Parties that operate websites may enjoy immunity from copyright liability for the infringing posts of their users under the terms of the Digital Millennium Copyright Act (“DMCA”). The DMCA offers a “safe harbor” from copyright infringement liability for Internet service providers where the provider establishes and publicizes in its website Terms of Use, a process for responding to claims of copyright infringement.

As part of the DMCA immunity process, service providers must designate and register with the U.S. Copyright Office, an agent to receive notifications of claimed copyright infringement. The U.S. Copyright Office has implemented a new online agent designation system, and all previously paper-filed agent designations will expire on December 31, 2017. Companies that wish to continue to enjoy DMCA safe harbor protections must re-register by filing a new agent designation electronically via the Copyright Office’s new DMCA web portal.

You can register (or re-register) your Agent to Receive Notice of claimed copyright infringements on the U.S. Copyright Office website, at the following link: https://www.copyright.gov/dmca-directory/. You will first need to create a DMCA Designated Agent Registration Account that will be used to log into the system, and then follow the prompts to register your agent information. There is a government fee of $6.00 for up to 10 domains. Registration is good for 3 years, from the date an agent designation is first made, or when it is amended or updated.

Please note also that accurate contact information for your designated DMCA agent must be available on your website, and is often included as part of a Terms of Service disclosure.

By Scott C. Hall.

The Federal Aviation Administration’s (“FAA’s”) Part 107 rule for small commercial drone operation, effective as of August 2016, has now been up and running for over a year. In light of this milestone, the FAA recently took the opportunity to highlight various successes resulting from the rule and to promote continuing drone innovation and operations. Yet, while much progress has been made in commercial drone use over the past year, an honest assessment also requires acknowledging that there are still many obstacles to overcome, and much work to do, to fully realize the benefits of commercial drone operation in the U.S.

One particularly notable success for the drone industry has been the important role played by drones in supporting emergency response and rescue efforts in connection with recent natural disasters, including Hurricane Harvey and Hurricane Irma. In addition to the use of drones by media outlets to provide news coverage of otherwise inaccessible areas affected by the hurricanes, the FAA issued well over 100 specific authorizations – sometimes within hours of a request – to drone operators performing time-sensitive search and rescue missions or assessing damage to roads, bridges and other critical infrastructure in disaster areas. FAA Administrator Michael Huerta commented on the role of drones in the wake of recent hurricanes as a “landmark in the evolution of drone usage in the country.”

However, despite these beneficial uses of drones in emergency response situations, not all drone news in connection with recent hurricanes and other natural disasters has been positive. As in years past, drones made news this year for interfering with emergency responders fighting wildfires in California. Because helicopters and other aircraft supporting critical emergency response efforts can easily collide with drones – causing potentially significant damage, injury, and even death – emergency response aircraft must often remain grounded if unauthorized drones are spotted in the area. This significantly impairs the ability of emergency responders to do their jobs. Unauthorized drone use also threatened to impede efforts of the U.S. National Guard, Marines and Coast Guard to rescue and recover individuals in hurricane disaster zones. In fact, these incidents caused the FAA to officially warn on its website that flying a drone in or near a disaster area may violate federal, state, or local laws and ordinances, and that unauthorized drone operators may be subject to significant fines if they interfere with emergency response operations. Thus, while drones are playing an increasingly important role in disaster response, continued misuse of drones has also complicated rescue and response efforts in various respects.

The FAA also touted the continued expansion of commercial drone use across a variety of industries, including insurance, news and media, construction, mapping and surveying, and infrastructure inspection, among others. According to the FAA, uses of drones for scientific research, emergency response, and government infrastructure improvements are also rapidly expanding. Additionally, several companies, including Amazon, Domino’s Pizza, 7-Eleven and Flirtey, have attempted to spark consumer excitement for drones in recent months by demonstrating the potential for drone delivery of food and other consumer products.

