Cyber Litigation Trends

Cyber Litigation Trends

Trends and legal updates in cyber claims

Contributory Trademark Infringement: What is it and What are its Implications on the Insurance Industry?

Posted in Uncategorized

Contributory Trademark Infringement can Effect Carriers Issuing everything from the Standard Commercial General Liability Policy all the way to an Intellectual Property Trademark Abatement Policy 

It may be common knowledge that you cannot directly use someone’s trademark without first seeking permission. However, many carriers may not realize that a party can also be pulled into a trademark infringement lawsuit if it is determined they assisted or facilitated in a third-party infringing on someone else’s trademark. The purpose of this article is to help educate carriers on what contributory trademark infringement is and the effects it may have on a variety of policies. For example, the potential risks that may come with issuing a commercial general liability (“CGL”) policy to a flea market[1] or writing a trademark abatement policy for a well-known software program.[2]      

 Contributory trademark infringement occurs when a party either 1) intentionally induces a trademark infringement or 2) knows or should have known that it was supplying products or services to a party infringing on another’s trademark.[3] While the concept of contributory trademark infringement has been around since 1924[4], it was not defined into the above two-part test until 1982 when the United States Supreme Court made its ruling in Inwood Labs. v. Ives Labs.[5] This is the same two-part test which is applied by courts today.[6]  

Those holding a trademark are no longer limited to pursuing only the parties who are counterfeiting their products. Instead, they can now go after the, theoretically, far fewer market places or suppliers that are making this infringement profitable on a wide-scale basis. This includes the flea market that is renting space to a vendor dealing in counterfeit purses[7] all the way to the internet search engine that is allowing third-parties to link advertisements to a trademarked name.[8] While plaintiffs still need to prove the underlying infringement in order to pursue their contributory claim,[9] those parties who had historically been benefiting indirectly from the infringement can no longer claim ignorance as a defense.[10]

The implications for the carriers issuing the standard CGL policies are that they are now potentially on-the-hook for an insured that had previously been able to benefit from the underlying trademark infringement without the risk of being pulled into a potential lawsuit. These risks are not just limited to carriers issuing policies to brick-and-mortar store fronts. This threat has now expanded into the policies in place for companies selling advertising[11] and contractors making construction bids.[12] Contributory trademark infringement claims open a wide variety of potential defendants not previously at risk for these trademark infringement lawsuits.

For carriers issuing trademark abatement policies, they now have the ability to pursue the most cost effective means of bringing and litigating a trademark infringement lawsuit. Instead of targeting the countless counterfeiters, they can now focus on the companies and individuals facilitating the infringement on a large scale basis. Historically, one of the greatest difficulties in enforcing a trademark was the cost associated in bringing an infringement action. The question that would be asked was “is it worth spending a few hundred thousand dollars to bring down a mom and pop operation?” With the use of contributory claims, trademark holders are now being able to get more “bang for their buck” by going after parties with deeper pockets.

There is no clear answer for what the future holds for contributory trademark infringement claims. For now, it appears that courts are holding companies accountable for maintaining some form of safeguards to protect the rights of the trademark holder, even if they are minimal. For example, an insured leasing retail space can no longer turn a blind eye to the vendor selling a $300.00 designer purse for only $20.00.[13] Carriers who are at risk of being brought into a contributory trademark infringement claim need to consider trying to educate their insureds about the risk associated with allowing a third-party to use someone else’s trademark. They need to also discuss reasonable safeguards insureds should have in place to identify if such infringement is occurring. Carriers benefitting from the ability to bring a contributory trademark claim need to consider evaluating on a case-by-case basis with their insured who the primary target of an infringement lawsuit should be, the counterfeiter or their facilitator, because it may turn out that you need the assistance of one to make your case against the other.[14]

[1]Coach, Inc. v. Gata Corp., 10-CV-141-LM, 2011 WL 1580926 (D.N.H. Apr. 26, 2011) on reconsideration in part, 10-CV-141-LM, 2011 WL 2358671 (D.N.H. June 9, 2011).

[2]Rosetta Stone Ltd. v. Google, Inc., 676 F.3d 144 (4th Cir. 2012)

[3]Sarah Wells Orrick, Deciphering Rosetta Stone: Why the Least Cost Avoider Principle Unlocks the Code to Contributory Trademark Infringement in Keyword Advertising, 28 Berkeley Tech. L.J. 805, 810-11 (2013)

[4]“One who induces another to commit a fraud and furnishes the means of consummating it is equally guilty and liable for the injury.” William R. Warner & Co. v. Eli Lilly & Co., 265 U.S. 526, 530-531 (1924)

[5] “Even if a manufacturer does not directly control others in the chain of distribution, it can be held responsible for their infringing activities under certain circumstances. Thus, if a manufacturer or distributor intentionally induces another to infringe a trademark, or if it continues to supply its product to one whom it knows or has reason to know is engaging in trademark infringement, the manufacturer or distributor is contributorially responsible for any harm done as a result of the deceit.” 456 U.S. 844, 853-854 (1982).

