Thursday, May 11, 2017

Internet Tech Terms in Use


Internet tech terms are commonly mentioned in a law firm’s discussions where the practice focuses on issues in the market engaging the Internet and, among other aspects, computing, e-commerce, data protection, software development, application development, data management infrastructure, cloud processing, and cyber security, to mention a few. As these terms arise in conversation, contracts reviewed or drafted, negotiations, legal advisory opinions, and litigation, there is always the need to flesh out their meanings in the situation or business endeavor. It is also frequently necessary to describe their use and how they interplay in the aggregate of the whole system, for lack of a better word. The word Internet remains the prevailing term to describe, as parsimoniously as possible, the cyber realm in which all is being transmitted. The following terms are thrown around in articles galore, assuming the readers’ common awareness.

Our experience has been that the opposite is true. Many times, a client did not understand how their technology was stacked and was not aware of the difference between the client side of their system and the server side of their system. The data gathered by clients becomes overwhelming and they are not aware of the available tools to cull, read, and manage the data productively. They enquire about the cloud and how cloud computing could be an operative means for their business, but do not appreciate the risks and the methods that can be applied. So, for purposes of enhancing a general understanding going forward, this piece will touch briefly on frequent terms that will be helpful to businesses, entrepreneurs, startups, collaborators, and many more. The following terms will be addressed in alphabetical order and not in rank of prevalence or importance.

Algorithm - Traditionally one thinks of math and formulas. What is actually being employed is a set of rules that sets a procedure by which data is attended to in order to execute a process. What that process is has no limits. An algorithm can be used to cull data by designated criteria, i.e., meta. It can be used for computer forensics involving the investigation for characters, words, images, phrases, and themes. An algorithm can be a set of rules that encrypt messages so that they are unreadable unless one has the key to decode the message. Calculations are possible for astronauts, missile delivery systems, orientation of satellites for defense or for communications, or even to be able to watch an MLB game.

Application Programming Interface - A simple way of describing how API is discussed with clients, when working on contracts and terms of use agreements for their clients’ projects, is to address API as a form and means of communication among the software that is being used. The communication between software in and through devices may be via data patterns, certain criteria or variables, or queued calls. Depending on the contract and work to be done by the client for their client, there could be a computer program that is to be developed that itself will be based on building blocks devised by the programmer using an API. An API may be for multiple purposes. An API can be for managing a library of software to work together, for managing a database or operating a system, and it can function via the web. The important aspect is understanding that there are instructions on how data is exchanged from software to software and how that data result is made usable.

Artificial Intelligence - People normally think of a robot when AI is mentioned. But it is not the physical appearance of an operation that should trigger attention. Attention is warranted on the hidden aspect, which is the process that drives AI, i.e., rules, algorithms, software, etc. The rules that are utilized together create a process where questions can be answered, devices are made to begin operation, or even medical diagnoses can be drawn. AI can learn from itself as inputs of results are noted and assessed for continuous improvement. AI is not just about robots, but could as well regard bots. Bots can be termed the soft side of AI. One can say that AI is a composition of processes driven by knowledge that can be continuously learned beyond what was initially programmed. The challenge for startups and established businesses, and even for government institutions, is how to learn the use of AI and use it ethically.

Many uses are before us and many do not acknowledge AI’s existence. Consider the following examples of AI in our interactions: electronic financial transactions; job searches and queries and the matching results; journalism using storytelling agents, such as the Washington Post Heliograf; Pinterest enhancing the recognition of images and improved searches; and investment funds indexing, to mention a few. The key to keep in mind is that AI can learn from itself.

Big Data - The term is used to describe multiple sourced data accumulation and multiple purpose use data.  The former construes the immense obligation to manage what is received and the latter construes the ethics and means of how to use the data.  The data can be telling of many things such as customer choices, consumer trends, investment trends, allocation of taxes, misallocation of revenues, frequency of transactions, trends in transactions, inventory adjustments, supply chain trends among vendors, employee computer use, employee attendance and productivity, national grading trends, and the list of uses continues on; it seems endless.  What also makes it “big” is the multiple sources for the data.  An individual’s everyday life creates data.  Data is created by mobile use, web searches, buying gasoline or coffee, checking out a book at the local library, social media communications, forum memberships, newsletter interactions, and again, the list of sources continues.

