By:

On April 5, 2012, President Obama signed into law the Jumpstart Our Business Startups Act (JOBS Act), which makes substantial changes securities laws by making it easier for startups and small businesses to raise funds, stay private longer, and avoid or delay some of the burdens that come with taking a company public. The various provisions of the JOBS Act will come into effect over the course of 2012, culminating with the SEC’s much-anticipated crowdfunding rules being issued by the SEC at the end of the year. Below we brief you on the most important provisions of the JOBS Act and what you as an entrepreneur should be thinking about now to take advantage of these changes in the future.

1.                 Cap on Private Equity Holders Increased

What You Should Be Thinking About Now:

Consider whether your company’s organizational documents and related shareholder or investor rights agreements need to be revised in light of the revised shareholder threshold and possibility of increased secondary sale activity.

Before:

Private issuers would have to register a class of securities with the SEC if they were held of record by 500 people or more, which would also subject them to the burdensome reporting obligations of public companies.

After:

The JOBS Act increases the threshold from 500 to 2,000 holders of record, as long as no more than 499 of those 2,000 holders of record are not “accredited investors.” Excluded from this calculation are those who obtained equity under the company’s equity compensation plans and investors who purchased securities pursuant to the crowdfunding exemption discussed below. This allows companies to avoid going public longer and to freely give equity compensation to employees without the fear of being forced to register as a public company. The ability of more companies to stay private longer may also lead to a more robust secondary market for shares of private companies than currently exists.

Effective:

Immediately, although there is no deadline for the SEC to adopt rules to change the definition of “held of record.”

2.                 Some General Solicitation Prohibitions Eliminated

What You Should Be Thinking About Now:

If your private company is looking to raise capital under the Rule 506 exemption, start thinking about how you will let the right people know about your company and its goals. Will you contact accredited investors directly, send the information to investing communities and email lists, contact websites and blogs whose readership includes people interested in your product or service, use social media tools, or some combination of these methods? Companies should also consider what impact these methods may have on the company’s image or credibility and ability to attract desirable investors.

Before:

Private companies that sell equity often rely on the exemption from registration with the SEC under Rule 506 of Regulation D. In exchange for lifting the burden of registering securities, any exemption under Regulation D does not allow the issuer to engage in general solicitation or advertising of the offering. This means that there must be a “pre-existing relationship” between the offeror and the offeree, and one offer without such a relationship would make the exemption inapplicable and trigger the registration requirement.

After:

The JOBS Act amends Rule 506 to allow general solicitation or advertising if all purchasers qualify as “accredited investors” under SEC rules. By eliminating any restrictions on who the securities may be offered to, issuers may now announce that they are seeking funding to anyone, including through a website or email, without worrying about losing the exemption. This greatly widens the pool of potential investors for private companies, especially those without wealthy friends. Issuers must take “reasonable steps” that will be determined by the SEC to verify that all purchasers are accredited investors.

Effective:

By July 4, 2012 (90 days after enactment).

3.                 Fewer Burdens on “Emerging Growth Companies”

What You Should Be Thinking About Now:

If you see your company going public in the future, consider the new benefits of going public while your company qualifies as an EGC. The scaled disclosures, regulatory requirements, and more limited governance obligations of an EGC will reduce the costs of going public, and the enhanced confidentiality in the registration process allow an EGC to resolve presentation and disclosure issues in its registration statement out of the public eye.

Before:

Previously, all companies were subject to the same IPO procedures and reporting obligations, regardless of revenue or other factors.

After:

The JOBS Act introduces the “Emerging Growth Company” (EGC), which is a company with less than $1 billion in revenue. The regulatory burdens that come with going public are reduced for EGCs, and certain SEC compliance measures are phased in over time. Any issuer that priced its IPO before December 9, 2011 does not qualify as an EGC.

• The IPO perks given to EGCs include:
  • Only two years of audited financials will need to be provided, instead of three years, with no selected financial data for prior periods;
  • The ability to make pre-filing offers to investors to “test the waters,” without the current “gun-jumping” restrictions on pre-offering communications;
  • Investment banks will be permitted to publish research reports about an EGC immediately after they become public companies;
• The ability to begin the SEC registration process on a confidential basis; and
• Certain governance and disclosure requirements are scaled back for up to five years for newly public EGCs, including:
  • An exemption from “say-on-pay” votes;
  • A more limited executive compensation disclosure;
  • An exemption from being required to hire an independent auditor to attest to the company’s internal financial controls; and
  • Longer phase-in periods for new or revised financial accounting standards.
• A company remains an EGC until the earlier of:
  • Achieving annual gross revenue in excess of $1 billion;
  • The fifth anniversary of its IPO;
  • Issuing more than $1 billion in non-convertible debt during a three-year period; or
  • Becoming a “large accelerated filer” with at least $700 million in public float.

Effective:

Immediately.

4.                 Crowdfunding Made Easier

What You Should Be Thinking About Now:

Consider whether obtaining investors through crowdfunding is the right choice for your company. Is your company’s management willing and able to communicate regularly and openly with a large number of investors? Anticipate frequent telephone calls and emails from frustrated investors, your company and management to be discussed in Internet chat rooms in potentially graphic terms,  and your competitors to download your disclosure documents from the SEC to use your company’s financial statements and disclosures about risks against it in the marketplace.

If your company’s management is prepared to deal with all that comes with a large number of investors and public offering documents, think about beginning to prepare your disclosure documents now. Harmonize your disclosure documents with your website and marketing literature, make sure financial statements and tax returns are in order, have background checks done on the company owners to avoid surprises during the offering, and start figuring out how to describe the risks of investing in your business in plain, meaningful language. The SEC will be very concerned about fraud, especially in the early years of the exemption, so you do not want to give any of your many investors a reason to claim you did not make adequate risk disclosures. You should also be prepared for considerable variations in price and functionality among the new crowdfunding intermediaries at first, as it will take time for standard practices to emerge.

Before:

Currently, there is no way for a private company to give an investors equity stake in the company through crowdfunding without seriously violating securities laws. Crowdfunding must websites characterize the money that entrepreneurs raise as “donations,” for which the donors may receive various tokens such as stickers or a t-shirt, but may not receive equity in the company itself.

After:

The JOBS Act requires the SEC to create a new exemption that allows issuers to raise $1 million through crowdfunding transactions within any 12-month period. This limit will be adjusted by the SEC at least every five years to reflect changes in the Consumer Price Index. There will not be a limit to the number of investors that a company may have through the exemption, although the SEC is allowed to impose some restrictions. The amount that an individual investor may invest depends on his or her annual income or net worth. If either is less than $100,000, the investor’s investment in any one issuer may not exceed the greater of $2,000 or 5% of the investor’s annual income or net worth. If either equals or exceeds $100,000, then the investor’s investment in any one issuer is limited to 10% of the investor’s annual income or net worth, up to a limit of $100,000.

Issuers must use either a securities broker or a “funding portal” as an intermediary to find prospective investors, but they may publish notices and direct investors to the intermediary elsewhere if they do not advertise the terms of the offering. Intermediaries must register with the SEC, provide disclosures to investors regarding the level of risk of the offering, “positively affirm” that each investor understands that the investor is risking the loss of the entire investment and can bear that loss, ensure that no investor invests more than permitted under the exemption, take measures to reduce the risk of fraud, and comply with other SEC regulations.

Issuers will still be subject to anti-fraud rules, and all investors will have the right to recover his or her entire investment, with interest, if the issuer made any material misstatement or omitted some material information from the offering documents. Basic information must be filed with the SEC, including names of directors and officers and holders of more than 20% of the company’s shares and a description of the business and financial condition, unless the company also obtains funding through another exemption. States may not adopt registration or offering requirements for securities issued under the crowdfunding exemption (known as “Blue Sky Laws”), and only the state in which the issuer’s principal place of business is located and any other state in which purchasers of at least 50% of the aggregate amount of the issue are residents may require any notice filing or filing fee.

Effective:

                By December 31, 2012 (270 days of the statute’s enactment).

