Not that I don’t understand. If the startup is your brainchild, you want to get a prototype in the works, move ahead with alpha and beta testing, and start to market the product and talk to investors at the earliest possible date. You can’t allow yourself to be distracted setting up a payroll, talking to accountants or doing all of the coding yourself. Furthermore, if you’re like 99.9% of startups, you don’t have a lot of cash, which seems to make giving out something other than dead United States presidents an attractive option. Plus, your prospective partners may be your co-workers or roommates, and you want to do right by them. Right? Right?

Unfortunately, being too generous with equity is a common mistake made by startups. Naturally, it seems like an effortless and expedient way to get the ball rolling. Remember, though, that when you give out equity, you make partners of people whose commitment to the startup and time horizon may not be the same as yours, and whose contributions, while genuinely needed, may be more generic and easily replaceable than what you’re contributing (money, patentable ideas, reputation and stature as an innovator, connections with investors, etc.) Another risk is that the potential partner who seemed cool and focused at the last Philly Startup Leaders happy hour may turn out to be a certifiable flake who sees kabbalistic messages in Drupal.

These partners may lose interest in a few months, fail to perform as anticipated or hold different views from yours on the management and goals of your startup. Yet, being partners, they have legal claims on the assets of the startup, the right to access business records, and the right to have a say in (or even block) certain strategic decisions. Or they may want to sell their equity to third parties with whom you’d rather NOT be in business. The situation gets even messier and more unpredictable when (as frequently happens) the initial buy-in transactions and the partners’ rights and obligations with respect to their equity stakes and their roles in the startup are not well documented (or documented at all) in, say, an LLC operating agreement.

As with romance, it’s easier to get married than divorced. In my own legal practice I’ve seen a steady flow of what I call “app divorces” — that’s when two people without a long prior working relationship form an LLC to develop iPhone or Facebook apps, quickly encounter irreconcilable differences and decide to part ways. The story normally goes like this: one partner just is not putting his all into the relationship (”you’re not there for me!”). The other partner comes to me, and I have to figure out a way to unwind the partnership and cash out the wayward partner while keeping the intellectual property (ownership and practical control of the app) and as much cash as possible in the hands of my client.

So be stingy with your equity, dear startups. If you’re the primary innovator and/or source of funding, and the other guy is basically bringing labor and moxie, ask yourself how well you know him, how well you work together and whether a strict pay-for-services or commission-based relationship might be better. If the skill set you need is not particularly unique (say, coding or website design), could you get a freelancer or other independent contractor to do it under an agreement where they assign all intellectual property rights in the work product to your company? Or, as with payroll, is there an affordable third-party turnkey solution on the market?

Of course, sometimes you have no choice but to give out equity in order to get the services and skill sets you need, particularly where they’re not all that fungible or require a high degree of trust and comfort. In these situations, give out as little equity as possible, both to preserve your control as well as your ability to bring in other investors without diminishing your ownership stake too much. Don’t immediately offer 50-50 because it seems fair.

You could also create two classes of equity, one for yourself and other investors, and the other for service providers you need to woo. The first class of equity could have an exclusive claim to all distributions from the startup entity up to $XX, with holders of the second equity class only being entitled to their proportionate share of distribution proceeds over and above $XX. This is a good way of ensuring that a service provider partner doesn’t end up claiming a share in the investors’ money.

App divorces handled with sensitivity here

Performance vesting is tied to achievement of certain milestones — for example, 25% of the shares vest on successful testing of a prototype, another 25% on sales reaching $XX, etc. Combinations of time and performance vesting are also possible, so that, for example, 25% of the shares would vest if the holder is still employed after one year AND has successfully tested a prototype.

Where equity is shared among multiple partners, transferability and exit issues (if someone wants to get rid of their shares, to whom may be they be sold and how should they be priced?) also need to be carefully discussed and dealt with in a legal document such as an LLC operating agreement. Having multiple owners means you will need more legal consultation in the startup process, yet another reason to be stingy with your equity. (And don’t try to draft the documents yourself to save on legal fees; if your startup ends up doing well, that’s a great way to buy a litigator a new yacht.)