[6] Supra note 3.

[7] Coach, Inc., 2011 WL at 1580926  

[8] Rosetta Stone, Ltd., 676 F. 3d at 144

[9]Suntree Technologies, Inc. v. Ecosense Int’l, Inc., 693 F.3d 1338, 1345-1347 (11th Cir. 2012)

[10] Coach, Inc., 2011 WL at 1580926  

[11] Rosetta Stone, Ltd., 676 F. 3d at 144

[12] Suntree Technologies, Inc., 693 F. 3d at 1338

[13] Coach, Inc., 2011 WL at 1580926

[14] Suntree Technologies, Inc., 693 F. 3d at 1343

What is a Patent Troll and Why Should Insurers of Software and Internet Based Companies Care?

Posted in Uncategorized

Patent Trolls have Cost U.S. Software and Internet based Companies Billions in Litigation Costs and Untold Amounts in Unreported Licensing Fees 

Since the mid-2000s, U.S. software and internet based companies have been under attack by patent trolls where losses have numbered in the billions. Hopefully, this article will offer some guidance as to how to deal with this “patent war” that has been raging for over a decade. For carriers, this threat and the potential risk is nothing new.  That said, there are some corner stone considerations to  identify when offering policies that cover intellectual property rights.

So what exactly is a patent troll? If you have been insuring software and/or internet based companies and are not familiar with the term, count yourself amongst the lucky ones. Patent troll is a slang term used to describe a non-practicing entity (“NPE”) that holds numerous broadly worded software and/or technology patents that targets primarily small-to-mid-size companies in a new form of what some have referred to as legalized extortion.  So let us take a look at how it works:

Starting in the 1960s and hitting its height during the software boom of the early 1990s, a number of computer programmers and/or companies applied for and were awarded software patents by the United States Patent and Trademark Office (“USPTO”). The USPTO, not being very familiar with software coding at the time, approved a vast number of these patents which included very broad language as to what the patent covered. Fast forward to the mid-2000s and welcome the introduction of the patent troll. These NPEs went out and purchased these loosely worded patents. The kicker is that these NPEs do not actually use the patent or produce any products.  Instead, they just hold the rights to these very broadly worded software and/or technology patents. The troll then looks for software and/or technology based companies that use a process and/or technology that could possibly be covered by one of its patents. For example, a company that uses the internet for marketing is a target for a number of these trolls. Sound familiar?

After the troll identifies a potential target, it will then send what is called an infringement letter to the company which states that the company is infringing on the troll’s patent and unless the company agrees to pay a licensing fee, the troll will sue. If the company refuses, it is slapped with a lawsuit which can cost several hundreds of thousands of dollars to defend with no guarantees that a court will find the troll’s patent unenforceable. If the company agrees to pay the licensing fee, it opens the door for other trolls to send infringement letters.

In 2011, Georgetown Law Journal published that software patents made up 74% of the most litigated patents.[1] Also in 2011, Boston University School of Law performed a study that found patent trolls costs U.S. companies over $500 billion in litigation loses, with an average loss of $83 billion per year from 2007 through 2010 (in 2010 dollars).[2] These figures did not take into account licensing fees companies agreed to pay to the trolls to avoid an infringement lawsuit.

In the past, companies and insurers were being advised to pay these licensing fees; however, over the past two years a growing trend has been emerging to fight these trolls. Some companies have found that when they challenge these infringement letters and threaten the validity of the patent, these trolls have backed down. The 2011 Georgetown Law Journal article discussed above found that when trolls (NPEs) litigate a suit, they only win 8.0-9.2% of the time (taking into consideration default judgments); however, if troll is successful the damages accessed can be significant (as discussed above).[3]

Unfortunately, at this time, there does not appear to be a clear cut answer as to how to handle these trolls, whether to pay the licensing fee or take the risk that comes with the lawsuit. Companies and their insurers need to address each encounter with a troll on a case-by-case basis and ultimately make a business decision as to what is in the company’s best interest, the risk associated with the lawsuit or the risk that additional trolls may come knocking if they see the company has already paid one of them. Whatever the decision maybe, making sure the company and the carrier understand all their options is paramount.                   

[1]John R. Allison et. al., Patent Quality and Settlement Among Repeat Patent Litigants, 99 Geo. L.J. 677,  695-96 (2011)

[2]James E. Bessen, Jennifer Ford & Michael J. Meurer, The Private and Social Costs of Patent Trolls, 17 (Boston Univ. Sch. of Law, Working Paper No. 11-45 (Sept. 19, 2011) (Revised November 9, 2011), available at

[3]Allison, Patent Quality at 708.