 5.                 Limit on “Mini Public Offerings” Raised

What You Should Be Thinking About Now:

If you have an established private company (that is not a startup) looking to raise capital, consider the pros and cons of the new Regulation A provisions verses a Regulation D offering. Regulation A offerings are more time-consuming and require more disclosures, but they also do not have any limitations on the number or type of investor and the securities may be traded freely immediately after purchase. Because the securities are not restricted, securities purchased through a Regulation A offering may be more appealing to institutional investors.

Before:

Regulation A provides an exemption from registration for public offerings of up to $5 million in any 12 month period, without any restrictions on the types of investors that can participate in the offering.  A Regulation A offering is often characterized as a “mini-public offering” because the process is similar to a public offering, but without some of the reporting and disclosure obligations required for an IPO. Regulation A is rarely used today, however, because the offering threshold has not been adequately increased over the last two decades to reflect the rising costs associated with bringing a small company public and the offering is not exempt from State Blue Sky Laws.

After:

The JOBS Act significantly increases the offering threshold from $5 million to $50 million, which must be reviewed by the SEC every two years. It also creates additional protection for investors by requiring audited financial statements to be included in the offering circular, and the SEC may require periodic disclosures regarding the issuer’s financials, business operations, or other matters to be filed and provided to investors.

Effective:

                Unknown (there is no deadline for the SEC’s rulemaking).

 6.                 Conclusion

The JOBS Act loosens many restrictions that small businesses faced when raising funds, but in exchange more disclosures will be required. In light of the SEC’s significant concerns about investor fraud, companies should carefully weigh the advantages and disadvantages of taking advantage of these new provisions and make sure that their financial documents, disclosures, and other company information are complete and accurate.

 By: Olivera Medenica

Originally Given as part of a lecture to the New York State Bar Association on

Friday, May 20, 2011

This outline was provided to the at the New York State Bar Association as a primer for lawyers not familiar with e-commerce and social media liabilities that often require certain best practices and special insurances to address.  While the outline cannot provide as much information as the lecture it accompanied, it can provide a quick intro for practitioners looking to better understand insurance coverage for their clients. 

·         Section I addresses common insurance coverage and internet/social media risks with illustrative cases.

·         Section II addresses personal injury and advertising injury liability coverage with illustrative cases.

·         Section III provides a brief intro into the new E-Commerce and Cyber-Risk insurance policies that are designed to fill the Internet and Social Media liability coverage void.

·         Section IV provides a brief intro into what liabilities Errors and Omissions insurance policies can guard against.

I.    Internet Risks and Insurance Generally

A.    Introduction

a.       The rise of e-commerce and infiltration of social media in the business context has exposed many companies to a broad range of potential risks and liabilities.

b.      Standard form property and casualty insurance policies issued to e-commerce businesses have gaps in coverage that increase the risk that coverage will be denied when an Internet-related claim is made.

c.       These standard forms are meant to cover a policy holder’s direct physical loss or damage to covered property, and similar liability to third parties. 

B.     Commercial General Liability Insurance (“CGL”)

a.       A CGL policy provides coverage for losses to the insured’s property and losses to third parties arising out of the insured business’ operations.

b.      There are, however, numerous exceptions designed to limit the insurer’s exposure, particularly to third parties.

c.       Typically, the standard-form CGL policy contains a minimum of 15 exclusions.  See, e.g., Ins. Servs. Office, Inc., Commercial General Liability Coverage Form, CG 00 02 10 01 (2000).

 d.      In order to fill gaps in their CGL policies, insureds must purchase coverage endorsements to the CGL or specialty policies.

C.     “Physical” Loss or Damage

a.       The trigger for coverage under CGL policies is “physical loss.”

b.      Internet-related risks often involve non-physical events, and therefore coverage under a standard form CGL policy may be denied.

c.       In the context of the internet, a physical event (i.e. damaged hardware) may cause a minor physical loss but a substantial loss in terms of lost data, revenue and profits, as well as exposure from leaked confidential information.

d.      Examples of items not clearly covered by CGL policies include protection from viruses, defamation, hackers, copyright and trademark infringement.

e.       Insurers have therefore stepped in to provide products that fill the gaps between a standard CGL policy and the risks typically associated with e-commerce.

D.    Examples of Cases Addressing “Physical Damage”

a.       American Guarantee & Liability Ins. Co. v. Ingram Micro Inc., 2000 U.S. Dist. LEXIS 7299 (D. Ariz. April 18, 2000): Ingram’s data center had experienced a power outage which resulted in its computer ordering system and business operations to ground to a halt for 6 hours.  Ingram sought coverage; and American denied it because of the perceived lack of physical damage.  The court held that “ ‘physical damage’ is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality.” 

b.      America Online, Inc. v. St. Paul Mercury Insurance Company, 347 F.3d 89 (4^th Cir. 2003):  AOL released an upgrade, AOL 5.0, during the policy term which ultimately caused substantial damage to end users’ computer systems. A number of class action lawsuits were filed against AOL.  The court held that while damage to physical components of a computer caused by defective software would be covered, there would be no coverage for the loss of instructions, data or information because they are abstract and intangible.  Whatever damage was incurred could be resolved by recoding and reinstalling the operating systems and application software.

E.     Changes to Standard Form Because of AOL Case

a.       The AOL case, as well as subsequent cases following the AOL case, led to changes by the ISO to its standard CGL form making it clear that data is not “tangible property” for purposes of coverage.

b.      New standard insurance forms explicitly reject the notion that electronic data is property.

c.       The definition of “property damage” as amended in 2001 states:  “For the purposes of this insurance, electronic data is not tangible property.  As used in this definition, electronic data means information, facts or programs stored as or on, created or used on, or transmitted to or from computer software, including systems and application software, hard or floppy disks, CD-ROMS, tapes, drives, cells, data processing devices or any other media which are used with electronically controlled equipment.”  See Ins. Servs. Office, Inc., Commercial General Liability Coverage Form, §V (17)(b).

d.      Because of this new definition, large insurance companies offer specialized insurance such as e-business and/or cyber-risk insurance policies.

II.  Personal & Advertising Injury Coverage Generally

A.  “Personal Injury”

a.       The standard commercial general liability policy provides coverage for “personal injury” caused by an offense arising out of the insured’s business, excluding advertising, publishing, broadcasting or telecasting done by or for the insured.

b.      “Personal injury” is an injury, other than bodily injury, arising out of certain enumerated offenses including:

1.      False arrest, detention or imprisonment;

2.      Malicious prosecution;

3.      Wrongful eviction from, wrongful entry into, or invasion of the right of private occupancy of a room, dwelling or premises that a person occupies by or on behalf of its owner, and lord or lessor;

4.      Oral or written publication of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products, or services; or

5.      Oral or written publication of material that violates a person’s right of privacy.

c.       Personal injury coverage is triggered by the commission of the offense, not the injury or damage suffered.

d.      A commercial general liability policy will therefore provide personal injury coverage for an offense committed during the term of the policy, even if the injury occurs after the subject policy expires.

e.       Offenses arising out of advertising, publishing, broadcasting or telecasting done by or for the insured are specifically excluded within the body of the insuring agreement itself.  Pursuant to this provision, injury arising from the insured’s business activities or functions which can be characterized as advertising, publishing, broadcasting, or telecasting will not be covered.  See Schiff v. Federal Insurance Co., 779 F. Supp. 17, 21 (S.D.N.Y. 1991).