Don’t get me wrong — I’m not saying NEVER hand out equity. Just be cautious and, if you have questions or reservations, talk to a business lawyer. When you give equity for services, you’re buying more than those services; you’re also buying the service provider.

A Special Trademark Issues (STI) review team was created by ICANN in October 2009 to provide further recommendations on some of the proposed Rights Protection Measures (RPM’s), such as the creation of a global trademark clearinghouse to serve as a repository of data about asserted trademark rights and to validate these rights in domain name disputes. Another proposed RPM is the creation of a Uniform Rapid Service (URS) as a faster, cheaper alternative to the current Uniform Dispute Resolution Policy (UDRP) in shutting down blatant cybersquatters and typosquatters. On December 17, 2009, the STI issued a report adding some more flesh to these proposals. You can find it here.

The STI report gives some tantalizing hints concerning the shape the new URS will likely take. Unlike with the UDRP, the remedy for the successful complainant would not be transfer of the domain name, but rather a hold, so that it doesn’t resolve to the original IP address. The elements of a URS complaint would be the same as for a UDRP complaint: bad-faith registration and use of a domain name that is confusingly similar to a trademark, where the domain name registrant has no legitimate interest in the domain name. However, the standard of proof would be higher: clear and convincing evidence that there is no genuine issue of material fact requiring further consideration.

If upon initial examination a URS complaint appeared to contain the basic requirements, an initial freeze would be placed on the domain name to prevent its transfer or changing of the WHOIS record. A full hold — disconnection with the IP address — would be imposed on final determination. However, the registrant would have the right to appeal to another examining body which would review the complaint and facts anew.

Practically speaking, the URS process would not work to resolve genuinely two-sided trademark disputes, i.e., situations where the claimed trademark is weak or descriptive or where the registrant is conducting a legitimate business under a mark adopted in good faith or where the degree of similarity between the domain name and the claimed trademark is less than overwhelming. The UDRP, the Anti-Cybersquatting Consumer Protection Act, and traditional trademark causes of actions for infringement, dilution and false designation of origin would still be available in these situations. However, when I handled trademark matters in-house for a large publicly traded company (whose unpopular line of business made it the target of much brand abuse), my experience was that even in those cases where we were dealing with a clear cybersquatter who didn’t respond at all to our UDRP complaint, we still ended up paying thousands of dollars in legal and arbitration forum fees to obtain a transfer of the domain name registration.

For those whack-a-mole cases, the URS as envisioned by ICANN’s STI (how’s that for alphabet soup?) would be a genuine boon.

A sad day for Philadelphia, to be sure, but what makes it noteworthy for purposes of this blog is that the city is threatening to sue Facebook, MySpace and Twitter for failing to monitor the postings that, according to police, arranged for the mob to convene in the Gallery (the indoor shopping mall at 11th and Market Streets) for a fight. This raises the same website immunity issue under 47 U.S.C. § 230 in the Communications Decency Act (CDA) that I blogged about in connection with last summer’s lawsuit against Domelights.com.

The CDA immunizes a provider of an “interactive computer service” from liability for most state and federal claims arising from objectionable content posted by third parties: “No provider … of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” See 47 U.S.C. § 230(c)(1)). Websites fall within the statutory definition of an “interactive computer service.”

The CDA immunity was enacted to promote robust and unfettered free speech on the Internet by insulating website operators and ISPs from defamation claims and other actions which are triggered by objectionable content originating with third parties and for which the site operator or ISP merely provides a forum or conduit. It would be difficult or impossible for the operator of a website with thousands of users to pre-screen all posts for tortious or other unlawful content, and the law does not require this. Courts have held the CDA immunity to preclude a wide variety of claims against websites relating to offensive, tortious and even dangerous activities of their users, including, in a recent decision involving MySpace, an alleged failure to implement security measures to prevent sexually predatory behavior by users against other users. However, a website runs the risk of being deemed an “information content provider” (and falling outside the scope of CDA website operator immunity) if it has a role in creating or soliciting the objectionable content.

