Internet Lawyer Blog

When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly-traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC even encourages companies to disclose "cyberrisks," even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC's guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident's "personal information," such as social security number, home address, driver's license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California's lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.

Continue reading "New Laws and Guidelines on Cybersecurity Disclosures Both Protect and Endanger Personal Information" »

Megaupload.com was among the world's biggest file-sharing sites with 150 million registered users and about 50 million hits daily. It was big enough that it earned founder Kim Dotcom $42 million in 2011.

The movie industry objected that the site was making money off pirated material; even though, Megaupload is based in Hong Kong and the founder was living in New Zealand, some of the alleged pirated content was hosted on leased servers in Virginia, which was sufficient for U.S. prosecutors to take action.

Thereafter, the site was closed and its founder and three Megaupload employees were arrested in New Zealand on allegations by American prosecutors that they facilitated millions of illegal downloads of films, music and other content, costing copyright holders at least $500 million in lost revenue.

The authorities in New Zealand were able to obtain artwork, weapons, and more than $8 million in funds and cars valued at nearly $5 million after serving 10 search warrants at several businesses and homes around Auckland.

A group of hackers retaliated for the recent news and claimed credit for attacking the Justice Department's website. After investigations by federal officials, it was confirmed that the department's website was down for several hours and the disruption was being "treated as a malicious act." This group of hackers who are also known as "Anonymous" claimed credit and also claimed that they also broke into the Motion Picture Association of America's website.

Fairfax Media located at New Zealand reported that the defendants were present at the courtroom for extradition proceedings which may last a year or longer. Dotcom's lawyer raised objections to a media request to take photographs and video, but then Dotcom spoke out from the dock, saying he didn't mind photos or video "because we have nothing to hide." The judge granted the media access, and ruled that the four would remain in custody until a second hearing Monday.

Michelle Obama is officially live on Twitter. The first lady's Twitter feed went live on Thursday and her link is being managed by the president's re-election campaign. The first two tweets came from the campaign staff and described the account as "a new way for you to connect with First Lady Michelle Obama and the President's campaign." The traffic was high within the first hour with more than 20,000 followers. President Barack Obama also has a Twitter account managed by the campaign. Its first tweet of the day: "It's not every day we get to welcome the First Lady of the United States to Twitter - happy to have you, Michelle Obama!"

This acknowledges that technology plays a key role in our lives and allows us to communicate with each other through different means and methods. Twitter is an online social networking service and microblogging service that enables its users to send and read text-based posts of up to 140 characters, known as "tweets". It was created in March 2006 by Jack Dorsey and launched that July. The service rapidly gained worldwide popularity, with over 300 million users as of 2011, generating over 300 million tweets and handling over 1.6 billion search queries per day. It has been described as "the SMS of the Internet." Twitter Inc. is based in San Francisco, with additional servers and offices in New York City.

In California, a new Facebook feature which permits an advertiser to publish or broadcast a user's "like" of its product to others in that individual's circle is under scrutiny.

The United States District Court in San Jose, California refused to grant a motion to dismiss which states that Facebook ads violate its user's right of publicity by utilizing their names and photographs without authorization. However, the court dismissed an unjust enrichment claim. In the lawsuit, Facebook's position is that user permission is not required to promote its user's likes to those in that user's circle, in a category it terms "sponsored stories." Facebook contends that such information is newsworthy and exempted under California's right-of-publicity statute. The company's position is that its users constitute public figures.

California's right-of-publicity statute is codified under Civil Code section 3344 which states as follows:

"Any person who knowingly uses another's name, voice, signature, photograph, or likeness, in any manner, on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of, products, merchandise, goods or services, without such person's prior consent, or, in the case of a minor, the prior consent of his parent or legal guardian, shall be liable for any damages sustained by the person or persons injured as a result thereof. In addition, in any action brought under this section, the person who violated the section shall be liable to the injured party or parties in an amount equal to the greater of seven hundred fifty dollars ($750) or the actual damages suffered by him or her as a result of the unauthorized use, and any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages. In establishing such profits, the injured party or parties are required to present proof only of the gross revenue attributable to such use, and the person who violated this section is required to prove his or her deductible expenses. Punitive damages may also be awarded to the injured party or parties. The prevailing party in any action under this section shall also be entitled to attorney's fees and costs."

