By Robert Milligan, Jessica Mendelson, and Joshua Salinas

On September 27, 2012, California Governor Jerry Brown signed two bills, AB 1844 and SB 1349, into law, making California the third state in the country – Maryland and Illinois are the others – to regulate employers’ ability to demand access to employees’ or prospective hires’ personal social media accounts. Appropriately enough, Governor Brown made the announcement via five major social media networks: Twitter, Facebook, Google+, LinkedIn and MySpace. Brown tweeted, “California pioneered the social media revolution. These laws protect Californians from unwarranted invasions of their social media accounts.”

California Assembly Bill 1844

California Assembly Bill 1844 (“AB 1844”) “prohibit[s] an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.” In other words, an employer may neither request nor require an employee or an applicant to divulge his or her personal social media account information.

This law, however, allows for employers to request the employee divulge social media “reasonably believed to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations, provided that the social media is used solely for purposes of that investigation or a related proceeding.” Furthermore, this law prohibits employers from threatening or taking retaliatory measures against employees that fail to comply with employer requests or demands that violate the statute.

This law “does not prohibit an employer from terminating or otherwise taking an adverse action against an employee or applicant if otherwise permitted by law.” Finally, unlike many other labor and employment laws, “the Labor Commissioner. . . is not required to investigate or determine any violation of this act.”

Senate Bill 1349

Senate Bill 1349 (“SB 1394”) prohibits public and private postsecondary educational institutions, and their employees and representatives, from requiring students or prospective students to disclose their personal user names or passwords, or to divulge personal social media information.

SB 1394 requires private nonprofit or for-profit postsecondary educational institutions to post its social media privacy policy on the institution’s Internet website.

Both AB 1844 and SB 1394 define the term “social media” broadly to include “electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, email, online services or accounts, or Internet Web site profiles or locations.”

Perspectives on the Bills

Proponents of these social media laws believe the laws will benefit the business community by providing California businesses with a shield from legal liability against plaintiffs who allege that these businesses have a legal duty to monitor their employee’s social media accounts. Additionally, they argue that this legislation could potentially save businesses millions of dollars by reducing costs related to monitoring social media accounts and cyber liability insurance premiums. Recently, both the California Chamber of Commerce and organized labor have expressed their support for the law.

Opponents of the bill argue that it will hurt employers by limiting their ability to regulate the workplace and investigate misconduct. Others believe the bill may make it more difficult for companies to identify workplace harassment. Members of the financial industry, including FINRA, argued that while the bill may have been well intended, it conflicts with the duty of security firms to record, supervise, and maintain business-related communications.

Some legal commentators have also expressed their concern that the definition of “social media” is far too broad because it governs effectively all digital content and activity. In fact, Illinois excludes “e-mail” from the definition of social media in its version of the statute.

What These Laws Mean For Employers

Businesses in California should take steps to comply with these new laws which will go in effect on January 1, 2013. Employers should make sure that interviewers or other persons involved in the hiring process do not request personal user names or passwords from applicants. Additionally, employers will need to be careful with company social media accounts. While the laws only apply to personal accounts, the lack of definition of the phrase “personal” is problematic, particularly since it is not always clear who owns company social media accounts. We have previously blogged on cases concerning the ownership of “social media assets” on Twitter, Facebook, and MySpace. Some experts recommend that companies utilize ownership agreements governing the social media accounts and content created by employees on behalf of the company and that they always have the account name and password for the company social media account (certainly prior to the employee’s termination). It may be helpful for employers to create clear policies on this issue to prevent future disputes.

Finally, employers should understand that the law does not constitute a complete ban on employers’ access to their employees’ social media sites. Employers are still permitted to require employees to divulge social media passwords when the information is used solely to investigate allegations of employee misconduct or employee violation of applicable laws and regulations. Similarly, employer-issued electronic devices do not fall under the umbrella of AB 1844; the bill specifically states that it shall not be construed to preclude an employer from requiring an employee to disclose passwords or usernames for such devices. Notwithstanding, an employer cannot ask for access to the “personal social media” that may be contained on the employer-issued electronic device.

There may also be additional issues for employers that employ BYOD (bring your own device) policies, where the employee uses their own personal device to access company email, applications, or other data. While the employer may not technically own the device, it still has an interest in its data and information that reside on the device. The broad definition of social media and lack of definition of “personal” in the new law may lead to some unintended consequences for employers.

By Misty Blair

In August, we waved farewell to the Cybersecurity Act of 2012 (S.3414). Or, so we thought. The bill, which followed a tortured path of at least four major iterations since the introduction of its predecessor in 2010, finally hit the brick wall of Senate gridlock when a cloture vote failed to end debate. While this failure effectively killed the bill, proponents are moving forward with alternative methods to implement some of its measures, including entreaties from legislators for voluntary compliance with cybersecurity schemes, and an executive order currently being drafted by the Administration.

On a broad level, the Act was intended to create a mechanism for protecting “critical infrastructure,” loosely defined as entities for which damage or unauthorized accessed could result in “the interruption of life-sustaining services,” “catastrophic economic damage,” or “severe degradation of national security.” The Act would have created a new agency to direct an inventory of the most at-risk sectors, as well as identification of the categories and owners of critical infrastructure within each such sector.

