Current Legal Issues Facing Businesses on the Internet: Legal Risks and How They Can Be Avoided
© 1999 Thelen Reid & Priest LLP
In 1997 Thelen Reid & Priest formed the Internet Practice Group, an interdisciplinary association of attorneys from different departments of the firm devoted to legal issues arising in the growing online business environment. Since then Internet law matters handled at the firm have increased exponentially. Yet the Internet is such a recent phenomenon that many companies still do not recognize all the pitfalls that can accompany doing business online. Business persons and even general counsel are still learning how to navigate the Internet safely. This article is intended to alert businesses to some of those legal risks—and how they can be avoided through timely legal counseling.
Policing the Internet
Every company, even those not conducting significant business online, should be concerned about harm it may suffer due to the online conduct of others. The principal examples include trademark infringement, copyright infringement, defamation, and unauthorized access torts. We advise all our clients to be proactive in policing the Internet to prevent harm to their interests. Trademark risk has changed in the online environment. In the area of trademark law legal risks have changed due to the advent of the Internet. There is no such thing as a local or regional trademark on the Internet—the global nature of the Internet means that unregistered trademarks that previously did not conflict due to geographic or industry separation now find themselves in conflict when used online, where every Web-based advertisement is accessible in every market. In contests over desirable domain names—the phrases such as "thelenreid.com" that companies use to identify their Web sites—unregistered marks are at a distinct disadvantage. In short, the Internet places an increasing premium on registered trademarks, and on unique "strong" marks. It also places a premium on diligence in policing the Internet to uncover infringing uses at the earliest opportunity. In the past year we have handled a number of matters involving conflict over the rights to domain names, some of which resulted in litigation or threats to sue, others of which were resolved through a purchase of the domain name by one of the contending parties.
Defamation of companies and management online is increasing. Companies are also finding themselves under attack from negative Web pages, which disparage their products, management, financial condition, employment practices or other aspects of their business. Such pages frequently divert users from the company's official page by closely mirroring its domain name or using the target company's trademark on their own page to fool search engines into pulling up the critical page in response to a search request designed to find the official page.
Disparaging and potentially actionable material is frequently found in investment oriented chat rooms or chat rooms designed around a given industry focus. Many former employee sites have been established specifically for the purpose of airing grievances against former employers. In addition, as with conventional media, the Internet can be a venue for copyright infringement, and misappropriation of famous persons' name or likeness. "Hacking" or improper access torts are becoming increasingly common.
Many of our clients conduct routine sweeps of the Internet to uncover instances of trademark infringement, copyright infringement or disparagement. Others ask us to perform that service for them. The good news is that usually we can get the infringing or defamatory material removed without litigation, however sometimes a reasonable result cannot be negotiated and litigation results. In the summer of 1998 Thelen Reid lawyers obtained a preliminary injunction in federal court against the promoter of just such a rogue Web site on behalf of a non-profit group whose mission and message was disparaged on the site. The disparaging site diverted users from the organization's official site by use (and abuse) of the organization's trademarked name. The preliminary injunction was upheld in the Third Circuit, and the permanent injunction trial of that matter is proceeding.
Setting Up Your Online Presence
Most companies have some form of Internet presence by now, ranging from a static Web page which is little more than a simple, electronic advertisement to complex Web pages which allow a full range of electronic commerce activities to be performed online, including communication and contracting with the company's supply chain, distribution channel and ultimate consumers. In some ways the process of setting up a Web page is easy. Professional Web page developers can take your company through the entire process from initial concept to final design. In many cases the developer will host the page on its server, handle updates, and arrange for electronic payment and encryption systems. However, such vendors frequently offer standard Web page development and hosting agreements containing hidden time bombs that can result in substantial legal difficulties down the road.
Development agreements should be clear about ownership of intellectual property. The parties may not share the same assumptions as to who will own the intangible property rights in the developed product, including copyright, trademark, patent, and publicity rights. Silence on this issue should not be taken as comforting, however. The work-for-hire doctrine under copyright law may not be applicable, resulting in the developer retaining full ownership of the copyrights to the work it creates for the other party. A development contract should specify who owns the content that goes into the Web page, otherwise conflicts may erupt if the company decides to revise the page or move it to a new host.
Performance specifications and warranties are important features of any development contract. The contract also should specify procedures for acceptance and testing of the finished page. Web hosting agreements also raise concerns. Nobody likes a Web site that is down, slow or otherwise unreliable. A Web hosting agreement should specify the level of service the company is paying for. A company should consider being able to terminate the agreement for failure to maintain the contracted-for service levels.
Often hosting services take care of domain name registration. This is fine so long as the registration is done in the name of the company, or is transferred to the company. Problems may arise where the host owns the name and the company seeks to switch hosting services down the line.
