The ACPA and Consumer Wrath: Is consumer criticism a “bad faith” act?

As we have learned in class, the origins of the Anticybersquatting Consumer Protection Act (ACPA) 15 U.S.C.A. § 1125(d), was to protect trademark owners from having others use their famous and distinctive trademark in a domain name that is confusingly similar.  This law was welcomed especially in the early days of the internet, when domain name registrations were driving the development of internet law. However, although there is less cyber-squatting or cyber-piracy today, the ACPA continues to be used in courts – and sometimes to defend against different and new types of cyber-squatting. In the present case we have a blend trademark, cybersquatting, and free speech on the Internet.

The owner of a website called “McAllister Olivarius Truth,” run by a former client of the law firm McAllister Olivarius, will be on trial this summer, accused of cybersquatting. The jury is scheduled to hear the case in July 2018.  How did we get to this?

The defendant who runs the “Truth” website, Mark Myers Mermel, committed a series of actions that led him to be sued by his own former law firm.

The creation of the website, and the lawsuit, all finds its origins in a “client-gone-wrong” scenario between the two parties. The law firm McAllister Olivarius actually represented Mermel, a real estate developer and one-time candidate for lieutenant governor of New York, in a dispute with Yale University. Mermel later, for some reason, decided to not pay his legal bills for that representation.

MO

The firm then filed a breach of contract suit in Connecticut in 2016 to recover the fees. And, sometime during this billing dispute, Mermel then registered McallisterOlivariusTruth.com and populated it with some law firm-like text.  The firm’s actual domain is mcolaw.com.

In addition to creating the website, Mermel also threatened to post documents on the site he said would “cripple if not close” the firm, according to the complaint. He also offered to forego the plan if the firm would “walk away” from the unpaid legal bills or, at least, reduce them.

After learning of the website and these threats, the firm wanted to add anti-cybersquatting and evidence spoliation claims to the original case, but the Connecticut court denied the request. As a result, McAllister brought the claims to a new case filed in New York.

McAllister alleges in the NY suit that defendant Mermel registered the domain name McallisterOlivariusTruth.com to divert potential clients and others searching for information about the firm – which in turn would force McAllister to accede to Mermel’s demands and reduce or eliminate the amount it was seeking in unpaid legal fees.  Mermel allegedly threatened to publish damaging documents about plaintiff on the website. Mermel thereby, in McAllister’s view, violated the Anticybersquatting Consumer Protection Act (ACPA). Mermel made a motion to dismiss for lack of jurisdiction and for failure to state a claim.

The ACPA was written to address various forms of piracy or bad fair action using someone else’ trademark e.g. cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners. The ACPA provides for liability if a person registers, traffics in, or uses a domain name that is identical or confusingly similar to a distinctive mark, with a bad faith intent to profit from that mark.

As we learned in class, in order to state a claim under ACPA, a trademark owner must show the defendant:

  1. registered, trafficked in, or used a domain name,
  2. that is confusingly similar to the plaintiff’s trademark, and
  3. had a bad faith intent to profit from that domain name.

But here, in the “McAllister Olivarius Truth” website case, is the defendant using the mark for bad faith or is he using the mark as a form of commentary and criticism, as protected by the Frist Amendment?  Many U.S. cases hold that the First Amendment may trump trademark rights in similar situations.

For instance, in Bosley Medical Institute, Inc. v. Kremer, the Ninth Circuit held that it was not a trademark infringement for a former customer of Bosley to register the domain name Bosleymedical.com and use it to operate a website critical of Bosley. The court stated that Kremer, the unhappy customer, was making a non-commercial use of the trademark on his website, and therefore not infringement under the applicable federal law. Kremer earned no revenue from the website, he sold no goods or services, and there was no link to any of Bosley’s competitors’ websites. However, the Bosley Court also held “An infringement lawsuit by a trademark owner over a defendant’s unauthorized use of the mark as his domain name does not necessarily impair the defendant’s free speech rights.”