Therefore, unless Facebook, MySpace or Twitter somehow had a hand in creating or soliciting any posts that incited the mayhem, it is difficult to see how the city could prevail in a claim for damages against them. This is how it should be. Social media provides networking tools and services to expand group communications, but like broadband and cell phone service, social media is morally neutral — it can be used for good (e.g., the Twitter Revolution in Iran) or ill (a mob of teenage thugs gathering at the Gallery for a fight).

If the operators of social media started losing expensive lawsuits because of their failure to monitor posts for hints of flash mob activity, they would have to charge for their services or go out of business. Internet privacy would probably also take a big hit as Facebook, MySpace and Twitter stepped up their monitoring and sharing of posts with law enforcement authorities. CDA website operator immunity was specifically intended to avoid such chilling effects on free speech.

More generally, the city of Philadelphia’s threats against social media betray the unfortunate mindset of big government nowadays that antisocial and self-destructive behavior must always be the fault, in whole or in part, of some business or society, not (or not simply) that of the persons engaging in the antisocial or self-destructive behavior. For example, childhood obesity is the fault of McDonald’s and other disseminators of “exploitive advertising,” not the fault of kids who eat Big Macs every day or their parents who let them. Plaintiffs’ lawyers aid and abet this erosion of personal responsibility and accountability by filing suits against businesses for failing to fulfill some fictitious duty to prevent every conceivable social harm.

At the risk of inciting political controversy, I respectfully disagree. The way to handle incidents like last week’s mayhem is not to sue technology companies on the West Coast, but to police known flashpoints such as the Gallery more aggressively and to mete out severe punishment for uncivilized behavior, which means jail time, not probation or community service. (In Philadelphia, the penalty for violating probation is often more probation, but that’s a separate issue.)

As a Center City resident who lives several blocks from the Gallery, I certainly share the city’s outrage over this latest flash mob incident. That is why I support the Philadelphia Police Department, the SEPTA transit police, and the Office of the District Attorney. But we’ve got to solve our own problems in Philadelphia, so let’s not pick on social media.

Readers of this blog know that the Bilski case will set the new standard for patent eligibility of business methods. In 2008 the U.S. Court of Appeals for the Federal Circuit upheld the Patent Office in setting a strict machine-or-transformation test that essentially bars the patenting of business methods except where they are tied to or transform something physical. If the Supreme Court agrees, this could invalidate a lot of Internet and software patents.

In the oral arguments several justices — most notably the newest one, Sonia Sotomayor — seemed uncomfortable with the intellectual contortions of the machine-or-transformation test, yet agreed that on some level a patentable invention must involve “technology.” But what is “technology”? How do you define it? A software patent whose claims delve into the nuts-and-bolts of the effects the programming has on the host computer probably teaches “technology”, but is it possible to drill down any further?

Here’s hoping (if not expecting) that SCOTUS brings some real clarity so that going forward clients will know when they are up to their elbows in “technology.” In the meantime, check out my recent articles (actually one article that my editor broke into two pieces because it was so verbose!) on the oral arguments in the Bilski case here and here.

Personally, I enjoy Twitter (can’t deny it, since you’ll see my tweets all over www.baerbizlaw.com!). I understand its value as a promotional tool for entrepreneurs, and, as a technology and social media lawyer, I relish the legal mind-benders it raises. Still, I can’t say that millions of tweets like “Lying on the couch!” or “I’m sipping a capuccino!” make me shiver with voyeuristic delight or enrich the world.

Speaking of legal mind-benders, consider Horizon Group Management v. Bonnen, a Cook County, Illinois circuit court case in which a property management company brought a defamation suit against a former tenant who tweeted, “Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it’s okay.” The case is interesting because it involves not only the content of Ms. Bonnen’s tweet (defamation and libel require factual content, specifically the publication of a false statement of fact; pure opinions are not defamatory), but also how it should be interpreted in the Twitter context.