Email Disclaimers: Recipient Beware

Posted in Uncategorized

Email correspondences have become the norm in the legal world to exchange written communications with clients, opposing counsel, and governmental entities. In doing so, however, there exists the risk of inadvertent disclosures. As such, it has become common practice for senders to institute an automated disclaimer at the bottom of each email indicating that the communication may contain confidential and privileged information, and that if said email is received in error, it should not be read or copied, and the recipient should notify the sender immediately of same. See R. 4-4.4(b), Fla. Rules of Ethics.

However, what legal implications does such disclaimer really have? For starters, it is important to note that emails sent to governmental agencies may be automatically deemed a public record.  Although it does not appear that courts have directly addressed the particular issue of the enforceability of an email disclaimer, general contract law leads us to believe that the answer is that such disclaimers are not enforceable. In order to form contract, there must be an offer, acceptance, and consideration – simply put, both parties must agree to the terms of an agreement.

Pursuant to the contract formation, an email disclaimer would generally not be legally binding. More specifically, while an email disclaimer seeks to establish an agreement between the sender and recipient, thereby giving rise to a duty of nondisclosure, the act of receiving a message does not, in and of itself, give rise to an acceptance and agreement to keep the email contents confidential.

 While it is certainly unclear the extent to which disclaimers are enforced, email disclaimers in the legal world do serve an important purpose. Specifically, courts have considered email disclaimers in determining whether the content of an email should be deemed privileged communications. Diodato v. Wells Fargo Ins. Servs. USA, Inc., 2013 WL 3524829 (M.D. Pa. July 11, 2013) (finding that emails which carried disclaimers identifying the communications as confidential were protected by the attorney client privilege).

The “Real” Owners of Your Social Media Photos

Posted in Uncategorized

From capturing those unforgettable life moments to tracking your weight loss goals with fellow dieters – the 21st Century social media craze has truly redefined what it means to share one’s photographs with other Internet users. Today, sharing photographs has become a social media phenomenon in which Internet users have embraced such websites as Facebook, Instagram, Twitter to “like, comment, comment, hashtag” and otherwise share their personal photographs with the online community. But what exactly do you agree to when you post your photos online?

As small and often hidden the fine print may be, once you track it down you will find that your photos are, in many respects, far from “yours” once you post them on a social media website. Pursuant to copyright law, social media websites are quick to assert that the creator of a photograph has the exclusive right to display, copy, use, produce, and distribute such photographs. See 17 U.S.C.A. § 106 (West). Based upon their terms and conditions, however, users who post their photographs on such websites are, in effect, granting these companies a license to use their photographs in any way the company desires.

Facebook, for instance, states in its terms and conditions that a user “specifically grants Facebook with a non-exclusive, transferable, sub-licensable, royalty-free, wordwide license” to any photos posted on or in connection with Facebook. Similarly, Instagram[1] declares in its terms that, while it does not claim ownership of your photos, users effectively grant to Instagram “a non-exclusive, fully paid and royalty-free, transferable, sub-licensable, worldwide license to use” of photos posted shared via Instagram.”

 Interestingly, Twitter not only states that a user’s photos “may be syndicated, broadcast, distributed, or published” by its partners” – Twitter further declares that, if Twitter utilizes a user’s photos in any of the aforementioned ways, and such user does not have the right to those photos, the user may be held liable and Twitter will not be responsible or liable for its own use of a user’s photos.

So, what is the takeaway? Well, the digital age has really just begun, and the Internet will continue to provide a platform for which users may share their photos with others. So continue to share, comment, and hashtag to your heart’s content – but tread lightly, as in the mere click of the “post” button on what you believe to be “your page” and “your friends” may lead your photos to be shared and/or commercially exploited without any legal recourse whatsoever.

[1]Facebook has recently acquisitioned Instagram in 2013.

When is an Employee’s Speech Through Social Media Protected From an Employer?

Posted in Uncategorized

The widespread adoption of social media and other methods of public communication on the world wide web may present uncertainty about an employee’s right to speak freely through these modern forums. In general, an employer may come across public content posted by its employees such as on Facebook and Twitter. When the speech places the employer in an unfavorable light, there are questions as to whether it is protected, and whether an employer may act upon the speech.

For example, in Mattingly v. Milligan, Dana Mattingly was an employee of the Saline County Circuit Clerk of Arkansas.[i][1] While attending lunch with co-workers at a restaurant, she made multiple postings to her Facebook wall using her mobile phone.[ii][2] The posts, which were displayed to 1,300 of Ms. Mattingly’s “friends,” expressed her sadness over learning that some of her co-workers were being involuntarily terminated from employment.[iii][3]

Thereafter, Dennis Milligan, the clerk, received 6 calls on his home telephone from unknown constituents who complained about the terminations upon learning of the information.[iv][4] As a result, the clerk fired Ms. Mattingly for the postings.[v][5] Ms. Mattingly sued Mr. Milligan for violation of her free speech rights.[vi][6] Upon ruling on the clerk’s motion for summary judgment, the court determined that the “Facebook posts were made primarily to further her private interest in receiving emotional support and affirmation; the fact remains that she did not make them as an employee but as a citizen.”[vii][7] As a result, the court held that the speech was protected and denied the clerk’s motion against the free speech claim. [viii][8]

We have limited guidance from the higher courts regarding this area. Notwithstanding, it does appear that the location of dissemination is an objective factor that is often dispositive. Specifically, the recent case law suggests that speech is more likely to be protected when it is made in a home or public location; as opposed to an employer’s premises. The speech is also more likely to be protected when it is published and accessed through personally-owned equipment. However, other factors traditionally applied by the courts still dictate when the protection of speech falters; such as “fighting words” or speech that constitutes obscenity.