The immensity of this data gave rise to Data as a Service (“DaaS”), where the administrative handling of the data is outsourced due to cost constraints. Big data is assessed by its velocity (accumulation), volume (amount), value (usefulness), and variety (interrelated and not stratified). The volume is from captured data as it increases with web traffic and network processes. The variety is by its very nature diverse. Its value depends on relevance to the entity’s function and mission. The velocity aspect is the consequence of integrated recording of activities. Data clients receiving the data run criteria for the use of the company that uses the data, whether for sales, product improvements, diagnostics, predictions, market assessments, inventory allocations, etc.

Blockchain - Transactions and activity exchanges need to be recorded in order to be verified, measured, and accounted. What blockchain does is record transactions between participants, client and business, members of a group, etc. It can be programmed to set transactions which can be used for automatic payments that are then reconciled in near real time. Royalties are compensated as intellectual property is used. Such uses can also help in the development of business processes to enhance efficiencies. By serving as a ledger, transactions are confirmed, and it could have multiple benefits, from adjusting inventories across the globe to tracking monetary flows of investments. There is also the security aspect of the blocks in general. These blocks of data cannot be altered and serve as a resource of verification with a time stamp. The blockchain technology has as well a link between blocks that confirms verification. It is essentially software for integrated transaction recording. Blockchain’s use is beneficial for records management, the medical field, banking, investments, money transfers, policing identity screening, processing transactions (ATMs, EFTs, ACH), and internal revenue tracking.


Cloud Computing (CC) - The aspect of CC is a remote access feature to records, emails, and data that are not stored digitally by the entity on its own servers. The computing through the cloud, so to speak, is by virtue of accessing the information from a distance. Particular software enables that feature and as well provides the service benefit via the web. The cloud computing function uses software as a service (SaaS), where the client entity logs in on their account using the rented software to access their records, emails, etc. The idea is that data, records, and documents are stored in a central or diversified place and not at the business or entity’s place of operation.

Clients then shift from owning infrastructure to renting and sharing resources, which inevitably shares the administrative aspects of storage. By allowing for remote access from anywhere via a web connection, the resources are shared, that is, servers, storage, applications (API), algorithms, and hardware. The purpose is to minimize costs based on usage and based on a feature similar to the delivery of telecommunication systems, where the network is shared.

Interface - On many occasions when discussions regard a service issue, the interface comes up to determine where there could have been a quality issue. A user has experience with a head page that displays, in a formatted feature, the program to operate. The application then is interfaced for the user to access the program. What we tell clients is that it is the bridge between the user and the program. So the user interface is about the instructions used to access and operate the application. When the client issue regards multiple applications or devices, we then discuss the interface that facilitates the communication of coded instructions for the operating system and/or the devices. It is essentially the means of integration.

Internet of Things - Clients are seeking to streamline their processes and enquire of the liabilities of IoT, but more so, they wonder about the process. What takes place is a convergence of systems by use of the Internet. The technology that administers data interfaces with the operational technology, whereby data is transmitted to either operate the device or record data driven by the device or driven using the device. The IoT functions by recognizing the Internet Protocol of the device that then transmits the data through the network, acknowledging the source of the data. This is typical of heart monitors issuing a reading, alarm system controls receiving a call for a monitoring update while away from home, a wearable fit watch transmitting distance on a run, or cyber security detection of an intrusion attempt. The IoT involves constant connection, transmission, and collection of data about uses, functions, and performance. Where a client may be concerned with measuring a certain process, e.g., rate of fermentation on a new beer recipe, the sensors can transmit the data needed to measure.

Malware – Intrusions increasingly use malware, a type of software coded to find vulnerabilities in a target system or network. Gaining access is the initial goal of the malware, which heightens the importance of personnel training to recognize suspicious emails and links. There are a variety of malware types and they are commonly known as spyware to monitor and steal information, keyloggers to trace character strokes on the keyboard, viruses to cease computing operations, worms seeking information inherent in the system, or ransomware seeking to extort money by seizure of the computer operation. The carrier of the malware could deceptively be embedded in advertising (adware). Some malware attacks the operating system of the computer or network, making the victim take certain predictable steps or forced steps that open the victim up to more harm. The controversial issue for clients is whether they had proper cyber liability insurance that would cover the cyber incident.

