
Privacy & Public Policy

If you watched the first round of the NFL Draft, the big story was the sliding of Ole Miss offensive tackle Laremy Tunsil out of the top five to number 13. As the draft was unfolding, someone released a video of him smoking marijuana through a gas mask.  You can read the story here.  You can watch this interview right after he was picked.

To make matters worse, after he was picked, someone released text messages between Tunsil and one of the assistant coaches at Ole Miss where it looks like Ole Miss was paying Tunsil’s rent or his mother’s electric bill.  Read about it and see the texts here. Here is another interview where Tunsil admits the texts were his.

So, can Tunsil sue or is there a possible crime?

Yes and yes.

Assuming someone “hacked” his Twitter or Instagram account, even if Tunsil was somewhat lackadaisical about protecting it, and that this person did not have “authority” to access the account, then there is likely a violation of the Stored Communications Act.

The SCA makes it illegal for anyone to “intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” Accessing his Twitter or Instagram accounts without his permission would likely be a violation.

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, fiduciary duty, wire fraud, trespassing, theft, extortion if there was money demanded in advance, and a number of other state law claims.

So, what are the criminal penalties?

Pursuant to 18 U.S.C. § 2701, “if the offense is committed for purposes of commercial advantage, malicious destruction or damage, or private commercial gain,” the criminal penalty for a first offense is a fine or imprisonment for not more than five years or both.

What about a civil lawsuit?

Tunsil could also sue the perpetrator.  Assuming he can establish there was no authority to access his accounts, the SCA provides that a plaintiff can recover:

damages in a civil action under this section the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation, but in no case shall a person entitled to recover receive less than the sum of $1,000. If the violation is willful or intentional, the court may assess punitive damages. In the case of a successful action to enforce liability under this section, the court may assess the costs of the action, together with reasonable attorney fees determined by the court.

18 U.S.C. § 2707.

To prove damages, I would have a composite of the mock drafts immediately prior to the release of the video to determine where Tunsil would have likely been drafted had the video not come out. Then, you take the difference between the guaranteed money that pick would have received and the money the 13th pick receives as your actual damages. Those damages could easily exceed $10 million.

Assuming the defendant wanted to purposefully hurt Tunsil, punitive damages would also be available.

What about Tunsil’s conduct?

Yes, Tunsil is shown smoking marijuana.  Yes, it appears he took benefits from Ole Miss in violation of the NCAA rules. If you are making a negligence claim, the plaintiff’s own negligence comes into play.

But, under the Stored Communications Act, his alleged bad acts don’t really come into play as far as liability.  A jury might consider his actions when deciding the causation. What really caused his damages? Was it the hacking by the defendant or Tunsil’s own bad acts?

Causation is usually a fact question in a civil trial, but would anyone really be surprised that an NFL prospect smoked marijuana at some point in his life? Tunsil says the video is old and his pre-draft drug tests all came up clean.

The video came out 13 minutes before the draft started. The argument is the slide in the draft only happened when the video came out. After all, even after he did these things (although no one knew), he was still considered a top five pick.

If there was a civil case, there could be a huge verdict, but then there is always the matter of collecting.

At the beginning of this year, we warned that there would be an uptick in Americans with Disabilities Act litigation related to website accessibility in a post entitled Does My Website Need to be ADA Compliant? The answer then was “most likely yes.” Now, the adverse litigation results are starting to come in.

According to this post from Seyfarth Shaw’s Kristina Launey, “A First: California Court Rules Retailer’s Inaccessible Website Violates ADA,” a California court held recently that a retailer violated the act because its website lacked access for the vision-impaired. This was a first-in-the-nation determination regarding ADA applicability to a retail site.

The court granted a summary judgment in favor of the plaintiff on the application of the ADA because (1) there was “sufficient evidence that he was denied full and equal enjoyment of the goods, services, privileges, and accommodations offered by defendant [via its website] because of his disability”; and (2) there was a sufficient nexus to defendant’s physical retail store and the website.

The statutory penalty was only $4,000 and there is an injunction in place to force the store to become compliant. The real pain to the defendant is coming because the store is liable for the plaintiff’s attorneys’ fee in an amount to be determined.

 

This should motivate you to look into whether you need to be compliant and whether you are. Go back and read our ADA post from January or find additional information here.

 

A few days ago, a jury in Florida awarded Hulk Hogan (real name Terry Bollea) $140 million because Gawker posted a leaked sex video of the former wrestler. Rather than focus on the lurid details (which you can Google), let’s look at the law that led to the two-week trial.

To recap, Gawker allegedly received the video from an anonymous source. Other news outlets reported the existence of the tape. Gawker decided to publish the video in 2012 and had it on its site for six months.

