Publications

A class action lawsuit filed this past May by a small group of independent music publishers against major online music services for failing to secure licenses to sell downloadable versions of certain songs brought to light what could be a crack in the way labels, digital content distributors and online music services clear music for digital distribution. The publisher’s copyright infringement lawsuit names as defendants Apple, AOL Music Now. Buy.com, Microsoft, Napster, Real Networks, Yahoo and others.

The standard practice for most labels, digital content distributors or online music services is to secure a license to digitally distribute a song by going through the Harry Fox Agency, the largest mechanical licensing, collection, and distribution agency for U.S. music publishers. (The license to distribute the sound recording itself is obtained from the record label or other owner of the sound recording.) The Harry Fox Agency grants licenses for a variety of digital formats, including full-length permanent digital downloads, limited use digital downloads, on-demand streaming, and more. Most labels and digital content providers prefer going through Harry Fox. However, certain publishers such as those who filed suit don’t use Harry Fox as a mechanical licensing agent, but instead grant mechanical licenses themselves.

Labels and digital content providers can always attempt to negotiate directly with publishers that don’t use the Harry Fox Agency. Most labels and digital content providers don’t particularly like this alternative as it could end up being very time consuming. A label could spend a fair amount of time negotiating the terms of a direct mechanical license only to have the deal implode at the last minute. Fortunately, the Copyright Act provides an alternative for labels and digital content providers seeking to obtain a license to digitally distribute a song – the compulsory license.

The Copyright Act provides for the compulsory licensing of songs (not the sound recording) for the making and distribution of “phonorecords.” Section 115 of the Copyright Act provides that, once a “phonerecord” (which includes within its definition digital phonorecords) of a musical work has been publicly distributed in the United States with the copyright owner’s consent, anyone else may, under certain circumstances and subject to limited conditions, obtain a compulsory license to make and distribute “phonorecords” (including a digital phonorecord) of the song without express permission of the copyright owner.

The first step in obtaining a compulsory license for the manufacture and distribution of phonorecords is to identify the copyright owner of the composition. This can be done by personally searching the Copyright Office, or requesting the Copyright Office to conduct the search. Additionally, there are services that perform these type of searches for a fee.

If the name and address of the copyright owner are located, the party seeking the compulsory license must send, by certified mail, a Notice of Intention to Obtain a Compulsory License to the copyright owner. A separate Notice of Intention is required for each title for which a compulsory license is sought. The notice must be sent either before or no more than thirty days after making a phonorecord of the song, and before the distribution of any such phonorecord. The Notice of Intention need not be filed with the Copyright Office.

After the Notice of Intention is sent and the distribution of the phonorecord commences, the compulsory license holder must make royalty payments accompanied by a monthly statement of account on or before the 20th day of each month for every phonorecord made and distributed in accordance with the license.

If the party seeking the compulsory license is not able to locate the name and address of the copyright owner, the license seeker must file the Notice of Intention with the Licensing Division of the Copyright Office, along with the applicable statutory fee. The compulsory license holder is not required to file a monthly statement of account with the Copyright Office. Any royalties due the copyright owner should be held on account by the compulsory license holder as the Copyright Office will not accept any royalty fees. The compulsory license holder should check the records of the Copyright Office on a periodic basis to see if the unidentifiable copyright owners are later identified. Once they are, the compulsory license owner should make all royalty payments directly to the copyright owner.

XM’s introduction of a new service called XM + MP3 that allows its subscribers to listen to XM’s service on a portable player and record up to fifty hours of programming. In addition, the new service and player (called Inno) allows users to isolate and save perfect digital copies of songs for unlimited replay as long as they maintain their XM subscription. The service also allows XM users to create custom playlists which trigger automatic recording and storage of songs on the playlist when broadcast over one of the many XM stations

The Recording Industry Association of America responded by filing suit against XM for “massive wholesale infringement.” The RIAA claims that the new XM service goes far beyond any type of “radio-like” service for which XM is licensed, and is, instead, distributing sound recordings like iTunes and the new Napster.