[i][1]. 2011 WL 5184283, at *1 (E.D. Ark. 2011).

[ii][2]. Id. at *2.

[iii][3]. Id.

[iv][4]. Id.

[v][5]. Id.

[vi][6]. Id. at *1.

[vii][7]. Id. at *4.

[viii][8]. See id. at *8

What is Private on Facebook?

Posted in Uncategorized

Largent v. Reed, No. 2009-1823, slip op. (Pa. C.P. Franklin Co. Nov. 8, 2011). Trial courts continue to allow discovery of social network (specifically Facebook) user profiles, and to deflect the privacy arguments offered to limit such discovery. In Largent, a personal injury Plaintiff refused to provide access to her Facebook account as part of civil discovery. In granting the Defendant’s Motion to Compel, the court provided an excellent synopsis of the overall state of the law in this area, a useful primer on the security and privacy setting available in Facebook, and illustrates the trend that courts throughout the country are refusing to view Facebook postings as “private.” In fact, the court in Largent says:

“There is no reasonable expectation of privacy in material posted on Facebook. Almost all information on Facebook is shared with third parties, and there is no reasonable privacy expectation in such information.” Id at 9 (internal citations omitted).

In response to the Plaintiff’s argument that she had modified the default account settings to provide more “privacy” on her account, the court further held:

[M]aking a Facebook page “private” does not shield it from discovery. This is so because, as explained above, even “private” Facebook posts are shared with others. Id at 10 (internal citations omitted).

The Largent court closes its discussion of the fact that subpoenas served directly upon Facebook are improper, per the Stored Communications Act, see 18 U.S.C. §§ 2702-03, and that a request for Facebook access must have some good faith basis, and not be a mere fishing expedition.

Largent illustrates what appears to be the emerging majority rule on social networking discovery: if you can demonstrate a good faith basis for seeking the material, and make the request upon the person with the account (rather than the social network itself), the discovery will likely be permitted. Whether the reasoning of Largent may apply to a social network or similar site with greater user privacy and less ubiquity, however, remains to be seen.

Commercial General Liability Coverage for Defamation:

Posted in Uncategorized


While the momentous events of the 2011 show that social media has the capacity to affect great political and social change, the very penetration of such media into the day to day lives of the population also carries with it unanswered questions in the areas of defamation and related torts. The same social media platforms – Facebook, Twitter, YouTube, and the like – that aided in toppling governments throughout the Middle East and allowed Western audiences an unprecedented and unfiltered glimpse into the events reshaping a region[1] can, unfortunately, also just as easily be the vehicle for the type of speech and disclosure that can give rise to civil liability and may trigger insurer duties to defend and indemnity.[2]

This article will examine the initial coverage questions and determinations that must be made when defamation – and specifically defamation involving social media – is tendered for defense and indemnity coverage under a commercial general liability (CGL) policy. As defamation causes of action are nearly always defined solely by state law,[3] it is important to note that many coverage decisions in this area should pay careful consideration to the specific state’s pleading and evidentiary requirements for a given defamation action. As will be discussed in greater detail below, the pleading requirements of a given state’s defamation jurisprudence may make any CGL coverage determination for defamation claims within that state a straightforward matter but, more likely, a case-by-case and fact-by-fact analysis would appear to be the more prudent course.

As an initial consideration, it should be determined whether the alleged “defamatory communication” occurred while the employee was acting “within the course and scope” of their employment.[4] While this would appear to be a relatively straightforward question, the recent trend towards remote work – especially for a more information-based work force – may blur this otherwise clear distinction. Suffice to say, consideration of not only where and when the allegedly defamatory communication was made, but also what other activities in which the insured was engaged, will likely be necessary.