B.  “Advertising Injury”

a.    The standard commercial general liability policy provides coverage for “advertising injury” caused by an offense committed in the course of advertising the insured’s goods, products or services.

b.   “Advertising injury” is defined as injury arising out of certain enumerated offenses, including:

1.   Oral or written publication of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products, or services;

2.   Oral or written publication of material that violates a person’s right of privacy;

3.   Misappropriation of advertising ideas or style of doing business; or

4.   Infringement of copyright, title, or slogan.

c.    The term “advertising” generally means widespread promotional activities usually directed at the public at large.

d.   A minority of courts, however, interprets advertising as also including any activity that promotes an insured’s business or product – whether widespread activity or merely one-on-one personal solicitation.  See Kirk King, King Cons., Inc. v. Continental W. Ins. Co., 123 S.W.3d 259, 265 (Mo. Ct. App. 2003); Amazon.com Int’l, Inc. v. American Dynasty Surplus Lines Ins. Co., 120 Wash. App. 610, 617, 85 P.3d 974, 977 (2004), review denied, 152 Wash.2d 1030, 103 P.3d 200 (Wash. 2004).

e.    Courts are more likely to interpret the term advertising broadly if it is being employed in connection with an insuring provision versus an exclusion, and provisions excluding coverage for advertising injury.  See Berman v. Gen. Accident Ins. Co., 176 Misc.2d 13, 19, 671 N.Y.S.2d 619, 623 (1998).

C.  Personal and Advertising Coverage and the Internet

a.       Liability risks arising out of a policyholder’s advertising activities and Internet presence include claims of libel, slander, defamation, violation of privacy rights, misappropriation of advertising ideas, and copyright violations.

b.      Although CGL policies generally include personal and advertising injury, these policies contain a number of exclusions in the personal and advertising injury liability section.

c.       Media and Internet related businesses are specifically excluded from coverage.  See Ins. Servs. Office, Inc., Commercial General Liability Coverage Form, CGGL1, CG 00 01 12 04, Section 1B2(j).

d.      Furthermore, personal and advertising injury committed by “an insured whose business is: advertising, broadcasting, publishing or telecasting; designing or determining content or websites for others; or an internet search, access, content or service provider” is excluded under the standard CGL policy.  For purposes of this exclusion, however, the placing of frames, borders or links, or advertising, for the policyholder or others on the Internet, is not, by itself, considered the business of advertising, broadcasting, publishing or telecasting.

e.       Another enumerated exception is for personal and advertising injury that arises “out of an electronic chatroom or bulletin board the insured hosts, owns, or over which the insured exercises control” is excluded from coverage.

III.New Insurance Policies – E-Commerce and Cyber-Risk

A.    As a result of these gaps, insurers have come up with new insurance policies geared towards e-commerce and the Internet.

B.     A typical e-commerce policy might include the following clauses:

a.                   First party coverage:

1.      Information assets: Actual losses sustained by the insured as a result of a failure of its security system.

2.      Cyber-extortion: Threat or connected series of threats to commit an intentional computer attached against the insured.

3.      Business interruption:  Lost profits and expenses resulting from damage to the insured’s computer network caused by a breach in security.

4.      Crisis management:  Cost of hiring a public relations, crisis management, or law firm to restore the confidence of the insured’s customers and investors in the security of the insured’s computer system, following a breach in security.

b.                  Third party coverage:

                                                                        1.      Display of Internet media: Display of any media, including advertisements, on the insured’s website; claims for slander and defamation, copyright infringement, domain name misappropriation, trademark infringement, improper deep-linking or framing, and other items.

                                                                        2.      Providing professional services:  Claims for negligence related to a number of Internet professional services (application service providers, domain name registration services, e-commerce transaction services, Internet hosting services, Internet service providers, search engine services, and other Internet related services).

                                                                        3.      Breaches of security:  Insured’s damages as a result of breaches of insured’s computer security.

c.                   Exclusions:

1.      Losses from a certified act of terrorism

2.      Intentional torts and employee violations of computer network security

3.      Physical damage to the computer network caused by traditional perils such as fire, earthquake, wind and water.

C.     Other insurance products can go further and protect:

a.                   Patent infringement

b.                  Other risks in certain specific Internet businesses (i.e. internet publishing, website hosting, etc.)

 IV.Errors and Omissions Insurance

A.                E&O insurance provides coverage for damages resulting from negligence, omissions, mistakes and errors made by the insured.

B.                 Typical companies that might have E&O exposure include companies that deal in computers, computer equipment and software.

C.                 Example:  Web site designer/programmer where the client sustains damages on its computer network as a result of mistake by designer/programmer.

D.                Examples of exposures:  service outages and interruptions; faulty technical support; faulty security measures; release of confidential information; designing, constructing or maintaining an Internet site; maintenance of chat rooms or bulletin boards; and faulty software.

 E.                 For Internet/E-Commerce businesses, a typical E&O policy might result in a dispute as to the scope of coverage.  It is therefore advisable to discuss with insurance broker as to the scope of applicable coverage.

Those who ballyhoo the death of privacy as we know it should take heed of the FTC Chairman, Jon Leibowitz, and his resort to words of Justice Louis Brandeis.  Quoting a 1928 decision that cast society’s right to privacy as a core constitutional principle, Leibowitz stated the Fourth and Fifth Amendments to the Constitution recognized that the right to be enjoy privacy is “the most comprehensive of rights and the right most valued by civilized men.”  Looks like the FTC is not going to let that notion enter its twilight in 2012.

The FTC’s report provided three guiding principles for future efforts at consumer privacy protection:

1. Transparency. The FTC reiterates that companies bear the burden to disclose details about their collection and use of consumers’ information, and provide consumers access to the data collected about them.  In addition, the FTC makes the point such disclosures should be easier to digest and navigate.
2. Privacy Not as Afterthought but by Design. Businesses should seek to bake in consumer privacy protection during the developmental stages of their applications and products.  These include reasonable security for consumer data, limited collection and retention of such data, and reasonable procedures to promote data accuracy.
3. Simplified Choice for both the End Consumer and Businesses. Consumers should be given clear and navigable choices with respect to how their personal data is used and shared and with whom. The FTC emphasized that no-one has the right to put anything on a consumer’s computer. Finally, the FTC acknowledged the strides being made in “Do Not Track” initiatives.

Some additional points of note:

Data Brokers: The FTC also makes the suggestion that legislation may be required to regulate so called: “data brokers”. Data brokers are those now increasingly essential consumer data clearing and storage houses that are part of the data food chain.  These brokers, as a result, may engage in the very same activities that define regulated credit and consumer reporting agencies, but without being subject to existing legislation or regulatory frameworks. Hence the FTC has requested that such data brokers collaborate to create a centralized database through which they will “(1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”

Promoting Enforceable Self-Regulatory Codes: The FTC will work with the Department of Commerce and stakeholders to develop industry-specific codes of conduct. To the extent that strong privacy codes are developed, when companies adhere to these codes, the FTC will take that into account in its law enforcement efforts. If companies do not honor the codes they sign up for, they could be subject to FTC enforcement actions.

By: Kaiser Wahab and Lauren Mack

Employers are now on full alert that employee’s online activity in the office and in the home has a direct, often beneficial / often detrimental impact, on the bottom line.  And with each day’s headlines new complications and permutations challenge any chance at a one size fits all understanding.  Hence, the few legal boundaries that employers can rely on should be on any manager’s desk.

 Below is a summary of major online employment issues and what employers can and cannot do about them.  Also, there are footnotes and a breakdown of cases in the arena for reference.

1. May employers use the Internet and social media to perform background checks on employees?

An employer may look at anything that is publicly available on the Internet to verify a prospective employee’s credentials. An employer who accesses any information that is password protected or otherwise not available to the public without the authorization of the potential employee will be subject to liability under the Stored Communications Act (SCA), which prohibits intentionally accessing or exceeding authorization to access a facility in which an electronic communication is provided and thereby obtaining access to an electronic communication stored in the system.

If a third party is hired to conduct the background check, the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) requires that the employee consent to the check. Investigations related to suspected employment misconduct, compliance with federal, state or local laws and regulations, or any preexisting written policies of the employer are exempted from the consent requirement under the Fair and Accurate Credit Transactions Act.

An employer may not use information gathered from social media in order to screen out applicants or take adverse action against an employee based on a protected category, such as race or age.