Generally, punitive damages are awarded in addition to actual damages when the defendant acted with recklessness, malice, or deceit. Punitive damages, which are intended to punish and thereby deter blameworthy conduct, are generally not recoverable for breach of contract. The Supreme Court has held that three guidelines help determine whether a punitive-damages award violates constitutional due process: (1) the reprehensibility of the conduct being punished; (2) the reasonableness of the relationship between the harm and the award; and (3) the difference between the award and the civil penalties authorized in comparable cases. BMW of North America, Inc. v. Gore, 517 U.S. 559, 116 S.Ct. 1589 (1996).

For more information about this topic contact Los Angeles Attorney, Salar Atrizadeh, Esq.

In the recent years, online harassment or cyberharassment has become an important issue. This is because the Internet has changed our lives on so many levels. Generally, the law prohibits harassment and our readers should consider taking certain precautions when being harassed.

Cyberharassment is different from cyberstalking because it does not involve a credible threat. Cyberharassment occurs when someone sends harassing email messages, instant messages, or posts entries simply to torment another person. Different jurisdictions have different approaches in addressing cyberharassment in codifying their laws. For example, some include language addressing electronic communications in general harassment statutes. However, some states have created stand-alone cyberharassment statutes.

California Penal Code section 653.2 subsection (a) states that, "[e]very person who, with intent to place another person in reasonable fear for his or her safety, or the safety of the other person's immediate family, by means of an electronic communication device, and without consent of the other person, and for the purpose of imminently causing that other person unwanted physical contact, injury, or harassment, by a third party, electronically distributes, publishes, e-mails, hyperlinks, or makes available for downloading, personal identifying information, including, but not limited to, a digital image of another person, or an electronic message of a harassing nature about another person, which would be likely to incite or produce that unlawful action, is guilty of a misdemeanor punishable by up to one year in a county jail, by a fine of not more than one thousand dollars ($1,000), or by both that fine and imprisonment.

See California Penal Code section 422 related to hate crimes. See also California Penal Code section 653m for more information.

In California, the stalking laws are included under Section 646.9 of the Penal Code, which states that any person who willfully and maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety or that of an immediate family member is guilty of stalking. Stalking cases may include additional related charges such as: (1) Trespassing; (2) Vandalism; (3) Burglary; (4) Criminal Threats; and (5) Obscene, Threatening, or Annoying Phone Calls.

Please keep in mind that willfulness is a standard related to the culprit's state of mind. For example, when the person is acting purposefully, then he/she has the "conscious object" of engaging in conduct and believes or hopes that the attendant circumstances exist. If the person is acting knowingly, then he/she is practically certain that his conduct will lead to the result. If the person is acting recklessly, then he/she is aware that the attendant circumstances exist, but nevertheless engages in the conduct that a "law-abiding person" would have refrained from. If the person acts negligently, then he/she is unaware of the attendant circumstances and the consequences of his conduct, but a "reasonable person" would have been aware. Finally, if the person acts with strict liability, then mental state is irrelevant and he/she is strictly liable.

In the last few years and with the emerging of the world wide web, a new kind of stalking has developed which is also called "cyber stalking." This type of misconduct occurs when the violator utilizes the Internet, electronic mail (e-mail) or other communication devices to harass and stalk others. For example, it can occur by sending e-mails to the victim, impersonating another person in online chat rooms and e-mail messages, and disseminating lies in cyberspace. It is also important to note that the Internet is a cheap and efficient method for "cyber stalkers" to anonymously cause harm to their victims.

If you have any questions, contact me, Salar Atrizadeh, Esq. to discuss your options.

If you use email in your day-to-day business operations the CAN-SPAM Act is a law that sets the rules for commercial email. It also establishes the requirements for commercial messages, provides recipients the right to have the sender stop emailing them, and mentions the penalties for related violations.

The CAN-SPAM Act applies to bulk email and all commercial messages, which the law defines as "any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service," including email that promotes content on commercial websites. The law makes no exception for business-to-business email which means all email. As an example, a message to former customers announcing a new product line is required to comply with the law.

Each violation of the CAN-SPAM Act is subject to penalties of up to $16,000. Here are the CAN-SPAM Act's main requirements:

1. Do not utilize false or misleading header information. Your "From," "To," "Reply-To," and routing information - including the originating domain name and email address - should be accurate and identify the person or business who initiated the message.

2. Do not utilize deceptive subject lines. Stated otherwise, the subject line must accurately reflect the content of the message.

3. Always identify the message as an advertisement. Generally, the law provides some freedom on how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.