Perhaps the most controversial portion of the Act would have authorized private entities to monitor their systems and share information with the government regarding perceived cyber threats. The Act also would have provided private entities with certain liability protections, including (1) immunity from suit arising in connection with the companies’ monitoring and information-sharing activities, and (2) protection from punitive damage claims arising out of cyber attacks occurring while an entity conformed to government-approved standards.

The Act attracted opposition from the left and the right. Some raised privacy concerns based on the information sharing provisions, while others worried that government-imposed standards would unnecessarily burden businesses. Last-minute amendments designed to alleviate or remove some of these concerns did not save the bill, despite garnering the approval of some watchdog groups.

The Administration apparently is no longer waiting on Congress. Homeland Security Secretary Janet Napolitano recently confirmed that a draft executive order is nearing completion. The draft is reported to contain many provisions similar to those in the Act, including the creation of a program through which companies operating key infrastructure could elect to meet government-developed standards. However, unlike the Act, an executive order would not be able to offer these companies protections from legal actions.

Congressional members are not sitting idle, either. Last week, Senator Jay Rockefeller, Chairman of the Senate Committee on Science, Technology and Transportation, took the unusual step of writing directly to the CEO’s of the nation’s 500 largest corporations. He told them that he “would like to hear more… about their views on cybersecurity, without the filter of Beltway lobbyists,” and he asked that they each answer a survey regarding their company’s cybersecurity practices and concerns (if any) with the Act’s proposed voluntary information-sharing programs.

Meanwhile, the need for some form of escalation in cybersecurity efforts is clearer than ever, as just last week sources confirmed that several major banks have been hit by some of the largest cyber attacks in history. For now, we must wait and see which avenue — legislation, executive order, senatorial supplications, or a combination — will bring this much-needed action.

If you’re an employer in an industry where non-compete agreements are common, perhaps you’ve been faced with the following scenario: You offer a sales position to a candidate who tells you she doesn’t think she has a non-compete with her employer, which is a competitor of yours. Once she’s onboard at your company, she begins soliciting her former employer’s clients. Within a matter of days, both you and your new hire get a cease and desist letter from your new hire’s former employer. The letter encloses a non-compete agreement that your new hire, in fact, signed with the former employer several years ago. The agreement prohibits, for one year after her termination, the very activity you hired her to perform.

What are your options at this point? Assuming the restrictions are enforceable, you could keep your new hire in the same role and expect that she (and maybe you) will be sued; you could staff your new hire in a non-competing position you had not anticipated for the next year; or you could terminate her. No matter what decision you make, the new hire probably just became much less useful to your organization and much more costly. What could you have done differently? Here are some pointers for any employer to avoid this same type of pitfall in a competitive hire situation:

Ask, ask and ask again. If non-competes are common in your industry, ask your job candidates more than once if they might have signed one. Oftentimes candidates forget that they signed non-competes. This is especially the case if a candidate has worked for her employer for several years and signed the agreement when she was hired initially. Also remind your candidate that non-competes are often tied to stock rewards or other bonuses, even if they aren’t present in an employment agreement.

Other times, your candidate knows that she signed an agreement with a non-compete clause. Yet, she does not have a copy of the agreement and does not want to ask her HR department for a copy because it will be a red flag that she is considering a new job. In that case, ask the candidate if she can find an unsigned copy of the agreement that likely contains the same or similar restrictions. Review it and consider the potential impact any enforceable provisions might have on your hiring and staffing decisions.

Job candidates often mistakenly think that the only agreements they are bound to are agreements with their most recent employer. Remind them that they need to provide you with all agreements that might still be in effect. For example, if they have only worked for their current employer for six months, chances are that they might have an agreement with the previous employer that is also in play.

Give Your Job Candidate Fair Warning. If your candidate tells you she doesn’t have an agreement with her employer, advise her that any offer you give her could be rescinded should a non-compete agreement surface in the future. If your candidate cannot get a signed copy of her agreement until she gives her employer notice, inform her that her offer will become “firm” only after you determine that there are no additional (or more significant) hurdles to hiring her.

Put it in Writing. Once she’s onboard, have your new employee sign an acknowledgement letter or an employment agreement informing her that your company has no interest in acquiring a ny proprietary information belonging to her former employer. Further advise that you expect her to abide by any lawful agreement she may have entered into with her former employer and it is her responsibility to make sure she complies with any ongoing obligations to the former employer. Finally, consider a provision that warns the new hire that you will not necessarily defend or indemnify her should any action be brought against her by her former employer for violation of a restrictive covenant agreement.

Employers looking to hire talented employees in a competitive landscape are often frustrated by the non-competes their job candidates are bound by. Yet, it’s best to know what those limitations are ahead of time so you can make fully informed decisions that protect your company. If you proceed otherwise, you will likely find that ignorance isn’t always bliss.

By Robert Milligan and Grace Chuchla

In a recent order, a federal court in the Northern District of California weighed in on the validity a forum selection clause contained in an employment agreement in connection with a California employee’s declaratory relief action to invalidate his non-compete provision with his former employer. The court found for the Pennsylvania-based employer and both denied the employee’s motion to remand the case to California state court and granted the employer’s motion to dismiss for improper venue. In doing so, the court rejected the employee’s argument that the effect of enforcing the forum selection clause would permit a Pennsylvania court to enforce the non-compete provision against him and thus “deprive [Plaintiff] of the protection of his own jurisdication’s laws and remedies.” 