It's not sufficient merely to have a Web site; rather, surfers expect updated information. For this reason, the Web host should provide specified tools to enable remote updating through file transfer from the company. Some Web hosts will provide updating services. Other companies may opt to have their initial developer provide updates. In any event, a company ought to consider who will provide the updates, and how they will be incorporated into the Web site. The hosting agreement should also deal with responsibility for security. Sophisticated software and the use of "cookies" can provide important information about visitors to the site and their use of the site. Visitors may also be asked to provide personal information through registration or in connection with transactions. Such information can be used to further modify a site to better serve its users. Often a company will want to control any information obtained through its Web site; however, this information may also be valuable to the hosting service. The hosting agreement should state which party has what rights to information obtained from users.
Finally, a company must be able to move its Web site to another host's server on short notice, especially in the event of a breach of the Web hosting agreement. The contract should require the Web host to transfer the contents of a site in a medium selected by the company on 24 hours notice. The Web host should also be obligated to provide reasonable assistance in effecting the transfer to another server, at least where the termination is not due to a breach by the company.
The above illustrates the range of issues that should carefully be considered in establishing an Internet presence. Although everyone from teenagers to Fortune 500 companies has Web sites, this does not mean the form agreements often proposed by Web developers and Web hosts will provide necessary protection for a company seeking to do business online.
Contracting on the Internet
In some ways the Internet is an ideal environment for contracting, whether with business partners or ultimate consumers. Because it is essentially instantaneous and interactive, contracting online can be structured to eliminate ambiguities that can result from the exchange of paper documents in the real world. The so-called "battle of the forms" often results when businesses contract with one another by exchange of pre-printed forms. While those forms will probably agree on basic terms like price, quantity, delivery and the like, they may contain varying boilerplate terms regarding arbitration clauses, forum selection, limitations of warranties, opportunity for cure, and the like. Internet contracting can be set up with only one form—the offeror's—with acceptance limited to the offered terms. Collateral terms offered in free text can be avoided by providing that acceptance can be indicated in only one manner—by "clicking" or typing "I accept" in a given box. Similarly, the instantaneous nature of the Internet avoids disputes over the timing of offer and acceptance, such as whether an offer was still outstanding at the time the acceptance was made—the family of issues referred to by lawyers as the "mailbox rules."
A Web page is an ideal platform for contracting for other reasons as well. Disputes over whether a purchaser or seller was made aware of certain terms, such as limitations of remedies, can be avoided online by structuring the Web page in such a manner that the purchaser must view the desired text before proceeding to the execution page. Disputes over the validity of click-wrap licenses can also be avoided by careful structuring of the Web page. The need to keep legal disclaimers in their place: Business people do not want their Web pages cluttered up with legal disclaimers and boilerplate provisions. In our experience assisting clients to construct online contracting environments, legal protections can be integrated into Web pages in a legally enforceable but non-distracting manner through careful design of the Web page and focusing on the legal provisions that are critical to the selling entity. Digital signature legislation: The news is full of stories regarding efforts in various state legislatures, Congress, and the National Conference of Commissioners on Uniform State Laws, to enact legislation to facilitate electronic commerce, including digital signature legislation and encryption legislation. We continue to track those initiatives, and depending on how those lawmaking efforts turn out, they may in fact make electronic commerce easier, safer and more reliable. But the Internet is up and open for business now, and the legal tools already exist to render e-commerce feasible today. Most companies are not waiting.
Exposure to Foreign Jurisdiction Risk
The global nature of cyberspace is its strength but can also pose dangers. A company may want to reach only a small, select audience with its message, but once the company's Web page is posted it will necessarily reach the entire world. This can cause problems when the company's message is illegal in certain jurisdictions, or when communicated to certain audiences such as minors. Industries traditionally regulated on a geographical basis, such as insurance and securities, need to consider how to avoid making offers or other communications online that are unlawful in certain jurisdictions because they have not been pre-approved or filed, or because the entity making the offer or communication is not registered or licensed there.
Perils exist in less regulated industries as well. Regulations regarding subjects such as advertising, defamation and decency differ substantially in jurisdictions outside the United States. American companies have found themselves unexpectedly subject to regulatory attack overseas for engaging in comparative advertising that would have been perfectly legal and even unremarkable in the United States.
Personal jurisdiction may depend on the interactivity of a Web site. In addition, doing business online, or even just advertising on a Web page, may subject an entity to suit in distant jurisdictions. Parties entering into contracts over the Internet can anticipate this risk and attempt to contract around it with choice of law, choice of forum, or arbitration clauses. But some torts, like defamation or trademark infringement, do not require any transaction to take place to be actionable. In those cases the issue of personal jurisdiction in a distant forum, at least under United States law, comes down to whether the Web page was "targeted" at the forum state such that the courts of that state will find it fair to require the company to defend a case there. This issue has arisen in cases handled by this firm within the past few months and will doubtless arise with increasing frequency in the years to come.
The law in this area remains unsettled and continues to evolve. If any trend can be discerned it is that interactive Web sites, which invite the viewer to register, provide data or information, and generally enter into an online relationship with the Web page sponsor, are more likely to support assertion of jurisdiction over a distant Web page sponsor than a mere static Web page.