4. Inform the recipients of your location. In sum, the email message must include your valid physical postal address. This can be your current street address, a post office box you've registered with the U.S. Postal Service, or a private mailbox you've registered with a commercial mail receiving agency established under Postal Service regulations.

5. Inform the recipients about opt-out options related to future emails. The email must include a clear and conspicuous explanation of how the recipient can opt out of getting email in the future. Make sure your spam filter doesn't block these opt-out requests.

6. Always honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient's opt-out request within 10 business days.

7. Always monitor what others are doing on your behalf. The law is clear that even if you hire another company to handle your email marketing, you cannot contract away your legal responsibility to comply with the law. Generally, both the company whose product is promoted and the company that actually sends the message can be legally responsible for any discrepancies.

Click here or on this link for more information.

In light of the circumstances, numerous states have enacted "cyberstalking" or cyberharassment" laws or currently possess laws that specifically include electronic forms of communication within more traditional stalking or harassment laws. In addition, many states have enacted "cyberbullying" laws in reaction to issues related to protecting minors from online bullying or harassment.

Cyberstalking constitutes use of the world-wide-web (i.e., the Internet), electronic mail or other electronic communications to stalk. It generally refers to a pattern of threatening or malicious behaviors. It may be considered the most dangerous of the three types of Internet harassment, based on a posing credible threat of harm. Penalties range from misdemeanor to felony. See Cal. Civil Code § 1708.7, Cal. Penal Code § 646.9.

Cyberharassment is different from cyberstalking since it may not involve a credible threat. It usually pertains to threatening or harassing email messages, instant messages, or to blog entries or websites dedicated solely to tormenting a person. Some state legislatures have dealt with this issue by inserting provisions which address electronic communications in general harassment statutes, while others have created stand-alone cyberharassment statutes. See Cal. Penal Code §§ 422, 653.2, and 653m.

However, cyberbullying and cyberharassment are used interchangeably sometimes. Generally, cyberbullying is used for electronic harassment or bullying amongst minors in the context of schools. Recent legislation seems to show a trend of placing the burden of enforcement of such policies on school districts. Hence, the laws establish the infrastructure for schools to handle this issue by amending pre-existing school anti-bullying policies to include cyberbullying or electronic harassment among children in educational environments. Most state laws enforce sanctions for cyberbullying on school property, school buses, or school functions. See Cal. Ed. Code §§ 32261, 32265, 32270, and 48900.

Samsung Electronics, the second largest maker of mobile phones, claims that Apple Inc. has infringed upon its patents since entering the mobile-phone market with the iPhone 3G, a lawyer for Samsung told a Dutch court as the Korean company seeks a ban on some Apple products in the Netherlands.

"Apple just entered the market in 2008 without taking care of the licenses," Bas Berghuis van Woortman, a lawyer for Simmons & Simmons LLP who represents Samsung, said in The Hague court. "Apple is consciously, structurally infringing the 3G patents."

The parties will be discussing settlement soon as this is yet another legal battle between two technology giants over intellectual property rights.

In the recent years, politically-motivated hackers have made sensitive information available to bloggers and mainstream media at unprecedented rates. For example, Wikileaks released leaked Afghan war logs and government diplomatic cables. Anonymous individual hacked and released emails from the computer security firm HBGary. A college student gained access to and released emails from Sarah Palin's Yahoo account. LulzSec hacked into and publicly released confidential data belonging to Sony and others. Most recently, the Antisec movement hacked into over 70 police departments and released confidential emails and other files.

A this time, some important questions to ask ourselves would be as follows:

1. What are some applicable legal issues when publishing information obtained by hackers?

2. Is there any limit on the type of information that may or may not be published?

3. Is it necessary to revise the laws that protect sensitive information?

Please contact our offices if you are facing similar legal issues.

Facebook Inc., which is currently considered the world's largest social network, plans more acquisitions so to improve its site design, keep services more reliable and advance its mobile features to compete with Twitter and Google which are active in the same arenas.

Facebook's director of corporate development, Vaughan Smith stated that, the company aims to make approximately 20 purchases in year 2011 which is up from 10 last year and one in 2009.

It is important for our blog readers to know that Facebook obtains income from advertising and takes certain commission when software developers sell virtual goods on its website. As we know, Facebook is a closely-held company and it does not disclose its financials. Based on my research, the company is seeking to generate $2 billion or more in earnings before interest, taxes, depreciation and amortization in 2011.

