New John Doe Copyright Infringement Suit Filed in Connecticut

A lawsuit relating to online copyright infringement of synthesizer software using “peer-to-peer” networks was filed recently in Connecticut District Court.  The case is captioned reFX Audio Software, Inc. v. Does 1-89.  The complaint alleges that certain individuals and Connecticut residents committed acts of copyright infringement through the use of a common “peer-to-peer” (“P2P”) file transfer protocol known as BitTorrent.  

A common tactic in mass copyright infringement lawsuits is the use by plaintiffs of “tracking software” which identifies the internet protocol addresses (“IP Addresses”) that were allegedly used to commit acts of software piracy. 

By way of background, Internet service providers, (i.e., Comcast, Cox, etc.) provide the account holders with specific IP addresses from which users can access the Internet.  In these lawsuits, attorneys bringing the lawsuits allege that each IP address is unique and is therefore linked to a specific user account. In order to identify the allegedly infringing users, reFX hired a Connecticut attorney to file a motion with the court, asking to conduct discovery in order to learn the identities of the account holders.  If granted by the court, the attorney for reFx will issue a subpoena to each of the Internet providers requesting that they turn over information (typically name, address, telephone number) for the account holder.  

On March 20th  Judge Janet Hall granted Plaintiff’s motion for leave to take discovery in the reFX Audio case.  As a result, certain Internet providers have now sent letters to cable customers and account holders notifying them of the pending lawsuit.  Typically, Internet providers will wait 60 days to allow  the account holders to seek legal counsel prior to providing the court-ordered personal information.

If you have received a letter from your Internet provider identifying your IP address as having participated in the alleged copyright infringement of reFX software, read here from our earlier post on the issue for next steps and to consider if you need to hire an attorney to represent you. 

We already have received calls in response to this lawsuit.  Many callers have read or been told to ignore these letters.   Each circumstance is typically unique in these cases, and there is no one size fits all defense.  Do not assume that ignoring the letter will result in the problem going away.  While it is true that in some cases ignoring the letter is an appropriate response, it many other cases the risks are too high to simply ignore the problem.  Once you are fully informed of all of your options such as, filing motions to quash, settling or compromising the claim, defending the action, or ignoring it,  you can then decide the proper cost/benefit for your case.

Software Liability Act in Connecticut – Good Idea or Too Much Regulation?

Do software publishers need more regulation to encourage creation of safe and reliable software?That was the general question posed for a debate at the RSA Conference USA on February 29, 2012. Sean Doherty of Law Technology News wrote an interesting article summarizing the two different positions.  One side of the debate favors creating a regime of "civil liability for software manufacturers whose code causes harm to consumers."  Opponents view a regime of civil liability for damages caused by software as another unnecessary regulation.  In addition, opponents maintain that our existing laws already provide remedies for software liability.  

In Connecticut, there is no software liability statute or act.  However, there are various existing legal theories that might apply to the sale of defective software, including:

  • breach of contract;
  • breach of express warranty;
  • breach of implied warranty; and
  • misrepresentation.

Of course, there are also defenses to breach of warranty claims regarding software.  In many instances, a software attorney writing a contract or license agreement will include a disclaimer of all warranties and a cap on damages.  

Some consumers and purchasers do not have the ability to hire an attorney to negotiate a purchase of software.  Will a software liability act prohibit such disclaimers?  Conversely, not all software vendors or manufacturers hire a software lawyer to protect their interests by drafting appropriate disclaimers in license agreements and contracts.  Will a software liability act also protect software publishers from frivolous claims? 

As noted by the debaters at the RSA conference, everyone wants better, more reliable software. However, I doubt that creating a new software liability regime, and thus more regulation, is the right answer.  I tend to favor the market solution.  Let the better software win.  

New Connecticut Business and Technology Law Firm

I am pleased to announce that I have started a new law firm, Aeton Law Partners LLP.  At my new firm, I will continue my litigation practice involving a wide array of business and technology matters.  In this new venture,  I have partnered with Attorney David Benoit.  Dave brings a wide range of experience in transactions related to business, technology, and intellectual property. Together, we provide a broad base of experience and general counsel legal services for our existing and expanding client base.  For more information on Aeton Law Partners, please contact me at 860 724 2163.

 

Did Courtney Love Make A Good Decision To Settle Her Twitter Case?

