Companies cannot survive, let alone thrive, in today’s business environment without an Internet presence. Businesses and brands maintain websites and social media profiles in order to advertise and market products and services, but also to interact with customers. Social media in particular has given businesses an unprecedented ability to reach out to customers and to respond to their concerns. With this ability, however, comes the risk that unauthorized third parties will register an Internet domain with a company’s or brand’s name, or a deceptively similar name, and create a misleading or even harmful website. The practice of registering an Internet domain using the name of a trademarked brand is often known as “cyber-squatting.” Businesses and people who are the victim of cyber-squatting have remedies through a process established by several organizations that oversee and regulate Internet domain names.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a private nonprofit corporation based in Los Angeles, California. It represents a collaboration between government agencies and several private organizations. ICANN has final responsibility for assignment of domain names, IP addresses, and other identifying information used by machines on the Internet.

In order to effectively handle disputes or complaints relating to domain name registrations, ICANN enacted the Uniform Domain Name Dispute Resolution Policy (UDRP). Anyone who owns or registers a domain name with a “.com,” “.org,” or “.net” top-level domain has agreed to abide by the terms of the UDRP by virtue of their agreement with their domain name registrar.


U.S. News recently reported that since mid-2010 over 220,000 individuals have been sued in mass copyright lawsuits regarding the sharing of files over BitTorrent. However, as these lawsuits have multiplied, courts have grown concerned that subpoenas for Internet subscriber information may draw innocent parties into litigation and that parties may be improperly joined.

Generally, BitTorrent is a peer-to-peer Internet file-sharing protocol that allows a “swarm” of users to download and upload content from each other simultaneously. A user who supplies an entire copy of a file is called a “seeder,” while users in the process of downloading a file who have not yet completed their downloads are called “peers.” Peers download portions of the file at random, and upload those portions to other members of the swarm. Peers do not choose which pieces are downloaded and they do not choose whom to share those portions with. Nevertheless, a peer is able to see the IP addresses of the other swarm members. Accordingly, it is possible for a copyright owner to join a swarm and obtain the IP addresses of the users sharing a given file.

It seems that BitTorrent litigation will not be slowing down. Thus, courts are now more resistant to mass-joinder cases clogging up their dockets, especially when the plaintiffs have no intention of litigating, but rather are merely seeking identifying information and authorization to pursue discovery in the interest of gaining settlement leverage. As more defendants file motions to quash suggesting that they did not participate in the alleged activity, courts are also becoming sensitive to the idea that IP addresses may not be as likely to identify defendants as previously suspected. Plaintiffs, on the other hand, continue to refine their practices and theories of liability. See Liberty Media Holdings LLC v. Hawaii Members of Swarm…, Case No. 11-CV-00262-DAE-RLP, (Jan. 30, 2012 Order, denying motion to dismiss as to direct and indirect infringement and civil conspiracy, but dismissing allegation that failure to secure WiFi amounts to actionable negligence).

As some of our readers who have active Facebook profiles know, the “like” button is a way to express your support for a cause or idea. However, a federal judge states that clicking it does not constitute constitutionally protected speech.

For example, the employees of a local police department sued their boss (Sheriff B.J. Roberts) for firing them after they supported his opponent in his 2009 re-election campaign. One of those workers, Daniel Ray Carter, had “liked” the Facebook page of Roberts’ opponent, Jim Adams. Exactly what a “like” means, if anything, is the main question. The ex-employees posit that their First Amendment rights were violated.

While public employees are allowed to speak as citizens on matters of public concern, the United States District Judge, the Honorable Raymond Jackson, ruled that clicking the “like” button does not amount to expressive speech. Expressive conduct, also referred to as “symbolic speech,” relates to the communication of ideas through one’s conduct. Expressive conduct raises some interesting constitutional questions because it combines expression, which typically receives First Amendment protection, and conduct, which typically does not receive First Amendment protection. This dualistic nature may account for the court’s position of affording expressive conduct some constitutional protection, but substantially less protection than pure speech.

What is personal jurisdiction? It is the court’s authority to determine a claim affecting a specific person. Generally, providing any type of data or information on the world-wide-web (i.e., Internet) is insufficient to subject a person to personal jurisdiction in each state wherein the data or information is accessed. Rather, a nonresident’s online activity must be expressly targeted at, or directed to, the forum state in order to establish the minimum contacts necessary to support the exercise of personal jurisdiction. In general, personal jurisdiction may not be exercised against a nonresident whose website was not directed toward any state.