2. May employers monitor employee email?

Yes, and it is often in the employer’s best interest to do so. ^{NOTE 1}  Employers should be aware of what is happening in the workplace, and monitoring work email is one of the best ways to find out. Once an employer decides to monitor email, it is important for the monitoring to be consistent and effective, as monitoring also comes with a duty to investigate and take remedial action if the employer becomes aware of sexual harassment or illegal activity. ^{NOTE 2}  Otherwise, the employer may be held liable for knowingly allowing the inappropriate activity to happen.

When it comes to monitoring the personal emails of employees that are accessed on work devices, however, the line is not as clear. The answer turns on whether the employee had a reasonable expectation of privacy in the personal account when it was accessed at work. It has proven difficult for employees to successfully establish a reasonable expectation of privacy in personal emails accessed on company computers, especially if the use of personal email is forbidden while at work or company policy makes it clear that all communications will be monitored. ^{NOTE 3}   Certain types of statutorily protected communications may not be accessed by employers in any situation, including emails from an employee’s attorney. ^{NOTE 4}

3. May an employer monitor employee conduct on social media?

Employers may monitor their employees’ social media use as long as it does not violate any laws or ethics rules. Just as with background checks, activity that an employee has chosen to make public is fair game, but employers may not violate the SCA by pressuring an employee for a password to a personal social media account, creating a fake account in order to gain access, or otherwise “breaking in” to a protected social media page. ^{NOTE 5} Monitoring of social media profiles and information should be consistent regardless of their race, gender, or other protected class status.

4. What if an employee’s off-duty social media use is unacceptable to the employer?

Several states have laws that protect off-duty conduct, although it is unclear whether they apply to off-duty communications. For example, New York Labor Law §201-d protects employees engaging in recreational or certain political activities if they are off duty and not using work equipment or work property.

Recently, however, the NLRB has taken a strong stance on defending the rights of employees to engage in protected activities on social networks while not at work. An NLRB challenge of American Medical Response’s social media policy ended in early 2011 when AMR agreed to not restrict, discipline, or discharge employees from engaging in protected activities while not at work, as such discussing their wages, hours, or working conditions. As both union and non-union employees are protected by the National Labor Relations Act (NLRA), all employers should have narrowly tailored policies that avoid restricting protected activities outside of work and consider whether an employee’s post on a social media network is protected activity before taking any action against that employee. ^{NOTE 6}

5. May an employer regulate employees’ Internet use at the office?

Unless there is a state statute or ethics rule that prohibits monitoring work time, an employer may monitor how much time employee spend using the Internet and social media networks at the office. ^{NOTE 7}  Whether the use is for employer purposes or not does not matter, although employers may want to consider giving employees some input into the company social media policy if social media use is a job requirement.

6. Can an employer ever be held liable for an employee’s online conduct?

FTC regulations (16 CFR § 255.1(d)) hold advertisers liable for failure to disclose material connections between themselves and their endorsers. This means that a company can be held liable every time an employee endorses the company’s product or service without disclosing his or her relationship, whether the employer was aware of the endorsement or not. An endorsement could include as little as positive comment on a blog or social media site if it reflects the employee’s “opinions, beliefs, or experiences.” For this reason, company policy should bar all employee communications about company products and services, or at least prohibit those without the proper disclosures.

Employers should also regulate what employees post on the company’s website. A 2008 SEC guideline (Release No. 34-58288) made it clear that statements made by an employee in a company interactive forum are never made in an individual capacity, and the company may therefore be held liable for those comments as well.

7. May an employer keep an employee (or ex-employee) from making defamatory comments about the employer online? Can the employer successfully sue the website hosting the comments if this happens?

An employer may terminate current employees for making defamatory comments about the company online, but courts will avoid enjoining ex-employees from making such comments as it is a prior restraint on free speech. ^{NOTE 8}

An employer will not be able to obtain damages from any website hosting offensive comments due to the Communications Decency Act (47 U.S.C. § 230 et seq.), which protects the provider of an interactive computer service from liability arising from communications made by third parties in most cases. ^{NOTE 9}

8. What can an employer do if an employee posts trade secrets or confidential information online?

While there may be some common law protection, employers should have confidentiality agreements and policies in place to avoid employee disclosure of confidential information. Employers must wait to take action against the employee until after the information has been disclosed, as enjoining employees from posting confidential information or intellectual property also creates a prior restraint on free speech. ^{NOTE 10} If the content posted is copyrighted by the company, the employer may request that the infringing content be removed under the procedures outlined in 17 U.S.C. § 512(c) as long as the employee’s post cannot be considered a fair use.

9. Are there additional protections or considerations when it comes to union employees?

Employer policies prohibiting employees from using email for non-work related solicitations do not violate the NLRA and union employees may be disciplined for online conduct as long as it is not protected activity. ^{NOTE 11}   Employers may need to give notice to the union with an opportunity to bargain before adopting a social media policy. ^{NOTE 12} Secondary picketing issues may arise if mass emails soliciting membership or support are sent to employees or if employees use email to put economic pressure on a secondary employer to stop doing business with a primary employer.

10. Should employers have an acceptable use policy and what should it contain?

Employers should not only have a comprehensive acceptable use policy, but also make sure that employees are aware of its contents and that it is enforced. The policy should cover everything relating to work computer use, company-provided cell phone use, the use of company trademarks or other intellectual property, and the disclosure of confidential information and trade secrets.

• Employees should be prohibited from:
  • Exposing confidential information and trade secrets.
  • Using company trademarks inappropriately or without authorization.
  • Referring to company clients, customers, or partners online without permission.
  • Making discriminatory statements or sexual innuendo towards other employees, customers, or anyone else associated with the employer (see #2).
  • Making defamatory or derogatory statements about other employees, customers, or anyone else associated with the employer.
  • Communicating about or endorsing company products or services without the employer’s consent and a disclosure of the employment relationship (see #6).
  • Engaging in illegal conduct using company software or equipment.
  • Accessing personal or inappropriate websites while at work.
  • Posting copyrighted content on the company’s website.
  • Posting a recommendation or informal review of a subordinate.
• Employees should be warned:
  • That all work email and computer use may be monitored.
  • That employee social media use will be monitored, whether while on the job or off-duty.
  • That professionalism is expected in all postings and publications on behalf of the company (see #6).
  • If material must be reviewed before being posted to the company website.
  • What kinds of disciplinary action may be taken if the policy is violated.
• Employees should be required to:
  • Provide all passwords to work-related accounts to management.
  • Comply with the Terms of Service of social networking sites.
  • Report any communications they find that violate the policy.

Notes: Case Law

1. Fraser v. Nationwide Mutual Ins. Co., 352 F.3d 107 (3d Circ. 2003): The employer did not improperly intercept an employee’s work-related emails under the Electronic Privacy Communications Act because they were in post-transmission storage.

2. Doe v. XYC Corp., 382 N.J. Super. 122, 887 A.2d 156 (App. Div. 2005): An employer has a duty to investigate the employee’s activity if it is on notice that an employee is using a work computer to access pornography, potentially including child pornography.

3. U.S. v. Butler, 151 F. Supp. 2d 82 (D. Me. 2001): There was no reasonable expectation of privacy in a student’s use of a computer that was part of a university network system.

Garrity v. John Hancock Mutual Life Ins. Co., 2002 WL 974676 (D. Mass. 2002): Marking folders as personal did not create a reasonable expectation of privacy for employee.

United Sates v. Hassoun, 2007 W.L. 141151 (S.D. Fla. 2007): The employee had no reasonable expectation of privacy in his office computer based on the employer’s written policies.

4. Stengart v. Loving Care Agency Inc., 201 N.J. 300, 990 A.2d 650 (N.J. 2010): An employer cannot violate statutory privileges in accessing emails, such as attorney client privilege, even when company policy states that there is no privacy in emails accessed on a work computer.

5. Pietrylo v. Hillstone Restaurant Group, 2009 WL 3128420 (D.N.J. 2009): Restaurant managers who obtained the password to a an invite-only MySpace gripe group from an employee (who claimed to be under duress) and knowingly accessed the MySpace group without authorization violated the SCA and the New Jersey Wiretapping and Electronic Surveillance Control Act.

