Not All Blue Skies for Cloud Computing

Timothy J. Lockhart 

As most businesspeople now know, "cloud computing" is the Internet-based system by which companies such as Amazon and Google with large hardware and software resources handle, process, and store customers’ data at multiple locations, much as utility companies use a variety of resources to provide electricity over the power grid. Because of its significant benefits—comparatively low cost, rapid acquisition of capability, and ease of expandability, among others—cloud computing is here to stay. But as with any new technology, significant practical problems give rise to legal issues.

Network World has compared the current state of cloud computing, with its fast growth and sketchy legal framework, to "a Wild West boom town." One major issue is the lack of data-security standards. This issue results partly from cloud providers generally not being required to disclose where or how they store or process customers’ data. The issue also stems partly from cloud providers processing and storing data in countries that do not have privacy laws as strong as those in the United States and the European Union.

The Cloud Security Alliance, founded last year and having security-business members such as Iron Mountain and VeriSign, is now developing industry standards for the security of "cloud data." In the meantime, the online travel company Orbitz, which uses as well as provides cloud-computing services, is reportedly addressing the security issue by taking such due-diligence measures as conducting data-center inspections and on-site audits.

Other major issues include inappropriate or missing contract terms, inadequate warranties and indemnifications offered by cloud providers, and the currently unequal bargaining position between cloud providers and their customers. Some of these issues arise simply because relatively few lawyers have experience drafting, negotiating, and interpreting cloud-computing agreements. Others arise because there is much less certainty about what should be the "standard" provisions for cloud agreements than is the case with more traditional types of software contracts.

Some cloud agreements, particularly those governing software as a service ("SaaS"), evolved from earlier agreements used between application service providers ("ASPs") and their customers. Others arose from outsourcing agreements or traditional software license agreements. But regardless of how they developed, cloud-computing agreements should provide reasonable transparency about customers’ rights, particularly with regard to their data.

Here are some important provisions to include:

  • Agreements should contain performance standards, product warranties, intellectual-property ownership warranties, and indemnification provisions similar to those in traditional software licenses.
     
  • Customers should automatically get the benefit of a cloud provider’s upgrades in hardware and software, not be locked into whatever systems the provider had as of the effective date of the agreement. For example, World Trademark Review reports that adding new features and functions quickly is one of the key vendor characteristics the U.S. Patent and Trademark Office is seeking as it moves toward "Trademark Next Generation," a cloud-based system for end-to-end processing of trademark applications and related documents.
     
  • Agreements should cap a cloud provider's fee increases at a certain percentage per year.
     
  • Agreements should specify that cloud providers will give customers copies of their data on request and for a reasonable charge. Providers should not be allowed to keep data from their owners in the event of a dispute.
     
  • Agreements should contain terms requiring cloud providers to cooperate with customers who become involved in litigation—for example, by helping to respond to discovery requests.
     
  • Agreements should provide for a smooth transition period if a customer decides to move from one cloud provider to another.
     
  • Agreements should permit customers to receive reasonable post-termination support from a cloud provider at the provider’s customary hourly rates.
     
  • Large customers should try to use their size as leverage to negotiate more favorable terms and conditions. The City of Los Angeles was reportedly able to do this with Google.
     

Likewise, because of the differences between cloud computing and traditional data processing, "cloud customers" should:

  • Consider moving non-critical applications into the cloud first so that any transition problems will not be incurable.
     
  • Pay attention to "geek" issues such as the need to have the right number of, and privileges for, system administrators and the possibility of using data encryption.
     
  • Have cloud providers specify their data-backup policies, procedures, and schedules.
     
  • Require cloud providers to have written (and rehearsed) disaster-recovery plans—which, more broadly, all businesses should have, regardless of whether they use cloud computing.
     
  • Not permit cloud providers to claim they have no liability for lost data—after all, they are responsible for hosting the data.
     
  • Require cloud providers to state whether they own or control the relevant data centers or use other vendors’ facilities. If they use other vendors’ facilities, the providers should offer their customers a contractual remedy if those facilities fail for any reason.
     
  • Require cloud providers to comply with all applicable export and privacy laws, including but not necessarily limited to U.S. laws. For example, the European Union Data Directive, which is generally more stringent than U.S. privacy laws, may apply in many cloud-computing scenarios.

