Intellectual Property and Sarbanes-Oxley?

What does the Sarbanes-Oxley Act of 2002 (or “SOX”) have to do with intellectual property you ask? While these two topics have historically made for strange bedfellows, the importance of managing intellectual property assets and issues surrounding those assets under Sarbanes-Oxley is increasingly becoming a potential trap for the unwary.

Passed into law in 2001 largely in response to the then-recent corporate corruption and fraud scandals involving the likes of Enron, WorldCom, HealthSouth, Tyco, Adelphia and others, Sarbanes-Oxley represents one of the most sweeping changes in U.S. securities laws in the past 70 years. In the wake of these scandals, SOX attempted to bolster investor confidence by increasing transparency and accountability in financial accounting involving public companies here in the U.S. SOX has proven, however, to be much more than a law addressing financial accounting. SOX is written broadly to trigger obligations with respect to any and all assets that have a material impact on the financial condition of a public company — including IP assets. As intellectual property assets have come to comprise an increasingly material part of the value of almost all companies (not just “technology” companies, but all companies that rely on technology to conduct their day-to-day operations), intellectual property has come to play an ever more material role in the financial condition of those companies. As a result, intellectual property assets, the management of those assets and the issues relating to those assets pose (and will continue to pose) an increasingly important issue with respect to SOX compliance (notably, even as to companies for which it has not posed an issue in the past). While the issue of SOX and IP will be front and center for public companies, even private companies that plan in the future to become publicly traded or that are planning an exit by merger or acquisition with a public company should be wary of the potential risks posed by IP under SOX.

Earlier this week I covered this topic and discussed the growing importance of the management of intellectual property assets under Sarbanes-Oxley in a presentation at the 2008 Intellectual Property Institute in Denver. I had the pleasure of sharing the stage for the presentation with Dean Salter, one of my partners at Holme Roberts & Owen and truly the “dean” of the Denver securities law community. As usual when presenting with someone of Dean’s stature, I probably ended up taking away from the presentation just about as much as I contributed. The materials from the presentation are available online if you would like to read more about this topic. We will also be giving the presentation as a webinar later this year. Stay tuned for details.


OSBC 2008 Presentations Online

Last week marked the completion of another very successful Open Source Business Conference (OSBC) in San Francisco. Presentations from OSBC 2008 are now online.

Included among those presentations is my presentation on Putting Open Source Compliance to Work (On Your Own Terms). The presentation covers a lot of ground, but is focused on providing companies that use open source software with tools to deal with the increasing level of scrutiny of open source that has arisen with the ever-widening variety of roles in which open source software is being put to work by those companies. Among the examples of this increased scrutiny, the presentation covers:

— The BusyBox lawsuits brought by the developers of the BusyBox open source utility against Monsoon Media, Xterasys, High-Gain and Verizon based on alleged violations of version 2 of the GNU General Public License (GPL);

— Renewed open source license enforcement by Project in Europe against Skype and others;

— Enforcement of software patents against open source software in cases involving Red Hat and Novell; and

— The increasing trend of disclosures around open source usage and liability made by public companies in their filings with the SEC.

The presentation makes the point that companies that are not taking steps to implement open source compliance measures on their own terms are increasingly finding themselves being required to comply on terms set by one of these other groups. The presentation discusses tools companies can use to put open source compliance to work on their own terms to address this changing open source enforcement landscape, including:

— Strategies to address increased diligence and scrutiny from customers, investors, shareholders and others;

— Tools to evaluate the changing risks posed by open source;

— Current best practices for implementing compliance measures to address open source compliance risks; and

— Techniques for taking open source compliance efforts beyond merely risk mitigation to help add value to your business.

I encourage you to download a copy of the materials.