VanAlstyne v. Elec. Scriptorium Ltd., 560 F.3d 199, 28 IER Cases 1441 (4th Cir. 2009): Punitive damages were awarded under the SCA without a showing of actual damages when an employer accessed an employee’s personal email account after she left the company without the employee’s authorization.

Philadelphia Bar Ass’n Professional Guidance Comm’ee Opn. 2009-02 (March 2009): An advisory opinion issued by the Philadelphia Bar Association’s Professional Guidance Committee concluded that asking another person to contact a witness on a social media site in order to gain access to the information on their personal profiles would violate attorney ethical prohibitions against misconduct and requirements for truthfulness in statements to others.

6. Marshall v. Mayor and Alderman of City of Savannah, 2010 WL 537852 (11th Cir. 2010): An employee who posted photographs of other employees obtained from the employer’s website alongside scantily clad pictures of herself on MySpace was reprimanded and then terminated after denying she was violating her employer’s policy. The 11^th Circuit found her postings were not protected by the First Amendment and that because male employees were not treated differently, she was not fired solely for her social media postings.

7. Calandriello v. Tennessee Processing Center, LLC, 2009 WL 5170193 (M.D. Tenn. 2009): No discrimination was found when a bipolar employee was terminated for loss of confidence after he admitted to accessing violent websites that included news about serial killers on his work computer and altering a company inspirational poster with a photograph of Charles Manson, despite the employee’s claims that his use of the Internet did not violate company policy because other employees often surfed the Internet.

Cervantez v. KMGP Services Co. Inc, 349 Fed. Appx. 4 (5th Circ. 2009): Violation of the employer’s computer use policy by accessing pornographic sites was a legitimate reason for discharging the employee. The Court also noted that even if the logs produced by the employer were inconsistent, summary judgment was still appropriate since actual innocence is irrelevant if the employer reasonably believed the reason for termination and acted in good faith.

Pacenza v. IBM Corp., 2010 WL 346810 (2nd Circ. 2010): When an employee with post-traumatic stress disorder was fired for violating company policies by accessing sexual materials on the Internet while at work, his termination was legitimate because there was no showing that he was singled out or treated more harshly than similarly situated non-disabled employees.

8. Ramos v. Madison Square Garden Corp, 257 A.D.2d 492 (1st Dept. 1999): An employer’s request for an injunction against an employee’s defamatory statements was refused because granting relief in the form of prior restraint is undesirable and damages after the publication of the states is an adequate remedy at law.

Aguilar v. Avis Rent-A-Car System, Inc., 21 Cal. 4th 121 (1999): A limited injunction was granted that prohibited racial epithets in the workplace.

Varian Med. Sys., Inc. v. Delfino, 113 Cal. App. 4th 272 (2003): An employer may terminate an employee for posting derogatory comments about the company and company executives.

9. Doe v. MySpace, Inc., 474 F. Supp. 2d 843 (W. D. Tex. 2007): MySpace could not be held liable on a negligence claim by the victim of sexual abuse by an online predator who contacted the victim through the service.

Shiamili v. The Real Estate Group of New York, Inc., 2011 NY Slip Op 05111 (2011): A website that took an anonymous comment by a third party, moved it to a stand-alone blog post, and added non-defamatory content was not held liable for the original comment’s allegedly defamatory content.

10.  Ford Motor Co. v. Lane, 67 F. Supp. 2d 745 (E.D. Mich. 1999): Enjoining an employee from posting allegedly misappropriated trade secrets and copyrighted material would violate the First Amendment as a prior restraint.

11.  Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Circ. 2002): When an employee claimed he was wrongly disciplined and was critical of labor concessions on his blog, the blog content was considered protected union activity and lacked the actual malice needed to make it defamatory.

State of Minn., 117 Lab. Arb. Rep. (BNA) 1569 (2002): Allowed an extensive investigation of chain of pornographic emails and related computer use based on an employee’s complaint that she saw a nude woman on co-worker’s computer screen.

12. Kuhlman Elec. Corp., 123 Lab. Arb. Rep. (BNA) 257, 262 (2006): A new policy on use of computers and the Internet was not contrary to the collective bargaining agreement and did not materially, substantially, and significantly affect the terms and conditions of employment.

California Newspaper Partnerships, 350 N.L.R.B. No. 89 (Sept. 10, 2007): An employer must bargain with the union over a policy forbidding use of email accounts to send messages about union affairs.

As Congress grapples with ways to kick start the economy and spur small business formation and growth, one proposal it is considering is relaxing the long-standing ban on general advertising or solicitation imposed on private companies seeking to raise capital under the private placement rules of Reg D of Section 4(2) of the 1933 Securities Act.

Perhaps the most commonly used “safe harbor” private offering exemption is found under Rule 506 which, along with Rule 502, provides “that neither the issuer nor any person acting on its behalf shall offer or sell the securities by any form of general solicitation or general advertising, including, but not limited to, the following:”

1. Any advertisement, article, notice or other communication published in any newspaper, magazine, or similar media or broadcast over television or radio; and
2. Any seminar or meeting whose attendees have been invited by any general solicitation or general advertising.

This prohibition essentially mandates that any issuer utilizing the Rule 506 exemption must have a bona fide, pre-existing relationship with every potential investor. The prohibition has come under increasing criticism as unnecessarily restricting on the ability of private companies to raise capital. On January 6, 2012, the SEC’s Advisory Committee on Small and Emerging Companies made the following recommendation:

[T]he Advisory Committee recommends that the Commission take immediate action to relax or modify the restrictions on general solicitation and general advertising to permit general solicitation and general advertising in private offerings of securities under Rule 506 where securities are sold only to accredited investors.

If enacted, the number and visibility of private placement under rule 506 should increase substantially making it easier for small companies to find the accredited investor they need to fund their growth.

I. Require an Affirmative Act for User to Convey Assent (to Click or not to Click…)  The operative word in click wrap agreement is “click”.  Hence merely having the agreement as a permalink at the bottom of the site is insufficient to demonstrate that a user really had adequate notice of its existence and, further, the user actually agreed to it.  Hence having a means to make the agreement a mandatory part of the process (registering, ordering, etc.) is the best course for demonstrating the agreement was assented to and, as a result, binding.   The current du jure method is to employ a check the box or click the button marked “I Agree” or “I Accept.”

II. Allow the User to Exit the Process at Any Time.  Providing the user a clear, manageable way to not assent to the agreement is just as strong a requirement, as providing a clear means to show assent.  In other words, just as the check the box indicates assent, having a means for the user to exit the process demonstrates that the process is voluntary and that any assent was not made under duress.

III. Keep Accurate Records of the Process. If a tree falls in the forest and no one heard it did it really fall?  Implementing a robust framework to show assent or non-assent will not help your cause, if you do not have the record keeping to corroborate it.  In short, you must be able to adequately demonstrate what steps the user undertook during the click wrap agreement process and what that user actually saw during that process. Hence, your platform should have the technical ability to create a record of the transaction indicating what documents were submitted to the user, the time and date of that submission, as well as the user’s ultimate actions (e.g., checked the box or not).

IV. Be Aware of whether you are Dealing with Children and Minors.  Increasingly children are using the Internet in the same fashion as their parents, as consumers of information and goods.  And due to the extreme anonymity and automation of the net, many operations fall into the trap of click wrap agreements being given to minors and small children.  In the worst case, those children may seek to use the defense of “infancy” or being a minor to get out of their contractual obligations and restrictions.  So far the legal landscape is fragmented on this issue, with only the 4^th circuit saying definitively that clickwrap agreements are enforceable upon minors at this time (A.V. v. iParadigms, LLC, 2009 U.S. App. LEXIS 7892 (4^th Cir. Apr. 16, 2009)).

V.  Beware of Legacy Agreements.  Businesses that are seeking to take the leap from paper to digital agreements should be careful not to create a tangled web of conflicting terms.  Without proper vetting of previous agreements and those terms, in particular, language that prevents modification of the legacy agreement without a written and signed instrument, the click wrap agreement could be dead on arrival.  In that event, a court may decline to enforce those new click wrap terms because they were not actually “signed” or because there was no separate signed document to modify the original agreement.  Hence a review of legacy agreements with business counsel prior to click wrap migration is a good idea overall.