One significant area where foreign law diverges from United States law concerns the privacy of personal data—obtaining, using and distributing personal data, such as names, addresses, phone numbers, income, medical conditions, and characteristics of race, sex, age, ethnicity and political affiliation. United States law on privacy is sporadic at best, targeting individual subject matters and industries for attention (credit reporting agencies, electronic communications, student records, video rental records) and leaving other areas substantially unregulated at the federal level (medical records, direct marketing, and the Internet). Industry and the Clinton administration continue to favor voluntary industry self-regulation of information gathering and use on the Internet; however, the Federal Trade Commission and privacy advocates are increasingly demanding some form of federally legislated protection.
The European Commission Privacy Directive: By contrast, privacy regulation in Europe is more systematized and bureaucratic, with many countries having governmental bureaus charged with protecting the interests of individuals in data that is collected about them. Rights of data subjects are similarly more developed, including the right to access data collected about oneself, to be informed when and why data is being collected, and to have data collected only for limited, specified purposes. Freewheeling collection, purchase and sale of personal data for marketing purposes in the American fashion would not be permitted under such systems. The European Commission and Parliament issued a directive in 1995 which requires all European Union member states to have privacy legislation in place that will prevent transmission of personal data to countries like the United States, which do not offer their citizens equal protection. Active negotiations have been underway in recent months between members of the Clinton administration and EU representatives to gain as much assurance as possible that data flows to the United States will not be interrupted. Meanwhile individual United States companies and even whole industries will attempt to comply with privacy standards acceptable to the EU by entering into individual contracts and commitments, or adopting industry standards, related to privacy rights.
Any company that needs to receive personal data from Europe, whether from other entities or its own affiliates, needs to consider how it will respond to the challenge posed by the EC privacy directive.
Internet and Email Policies and the Workplace
Employees tend to use electronic mail differently than paper communications such as letters or memorandum in the work place. The popularity of electronic mail largely results from its dual nature of being as efficient and informal as a spoken conversation, while also having the permanence of a written letter or memorandum. Unfortunately, this informality often is accompanied by inappropriateness. Employers need to warn supervisors and employees to use the same care in drafting email messages that they would in drafting a letter or memorandum. Furthermore, companies should be adamant that their electronic mail may be monitored by supervisory personnel. Employees must understand that email frequently lasts longer than messages that are sent to individuals on paper, and is far more easily forwarded to other (unintended) users both within the company and outside the company.
Internet access as source of liability for discrimination and harassment: A recent poll of 9,000 Internet users by MSNBC revealed that almost one in five persons visited cybersex sites while at work. Allowing employees to access such sites and either transmit their contents to others, or allow others to observe them accessing such sites, raises the possibility of liability for the creation of a hostile work environment. In addition, republication of such material may violate copyright and/or trademark laws.
Record keeping and retention: A common use for email or an intranet is to communicate requests for vacation, family leave, training, disability accommodations, promotion or transfer, adjustments in compensation, and even timekeeping. These items are typically considered personnel records and need to be retained under federal law, as well as under the laws of many states, including California. Policies to retain records indicating both transmission and receipt of such documents are essential.
Public Company Issues
Securities lawyers are increasingly receiving inquiries about the risks and potential rewards of using the Internet. On the risk side, we have been advising public companies about the need to update corporate disclosure policies to take the Internet into account. Many companies still operate on a dual system, while press releases and securities filings are carefully scrutinized for any inaccuracy with securities disclosure principles in mind, elsewhere in the company vague, overly optimistic, or just plain speculative information is being exchanged online without sufficient oversight. Information disclosure and document retention policies need to be updated to take the online world into account.
On the benefit side, companies are increasingly asking about the feasibility of using the Internet to save costs in delivering the annual report, proxy materials, and offering materials. The SEC has clarified the procedures that need to be followed to meet the "delivery" requirements for electronic disclosure documents. This is an area where we expect to see significant growth during 1999.
The issues presented above are relevant to all companies doing business on the Internet, not just companies that consider themselves to be in the high-tech field. These issues confront main-street business, whether in construction, manufacturing, retailing, utilities, securities, professional services or other lines of business. They exist even for companies with a minimal online presence. Some of them, especially the risks discussed under the heading "Policing the Internet," even exist for companies that have no online presence.
We believe the legal risks posed by the Internet can be managed in ways that do not detract from its attractiveness as a medium in which to do business. But every chief executive, general counsel and chief information officer owes it to him or herself to understand those risks and obtain appropriate advice.
The Internet Practice Group at Thelen Reid & Priest. The Internet Practice Group is an interdisciplinary group of attorneys from the firm's Technology, Business & Finance, Tax, Commercial Litigation and Labor departments who share an interest in helping clients do business online. For more information about the firm's Internet law practice, please call your regular Thelen Reid & Priest attorney contact. If you do not have such a contact, please call Karl Belgum in the San Francisco office (email@example.com, 415/955-3641), Paul Winick in the New York office (firstname.lastname@example.org, 212/632-6756), or Allen Melser in the Washington, DC office (email@example.com, 202/508-4050).