Background

On March 5, 2012, plaintiff Philip C. Hartstein, a resident of San Mateo, CA, resigned from defendant company Rembrandt IP Solutions, a Delaware limited liability company headquartered in Pennsylvania. Rembrandt identifies and develops business opportunities for a related company, which is engaged in the management of funds focused on investing in intellectual property and related opportunities across a broad spectrum of industries, technologies, and business methods, including generating revenues from patents. That same day, Hartstein filed suit in San Mateo County Superior Court, requesting declaratory relief and an injunction to invalidate the non-compete covenant of his employment agreement. Within Hartstein’s employment agreement, there was also a forum selection clause, which stated that Hartstein must “submit to the exclusive jurisdiction of the state courts located in Montgomery County, Pennsylvania and to the Federal Courts located in Philadelphia, Pennsylvania as to all actions and proceedings relating in any way to this Agreement and/or [Plaintiff’s] relationship with [Defendant].”

After leaving Rembrandt, Hartstein began employment as the Vice President and Portfolio Manager of IPNav, a direct competitor of Rembrandt’s. His new position at IPNav was similar to his old position, as both IPNav and Rembrandt compete for many of the same patent portfolios and investment opportunities.

Following Hartstein’s complaint, on May 4, 2012 Rembrandt removed the action to federal court on diversity grounds, asserting that Hartstein earned well over $75,000 and that the value of their trade secrets known to Hartstein was also well over $75,000. Additionally, on May 11, 2012, Rembrandt filed a motion to dismiss for improper venue. Hartstein then responded with a motion to remand based on the fact that Rembrandt had failed to establish that the amount in controversy exceeded $75,000.

Plaintiff’s Motion to Remand

Looking first to Hartstein’s motion to remand, the court found, for numerous reasons, that Rembrandt had met its burden in proving that the amount in controversy exceeds $75,000. It began by rejecting Hartstein’s argument that his worth to Rembrandt was too speculative to be properly considered when determining the amount in controversy. Based on Hartstein’s “central and high level role,” the court found it “more than likely” that Hartstein generated work worth more than $75,000 to Rembrandt. Additionally, putting future profits to the side, the court reasoned that Hartstein’s salary while at Rembrandt is “a simple and straightforward way to value the object of this litigation,” as this figure represents the value of the non-compete to the employee. Given that Hartstein’s salary was well in excess of $75,000, such reasoning drove yet another nail in the coffin of his motion to remand. Finally, Hartstein argued that the value of the non-compete to Rembrandt was zero because he had not misappropriated and did not intend to misappropriate any of Rembrandt’s trade secrets. Again, the court rejected this argument, finding that “the possibility that [Hartstein] will share Defendant’s trade secrets and confidential information…is very real.” Resting on this lengthy list of reasons, the court denied Hartstein’s motion to remand.

Motion to Dismiss for Improper Venue

After rejecting the motion to remand, the court moved on to Rembrandt’s motion to dismiss based on the forum selection clause of Hartstein’s employment agreement. It began its discussion of this motion by recognizing that, while the Supreme Court held forum selection clauses to be presumptively valid in M/S Bremen v. Zapata Off-Shore Co., 407 US 1, 92 S.Ct. 1907, 32 L.Ed.2d 513 (1972), the court also stated that such clauses are unenforceable if enforcement would “contravene a strong public policy of the forum in which suit is brought” Id. at 15. Hartstein’s opposition proceeded exactly along these lines; he claimed that enforcing the forum selection clause would “deprive [him] of the protection of his own jurisdiction’s laws and remedies” and result in a sure-fire win for Rembrandt in Pennsylvania to enforce the non-compete provision.

The court found Hartstein’s argument unpersuasive on the grounds that it did not “challenge the reasonableness of the forum selection clause itself, only the reasonableness of its effect.” Citing to Manchester v. Arista Records, Inc., 1981 US Dist. Lexis 18642 (C.D.Cal Sept. 15, 1981), the court stated that finding in Hartstein’s favor would force it to “make a determination of the potential outcome of the litigation” and lead to “speculation on the merits at the outset of the action.” In short, it did not matter to the court whether the ultimate effect of enforcing the forum selection clause may result in the enforcement of the non-compete provision which “was purportedly contrary to California law”; for the purpose of deciding the reasonableness of the forum selection clause, all that mattered was that, given the facts at hand, forum selection itself was not contrary to California law.

Takeaways

For some employers, particularly out-of-state employers, looking to work around California’s hostility toward non-competes, this decision suggests that forum selection clauses may provide a solution. Building on some previous California federal court decisions, the court makes it amply clear that it will not look beyond the text of a forum selection clause when determining its reasonableness.

However, that is not to say that all forum selection clauses are enforceable in California. For instance, as the court points out here, those that attempt to dictate the forum for suits arising out of franchise agreements are contrary to section 20040.5 of the California Business and Professions Code and therefore unenforceable (See Jones v. GNC Franchising, Inc., 211 F.3d 495). Additionally, some other California state and federal courts have been hostile to enforcing forum selection clauses when the impact would violate a strong California public policy such as California’s prohibition on non-compete provisions in the employment context. Certainly, a California state court may not follow this court’s reasoning particularly since the court relied upon federal law in analyzing the effect and scope of the forum selection clause. Thus, the court’s denial of the motion to remand could have been outcome determinative as a California state court could have ruled differently concerning the enforcement of the forum selection clause.