What Issues Went to the Jury

The lengthy jury instructions indicate Bollea sued for (1) invasion of privacy; (2) violation of his right of publicity; (3) intentional infliction of emotional distress; and (4) a violation of Florida’s Security of Communications Act. Gawker denied the allegations and contended its actions were protected by the First Amendment.

Florida law on invasion of privacy

A number of acts can constitute an invasion of privacy. The first claim was for invasion of privacy based upon the publication of private facts which requires: (1) the publication of truthful private information; (2) that a reasonable person would find highly offensive; and (3) that does not relate to a matter of legitimate public concern. The final element is why there was a lot of discussion about the “newsworthiness” of the video and the effort by Bollea to distinguish between his real self and the character that he plays as Hulk Hogan.

Bollea also sued for invasion of privacy based on intrusion upon seclusion, which requires: (1) the wrongful intrusion through physical or electronic means; (2) into a place in which Bollea had a reasonable expectation of privacy; (3) in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities. Because of this claim, there was a lot of discussion about whether Bollea knew about the videotaping.

Finally, there was a claim for invasion of privacy based on misappropriation of the right of publicity which requires: (1) the unauthorized use of the plaintiff’s name or likeness; (2) for a commercial or advertising gain.

Intentional Infliction of Emotional Distress

This claim consists of: (1) extreme and outrageous conduct by the defendant; (2) that causes severe emotional distress; and (3) was engaged in either with an intent to cause severe emotional distress or a reckless disregard of the high probability that it would cause severe emotional distress.  Extreme and outrageous conduct is behavior which, under the circumstances, goes well beyond all possible bounds of decency and is regarded as shocking, atrocious, and utterly intolerable in a civilized community.

Florida Security of Communications Act

This statutory claim requires: (1) the disclosure of oral communications; (2) in which the plaintiff had a reasonable expectation of privacy; (3) by one who knows or has reason to know that the communications were recorded without plaintiff’s knowledge or consent.

The First Amendment

The court instructed the jury that the newsworthiness of the video was a defense to Bollea’s claim for publication of private facts and a First Amendment defense to each claim. The court explained: “A matter of public concern is one that can be fairly considered as relating to any matter of political, social, or other concern to the community or that is subject to general interest and concern to the public. . . . The line between the right to privacy and the freedom of the press is drawn where the publication ceases to be the giving of information to which the public is entitled, and becomes a morbid and sensational prying into private lives for its own sake, with which a reasonable member of the public, with decent standards, would say that he or she had no concern.”

Damages

As you know, the jury found in favor of Bollea.  The jury therefore had to assess damages. Bollea’s experts claimed the video raised the value of the website by $5 million to $15 million. Gawker retorted that it only added $11,000 in value because there were no advertisements next to the video.

The court instructed the jury to award “the amount of money that . . . will fairly and adequately compensate Plaintiff for the emotional distress he experienced as a consequence of the publication of the Video.”

On the misappropriation of the right of publicity, the court instructed the jury to award “an amount of money that . . . will fairly and adequately compensate Plaintiff for any economic damages relating to the publication of the Video.” 

The jury awarded compensatory damages in the amount of $55 million for economic damages and another $60 million in pain and suffering. The jury added another $25 million in punitive damages made up of $15 million against Gawker, $10 million against the founder of the site and $100,000 against one of the editors involved. Some media reports suggested Bollea only asked for $100 million in damages. There were reports that the jurors were disgusted by jokes made by Gawker employees at the time of publication and during depositions.

You can read another interesting take on the case here.

Gawker intends to appeal.

By now, you have probably read about how the FBI is asking Apple to create software that would help the FBI unlock the iPhone of one of the deceased San Bernardino attackers. You have probably heard the talking heads scream about the privacy vs. security policy debate, but what law is at play?

The All Writs Act

You may have even heard the government is relying upon the All Writs Act, which was passed in 1789. Three years of law school and sixteen years of practice and I had not heard of the All Writs Act at 28 U.S.C. § 165. Surprisingly, it is very short:

(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
(b) An alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction. 

The purpose of the law is to fill in the gaps to give courts the power to enforce their orders and subpoenas. Obviously, the use of the All Writs Act has to be “agreeable to the usages and principles of law.”

How We Got Here

On February 16, 2016, the government received an ex parte order (which means without having anyone from Apple or anyone else arguing against the request) requiring Apple to provide “reasonable technical assistance to assist law enforcement agents in obtaining access to the data.” The order then lists what the court considers “reasonable technical assistance” including the oft-discussed decryption key that needs to be created to help unlock the phone. A copy of the order is here:  SB-Shooter-Order-Compelling-Apple-Asst-iPhone.