At the same time, however, many in the industry lament the fact that the U.S. still seems to be years away from integrating commercial drone deliveries and other innovative drone uses into the regulatory regime, even while such uses are moving forward in other countries.  Indeed, the FAA has stated that – putting aside isolated publicity stunts – it does not believe that regulations for delivery drones will be ready until at least 2020, even while countries in Africa are currently benefitting from drone delivery systems transporting items such as blood and life-saving emergency supplies on a daily basis.

In addition to regulatory hurdles, part of the delay in drone innovation in the U.S. may be attributable to ongoing public skepticism regarding drones due to reported misuse of drones and their perceived potentially harmful impacts on safety and privacy.  For example, according to some reports, while 75% of consumers expect drone deliveries by 2021, only 44% said they liked the idea of drone delivery. Thus, despite the undeniable increase in commercial drone use over the past year under Part 107 – and the inevitable continued expansion over the next few years – fully realizing the many potential benefits and services drones can provide must still await slow regulatory and lawmaking processes and gain greater public acceptance of anticipated uses.

Ultimately, the FAA acknowledges that Part 107, as it exists currently, isn’t the end of the story – it’s the starting point. By 2021, the FAA estimates there could be as many as 1.6 million small drones in commercial operation throughout the country. There is still a lot to be done to realize the full commercial potential of drones, much of which will require increasingly complex drone operations (and correspondingly sophisticated laws and regulations), including for flights over people, operations beyond line-of-sight, delivery of goods, and even transportation of people. But, if commercial drone operations are to successfully accommodate the predicted increase in the number of commercial drones and expand on pace with expected innovations in the technology, it will require the coordination of many actors, including lawmakers at federal, state and local levels, drone manufacturers and operators, and greater acceptance by the public at large, to achieve.

Authored by Scott C. Hall and David (Duff) Beach.

The Equifax data breach has dominated news headlines for weeks, and Equifax will be dealing with the legal and financial fallout from the breach for many years.  While many companies may be relieved not to be in Equifax’s position right now, no company is immune to data breaches.  Those who fail to learn key lessons from Equifax’s mistakes may find themselves in the next headline.  Accordingly, companies in every industry, and of every size, that maintain any type of sensitive personal data—whether it be of customers, employees, or data maintained on behalf of others—should study the Equifax situation and ensure that they are better prepared for a data breach incident.

1.  Everyone (yes, everyone) will experience a data breach. 

When it comes to data breaches, the question is not if, but when.  This makes the more important question how will you respond?  Data breaches do not only result from malicious hackers or phishing scams.  They can occur when employees inadvertently access and/or mistakenly share personal data.  They can occur when company laptops, flash drives, or even personal phones or tablets that contain company data, are lost or stolen.  These kind of events occur in every company in every industry.  As a result, everyone needs to prepare to respond.  Indeed, the manner in which Equifax handled this most recent data breach—including: (1) the several weeks that elapsed before notifying affected individuals,(2) the executives who sold stock during the period between discovery of the breach and notifying the public, and (3) the company’s offer to provide credit monitoring services to affected individuals, but only in exchange for a waiver of certain legal rights against the company—indicates that Equifax was not sufficiently prepared to deal with this kind of a data breach.

Every company should have a basic data breach response plan in place that at a minimum  identifies who (among IT, HR, business operations, public relations, and other personnel) will respond to the breach, what their respective roles will be, and who will be the ultimate contact point and decision-makers with respect to the response.  The plan should also include a timeline and enumerated steps to follow regarding discovering the scope of the breach, investigating the cause, remedying or mitigating the breach, notifying affected individuals, and contacting law enforcement as necessary.

Because of the widely publicized nature of Equifax’s data breach, as well as other recent high-profile data breaches, no company will get a “free pass” or be able to argue that they had no idea a data breach could happen to them.  In effect, these high-profile breaches put everyone on notice that data security must be a priority for all.  Any company that chooses to put its head in the sand, does so at its own (certain) risk.