Also, Facebook was able to raise more than $2 billion from investors, including $1.5 billion from an investment led by Goldman Sachs Group, Inc. sometime on or about January 2011.

Experts in the field believe that the future of all computing is mobile. Hence, it is probably high-tech company's (e.g., facebook, google, twitter) top priority. For example, Snaptu, which is a mobile startup Facebook acquired earlier this year, was purchased for approximately $60 million.

I believe that mobile computing will be changing applicable technology and certain state and federal laws. Issues such as privacy, security, intellectual property, e-commerce, and constitutional law will arise in the near future. I also believe that Facebook's future is promising due to the substantial financial backings by optimistic investors. However, the future of technology is uncertain and as we know, the legal system must catch up with the rapid changes.

In April 2010, David Kernell faced trial for "hacking" into then-Alaskan Governor Sarah Palin's personal email account.

In November 12, 2010, David Kernell was indicted (i.e., a grand jury believed there was sufficient evidence to place him on trial on federal charges). Thereafter, a jury convicted him of two charges. First, computer fraud. Second, obstruction of justice. David Kernell's defense was that his conduct was a prank. However, the jury was not pursuaded and he was sentenced to one year and one day in federal prison with a recommendation to spend his time in a halfway house.

This case is illustrative of the types of crimes an email hacker may face including: (1) Wire Fraud; (2) Computer Fraud; (3) Identity Theft; and (4) Obstruction of Justice.

Wire fraud involves the use of a computer, television, telephone, or radio to obtain property or money from another person by and through deception or trickery. Even though taking money is common through Internet scams, however, stealing personal and confidential information also constitutes wire fraud. One important requirement for wire fraud is that the emails, telephone calls, or wire transmissions have to go between two or more states or countries.

Computer fraud is similar to wire fraud but it only applies to computers. In addition, it requires some kind of "interstate" connection. The law applies only to computers used:

(i) By or for financial institutions (e.g., banks, credit unions); and/or
(ii) In a manner that has an effect on interstate or foreign commerce, or communications in the United States.

Identity theft happens when a person uses fraud, deception, or trickery to obtain and utilize someone else's personal data or information. Generally, such information is used by the culprit (i.e., thief) to obtain funds, but it may not be the case at all times.

Obstruction of justice includes numerous actions. Generally, it happens when there is interference with a legal process or an official investigation. For example, David Kernell was charged with this crime since he allegedly attempted to delete evidence from his computer related to his hacking activities prior to federal investigators were able to obtain it.

Related Links:

1. Identity Theft, Privacy & Security Information and Resources from the U.S. Federal Trade Commission (See http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm)

2. Fight Back Against Identity Theft (See http://www.ftc.gov/bcp/edu/pubs/articles/naps03.pdf)

3. KnoxNews: See http://www.knoxnews.com/news/2010/nov/12/prosecutors-palin-hacking-push-prison-time

A rise in attacks by hackers in 2011 is showing limits of an older generation of security software from Symantec Corp. (www.symantec.com) and McAfee Inc. (www.mcafee.com) and is placing pressure on these high-tech companies to upgrade products.

These and similar companies are seeking to keep up with cloud computing and the growth of workers plugging mobile devices into networks. According to Johannes Ullrich, a researcher at the SANS Technology Institute (www.sans.edu), none of the recent attacks tied to hacker groups such as Anonymous and Lulz Security could have been repelled by traditional antivirus programs or firewall software.

George Kurtz, who is the current chief technology officer at McAfee, now part of Intel Corp. (www.intel.com), expressed his concern by comparing the current predicament to a "security Armageddon" which is also of great concern for end users and customers.

The Pentagon's new strategy for blunting cyber-attacks focuses almost exclusively on improving defense instead of deterring intrusions or threatening retaliation, the vice chairman of the Joint Chiefs of Staff, Marine General James Cartwright, stated on July 14, 2011.

Deputy Defense Secretary William Lynn today released the Pentagon's "Strategy for Operating In Cyberspace," which outlines five "strategic initiatives." One is increased partnering with other U.S. agencies and private industry to craft a "whole-of-government" approach.

Read more here.

The White House will host a Twitter town hall with President Barack Obama on July 6. The president will answer questions submitted via Twitter, which limits messages to 140 characters. The town hall will focus on jobs and the economy, and a video feed of Obama's answers will be streamed online.

See www.twitter.com/salaratrizadeh for more information.