Apple’s Legal Argument

Apple primarily argues that Congress has already decided tech companies like Apple cannot be forced to provide access to encrypted devices. Apple’s brief is here. Specifically, Apple cites to the 1994 Communications Assistance for Law Enforcement Act at 47 U.S.C. § 1001, et seq. CALEA, Apple argues, specifically states that electronic communication service providers and mobile phone manufacturers cannot be forced to “implement any specific design of its equipment, facilities, services or system configuration” to unlock or decrypt phones.

Apple then argues that Congress has considered amendments to CALEA, but decided not to amend the 1994 law to require so-called back doors to encrypted devices or programs. According to the brief, “Congress, keenly aware of and focusing on the specific area of dispute here, thus opted not to provide authority to compel companies like Apple to assist law enforcement with respect to data stored on a smartphone it designed and manufactured.”

Case Law on the All Writs Act

The U.S. Supreme Court spelled out the test for whether the All Writs Act could be used in U.S. v. New York Telephone, 435 U.S. 159 (1977). In that case, the Court required the phone company to install a pen register device on two telephone lines.

The Court provided a three-part test:

(1) Is the company so far removed from the controversy that its assistance could not be reasonably compelled?

(2) What is the burden on the company whose assistance is sought?

(3) Are there other alternatives?

In light of those factors, Apple argues:

(1) The company does not own or control the phone or the data the government is seeking;

(2) It would be difficult for Apple to build the requested unlocking key, and Apple does not want to, for marketing reasons and because of concerns about additional requests in the future. Apple says it would take six to ten employees two to four weeks to develop it.

(3) The government made it more difficult when it changed the iCloud password, and it did not prove that it had exhausted all of the digital forensics resources available to it.

Finally, Apple contends forcing them to create software would force them into compelled speech in violation of the First Amendment and would constitute an unlawful arbitrary action against Apple without due process in violation of the Fifth Amendment.

The Department of Justice’s Response

In its response, the Government tried to shift the focus back to the specific facts of this case and this one phone in light of the three-part test and away from a greater policy argument.

The government says that just because Congress did not make any changes to CALEA does not mean the All Writs Act does not apply to fill in the gap as it has been used a number of times to require companies to unlock phones and other devices.

Regarding the three factors from the New York Telephone case,

(1) Apple purposefully licensed the operating system in the phone that allowed for encryption, so Apple’s involvement is sufficient.  Involvement does not mean a company participated or even specifically knew there was criminal conduct. It only requires that Apple be “closely connected” to the crime.

(2) While the burden to create the software might be burdensome on a small company, the Government says it would not be unreasonable for Apple which encrypted the software in the first place.  The Government would compensate Apple and work to minimize the burden.

(3) The FBI says it cannot unlock the phone without Apple because Apple built the code to prevent any access. They claim the fact that Apple cannot access it without building something new proves Apple is necessary.

Apple can file a response on March 15 and the hearing is scheduled for March 22.

I have been watching the events at my alma mater that led to the resignation of MU System President Tim Wolfe and Chancellor R. Bowen Loftin from afar. While I had heard inklings of discontent, I had no idea it was at this point until the football team got involved.

On many levels, I am trying my best to understand all the nuance involved, but am having difficulty. I haven’t been back to campus for five years to, of course, watch a football game.

Do I believe there is racism in Columbia, Missouri? Probably. Just like there probably is anywhere else in society. As a white male, I am probably not in a position to fully understand.

From the published reports, the protesters’ complaints appear to be isolated events that were handled poorly by the school administration or without enough concern. Part of the students’ concerns centered on how their protest at the Homecoming Parade was handled which you can watch here.  Things also did not go well when Wolfe was confronted in Kansas City a few weeks later.

Another complaint centers on racist taunts by unknown passersby to the African American young man who was elected student body president and homecoming king. Painting an entire school as racist, a school that elects a gay African American student to be president and homecoming king, is unfair. You can read about the events that led to the resignations here.

Should the administration have handled it better? Obviously. Letting it get to the point where the football team threatened not to play means it wasn’t handled the right way and probably left the school with few options.

Were the protestors’ demands unreasonable? Probably. Asking the system president to write a handwritten apology to the Concerned Student 1950 demonstrators and hold a press conference reading the letter while acknowledging his “white male privilege” and admitting to “gross negligence” takes away from the otherwise legitimate concerns raised. To throw some law into the discussion, demanding racial quotas for the faculty and staff (“We demand that by the academic year 2017/2018, the University of Missouri increases the percentage of black faculty and staff campuswide to 10%”) is probably unconstitutional.