Under Section 114 of the Copyright Act, XM is entitled, by statute, to publicly perform sound recordings in a radio-like, non interactive service, via satellite radio. Under this statutory license, XM is not required to seek individual permission to use any sound recordings; but it must pay a statutorily prescribed royalty rate for the digital performance of those recordings. In its federal complaint, the RIAA claims that XM has gone beyond the limited license granted it under Section 114 of the Copyright Act, and is now, through the XM+MP3 service, “distributing” sound recordings without its permission. The RIAA likens XM to other digital distributors of sound recordings, such as Apple’s iTunes, Napster, etc.

The XM+MP3 service shares numerous qualities with other subscription services, such as Napster and Yahoo Music. They both allow users to maintain perfect digital copies of particular sound recordings for unlimited replay for as long as they maintain their subscription. There are some differences, however. The major difference according to XM and the Electronic Frontier Foundation, is that the XM+MP3 service involves the recording by a digital audio recording device.

According to XM, the new players and the XM+MP3 service were designed to follow the Audio Home Recording Act, a federal law passed in 1992 in connection with the settlement of a lawsuit brought by the recording industry against Sony’s DAT recorders. Under the Audio Home Recording Act, digital recording devices are legal as long as they incorporate specific security protocols which prevent serial copying, and the manufacturer of the digital recording device pays a royalty of up to $8 per new digital recording machine and 3% of the price of all digital audio tapes or discs. The royalty payments are made to the Copyright Office which then distributes the money to the copyright owners whose music is presumably being copied. The tradeoff for the royalty payments is that consumers could use the digital audio recorder for the non-commercial home taping of music from digital broadcast sources without engaging in copyright infringement.

The Audio Home Recording Act specifically allows for the non-commercial home taping of music from digital broadcast sources. However, that law was meant to provide clarity on an activity consumers have been engaging in ever since audio recording devices were available – recording songs from a radio broadcast. Back in the analogue days, a cassette tape recording of a song from an FM broadcast was a poor substitute for the actual record. The sound quality was extremely poor and always included DJ banter. In addition, taping from an FM broadcast was never a surefire guarantee – one never knew exactly when a particular song would play; ones fingers were never quick enough to catch the song from its first note.

The first digital audio recorders vastly improved on sound quality. They produced recordings that rivaled the originals. If a user was lucky or skilled enough to record a specific song from a digital audio broadcast, there really would be no need to buy the record. This is the reasoning behind the royalty payments required under the Audio Home Recording Act – it’s meant to compensate the artists whose work is being recorded for lost record sales.

Technologically, the XM+MP3 unit, the Inno, is far more advanced than the DAT recorders circa 1992. Most DAT recorders required manual activation in order to record, and could not automatically record like the Immo. In my opinion, it’s these features that case the XM+MP3 service and the Inno to go well beyond merely recording a song from a digital broadcast. The ability of an Inno user to disaggregate recordings into individual songs, and save them for repeated listening, and to create a “wishlist” which automatically compiles the selected tracks, makes the player and service more akin to a tethered subscription service than a DAT recorder. This distinction is important because it goes to how the record labels and artists should be paid. Artists and record labels are paid depending on the way in which a sound recording is used. If it is merely streamed or digitally broadcast, the artists and labels are paid less than if the sound recording is available for permanent download. Here, the XM+MP3 service functions more like iTunes than a radio receiver. While I applaud the Imnn’s technological innovations and think the XM+MP3 service is a great way for consumers to enjoy content, if XM is going to continue to offer this service, it should pay a rate similar to that paid by iTunes and Napster. XM’s service offers a quality not available with the manually activated DAT recorders. A user of the XM + MP3 service is practically certain to capture their chosen song; not so with fingers and a DAT recorder. It’s this certainty that makes the XM +XMP3 service exactly like Apple’s iTune service, and XM should pay accordingly.

A Federal district court jury in Nashville levied a $4.3 million dollar verdict against Sean Combs’ (Puffy) Bad Boy Entertainment, Bad Boy, LLC and Universal Records/UMG Recordings for infringing copyright owned by Bridgeport Music and Westbound records. The suit resulted from the use of a six second sample from the Ohio Player’s Singing in the Morning used by producer Easy Money in the title track to the Universal released Notorious B.IG.’s 1994 album “Ready to Die.”