Machine Learning – Our startup clients engaged in handling complex projects as a service, i.e., modeling, programming, email filtering, etc., utilize statistical data in a variety of ways. The projects involve computational tasks that engender creating productive information for the intended recipient client. Small businesses from collaboration centers may offer, as a service, analytics using machine learning that yield study results, model training, algorithms, diagnostics, predictions, and even security enhancing features. Machine learning is task driven to study a data set or a compilation of entries and catalog them by instructed variables. A client’s process using machine learning in the service provided could provide ways to filter emails for advertising, rank consumer choices, stratify demographics by region, or even make predictions on investments, interest rates, climate change, and effects of policies.

Open Source – In the growing sharing economy relying on collaboration, open source has been very beneficial. The unseen source code can be shared and utilized to recreate improved software. OS is a series of devised software that has made it mainstream to foster innovation and serve as a backbone for other generations of processes. Once receiving a license to use open source software, the user can modify the OS. The key is that there will be the restriction that, while a modified OS is shared or made available to others, the source code must also be shared. OS providers are focused on transparency and free exchange of code. The transparency aspect allows for adaptations to the software code for others to inspect, and maybe they can improve on it. By allowing access to the source code,

Technology Stack - The combination of software components that addresses the operating system (OS), web server (Apache), database handling (MySQL), and the server coding environment (PHP) presents a typical stack. In operations, contracts address the client side of the service and the server side. The Tech Stack is a categorization of the software that will be employed to run both the back-end and the front-end. It is the stack that comprises the architecture of the system for the business, entity, government agency, you name it. The backbone of the entity’s functioning mission, or what is called business rules, operates in the back-end of the system. Consumers, customers, and the like access the front-end by a web browser, or if the individual is accessing using a mobile, then the access is through an app interface. While a system has its Tech Stack comprising its system software, applications are stacked apart. As cloud issues arise with clients, servers and their programs become an issue regarding database programs and the software support they will receive within the stack components.
Originally published www.lorenzolawfirm.com March 8, 2017
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web." Copyright 2017, all rights reserved Lorenzo Law Firm, P.A.

Friday, March 10, 2017

Cybersecurity Rule Setting the Mark

Cybersecurity rule ideas, so far, have been piecemeal throughout the United States despite the numerous efforts. Opposite to the European Union’s efforts through their General Data Protection Regulation (GDPR) initiative, in the U.S. we have no such thing. We do have bolstering amendments to the Gramm-Leach-Bliley Act, embodied in the Consumer Data Security and Notification Act of 2015, that seek to require financial institutions to notify of the data breach incident. While the term industries has expanded to encompass all entities that have handling operational responsibilities with consumer financial information, Congress responded to California’s promulgation of the California Notice of Security Breach Act by itself proposing the Information Protection and Security Act. The race is on to set provisions with teeth that cut through the obstacles in cybersecurity and data management and are responsive to consumer protection needs.
Needless to say, companies have been required to address cybersecurity and the management of data, especially personal identifying information (PII).  There is also a growing concern with the occurrence of corporate spying and the impetus that led to the Spy Act, i.e., Securely Protect Yourself Against Cyber Trespass Act.  Though not a success, since 2011, initiatives have addressed legislative reforms to meet the concerns with information sharing, data management, cloud transfers, especially with the E.U. and the entities conducting business in the E.U.  But the matter of setting a cyber security regulation has now been placed center-stage by the State of New York. In a press release, New York’s Department of Financial Services (DFS), announced its Rule to “protect consumer data and financial systems from terrorist organizations and other criminal enterprises.” The rule took effect March 1, 2017.  The release noted that the provision “will require banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”   
The scope of its coverage hits all the points, including responsible connection along the lines of contracts by defining affiliates, penetration testing, persons, and publicly available information, as well as the recurring monitoring obligation via risk assessments, authentications, and setting programs for advisory roles. More so, it provides for its scope over authorized users and covered entities. The "authorized user" is deemed to be an employee, contractor, or agent with authorized access to the information systems of the covered entity. Its structure is labeled aptly with a girding focus on providing for a cybersecurity program, policy, chief information security officer, penetration testing, vulnerability assessments, results audits and screening, application security, personnel qualifications and clearances, vendor cybersecurity policies, and response plans. The requirements also delve into encryption, multi-factor authentication, training, monitoring, notifications, post-incident assessments, pre-incident security integrity audits and post-incident audits, and the expected implementation and enforcement.
While the rule takes effect, many entities will face compliance concerns with their policies and contracts. The example being set by New York’s DFS will probably catch the eye of Washington and set an example for other states, especially as the EU gets closer to enforcing its GDPR. All concerns with cyber-attacks and cyber incidents are arising and it seems the lawmakers are seeing the need. The general hope is that the initiative catches the attention of managers and heads of covered entities and those in the fringes for the sake of cyber peace of mind and consumer protection at large. It may even wake up other states too.