SFLC Settles With Verizon – Lessons Learned

The Software Freedom Law Center (SFLC) announced on Monday that an agreement has been reached to dismiss the lawsuit brought by Eric Andersen and Rob Landley, the two principal developers of the BusyBox open source software utility, against telecommunications giant Verizon Communications alleging that Verizon violated version 2 of the GNU General Public License (GPL) through the distribution of BusyBox in the firmware of the Actiontec MI424WR wireless router provided by Verizon to customers of Verizon’s “FiOS” fiber-optic Internet and television service. To date Andersen and Landley have also brought and settled similar suits alleging violations of the GPL against Monsoon Multimedia, Xterasys, and High-Gain Antennas. The Verizon settlement marks the end of the last of the suits brought by Andersen and Landley to date.

While the full terms of the settlement were not announced (other than as summarized in the press release issued by the SFLC), the terms appear to track those included in the settlement of the other cases. In particular, in return for reinstating the rights of Actiontec and Verizon to distribute BusyBox under the GPL, Actiontec has agreed to:

– Appoint an Open Source Compliance Officer within its organization to “monitor and ensure GPL compliance”;
– Publish the source code for the version of BusyBox it previously distributed on the Actiontec web site;
– Undertake substantial efforts to notify previous recipients of BusyBox from Actiontec and its customers, including Verizon, of their rights to the software under the GPL; and
– Pay an undisclosed amount of financial consideration to the plaintiffs.

The settlement does appear to be unique from the settlements reached in the other BusyBox cases in at least one respect. Each of the previous settlements (as announced on the SFLC web site) imposed obligations directly on the party named in the lawsuit — this despite the fact that in at least two of the other three BusyBox cases the allegedly offending device was provided to that party by a third party vendor. The settlement in the Verizon case, however, appears to impose obligations directly on Verizon’s third party vendor Actiontec. The reason for this appears to be related to the fact that, while Actiontec was not named as a defendant in the lawsuit, the agreement under which Actiontec provides its MI424WR wireless router to Verizon is rumored to include a clause under which Actiontec agreed to indemnify Verizon for liability relating to claims and lawsuits by third parties against Verizon relating to the router. If accurate, the indemnification clause would help explain why Actiontec (and not Verizon) played a central role in the settlement of the lawsuit against Verizon and appears to have agreed to bear the majority of the obligations under the settlement.

The presence of an indemnification clause in Verizon’s procurement agreement with Actiontec also underscores the value of being proactive in open source (and other) technology procurement measures. Open source compliance measures (and intellectual property and license compliance measures in general) are certainly not uniform across all companies — and companies cannot always depend on their suppliers to be as diligent as they themselves have been in their own compliance efforts. As a result, taking the step of reviewing procurement agreements to help ensure that suppliers of software and other technology agree in advance to stand behind their products and services in the event of an intellectual property infringement, license violation or other issue is an increasingly important practice (and one that appears to have paid dividends for Verizon in their BusyBox lawsuit).

“Lawyering Skills” Courtesy of the U.S. Supreme Court

For those of you who have not yet seen this (and I was one of you until earlier today), Bryan Garner, the founder of LawProse and the editor-in-chief of Black’s Law Dictionary (as well as a fantastic version of the Official Rules of Golf), has recently conducted a series of interviews with the Justices of the U.S. Supreme Court (with the notable exception of Justice David Souter) regarding legal writing and other lawyer skills. Garner is truly one of the definitive authorities (if not the definitive authority) on legal writing and legal usage of the English language (and, yes, he is a major proponent of the use of plain English in the law and legal writing). He brings great depth and background to the interviews. The interviews are available online on the LawProse web site. I encourage you to take a look.