At the trial the parties stipulated that the required license had not been obtained from Bridgeport Music/Westbound Records. The issue left for the jury to determine was to calculate the fair market value of the use of the track. The jury awarded $733,878 in actual damages, which represented the fair market value of the use of the track. In addition, the jury awarded $3.5 million in punitive damages, which include a $1 million award against Bad Boy LLC.
The story is not the fact that Combs et al were hit with a very large verdict for copyright infringement. The story is why the jury levied such a significant punitive damage award. Susan Butler, the legal matters reporter for Billboard Magazine, published a story in the April 8, 2006 edition of the magazine which explained the reason behind the damage award.

According to Butler’s story, it was the pre-litigation activities of Combs, et al. that motivated the jury. Apparently between 1998 and 1999 letters were written from Bridgeport’s administrator to various music publishers, Arista records, which at one time had a joint venture with Bad Boy Entertainment, claiming copyright infringement of the Ohio Players’ sample. According to Butler’s story, Arista apparently forwarded the letter it had received to Bad Boy Entertainment care of Bad Boy’s law firm. Further, there was no evidence presented to the jury that Combs et al. responded to any letters or phone calls that Bridgeport’s administrator apparently made prior to filing suit. Although, according to Butler’s story, there was no letter addressed directly to Bad Boy Entertainment, nor was there evidence that Bad Boy or its lawyers had actually received Bridgeport’s letters, the jury took serious issue with Bad Boy’s apparent refusal to address Bridgeport’s concerns.

Butler’s story quoted the jury foreman as stating that Bad Boy et al should have done something prior to Bridgeport filing its lawsuit or taken some action to show “a willingness to attempt at least a settlement.” According to the quotes attributed to the jury foreman in Butler’s article, it appears that Bad Boy could have lessened the amount of the Punitive damage award by responding to Bridgeport’s concerns.

The lesson to be learned here is to take seriously any and all cease and desist letter received. This doesn’t mean that you necessarily have to admit infringement and pay a settlement. According to the jury foreman’s quote in Butler’s story, it would have been significant if Bad Boy responded to Bridgeport’s letter by denying infringement. But ignoring a cease and desist letter and refusing to engage a party making serious and repeated allegations of copyright infringement can be a very perilous tactic.

Picking an Errors and Omission policy can be an extremely important undertaking, especially for a technology focused company. When legal costs for defending a complex intellectual property infringement claim can exceed half a million dollars, the right E&O policy can mean the difference between the life and death of a company just starting to find traction in the market place. But more often than not, the decision on what policy to buy is left to an inexperienced company employee who only has a broker’s advice to rely on. This arrangement is probably fine for workers compensation and general commercial liability policies, but non-lawyers and lawyers are not familiar with technology companies and all the issues they encounter are out of their league when it comes to determining which E&O policy shifts the most risk.

There are a variety of possible claims that may trigger E&O coverage. Those claims are:
– Patent infringement – the making, using, offering to sell, or selling in the United States, or importing into the United States a patented invention, without authority form the patent owner; performing a patented process in the United States without permission (35 USC 271);
– Right Of Publicity – the use of another’s name, voice, signature, photograph or likeness in connection with a commercial activity without consent (Cal. Civil Code 3344 and 3344.1)
– Cyber-Squatting – bad faith intent to profit from use of another’s trademark as a domain name and engaged in actionable conduct, such as the registration, trafficking or use of a domain name that is identical or confusingly similar to, or dilutive of the registered trademark of another (15 USC 1125(d))
– Database/Network Security – any breach in the security of a database when that breach results in or could reasonably result in the disclosure by an unauthorized third party of personal information about California residents (Cal. Civil Code 1798.82)
– Copyright Infringement – violation of any of the exclusive rights granted to a copyright holder (see 17 USC 106-121)
– Trademark Infringement – use of a mark in connection with any good/service that is likely to cause consumer confusion as to affiliation, connection, association origin sponsorship or approval (15 USC 1125(a)(1); misrepresentation of the nature, character, qualities or geographic orgin of goods/services (15 USC 1125(a)(2); trademark dilution (15 USC 1125(c)(1)
– Trade Secret Misappropriation – acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means (Cal. Civil Code 2426.1(b)(1); or the disclosure of a trade secret of another without express or implied consent by a person who i) used improper means to acquire the trade secret; ii) or at the time of disclosure or use, knew or had reason to know that his knowledge of the trade secret was either derived from a person who utilized improper means to acquire it, or acquired it under circumstances giving rise to a duty to maintain security or limit use, or derived it from a person who owed a duty to maintain secrecy.