One of the students then began a public hunger strike until the demands were met. Then, the football team got involved and refused to play until the hunger strike ended.  Head coach Gary Pinkel supported his players. Was this the right move? It certainly moved the needle, but I worry about whether a handful of players and then the team, as a whole, were leveraged. It is both encouraging, and somewhat alarming, to see young men take their position of prestige as SEC college football players and use it to get involved. Will this set a precedent and where is the line? Reading Tigerboard (admittedly not a place for cool-headed, well-reasoned analysis), the fan reaction was certainly mixed.

About 24 hours after the football team’s actions became public, the president resigned, followed by the chancellor, although the chancellor’s resignation becomes effective at the end of the year and may have had more to do with issues other than the handling of the student protests. Ironically, the football team may be worse off with a new chancellor less supportive of the athletics department.

In response, Mizzou has promised to implement changes within the next 90 days which include:

  • The creation of a new position for a Chief Diversity, Inclusion and Equity Officer within the UM System which has already been filled on an interim basis
  • A review of UM System policies regarding staff and student conduct
  • Additional support for students, faculty and staff who have “experienced discrimination and disparate treatment”
  • Additional support for the hiring and retention of diverse faculty and staff
  • the creation of system-wide and campus-based diversity, inclusion and equity task forces
  • an education training program for holders of the university’s top leadership positions

Had the administration taken these steps prior to the football team’s involvement, would there have been two resignations? We may never know because we don’t know what would have happened with the hunger strike and what would the reaction have been had the administration gone 90% of the way but not conceded to all of the demands (which they could have never done). It may have gone a long way to assuage opinion of the public and maybe, more importantly, the football team.

Yes, this story does speak to better crisis communication techniques and the importance of getting in front of a controversy. The number one lesson for crisis communications is to be prepared and to have a plan. Once the controversy began, the school should have had a singular unified message.

If bombarded off campus (or even during the Homecoming Parade), the proper response would have been a polite refusal to engage at that time as it was not the appropriate time and place. There could have been a somewhat prepared “holding statement” such as “we take these issues seriously and are taking steps to ensure that every student is provided the best environment we can provide. This is not the time or place to get into the specifics, but we will be providing more details soon and invite continued discussions on the topic in the near future.” It would not have placated the protesters at the time, but it would not have added more fuel to the fire. A flagship state university is a much different animal than a private business, but the same basic tenets apply.

But, I justify this longer than usual and personal musing based on what happened next. Watch this:

As my wife gets tired of hearing, the University of Missouri is home of the best journalism school in the world. (I linked to something so it has to be true!) The student journalist handled this situation perfectly. The protestors — not so much.

Here are some basics about the First Amendment. The protesters have a right to protest in the public parts of campus. And, yes, the very same First Amendment gives the journalists the right to cover the story from public property.

For the legal wonks, the Carnahan Quadrangle is very likely a limited or designated public forum being that it is on a university campus. Content-based speech restrictions are therefore subject to strict scrutiny. The school, however, can put reasonable time, place and manner restrictions as long as the restrictions serve an important governmental interest and the restrictions are narrowly tailored to serve that important governmental interest.

No one kept the protestors from doing their thing. Instead, the protestors tried to keep the media from doing theirs – covering the protest, which ironically is normally what protestors want.  It is true that journalists have no greater rights than non-journalists when it comes to accessing public property, but when you engage in a protest on public property, you can’t claim some of the public property as your own. The journalists had a right to be anywhere on the public grounds to cover the story.

The photographer handled the situation well making the Mizzou Mafia proud. You can read some perspectives of the journalists covering the story here and here.

More troubling, however, was the conduct of some of the Mizzou faculty who, in my opinion, mistreated the journalist and should have known better. For example, near the end of the video, a Mizzou professor of mass media (with the School of Communications and not the School of Journalism) tried to grab the camera and then yelled, “Who wants to help me get this reporter out of here? I need some muscle over here.” Ironically (a repeated theme to this story), this same professor had asked for media attention a few days prior. Unfortunately, this strange treatment of journalists is detracting from the protesters’ efforts to further their true cause.

I don’t believe MU System President Tim Wolfe, or Chancellor R. Bowen Loftin, or Mizzou itself, is, in any way, racist. They could have handled the situation better and reacted quicker. Their downfall is a result of that failure. But, shouldn’t we hold the protesters, or at least the faculty that joins the protesters, to the same standard? The faculty member could have handled it better and, perhaps, there should be some repercussions on her end. The School of Journalism has already started distancing itself from the faculty member and released this statement in support of the journalists. (Here’s another perspective from a law professor at Mizzou and more from one of my former instructors at the J-School, Stacey Woelfel.)