How Do I Build an Enforceable Online Agreement? — Not (Always) the Way or Google Would

The issue comes up on an increasingly frequent basis. A client is preparing to begin delivery of a new service (or product) through their web site. As part of their preparations, the client involves me (or, let’s say “an attorney”) to help them implement an online (“click-through” or “click-to-accept”) contract covering the terms under which the new service (or product) will be provided to their users. While almost all clients understand that this will entail the preparation of an online “terms of service” contract, not all also appreciate that the contract document itself is really only part of the equation. Creating a legally enforceable online agreement is also dependent on how that contract is implemented and whether the implementation is sufficient to create a legally binding agreement with each user. Examples of how to implement online contracts certainly abound — and in addition to contacting legal counsel many clients will also naturally look to major web sites for guidance on how to implement their own online contracts. However, it is not always a given that even these larger players have made the best decisions in designing their online contracting practices. As a result, simply asking “What would and Google Do?” is not always the best approach.

At last year’s American Bar Association (ABA) Annual Meeting in San Francisco a panel hosted by the ABA Committee on Cyberspace Law discussed the results of a year-long working group on legal best practices for electronic contracting. Given the increasing frequency with which all companies (technology vendors or otherwise) must deal with online contracting issues, the findings of the working group are likely to be of interest to many companies (particularly if the alternative involves simply relying on whatever practices have been adopted by other web sites). While the current law in the area of online contracting is certainly still developing and in places resembles more of a patchwork of seemingly inconsistent legal decisions, the working group found that certain basic principles have emerged for establishing legally enforceable online agreements. In particular, the panel indicated that the working group had identified four “bottom line” steps for forming legally binding online agreements:

1. The user must have adequate notice that the proposed terms exist;
2. The user must have a meaningful opportunity to review the terms;
3. The user must have adequate notice that taking a specified, optional action manifests assent to the terms; and
4. The user must, in fact, take that action.

Among these four steps, adequate notice of the existence of the proposed terms is among the most important. The concept here is nothing new. Online contracts are not different from traditional paper contracts when it comes to notice of terms. As the panel indicated, the standard here asks quite simply whether a reasonable user entering into the agreement would understand what the terms were. The panel suggested that this generally means making the terms immediately visible to the user before assent is given — for example, through an on-screen window with a button that the user must click before moving on to the next screen. While there are many examples of what would be deemed “reasonable” under the circumstances, the more the notice of the terms is not straightforward, the greater the risk that the notice will not be deemed reasonable to form a binding agreement.

Despite the urging of counsel, the panel noted (and I would concur) that this simple step is often abused or simply not followed. Many times, it is a failure to provide the terms of the contract or at least a functioning hyperlink to a separate page containing the terms. Sometimes it is more subtle in that certain terms are only presented after the transaction has been completed on a confirmatory screen or email. Recently, I was working with a client who was reluctant to present the terms of their online contract as in fact being part of a “binding” agreement. Instead, the client wanted to present the terms merely as a request (or suggestion) to the users of their web site. As the panel noted, not only must the terms be presented to the user, but it must also be explicit and clear that the terms form a binding agreement between the parties.

While notice is a continual hot-button issue, the other “bottom line” steps are also important. It is of note that providing a “meaningful opportunity” to read the terms of the contract does not necessarily require that the user actually read the terms of the contract, only that they be given the opportunity to read the terms (you can lead a horse to water, but you can’t make it. . . ). The discussion by the panel specifically cautioned against using separate pop-up windows for purposes of accomplishing this step. As someone who has a pop-up blocker set on his own browser, I would agree that there is definitely a risk in this practice.

The issue of assent is also not to be overlooked. While the now ubiquitous “I Agree” button is the norm, I have reviewed sites that instead allow the use of standard browser navigation buttons to manifest assent. The panel noted this issue and stated that assent must be through some action that the user would not otherwise take automatically (like using the buttons on their browser to navigate to the “next” page of the web site). Instead, assent should be through an “optional action manifesting assent” to the terms of the contract.