Finally, this order lays out four factors to keep in mind when trying to determine the amount in controversy in a declaratory relief action seeking to invalidate a restrictive covenant: 1) the employee’s role and responsibilities within the company; 2) the profits earned by the employer on business generated by the employee during the period immediately before his termination; 3) the value of the non-compete to the employee (that is, how much money would the non-compete preclude the employee from earning); and 4) the value of the company’s trade secrets and confidential information known to the employee. Such a list is helpful to keep in mind when arguing for or against remand or removal.

We will continue to keep you apprised of the current developments in this evolving area.

California Governor Jerry Brown announced on Twitter, Facebook, Google+, LinkedIn and MySpace today that he has signed two bills (Senate Bill 1349 and Assembly Bill 1844) prohibiting public and private postsecondary schools and California employers from requiring applicants and employees to provide their social media account passwords.

“California pioneered the social media revolution. These laws protect Californians from unwarranted invasions of their social media accounts,” Brown tweeted.

Senate Bill 1349 prohibits public and private postsecondary schools from requesting social media passwords from students.

Assembly Bill 1844  prohibits employers from requiring or requesting an employee or applicant for a job from disclosing a user name or password for the purpose of accessing personal social media.

The Securities Industry and Financial Markets Association and FINRA previously spoke out  against Assembly Bill 1844.

We will provide a management alert outling the requirements of the new law.

By Jessica Mendelson and Grace Chuchla

On September 12, 2012, California Assembly Bill 1844 was enrolled and presented to Governor Brown. This bill is the counterpart to the Social Media Privacy Act (SB 1349), which was approved by the California State Senate in August 2012. AB 1844 is the work of Assemblywoman Nora Campos (D-San Jose), and seeks to prohibit employers from requiring employees to divulge their social media passwords during either the course of their employment or the hiring process. If Governor Brown signs AB 1844 into law, this would make California only the third state in the nation, after Maryland and Illinois, to limit an employer’s ability to request an employee’s social media passwords. We previously wrote about the new social media laws in Maryland and Illinois.

Assemblywoman Campos first proposed AB 1844 in February 2012. After many rounds of revision in both the Assembly and the Senate, the Assembly voted unanimously to accept the Senate’s revisions to the bill and pass it to Governor Brown. Notably, this bill has a nearly perfect unanimous record; aside from one reading in the Senate where the vote was 29-5 in favor, it has passed with zero “nay” votes at every other reading. Governor Brown has until September 30 to either sign or veto the bill.

The core of AB 1844 “prohibit[s] an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media.” In other words, an employer may neither request nor require an employee or an applicant to divulge his or her social media passwords. However, employers are still permitted to require employees to divulge social media passwords when the information is used solely to investigate allegations of employee misconduct. Similarly, employer-issued electronic devices do not fall under the umbrella of AB 1844; the bill specifically states that it shall not be construed to preclude an employer from requiring an employee to disclose passwords or usernames for such devices.

The reaction to this bill has been strong and varied among the business and legal community. Some people believe the legislation will benefit the business community. Bradley Shear, a leading social media attorney in Washington D.C.  was quoted in a Wall Street Journal legal blog,  as saying that this bill is “a huge win for the business community because it may provide California businesses with a legal liability shield from plaintiffs who may allege that businesses have a legal duty to monitor their employees’ personal password protected digital content.” According to the article, Mr. Shear believes this legislation could potentially save businesses millions of dollars by reducing costs related to monitoring social media accounts and cyber liability insurance premiums. Recently, both the California Chamber of Commerce and organized labor have made statements in support of the bill.

Others, however, take a different perspective. Margaret DiBianca, a Delaware attorney specializing in employment law, wrote on a Lexis Nexis blog that the new law will not benefit employers, and in fact, may hurt them. According to Ms. DiBianca, the law “limits an employer’s ability to regulate its workplace, investigate wrongdoing, and, in some instances, to protect employees.” She also wrote that “there has never been a successful lawsuit based on an employer’s failure to monitor [its] employees’ personal password protected digital content.” California State Senator Ted Gaines was quoted in the Huffington Post as saying that the bill may make it more difficult for companies to identify workplace harassment. Although Gaines is concerned with “protecting people’s privacy” he fears the bill will not allow employers to “address early harassment issues.”

A number of business organizations and companies have come out against the bill in recent days. The Securities Industry and Financial Markets Association (“SIFMA”) recently asked Governor Jerry Brown to veto this legislation. According to a recent BNA social media blog post, SIFMA recently wrote to Governor Brown, saying that while the bill may have been well-intended, it “conflicts with the duty of security firms to supervise, record, and maintain business-related communications.”  The Financial Industry Regulatory Authority (“FINRA”) also opposes the bill. In a letter to Governor Brown , FINRA suggested California should exempt financial institutions, noting that other states, including Maryland, had discussed this type of exemption in similar bills.

We will continue to keep you apprised of future developments related to this legislation and other social media legislation across the nation.

 

MPI, a Texas company, went to Kentucky and allegedly attempted to hire two Luvata employees, Foster and Meredith. Foster joined MPI soon thereafter. Over the course of the next few months while Meredith remained a Luvata employee, he and Foster allegedly spoke by phone repeatedly. In addition, prior to leaving Luvata for MPI, Meredith allegedly copied his employer’s computer files that described a trade secret manufacturing process, identified its customers, and contained its financial information. Once Meredith became an MPI employee, it allegedly replicated Luvata’s confidential manufacturing process and began competing with Luvata which then sued MPI, Foster and Meredith in a Kentucky federal court.