Ms. Bonnen was represented by attorneys at The John Marshall Law School Center for Information Technology and Privacy Law. In their motion to dismiss, counsel for the defense cited a 2009 study in which more than 40 percent of tweets were deemed “pointless babble.” (ONLY 40 percent?) “When one considers Ms. Bonnen’s allegedly defamatory tweet in the social context and setting in which the statement was published,” they argued, “its nature as rhetorical hyperbole is readily apparent.” Or, to put the argument more bluntly, given the widely acknowledged stupidity of Twitter and the verbal diarrhea of many of its adherents, no one should reasonably have read a factual dimension into Ms. Bonnen’s moldy tweet.

Circuit Judge Diane Larsen granted Ms. Bonnen’s motion to dismiss without issuing a written opinion, although she did note in court that the complaint was too vague. The result, therefore, turned on the judge’s view that the complaint was not well constructed enough to satisfy the Illinois defamation standard.

Although I admit I was not in the courtroom, I find the outcome a bit surprising because the tweet does seem to state, or at least clearly imply, that Ms. Bonnen was or is a tenant in an apartment managed by Horizon and that she experienced mold in that apartment. The “social context” of the tweet may be a legitimate focus of inquiry at trial, but essentially holding tweets to be opinion, i.e., not “serious”, at the motion to dismiss stage is a bit hasty.

More broadly, I disagree with the notion that tweets are qualitatively different from other communications from a legal standpoint. You can communicate facts and harm reputations in a 140-character microblog post, just as you can through more traditional media. The medium shouldn’t matter. In its response to the motion to dismiss, the property management company pointed out that, indeed, many tweets are serious — for example, the U.S. Centers for Disease Control and Prevention use Twitter to publish information.

At a national intellectual property law seminar I attended last year, a roomful of IP lawyers representing big law firms, media companies and, of course, Baer Business Law largely agreed that tweets could even be copyrightable, if they contain a “modicum of creativity,” the copyright protection standard stated by the Supreme Court in the Feist case (which held that alphabetical telephone listings are not copyrightable). Twitter may very well be novel, if not epochal, as a unifier of the human family. Having said that, treat with extreme skepticism any claim that tweets are legally different from anything else you write.

Seriously, protecting your idea in business discussions is critical, and it’s all about timing, covering your steps, and controlling the manner and scope of the disclosure. I’ve written a guide for entrepreneurs on how to approach these issues and some tools and tips to keep in mind. You can find it here. Of course, you should also consult a business and IP attorney.

Title II of GINA prohibits both the use of individual genetic information in making employment decisions and any action by an employer to “request, require or purchase” genetic information, subject to certain limited exceptions. It also imposes strict confidentiality requirements when an employer or other covered entity comes into possession of genetic information. Title II applies to private and governmental employers with 15 or more employees. “Genetic information” is defined in the statute to include not only information about an individual’s genetic tests, but also genetic tests of family members and family medical history, including the manifestation of a disease or disorder in a family member. “Family members” include dependents as well as relatives of an individual or dependent from the first to the fourth degree. So, to take a completely hypothetical example, the fact that a maternal grandmother died of lymphatic cancer would be protected genetic information. This casts a very wide net indeed.

Employers Are Looking at You Online

The policies behind Title II of GINA are laudable: maintaining privacy and protecting individuals from job-related discrimination due to factors that are totally outside their control and not meaningfully related to their job qualifications or performance (but that may give rise to certain assumptions about insurance costs, work attendance, etc.). However, It’s not difficult to see how such an expansive definition of genetic information can create a legal minefield when blogs and social media are worked into the equation.

Blogs and social media provide the tools for us to share and publicize details about our personal lives, about where we are in this world and what we’re going through right now, as well as to foster an ever-greater interconnectedness that provides a substrate of meaning at the same time as it boosts our audience size. For these reasons, many employers, particularly those hiring for positions involving significant professional responsibility, customer or public exposure, or access to confidential information, Google job applicants and examine personal blogs and social media profiles as part of their due diligence process.

Generally speaking, employers are not legally prohibited from doing this and taking the findings into account when they make decisions about you (as long as the decisions aren’t based on certain impermissible factors defined by the law, such as race, gender, age, disability and now genetic background).

Therefore, if you plan to apply in the future for a financial services position managing the portfolios of wealthy clients, I would strongly advise you not to post a college photo of yourself drowning your svelte naked body in Yuengling. However humorous and compelling such a photo may be — and I really do like Yuengling! — it can easily be pulled up on the Internet years after it is posted, i.e., when you’re older, more professionally oriented and sober.