Not every E&O policy is the same; some policies cover a wider variety of claims than others. That is why it is very important for a company to involve their counsel in determining which policy is right for their needs. If a policy seems broad, but specifically excludes coverage for claims that are the most likely to be brought against the company, then the policy provides very little effective coverage and is a waste of money. Having a lawyer involved who understands the company’s business can help avoid uncovered claims.

Policy by policy, the language granting insurance coverage may differ. The insuring language of some policies may appear to cover everything under the sun (” The Company will pay on behalf of the Insured all sums in excess of the Deductible which the Insured shall become legally obligated to pay as Damages and Claims Expenses resulting from a Claim…”), while other policies are very specific about the coverage granted (“We will pay on your behalf money in excess of the Retention that you legally have to pay as a claim expense and damages because of a covered claim caused by a blip in your connected services”). Either way, the policy will also contain exclusions – or claims that are not covered – which narrow the coverage offered by the policy.

Even within the technology sector, different businesses will need different types of coverage. For example, a software company that makes and sells a CRM (Customer Relations Management) application will likely focus on securing robust IP coverage – patent, copyright, trademark and trade secret coverage. If a component of the application involves storage of user information on the company’s network, or if it sells its CRM application directly to consumers over the Internet, the company will also want to make sure that the policy provides good security perils coverage. If the company’s business involves the distribution of content, for example a news and social information portal, then the company will want to make sure that its E&O policy provides protection for invasion of privacy and defamation claims, as well as IP and security perils.

There are other elements of a good E&O policy than just covering the defense of a potential claim. California’s new database security laws requires notice to the public in the event of a breach in the security of a database that results in the unauthorized disclosure of personal information. If the compromised database is large, the notification costs can be costly. Certain E&O policies will provide coverage for this expense. Also, an E&O policy with robust securities perils coverage can also provide coverage for expenses related to denial of service attacks or computer viruses emanating from the covered company’s server.

E&O insurance is extremely expensive – One Million dollars of coverage can cost a company between twenty and thirty thousand dollars. It just makes sense for a company to be sure that its spending its money wisely and getting value for its premiums.

Intend to infringe – go to jail. That’s what the United States Attorney General proposed at a recent anti-piracy summit hosted by the U.S. Chamber of Commerce. United States attorney general Alberto Gonzales said the Department of Justice recently submitted to Congress the Intellectual Property Protection Act of 2005 aimed at toughening up intellectual-property enforcement.

Under current law, criminal copyright liability is applicable where a person infringes a copyright willfully, either for purposes of commercial advantage or private financial gain, or where that person reproduces or distributes by any means, one or more works with a total retail value of over $1,000 during any 180-day period. Willfulness has been held to mean that the defendant’s act was a voluntary, intentional violation of a known legal duty. As such, where the defendant raises bona fide issues concerning fair use or a lack of substantial similarity, while infringement may be found, the defendant may lack the required scienter for criminal liability.

The new bill would increase the scope of criminal copyright liability to include conduct that comprises an “intent to infringe” a copyright. The way in which the proposed language reads, the willful element would also apply to intent to infringe liability.

In Gonzales’ speech at the U.S. Chamber of Commerce’s Anti-counterfeiting Summit, he praised the proposed bill as toughening penalties for repeat criminal copyright offenders and overall strengthening copyright protection. “We also propose to strengthen restitution provisions for victim companies and rights holders, in order to provide maximum protection for those who suffer most from these crimes. And we propose to make clear that exporting infringing goods is the same as importing them…and should be punished accordingly” Gonzales said. Every member of the global economy has a responsibility to keep counterfeit goods out of the global market.”

The proposed legislation also expands the scope and breadth of property that is subject to forfeiture and destruction. Under the current law, the court has the discretion of ordering the forfeiture and destruction of certain infringing works. The proposed legislation appears to take away the court’s discretion in ordering forfeiture and now mandates forfeiture of those same infringing works. In addition, the new law appears to require the forfeiture of “any property constituting or derived from any proceeds obtained directly or indirectly” for the criminal copyright infringement, as well as “any property used, or intended to be used, in any manner or part, to commit or facilitate the commission of a violation” including “electronic, mechanical, or other devices for manufacturing, reproducing, or assembling such copies”. In addition, the proposed law would require convicted criminal infringers to pay restitution to the copyright owner as well as “any other victim of the offense.”