Second, it is critical to consider whether the injuries or damages claimed in any defamation suit could be considered an “occurrence” under either Coverage A or Coverage B of a given CGL policy. With regard to Coverage A[5] for “Bodily Injury,” the determination will likely require an analysis of the state-specific jurisprudence, and the specific allegations of the defamation complaint. Initially, it should be noted that some states do not consider the posting of a defamatory statement on the internet to be an “occurrence,” as that term is generally defined for Coverage A purposes, as the act of posting such a statement on the internet is intentional, and accordingly, not an “accident” as required for coverage.[6] This interpretation, however, is far from universal. Other jurisdictions have held that, while the actual statement or communication may be a volitional act, that defamation itself is a tort that does not require “intent” – put another way, these jurisdictions have held that it is possible to negligently or recklessly defame a person or entity.[7] The question of whether defense or indemnity under Coverage A will also require the claims professional to examine whether the particular defamation claimant has alleged “bodily injury.” Many jurisdictions have held that simple reputational harm or “emotional distress,” without some physical manifestation, is generally not enough to constitute a “bodily injury” under Coverage A and, accordingly, the specific symptomatology alleged by the claimant – if any – should be carefully examined and the specific law of that jurisdiction considered.[8]

Consideration of whether a particular defamation injury or harm is covered is somewhat more straightforward under Coverage B for “Personal or Advertizing Injury.” Gone is the requirement of a “bodily injury,” and further, the general definition of a “Personal or Advertizing Injury” expressly includes defamation in the form of libel and slander.[9] Accordingly, if an injury does not trigger coverage under Coverage A, it will likely still trigger Coverage B. Nevertheless, certain standard exclusions may nevertheless apply.

First, it should be noted that the standard “co-employee exclusion” will generally work to exclude coverage when one employee defames another employee. This exclusion is generally available not only when the defamatory statement occurred at the place of work, but also when the communications giving rise to the claim “arose from” the employment of the parties.[10] Next, the claims professional should consider the “expected and intended acts” exclusion, which excludes from coverage any harm or injury which was intentionally inflicted, or was of the “same general type” of an intended harm or injury.[11] However, with specific regard to defamation, several courts have held that the harm or injury that results from a libelous or slanderous statement is often an unintended consequence and, accordingly, the allegations of the particular complaint – as well as the individual state requirements for defamation discussed above – should be carefully examined before availing oneself of this exclusion to avoid coverage.[12]

The next two exclusions to carefully consider both depend on the knowledge and intent of the defaming speaker or publisher: the “knowing violation of rights of another” exclusion and the “material published with knowledge of falsity” exclusion.[13] In both of these cases, the claims professional must look closely at the allegations of the complaint or claim itself, as an allegation of intentional conduct alone may serve to avoid coverage,[14] but a claim that states the defaming publisher or speaker “knowingly, recklessly, or negligently” defamed another would likely trigger coverage, regardless of the above-discussed exclusions.[15] Accordingly, application of these two exclusions again requires an examination of the applicable state laws of defamation, in order to determine whether “intent” is an essential and required element of proof.

Finally, Coverage B contains a relatively new and untested exclusion, that may have great relevance to defamation claims in the social media context. Specifically, the “electronic chatroom or bulletin board” exclusion avoids coverage for personal or advertizing injury arising from a web-based publication that “the insured hosts, owns, or over which the insured exercises control.”[16] While it does not appear that this particular exclusion has been challenged in the courts as of the date of this article, it would nevertheless appear that a compelling argument could be made that an “insured’s” postings within the social media sphere would not give rise to a covered loss, as these types of “electronic chatrooms or bulletin boards” are presumptively within the control of the person who “owns” to them. While the “electronic chatroom and bulletin board” nomenclature is somewhat antiquated, it would nevertheless appear to contemplate and allow a denial of coverage for defamation for an insured’s posts on their own personal site, but potentially not for posts or “comments” left on another’s personal site.

In the ever-shifting and evolving environment of social media, it can be challenging to understand the implications and possible coverage scenarios that can emerge from online activity and commentary. The rapid and pervasive expansion of social media into the day-to-day lives of the populations domestically and abroad appears to be merely the beginning of an overall trend of interconnectivity, which could lead to a higher level of discourse, but which could just as easily lead to a proliferation of defamation and privacy claims. Further, the defamation jurisprudence generally differs between jurisdictions and, accordingly, must be considered on a state-by-state basis. Therefore, it remains of critical importance for the claims professional to fully familiarize themselves with the local authority when determining coverage questions for defamation causes of action under CGL policies.

[1] See e.g. Peter Apps, Insight: Social Media – A Political Tool for Good or Evil?, Reuters;

[2] See Latisha D. Rhodes, Esq., Insurance Implications of Social Media – Does Coverage Exist in Homeowners and CGL Policy Forms?, For the Defense, May 2011, pp. 26-33.

[3] See e.g. The Media Law Resource Center, (“Under the American federal law system, defamation claims are largely governed by state law, subject to the limitations imposed by the free speech and press provisions of the First Amendment to the U.S. Constitution as interpreted and applied by the Supreme Court and other courts.”)

[4] Please see Standard CGL Policy CG 00 01 10 01, Section II(2)(a)(“ Each of the following is also an insured: a. Your “volunteer workers” only while performing duties related to the conduct of your business, or your “employees”, other than either your “executive officers” (if you are an organization other than a partnership, joint venture or limited liability company) or your managers (if you are a limited liability company), but only for acts within the scope of their employment by you or while performing duties related to the conduct of your business.”)