2.  Act quickly to show affected individuals that you are trying to protect them.

In responding to data breaches, time is of the essence.  Many have criticized Equifax for waiting until early September to notify affected individuals of a data breach it discovered in July.  Most state data breach notification statutes require that a company disclose a data breach “in the most expedient” time possible, without further clarification about what that means.  The minimum amount of time specified under state laws that contain specific time periods for notification is generally either 30 or 45 days from discovery of the breach.

In light of these general standards, Equifax’s timing for notification to individuals may not have constituted an improper or unlawful delay as a matter of law.  After all, it takes some time to investigate what happened, confirm what data was breached, and implement remedial measures. And, as a company responding to a data breach, you do not want to rush to publicize inaccurate facts that you later have to correct.  However, as a practical matter, 6 weeks is a lengthy period of time for sensitive personal information to be exposed without notifying affected individuals—and as the response to Equifax shows, many people believe this kind of delay is unreasonable, regardless of the legal standards.  Thus, while a company needs time to investigate the incident and communicate accurate facts to those affected, all companies should seek to notify those whose information has been compromised sooner rather than later.

3.  Take actions that demonstrate that you are genuinely attempting to remedy the problem.

Data breaches happen.  They will continue to happen.  And the public generally understands that not every data breach, especially a hacking attack, can be prevented.  However, when a data breach occurs, affected individuals want to know that the company is doing everything in its power to protect them, not itself.  Equifax added insult to injury when it offered to enroll affected consumers in free credit monitoring services—something required under at least some state data breach laws—only if consumers agreed to waive certain legal rights against the company.  Unsurprisingly, this did not go over well in the court of public opinion.  And, while Equifax has since agreed to provide credit monitoring without these legal restrictions, the reputational damage has already been done.

Ultimately, the legal fallout from any data breach will be what it will be based on the circumstances and whether the company had reasonable protections in place.  But reputational harm may damage the company as much or more than the legal process.  The best thing a company can do in the wake of a breach is to diligently correct its data security weaknesses and work with affected individuals to minimize the scope and harm caused by the breach.

4.  Consider what sensitive personal data you maintain or need to maintain and how to safeguard it.

It is a rare company that holds no sensitive personal data.  While credit reporting companies like Equifax have more sensitive information than most, all companies have some kind of personal data—in the form of customer or employee social security numbers, financial account numbers, or other information—that triggers data breach notification requirements.  All companies should, at a minimum, know the types of personal information they maintain, how and where is it stored, who has access, and whether it is sufficiently secured.  Companies then need to consider: (1) whether they truly need all the personal information they have and (2) whether such personal information can be separated, encrypted, or otherwise safeguarded to minimize the accessibility of such information or its usefulness if improperly accessed or exposed.

5.  Consider cybersecurity insurance and other professional services.

While every company will at some point experience a data breach incident, the potential risk largely depends on the type and volume of sensitive personal data a company maintains.  For those companies where there is a real possibility of significant financial injury if a data breach were to occur, cybersecurity insurance is something to consider.  Many companies elect not to carry cybersecurity insurance because they do not want to pay expensive premiums, they are unsure exactly what the policies will cover, or they are skeptical that they will suffer a significant cybersecurity incident sufficient to justify the cost of insurance.  But the Equifax breach reminds us that data breaches will occur—and likely with increasing frequency in coming years.  Companies with significant risk should analyze whether cybersecurity insurance makes sense for them.

As the Equifax breach shows, especially in the area of cybersecurity, an ounce of prevention is worth a pound of cure.  Companies should work with cybersecurity consultants, attorneys, or other professionals prior to a data breach both to protect against breaches, and to prepare to respond to a breach. Preventative cybersecurity training for employees is key, as human error is responsible for many data breaches.  Companies should ensure that their IT systems are reasonably secured, their personnel are reasonably trained, and their data breach response plan is ready to go for when a data breach occurs.  And it will.

Click here to download a printable PDF of this article.