The bill would also modify the requirement that a copyright holder file a copyright application prior to the institution of criminal action for infringement. Under current law, section 411 of the Copyright Act requires a copyright registration as a prerequisite for any type of infringement action, be it civil or criminal. The new law would allow the DOJ to prosecute criminal infringers without the copyright owner first having to register the work.

In his speech, Attorney General Gonzales argued that the DOJ has a “responsibility to vigorously enforce IP laws – and develop a culture of respect for IP rights – in order to harness America’s creative energy and ingenuity for the future of our economy.” “While these crimes may appear harmless to some,” Gonzales continued, “they actually have a measurable impact on our entire economy – and they undermine the values of competition and creativity that are important to our way of life.”

On June 27, 2005, the United States Supreme Court handed down its decision in MGM v. Grokster.#160 That case involved an appeal from the Ninth Circuit by MGM, various record labels and other content owners of an adverse decision in their attempt to hold Grokster and other peer-to-peer network companies liable for copyright infringement.#160 MGM and the other content owners had initially filed a lawsuit against Grokster and other peer-to-peer network technology companies to hold them liable for damages resulting from their supplying the technology that enabled users to trade online copyrighted works.#160 The Ninth Circuit, upholding the District Court’s finding, held that the technology companies could not be held either vicariously liable or liable for contributory copyright infringement.#160 In coming to its conclusion, the Ninth Circuit interpreted the Sony v. Betamax case in holding that the distribution of a commercial product capable of substantial noninfringing uses could not give rise to contributory liability for infringement unless the distributor had actual knowledge of specific instances of infringement and failed to act on that knowledge.#160 Because the Ninth Circuit found the technology company’s software to be capable of substantial noninfringing uses and because respondents had no actual knowledge of infringement resulting from the software’s decentralized architecture, the court held that they were not liable.#160 (The architecture of the defendant’s file trading network is an open network.#160 That is, it does not have a central server like the old Napster network but rather uses nodes and supernodes; computer systems that are owned by users of the software and have no relationship to the defendants.)#160 The Ninth Circuit also held that the defendants did not materially contribute to their user’s infringement because the users themselves searched for, retrieved and stored the infringing files, with no involvement by respondents beyond providing the software in the first place.#160 Finally, the court held that the defendants could not be held liable under a vicarious infringement theory because the defendants did not monitor or control the software use and had no agreed upon right or current ability to supervise its use and had no independent duty to police infringement

The Supreme Court stated that the Ninth Circuit read the Sony case too broadly.#160 Instead, the Supreme Court stated that the test for contributory or vicarious liability revolves around the intent of the defendant, namely did the defendant distribute its device with the object of promoting the devices used to infringe the copyrighted works of third parties, as shown by clear expression on other affirmative steps taken to foster infringement.#160 If the defendant goes beyond mere distribution with the knowledge of third party action, the distributor is liable for the resulting acts of an infringement by third parties using the devices, regardless of the devices lawful uses.

What will this decision really do in the way of advancing the entertainment industry’s fight against illegal file trading, and how does this affect the growth of new technology?#160 Numerous pundits claim to have the answer.#160 However, human nature being what it is, I fail to see how anyone can predict the long term ratifications of this decision.#160 As a practical matter I believe that if a company creates a product with the primary intent that it be used for an illegal purpose, the company should be held liable.#160 If Grokster and the other defendants built a business model that depended on and encouraged users to engage in illegal file trading, then they should be held liable.#160

Representing record labels, television production companies, and other content owners, I understand how piracy affects their bottom line.#160 However, if illegal activity is an incidental byproduct to an otherwise productive and beneficial technology that is a cost of societal advancement that content owners have to bear.#160

The problem with the Grokster decision is how does one establish a company’s principal intent?#160 Unfortunately, unless the Company makes an express statement the only way is through litigation.#160 While I don’t think that the Grokster decision is death knell for new technology as some pundits declare, I do see how, as a result of this decision litigation can be used to slow or quash the growth of new technology.#160 This is a real possibility; especially when we are dealing with the entertainment industry.#160 I have found that some entertainment industry companies are reluctant to venture outside of their known safety zone.#160 They’re reticent to try new things that challenge or disrupt their existing business model.#160 From a business perspective, I can understand this.#160 Nobody likes to have their bottom line affected.#160 However, technological growth depends on innovative people pushing boundaries.#160 I would hate to see the Grokster decision slow technological advances that can, in the long run, be beneficial to all of us.