Similarly, in Lucas Nursery v. Landscaping, Inc. v. Grosse, 359 F.3d 806 (6th Cir. 2004), a consumer won a case against a landscaping company when she registered its trademark as a domain name and used the website to express her anger with the landscape services. TMI, Inc. v. Maxwell, 368 F.3d 433 5th Cir. 2004), in the Fifth Circuit, had a similar outcome. A home builder had a very unhappy customer who registered the home builder’s trademark as a domain name after being upset with the quality of the home he purchased. The court did not find it “acting in bad faith” – the critical third element to any ACPA claim. The website featured the customer’s story of his dispute with the builder, along with a disclaimer at the top of the webpage indicating that it was most certainly not the home builder’s official website.

In these two cases, dissatisfied customers use of a site with a company’s trademark name to complain about the company is not bad faith – at least under the ACPA law. The free speech/consumer commentary rights of the customer are an important part of the U.S. law and commerce, and will be protected, even in the face of a trademark claim.

However, even with varying precedent, here Mermel’s argument that the attaching “Truth” in his website name, and thereby making it a forum for criticism, was a hard sell to the judge. Attaching “Truth” to a trademark is less of a distinguisher than, for instance, using a website name that ends in “.sucks.” [There is a line of litigation about .sucks websites]. In this case, then, without “Truth” clearly revealing the critical consumer nature of the website, McallisterOlivariusTruth.com could be confusingly similar to the firm trademark.

And, finding that the website was also potentially being used as a means to blackmail the law firm to lower or eliminate the owed legal bills also does not sit well for the ACPA test for “bad faith action.”   The website wasn’t so much created to tell the truth, but to extort the firms finances for Mermel’s  own gai. This put that action it within a “bad faith intent to profit” factor of the ACPA.

Therefore, in dismissing the motion, the court found McAllister Olivarius “has plausibly alleged that its mark is distinctive, that defendant’s domain name was confusingly similar to its mark, and that, on the facts pled, plaintiff adequately has alleged that defendant had a bad faith intent to profit from the mark.”

Mermel and McAllister will then be going to trial on the full ACPA claim in July. We will keep an eye out for this case over the summer session.

Advertisements

Unlocking Phone can be Constitutional: Fingerprints vs. Passcodes

Since 2014, approximately 67% of all smart phones in police evidence lockers are encrypted. For police, detectives, and the district attorneys, this creates a huge burden with regards to evidence and prosecution. During the conflict between Apple and the FBI over the San Bernardino phone encryption, former NYPD Police Commissioner Bill Bratton asked in an op-ed, in light of encrypted phone cases, “The Constitution guarantees no absolute right to privacy.  It guards against unreasonable search and seizure. How is what we are talking at all unreasonable?”

According to the courts, it could be unreasonable. There is a difference in the law with regards to how a phone is locked. Courts have looked at physical evidence (fingerprint) vs. knowledge (passcode), and have made these distinctions in caselaw.

Recently, in Minnesota v. Diamond, the Minnesota Court of Appeals affirmed that an order requiring a suspect to provide his fingerprint to unlock his cellphone was constitutional. The defense argued that the court violated the defendant’s Fifth Amendment right against self-incrimination by ordering the defendant to provide the fingerprint to access the information on the phone. There was, in fact, incriminating evidence found in the cellphone after it was unlocked.

This was a matter of first impression for the Minnesota Court of Appeals’ attention, but a similar issue had also recently arisen in Florida.

The Florida Court ruled that a man suspected of voyeurism using his phone must turn over his four-digit passcode to police. Though police had a warrant, they could not access the phone without the passcode.  A trial judge denied the motion to force the man to submit the code. The judge equated it to compelling him to testify against himself – in violation of the Fifth Amendment. The Florida Second District Court of Appeals reversed the decision stating that the passcode is not related to criminal activity that may or may not exist on the phone.

Courts have previously ruled that suspects must provide their fingerprints to unlock a phone, as mentioned in Diamond, but not a passcode or combination. Again, the distinction is between physical evidence of a fingerprint and knowledge of a passcode. A 2014 decision by the Virginia Beach Circuit Court found that individuals could not be forced to give up their phone’s passcode, but they could be ordered to provide a fingerprint to unlock the phone.

The Supreme Court’s 1988 decision in Doe v. U.S. ruled that a person may be compelled to give up a key to a strongbox, but not a combination to a safe. This is the interpretation courts are using when it comes to providing passcodes and fingerprints. However, the three-judge Appeals Court panel didn’t agree with this approach. They found the comparison with the current state of technology outdated; that providing a passcode would not be as self-incriminating as directly giving authorities evidential documents.