The bad news is that it looks like two men who worked hard and wanted the best for the university lost their jobs. Another person who appeared to be a well-liked professor may lose hers, too. The whole thing is a circus.

The good news is the hunger strike is over, there may be some changes to redress the situation, and hopefully both the administration and the protesters can learn from this.

For the rest of us, life will go on and I will continue to support my alma mater from afar. After all, there is a football game to be played on Saturday.

Update: The professor in the video has apologized and resigned from her “courtesy appointment” with the J-School.

Earlier this month the Court of Justice of the European Union struck down the EU-U.S. Safe Harbor Framework which previously provided U.S. companies comfort in that they could follow the framework and know they were not violating the more strenuous E.U. personal data privacy laws. The scrapping of the Safe Harbor is a result of recent Snowden revelations about the U.S. data collection efforts in the E.U.

Created in 2000, the Framework allowed for the lawful transfer of European citizens’ personal data to the U.S.  Without it, the E.U. prohibits the transfer of personal data to non-European Union countries that do not meet the European Union “adequacy” standard for privacy protection as directed in the European Union Directive on Data Protection of 1995.   The U.S. is not on that list. For a good description of the ruling, go here.

I’m not Facebook or a cloud storage company, so why do I care?

Data transfers have not come to an immediate halt. Likewise, trans-Atlantic trade has not stopped. But, you may not realize you transfer the personal data of E.U. citizens and need to be prepared. Certainly, if you previously relied upon the safe harbor, you need to make some changes.

Do you take orders from E.U. customers?  Do you have subsidiaries in the E.U., but process the H.R. functions here? Do you host the company email here that includes email accounts of E.U. citizens?  Do you store information from E.U. citizens? You can see how easily you can become susceptible to possible data transfers of personal information of E.U. citizens.

So what do I do?

Because the ruling is so new, a lot of people are still trying to figure out what exactly this means.  Some suggested actions include:

1. Update the Privacy Policy

Many privacy policies provide that the company follows the Safe Harbor guidelines. This should be updated and the policy should go into greater detail about what “adequate protections” you use to protect data.

2. Get consent for transfers of data outside the E.U.

Under the E.U. Directive, you can legally transfer personal data with the subject’s consent.  This is based on one of the derogations to the EU Data Protection Directive. This may help with the occasional customer, but when it comes to your employees in the E.U., many of the authorities have found that you cannot get real consent from employees because of the lack of leverage for the employee to say no.

If you are dealing with consumers, you would need to document and obtain actual consent. Having a statement in a privacy policy hidden on your website is not sufficient. You must make sure the E.U. citizen actually consents through a click-wrap agreement and document their consent. It may not be enough to simply have them agree that you may transfer their data to other countries with less rigorous data protection laws; you may also have to notify them that their data may be transferred to a jurisdiction where it may be subject to disclosure pursuant to a court order or other governmental action.

3. Use one of the alternative mechanisms

The options other than Safe Harbor that were available before the ruling are still possibilities. These include the Binding Corporate Rules and Standard Contractual Clauses.

The Standard Contractual Clauses can provide an efficient short-term fix.  They can be used to transfer data within one company (the H.R. or email server issues) or between a company and a vendor. The magic involved here is in describing what and how data is collected, stored and protected in the appendices of the SCCs.

The Binding Corporate Rules may be an alternative, but it may take time to get them approved because they require approval from the data protection authorities in each country of the E.U. from where you would transfer data. This process can also be expensive to implement. Some jurisdictions are tougher than others. The U.K. is less restrictive than Germany, for example. Therefore, it may depend on in which jurisdictions you have operations.

4. Segregate E.U. Data

To the extent you store data, you can segregate it and keep from transferring the data on E.U. citizens out of the E.U. This may not be practical for most people, but if it is an option, it may be a better one than trying to navigate through this morass.

5. Stay Classy San Diego

While you can no longer rely on Safe Harbor to avoid problems, you should maintain those safeguards in place because you promised to do it. Showing that you are taking best practice precautions may save you from any harsh penalties if anyone ever complains.

The likely outcome is that E.U. and U.S. officials will create a new framework that addresses some of the concerns set out in the order to allow for transfer of data. The good news is some European officials have already stated they plan on proposing new guidelines and do not plan to aggressively enforce any data transfers in the near term that satisfied the Safe Harbor.

In the meantime, stay calm and consider the options. Watch to see if the European authorities issue guidelines you can live with. Check in here for guidelines that may be forthcoming. Individual countries may also provide their own guidelines.

No, the world is not ending, but a change will have to be made. We will monitor the situation and provide updates as available.