[5] It should be carefully noted that many, if not most, claims for defamation will fall outside of Coverage A, by operation of the “personal and advertizing injury” exclusion. Standard CGL Policy CG 00 01 10 01, Section I, Coverage A(o). Other coverage concerns are discussed above, however, as many have dual applicability in both Coverage A and Coverage B scenarios.

[6] See e.g. Mountain States Mut. Cas. Co. v. Hauser, 221 P.3d 56, 60 (Colo. Ct. App. 2009); Stellar v. State Farm General Ins. Co., 69 Cal. Rptr. 3d 350 (Cal. Ct. App. 2007).

[7] See e.g. Maine State Acad. Of Hair Design, Inc. v. Commercial Union Ins. Co., 699 A.2d 1153, 1157 (Me. 1997); Wagner, Nugent, Johnson, Roth, Romano, Erikson & Kupfer, P.A. v. Flanagan, 629 So. 2d 113, 115 (Fla. 1993); see also Restatement (Second) of Torts §558 (1977).

[8] See e.g. Allstate Inc. Co. v. Diamant, 518 N.E. 2d 1154 (Mass. 1998); Voorhees v. Preferred Mut. Ins. Co., 607 A.2d 1255 (N.J. 1992)(holding that a “physical manifestation” is required to trigger coverage for “bodily injury”); however, see also Lavanant v. Gen. Accident Ins. Co. of Am., 595 N.E. 2d 819 (N.Y. 1992)(holding that allegations of “mental anguish” may be construed to be a “sickness or disease,” and thereby satisfy the requirements for “bodily injury” under Coverage A.)

[9] “Personal or Advertizing Injury” is generally defined as follows: “oral or written publication, in any manner, of material that slanders or libels a person or organization or disparages a person’s or organization’s goods, products or services.” Standard CGL Policy CG 00 01 10 01, Section V(14)(d).

[10] See Standard CGL Policy CG 00 01 10 01, Section I, Coverage A(2)(e); Mactown, Inc. v. Continental Ins. Co., 716 So.2d 289, 293 (Fla. DCA 1998); State National Inc. Co. v. Affordable Homes of Troy, LLC, 386 F. Supp. 2d 1281 (M.D. Ala. 2005).

[11] See Standard CGL Policy CG 00 01 10 01, Section I(2)(a); Lincoln Logan Mut. Ins. Co. v. Fornshell, 722 N.E. 2d 239 (Ill. App. Ct. 1999); United Services Automobile Association v, Selz, 637 So.2d 320 (Fla. DCA 1994).

[12] See e.g. Cincinnati Ins. Co. v. American Hardware Mfrs. Ass’n, 898 N.E. 2d 216 (Ill. App. Ct. 2008); Cincinnati Ins. Co. v. Eastern Atlantic Ins. Co., 260 F.3d 742 (7th Cir. 2001)(noting that “intent to injure” is generally not an element of the tort of defamation).

[13] See Standard CGL Policy CG 00 01 10 01, Section I, Coverage B (2)(a)-(b).

[14] See e.g. Nationwide Mut. Ins. Co. v. Lake Caroline, Inc., 2006 WL 2805140 (S.D. Miss, Sept. 28, 2006).

[15] See e.g. Cincinnati Inc. Co. v. Pro Enterprises, Inc., 394 F. Supp. 2d 1127 (D.S.D. 2005); American Hardware Mfrs. Ass’n, 898 N.E. 2d 216 (Ill. App. Ct. 2008).

[16] See Standard CGL Policy CG 00 01 10 01, Section I, Coverage B (2)(k).

Publicly Traded Companies Beware of Potential New Suits Per the SEC’s Cyber Risk Disclosure Recommendations

Posted in Uncategorized

On October 13, 2011, the Security Exchange Commission, Division of Corporations, released “new guidance” to the shareholder disclosure requirements of publicly traded companies. Specifically, the SEC noted the significance of “cyber risks” in the scheme of assessing the overall risks and liabilities of a business. The rationale for recommending the inclusion of cyber risks relied heavily upon the breadth of exposure they can entail, including:

Remediation costs that may include liability for stolen assets or information and repairing system damage that may have been caused. Remediation costs may also include incentives offered to customers or other business partners in an effort to maintain the business relationships after an attack; Increased cybersecurity protection costs that may include organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants; Lost revenues resulting from unauthorized use of proprietary information or the failure to retain or attract customers following an attack; Litigation; and Reputational damage adversely affecting customer or investor confidence.[1]

What is the effect of this new guidance? If nothing else, it certainly demonstrates near codification/recognition of the substantial impact any cyber security breach can have on the financial operation of a company. Only time will tell if alleged failures to adequately disclose cyber risk or cyber incidents in accord with these recommendations will open the door to new investor/shareholder claims of insufficient and/or misleading disclosures.


