Category Archives: Electronic Communication

What cloud computing services need to know about the Aereo decision

In June. the United States Supreme Court issued its much-anticipated decision in American Broadcasting Cos. v. Aereo, Inc. The decision effectively shut down the Aereo service, at least temporarily as it explores fundamental changes to its business model to permit it to continue distributing content while complying with the Court’s decision.

The Aereo service in question offered subscribers the ability to watch television broadcasts over the Internet, streamed in substantially real time as the programs were being distributed over-the-air by the original broadcasters. Aereo implemented this service via a network of antennas. When a subscriber selected a program, Aereo would select an antenna, deliver the program to the subscriber via the antenna, and dedicate the antenna to the subscriber until the program was complete.

The question that the Court considered was whether Aereo’s retransmission violated U.S. copyright law.  The Court focused on the section of the Copyright Act that gives a copyright owner the exclusive right to “perform the copyrighted work publicly.” The Copyright Act defines that exclusive right to include the right to “transmit or otherwise communicate a performance . . . of the [copyrighted] work . . . to the public, by means of any device or process, whether the members of the public capable of receiving the performance . . . receive it in the same place or in separate places and at the same time or at different times.”

Aereo argued that it did not transmit any performances “publicly” but rather only enabled the transmission of content privately, to a single subscriber at a time. However, the Court found that Aereo’s overall system could transmit a program to many subscribers, and that its activities constituted a “public” performance. In particular, the Court stated:  “we conclude that when an entity communicates the same contemporaneously perceptible images and sounds to multiple people, it transmits a performance to them regardless of the number of discrete communications it makes.”

The Court’s conclusion, if taken out of context, could cause cloud storage service providers to be concerned. Services that allow users to store music, video and other content online for on-demand delivery may indeed wonder whether their services permit “public performance” when a user accesses stored online content.

However, the Court took care to say that its ruling was limited to an interpretation of the Copyright Act’s Transmit Clause, which the Court said was intended to apply “to cable companies and their equivalents, [and] did not intend to discourage or to control the emergence or use of different kinds of technologies.” The Court noted that the term “public” in this context “does not extend to those who act as owners or possessors of the relevant product. And we have not considered whether the public performance right is infringed when the user of a service pays primarily for something other than the transmission of copyrighted works, such as the remote storage of content.”

Thus, not only did the Court state that it was not addressing remote storage systems, it also hinted that it would not consider distribution of remotely stored content in a cloud storage service to be a violation of copyright law because those distributions were not to the “public.”

So, at least for the present, remote storage services can take comfort in lower court decisions such as Cartoon Network LP v. CSC Holdings (2nd Cir. 2008), which held that remote DVRs may operate without violating copyright law.

 

 

Court action against FCC’s “net neutrality” rules could change rules of Internet service

The “open” nature of high-speed Internet service in the United States may be at risk based on a new appeals court ruling that struck down the Federal Communication Commission’s “net neutrality” regulations.

Since 2010, the FCC regulations, known as the “Open Internet Order,” have prohibited broadband service providers (ISPs) from blocking access to lawful content. as well as from blocking applications that compete with the  provider’s service offerings. The Order also prohibits providers of fixed broadband service (i.e., non-mobile broadband) from unreasonably discriminating in transmitting lawful Internet traffic, such as by granting preferred status or speeds to websites that are affiliated with the provider or who pay a fee to the provider.

The Court’s decision in Verizon v. Federal Communications Commission struck down most of the Open Internet Order.  In particular, the Court said that the FCC went beyond its regulatory authority in imposing the anti-blocking and anti-discrimination rules on ISPs.

Notably, the Court did not say that the FCC could never impose such rules on ISPs. Instead, the Court found issue with the way that the FCC imposed the rules on ISPs. Specifically, the Court faulted the FCC for creating rules that could be considered common carrier obligations and then imposing them on ISPs that were not considered to be “common carriers” under the Communications Act.

The Court did uphold the Order’s requirement that ISPs disclose to consumers accurate information about their network management practices, performance and commercial terms of service.  So, although an ISP can now block or slow a particular website, it must disclose that practice to its subscribers.