In addition to the four bottom line steps, the panel also noted that the ultimate issue in any contracting situation is one of proof — can the party seeking to enforce the contract prove that the necessary steps were followed to form a binding agreement? The situation is no different in the context of online contracting. This means proving that a user either clicked a box (or was presented with a set of terms and continued forward anyway). While many web sites are set up to help provide this proof, it is worth considering what you would do if your agreement was challenged by a user and you had to prove that your web site implemented these four “bottom line” steps when the user accessed the site. While not always an easy task, the panel noted that particularly where a web site has gone through multiple updates or revisions (and what web site hasn’t), retaining records of the prior iterations of the site can be a valuable aid in helping to prove that users of the previous versions of the site did in fact enter into a binding agreement.

As I have mentioned in prior posts, the law in this area continues to evolve. The “bottom line” steps provided by the working group of the ABA Committee on Cyberspace Law are certainly of assistance — particularly, as noted above, when the alternative involves relying on whatever practices have been adopted by other web sites. However, best practices for online contracting are likely to continue to change as the law of online contracting continues to evolve. As a result, continued periodic review and update of online contracts and contracting practices will continue to be a must to help ensure continued legal compliance.

Busy Box Settles Another Case

News today from the Federal District Court for the Southern District of New York that Eric Andersen and Rob Landley, the two principal developers of the BusyBox open source utility, have moved to voluntarily dismiss the case they brought against High-Gain Antennas alleging that High-Gain had violated the GNU General Public License (GPL) by distributing the Busy Box software without complying with the terms of the GPL. The dismissal itself was officially approved by Judge Leonard B. Sand on March 3, 2008. While no press release has yet been issued by the Software Freedom Law Center (SFLC), the non-profit legal group that represented Andersen and Landley in the case, the strong presumption in a situation such as this is that the dismissal signals that the case against High-Gain Antenna has reached a settlement. To date Andersen and Landley have brought similar suits alleging violations of the GPL against Xterasys Corporation, High-Gain Antennas, and telecommunications giant Verizon Communications. A settlement in the case against High-Gain Antenna would mark the third such settlement leaving only the case against Verizon still pending.

While Busy Box and the SFLC have not brought another suit since filing their case against Verizon back on December 6, 2007, action in the Verizon case looks to be coming soon as Verizon currently has until March 14, 2008 to answer or otherwise respond to the complaint filed against them in the case. It remains to be seen if the case against Verizon will be settled out of court or continue beyond this date and become the first lawsuit alleging a violation of the GPL ever to go to trial in the U.S. Regardless, the cases brought by Busy Box remain significant in demonstrating that open source licensors have the will and the ability to successfully enforce the GPL against alleged violators in court, rather than limiting themselves to pursuing other means of enforcing violations outside of court. What changes these and any future cases drive in the open source license enforcement landscape and open source compliance largely remains to be seen, but for certain they are driving changes. For additional information on the previous settlements, please refer to my prior posts (here, here, here, here, and here).

Data Breach Notification Laws – Not Just For California Anymore

It has now been more than five years since California became the first state to pass a data breach notification law (California SB 1386) mandating that companies notify consumers when they have lost the consumer’s personal data.  While not all states have followed suit, the folks at CSOonline have published a very handy resource showing those states that have now passed their own data breach legislation.

The research by CSOonline reveals that 38 states have enacted some form of data breach disclosure law. Most of these laws follow the general outline of the California law and require that companies immediately disclose a data breach to their customers. However, the laws differ in their details and in particular on issues such as:

1. Deadlines and timing requirements for informing customers of a data breach.
2. Penalties faced by companies for failure to disclose.
3. Private rights of action for customers in the case of failures to notify.
4. Exemptions in which companies need not report breaches.

Customer data is becoming an ever more valuable (and marketable) asset for all technology companies (whether or not they are operating through a software as a service business model). As this trend increases, state and federal government agencies have likewise increased their focus on the protection of that data. In the current environment, knowledge and observance of the laws governing customer/consumer data has become an essential requirement for those companies that collect, use, and mine that data as part of their business models. While CSOOnline points out that their resource is not meant to be comprehensive, it is a handy tool to help in starting to understand the legal landscape in the area of data breach notification.