Download: New Laws Attempt to Regulate the Internet.pdf

Article first appeared in the March / April 2004 issue of Sacramento Lawyer, the bi-monthly publication of the Sacramento County Bar Association.

Last year the Internet was front and center in a number of controversies and new legislation. Aside from the music and movie industries continuing struggle and court battles over content piracy, 2003 saw significant legislative activity in areas dealing with the Internet. California’s legislators spent a significant amount of time on Internet related legislation, including crafting extremely strong anti-spam laws (SB 186) only to have it preempted by a weaker federal act. What follows below is a wrap up of the more relevant Internet legislation, federal and state, passed last year.

The Federal CANSPAM Act
In the early days of December, 2003, the United States Congress enacted the Controlling the Assault of Non Solicited Pornography and Marketing Act of 2003, also known as the CANSPAM Act of 2003. Supporters of this act call it tough; it has substantial criminal penalties and fines for spammers. The chief co-sponsor of the Act, Senator Charles Schumer (D-New York), is quoted as saying: “With this bill, Congress is saying that if you are a spammer you can wind up in the slammer.” However, critics of the Act, which went into effect on January 1, 2004, complain that it does not go far enough and is not as tough as its supporters would like the general public to believe.

CANSPAM prohibits specific conduct related to electronic mail. Specifically, the Act prohibits the use of false headers, using false information to register five or more email accounts, and intentionally initiating multiple commercial email messages from any combination of these accounts; engaging in email address harvesting and “dictionary attacks”; using scripts or automated programs to register multiple electronic mail accounts for the purpose of transmitting commercial electronic mail messages; and relaying or retransmitting commercial electronic mail messages through a computer network which the person does not have access rights, as well as other tricks of the spam trade. The Act provides for substantial monetary fines and penalties as well as jail time up to five years. In addition, the Act provides for forfeiture of all property traceable to the gross proceeds obtained from the offenses, and any equipment or other technology used in committing the offenses.

The Act also requires the senders of sexually oriented material to place a warning label on commercial electronic mail that contains sexually oriented material. However, if the recipient of these messages has already provided his or her affirmative consent to continue to receive these messages, no warning label is required.

While the imposition of civil fines, forfeiture and jail time make the Act sound rather ominous, critics still complain it will not stem the flow of spam. Critics say the problem is that the new law lacks an opt-in mechanism. This, critics say, will allow spammers to continue to send unwanted spam, despite the Act’s harsh criminal and civil penalties, as long as the message contains an opt-out mechanism and a functioning return email address. Because the new federal law preempts state law that specifically regulates commercial email messages, provisions like California’s law, which requires express consent or a prior commercial relationship, will not apply.

The new federal law places enforcement with the Federal Trade Commission and allows civil actions by the various state Attorney General Offices. The Act also allows a limited private cause of action by internet access service providers. However, unlike California’s law, the new federal law does not provide a private cause of action by consumers. Still, most commentators believe that California consumers will be able to pursue a remedy under California’s unfair competition laws. (Bus. & Prof. Code, 17200.)

The preemption provision does leave some exceptions. The Act only supersedes state law that “expressly regulates the use of electronic mail to send commercial messages except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” In addition it appears that states may still have the right to pursue claims that may arise in spamming situations, such as state trespass laws, breach of terms of service or use contracts, and actions under the Computer Fraud and Abuse Act.

On an international level, the new federal act places the United States at odds with Europe and its spamming legislation. In Europe, for the most part, spam is per se illegal. Ninety percent of Europe’s spam originates in the United States where spamming, after January 1, 2004, will be allowed. This is bound to cause tension between the United States and Europe as the two nations continue to attempt to harmonize intellectual property laws.