Thursday, March 9, 2017

Internet of Things Security Claims

Internet of Things security claims have caught the attention of lawmakers and regulators. The Internet has been interesting to follow and work with as a realm of process and information exchange. As the devices used to transmit information increase in our lives and work, protecting what is transmitted from unwanted eyes is not necessarily going in the same direction as the advancement of innovation. With that concern, the Federal Trade Commission is determining that standards are needed to address foreseen vulnerabilities. These vulnerabilities were of concern when the FTC’s study focused on devices transmitting amid networks through the concept of the Internet of Things (IoT).
Since 2014, efforts to standardize measures to enhance cyber security were taking shape with an Executive Order and the Cybersecurity Enhancement Act of 2014. The emphasis was to perpetuate the work of the National Institute of Standards and Technology (NIST). The FTC acknowledges the urgency with which Web applications are being deployed to achieve tangible communication features for daily used devices.
Along with these concerns, the FTC saw fit to file a complaint against a manufacturer of devices commonly used for Internet access and transmission. The angle taken by the FTC regarding D-Link was one based on weaknesses in cyber security. The claims were not based on actual harm experienced by consumers, but rather on the security of cyber itself. This complaint was addressing IoT devices, such as routers, cameras and their Internet Protocol. The FTC also discussed the software that is implemented to achieve the desired transmission for devices to work as desired. This approach also peered into consumers’ use of mobile apps in the transmission and delivery of communications.
Under the authority to address misrepresentation in business practices, the FTC seeks to determine if an entity misled consumers into believing and trusting its representation, especially if the claims were of the cyber security nature, touting that measures were implemented to a level of prevention when they were not. Section 5(a) of the FTC Act provides authority consistent with this role and pursuit in the D-Link matter. Claiming to implement a security measure when the very commonly accepted measure was not implemented is what the FTC deems deceptive under its Act. To aggravate the matter, if the measures that were not taken are the ones that are reasonable to implement, and they are known in the industry to prevent unauthorized access if implemented, then the entity is failing to take reasonable precautions. D-Link was considered to have deceptively led consumers to believe, with its claims, that security features were in place.
It is noteworthy that the issue of actual harm was not the gravamen of the filing but rather the deceptive aspect of cyber security claims by the device manufacturer. This matter is telling for business. If they advertise claiming security features, such claims better be backed up with reasonable measures to meet the claims. The FTC takes seriously claims without supporting measures. If the practices to ensure that the claims are met are indeed industry reasonable measures, the business in question will face a hurdle of credibility and reputation in the industry, not to mention the scrutiny of the FTC.
Advertising is key to business growth and brand development. Advertising, on the other hand, done with overstatements and exaggerations and non-carried-out claims, is only asking for trouble. Businesses should take care to address their policies, manuals, promotions, packaging, and advertisements with an honest involvement of the technical stakeholders of the business and management before publishing any security claims to the consumer public. If carelessly crafted and promoted, materials published by a business will be seen as deceptive and will run counter to FTC guidelines, which are intended to establish standards of practice, addressing considerations for Internet of Things devices.