By making both parties aware of their responsibilities and when they may be held liable for failing to live up to those responsibilities, a strong SLA can help prevent many of the hassles and dangers that can come with switching over to the cloud.  This article provides insight into the major parameters and provisions that drive the SLA.

The provisions of an SLA generally fall into three broad categories:

1. Data Processing and Storage;
2. Infrastructure and Security; and
3. The Provider-Client Relationship.

1. DATA PROCESSING AND STORAGE

Ownership of Data – For any business, it is imperative that the SLA clearly state that the client retains all ownership in the data it stores with the provider.  This is especially important if the business plans to store any copyrighted, trademarked, or patented content or other proprietary data to which it owns the rights.  Depending on the nature of the services, businesses may also want to clarify the ownership of the product of any data processing that occurs on the provider’s system.

Access to and Use of Data – The agreement should stipulate that the client has the right to access and retrieve any of its data stored by the provider.  For situations in which there is an emergency and data needs to be accessed right away, a procedure and timeline should be in place for the client to quickly address time-sensitive matters.  Businesses may also want to consider a provision prohibiting the provider from using the data for any purpose other than the agreed upon services or from allowing third parties to access and use the stored data.

Location of Data – Because the stored data’s physical location determines many of the laws that will apply to it, it is very important for the client to know in what jurisdiction its data will be located.  The laws of that jurisdiction will govern who can access the data, how it must be stored, and how security breaches must be handled.  It is often the client’s responsibility to make sure that it complies with these laws, but it cannot know what laws it must obey without knowing where the data resides.  The provider may need to certify that it complies with the European Union Data Protection Directive if personal information about citizens of EU countries will be stored in its infrastructure.  Businesses must be aware of and make sure that the provider complies with any other foreign laws governing the storage or transfer of the personal information of that country’s citizens that may apply.  Clients should also be cautious of violating United States export control regulations if certain types of data are “exported” to a server outside of the United States.

Government Requests for Access to Data – The SLA should also address what will happen if there is a subpoena or other government request for the client’s data.  It should contemplate whether the client will be notified before or after the provider discloses the data (if the client is notified at all) and what the provider’s obligations are if the client decides to contest the order.  Clients may also want to include a provision requiring the provider to limit the disclosure of the business’ data as much as possible when responding to a government order.

Data Retention and Deletion – State, federal, and international laws may govern the retention and deletion of the client’s data.  If the business has a data retention policy, the SLA should bind the provider to those same procedures to ensure that retention requirements for certain types of data are complied with and, in the case of a lawsuit, any discovery obligations.

Metrics – The SLA might also describe several technical aspects of the provider’s service so that the client knows what kind of performance it should expect, including how quickly it responds, how often it is available, how likely the data is to be lost, the maximum amount of storage or bandwidth, how well the system performs as load increases, the percentage of requests that are handled automatically, and how quickly the provider responds to a service request.  A penalty for failing to meet these standards may be built into the contract, as well as incentives for meeting or exceeding them.

2. INFRASTRUCTURE AND SECURITY

Data Security – Depending on the type of data and the location where it will be stored, the SLA may need to require a specific minimum level of security to comply with state, federal, and foreign laws.  Clients should know what level of security their data must have to comply with any applicable laws and make sure that the SLA holds the provider to those minimum requirements or higher.

Security Breaches – It is very important that a SLA define what constitutes a security breach.  This could range from a narrow definition, such as a breach of the security obligations set forth in the agreement, to a broader definition, such as “any actual or reasonably suspected unauthorized use of or access to provider systems or unauthorized disclosure or alteration of client information.”  Although some state and federal laws already require providers to notify clients of a security breach, breach notification procedures should be in place to govern how and when the client will be notified, as well as any other details concerning the breach that need to be communicated to the client.  The SLA may require the provider to investigate the breach, use its best efforts to mitigate the breach’s impact, collect evidence surrounding the breach, and document its response.  If the breach is due to an error on the part of the provider, the agreement may make any resulting damages or fines the provider’s responsibility.

Disaster Recovery – The client should be aware of how much redundancy there is in the provider’s system to ascertain its ability to prevent outages and how the provider plans to continue to supply uninterrupted service if there is a disaster or other unforeseen event.  There should be notification procedures for when the service is down or data is damaged, and the agreement should also specify under what circumstances the provider must compensate the client for service outages or damaged data.

Maintenance – Clients may want to contract for advance warning when maintenance tasks will be performed on the provider’s infrastructure and whether the service will be down or slowed during that time.

Right to Audit – The client will often want an annual right to audit the provider’s security to make sure that it is complying with all security requirements in the agreement, as well as any applicable privacy and data security laws.  An audit right is also useful in determining any system vulnerabilities, whether data transfer restrictions are being complied with, whether the data retention policy is being followed, and whether the data is properly deleted after termination of the relationship.  How and when the audits will occur should be determined, as well as any fees or limits the provider places on the audit, such as a cap on provider labor costs incurred as a result of the audit.

3. PROVIDER-CLIENT RELATIONSHIP

Price Caps – The Client may want to contractually limit the amount that the provider can increase its fees each year by creating a price cap based on a percentage increase or what the provider charges its other customers.  Clients who plan ahead will also want to negotiate the costs of any expansions of volume or usage in the future.

Functionality – Since cloud computing is constantly evolving, providers often update their infrastructure, including adding and deleting features.  Clients may want to ask for notification whenever the provider plans to delete functions or features enough time in advance for the Client to be able to switch to another provider if the update creates problems for the business.

Vendor Outsourcing – When a cloud user contracts with a provider, it is not always necessarily the case that same provider hosts the cloud user’s data.  That provider may contract with another provider for cloud services, who may then turn around and contract for cloud services from yet another provider, to the point where neither the Client nor the original provider know where the Client’s information is actually being stored.  As discussed above, there are several reasons why the Client must know the location of its data.  The SLA should address whether the provider may outsource its services, whether the Client must be given notice and approve of any subcontractors, and whether the subcontractors must also comply with the SLA or meet other security standards.

Limitations on Liability – Both parties should be aware of how much liability the SLA allocates to the provider.  Some agreements may narrow the scope of information or the circumstances under which the provider is liable in the event of a breach or cap the amount of damages it will be responsible for if it is liable, while others will leave the amount of the provider’s liability in the event of a security breach unlimited.

Indemnification – Many provider contracts do not include an indemnification provision, but a clause indemnifying the Client for any security breach or breach of applicable privacy laws caused by the provider can save the Client a lot of time, money, and hassle.  The indemnification clause may include expenses beyond those associated with claims, litigation, and fines to cover the cost of notifying customers, employees, and regulatory bodies; investigating, assessing, and remedying the breach, including by providing crediting monitoring or other services to those affected by the breach; hiring public relations consultants; and responding to government investigations.

Termination – Who may terminate the contract as well as when and why must be included, along with any associated fees or refunds.  The SLA should also describe how, when, and in what format the data will be returned to or retrieved by the Client upon termination.  If the provider stores data in a format that is not accessible by the Client, this could become a problem when the Client attempts to switch providers if the format is not specified.  Once the data has been successfully transferred to the Client, the contract should require the provider to destroy its copies of the data.

CONCLUSION – While there is no template SLA and each cloud solution vendor is unique, the above is a good roadmap to understanding the general issues.  Moreover, with that insight, better terms can be negotiated to address your operation’s unique concerns.  Certainly, if a vendor’s SLA is light on details that alone may be an indicator that the vendor is light on accountability.

So rather than dwell on the finer academic points of the registration equation, below are the quick and dirty Top 5 for securing copyright protection for you and your operation.

Top 5 Reasons:

1. You can Sue. I’ll say it again, no copyright registration, quite possibly no right to drag someone to court.  It’s that simple. You may “technically” have a copyright the minute you write something down, but a court won’t care often unless there is a firm piece of paper (i.e., a registration certificate). Moreover, once you’re in federal court you may be able to inflict a world of hurt on an infringer with up to $150,000 in statutory damages and attorney’s fees.

