“Joe”) Rosenbaum, or Mark Melodia or Paul Bond, or the Rimon attorney with whom you regularly work, if you need legal advice, information or support on this subject.

Posted on

UK Sports Minister Proposes Changes to Gambling Legislation

This post was also written by Laura Hicks.

Last week, Gerry Sutcliffe, Minister for Sport in the United Kingdom, announced proposals to make significant changes to the existing legislative framework under which remote gambling is regulated. Following a review of the system of online gambling regulation in Great Britain by the Department for Culture, Media and Sport, a consultation is being launched with a view to introducing laws requiring all online operators to apply for a license from the Gambling Commission in order to either advertise or provide gambling services to British consumers. According to the Minister for Sport, the proposed changes were “necessary to ensure the protections in the Gambling Act – to keep gambling crime free, to ensure gambling is fair and open, and to ensure that children and vulnerable people are protected from harm – continue to be afforded to British consumers.”

Under the proposals, a license will be required even if the gambling services are offered to British consumers using remote gambling equipment from outside Great Britain. Currently, only operators based and licensed in the UK are allowed to advertise in the UK, unless the country in which they are based is either a member state of the EEA or on the government’s “whitelist.” More information on the “whitelist” is available on the Department for Culture, Media and Sport website, but to give you some insight, territories currently on the list are Antigua and Barbuda, Tasmania, the States of Alderney and the Isle of Man. “Whitelisting” is the process used by the UK Ministry to assess the regulatory framework for gambling in any jurisdictions outside the EEA that apply for permission to advertise their services within the UK.

As well as being obliged to share information about suspicious betting patterns with the UK’s sports governing bodies and the Gambling Commission, foreign operators would also have to comply with British license requirements concerning the protection of children and vulnerable people, and contribute to the research, education and treatment of problem gambling in the UK.

This appears to be a move by the UK government to close a loophole in the laws that protect online gamblers in the UK, and that more closely mirror the more protectionist regime in the United States. If this extension of the licensing regime is introduced into legislation, it will be interesting to see how the regulator intends to enforce the license scheme against gambling companies with no UK presence. In the United States, enforcement has involved a variety of “indirect” mechanisms, from the Department of Justice’s use of the Interstate Wire Act of 1951, which applies to sports betting to assert jurisdiction over online gaming – even though the Fifth Circuit ruled in 2002 that the Wire Act only applies to sports betting – to seizing advertising payments made to broadcast networks by advertisers seeking to promote online gambling considered illegal by the United States. Since 2006, with the enactment of the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA), the United States has sought to seize assets in financial institutions tied to online gambling, based on what it considers illegal activity, money laundering and a variety of other offenses. It is noteworthy that UIGEA does not make online gambling illegal per se, but rather prohibits any transfer of funds from a financial institution (as defined in the legislation) to an illegal Internet gambling site.

Once you read the UK Sports Ministry’s announcement, if you need more information, contact Laura Hicks, an associate in the Media and Technology team, in our London office. Of course, you can always contact me, Joseph I. (“Joe”) Rosenbaum in New York, or Gregor Pryor in London, or the Rimon attorney with whom you regularly work, if you need legal advice, information or support on this subject.

Posted on

2010 ANA Advertising Law & Public Policy Conference

Join top legal professionals and government regulators March 17-18, 2010 in Washington, D.C., at the 2010 Annual ANA Advertising Law & Public Policy Conference, where you will hear from Jon Leibowitz, Chairman of the FTC and Doug Gansler, Maryland attorney general, as well as leading legal experts both from law firms and client-side marketers.

Connect with key industry leaders and policymakers as we discuss the most volatile and fast-moving legal and political environment for advertising and marketing in decades. Learn about the new regulations, legislation and major court cases that are fundamentally changing the business environment, and how you can keep up!

Posted on

Libel Tourism: Will Free Speech Return to the United Kingdom?

[The following article, authored by Michael Skrein and Tom Webley, who are both resident in our London office, reviews the current (and future) state of the UK’s libel multiple publication rule. It was first published as “In Focus. Libel Tourism,” in Legal Strategy Review, Issue 5 (Winter 2009/10), and Legal Bytes gratefully acknowledges and appreciates their permission to re-publish it.]

Media organisations, publishers, journalists and human rights lawyers have, for many years, argued that the UK’s libel multiple publication rule is incompatible with free speech in the modern digital age. This ancient rule renders each publication of defamatory material liable to be sued on as a separate cause of action. That means, for example, that if material remains available online in archives or live websites, the threat of proceedings being issued will hang over the head of the publisher indefinitely. 