MPI’s motion to dismiss for lack of personal jurisdiction, on the ground that the Kentucky long-arm statute does not permit the exercise of jurisdiction over MPI and a related defendant company, was granted. The ex-employees’ Rule 12(b)(6) motion to dismiss the misappropriation claim against them was denied. Luvata Electrofin, Inc. v. Metal Processing Int’l, L.P., Case No. 11-CV-00398 (W.D. Ky., Sept. 10, 2012).

Luvata is in the business of electrocoating (“e-coating”) coils used in the heat transfer industry. Luvata maintained that its e-coating process is unique, is a trade secret, and cannot be reverse engineered. Foster was allegedly the company’s production supervisor, and Meredith was “intimately involved in running the” e-coating process. All Luvata employees signed non-disclosure agreements (but there was no non-compete provision).

At an e-coating conference held in Kentucky, MPI endeavored to hire both Foster and Meredith. After both initially declined, Foster left Luvata and went to work for MPI. Over the course of the next few months, he allegedly spoke to Meredith by phone more than 30 times, and at least twice Meredith reviewed Foster’s computer files at Luvata which contained trade secrets. In addition, Meredith allegedly copied onto his own CD and thumb drives files from his and Foster’s computers. On his last day at Luvata before joining MPI, Meredith allegedly used a program that “cleaned ‘unnecessary files’” from his and Foster’s computers. Foster allegedly told Luvata’s general manager that MPI was building an e-coating line, based on information Foster learned at Luvata, and that MPI soon would be competing with Luvata. MPI allegedly proceeded to reproduce Luvata’s secret e-coating process and began soliciting Luvata’s customers, and Luvata sued.

MPI’s motion to dismiss Luvata’s complaint for lack of personal jurisdiction was granted because, according to the court, MPI did not engage in acts in Kentucky that bore a “reasonable and direct nexus” to Luvata’s allegations of misappropriation of trade secrets. The court conceded the possibility “that something fishy was occurring” between MPI and Meredith but added that was only conjecture since Meredith may have been acting unilaterally to increase his value to his new employer. However, the court found sufficient to state a cause of action Luvata’s claim that Foster and Meredith violated their non-disclosure agreement with Luvata by disclosing its trade secrets to MPI. Luvata’s breach of fiduciary duty claim against its two ex-employees was dismissed as preempted by the Kentucky Uniform Trade Secrets Act.

Under the circumstances of this case, and particularly in light of the court’s decision denying the ex-employees’ Rule 12(b)(6) motion, the order dismissing Luvata’s lawsuit against MPI could be described as harsh, especially without giving Luvata an opportunity to take discovery. The suggestion that Meredith might have been acting on his own seems far-fetched but possible. Moreover, it is surprising that Luvata’s allegations held to be conjectural in connection with granting MPI’s motion to dismiss were found “to plausibly give rise to an entitlement to relief” as against the individuals. Of course, Luvata might have had an airtight action against them if they had signed non-competition agreements. Please see our recent post regarding a  Kentucky appellate case containing an overview regarding enforcing non-competes in Kentucky.

By Joshua Salinas and Jessica Mendelson

A federal district court for the Northern District of California recently held in a “competitor click fraud” case that a mere assertion of a violation of the Computer Fraud and Abuse Act claim without sufficient factual details regarding any inside or outside “hacking” is insufficient to establish subject matter jurisdiction over the action. (Incorp Services Inc. v. IncSmart.Biz Inc., No. 11-CV-4660-EJD-PSG, 2012 WL 3685994 (N.D. Cal. Aug. 24, 2012) The case also presented a novel personal jurisdiction issue involving alleged online false advertising where neither the defendants nor the plaintiff resided in California. The court found that personal jurisdiction existed because the defendant company’s website deliberately targeted California consumers and continuously exploited the California marketplace.

Background

Incorp Services Inc. (“Incorp”) is a Nevada-based corporation that provides a variety of company formation and registration services, including registered agent services across the country. Incorp expended resources to advertise its services on Microsoft, Google, and Yahoo! search engines. These search engines use a “pay-per-click” model that charges advertisers each time a user clicks on the advertiser’s ad and subsequently deducts those charges from the advertiser’s ad budget. The search engine stops providing advertising space when the advertiser’s advertising budget is depleted.

A rampant problem with this pay-per-click advertising model is “competitor click fraud,” a fraudulent scheme where companies – who are also advertising on the same websites as their competitors – repeatedly click on their competitors ads to drain their competitor’s advertising budget. As a result, companies can potentially “clean” the Internet of their rivals’ advertisements by exhausting their rivals’ advertising budgets.

Incorp filed a lawsuit in the Northern District of California last year under the Computer Fraud and Abuse Act (“CFAA”) alleging that it was the victim of this aforementioned fraud. Incorp alleged that a group of unknown Doe Defendants engaged in a campaign of repeatedly clicking on Incorp’s online ads, with no actual interest in learning about Incorp or purchasing Incorps’ services. Incorp alleged that the Defendants conducted this campaign in bad faith with the intent of deleting Incorp’s advertising budget to obtain a more prominent position in search engine results and consequently drive more potential customers to Defendants’ website.