The FCC is expected to appeal the decision.  Alternatively, the FCC could attempt to re-write the rules within the guidelines of the decision. Either way, it will be interesting to see whether any broadband service providers change the way that they deliver services to consumers. Under the Court’s ruling, an ISP who is also a cable service provider could block or slow certain over-the-top services so long as they disclose that fact to subscribers. An ISP could charge a higher fee for access to certain sites, or perhaps a reduced fee to consumers who are  willing to accept a more limited scope of the World Wide Web.   Alternatively, some ISPs may use the Court’s ruling as an opportunity to attract new consumers by pledging to make all sites freely available without blocking or discrimination.

Either way, consumers are likely to see changes in their broadband service soon based on the new ruling.

New Data Breach 411 app helps companies navigate data breach laws

It’s a general counsel’s worst nightmare. Sensitive data. Gone. Stolen by faceless thieves who breached the company’s seemingly secure network.DataBreach411-2

As my partner Scott Vernick of Fox Rothschild recently stated:  “Data breaches can severely impact a company’s reputation and have debilitating consequences to businesses big and small.”

A new mobile phone app launched by the Fox Rothschild Privacy and Data Security Practice provides a guide to swift damage control in situations like this. The app—called Data Breach 411—can help companies who are affected by a breach navigate the various laws and regulations relating to data breaches. Currently, 46 states have laws in place addressing how organizations should prepare for and respond to the loss or theft of data.

According to Vernick:  “Our app is a ‘one stop shop’ for in-house counsel and privacy officers to instantly access the relevant state-specific details on what they need to do, who they need to notify, when and how. The ability to access these state rules at your fingertips can make all the difference in terms of what’s at stake for an organization: loss of reputational integrity, public trust and business, and time-consuming and costly remediation efforts.”

Information available via the Data Breach 411 app include:

  • State Security Breach Statutes: An alphabetical listing of the states that have data breach laws in place and links to all the relevant notification statutes.
  • HIPAA/HITECH Statutes: Breach notifications rules and other pertinent information related to the loss or theft of personal health information.
  • Resources: Links to credit agencies and credit monitoring services as well as the FTC website. Also, a section on COPPA – the Children’s Online Privacy Protection Act – and relevant information surrounding the mining of data on minors. This section also includes links to Fox’s Privacy Compliance & Data Security Blog and its HIPAA, HITECH and Health Information Technology Blog.

The Data Breach 411 app is currently available for free in the iTunes Store. An Android version will be available soon. To download the app, click here.

Does your website privacy policy describe how you handle “do not track” requests? If not, read this . . .

A new California state law is prompting businesses around the country to update their website privacy policies to more fully describe how the business handles certain customer data.

California’s Online Privacy Protection Act (CalOPPA) already required any commercial website or online service that collected personally-identifiable data from California residents to post a privacy policy. The new law amends CalOPPA to mandate that privacy policies explicitly describe how the website or service will respond to “do not track” requests from users.

My partner Mark McCreary prepared a detailed summary of the CalOPPA amendment and its additional disclosure requirements.  Mark’s summary is available via this link.

Federal Trade Commission issues new “.com Disclosures” guidance for online advertising

On March 13, 2013,  the FTC updated its “.com Disclosures” guidance document for online disclosures to address new issues resulting from the expanding use of smartphones and other mobile devices for advertising purposes.

Originally published in 2000, the FTC guide addresses how companies who are engaged in online advertising should provide the various disclosures that are required by the laws that the FTC enforces. These disclosures include those required to prevent a claim that a particular advertisement is misleading or deceptive.   Examples include: Continue reading

FTC proposes update to children’s online privacy rules

The Federal Trade Commission (FTC) has proposed an updated set of online privacy rules to address the use of new technologies — including mobile technologies – by children under the age of 13.  The original rules, issued in 2000 to implement requirements of the Children’s Online Privacy Protection Act (COPPA), require operators of commercial websites and online services directed to children under age 13 to:

  • post a privacy policy describing how the site handles children’s personal information;
  • provide direct notice to parents and obtain verifiable parental consent before collecting children’s personal information;
  • give parents the option to allow the operator to collect and use a child’s information, but not disclose it to third parties;
  • give parents access to their child’s personal information for review and/or deletion;
  • give parents the opportunity to prevent further use of the information; and
  • maintain the confidentiality, security, and integrity of information collected from children.

