Creating Traps for the Unwary: Recent Technology Law Developments
Legal developments over the past year continue to confirm that many of the early technology-law legal battles — such as the validity of electronic contract formation — are pretty well settled, even if those issues periodically arise in isolated cases. While there are many developments in this area at the federal level and a good deal of overlap between state and federal laws affecting technology issues, this overview principally highlights selected state-law trends and developments from the past 12 months or so involving technology-law issues that businesses should take note of as either confirmation of basic principles or matters on the horizon that should be monitored for potential impact.
Data Breach Matters
Issues regarding data breach [see Trust The Leaders, Issue 19, p. 16] have reached such a critical stage of notoriety and attention that some form of uniform federal legislation is likely not far off. The national Identity Theft Resource Center reported that as of early December 2008, over 558 data breaches had been reported in 2008, eclipsing the total of 446 data breaches for all of 2007. Whether developments over the past year provide a tipping point for such legislation remains to be seen. In the absence of any uniform national legislation in this area, the states continue to fill this void by adding to the patchwork of state-level legal requirements for data breaches. As of this writing, the vast majority of states have enacted a local statute imposing obligations for dealing with data breaches. Most of the states generally require a timely notification to affected persons whose personally identifiable information has been disclosed in an unauthorized manner. However, the standards for a qualifying breach vary by state. Significantly, most of the states do not allow a private right of action for such breaches, instead leaving enforcement up to the state attorney general or some other state agency.
As an example of state action, in 2008 Georgia added a new provision, O.C.G.A. § 16-9-6, to its criminal code that makes it a felony to use electronic means to falsely represent oneself as a business and thereby induce another person to provide identifying information. Essentially, this statute criminalizes so called “phishing” e-mails and Web sites and similar ruses intended to defraud unsuspecting persons by lulling them into divulging sensitive information. A safe harbor is provided for internet service providers and other telecommunications companies who, without knowledge of a fraudulent scheme, merely provided the bandwidth over which such activities were conducted.
In another 2008 addition to the Georgia criminal code, the Georgia Bureau of Investigation was given authority to investigate identity-theft fraud, which includes the additional power of issuing subpoenas. These amendments are reflected in changes to O.C.G.A. §§ 16-9-123, 35-3-4 and 35-3-4.1.
Georgia also enacted in 2008 a statute that gives consumers the right to place and remove a security freeze on credit reports. O.C.G.A. §§ 10-1-913 through 10-1-915 were added to the already existing statute dealing with data-breach notification requirements imposed on information brokers.
Although data breaches affect many types of businesses, many of the more notable data breaches have involved retail businesses, with the massive 2006 data breach of over 45 million credit- and debit-card records affecting the retailer TJX/T.J. Maxx being the most notable. As a result, retailers have become the subject of legislation seeking to impose additional requirements on them.
The payment-card industry, led by Visa and MasterCard, has over the past decade pioneered a voluntary approach to card-related data security. Credit card and debit card issuing banks and retailers must adhere to a set of best practices loosely called the payment card industry (“PCI”) standards, which is administered by the PCI Security Standards Council as a self-regulatory approach to card-data security. The latest iteration of PCI standards is reflected in the PCI Data Security Standards (“PCI-DSS”), which may be accessed at pcisecuritystandards.org/security_standards/pci_dss.shtml. Failure to meet the applicable PCI standards results in the inability of non-complying retailers to have consumer card payments processed for purchases of their goods, which usually has been sufficient to ensure general compliance. Nevertheless, state legislators, believing a voluntary approach to such compliance has been insufficient to protect consumers, have started to mandate data-protection laws compliant with PCI-DSS or equivalent standards. California, Connecticut, Illinois, Massachusetts, Texas, Washington and Wisconsin are among the states that either have recently imposed, or are contemplating imposing, an obligation on retailers to adhere to PCI-DSS or similar standards, most notably by not allowing the storage of sensitive card or consumer information beyond a certain length of time following the underlying transaction. What most of these measures have in common is that financial institutions are expressly authorized to seek recovery against retailers whose negligence causes an affected financial institution to incur costs (such as card-reissuance costs) as a result of a related data breach. This is in contrast to most other state data-breach laws, which do not allow a private right of action to anyone in the chain of transactional activity.
Negligent Data-Security Claims
In what should not be a surprise, a clear trend is developing toward recognizing a negligence tort for failure to maintain reasonable security standards. This trend is partly because of increased data breaches and partly due to the fact that federal and state laws and regulations affecting data breaches and data security are gelling into a de facto minimum standard for information security that consumers and businesses have come to expect. Among the notable cases involving claims of information-security negligence are these:
- U.S. v. American United Mortgage Co., No. 07C-7064 (N.D. Ill. Dec. 17, 2007). First Fair and Accurate Credit Transactions Act (“FACTA”) “Disposal Rule” settlement for improper disposal of consumer records.
- Stollenwerk v. Tri-West Health Care Alliance, No. CV-03-00185-SRB (9th Cir. Nov. 20, 2007). The theft from a company location of computer servers containing sensitive personal information formed the basis for an information-security negligence claim under Arizona law.
- Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121 (N.D. Cal. Mar. 24, 2008). Employer was sued for identity-theft risk after the theft of a laptop computer that was misplaced by a Gap contractor/vendor.
Online Contracting
It is interesting to observe that while the essential principles of online contracting are well settled, legal skirmishes continue to take place in this area. The earliest such battles were over fairly fundamental issues such as whether parties could legally be bound at all by online contracting means. That argument has long been decided — such contracting is as valid as the offline kind, so long as the essential elements of contract formation are otherwise present. More recent maneuvering is focused on nuances at the margins of online or electronic contracting, and this past year’s developments provide ample examples of this.