Incorp later identified the IP addresses associated with the alleged click fraud and amended its complaint to add IncSmart.Biz, Inc. (“IncSmart”) as a defendant and to include claims against IncSmart for, inter alia, false advertising under the Lanham Act. Incorp alleged that IncSmart falsely advertised that IncSmart provides registered agent services for states where IncSmart does not have the necessary qualifications or did not obtain the necessary certifications to conduct business.

Incorp also amended its complaint to add officers of IncSmart as defendants, as well as one of the officer’s elderly mother. All of these individual defendants were residents of Nevada and had no meaningful personal ties to the State of California. Neither individual defendant owned or leased any real or personal property in California, nor had they ever owned or been required to pay taxes in California.

Accordingly, IncSmart and the individual defendants filed motions to dismiss the amended complaint for lack of personal jurisdiction and improper venue, or alternatively, a transfer of venue. Specifically, they contended that Nevada was the appropriate forum and not California.

As a preliminary matter and before reaching the personal jurisdiction issue, the court decided to first analyze the existence of subject matter jurisdiction for the CFAA claim.

Subject Matter Jurisdiction

The court noted that it may dismiss an action for lack of subject matter jurisdiction where the court lacks a statutory or constitutional basis for deciding the case. In this case, Incorp pled the following:

“In clicking on Incorp’s online ads without having an actual interest in Incorp’s website or services, Defendants exceed their authorized access to the Search Engines’ protected computers….” (emphasis added).

Relying on United States v. Nosal, 661 F.3d 1180 (9th Cir. 2011), which has been previously discussed in greater detail in this blog, the court found that Incorp’s CFAA claim required a showing of additional facts to establish subject matter jurisdiction.

“The Court observes that there are no direct or clear allegations of ‘hacking’ in this passage-being, broadly, ‘the circumvention of technological access barriers,’ not violation of use restrictions.”

In other words, the court held that clicking online ads “without having an actual interest” does not constitute “exceeds authorized access” under the CFAA. The court also held that if Incorp was contending that Incorp’s online activity violated any terms of use policies, it was insufficient to state a claim under the CFAA in light of the Nosal decision that violations of “use restrictions” are not violations under the CFAA. As such, the court granted Incorp leave to amend with respect to the CFAA claim so that Incorp could clarify and reallege how IncSmart’s conduct violated the CFAA.

Personal Jurisdiction

The court then addressed personal jurisdiction. Under the Fourteenth Amendment’s Due Process clause, the court may exercise personal jurisdiction over a defendant who has “certain minimum contacts with the forum, such that maintenance of the suit does not offend traditional notions of fair play and substantial justice.” Incorp did not contend that the court has general jurisdiction, and therefore, the court addressed specific jurisdiction.

The traditional test for establishing specific jurisdiction involves a three-prong test:

  1. The non-resident defendant must have sufficient minimum contacts, i.e., “purposefully direct his activities” toward the forum state or purposefully avail himself of “the privilege of conducting activities in the forum.” A split has arisen between the circuits concerning analysis under this prong when the minimum contacts are online – the Calder effects test, the Zippo sliding scale test, and the totality-of-circumstances test. The Ninth Circuit has followed the Calder effects test, which requires that the defendant allegedly must have (i) committed an intentional act, (ii) expressly aimed at the forum state, (iii) causing harm that the defendant knows is likely to be suffered in the forum state. Applying this analysis, the court in this case found that IncSmart allegedly used a highly interactive website to offer California specific services to California residents. The court found that this suggested a deliberate intent to access and sell to California consumers, and that IncSmart “continuously and deliberately exploited” the California marketplace with its website. The court held that IncSmart could reasonably expect to be subject to litigation in California.
  2. The claim must arise out of the defendant’s forum-related activities. Here, the court found that the claim arose from IncSmart’s activities via its website, which specifically targeted California consumers.
  3. The exercise of jurisdiction must be reasonable. Finally, the court found that IncSmart failed to present a compelling case that rendering jurisdiction would be unreasonable, and that requiring the case to be refiled in an alternate forum would merely delay the resolution of the case. As a result, the court denied the motion for lack of jurisdiction over the corporation and some of its officers. The court granted the motion with leave to amend, however, with respect to one of the officer’s elderly mother because she was not connected to IncSmart’s website and there was no evidence of any personal jurisdiction.

Improper Venue/Transfer of Venue

Regarding venue, the court concluded that the Defendants failed to establish the necessary burden required to transfer the case to Nevada. In particular, the court noted that Incorp’s choice of forum should be overturned sparingly, and the Defendants failed to show an inconvenience regarding the location of witness and/or documentary evidence. Thus, no transfer of venue was needed.

Takeaways:

(1) Are click fraud claims viable under the CFAA after Nosal?

Some commentators anticipated that the CFAA may represent the future in effective click fraud deterrence. This would become increasingly valuable as more advertising dollars are moving from traditional print and television to online advertising. In fact, Microsoft was the first to bring civil action for click fraud under the provisions of the CFAA a few years ago. (Microsoft Corp. v. Lam, No. C09-0815(W.D. Wash. filed June 15, 2009).  Microsoft contended that the fraudulent clicks at issue violated its terms and conditions, and, thus exceeded authorized access by violating these use restrictions. Unfortunately, no substantive rulings came out of the case as the parties reached a settlement prior to any motion practice.

This case seems to suggest that click fraud claims based on violations of terms of use policies may not be viable under the CFAA after Nosal. The court in this case allowed Incorp to amend its CFAA claim, but it remains unclear how click fraud can constitute activity “without authorization” or “exceeding authorized access” under the statute. One positive note for click fraud victims is that the court’s reliance on Nosal may limit its holding to jurisdictions that follow the Ninth Circuit’s narrow interpretation of the CFAA regarding violations of use restrictions or terms of use policies.