If a nonresident defendant publishes defamatory comments concerning the plaintiff on a website, and the effects of those comments were clearly directed at the forum state, the publication results in sufficient contact with the forum to warrant the assertion of jurisdiction over the nonresident defendant. On the other hand, the publication of defamatory comments concerning the plaintiff on a website is not, by itself, enough to support the exercise of jurisdiction over a nonresident defendant (e.g., when an article was not specifically directed to residents in the forum state, or was not primarily directed at the plaintiff in that state).

Our readers must keep in mind that the tort of defamation can be committed in the jurisdiction (i.e., the state), even if the message was not directed there, if it has effects in that state.

Cyberattacks can hit businesses of any size, causing catastrophic damage to a business’s finances and to the integrity of its information security. Hundreds of breaches occurred at large corporations during 2011, affecting over thirty million sensitive or confidential records. Hackers went after Sony, NASDAQ, and other giant businesses, but small companies are also vulnerable to attack. According to a report in the Business Journals, as many as eighty-five percent of small business owners do not see cyberattacks, which may include hackers or malicious software, as a serious threat. Heightened security at these big companies, though, could lead hackers and other cyber criminals to focus their attacks on smaller businesses who may not be so prepared.

Guarding against cybercrime is simply good business for small companies. A hacker targeting a small business can cripple the business or even force it to shut down with a very simple series of hacks or viruses. If a cyber criminal targets a small business’ banking system, it could empty its cash reserves and leave it unable to operate. A hacker who compromises a business’ confidential client data could expose the business to enough liability to put it out of business.

The “Common Sense Guide to Cyber Security,” published by a coalition of government agencies and organizations, including the Federal Emergency Management Agency and the U.S. Chamber of Commerce, offers a set of security practices small businesses can use to protect themselves from cyberattack. After an initial set-up period, most practices involve simple daily maintenance and monitoring.

Risk Management Planning. Businesses should carefully assess the risks and weaknesses in their computing systems to see where protection is most needed. They should prepare contingency plans in case a breach or loss occurs, including how to continue business operations with alternate computing systems or at an alternate location.

Access Control and Accountability. A business’s network security plan should include access controls that limit who may access critical systems and information. A single department or officer should have responsibility for information security and for approving new hardware and software, thus ensuring accountability for decisions and errors. At the same time, a business should educate all employees and officers as a means of creating a “culture of security.” All employees should sign an agreement committing to the company’s cybersecurity policies.

Firewalls and Other Security Measures. Firewalls can protect businesses from many common attacks, particularly from viruses and malware. Companies should also encourage use of complex passwords that combine upper- and lowercase letters, numbers, and other symbols; avoid common words and phrases; and change at least every three months.


Computers and computing activities play an increasingly integral role in daily life in America, affecting our financial activity, social interactions, and more. With an increased level of dependence on networked devices comes the risk of theft, or even attacks, on and through our computer networks. While the business community has already recognized the importance of cybersecurity, the government and legal system are finally responding in five key areas.

National security. The federal government has made cybersecurity a central feature of its national security strategy. Recognizing the risk of an attack on the nation’s computer networks by a foreign power or sub-national group, the Department of Defense created a comprehensive strategy for cybersecurity (PDF file) in 2011. The strategy treats “cyberspace” as its own “operational domain,” requiring specialized training and organization. The government has also taken steps to combat online theft, which can include not only monetary theft but theft of intellectual property and identity theft. The latter has become more and more sophisticated as thieves find ways to exploit personally identifiable information (PII) stored online.

Federal legislation. The Obama administration proposed legislation outlining ten points for cybersecurity protection. These generally included protection of the American people, the nation’s infrastructure, and the federal government’s networks and computer systems. Several bills pending in Congress address aspects of cybersecurity. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, allows sharing of data between companies and the National Security Agency in order to investigate and combat cybersecurity threats.

State legislation. Protection of government data, PII, and personal privacy have informed numerous state statutes enacted in the past ten years. California passed a law requiring notification of cybersecurity breaches in 2003, and forty-six other states and the District of Columbia followed suit. Laws requiring “reasonable” levels of security for protected information exist in at least ten states, and numerous states are enacting statutes protecting people from wiretapping and other monitoring of electronic activity.