The police had probable cause and a warrant to search the phone. Judge Anthony Black wrote in the Florida Second District Court’s decision, “Moreover, although the passcode would allow the State access to the phone, and therefore to a source of potential evidence, the State has a warrant to search the phone—the source of evidence had already been uncovered … Providing the passcode does not ‘betray any knowledge [Stahl] may have about the circumstances of the offenses’ for which he is charged.”

Consumer class action revived for Neiman Marcus data breach

The 7th Circuit Court of Appeals reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus.  Last Monday (7/20), the Court held that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support standing.

While we haven’t covered standing explicitly in class, standing is defined as a party’s right to make a legal claim or seek judicial enforcement of a duty or right.  For example, to have standing in federal court, a plaintiff must show (1) that the challenged conduct has caused the plaintiff actual injury, and (2) that the interest sought to be protected is within the zone of interests meant to be regulated by the statutory or constitutional guarantee in question.  Sometimes it can be referred to as “standing to sue

The initial lawsuit against Neiman Marcus was in January 2014, when the company publicly disclosed that it had suffered a data breach where hackers collected the credit card information of approximately 350,000 customers. A number of consumers filed a class action lawsuit. The suit alleged that Neiman Marcus put the plaintiffs at risk for risk for identity theft and fraud by delaying to disclose information about the breach for a month. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing.

On appeal, the 7th Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The 7th Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

The 7th Circuit’s ruling combined with and the Central District of California’s ruling in Corona last month [Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015).] suggests a trend: consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.  For other cases in the trend see: In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., 2014 U.S. Dist. LEXIS 96588 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, 2014 U.S. Dist. LEXIS 124126, (N.D. Cal. Sept. 4, 2014).

Nevada Law Updates Definition of Personal Information

As we will learn later this semester, Nevada has been on the front lines of creating law that protects personal information, requires encryption of credit card data, and adoption of PCI-DSS standards into law.  Now they have adjusted their laws again to reflect technological changes in personal information.  Nevada Governor Sandoval recently signed into law A.B. 179, which expands the definition of “Personal Information (PI)” in the state’s famous data security law. The law will take effect on July 1, 2015. Under the new law, PI now includes:

  • A “user name, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account;”
  • A medical identification or health insurance identification number; and
  • A driver authorization card number.

In addition, although Nevada’s data security law previously excluded “publicly available information…lawfully made available to the general public” from the definition of PI, the new law narrows the scope of that exclusion, limiting it to information available “from federal, state or local governmental records.”

http://www.leg.state.nv.us/Session/78th2015/Bills/AB/AB179_EN.pdf

Sample ACPA Case: CrossFit, Inc. v. Jenkins

As we have learned in class, the origins of the Anticybersquatting Consumer Protection Act (ACPA) 15 U.S.C.A. § 1125(d), was to protect trademark owners from having others use their famous and distinctive trademark in a domain name that is confusingly similar.  This law was welcomed especially in the early days of the internet, when domain name registrations were drivinf the development of internet law or “cyberlaw.”  However, although there is less cyber-squatting or cyber-piracy today, the ACPA continues to be used in courts.

For example, in CrossFit, Inc. v. Jenkins, No. 13-CV-01219-MSK-CBS, 2014 WL 4706066 (D. Colo. Sept. 22, 2014) the district court in Colorado found that the owner of the Internet website http://www.crossfitnutrition.com, which offered the sale of vitamins, supplements, and nutrition products, had engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark and service mark associated with fitness training and consulting.

CrossFit, Inc. is engaged in the worldwide business of fitness training and consulting. It is a well=protected IP rand and owns many registered trademarks using the term “CrossFit.”

Mr. Jenkins owned and controlled the website in question (www.crossfitnutrition.com) which offers vitamins, supplements, and nutrition products for sale.

CrossFit alleged that Jenkins utilized the CrossFit mark to trade on the good name associated with CrossFit.  CrossFit alleged violation of the ACPA – CrossFit not only sought damages ($122K) but also an order requiring the domain name registrar to transfer the http://www.crossfitnutrition.com domain to CrossFit.

According to the record, Jenkins failed to answer the complaint entirely – which was a serious mistake for any defendant in an ACPA (or any other) action.