(2) Highly interactive websites that deliberately target a forum state may establish personal jurisdiction

Moreover, this case reaffirms the use of the Calder effects test within the Ninth Circuit for analyzing minimum contacts online. As companies continue to expand and increase their presence and business activities online, it is important to recognize that certain online activities may establish personal jurisdiction that may not otherwise exist. As demonstrated in this case, district courts within the Ninth Circuit when analyzing personal jurisdiction will look into the interactivity of a party’s website and/or how the party’s online activities deliberately target a specific forum. Thus, even if a party is not “physically present” in a particular forum, the party’s may not be able to use the Internet as a digital shield to hide from the court’s jurisdiction.

 

On September 14, 2012, the State Bar of California Intellectual Property Section presented its 2012 IP and the Internet Conference. The conference featured high level experts from companies such as Twitter, Yahoo!, Warner Bros. Entertainment, Salseforce.com, True Religion Brand Jeans, and Autodesk, who covered emerging issues and hot topics in intellectual property and Internet law. Below are a few highlights from yesterday’s speakers:

1. Hot Topics in Internet Law

Santa Clara University Professor Eric Goldman was the first speaker and addressed the hottest issues and latest cases in Internet law. Eric discussed the recent keyword advertising lawsuits against Google (Jurin, Rosetta Stone, Cyber Sitter, and Home Decor), and noted that issues regarding these innocuous advertising practices should have died years ago. Eric also highlighted the remarkable decision in the recent anti-counterfeiting case Tre Milano v. Amazon, which found that “Amazon could ignore Tre Milano’s unverified takedown notices because Amazon is a ‘transactional intermediary,’ not the actual seller of counterfeit goods.” Finally, Eric discussed failed SOPA legislation and how the online anti-piracy battlegrounds have shifted towards DOJ criminal prosecutions (i.e. Megaupload), ICE domain name seizures (i.e. Dajaz1 and Rojadirecta), International trade agreements (i.e. ACTA and TPP), and ex parte TRO’s against non-litigants. Professor Goldman has an excellent blog which it closely followed in the IP community.

2. Privacy Design Basics

Lara Kehoe Hoffman, Security Counsel of Autodesk, discussed the “Privacy by Design” concept, which embeds ways to address privacy and data protection concerns into the design of technology itself. Lara recommends using high-level principles as a baseline for developing “privacy principles” and stressed two keys: (1) adopting principles articulated in a way that makes sense to employees and (2) implementing Privacy by Design in a practical way (e.g. reasonable procedures). As a practical note, Lara emphasized the importance of making sure leadership is on board with this conceptual approach.

3. Dealing with Data Breaches

Nicholas Cramer, Director of Data Breach Response for AllClear ID, and William L. Stern from Morrison & Foerster, explained how companies can prepare for and deal with data breaches. Nicholas and William noted that the government, military, and education sectors lead in data breaches, while only about 8% of breaches occurred in banking. In particular, William stated that there were 419 substantial data breaches reported in 2011, involving more than 22 million records. They explained that dealing with these breaches is important for companies because 75% of customers remember the breached brand and 68% feel that the company could have done more. They described how to respond to a breach, which includes a cyber forensic investigation, notifying affected consumers, having call center support, and ID monitoring/protection.

4. Social Models and Innovation Ecosystems

Peter Coffee, VP and Head of Platform Research for Salesforce.com gave a highly entertaining and very informative lunchtime talk. He suggested that companies should “think social” and not simply rely on social media. He explained that customers will describe their bad experiences online and may tell the entire world when they’re not happy. Companies can benefit, however, by fostering positive social behavior. For example, he described Coca-Cola’s new Freestyle vending machines, which allow customers to create their own soft drink recipes and share those recipes using QR codes through social media. The customer’s friends can then take those QR codes to a Freestyle machine and try out their friend’s recipe. On the other hand, companies that have a Facebook page but never respond to their customers’ inquiries or complaints, simply have an echo chamber for negative reviews of their company.

5. Practical Strategies for Dealing with Impersonation and Reputational Harm on the Internet

Timothy Yip, in-house counsel for Twitter, and Charles J. Harder from Wolf Rifkin, discussed the legal issues and practical insights into the problems associated with online imposters, defamers, and infringers. They recommended that companies who are dealing with reputational harm on the Internet, such as in Yelp or Amazon reviews, should familiarize themselves with the features, practices, and policies of these sites. If there is something a company does not like, it should preserve it immediately (e.g. screenshots) in case they want to bring further action. Companies should not expect that the harmful or disparaging information will remain online indefinitely. Additionally, companies should be careful who preserves this information. If the matter goes to litigation, you do not want your CEO or trial lawyer becoming a witness merely for the purpose of authenticating the screenshot or printout. It is recommended to have someone such as a permanent paralegal to preserve and later authenticate the document.

Timothy also discussed the emerging issues in social media ownership, such as when a company has a summer intern create a Twitter account under the company’s name, the intern leaves, and the company discovers that the former intern is now posting Twitter messages under the company’s account. Timothy recommends having ownership agreements when employees create social media accounts, using social media policies, and registering the company’s email account with the account (not the employee’s Gmail or other personal email account).