UPDATE: 10-15-15

This morning, I participated in a conference call with our international partners in our First Law Institute Data Protection/Retention Group.  The general consensus was that SCCs are the way to go in the interim, but they are not foolproof for all situations and entering into the agreements does not really address the policy concerns raised in the court’s ruling.

During the esoteric part of the conversation, some of the European partners conceded that other countries engage in surveillance and if you applied the policy behind the ruling, there should be no data transfers outside of the E.U. to almost any other country that engages in any form of cyber surveillance. No matter what measures a company puts in place, the ruling focused on the government surveillance rules which would trump whatever the contractual arrangements are in the SCCs.

The good news is that our European partners believe new guidelines, or a Safe Harbor 2.0, will emerge soon.

 

 

In a developing story, The New York Times is reporting that the FBI is investigating the St. Louis Cardinals for hacking into the Houston Astros’ computer networks to steal the Astros’ internal baseball operation intelligence which is apparently working.

Quick aside:  click here to see highlights of last night’s win and the emergence of some of the Astros’ young stars.

The Astros’ GM responsible for the resurgence of the team used to work for the Cardinals. The two used to compete in the National League Central before the Astros moved to the American League West (I’m still getting used to that).

According to the NYT article:

Law enforcement officials believe the hacking was executed by vengeful front-office employees for the Cardinals hoping to wreak havoc on the work of Jeff Luhnow, the Astros’ general manager who had been a successful and polarizing executive with the Cardinals until 2011.

When Luhnow left St. Louis, he helped the Astros build their “Ground Control” database which mirrored a similar effort he helped lead when with the Cardinals.  This is all part of the sabermetrics / big data craze in professional sports.  It’s the reason that at the game I attended earlier this month, it seemed like the shift was employed on defense almost half the time.

Some leaked information was already published in an embarrassing article on Deadspin which included some trade prospects and player evaluations.

The FBI claims the Cardinals used a master password list compiled by Luhnow and associates when they were with the Cardinals to guess their passwords on the Astros’ systems. The FBI was able to determine the hack had been done from a computer at a home that some Cardinals officials had lived in.

Here’s more background and detail from The Washington Post.

So what are the legal issues?

We often advise clients who have been hacked to contact law enforcement authorities. When it is on a smaller scale or not as high profile, it is hard to get them to take action.  It is almost always better if you can get law enforcement to investigate and do the heavy lifting.

On the criminal side, you are looking at fines and up to five years in prison based on the statutes discussed below.

But, you can still resort to the civil courthouse.

The Computer Fraud and Abuse Act

The CFAA (18 U.S.C. § 1030) makes it illegal to access a database without proper authority, or to exceed one’s authority, impairing the computer system or data accessed. It was passed to address hacking. Liability is premised on there being at least $5,000 in losses in any one-year period. The CFAA is primarily a criminal statute.

A plaintiff could make a civil claim under the CFAA to recover actual damages, injunctions or other equitable relief. A criminal conviction can result in fines and imprisonment. On the civil side, plaintiffs sometimes struggle to establish the required $5,000 in a statutorily-defined “loss” to pursue a CFAA claim.

The CFAA defines “loss” as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”  18 U.S.C. § 1030(e)(11).

Lost opportunities (like trades, or the value of the actual information) often do not qualify as the type of loss covered by the statute.  The loss usually results from costs of investigation and the expense to shut down the computer network.

ECPA and the SCA

The Electronic Communications Privacy Act (18 U.S.C. § 2510) and the Stored Communications Act (18 U.S.C. §§ 2701-12) are equally important sister statutes.  Generally speaking, the ECPA applies to electronic communications in transit and the SCA applies to communications stored on servers.  By gaining access to a database on the Astros’ servers, the perpetrators may be liable under the Stored Communications Act.

A plaintiff under the ECPA can recover a minimum award of $10,000 or $100 per day of violation — whichever is greater, or, actual damages, plus punitive damages, attorneys’ fees and costs.   Criminal violations can result in up to five years and fines up to $250,000 for individuals and $500,000 for organizations.

The SCA, meanwhile, which is technically part of the ECPA, makes it illegal for anyone to “intentionally access[] without authorization a facility through which an electronic communication service is provided or . . . intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”

In addition to these statutes, there could be additional claims like RICO, breaches of contracts, wire fraud, trespassing and a myriad of state law claims.

The best revenge would be to rectify this dark moment in Houston Astros history from the 2005 NLCS (although the Astros won Game 6 in St. Louis before being swept by the White Sox in their only World Series appearance).

Maybe Springer, Correa, Altuve, Tucker, McHugh and Velasquez can get their recompense out of the courtroom.