According to various online sources and media outlets, Courtney Love has settled (or is close to settling) the Twitter lawsuit brought against her by Dawn Simorangkir.  The trial was supposed to start tomorrow, and according to Amanda Bronstad at the National Law Journal, it was going to be broadcasted live.  Love was reportedly going to defend the case claiming that the Twitter comments were just opinion or hyperbole.   I categorized this as the "it was just a Tweet" defense. 

If the facts that have been reported are accurate, Love’s decision to go for a settlement was probably a good one.  Love’s defense was not likely to succeed.  She didn’t make isolated rambling comments.  There appeared to be intent to harm Simorangkir’s reputation in business with the comments.  In Connecticut, this may have amounted to defamation per se, trade libel, or commercial disparagement.

Given the nature of the comments, Simorangkir might have been entitled to a damages award even if she could not show a loss of business.     Simorangkir’s lawyer said Love "embarked in what is nothing short of an obsessive and delusional crusade to terrorize and destroy."    If true, the case goes beyond a simple Tweet or personal opinion.

The Twitter, Facebook, and LinkedIn universe was waiting to see what a jury would say about social media and defamation.  Unfortunately, if the settlement is final, we now have to wait for the next big Twitter defamation case.  It will not take long. 

Carders, Full Wallets and Identity Theft In Connecticut

I recently attended the Connecticut Privacy Forum.  One of the presentations was by Kim Peretti who is Director of Forensic Services at Pricewaterhouse and a former federal prosecutor that chased down identity thieves globally. (read an interview with Kim here about the infamous TJX case).   I learned quite a bit of information about trafficking in personal identifying information also known as PII.  You can read my live tweets from her presentation here. 

In the data theft industry, the thieves are called "carders."  They are out there looking for victims in person and online.   The primary goal is not only credit card information, but  "full wallets."  Full wallets is when the carder gets all the information you might have in your wallet.  Credit cards, license, bank cards, etc.  The thieves might get this information from you personally, but more likely through a company that keeps this type of information.  Once they get a full wallet, they typically sell it overseas where the information is stored on computer servers and offered for sale on websites.  Scary stuff. 

As a coincidence, I have had a recent uptick of inquiries from victims of identity theft.  There are many laws that are implicated in cases of identity theft such as wire fraud, computer fraud, and theft statutes. The theft may also involve a data breach such as in the case of TJX.   

Here is a quick summary of Connecticut’s statutory law for identity theft.

In Connecticut, an attorney can file a civil lawsuit on behalf of a victim of identity theft and obtain an award of one thousand dollars or treble damages, whichever is greater pursuant to statutory law. In addition, a victim can obtain an award of costs and reasonable attorney’s fees.  Damages may include documented lost wages, or any financial loss that can be tied to the identity theft. Courts have the ability to award other types of relief also, including but not limited to, not less than two years of commercially available identity theft monitoring.  

In Connecticut, attorneys may prove identity theft for civil damages by showing a violation of the criminal identity theft statutes.  This is similar to the civil theft statute and computer crime statute.  In general, the criminal identity theft statutes may be broken down under the following categories:

  • Class B felony identity theft.  This violation concerns cases where the victim is under the age of 60 and the value of money or theft exceeds ten thousand dollars or the victim is over the age of 60 and the value is greater than five thousand dollars.
  • Class C felony identity theft.  This violation occurs where the victim is under 60 and the value is greater than five thousand dollars, or if the victim is over 60.
  • Class D felony identity theft.  This occurs for any violation regardless of age or value.

To prove the underlying violation or actual identity theft, an attorney must prove in the following:

A person commits identity theft when such person knowingly uses personal identifying information of another person to obtain or attempt to obtain, in the name of such other person, money, credit, goods, services, property or medical information without the consent of such other person.

 

Personal identifying information is defined by the statute as:

any name, number or other information that may be used, alone or in conjunction with any other information, to identify a specific individual including, but not limited to, such individual’s name, date of birth, mother’s maiden name, motor vehicle operator’s license number, Social Security number, employee identification number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, savings account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation.

 

If you are a victim of identity theft, you should take fast action.    Some of the actions you might consider: 

  • Identify potential defendants for a lawsuit, such as the actual perpetrator or the source where the perpetrator obtained the information
  • Assess provable damages
  • Seek police involvement and file a private complaint
  • Take immediate action to help restore credit ratings
  • Filing for an injunction, damages or other lawsuit against perpetrators

Consulting an identity theft attorney is also a good idea.  An identity theft attorney can help a victim sort through the various options, take direct action on behalf of the victim, and determine if there are grounds for a lawsuit to seek an injunction, restraining order, or damages. 