The following cases, decided in the past year or so, illustrate the types of contracting issues still typically at issue:
- Whitnum v. Yahoo, No. 11098/06, 2007 WL 2609825 (N.Y. Sup. Ct. Sept. 5, 2007). Court confirmed that limits of liability for indirect or consequential damages in a click wrap agreement are enforceable, so long as the click wrap agreement — in which a user’s assent is given by clicking on an “I Agree” or similar on-screen button — is otherwise valid.
- People v. Direct Revenue, LLC, No. 401325/06 (N.Y. Sup. Ct. Mar. 12, 2008). Limitations of liability in online click wrap found to be valid.
- Trujillo v. Apple Computer and AT&T Mobility, No. 07C4946, 2008 WL 4368937 (N.D. Ill. Sept. 22, 2008). In proposed class action against AT&T, AT&T sought to have plaintiffs bound by individual arbitration clause in service agreement that was purportedly available in an online form. Because a serious issue existed as to whether the service agreement was appropriately made available to each plaintiff prior to purchase of an iPhone, court refused to conclude that individual arbitration clause was necessarily valid.
- Reynolds v. Credit Solutions, No. 07-AR-1516 (N.D. Ala. Feb. 26, 2008). Court took exception to enforcing online contract involving procedure whereby service agent on phone walked customer through sign-up process including review of online contract that was quickly accepted by clicking assent.
- Feldman v. UPS, No. 06 Civ. 2490 (S.D.N.Y. Mar. 24, 2008). In challenge to provision in UPS’s online shipping contract that limits UPS liability for loss of items, court denied summary judgment to UPS because insufficient evidence supported accessibility or availability of contract prior to placing package for shipping.
- Alliance Laundry Sys., Inc. v. Thyssenkrupp Materials, No. 07-C-589 (E.D. Wis. Aug. 5, 2008). E-mail exchange setting forth details of a proposed sale is acceptable to show formation of a contract.
Open Source Software
For the general business community, the legal issues associated with the use of open source software have long been “sleeper” issues that have not received a great deal of attention. Unlike most proprietary software applications, open source software is typically made available with relaxed license and distribution restrictions that include access to the underlying software source code. However, because the use of open source software has become more prevalent in many industries, businesses of many types are becoming more alert to the legal implications of use, including the sometimes-peculiar compliance requirements imposed by the licenses that accompany certain releases of such software.
Many businesses only first become aware of open source issues as part of a significant transaction undertaken by that company — for example, in connection with a software development arrangement or as a result of the representations and warranties required in an acquisition transaction. Prompted by the inquiries that routinely accompany such projects, the company executives may only then learn for the first time that a core application used in the enterprise consists of a critical open source component or that a resourceful information technology specialist has adapted an open source module to accomplish some critical processing function.
While numerous open source licenses exist, the most common is the General Public License (“GPL”). In mid-2007, the Free Software Foundation, one of the more prominent open source clearinghouses, released GPL version 3. GPL version 3 represents a significant departure from GPL version 2 and, because the case law associated with open source licenses is scarce, many licensing practitioners are reluctant to advise use of open source software that adopts GPL version 3 for its governing license terms.
Thus, the mid-2008 case of Jacobsen v. Katzer, No. 2008-1001, 2008 WL 3395772 (Fed. Cir. Aug. 13, 2008), represented a rare open source case and also provided some additional guidance in this area of the law. The applicable license terms, which were governed by principles of California state contract law and federal copyright law, regulated the use of certain open source code that was useful for model train controllers. The user who was being held accountable by the foundation that had originally released the open source code had apparently either overlooked the underlying license terms or not read them closely enough. Parsing through the license terms, the court found that an “artistic license” proviso, which the foundation had adopted for the software, was a threshold condition to the license (giving rise to a copyright-infringement claim) rather than a mere covenant on scope (which would have resulted only in a breach-of-contract claim). The lesson from Jacobsen is that open source license terms matter and that a user ignores them at his peril, particularly in a business environment where open source use is becoming more common.
ALI Principles of Software Contracts Project
The American Law Institute (“ALI”) continues to advance an important project that it began in 2004 and about which many lawyers and businesspeople may not be sufficiently aware. The project has as its purpose to propose legal principles to guide courts in interpreting, and to assist practitioners in drafting, software contracts and resolving disputes arising out of software transactions. The project is less a “restatement” approach than it is a suggestion of best practices associated with software contracting.
At the May 2008 Annual Meeting of the ALI, the membership approved Tentative Draft No. 1 of the ALI’s Principles of the Law of Software Contracts. Tentative Draft No. 1 of the Principles contains chapters on standard agreements, warranties, indemnities and remedies, among other subjects that software licensing lawyers frequently deal with in contract negotiations. The Principles in their present form provide extensive commentary and numerous examples of the application of many aspects of software law. Among the notable proposals reflected in the Principles are several important limitations on the ability to disclaim warranties against infringement and merchantability in certain contexts. While the Principles remain the subject of public commentary from members of the bar and business community and thus undoubtedly will develop further, even in their present form this is a useful resource to businesses and lawyers interested in making the transaction process proceed more smoothly and efficiently.
Technology law issues affect virtually every business of any size, whether those businesses are owners of proprietary technology or users of technology tools and applications. While the pace of technology use and adoption of improvements will likely outpace the ability of the law to keep up, legal principles in the technology area have evolved in expansive directions. Many traps in this area exist, and will continue to emerge, for the unwary.