Sunday, February 26, 2017

Software Patent Filings Abstract Snags

Software patent filings have gone through snags during the approval process. For many, not having a clearly stated specific enhancement to preexisting software was a liability to the filing's success. Failing to satisfactorily describe a technical improvement of the innovation over previous inventions is another snag. Not distinguishing the innovation from previous filings and from what appears to be a conventional purpose and function is as well critical to its success. The struggle is with the abstraction of the descriptive process about the functionality of the intended software. What gets lost is the detail necessary to demonstrate valued distinctions that set it apart as a new filing from preexisting related applications and functions in the field within which the software inventor seeks.
The Supreme Court in the Alice[1] case iterated the standard for overcoming a Rule 12(b) failure to state a claim for patent eligibility. As articulated, “a patent may be obtained for “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.” 35 U.S.C. § 101.” Furthermore, the Court has held that “Laws of nature, natural phenomena, and abstract ideas are not patentable.”[2] In Mayo, the Court stated that on the basis of patentability/validity determination that is independent of . . . any other statutory patentability provision.[3] It is in Mayo that the Court established its two-step process to assess patent filings that only provide for abstract ideas.
The first step was to determine if the filing’s claims point to a patent-ineligible concept. If that is established, then the next step would be to determine if “the elements of each claim individually or in combination allows the filing to have the nature of the claim transform to a patent-eligible application.”[4] As the Court filters through patent filings for software, the challenge is to discern what is truly novel and game changing in the software computing field and what is a routine process of imitation with a different function, but still achieving the same without development and/or improvement.
To this concern, the Court distills between software-related patents claiming an improvement to a process or system and those filings that are claiming language reciting an invention’s pinpoint discernable improvement to what has already been active in computing. In its own discourse, the Court alludes to the close calls, i.e., “in other cases involving computer related claims, there may be close calls about how to characterize what the claims are directed to.” That is, “some inventions’ basic thrust might more easily be understood as directed to an abstract idea, but under step two of the Alice analysis, it might become clear that the specific improvements in the recited computer technology go beyond “well-understood, routine, conventional activities” and render the invention patent-eligible.”[5]
The Court in Bascom, stated that the patent filing claims to “filtering content is an abstract idea because it is a longstanding, well-known method of organizing human behavior, similar to concepts previously found to be abstract.”  But what was distinctive, was the order of description of the specific function for the individual claims apart from what was conventional among computers, Internet Service Providers, networks, and filtering. The analytical inquiry into a claim’s patent eligibility weighs on the specific description of the inventive concept claimed.
The Bascom Court further elaborated, “the claims do not merely recite the abstract idea of filtering content along with the requirement to perform it on the Internet, or to perform it on a set of generic computer components. Such claims would not contain an inventive concept.” “Filtering content on the Internet was already a known concept, and the patent describes how its particular arrangement of elements is a technical improvement over prior art ways of filtering such content.”   The specific location for the filtering system which was to be a remote ISP server, and allow the users to have the ability to adjust the filtering for their network accounts, distinguished it from the abstract concept of filtering in general.
Hence, a new way and an improvement was recognized as applicable to the claim being filed for a patent. Description of steps of claims cannot solely be achieving a process by function but must key in on what is the distinguishing feature from the conventionally understood prior existing application. Or else, filing snags will continue for software patent filings seeking innovative ways to describe the same but with not so distinguishing improvements.

[1] Alice Corp. v. CLS Bank International, 134 S. Ct. 2347 (2014).
[2] Association for Molecular Pathology v. Myriad Genetics, Inc., 133 S. Ct. 2107, 2116 (2013) (quoting Mayo Collaborative Services v. Prometheus Labs., Inc., 132 S. Ct. 1289, 1293 (2012)).
[3] Mayo, 132 S. Ct. at 1303–04 (citing Bilski v. Kappos, 561 U.S. 593 (2010); Diamond v. Diehr, 450 U.S. 175 (1981); Parker v. Flook, 437 U.S. 584 (1978)).
[4] Mayo, 132 S. Ct. at 1297.
[5] Bascom Global Internet Services v. AT&T Mobility, LLC, 827 F.3d 1341, 1350 (Fed. Cir. 2016).



Tuesday, February 14, 2017

Data Security Negligence


Data security responsibilities are, at times, not met with the requisite level of diligence for compliance. Standards for compliance, for many businesses, institutions, and service entities, are not as specified as one would be drawn to believe. The disjuncture between responsibilities and efforts is becoming more evident with passing days as cyber incidents leave alarming concerns with consumers and business establishments.