Regulatory initiatives. Multiple regulatory agencies have addressed cybersecurity concerns through additional regulations, guidelines, and enforcement actions. The U.S. Securities and Exchange Commission (SEC), for example, recently issued a new set of guidelines for publicly-traded companies. The guidelines address disclosure of cybersecurity breaches as a means of making information available to investors. The FBI, meanwhile, established a joint task force to investigate cyber threats.


When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly-traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC even encourages companies to disclose “cyberrisks,” even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC’s guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident’s “personal information,” such as social security number, home address, driver’s license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California’s lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.


An effective employee manual is an essential tool for any business or corporation that employs workers. It is a valuable way for businesses to communicate a company’s expectations to its employees. A well written employee manual will outline company procedures, policies, and expectations. A poorly written manual can create both legal and personnel headaches for your business.

The following policies are important for any employer to consider when writing or revising an employee manual:

  • Each employee manual should include a disclaimer which states that the publication is not an employment contract. This can protect a business from terminated workers filing breach of contract claims against the business.
  • An employee manual should successfully communicate company objectives and the organization’s mission statement. By doing so, the manual can foster each employee’s understanding of business goals and provide them with an enhanced sense of purpose.
  • An effective employee manual will state your business has a zero tolerance policy for any kind of discrimination or harassment. The manual should also explain how to identify and report harassment. A company’s employee manual should also specifically prohibit discrimination based upon sexual orientation.
  • Employee leave and termination policies should always be addressed in an employee manual. Any leave eligibility differences or restrictions based on job functions or employee status should also be addressed. A well written manual will also remind employees that any discrimination based on disability will not be tolerated, and also discuss the Family Medical Leave Act.
  • An employee handbook should define worker misconduct and discuss the company’s disciplinary process. A disciplinary policy should be flexible and include a disclaimer which states misconduct is not limited to behaviors specifically outlined in the manual.
  • A well written employee manual will describe the process for raising workplace issues and filing a formal complaint or grievance. This is important because it shows workers the company will take employee concerns seriously.
  • Because no one should feel threatened at work, each employee manual should provide workers with guidance regarding how to address and respond to workplace violence and other conflicts. An employee handbook should also include a zero tolerance policy for workplace bullying.
  • Finally, as the use of social media such as Facebook and Twitter becomes more common, it is essential for businesses to address employee use or misuse of social networking websites. An employee handbook should discuss what sort of workplace-related communications are inappropriate and remind workers that disseminating confidential or proprietary information is prohibited. A social media policy should also address disparaging or harassing the company or fellow employees.


Last year, the California State Legislature made various efforts to regulate commercial transactions on the Internet. These efforts provide interesting questions and concerns regarding practical and constitutional limits on a state’s capability to legislate or regulate transactions on the world-wide-web (i.e., the Internet) due to its intrinsic interstate character.

One important consideration is the Dormant Commerce Clause, which stems from Article I, section 8, clause 3 of the federal Constitution. This doctrine implies that Congress only has the power to regulate interstate commerce and that the states do not have such power. Its application to the regulation of activities on the Internet is not quite developed and includes a series of judicially-created analyses. So far, the United States Supreme Court (which is the nation’s highest court) has not issued any definitive rulings. In addition, we do not have authoritative decisions by federal courts regarding the capability of the states to control online privacy and data security, tax online sales, or regulate online gambling.

As mentioned in this article, the legislators in this state passed or proposed laws that would develop our state’s regulatory power over transactions on the Internet which relate to the following topics: (i) privacy and data security; (ii) taxation of retail sales over the Internet; and (iii) online gambling.

Megaupload.com was among the world’s biggest file-sharing sites with 150 million registered users and about 50 million hits daily. It was big enough that it earned founder Kim Dotcom $42 million in 2011.

The movie industry objected that the site was making money off pirated material. Even though Megaupload is based in Hong Kong and the founder was living in New Zealand, some of the alleged pirated content was hosted on leased servers in Virginia, which was sufficient for U.S. prosecutors to take action.

Thereafter, the site was closed and its founder and three Megaupload employees were arrested in New Zealand on allegations by American prosecutors that they facilitated millions of illegal downloads of films, music and other content, costing copyright holders at least $500 million in lost revenue.