Here’s my interview on Sports Radio 610 from this afternoon’s Triple Threat Show.


It’s Spring in Texas which means one of two things – the bluebonnets are out and in odd years, our legislature is back at work.  One makes me grateful to be in Texas and the other only meets every other year.  Here are a few bills we are watching this session:

Service of Process Via Social Media – HB 241

The Legislature is making another effort on this.

The bill provides:

Sec. 17.032.  SUBSTITUTED SERVICE THROUGH SOCIAL MEDIA PRESENCE.
(a)  If substituted service of citation is authorized under the Texas Rules of Civil Procedure, the court, in accordance with the rules adopted by the supreme court under Subsection (b), may prescribe as a method of service an electronic communication sent to the defendant through a social media presence.

(b)  The supreme court shall adopt rules to provide for the substituted service of citation by an electronic communication sent to a defendant through a social media presence.

It looks like the bill stalled in committee.

Codifying a fair reporting privilege – SB 627

The Legislature continues to show its disdain for defamation suits.  This time, they are considering a bill that would codify a sometimes-recognized common law fair reporting privilege.  The privilege allows for a fair reporting of public records and allegations as long as done in good faith.  It looks like this one may become law.

The bill provides:

(b)  This section applies to:

(1)  a fair, true, and impartial account of:

(A)  a judicial proceeding, unless the court has prohibited publication of a matter because in its judgment the interests of justice demand that the matter not be published;

(B)  an official proceeding, other than a judicial proceeding, to administer the law;

(C)  an executive or legislative proceeding (including a proceeding of a legislative committee), a proceeding in or before a managing board of an educational or eleemosynary institution supported from the public revenue, of the governing body of a city or town, of a county commissioners court, and of a public school board or a report of or debate and statements made in any of those proceedings; or

(D)  the proceedings of a public meeting dealing with a public purpose, including statements and discussion at the meeting or other matters of public concern occurring at the meeting; [and]

(2)  publication of allegations made by a third party regarding matters of public concern, regardless of the truth or falsity of the allegations; and

(3)  reasonable and fair comment on or criticism of an official act of a public official or other matter of public concern published for general information.

(c)  This section does not abrogate or lessen any other defense, remedy, immunity, or privilege available under other constitutional, statutory, case, or common law or rule provisions.

(d)  This section shall be construed liberally to effectuate its purpose and intent fully.

Civil Penalties for Frivolous Patent Claims – SB 1457

This bill also looks like it might be headed for passage.  The pertinent part of the bill states:

Sec. 17.952.  BAD FAITH CLAIM OF PATENT INFRINGEMENT PROHIBITED.

(a)  A person may not send to an end user located or doing business in this state a written or electronic communication that is a bad faith claim of patent infringement.

(b)  A communication is a bad faith claim of patent infringement if the communication includes a claim that the end user or a person affiliated with the end user has infringed a patent and is liable for that infringement and:

(1)  the communication falsely states that the sender has filed a lawsuit in connection with the claim;

(2)  the claim is objectively baseless because:

(A)  the sender or a person the sender represents does not have a current right to license the patent to or enforce the patent against the end user;

(B)  the patent has been held invalid or unenforceable in a final judgment or administrative decision; or

(C)  the infringing activity alleged in the communication occurred after the patent expired; or

(3)  the communication is likely to materially mislead a reasonable end user because the communication does not contain information sufficient to inform the end user of:

(A)  the identity of the person asserting the claim;

(B)  the patent that is alleged to have been infringed; and

(C)  at least one product, service, or technology obtained by the end user that is alleged to infringe the patent or the activity of the end user that is alleged to infringe the patent.

The bill only allows for enforcement by the Attorney General and not private litigants.

We will keep an eye on these and any other bills of note.

As expected, the FCC passed the net neutrality rules today.  Other than spokesmen for the large telecoms (and perhaps some politicians who listen to that lobby), you don’t hear much reasoned opposition to net neutrality.

I have to admit that my views have been changing on the issue from a position of: (1) a solution in search of a problem; (2) to a desire to help make sure start-ups have a fair shake and access to the consumers; (3) to let the market take care of any ISPs that throttle content; (4) to what about the people who don’t have more than one option for an ISP?

Now, I feel like we are at a Hobson’s Choice.  Do we trust the Government, or do we trust Big Business?  More precisely, who do we trust not to be a jerk in the future?

  • Do you think the likes of Comcast would throttle competitors’ content or force the big content providers into fast lanes leaving all start-ups back at dial-up speed?
  • Do you think the Government can stay at this minimally invasive level of regulation, when the Internet has thrived, at least in part, because of the lack of government regulation?