 

Can You Record Phone Conversations In Connecticut To Help Your Lawsuit?

You might be surprised how many times I am asked this question.  Of course, the circumstances of every case warrant separate consideration, but here are the basic facts concerning recording of phone conversations in Connecticut as it relates to civil litigation and lawsuits: 

Civil Liability.  You are subject to liability in a civil lawsuit if you violate Connecticut General Statutes 52-570d entitled "Action for illegal recording of private telephonic communications."  The full text of the statute is here, but the basic summary is that an aggrieved person may bring a civil lawsuit for the recovery of damages and attorney’s fees if someone uses a device to record "an oral private telephonic communication" unless the use of the recording device involves:

  • the consent of all parties (some states only require one party consent), and such consent is obtained prior to the recording
  • the consent documented in writing or part of the recording
  • verbal notification given at the start of the recording
  • an automatic tone warning device producing a signal every 15 seconds

There are various exceptions to this rule, including for law enforcement and FCC officials.  In addition, one of the more relevant exceptions is for "any person who, [is] the recipient of a telephonic communication which conveys threats of extortion, bodily harm or other unlawful requests or demands."  For example,if your Mel Gibson’s girlfriend, and you are in Connecticut, its probably safe to record his phone calls. To recover in Connecticut, however, you have to prove actual damages related to the recording.

Many people that want to record phone conversations are trying to document conversations as evidence for potential use in a lawsuit.   However, if the recording is done unlawfully, Connecticut law prohibits the use of the recording in "any court of this state." As such, although an improperly recorded phone call might be available for use in a deposition, it will not be permitted as evidence in any court.  

Whether an improper phone recording is criminal will depend on the circumstances.  For example, it is a Class D Felony in Connecticut to engage in wiretapping or "mechanical overhearing" of a conversation.  Wiretapping and mechanical overhearing are defined to include "intentional overhearing or recording" of telephonic communication or conversations without the consent of at least one person involved.  This is more likely to apply to a situation like the allegations against Shaq O’Neal for intercepting cellular phone conversations he was not a part of as opposed to private two way conversations. However, the possibility of criminal penalty should be factored into any decision to record a phone call.

Keep in mind also that this post is only a summary as it pertains to Connecticut state law. If phone calls involve an out-of-state caller, different laws might apply.  For a good example of the intersection of various state recording laws, visit the website for the Reporters Committee for Freedom of the Press.  In addition to state law, there are federal wiretapping laws that might come into play. For an example of some federal laws, see this post on the Citizen Media Law Project.

The takeaway here is that if you improperly record phone conversations in Connecticut you could: (1) face criminal penalties; (2) face a civil lawsuit for damages and attorney’s fees; and (3) be precluded from using the recordings in court in any civil lawsuit.  As such, if you are planning on recording phone conversations of any kind, you would be well served to contact an attorney and get advice on whether to proceed.

Cyber Crime On The Rise And Costly – What Can You Do About It

The Ponemon Institute recently published the First Annual Cost of Cyber Crime Study. Download here.  The study was conducted by Ponemon, an independent research group with a focus on privacy and data protection, and ArcSight, a security and compliance management provider.  The study involved a benchmark cost analysis of 45 different companies ranging from 500 employees to over 100,000.                                                                             

Here are the significant points from the executive summary:

  • The median cost of cyber crimes for the 45 organizations was $3.8 million per year (ranging from $1 million to $52 million)
  • Cyber attacks are the most common occurence
  • The most costly attacks (amounting to 90% of the attacks) are web attacks, malicious code, and malicious insiders
  • The companies in the study were experiencing 50 successful attacks per week
  • Average number of days to address a cyber attack was 14 days, with insider attacks taking more than a month
  • Costs for company compliance depended greatly on the level of security programs at each company

The study defined cyber attack as any criminal activity conducted via the Internet, including theft of intellectual property, confiscating online information and accounts, distributing viruses, and disclosure of confidential information.  The study referred to some well publicized cases of cyber attack, such as TJX companies, which I posted about on this blog previously.

What should you do if you or your Connecticut business has been a victim of cyber attack? 