Commonly prescribed is that personal data embedded in digital record transmissions must be transferred securely. However, the level of confidence that a service consumer, medical patient, loan customer, or even a student at an ATM demonstrates daily with their every swipe and approval is in the unseen information processing that the venue operates with in order to provide the desired service. If that confidence is shaken with the notion that the private information is not being handled securely, the digital transactions will experience a hiccup and the public consumer will seek other means to transact, and back to cash and brick-n-mortar we go. The integrity of the secure appearance of the merchant is held questionable and tenable.

At the point of transaction, the consumer is left with the confidence that the banking information provided to the institution is securely being transmitted and that the data is accurately being recorded, especially as balances are verified.  But what if the measures are not followed by the merchant?  How should a cyber incident be considered when negligence is involved in the cyber mishap? Who is to be held accountable for needing to demonstrate meeting the duty of care?

Negligence was an issue in In re Hannaford Bros.[1] This Maine District Court case involved the data security incident arising from a third party stealing the consumer data from grocery transactions. The question raised in the case was whether a customer can recover from the grocer for loss resulting from the third party’s data theft. It is conceivable that, from the consumer point of view, there will be the tendency to enjoy the convenience of the digital transaction by use of a credit card at a store. Yet, with the convenience, there is also the risk of fraud and misuse of the account information, i.e., PII.[2] The average consumer believes that the law should address and protect their PII in circumstances where confidential information is stolen and allow for redress against the merchants and financial institutions. But how negligence should be analyzed in cyber incidents is a bouncing question dealt with by traditional tort concepts of duty, breach, and causation with the ultimate tangible injury. Long has been the treatment of analysis under Article III to settle in each case the criteria of requisite case and controversy.

Negligence, however, seems to stand on an island in cyber incidents. To the individuals who have been affected by a cyber incident, the risk of fraudulent use of their account information is very real. So, the argument goes that the law should provide some form of protection. How that protection is conceived is still debatable. The grocery establishment in Hannaford Bros. typically argued that the law already provides protection to consumers by agreement, for instance, by the provision of the Electronic Fund Transfer Act, which limits a consumer's liability for fraudulent debit card transactions to no more than $50 (or, if the consumer fails to notify his bank "within two business days after the consumer learns of the loss or theft," no more than $500). 15 U.S.C. § 1693g(a). Defendants usually argue as well that the industry provides similar limits through contractual agreements with credit vehicles and associations such as Visa, MasterCard, etc. The store merchants will always seek to have the courts impose responsibility on the banks that issue the cards in order to facilitate any recourse to the consumer. So the cyber incidents that pertain to the misappropriation of digital transaction data pivot the consumer against the financial institutions to the liking of merchants or against the merchants to the liking of the financial institutions.

In the Hannaford case, the plaintiffs found themselves pivoted as such towards the merchant to determine the level of care that the merchant undertook for the digital data of the credit and debit card transactions.  The Plaintiffs argued that “... [they] made use of debit cards and credit cards issued by financial institutions to access their bank accounts or create credit relationships."  Furthermore, they argued that the merchant “provided electronic payment services," but failed "to maintain the security of private and confidential financial and personal information of ... credit and debit card customers" at supermarkets in . . .” in several states, including Florida.  Hannaford did not argue that it was not subject to a reasonable duty of care consideration; what it pointed out was its belief that it was not subject to an economic loss consideration arising out of the traditional personal injury and property damage considerations.  The court stated that “in a grocery transaction where a customer uses a debit or credit card, a jury could find that there is an implied contractual term that Hannaford will use reasonable care in its custody of the consumers' card data, the same level of care as the negligence tort . .”  Hence, the conclusion was that consumers can recover against a merchant when payment data are stolen, if the merchant's negligence is the direct cause of the loss in the customer’s account.  In this case, the negligence analysis was drawn to delineate breach of a duty of care and causation of the loss of data security.

[1] In re Hannaford Bros. Co. MDL Docket No. 2:08-MD-1954. United States District Court, D. Maine. May 12, 2009.

[2] Personal Identifying Information
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web." Copyright 2017, all rights reserved Lorenzo Law Firm, P.A.
 