Copyright Infringement on the Web:

Posted in Uncategorized

Title 17 of the United States Code is the cornerstone of US copyright law. Modernization of this Act has been required to account for the massive transmission of intellectual property via the internet. As many websites are interactive – invite interactive/third party comments, publications, and content – online service providers are concerned regarding the level of oversight required when monitoring the constant influx of third party material.

In the interest of encouraging such interactive websites, including the global dissemination of information and view points, certain safe harbor provisions were included in Title 17 via the Digital Millennium Copyright Act. See 17 USC 512(c)(providing protection of online service providers concerning content provided by third parties). Specifically, the DCMA affords a safe harbor for online service providers; entities engaged in providing a forum for online communications and content. The Safe Harbor Provision, 17 USC 512(c) offers a complete bar to monetary damages and injunctive (subject to certain exceptions). More significantly, it does not require that the OSP (online service provider) actively monitor the content published by third parties.

There are four safe harbor provisions set forth in Chapter 5. To illustrate, the breadth of protection, we will focus on 512(c) stating in pertinent part:

(1) In general.-A service provider shall not be liable for monetary relief…, if the service provider-

(A)(i) does not have actual knowledge that the material or an activity using the material on the system or network is infringing;

(ii) in the absence of actual knowledge, is not aware of facts or circumstances from which infringing activity is apparent;

(iii) upon obtaining knowledge, acts expeditiously to remove or disable access to, the material…

Other conditions must be met, and the alleged victim must sufficiently notify the OSP of the exact content that is infringing. The requisites as to the notice – commonly referred to as the “take down notice” – are set forth in section 512(c)1.

The breadth of this protection is evident in its application. In this vein, consider the landmark decision rendered in Viacom v. YouTube. This case involved Viacom’s/Plaintiff’s claim that YouTube/Google permitted third parties to download and disseminate certain sitcoms subject to Viacom’s copyrights. Plaintiff/Viacom sued YouTube and Google for “knowingly” [1] permitting same.

Although Viacom presented evidence that defendants took active measures to facilitate the transmissions[2], Defendant, YouTube and Google, prevailed on summary judgment; in pertinent part, the court held that the safe harbor provision provided absolute immunity for unknowingly permitting third parties to download and disseminate videos subject to Viacom’s copyright.

The Viacom case exemplifies the burden placed on a plaintiff to establish actual knowledge sufficient to overcome the protection of safe harbor protections when the website provider acts in good faith to take down infringing content upon notice of same. In light of the immunity provision, and this particular opinion, one might assume that the legislature wants to encourage the interactive nature of websites, and deter the implication that the “innocent” platform provider is responsible for questionable third party conduct.

[1] 718 F. Supp 2d 514 (S.D.N.Y 2010)

[2] Viacom asserted that thumbnails were created for the subject episodes each time a third party published the content. Defendant asserted that the “thumbnails” was an automated response to any new content, regardless of its origin, thereby, not rising to the level of actual knowledge of the alleged copyright material. Id.

Cyber Security of Consumers’ Financial Information

Posted in Uncategorized

With the rapid growth of the use of technology in business comes great risk to consumers private information, and a concomitant risk to many of the businesses that are charged with the protection of that private information. In recent years, the Federal Government has enacted regulations, albeit vague in form, in an attempt to manage these risks. One such act, entitled the Gramm-Leach-Bliley Act (GLBA), or the Financial Services Modernization Act, was enacted by Congress in 1999 in an effort to provide a forward-looking framework within which “financial institutions” must proactively protect consumers’ nonpublic financial information.1

Financial institutions are required by the GLBA to “establish appropriate standards” to safeguard customer’s personal financial information, in order: “(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”2

In response to this directive, the Federal Trade Commission (FTC) promulgated the Safeguards Rule, which requires financial institutions subject to FTC jurisdiction to adopt safeguards against disclosure of customers’ personal information.3 The FTC’s Safeguards Rule is intentionally broad to allow flexibility for the broad range of businesses covered by the Rule. It provides a “framework for developing, implementing, and maintaining the required safeguards, but leaves each financial institution discretion to tailor its information security program to its own circumstances.”4 The Rule requires each covered financial institution to implement steps including, but not limited to, designating employees to coordinate the safeguards in order to ensure accountability; identifying and assessing the risks to customer information in each relevant area of the company’s operation; and designing and implement information safeguards.5


Plaintiffs have attempted to bring suit under the GLBA for businesses’ alleged violations of the GLBA. However, it has been consistently held that the GLBA does not provide for a private right of action.6 In fact, by its very terms, the GLBA can only be enforced by “the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission.”7 Courts have held that, although the GLBA does not provide for a private cause of action, it does set forth identifiable standards, the breach of which may be used to satisfy an element of a common law negligence per se cause of action.8