Authored by Timothy Crudo, Rees Morgan, Skye Langs, and Mark Hejinian.

On August 17, 2017, the United States Second Circuit Court of Appeals issued a landmark ruling in Meyer v. Kalanick¹ that clarifies the standards for contract formation in the age of smartphones and mobile contracting, providing important guidance to companies about how to design enforceable mobile contracts. The Second Circuit, applying California law to determine the enforceability of the arbitration clause in Uber’s Terms of Service (“Terms”), held that a “reasonably prudent smartphone user” unambiguously assents to a conspicuously hyperlinked contract when he downloads a smartphone application (“app”) to his mobile phone and signs up for an account. Coblentz, led by Timothy Crudo, Rees Morgan, Mark Hejinian, and Skye Langs, had filed an amicus brief in the case on behalf of the Internet Association and the Consumer Technology Association urging the Court to adopt the “reasonably prudent smartphone user” standard.

The case arose after Plaintiff Spencer Meyer used his mobile phone to download Uber’s smartphone app and register for an account. During the registration process, Meyer entered his credit card information and, on the same screen, clicked a button marked “Register.” The “Register” button was located just above a notice, hyperlinked to Uber’s Terms, that “(b)y creating an Uber account, you agree to the TERMS OF SERVICE & PRIVACY POLICY.”

After using Uber’s app to hail several rides, Meyer filed a class action lawsuit alleging that the app facilitates price fixing. Uber moved to compel arbitration under its Terms, but Judge Jed Rakoff of the United States District Court for the Southern District of New York held that the contract was not binding because the registration page did not provide reasonably conspicuous notice of the Terms, nor did Meyer unambiguously manifest assent to them.²

The Second Circuit reversed, cutting through the weeds of numerous decisions governing contract formation in the modern landscape of “clickwrap,” “browsewrap,” and “sign-in-wrap” agreements. While the question of whether a consumer has assented to terms of an online agreement turns on the design of the user interface – such as the proximity between the link to the contract terms and the manifestation of assent, as well as the amount of visual clutter on the page – the Court viewed the precedent of online contracting through the lens of what a “reasonably prudent smartphone user” would expect when downloading and using a mobile app.

The Court recognized that smartphones are increasingly ubiquitous, with modern consumers conducting significant business through mobile apps, including shopping, online banking, and health management. A reasonable smartphone user engaged in such e-commerce understands that by downloading apps and creating accounts, they are entering into contracts. Explicitly applying, for the first time, the standard of a “reasonably prudent smartphone user,” the Court held that, as a matter of California law, the design of the registration page on Uber’s mobile app provided “reasonable notice” to a smartphone user that he or she was entering into a contract, and that by clicking the “Register” button, Meyer unambiguously assented to Uber’s Terms.

The Second Circuit’s ruling clarifies the standards for mobile contract formation and provides companies with important guidance for designing user interfaces that will support the enforceability of internet or app-based consumer contracts. The ruling does not, however, mean that businesses no longer have to worry about the validity of the contracts their customers execute through online or mobile applications. Consumers are not automatically on notice that they are entering into a contract merely because they have downloaded and used a smartphone application or completed an online transaction. The terms and conditions still must be conspicuous, and it must be clear when and how consumers assent to them.  But the Second Circuit’s opinion recognized that the conspicuousness of the terms and the sufficiency of assent should be analyzed from the perspective of a reasonable person who engages in mobile contracting – someone, in other words, who would understand the import of hyperlinks and other common indicia of contract formation in the e-commerce era.

Now is a good time for businesses to review their online and mobile contracting practices. Make sure that your terms and conditions are highly visible on an uncluttered page or screen. Also make sure that users are required to affirmatively indicate their assent to the terms, either by clicking a button or checking a box, before engaging in any of the activities you intend to have governed by the contract. For mobile phone applications, the terms (or a link to them), along with a way to indicate assent, should be the only things displayed on the screen at the time of contract formation. Finally, while not necessarily required, requiring users to actually scroll through all the terms, and affirmatively indicate that they have read them and agree to them, goes a long way towards ensuring that users are on clear notice of the terms and have objectively assented to them.