2. Stop Fakers, Biters, and Infringers at the Border. Imagine making US Customs your enforcement agency?  That is exactly what is possible with a federal Copyright registration.  Leveraging one to prevent importation of infringing goods can mean the difference between competitive edge and catastrophic failure. Pro Tip: you will also need to record your copyright registration with the U.S. Customs Service.

3. Public Notice of Rights. As with all forms of protection, deterrence is the name of the game.  With a copyright registration, as a legal matter, others are placed on notice that you have rights.  Registration creates a public record that also provides much needed ammunition in quashing internet violations and infringements (again, no paperwork and an ISP may be less inclined to take your takedown request seriously). In addition, registration can affect your bargaining position in disputes and negotiations (registration provides the paperwork you may need to assign, sell, pledge or license your copyrighted asset).

4. Presumption of Validity. In a courtroom, a copyright registration within five years of a work’s “publication” will be deemed valid and the alleged infringer will be faced with an uphill battle of proving otherwise.  Hence, a copyright registration, if undertaken early, makes an enforcement lawsuit more formidable.

5.  It’s Really, Really Cheap.  Copyright is by far the most affordable form of federal intellectual property protection.  While each prong of intellectual property provides certain rights and remedies and addresses certain features of a work (e.g., contrast trademarks against copyrights), copyright offers significant protection, deterrent value, and other features for the cost of a good meal.  At 35 dollars a pop (with online registration at www.copyright.gov), no business venture should be crying poverty.

Six Months after New York Spoke on Defamation Immunity for Online Service Providers, Analysis & Thoughts

By Lauren Mack & Kaiser Wahab

The New York Court of Appeals, New York’s highest court, handed down an opinion this June that was a big win for online service providers in one of the Union’s most populous and critical states.  The Court of Appeal’s first decision involving Section 230 of the Communications Decency Act (47 U.S.C. §230), (following nearly a decade of case law on this statutory provision in other jurisdictions) Christakis Shiamili & c., v. The Real Estate Group of New York, Inc. et al., found that The Real Estate Group of New York (“TREGNY”) was still protected from liability by Section 230, even after it had promoted a user’s comment to its own stand-alone post and added a new heading, subheading, preface, and image with caption.

Background

The plaintiff, Christakis Shiamili, is the CEO and founder of Ardor Realty Corp., an apartment rental and sales company operating in New York City.  TREGNY, the defendant in the case, is a competitor of Ardor in the New York City rental market and hosts a blog on its website dedicated to covering the New York City real estate industry.  An anonymous user, operating under the name “Ardor Realty Sucks,” posted a comment to TREGNY’s blog that suggested Shiamili mistreated his employees and was racist and anti-Semitic.

TREGNY took the lengthy comment and moved it to its own stand-alone post.  To this new post, TREGNY added the heading “Ardor Realty and Those People,” the sub-heading “and now it’s time for your weekly dose of hate, brought to you unedited, once again, by ‘Ardor Realty Sucks’. and for the record, we are so. not. afraid.,” and prefaced the comment with “the following story came to us as a … comment, and we promoted it to a post.”  TREGNY also added a depiction of Jesus Christ with Shiamili’s face and the caption, “Chris Shiamili: King of the Token Jews.”  This post sparked further anonymous comments, including ones that suggested Shiamili abused his wife and that Ardor was in financial trouble.

After commenting on the thread himself, Shiamili asked TREGNY to take down the allegedly defamatory statements.  TREGNY refused, and Shiamili then sued TREGNY, its COO Daniel Baum, and the COO’s assistant Ryan McCann who was operating the website, claiming defamation and unfair competition by disparagement.

The New York Supreme Court denied TREGNY’s motion to dismiss for failure to state a claim because discovery was necessary to uncover more information to determine the “defendants’ role, if any, in authoring or developing the content of the website.”  The Appellate Division unanimously reversed and dismissed the complaint on the basis that it did not allege that TREGNY authored the defamatory statements and that Section 230 of the Communications Decency Act “protects website operators from liability derived from the exercise of a publisher’s traditional editorial functions.”

The Opinion

The Court of Appeals affirmed the Appellate Division in a 4-3 decision, explaining that Section 230 provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  A defendant is immune from liability if it is “(1) a ‘provider or user of an interactive computer service’; (2) the complaint seeks to hold the defendant liable as a ‘publisher or speaker’; and (3) the action is based on ‘information provided by another information content provider.’”  The Court of Appeals also quoted seminal Section 230 case Zeran v. America Online, Inc., which found “Section 230 was enacted, in part, to maintain the robust nature of Internet communication and, accordingly, to keep government interference in the medium to a minimum.”

Turning to an analysis of the case at hand, the court found that the action sought to treat TREGNY as the publisher or speaker of information provided by another content provider because the complaint did not allege that TREGNY authored the defamatory content, only that it published and edited it.  Analysis of Section 230 from other courts made it clear that TREGNY could not be held liable for reposting content provided by another because it is within “a publisher’s traditional editorial functions.”  Critically, the court found that even though TREGNY did write the heading, sub-heading, introduction, and image caption, those portions of the post were not defamatory as a matter of law.  The court also rejected Shiamili’s argument that TREGNY was a content provider because it implicitly encouraged users to write negative comments on the grounds that the ability to create a forum for others to post negative commentary was precisely what Section 230 was meant to protect.

Shiamili urged the court to adopt the Ninth Circuit’s broader view of what constitutes “development” of third party content by an online service provider.  In Fair Housing Council of San Fernando Valley v. Roommates.com, the Ninth Circuit held that Roommates.com was not protected by Section 230 because it had contributed “materially to the alleged illegality of the conduct.”  The Court of Appeals declined to consider this view because that even under the Ninth Circuit’s narrower analysis, Section 230 still shielded TREGNY.

A Note on the Dissent’s Arguments

The three dissenting judges accepted that reposting the comment could be considered within the traditional editorial functions of a publisher, but felt that a reasonable reader could have believed the content of the post after seeing the headings, image, and caption that TREGNY had added.  This, the dissent argues, should be considered a material contribution to “the alleged illegality of the conduct” and deprive TREGNY of Section 230’s shield.  To them this was not the conduct of a passive conduit, especially in light of the competition between TREGNY and Ardor.

The Future

This case signals that New York courts will take a very broad approach when it comes to future Section 230 cases and may outright dismiss claims when the site operator has exercised traditional editorial functions on the third party content.  But recent discussion around other laws pertaining to the Internet may signal a change of tone in the future (perhaps even a massive shift in the philosophy that governed early Internet legislation).  For example, one of the cornerstone Internet statutes, the Digital Millennium Copyright Act’s safe harbor provision (“DMCA”), which has for fifteen years protected online service providers from copyright infringement committed by users under certain conditions, faces a severe reversal of fortunes if pending legislation is signed into law.  Though having enjoyed broadly beneficial interpretations for online service providers (see the YouTube and MP3Tunes cases), legislation introduced this year – the PROTECT IP Act in the Senate and the Stop Online Piracy Act (“SOPA”) in the House – threaten to greatly weaken and possibly negate the  DMCA’s protection.

Could we see a similar legislative curtailing of Section 230 in the future?  It is unlikely to happen on its own, as the victims of speech constituting defamation and other torts shielded by Section 230 generally do not have the enormous lobbying power of large media companies.  Our own firm penned a Journal Note in the Cardozo Arts & Entertainment Law Journal about applying DMCA frameworks to defamation (DOES LIABILITY ENHANCE CREDIBILITY?: LESSONS FROM THE DMCA APPLIED TO ONLINE DEFAMATION).  However, if legislation similar to PROTECT IP and SOPA does become law, there is the potential for it to shift the norms and expectations of what responsibilities belong to online service providers to the point where the courts, legislature, or both may determine that online service providers should held responsible for the speech of their users as well.