  • Act quickly.  Responding quickly to a cyber attack is essential.  Hopefully, your business has developed a data loss and privacy plan that will address the steps your business should take in response to a cyber attack.  There should be a dedicated response team and protocal for any such event.   
  • Determine whether notification is necessary.  Depending on the nature of the attack and the information compromised, notification of consumers, customers, or governmental authorities may be required.
  • Consult a privacy attorney and business litigation attorney to determine what legal steps might be taken to address the attack.  For example, if there was an identifiable person or group responsible, such as an insider or a competitor, there may be criminal or civil remedies for computer crimes that provide for the recovery of damages.
  • Determine if insurance is available to cover the damages from the cyber attack. See some of my prior posts on insurance to address data loss and security breach.  Also, read this article by Tom Risen of the National Journal that summarizes the potential solutions that insurers offer to businesses in the United States. 

Although the Ponemon study involved large companies, many experts in the field suspect that small business are equally, if not more, exposed to cyber attacks.  Therefore, regardless of the size of your company, it is a good idea to have a risk management audit to determine your company’s ability to respond to a cyber attack.  Advanced planning is critical to mitigating damages from cyber attacks.

 

 

Civil Liability For Computer Crimes In Connecticut

In Connecticut, a person commits a computer crime if there is any violation of the provisions in Connecticut General Statutes 53a-251.  This is Connecticut’s computer crime statute.   The statute defines criminal conduct under the following categories:

  • Unauthorized access to a computer system
  • Theft of computer services
  • Interruption of computer services
  • Misuse of computer system information
  • Destruction of computer equipment

The computer crime statute itself does not provide for a civil cause of action.  Instead, a victim of a computer crime may rely on Connecticut General Statutes 52-570b, which permits a civil lawsuit for computer-related offenses. The statute provides a basis for a lawsuit for "an aggrieved person who has reason to believe that any other person has been engaged, is engaged or is about to engage in" conduct that violates the computer crime statute. 

As part of a computer crime lawsuit, a business may seek a temporary or permanent injunction, restitution, actual damages, unjust enrichment, an order to appoint a receiver who may take property into his possession, or any other equitable relief.  Punitive damages may be available if there is a showing of malicious or willful conduct. Further, a victim of computer crime may obtain an award of attorney’s fees and costs.

One of the more common types of computer crime or cyber attack is an insider attack with unauthorized access to a computer network.  A common example is a disgruntled employee or vendor with some level of access to the computer network of a business that turns into unauthorized use or damaging conduct. The cyber attack might involve theft of confidential or proprietary information, installing a virus or malicious code to infect the system, or theft and disclosure of information to third parties. 

The most common defense raised to computer crime charges is "authorized access."  The statute exempts conduct that might qualify as improper, but was undertaken with a reasonable belief that it was authorized.  As such, the issue of authorization becomes a critical element in these cases.  Courts might look to the policies and practices of a business with respect to access and security to determine if a reasonable belief defense exists.  Courts will also look to the nature of the conduct to determine if a reasonable belief defense is legitimate under the circumstances of the case.

Responding quickly to a computer crime or cyber attack is important.  A business that is the victim of a computer crime or cyber attack should consider involving an attorney as part of the response team depending on the severity of the incident.  The attorney can assess whether a business that is victim of a computer crime can bring a lawsuit to recover damages or possibly make a claim for losses to an insurance company.  An attorney can  also assist with critical decision making regarding notification to outside parties in the case of a security breach or data loss.  An attorney can further assist with determining the need for involvement of an appropriate forensic expert to preserve and develop critical electronic evidence of the cyber attack. 

 

Understanding Risks and Avoiding Lawsuits – Negotiation of the Master Services Agreement

Recently, I received a call from an attorney trying to figure a way out of a Master Services Agreement for his client.  His client, the purchaser, was stuck owing a lot of money to a technology vendor under a Master Services Agreement that was not working for the client.  The problem – – there was no protection under the contract for the purchaser and no clear way out without owing money to the vendor. 

The problem is not unique to technology purchasers.  Bad contracts also can hurt technology providers.   Take for example a recent case involving a technology company in a lawsuit over installation of new software for a small business.  The business claimed loss of profits due to extended down time as a result of a claimed breach of warranty.  The problem for the technology vendor – –  no protection in the contract with a limitation of remedy provision or disclaimer of warranty.  This opened up a claim for consequential damages that neither party contemplated.