6. Tech Agreements in the Online World

David W. Tollen from Adeli &Tollen LLP discussed the impact of online business models on technology contracts. He authored the go-to manual for IT agreements – “The Tech Contracts Handbook.” David addressed several issues of concern in cloud/SaaS contracts. In particular, he stressed that these contracts should grant promise of service or a subscription – not a software or copyright license. He also warned against using non-disclosure agreements in these types of contracts because they are more suited for trade secrets and sensitive business information; instead, he recommends using clauses that effectively and comprehensively address data control, management, and security.

He also cautioned against using choice-of-law provisions that have no connection or relationship to the parties or the services to which they are contracting. He described how contracting parties may not want to designate Delaware as the governing law, when neither party is in Delaware nor will any services be performed in Delaware. Delaware is favored for corporate law, but not legal issues arising out of these tech agreements. David mentioned that you could find several form contracts and clauses at his website – http://www.techcontracts.com.

7. Tips and Strategies to Address Infringement on the Internet

The final session was a presentation by Deborah Greaves, Secretary & General Counsel for True Religion Brand Jeans, Christian Dowell, Legal Director of Global Brand & IP Litigation at Yahoo, and David Kaplan, Senior VP and IP Counsel for Warner Bros. Entertainment. Deborah described a new innovative strategy that companies are using in their fight against counterfeit goods – civil litigation. The strategy involves identifying a large number of websites that are selling the counterfeit goods (sometimes a single infringer will have numerous websites), gathering evidence that the site is in fact selling counterfeit goods (sometimes even purchasing goods from the site for physical evidence of infringement), naming those websites as defendants in a lawsuit, seeking an ex parte TRO, seizing the goods or financial assets, then seeking a permanent injunction. She noted that courts will allow companies to serve the alleged counterfeit sellers by email because they often fail to provide accurate contact information in their domain registration. These companies usually fail to respond to the Complaint and the company obtains a default judgment. The infringing sites are subsequently transferred to the company as the true owner.

This strategy was first established in the landmark case The North Face Apparel Corp., et al. v. Fujian Sharing Import & Export Ltd. Co., et al., No. 10 Civ. 1630. (AKH) (S.D.N.Y., Sept. 13, 2010) and is being increasingly used to combat counterfeit sellers. An advantage to the default judgment is that company’s can amend the same order to add new infringing (but related) websites without having to initiate a new lawsuit.

It was great conference and I highly recommend future Bar programs. Additional information about the talks can be found on Twitter by searching the hashtag #CAIPSection.

 

Last month we blogged about a district court for the Northern District of California that distinguished the Ninth Circuit’s recent U.S. v. Nosal decision and allowed an employer to bring a counterclaim under the Computer Fraud and Abuse Act (“CFAA”) against a former employee for alleged violations of a verbal computer access restriction. (Weingand v. Harland Financial Solutions, 2012 U.S. Dist. LEXIS 84844 (N.D. Cal. June 19, 2012). Recently, the court reaffirmed its conclusion regarding Nosal concerning the employee’s subsequent motion to dismiss that CFAA counterclaim.

Defendant employer Harland Financial Solutions alleged that it verbally authorized plaintiff and former employee Michael Weingand to return to its offices after the termination of his employment to copy his personal files from his prior work computer. A dispute arose, however, when Weingand allegedly “accessed , without authorization, over 2,700 business files,” some containing confidential, proprietary, and copyrighted information. (See our previous blog post for further details regarding the background of this case).

As discussed in our previous post, the court granted Harland’s motion for leave to amend its answer to assert a counterclaim against Weingand for violations of the CFAA.

Harland subsequently amended its answer to assert the CFAA counterclaim. Weingand then moved to dismiss the claim for “failure to state a plausible claim for relief.” (FRCP 12(b)(6)).

On August 29, 2012, the court denied Weingand’s motion to dismiss. The court noted that it already rejected a bulk of Weingand’s arguments in the prior motion for leave to amend. The court acknowledged, but declined to adopt, Weingand’s argument that verbal authorization could not be the sort of authorization cover by the CFAA:

Notably, the court reiterated its prior conclusion concerning Nosal:

“although Nosal clearly precluded applying the CFAA to violating restrictions on use, it did not preclude applying the CFAA to rules regarding access.”

Additionally, the court noted that many of the issues raised by Weingand concerning the scope and nature of his authorization, what constituted “personal” files, and whether he exceeded Harland’s authorization, were factual questions appropriate for summary judgment — not a motion to dismiss.

The court denied Weingand’s motion to dismiss because Harland alleged specific details about Weingand’s alleged unauthorized access, including when, where, and what Weingand allegedly accessed and copied.

The court’s reassertion that Nosal does not preclude employers’ “access restrictions” is significant because it reaffirms that Nosal may not be as broad of a limitation for employers that seek to use the CFAA against departing employees that steal valuable company data. After Nosal, it was feared that employers would have no recourse under the CFAA against employees that violate clear and explicit computer, network, and information security policies.

The court allowed Harland to proceed with its CFAA claim based on a mere verbal access restriction. This holding remains consistent with the Ninth Circuit’s prior decision in LVRC Holdings LLC v. Brekka: “The plain language of the statute therefore indicate that authorization depends on actions taken by the employer.” Thus under Weingand, an employer’s computer access policies may remain viable post-Nosal to bring CFAA claims in the Ninth Circuit against employees that violate those policies and steal valuable company data.