Although case law indicates that a Plaintiff may bring an action in negligence per se based upon an alleged violation of the GLBA, defense counsel may defend against such a claim by utilizing a Motion for Summary Judgment establishing that the covered financial institution had written security policies in place to protect consumers’ financial information. In Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. CIV. 05-668 RHK/JSM, 2006 WL 288483 (D. Minn. Feb. 7 2006), Plaintiff alleged that Defendant owed a duty under the GLBA to secure Plaintiff’s private information, and the duty was breached by allowing an employee to keep nonencrypted private data on his laptop. The court found that Plaintiff did not present sufficient evidence to support the claim that Defendant had breached a duty established by the GLBA, based upon the fact that Defendant had “written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”9

A negligence per se claim may also be defended against through a Motion to Dismiss based upon the Economic Loss Rule, which states that purely economic losses are not recoverable in negligence absent personal injury or property damage. A recent landmark case involving corporate giant TJ Maxx involved claims of negligence, which the court dismissed based upon the economic loss rule.10 In that case, TJ Maxx issued credit cards to consumers, who then used those cards to purchase goods at TJ Maxx stores. TJ Maxx discovered that hackers had stolen personal and financial information of consumers who used the credit cards. The Plaintiffs formed a class action lawsuit against TJ Maxx to recover their costs and alleged various counts, including negligence.11

The Plaintiffs argued that their claims were not barred by the economic loss rule because they experienced property damage in that the compromised credit cards could no longer be used and that card verification codes were lost. The court disagreed with Plaintiffs’ position on the basis that the cost of replacement cards is an economic loss, and dismissed the negligence count.12 Thus, to the extent the state recognizes the economic loss doctrine, actions based upon the theory of negligence per se may be disposed of at the Motion to Dismiss stage.


The GLBA does not specify fines to be imposed upon violation of the Act. However, potential exposure for businesses can be significant, as evidenced by the multimillion dollar settlement resulting from the TJ Maxx case. The Plaintiffs settled with TJ Maxx for compensation to those injured, agreeing to implement a credit monitoring plan, institute identity theft insurance, and providing $6.5 million in attorneys’ fees and costs. TJ Maxx settled with 41 state Attorneys General for $9.75 Million and an agreement to fund state data protection and prosecution efforts. The details of the information security program adopted by TJ Maxx are stringent, and require detailed levels of security. 13

In 2005, the first two instances of the FTC’s enforcement of the Safeguards Rule resulted in non-monetary settlements. In these cases, the FTC issued a Complaint charging two mortgage companies with violation of the FTC’s Safeguards Rule for not having reasonable protections for consumers’ private information. The parties thereafter executed an Agreement Containing Consent Order, where the companies agreed to implement an assessment and report from a third-party professional, using procedures and standards that set forth security program safeguards appropriate for the businesses’ size and function.14

Thus, potential exposure for businesses in failing to implement security measures could entail significant monetary settlements/damages, as well as significant costs in implementing security plans that are likely more stringent than if implemented without the intervention of lawsuits and settlements. The aforementioned discussion demonstrates the potential exposure to lawsuits, damages, and settlements under the emerging cyber security laws, and highlights the importance of proactively implementing security measures to protect not only consumer nonpublic information, but the time and resources of all involved.

1 Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 12 and 15 U.S.C.). The GLBA applies to “customers,” including “any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.” The “financial institutions” consist of “any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.”

2 15 U.S.C. §6801(b).
3 16 C.F.R. §314, Standards for Safeguarding Customer Information; Final Rule.
4 16 C.F.R. §314.4.
5 Id.
6 See 15 U.S.C. §6805; Dunmire v. Morgan Stanley DW, Inc., 475 F.3d 956, 960 (8th Cir. 2007) (“[n]o private right of action exists for an alleged violation of the GLBA”); Lentz v. Bureau of Med. Econ. (In re Lentz), 405 B.R. 893, 899 (Bankr.N.D.Ohio 2009) (“courts have consistently held there is no private right of action created by Congress in the GLBA”); French v. Am. Gen. Fin. Servs. (In re French), 401 B.R. 295, 310 (Bankr.E.D.Tenn.2009) (“[by its very terms, the Gramm-Leach-Bliley Act does not provide a private right of action”).
7 15 U.S.C. § 6805(a).
8 See Nicholas Homes, Inc. v. M & I Marshall & Ilsley Bank, N.A., 2010 WL 1759453 (D.Ariz., Apr. 30, 2010) (“The Court agrees that, although the GLBA does not provide for a private cause of action, it also does not preclude a common law cause of action.”), and Basham v. Pacific Funding Group, 2010 WL 2902368 (E. D.Cal., July 22, 2010) (“[T]he violation of a statute can be used to satisfy an element of a negligence cause of action.”).
9 Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. CIV. 05-668 RHK/JSM, 2006 WL 288483, at *4 (D. Minn., Feb. 7, 2006).
10 In re TJX Companies Retail Security Breach Litigation, Civil Action No. 07-10162-WGY (D. Mass., Dec. 18, 2007).
11 Id.
12 Id.
13 Tara M. Desautels and John L. Nicholson, Pillsbury Winthrop Shaw Pittman LLP, TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts (2009),