For further information or guidance regarding the validity and enforceability of your mobile contracts, contact Timothy Crudo at tcrudo@coblentzlaw.com or Rees Morgan at rmorgan@coblentzlaw.com.

¹ Meyer v. Kalanick, Nos. 16-2750-cv, 16-2752-cv (2nd Cir. Aug. 17, 2017).

² Meyer v. Kalanick, 200 F. Supp. 3d 408 (S.D.N.Y. 2016).

The California Supreme Court has just granted broad authority to counties and cities to impose documentary transfer tax (“DTT”) on certain transfers of interests in legal entities. Before June 29, 2017, tax practitioners’ prevailing view was that documentary transfer tax generally could not be imposed on transfers of interests in legal entities. There were two exceptions. First, for transfers of partnership interests that caused a partnership to terminate for tax purposes. Second, for charter cities that were permitted to enact their own DTT ordinances and had, in fact, enacted broader DTT rules. No more. On June 29, the California Supreme Court decided in 926 North Ardmore Avenue, LLC v. County of Los Angeles¹ that all California counties and cities may impose DTT on certain transfers of interests in legal entities.

California Revenue and Taxation Code Section 11911 allows a county or city to impose DTT on “each deed, instrument, or writing” by which real property “shall be granted assigned, transferred, or otherwise conveyed.” The statute’s language does not appear to permit DTT to be imposed on transfers of legal entity interests, such as stock, partnership interests, or LLC membership interests. Charter cities, however, are permitted to enact their own DTT ordinances, some of which have imposed DTT more broadly. For example, a San Francisco ordinance permits DTT to be imposed any time that a transfer of ownership interests in a real property owning legal entity would be treated as a change in ownership of real property under California Revenue and Taxation Code Section 64.

926 North Ardmore involved an attempt by the Los Angeles County Recorder to impose DTT on a transfer of partnership interests that gave rise to a change in ownership of the real property that the partnership owned indirectly through a lower-tier entity. Los Angeles County had not enacted an ordinance specifically imposing DTT on such transfers. The taxpayer, 926 North Ardmore Avenue, LLC, challenged this attempt. The California Supreme Court found for Los Angeles County. It ruled that despite the lack of any specific statutory authorization, California counties and cities can impose DTT on transfers of legal entity interests that give rise to a “change in ownership” of real property held by such legal entities under California Revenue and Tax Code Section 64(c) or (d). That is, DTT can be imposed even if the government entity imposing DTT is not a charter city that has enacted an ordinance allowing for DTT imposition in that situation. This is a sea change in the DTT world and contrary to what practitioners had widely believed was the state of the law.

California Revenue and Taxation Code Subsections 64(c) and 64(d) provide that real property held by a legal entity undergoes a change in ownership in two distinct situations. Under Subsection (c) and related property tax rules, a change in ownership occurs when any person or entity acquires control of a legal entity. Specifically, this occurs when a person or entity comes to own more than 50 percent of the voting stock of a corporation or more than 50 percent of both the capital and profits interests of a partnership or LLC. This ownership threshold can be met through direct ownership of the interests or indirect ownership through upper-tier entities. Under Subsection (d), a change in ownership of real property held by a legal entity occurs when: (1) persons or entities have contributed real property to a legal entity, (2) the transfer was exempt from reassessment under the so-called proportional ownership exception, and (3) the original contributors then, collectively, cumulatively transfer more than 50 percent of the total interests in the legal entity. In the case of a corporation, the 50 percent threshold is met when more than 50 percent of the corporation’s voting stock is transferred. In the case of a partnership or LLC, the 50 percent threshold is met when more than 50 percent of the profits interests and capital interests in the partnership or LLC are transferred.