 Online Platform Legal Audit Checklist

 Content

1)      Is there defamatory content on the platform?

A statement is generally defamatory when it is: 1) false, 2) published or made to a third party, and 3) injures the reputation of a third party.  Defamation is not always the result of a direct statement and can instead be inferred or insinuated, while a joke or statement of opinion may be the basis for defamation, if it is not clear that the statement was in fact meant to be taken as a joke or opinion.  Generally, only statements that are made as facts that are untrue can be defamatory, whereas opinions or the truth generally cannot.

2)      Does the platform infringe upon anyone’s “Right of Publicity”?

Generally, everyone has the right to control the use of one’s name, nickname, voice, picture, likeness, performance style, signature phrase and other identifying characteristics.  This is often referred to as the “right of publicity”.  Many states allow one to generally prevent the unauthorized commercial exploitation of one’s identity.  Hence, as a general matter, no one’s identity should be used for the platform’s commercial benefit (unless that person is being referred to for newsworthy or journalistic purposes) without that person’s written permission.

3)      Does the platform invade anyone’s privacy?

Online platform operators should avoid disclosing private information about third parties without their consent.  Many states allow third parties to sue for claims such as intrusion upon seclusion, public disclosure of private facts, and false light.

4)      Do you modify user submitted / generated content?

Section 230 of the Communications Decency Act provides that an online service provider will not be treated as the “publisher” of information submitted by another content provider.  This protects providers from claims such as defamation, intentional infliction of emotional distress, and other actions based on objectionable content, but only if the platform owner does not contribute to or could not be considered the creator of the content.  While generally user created content may be deleted without incurring liability, more intensive editing may destroy the protections Section 230.

5)      Additional Questions:

a)      Does the platform contain obscene materials?

b)      Are disclaimers used when appropriate, especially if there are legal, business, or tax discussions?

c)       Are there policies in place governing user comments, message boards, and other messaging systems?

d)      What are the penalties for users who violate platform policies?

e)      Must users indemnify the platform for any damage or liability arising from the user’s conduct?

Trademark

1)      Are third party trademarks used in an infringing manner?

A trademark is a word, name, symbol, image, or slogan that identifies and distinguishes a person’s goods or services from those of others.  Trademark infringement occurs when a third party’s use of the mark creates a “likelihood of confusion” or deceives consumers, such as by causing the public to believe that the third party’s product is made by or affiliated with the trademark owner.  The domain name itself can be considered infringing if the owner has no legitimate interest in the name and it is being used in bad faith (for example, if the owner bought the domain name for the purpose of selling it to the trademark holder).  This does not bar a third party from using the trademark in a non-confusing manner, such as by referring to the actual product.

2)      Are trademarks used in the platform’s code?

Trademark infringement doesn’t have to happen on the face of the platform – it can also happen below the surface.  Platform owners should make sure that they or their developers do not use third party trademarks in the platform’s meta-tags or other underlying code, as the courts have found that this use is also infringing.

3)      Additional Questions:

a)      Is the platform’s logo or slogan confusingly similar to a third party’s logo or slogan?

b)      Has the platform’s logo or slogan been registered as a trademark with the federal government?

Copyright

1)      Does the platform infringe on any third party copyrights?

A copyright owner has five exclusive rights: the right to reproduce the work, the right to distribute the work, the right to publicly perform the work, the right to publicly display the work, and the right to create derivative works (another work that incorporates all or a portion of the original work) from the work.  Platform owners must take care to not infringe on third party copyrights by reproducing, distributing, performing, displaying, or creating derivative works from copyrighted materials that they do not own the rights to or have permission to use.  This could include using a photograph from another platform, “framing” a third party website within the platform, or using any content submitted by users or independent contractors without permission (see below).

2)      Who owns the content available on the platform?

Do individual content providers own the materials they post or does it become property of the platform?  If content providers are employees of the platform owner, the content they post will be considered a “work for hire” and will automatically become the property of the platform owner.  If content providers are users or independent contractors, the copyright will remain with the posters unless there is an agreement stating otherwise.  Platform owners should make sure that they have a license to use any content that is not owned by them.

3)      If the platform contains user generated content, is it following the DMCA safe harbor provisions?

Section 512 of the Digital Millennium Copyright Act creates a safe harbor for platform owners and online service providers so that they will not be held liable for copyright infringement committed by their users.  To avail itself of this safe harbor, a platform cannot have actual knowledge of infringement, cannot receive a direct economic benefit when it has the right and ability to control the activity, and must quickly remove or disable access to infringing material once it has actual knowledge or notice of the infringing content. It must also have a system in place to process take down notices as detailed in the statute, and it may not induce its users to commit copyright infringement or hold itself out as a service meant to be used for copyright infringement.

4)      Additional Questions:

a)      Does the use of any copyrighted material that is not owned or licensed qualify as a fair use?

b)      Does the platform link to infringing content?

c)       Are proper copyright notices used?

d)      May users copy or post platform content elsewhere?

e)      Are there policies for the uploading of media or software to the platform?

f)       Can the platform exploit user submitted content and how?

Privacy

1)      What information are you collecting from your users and what are you doing with it?

Users should be made aware of what information is being collected about them, how it is used, and to whom it is disclosed.  Although there is currently no federal law governing online privacy in general, platform owners should make sure that they are complying with any applicable state or foreign online privacy acts.

2)      Is the platform directed at and collecting information from children under thirteen?

The Children’s Online Privacy Protection Act bars platforms from collecting personal information from someone under thirteen years old without verified parental consent if the platform is directed at children under thirteen or if it has actual knowledge that children under thirteen are providing it with personal information.  Personal information can include names, phone numbers, email addresses, and any other information from which the child’s identify can be determined.  Verified parental consent must be obtained through certain accepted processes and is revocable (in which case all gathered information, including information shared with third parties, must be deleted).  For platforms willing to obtain parental consent, a privacy notice must be clearly posted.

3)      Additional Questions:

a)      Does the platform or advertisers use cookies or behavioral data?

b)      Does the platform monitor and collect web traffic data?

c)       Who has access to cookie and/or web traffic data?

d)      If the platform collects sensitive information such as medical or financial information, social security numbers, or criminal histories, are any applicable state/federal laws or regulations being followed for the collection and storage of this information?

e)      Is there a way for users to opt out of having their information being collected and/or shared?

Revenue

1)      What is the platform’s advertising policy?

Platform owners need to make sure that any advertising is not false or misleading.  Agreements with all advertisers or advertising companies should require the advertiser to comply with all state and federal advertising laws and indemnify the platform owner from any claims relating to false or misleading advertising.

2)      Additional Questions:

a)      If a third party has sponsored a post to promote its product, is that fact disclosed?

b)      Is it easy for readers to tell editorial from advertising content?

c)       Do any sweepstakes, contests, or promotions comply with state and federal laws?

d)      If the platform is selling goods or services, is credit card and other information kept secure?

e)      Are any applicable sales taxes being collected?

f)       Are any laws regulating the sale of products available for purchase on the platform being followed?

Technical Matters

1)      What is in the platform’s service provider agreement(s)?

A service provider agreement should include:

a)      A full description of the services

b)      Any technical requirements

c)       Rates and how they will be calculated

d)      The term and when it may be terminated

e)      Any security measures the provider will have in place

f)       How confidential matters and proprietary materials will be protected

g)      Indemnification from the service provider’s conduct

2)      What is in the platform’s developer agreement?

A developer agreement should include:

a)      A full description of the services

b)      Rates and how they will be calculated

c)       Who will own the materials developed and the final product

d)      How the developer’s performance will be monitored

e)      The term and when it may be terminated

f)       Whether the developer will be responsible for regular updates or ongoing maintenance

g)      Indemnification from the developer’s conduct

3)      Additional Questions:

a)      Who owns the domain name?

b)      Who is the domain name’s registrar?

c)       Is the platform able to be accessed internationally?

d)      Is there a companion mobile application?

i)        Are there user agreements in place for such mobile apps?

ii)       Have many of the above items in this checklist been addressed in connection with that mobile app?