Wednesday, January 25, 2017

Internet Mugshot Publishing Curtailed

Internet mugshots published online haunt many for years with embarrassment.  For many, as well, the mugshots serve no meaningful purpose for others throughout the Internet to know.  What remains is the ill circumstance of having future employment out of reach, or present employment terminated, because of the inadvertent past event.  The harm lingers for years.  For years, individuals who have had a mugshot taken for a past event have been solicited by mugshot publishers offering removal or correction for a fee, and have been pressured into paying a mugshot publisher for that removal or correction.  The concern is over this business practice by Internet mugshot publishers of seeking payment for removal or correction, essentially extorting individuals.

Now Florida is joining California, Colorado, Oregon, Georgia, and several others seeking to regulate the mugshot publishing business.  The Florida legislature is considering a provision to amend Sec. 943.0585, Florida Statutes.  This amendment provides restrictions on businesses that publish booking photographs on the Internet.  They are not to solicit or receive a fee for removal.  This fee prohibition also applies to requests for correction or modification of such photographs.  During the 2017 legislative session, the Florida Senate, in SB 118, will place a provision long awaited by individuals who have had the grief of their photo being propagated on the Internet for a fee.

The amended provision by the Senate states as follows: “(1) Any person or entity engaged in the business of publishing or otherwise disseminating arrest booking photographs of persons who have previously been arrested through a publicly accessible print or electronic medium may not solicit or accept a fee or other form of payment to remove, correct, or modify such photographs.”  The provision also sets a time limit within which requests are to be responded to and handled by the mugshot publisher.  The provision states, “Upon receipt of a written request from a person whose booking photograph is published or otherwise disseminated, or his or her legal representative, the person or entity who published or otherwise disseminated the photograph shall remove the photograph without charge within 10 calendar days after receiving the request for removal.”

The legislative effort is not without teeth in that it provides for enforcement.  Such enforcement allows for a civil remedy.  The provision states, “The person whose arrest booking photograph was published or otherwise disseminated in the publication or electronic medium may bring a civil action to enjoin the continued publication or dissemination of the photograph if the photograph is not removed within 10 calendar days after receipt of the written request for removal.”  If the mugshot publisher does not timely comply with the request to remove or correct the publication from a person whose arrest booking photograph was published or otherwise disseminated in the publication or electronic medium, a civil remedy of $1,000 for each day of noncompliance will be imposed along with an injunction.  Attorney fees are provided as well, along with court costs related to the issuance of the injunction.

Compounding the strength of the provision is that if a request for removal by a person whose arrest booking photograph was published or otherwise disseminated in the publication or electronic medium is refused after there has been a written request, such refusal will be deemed an unfair or deceptive trade practice in accordance with part II of Chapter 501, Florida Statutes.  The caveat to note is that this provision does not apply to any person or entity that publishes or disseminates information relating to arrests unless the person or entity solicits or accepts payment to remove the information.  Nevertheless, the concerns shared by many about their past, and the need to correct a record or to remove a digital online publication of a mugshot, are now being addressed in Florida.


Monday, January 9, 2017

Internet and Deceptive Advertising Vindicates the FTC

Internet advertising has become intricate and keen.  Internet advertising may involve multiple participants.  The purpose is essentially to sway readers to purchase products by making representations that at times appear too good to be true.  That is what the Federal Trade Commission and the State of Connecticut determined prior to suing LeanSpa.  The claims embraced issues of false information used to convince consumers of the legitimacy of the product.  Consumers were drawn to LeanSpa’s online sales site using story lines about users who did not actually use the product.  Shipping and handling costs were passed down to the consumer while representing that the consumer was receiving a free trial.  This story is all too common on television infomercials.

What was critical to the analysis undertaken by the court was that the charges brought against LeanSpa and its principals involved violations of several regulatory provisions, i.e., as for Connecticut, the Connecticut Unfair Trade Act and, federally, the Electronic Funds Transfer Act (EFTA) and Sections 5 and 12 of the FTC Act.  The findings revealed that there were misleading claims made about the weight-loss potential of the product being advertised.  There was also the enticing method of stating to the public that they could receive free trials of the product but that they had to pay shipping and handling.  This sales method had a recurring function that was difficult to cancel.  The consumers were trapped with monthly shipments.  That triggered the EFTA, which states conditions for transfers and the consumer's right to notifications and process.