Finding Family Medical Information Online

All kidding aside, what if someone’s family member is ill and, out of an understandable desire to unburden herself and seek support from her user community, she shares information about the illness and the distress she is experiencing? If an employer then reads the page, does this constitute an illegal acquisition of genetic information?

GINA’s prohibition on requesting, requiring or purchasing genetic information excludes situations “where an employer purchases documents that are commercially and publicly available (including newspapers, magazines, periodicals, and books, but not including medical databases or court records) that include family medical history.” In its proposed regulations issued in March 2009, the EEOC expanded the commercially and publicly available document exception to also cover genetic information from documents that are available “through electronic media, such as information communicated through television, movies, or the Internet, except that a covered entity may not research medical databases or court records, even where such databases may be publicly and commercially available, for the purpose of obtaining genetic information about an individual.” (Such information also would not be covered by GINA’s confidentiality requirements, although it still could not be used to discriminate.)

The EEOC is seeking further comment on how genetic information acquired from personal websites such as blogs and social networking sites should be treated.

Some commenters have recommended a total exclusion for information on publicly available web pages, on the theory that employers should not be penalized for stumbling across information that an individual deliberately posts for the entire world to see (obviously, making an employment decision based on this information would still be forbidden).

Other commenters have urged the EEOC to take into account the site’s user restrictions and privacy settings: if an employer pries its way into a restricted user group (like in the Pietrylo case) whose members can view an individual’s family medical history, that looks more like an illicit attempt to acquire private or protected information than reading a publicly available website.

Still other commenters have suggested a regulatory standard that delves into the employer’s motives: is the employer searching sites for the specific purpose of obtaining genetic information? From the viewpoint of an attorney counseling businesses, I hope the EEOC avoids such a subjective test, since anyone could raise this accusation in a legal or administrative complaint with the flimsiest of evidence (or no evidence whatsoever). Due to the messy factual issue of intent it would be difficult for the employer to get the case dismissed before trial, meaning that costly litigation would be an ever-constant threat. However, the EEOC may already be thinking along these lines, since its proposed rules prohibit an employer from researching publicly available medical databases and court records for the purpose of obtaining genetic information.

Employers: Be Careful Where You Look

Even before the EEOC speaks on these issues, employers should take special note of GINA where online research plays a role in employment-related decisions. My advice to employers is to focus on the presence or absence of naked beer-waterfall photos and other content that is clearly relevant to a candidate’s judgment or his or her qualifications to hold a position; don’t go searching for (or dwell on or document) confessional posts about a sick aunt, however poignant and compelling they may be. If you do, you may risk a claim for either illegal acquisition of genetic information or (if the candidate is turned down or suffers some other adverse employment action) genetic discrimination.

Technology marches on, and, as always, the law struggles to keep up and adapt.

The Christmas blizzard

Richard Convertino is a former federal anti-terrorism prosecutor who was forced out by an investigation of prosecutorial misconduct during the Bush administration. Information about the investigation was leaked to the Detroit Free Press. In his action against the Justice Department for whistleblowing retaliation and other claims, Convertino sought discovery of e-mails between Tukel, another prosecutor involved in the investigation, and his private attorney, e-mails that were sent from a Justice Department computer using Tukel’s DOJ account (not even a web-accessed personal e-mail account, as in Stengart). The court refused to grant access to the e-mails, holding that Tukel had a reasonable expectation of privacy which supported his assertion that the e-mails were still protected by the attorney-client privilege.

In finding for Tukel, the court specifically examined the Justice Department’s Internet use policy and determined that, in view of the policy, he was not on notice that his personal e-mails were being monitored and, therefore, his actions in deleting the e-mails from his account in an expeditious manner amounted to a non-waiver of the attorney-client privilege:

“Mr. Tukel reasonably expected his e-mails with his personal attorney to remain private…. Case law in this jurisdiction in not directly on point but New York gives the Court some direction. ‘[T]he question of privilege comes down to whether the intent to communicate in confidence was objectively reasonable.’ … In order for documents sent through e-mail to be protected by the attorney-client privilege there must be a subjective expectation of confidentiality that is found to be objectively reasonable…. [Four factors to determine reasonableness are] ‘(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?’ … Each case should be given an individualized look to see if the party requesting the protection of the privilege was reasonable in its actions….