The limitation periods in England and Wales for defamation is one year from publication. However, under the multiple publication rule, each ‘hit’ on a website is treated as a new publication and can lead to a claim being brought within that time frame. The rule dates back to a case in 1849 which arose when the Duke of Brunswick purchased a copy of a newspaper published 17 years previously. He then sued for defamation over its contents. The new purchase was ruled to equate to a new publication, thereby allowing him to sue. The rule has been applied to defamation cases in England and Wales ever since. 

A Time For Change?

Unsurprisingly, many lawyers in England and Wales have been arguing that the rule is completely inappropriate and a dangerous anachronism. Many overseas lawyers greet the existence of the rule with disbelief. Nearly 100 years after the Duke of Brunswick case, in 1948, the New York appellate court decided that the multiple publication rule had no place in an American society with mass publication and nationwide distribution, and it replaced the rule with a single publication regime. 

The UK Ministry of Justice has recently published a consultation paper on the topic. It agrees that the multiple publication rule has failed to keep pace with the digital age, conceding that defending a claim becomes increasingly difficult as time passes. 

However, it says that this difficulty must be balanced against the need for a claimant to be given suitable redress for damage to reputation. The paper suggests implementing a single publication rule in which the limitation period runs from the date on which the claimant discovers the defamatory material (if this is within 10 years of initial publication) and/or to have a defence of qualified privilege for archived material (this defence would be defeated if the defendant failed to remove the material having received a reasonable request to do so). 

Implementing a single publication rule in England and Wales would be good news for publishers operating in those countries, and others worldwide would also breathe a sigh of relief as it would reduce the incidence of ‘libel tourism’ in the jurisdictions. For many years, overseas claimants have flocked to the courts to bring defamation actions. As there is no equivalent to the U.S. First Amendment, defendants face several additional legal hurdles, and they may have to pay damages and huge legal fees if they lose. 

The consultation closed on 16 December 2009 and the Ministry of Justice will now consider the responses. Perhaps soon English law will finally lay to rest the spirit of the Duke of Brunswick. 

If you need to know, you need to contact Michael Skrein, a partner, and Tom Webley, an associate, both in our London office. Of course, you can always contact me, Joseph I. (“Joe”) Rosenbaum – or your favorite Rimon attorney – who will be more than happy to help or coordinate getting your legal needs taken care of.

Posted on

That’s Cloud Computing, Not Smog, Spreading From L.A.

Although reports of dissipating smog may be premature, if postings from Google are to be believed, Los Angeles is officially in the cloud. Google’s online email and collaboration cloud, that is! City employees will now use cloud computing for email and working on collaborative projects together. Google hails cloud computing for the city of Los Angeles as something that “will improve the security and reliability of city email, transitioning from servers in the City Hall basement to hosted, secure data centers.”

Los Angeles isn’t the only place to fall in love with clouds. VISI, the largest provider of data-center and managed-hosting services last month (December 2009), announced a public beta of ReliaCloud – a cloud computing service available to users anywhere. Set up an account online, set up computer servers in one of the VISI data centers, and employee-users can access the service from anywhere – anywhere there’s an Internet browser and connection. Cost? Reportedly, the pricing starts at 5 cents an hour! Welcome to fungible, commodity computing. According to VISI, its cloud service was designed to be reliable, affordable and scalable. The beta is targeted at small- to medium-sized commercial users, and businesses can apply at www.reliacloud.com. And VISI anticipates storage and other services to become available over time as part of a suite of offerings. Just one example among many of companies offering and embracing cloud computing.

The United States isn’t the only country where cloud computing environments are springing up. Back in September, the city of Dongying in China announced a strategic initiative with IBM, where the city is hoping to transform its industrial, petroleum-based environment into a service-driven economy. The cloud will be designed to allow start-up companies to do testing and software development through the web, but will also include electronic government services (e.g., e-services). IBM has also set up cloud computing in the Chinese city of Wuxi, and was recently picked to build another cloud computing platform – Quang Trung Software City – in Ho Chi Minh City (Saigon, the former capital of South Vietnam). For you trivia buffs, Quang Trung was an Emperor of Vietnam centuries ago. IBM is another emerging player, along with Microsoft’s Azure, Amazon.com’s EC2, and Google’s AppEngine, to name only a few of the more prominent participants in the growing move to cloud computing environments.

So, if your head is in the clouds or if all of this seems foggy to you, you should consider learning more – especially about the legal implications and issues. And you probably should start doing so BEFORE your IT, Finance, HR, Security, Audit, or Operations people (or maybe even the government regulators), come knocking on the door! Want or need help? Contact me, Joseph I. (“Joe”) Rosenbaum, or the Rimon attorney with whom you regularly work. We’ll help get you out of the mist and back on Cloud Nine!