Changes proposed in the new rule include:

  • an expanded definition of “personal information” that includes substantially all information that can be used for online profiling or directed behavioral advertising – including geo-location information, instant messaging user IDs, voice over IP (VOIP) identifiers, video chat user IDs, and tracking cookies;
  • a requirement that key information be presented to parents in a succinct “just-in-time” notice, and not just in a privacy policy;
  • new methods to obtain verifiable parental consent, including electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s identification is deleted promptly after verification is done;
  • a requirement that website operators ensure that service providers or others to whom they disclose a child’s personal information implement reasonable procedures to protect it, retain the information for only as long as is reasonably necessary, and properly delete the information; and
  • a requirement that self-regulatory “safe harbor programs” audit their members at least annually and report the results of those audits to the FTC.

The FTC will accept comments on the proposed rules through November 28, 2011.

Social Media Use in Doctor / Patient Communications

My colleague Rebekah Monson recently co-authored an article discussing the growth of social media as a tool for doctor/patient communications.  Although this use of social media requires careful consideration so that private information is not Tweeted, Facebooked, or otherwise make available for public view, Rebekah points out that

Social media is a powerful tool that can be used effectively and efficiently for peer, patient, and family communication, as well as a vehicle for learning, as part of patient education, graduate medical education (GME), and continuing medical education (CME). . . .The Internet is replete with lay opinions and medical misinformation. Surgeons who use social media have a unique opportunity and non-legal responsibility to critically review and correct this misinformation.

The full text of Rebekah’s article can be found here.

 

 

HIPAA privacy violations result in penalties exceeding $4.3 million

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) recently announced its first-ever civil monetary penalty against a health system for alleged violations of the HIPAA privacy rule.  The penalty of over $4.3 million, which was levied against Cignet Health, was followed by OCR’s announcement of a $1 million settlement resolving a HIPAA privacy complaint against certain entities affiliated with Mass General. 

My colleague Rebekah Monson recently published an article describing the actions that resulted in penalties, as well as the penalty calculation methods.  As Rebekah notes in the article:

While the Cignet case could be considered to be an isolated and extreme example, the type of HIPAA breach in the Mass General case is not unusual. The timing of the two announcements, significant penalties, and three-year [corrective action plan] (for Mass General) may signal OCR’s plans to use the HITECH-increased penalties as an enforcement tool.

The full text of the article is available here.

Advanced IP Forum for Advertising Counsel scheduled for April 2011

The American Conference Institute is hosting new seminar that is tailored to help companies learn how to avoid advertising-related pitfalls that can weaken a company’s brand and expose the company to intellectual property litigation.  The new seminar, titled Advanced IP Forum for Advertising Counsel, will feature speakers from leading media and brand-driven companies, along with counsel who represent them.  Topics of the seminar will include:

  • strategies for resolving conflicts and avoiding patent litigation when advertising using new technologies;
  • sidestepping copyright landmines:  what the DMCA, YouTube and Hulu mean to brand media strategies;
  • licensing negotiation strategies for new media; and
  • best practices for combatting widespread IP infringement on the Internet.

The seminar will be held in New York City on April 27-28, 2011, with optional workshops on April 29.  (Full disclosure:  I am one of the speakers at the seminar.  I will discuss strategies for avoiding patent infringement claims when using new advertising technologies.) 

For more details, visit the ACI website.  Early bird registration pricing is available through February 28.

California rules that retailers may not record ZIP codes for credit card transactions; new lawsuits follow

The California Supreme Court recently ruled that ZIP codes are “personal identification information” under the state’s credit card consumer protection statute.  Accordingly, the Court ruled retailers may not collect and record ZIP codes from consumers as a condition to completing a credit card transaction. 

Just a few days later, several law firms in San Francisco and Los Angeles filed class action lawsuits against major retailers, seeking damages for alleged violations of the California law.

First enacted in 1971, the Song-Beverly Credit Card Act prohibits California retailers from Continue reading