“On the facts of this case, Mr. Tukel’s expectation of privacy was reasonable. The DOJ maintains a policy that does not ban personal use of the company e-mail. Although the DOJ does have access to personal e-mails sent through this account, Mr. Tukel was unaware that they would regularly access and save e-mails sent from his account…. Because his expectations were reasonable, Mr. Tukel’s private e-mails will remain protected by the attorney-client privilege.”

As with Stengart (which was recently argued before the New Jersey Supreme Court), I am unconvinced that rulings like this create a broad right of privacy in personal communications sent through an employer’s IT resources. For one thing, the Internet use policy in Stengart as well as the DOJ’s policy in Convertino explicitly permitted personal use but were less than clear that ALL communications (personal as well as work-related) were subject to monitoring. Had the policies contained language like the following, the results might have been different: “We reserve the right to monitor, and periodically monitor, ALL communications sent using our computers and Internet access, whether personal or work-related, and including personal e-mails sent using your web-accessed e-mail (e.g., gmail, hotmail) account. You agree that you have no expectation of privacy in these e-mails and other communications. You should NOT send sensitive personal e-mails from a work e-mail account or a work computer.”

Secondly, I maintain that the attorney-client privilege is something special. If it’s held to be waived, the legal effect on a litigant — loss of or inability to implement legal strategy or exercise legal rights — is potentially catastrophic. Privileged e-mails are different from, say, embarrassing e-mails or e-mails that could get you into trouble with your boss. My sense is that courts will strain to avoid piercing such a hallowed privilege, except where a litigant has acted in a totally cavalier manner with regard to secrecy. I don’t agree with those legal commentators who claim the Convertino case actually reflects a dawning recognition that, due to the timing constraints in our harried modern lives, personal e-mails MUST be sent from work and should be shielded for that reason (regardless of how an employer’s computer/Internet use policy is worded or distributed). The court didn’t say this. In its own words, the case was about what the employee did and did not know about monitoring, pure and simple.

This battle will continue, of course. In the meantime, employers should think carefully about what personal uses of company Internet access and IT resources they wish to permit and make sure their approach to monitoring is clearly explained, particularly when read together with the sections of the policy detailing any approval of personal use.

Carpenters Hall at Yuletide

According to the PTO, the average time between filing and the first office action (PTO response) on a green technology patent application is 30 months, with the final action on the applications coming after 40 months on average. The PTO estimates that participation in the pilot program will shave a year off the time to get a green technology patent. Green technology eligible for the pilot program is defined as patent applications relating to environmental quality, energy conservation, development of renewable energy resources or greenhouse gas emissions reductions. You can download detailed eligibility and petition requirements on the PTO website here.

2. Online Privacy and Behavioral Advertising. Check out Yahoo!’s new Ad Interest Manager, which enables you to see information about your online browsing activities that Yahoo collects for targeted advertising purposes. The new site feature was unveiled with great fanfare on December 7, which — coincidentally? — was the same day the FTC kicked off the first of three new Privacy Roundtables examining online data collection for behavioral advertising and similar topics and the adequacy of current privacy rules and industry self-regulation.

Yahoo! may be ahead of the curve. The noises the FTC is making seem to indicate impatience and dissatisfaction with the current state of self-regulation in behavioral advertising (supposedly based on notice and choice, as provided in the behavioral advertising self-regulatory guidelines issued by the FTC in February 2009). More aggressive privacy regulation, as well as stepped-up administrative enforcement, may be on the way. Of course, this is exactly what I predicted last summer.