Consequently, taxpayers must now carefully consider with their tax advisers whether any transfers of legal entity interests could cause a change of control of a legal entity that holds real property or a could cause them to exceed the 50 percent thresholds described in Subsection 64(d). Before 926 North Ardmore, the prevailing view was that these concerns only needed to be addressed in charter cities with ordinances specifically allowing DTT to be imposed in these situations. After 926 North Ardmore, these are statewide concerns. Given that DTT rates of tax can be substantial in some jurisdictions, for example up to 3 percent in San Francisco, we encourage tax payers to seek the advice of counsel when transferring interests in any legal entity that owns real property, whether directly or indirectly through a lower-tier entity.

For additional information, contact Jeffry Bernstein at jbernstein@coblentzlaw.com.

^1. Cal. S. Ct. No. S222329.

Authored by Scott Hall

Pursuant to a settlement agreement with the Attorneys General of nearly all 50 states¹, Target Corporation will pay $18.5 million to settle claims brought by the state Attorneys General arising from the November 2013 data breach – involving the credit or debit card information of approximately 40 million Target customers – caused by cyberattacks on Target’s network.

The settlement is the latest in a string of settlement payments made by Target as a result of the breach, which includes payments of over $100 million to banks and credit/debit card companies for fraudulent charges and other damages, as well as a $10 million payment to settle a civil class action brought by affected customers.  In total, Target reports that, to date, the cost of the data breach has exceeded $200 million.²

Notably, the settlement agreement with the Attorneys General goes beyond mere payment of monetary penalties.  It requires Target to take specific steps to ensure implementation of a comprehensive information security program aimed at avoiding future breaches.  The settlement agreement requires Target to implement this new security program within 180 days of the effective date of the agreement, and mandates that Target, among other things: (1) maintain a written policy that adequately addresses the administrative, technical and physical safeguards for personal information maintained by Target, taking into account Target’s size, the nature of its operations, and the sensitivity of personal information maintained by it; (2) employ an executive or officer with an appropriate background or experience to implement and maintain the program; and (3) maintain encryption protocols and related policies reasonably designed to protect personal information.  Target is also required to separate its customer credit and debit card data from the rest of its computer network and to test for, and correct, vulnerabilities in its computer network.³

Within one year of the settlement, Target must obtain a third-party “information security assessment” to review and report on the implementation of the new information security program.  The Attorneys General have the right to initiate a proceeding for any failure to comply with the provisions of the settlement agreement, as well as for any other failure to comply with applicable data security laws.  In other words, Target’s implementation of these data security policies and procedures will be under a regulatory microscope for the near future.

The moral of the story for other companies, as made clear in a statement by Connecticut Attorney General George Jepsen, is that “Companies across sectors should be taking their data security policies and procedures seriously.  Not doing so potentially exposes sensitive client and consumer information to hackers.”⁴  This is true even for companies that do not face the significant exposure of a large retailer like Target.  Regardless of company size or industry, the settlement sends a message that companies must either implement reasonable and adequate data security safeguards, or risk a breach that could result in government implementation and oversight of a much more rigorous and burdensome program.

In sum, this is reminder that now is a good time for all companies to review their data security policies and programs, data breach response protocols, and compliance with applicable consumer protection and data security laws, to ensure that they do not become the next example of what not to do.

^1.Alabama, Wyoming and Wisconsin are not parties to the settlement.  A copy of the settlement agreement is available at:  http://www.ct.gov/ag/lib/ag/press_releases/2017/20170522_targetmultistateavc.pdf

^2.See “Target in $18.5 million multi-state settlement over data breach” (Reuters May 24, 2017), available at: http://www.cnbc.com/2017/05/24/target-in-18-point-5-million-multi-state-settlement-over-data-breach.html

^3.Certain of the specific data security requirements expire after five years (Settlement Agreement ¶ 32.)

^4.See http://www.ct.gov/ag/cwp/view.asp?Q=593122&A=2341