The FTC, LeanSpa, and its principals entered a settlement that set requirements for disclosure about the terms of refunds, endorsements, and the trial promotion itself, involving the charges and the ability to cancel.  The defendants had to disclose that the endorsements were by actors and not actual users.  They also had to engage in clinical trials that would substantiate their claims for the effects of the product being sold and to also substantiate that their product had undergone clinical trials.  The FTC was imposing the requirement of having competent and reliable scientific evidence.

Subsequently, the FTC amended its complaint, asserting claims against an affiliate marketing network operator, LeadClick, that allegedly swayed shoppers to LeanSpa’s web store.  The news-appearing presentations about the weight loss benefits and experiences appeared realistic to consumers.  The news-appearing statements were never clarified to consumers for them to learn that they were actors and not independent news outlets.

The functions and roles of the product company and the marketers, once distinguished, revealed elements of liability that the FTC could not ignore and that the court noted.  A program called HitPath was used by LeadClick.  This program would register the clicks and would recognize the account to which each would be attributed.  The system would recognize the affiliate that was responsible for leading the consumer in to the product.  This information allows the marketers to allocate appropriate compensation to the affiliate, i.e., commission.  The marketing campaign was deemed suspect by the FTC and, essentially, by the court in its decision.[1]

The Second Circuit determined that LeadClick’s marketing campaign was liable for systematically conducting a program that deceived consumers noted levels of transactions.  While defenses were raised, the discussion dealt with the depiction of the defendant’s role in the marketing process with affiliates, placements of ads and sales, creation of ads, and potential immunities under Section 230 of the Communications Decency Act.  The court looked into the revenue stream between the merchant clients, the affiliates, LeadClick, and LeanSpa.  The court also determined that the ads were created via false news representations.

What the court determined demonstrated that while creation of the news sites did not originate with the defendant, there were other pertinent aspects that drew liability to the defendant.  The court found that the defendant knew that affiliates were using fake news to sell the LeanSpa product.  The court also became aware that the defendant approved the ads and, as well, that the defendant provided content for the ads.  These three aspects drew direct liability to the defendant and demonstrated direct involvement in the marketing plan toward consumers.  The defendant, per the court, was aware of the deception and neither curtailed it nor stopped it.  Hence, the defendant was deemed directly liable under the FTC Act.  The defendant in response claimed that its actions were similar to aiding and abetting liability.  Yet the court determined that the defendant’s actions contributed to the deception of consumers and were not tantamount to the exception under the FTC Act.  By purchasing ads and providing content, the defendant is liable.  Having knowledge that the third-party marketers were using false information[2] attributed liability to the defendants.  The Second Circuit noted that the Eleventh Circuit previously found the FTC to have provided the requisite evidence to demonstrate liability by virtue of the defendant’s knowledge of third parties’ false statements to consumers.  It found as well that the Ninth Circuit, in FTC v. Neovi, Inc.,[3] had determined liability of the defendant by its having caused the harm, not just aided it.

While the defendant defended by claiming to be immune under Section 230 of the Communications Decency Act (CDA), the court artfully informed the defendant that the “grant of immunity applies only if the interactive service provider is not also an ‘information content provider’ of the content which gives rise to the underlying claim.”  The court also stated that an information content provider within the CDA is “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”  Since the defendant was the content provider and writer exerting discretion, it was not immune from liability.  The court deemed the defendant as participating in the placement and publishing of the content.  LeadClick’s participation was ‘material’ to the deceptive content.

The decision out of the Second Circuit sends a signal to marketers to beware of their content and their affiliates' representations.  The effort to be at arm’s length may not be enough to shield a marketer from liability under the FTC Act or to claim immunity under the CDA.  Disclosures are becoming more of the norm in consumer protection regimes, with endorsements clarified as to their identity to avoid misrepresentations.




[1] Federal Trade Commission v. LeadClick Media, LLC, (2nd Cir. 2016).
[2] See FTC v. IAB Mktg. Associates, L.P., (11th Cir. 2014).
[3] See FTC v. Neovi, Inc., (9th Cir. 2010).