Outspoken critics of spam lament that the new federal law will do absolutely nothing to stem the growing tide of unwanted commercial email. Some critics note that spammers are deceptive by nature and, despite the new law, would not hesitate to use false or misleading email headers. In addition, the Act will do nothing to prevent serious spammers from opening up accounts in Bermuda or South Africa and continue to bombard the United States with spam from off shore.

Companies Now Required To Disclose Breaches Of Database Security
On July 1, 2003, a new law began requiring businesses to disclose to California residents any breach in the security of their databases when that breach results in or could reasonably result in the disclosure or acquisition by an unauthorized third party of personal information about California residents. This also applies to companies that maintain computerized data for others.

California Civil Code section 1798.82 applies to companies located both within and outside of California. While the new law was implemented as a measure to combat the increasing incidents of identity theft, it will also have sweeping implications for a wide range of businesses. While companies that encrypt all personal data will be exempt from the new law’s disclosure requirements, those that do not must begin to comply with the law or face penalties prescribed in the statute.

The new Civil Code section 1798.82 revolves around the unintended disclosure or acquisition of “personal information” due to a breach in the security of a computer database. The statute provides: “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” The section also provides that “Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

A breach of the security of the system occurs when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The good faith acquisition of personal information by an employee or agent of the owner of the system for business purposes is not a breach of the security of the system, provided that the personal information is not used or subject to further unauthorized disclosure.

The type of personal information which triggers the disclosure requirement includes an individual’s first name or first initial and last name in combination with any one or more of the following:

(1) Social security number.

(2) Driver’s license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Not included in the definition of “personal information” is publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Upon discovery of a breach in the security of a business database, the business must notify California residents of the breach in “the most expedient time possible and without unreasonable delay.” Business may make these notifications through written notice. A business may also make these notices electronically, as long as the notice provided is consistent with the provisions regarding electronic records and signatures as provided in the Electronic Signatures in Global and National Commerce Act.

If the business required to provide notice to Californians regarding the breach of security can demonstrate that the cost of providing notice would exceed $250,000, or that the business must send out more than 500,000 notices, or that the business does not have sufficient contact information the business may provide substitute notice through e-mail notice, posting the notice on the businesses web site, and notification to major statewide media.

The new law applies to companies that conduct business in California, regardless of whether they are located physically within the state. The statute gives no guidance on the circumstances when a company is conducting business in California, and therefore subject to the provisions of the statute. This lack of guidance makes it extremely difficult for companies not domiciled in California to determine whether they must comply.

If an out of state company is subject to the provisions of the statute and does not know it, that company could be in for a rude awakening. The statute authorizes any customer injured by a violation of the statute to recover damages.

If they haven’t already done so, companies should take steps to comply with the new law. Companies should establish internal policies and protocols that would be implemented when a breach which would require notice under the statute is discovered. In doing so, the company should implement a means to retain all records dealing with the discovery of the security breach and subsequent notification if it is later challenged in a civil suit.

California Adopts An Online Privacy Policy
The California Online Privacy Protection Act of 2003, which goes into effect on July 1, 2004, requires the operator of a commercial website to maintain a privacy policy that meets certain requirements. The privacy policy must specifically provide the following information: 1) it must clearly identify the categories of personal user information (i.e., first and last name, street address, e-mail address, telephone number, Social Security number and any other information that would enable the user to be contacted either online or offline) collected through the website; 2) it must provide a description of the process by which a user can review and request changes to any personal user information; 3) it must explain how the operator will notify consumers of changes to the privacy policy; and 4) and it must provide the effective date of the privacy policy. The Act requires the commercial operator to “conspicuously post” such a privacy policy.

To be conspicuously posted, the privacy policy must either be posted on the home page or there must be an iconic or text hyperlink on homepage or the first significant page that links to privacy policy. The icon or text hyperlink must contain the word “privacy” and must be in a color an/or size which contrasts with the background and surrounding text.

The reach of the Act is longer than most might think. The new privacy policy requirements apply to operators of commercial websites or online services that collect personally identifiable information through a website from individual consumers who live in California, regardless where the website operator resides.

Scott Hervey is a shareholder with Weintraub Genshlea Chediak.

This article is the copyrighted property of the Sacramento County Bar Association and Sacramento Lawyer has given Weintraub Genshlea Chediak permission to publish this article in its entirety.