I am monitoring this situation closely, and if there is a new rulemaking, I am considering participating in the public comment process. I acknowledge the concern in government and academic circles about the ability to build profiles and derive personal information by associating and combining data on the Internet and applying behavioral analytics (connecting the dots to tease out or guess specific attributes of an Internet user, such as demographic information, based on browsing activity and clickstream data). However, as a matter of personal opinion I tend to fall into the “what privacy?” camp and am not convinced we are dealing with a full-scale public emergency that warrants shackling innovative new technologies and communication channels.

3. Workplace Internet Privacy Before the NJ Supreme Court. Stengart v. Loving Care Agency, Inc., a New Jersey appellate court case I blogged about this past summer, was argued before the New Jersey Supreme Court on December 2. The issue in Stengart is whether an employee’s e-mails to her attorney using her personal web account are still covered by the attorney-client privilege in her suit against the employer where she accessed the account from a work computer. (The defendants’ counsel found the e-mails when imaging the computer’s hard drive during discovery.) The employer had a poorly drafted Internet use policy that (arguably) rendered all communications over the computer subject to monitoring, although the policy also allowed limited personal use of the computer.

The case is important, because if the Supreme Court agrees with the appellate court that the employee did have an expectation of privacy in the e-mails to her attorney, notwithstanding the Internet use policy, it could curtail employers’ previously untrammeled ability to regulate the use of their IT resources.

A finding for the employee seems likely, since the New Jersey Supreme Court is a liberal bench that has often taken a broadly protective approach to the attorney-client privilege. Also, at least two of the justices, including Chief Justice Rabner, seemed troubled by the employer’s reliance on the policy as support for its position that it could monitor anything transmitted using its computers.

The big question, then, is how broad or narrow the ruling will be. Was this a badly drafted policy that on its terms shouldn’t be construed to apply to such personal communications? Or going forward do all Internet use policies need to specifically call out the right to monitor communications using web-accessed personal e-mail accounts? Or (most radical) will an employer’s “unilateral” reservation of the right to monitor its IT resources be held unenforceable as a matter of public policy when applied to certain types of communications — such as e-mails to a “spouse, a physician or a cleric”? (The possibility of such employer monitoring appeared to disconcert Justice Albin.) If the court were to take the most radical approach, this might scare employers into slamming the door on ANY personal use of workplace computers and Internet access.

4. Data Breach Dixie-Style. Several restaurants in Louisiana and Mississippi, including the rustically named Mel’s Grill, Sammy’s Diner and Crawfish Town USA, have sued Radiant Systems, a provider of point-of-sale (POS) hardware and software, and the distributor Computer World, Inc. to recover fines and penalties imposed by Visa and MasterCard after a foreign hacker exploited security vulnerabilities to access the systems remotely. The plaintiffs, whose claims include negligence and breach of contract, allege that the POS solution was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that the distributor also was also out of compliance (according to the plaintiffs, among other things, the system retained sensitive credit card information unnecessarily and the distributor used the same password for 200 different systems). The plaintiffs also alleged that Radiant had, in fact, been warned about by Visa about the vulnerability of the POS system in 2007.

The negligence claims are significant because of the plaintiffs’ attempt to use PCI compliance to set the baseline for reasonableness in order to show that the defendants’ behavior was negligent. However, the plaintiffs will face an uphill battle if their contracts with the defendants contain the typical technology vendor/service provider legalese limiting product- and service-related claims to breaches of the narrow warranties given in the contract, disclaiming damages for lost or stolen data, characterizing third-party criminal acts as force majeure for which the vendor is not responsible, and limiting the customer’s recoverable damages to direct damages no greater than the fees paid for the defective product or service.

However this case unfolds, the loss suffered by the restaurants highlights the need to carefully scrutinize and negotiate technology agreements covering products that store or process sensitive personal information. The customer should strongly consider requiring the vendor/service provider to warrant that they have validated compliance with PCI and will update their product or service as needed to maintain compliance. The customer should also seek indemnification against claims and losses resulting from a data breach where the breach is attributable to a defect in PCI compliance. (Many vendors/service providers will scream at this, protesting that their prices don’t reflect assumption of these risks. The proper response to this is “why not?”, especially if a vendor/service provider hypes itself as being PCI-certified.)

Of course, don’t place absolute trust in having a strong contract; make sure you do your due diligence too.