The ACPA was written to address this exact form of piracy on the Internet called cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners. The ACPA provides for liability if a person registers, traffics in, or uses a domain name that is identical or confusingly similar to a distinctive mark, with a bad faith intent to profit from that mark.

As we have learned in class, in order to state a claim under ACPA, a trademark owner must show the defendant:

  1. registered, trafficked in, or used a domain name,
  2. that is confusingly similar to the plaintiff’s trademark, and
  3. had a bad faith intent to profit from that domain name.

Here, the court concluded that the allegations supported CrossFit’s claim for violation of the ACPA by Jenkins.

The court found that Jenkins engaged in cyberpiracy, in violation of the ACPA, by using a domain name confusingly similar to the famous and distinctive “CrossFit” trademark.  Jenkins had no authorization to use the mark, and acted with a bad faith intent to profit from the name.  He created the false impression that he was a licensed “CrossFit” affiliate and that his products were endorsed or sponsored by the plaintiff,.

CrossFit also showed that the crossfitnutrition.com domain name registered by Jenkins was identical or confusingly similar to their distinctive or famous marks. The CrossFit name is widely recognized around the world, and their company does an excellent job of controlling its well-built reputation through trademark and other IP protection.

The likelihood of confusion was clear from Jenkins’s use of the word “crossfit” in connection with the nutritional information and products offered on his crossfitnutrition.com website. His use of the CrossFit name created the false impression that he was a licensed CrossFit affiliate and/or that his products were endorsed or sponsored by, associated with, or originate from CrossFit, thereby creating consumer confusion.

CrossFit had specifically informed Jenkins that his domain name was likely to create consumer confusion and constituted unauthorized use of the CrossFit Marks, yet he continued to use the domain name with the intent of diverting consumers. This was evidence of bad faith the court was looking for.

The court awarded CrossFit damages, attorney’s fees, and ordered the transfer of the crossfitnutrition.com domain name to CrossFit.

ACPA can be a powerful weapon for helping control cybersquatting – the deliberate, bad-faith, and abusive registration of Internet domain names in violation of the rights of trademark owners.

Welcome to Cyberlaw Online: Summer 2015

This site is intended for students enrolled in Cyberlaw: Privacy. Ethics, and Digital Rights Online.  This semester’s blog will feature new cases and laws, discussions related to our coursework, and guest bloggers from fields such as Information Assurance, IP Law, Cybercrime, and others. To start, let’s look at a quote from CEPS that clearly quantifies many of the issues we will cover this summer.

“Cybersecurity is now a leading concern for major economies. Reports indicate that hackers can target the U.S. Department of Justice or Iranian nuclear facilities just as easily as they can mine credit card data. Threats have risen as the Internet has become a critical infrastructure for the global economy, with thousands of operations migrating onto it. Put simply, as the global economy relies more on the Internet, the latter becomes increasingly insidious. There is no doubt that the Internet is efficient. But it now needs a more concerted global effort to preserve its best aspects and guard against abuses….”

– Andrea Renda, Senior Research Fellow, Centre for European Policy Studies

October is National Cyber Security Awareness Month!

National Cyber Security Awareness Month (NCSAM) is this October! NCSAM is a “collaborative effort to ensure everyone has the resources they need to stay safe online.”

NCSAM is organized by the U.S. Department of Homeland Security and the National Cyber Security Alliance. Another partner, the Higher Education Information Security Council (HEISC) annually gathers a list of resources for colleges and universities.  I thought this might interest to the Northeastern’s IA Program community:

Additionally, in celebration of NCSAM in October, Educause is hosting a FREE online webinar featuring three CIO’s from across the United States, hosted by Marc Hoit, Vice Chancellor & CIO, North Carolina State University.

In addition to talking about current information security issues on their campuses, the CIOs will discuss the “big questions” about information security in Higher Ed.  The title is “CIO Insights on Cybersecurity” on October 14, 2014 at 1:00–2:00 p.m. ET.

Speakers include:

  • Peter J. Murray, CIO/VP, University of Maryland, Baltimore
  • Michele Norin, Chief Information Officer, The University of Arizona
  • Melissa Woo, CIO/Vice Provost for Information Services, University of Oregon

This will probably be an interesting and enlightening talk in a field (higher education) where quite a bit of IA-focused inquiry is discussed day-to-day.