Leave it to the BBC Radio to have Mark Cuban on as a guest to provide additional interesting arguments as to why the new regulations are bad–by focusing on the future?  Listen here.  In effect, Cuban asks whether we want companies to be able to manage their networks as we start to see more driverless cars and online virtual reality applications.  Will the next new thing have to ask the government for permission to run online?

The regulations, as currently written, take a soft hand approach.  But, we should be vigilant to make sure they stay that way.  You know the story of the cooked frog, right?  If you put him in boiling water, he will jump out of the pot.  You put him in cool water and gradually turn up the heat, you will end up with a cooked frog.

For a good analysis prior to today’s release, read this.

I love college basketball.  Given that my Missouri Tigers haven’t given me much to talk about, I thought we could discuss the efforts by this upset Duke fan to have her image removed from the Internet captured during the Miami – Duke game that snapped Duke’s incredible 41-home-game winning streak.  You can read about it here.

I am not a Duke basher (nor fan) and I don’t want to pile on this poor fan.  Believe me, after what Kentucky did to Mizzou last night, I felt worse.  This does, however, raise some interesting legal questions.

How do you remove images from the Internet?

 

1. Copyright

The primary way is to use the Digital Millennium Copyright Act.  If you own the copyright to the image, it is usually pretty easy to get images removed from websites operated in the U.S. and to have the search engines de-index them.  You can read more about the DMCA here.  Generally, if you take the picture, you own the copyright.  The copyright to this image belongs to ESPN and probably the ACC or NCAA.  You know that really quick copyright notice for broadcasts – any use of images is prohibited, blah, blah, blah.  Screen shots would be included.  The fan could ask ESPN to get these images removed.  ESPN may be a little busy, however, because I think Tom Brady may have sneezed.

2.  Invasion of Privacy

There is little expectation of privacy in the stands of a nationally televised sporting event.  Do a search for certain NSFW conduct at sporting events to see how people forget this sometimes.  Also, look at the back of your ticket next time you head to a game.  There is a lot of fine print about the lack of privacy you may experience.  Nevertheless, let’s go through the common law claims of intrusion upon seclusion, publicity to private facts, appropriation of likeness and false light.

Intrusion upon seclusion.  The elements of the claim are: (1) intentional intrusion; (2) upon private affairs of another; (3) that is highly offensive to another.  Being upset at a basketball game is not a private affair.  Most states follow the stand in doctrine which provides that if the media stands where the general public could observe the events, then there is no intrusion.

Publicity to private facts.  To prevail on a claim, the information must not be a matter of legitimate public concern and its publication must be highly offensive to a reasonable person.  I am not suggesting comments to a blog are true indications of what is offensive, but a quick view of them reveals that using that screenshot is not highly offensive to most.

Commercial appropriation of likeness.  This requires the (1) appropriation of one’s name or likeness; (2) for a commercial purpose.  Although ads are sold on blogs, the use of the name is not for a commercial purpose.  This cause of action usually applies to celebrities when a store tweets about them without permission or makes video games about them.  If a UNC fan used this picture to start selling t-shirts, then she may have a claim, but not for the use of the image on Twitter or blogs.

Portrayal in false light.  It requires: (1) publishing information that creates a false impression; (2) thereby casting the person in a false light; (3) creating emotional (as opposed to commercial) harm; and (4) the act is highly offensive.  I suspect there is nothing false about this fan’s feelings.  Like I said, no one saw me in my living room with a look of disgust last night, but there is no false impression about how she is feeling and why she is upset.

3.  Approach the websites

According to the article, the first image appeared on Twitter.  Under the Twitter Rules, posters are not supposed to abuse others, infringe on the rights of others or violate copyrights.  If you ask nicely and point out how posts violate a site’s terms, sometimes the websites will take it down although they may not legally have to.  In fact, in the terms of service, Twitter says it may not monitor the tweets and:

You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive.

In addition to being at the mercy of Twitter’s whims that day, the problem is now that the image is on many other sites as well.

The Streisand Effect

We have talked about the Streisand Effect before.  It’s the name given to the phenomenon resulting from increased attention to online posts, stories, websites, etc. only after someone complains about them or raises a legal issue about them.  Had the fan not asked to remove the image, I would not have read about it and would not be blogging about it. Sometimes, the wiser move is to let it go (no, I will not sing it).  It’s a bad business development strategy on my part, but is often the best advice I have ever given.

On the bright side, at least the fan was not wrongfully accused of being caught cheating on her boyfriend at the Ohio State v. Alabama game.

http://www.youtube.com/watch?v=-2QQj1n57ok