In these cases, whether you are the attorney for the customer or the vendor, many times you are left saying "I wish you called me when you negotiated this contract."   In most instances, when a large or significant service and technology purchase is involved, the relationship between customer and vendor is set forth in a Master Services Agreement.  Master Services Agreements are typically contracts in information technology or professional services that govern a long term vendor-client relationship.  The contract includes general provisions on price, payment terms, and project scope.  The contracts usually include a Statement of Work. The Statement of Work will define the project specifics, services, or deliverables.

While the negotiation of a Master Services Agreement can be quite complex depending on the scope of the project, there are some general terms and clauses that should be considered or included in each agreement to avoid mutual misunderstandings, bad financial decisions, and unnecessary business litigation.  This applies to both sides of the negotiation whether you represent the customer or the vendor.  

There are some standard clauses and considerations in Master Services Agreements that can help the parties reach a true meeting of the minds as to the scope, risks, and obligations. Here is a checklist of some topics and questions that should be discussed as part of the negotiation of a Master Services Agreement:

  • Price.  Very important to remember that the sticker price or price on the contract is many times not as important as the soft costs and expenses.  It benefits both sides of the deal to make sure the price and payment terms (including add on fees like renewals, maintenance and service) are clear and understood.
  • Payment.  Is the agreement going to call for payment by time and materials?  A fixed fee?  A hybrid of both?  Will the payments be tied to meeting milestones on deliverables?  Penalty or late fees? Any retained amounts until completion?  For both sides of any deal, it is better to work out the details on payment ahead of time and avoid problems before they arise.
  • Intellectual Property.  Who is going to own the intellectual property rights to the new software or work performed?  If this is not addressed in the contract, unintended results may occur where the vendor has future property rights for a project paid for by the customer. 
  • Warranty.  What is the scope of the warranty of the work? Will the warranty be limited to the vendor’s performance in a workmanlike manner or is greater warranty protection needed for a new product installation?  Does the vendor warrant the software or other products? The warranty many times provides the basis of the claim for damages against the vendor.  By limiting or expanding the warranty, the scope of liability is understood by both parties at the outset. 
  •  Statement of Work.  This is the document that will provide the specifics on the deliverables under the agreement.  Will it be a separate document?  How much detail will be included?  What assumptions are made?  How can the scope of the project increase?  What are the due dates and deadlines?  An overly broad Statement of Work can be a problem for both a vendor and customer. 
  • Confidentiality Agreement.  Typically, the parties to a Master Services Agreement will want a mutual confidentiality agreement or non-disclosure agreement to prevent disclosure of proprietary information and company trade secrets.  How will you define proprietary information and trade secrets?  How long will the agreement last?  What are the penalties for violation?
  • Indemnification.  These clauses typically shift the risk associated with a loss or a claim from one party to another.  For example, what happens if the customer gets sued for patent infringement for work product of the vendor?  Should the vendor have to defend and indemnify the customer for the lawsuit?
  • Attorneys fees and Alternative Dispute Resolution (ADR).  How will disputes under the contract be resolved?  ADR clauses in the contract can provide for the award of attorney’s fees to the prevailing party and force all disputes to be resolved in a binding arbitration as opposed to a typical lawsuit in court.   More and more, both customer and vendor are seeking to avoid costly litigation by electing for a streamlined dispute resolution process.
  • Insurance.  Does the vendor have errors and omissions insurance?  Should it be required in the contract?
  • Termination.  What terms will govern when one party is unhappy or if a party is in breach?  How do you get out of the contract?  30 days notice?  10 days notice?  Is there any payment for at will termination?  Does work stop upon notice?

These are just a few of the major considerations at play for both a purchaser and vendor under a Masters Services Agreement.  For any significant transaction,  it is advisable for a technology lawyer to negotiate the contract.  Early involvement of a technology attorney can save time and expense later and help each party understand the risks of any particular project. 

 

 

Thank You to Hartford Business Journal and Advanced Copy

Thank you to Advanced Copy for nominating me for Best Use of Blogs for the Hartford Business Journal’s Strateg E Awards for 2010.  Thank you to the Hartford Business Journal for selecting this Blog as a finalist and putting on a great event yesterday. 

Congratulations to Thomas Clifford who won for his Blog, Bringing Brands to Life.  Tom is a big fan of Daniel Pink who has some revolutionary ideas for business management.  I just read Pink’s latest book "Drive: The Surprising Truth About What Motivates Us."  Great read.