Although there are a number of additional points, the foregoing list provides a general idea of why businesses should move cautiously when considering cloud computing. This new computing environment definitely offers many advantages. But only businesses alert to the sorts of issues described above can properly protect themselves if they decide to "enter the cloud."


Federal Court Finds Web Hosts Contributed to Sale of Counterfeit Goods

Ruby W. Foley 

Recently a federal court partially upheld a jury’s award of $32.4 million in damages against two web host companies (and their owner) for contributing to copyright and trademark infringement by hosting websites which sold counterfeit Louis Vuitton goods. Louis Vuitton Malletier, S.A. v. Akanok Solutions, et al., No. 5:07-cv-2952-JW, 2009 WL 1636914 (N.D. Cal., June 10, 2009).

Defendants Akanok Solutions Group, Inc. and Managed Solutions Group, Inc. were Internet service providers ("ISPs") that provided Internet protocol addresses to various websites. They sold their Internet protocol addresses and the use of their servers to customers who used the servers to host the customers’ web content. The owner of the ISPs, Steven Chen, was also named a defendant in the lawsuit.

In 2007, Louis Vuitton Malletier, S.A., the well-known maker of luxury goods, discovered that some of the defendants’ customers were selling counterfeit goods on their websites that infringed on Louis Vuitton’s trademarks. Louis Vuitton notified the defendants on several occasions of the infringement and asked them to shut the websites down, but the notices were apparently ignored. Louis Vuitton subsequently filed suit, alleging willful contributory infringement of its copyrights and trademarks.

The jury found each of the defendants liable for willful contributory infringement of 13 of the plaintiff’s trademarks and two of the plaintiff’s copyrights and awarded statutory damages for contributory copyright infringement—in this case, damages of $300,000 per defendant. However, in an unusual move, the jury also awarded statutory damages for contributory trademark infringement of $10,500,000 per defendant.

In response, the defendants filed a motion for judgment as a matter of law with respect to both the copyright and trademark infringement claims.

Contributory Copyright Infringement

The court determined that the test for contributory copyright infringement is "(1) knowledge of another’s infringement and (2) either (a) a material contribution to the infringement or (b) inducement of the infringement."

The court found that the evidence presented at trial established that the defendants had "ample notice" of directly infringing activity occurring on websites that they hosted because Louis Vuitton sent numerous letters regarding the infringement. Thus, the court found sufficient evidence to support the jury’s finding of knowledge of infringement.

The court then stated that there is liability for contributory infringement where "the defendant engages in personal conduct that encourages or assists the infringement." In the Internet context, where a computer system operator learns of specific infringing material available on its system and fails to purge such material from the system, the operator knows of and contributes to direct infringement.

The court found that defendant Managed Solutions Group owned the servers but did not operate them, so there was insufficient evidence for the jury to find that Managed Solutions Group encouraged or assisted the infringement. However, defendants Akanok Solutions and its principal Steve Chen actually operated the servers. Those "operator defendants" provided the servers with data storage, routers, and data bandwidth to the websites. Accordingly, there was sufficient evidence to establish that the operator defendants materially contributed to the infringement.

The court also found that neither of the ISPs met the threshold requirements to qualify for the “safe harbor” limiting damages under the Digital Millennium Copyright Act (“DMCA”). Neither ISP had designated a “copyright agent” to serve as a point of contact as the DMCA requires, and neither removed the infringing material once notified by Louis Vuitton of the infringement.

Contributory Trademark Infringement

With respect to contributory trademark infringement, the court stated that to be liable "a defendant must have (1) ‘intentionally induced’ the primary infringer to infringe, or (2) continued to supply an infringing product to an infringer with knowledge that the infringer is mislabeling the particular product supplied." The court also stated that a host that permits others to use its premises but remains "willfully blind" to their directly infringing acts may be held liable as a contributory infringer.

For the same reason described above, the court found the evidence insufficient with respect to Managed Solutions Group but sufficient as to the operator defendants, who continued to service the infringer’s website after having knowledge of the infringement.

Conclusion

What should ISPs do in the wake of the Louis Vuitton case? First, they should be careful to comply with the DMCA’s safe-harbor requirements. Second, they should establish procedures for interested parties to report infringements on the sites the ISPs host. Upon notice of a complaint, the ISP should investigate it promptly and, if necessary, take corrective action.

Third, they should consider following up with the complainant whenever feasible. An ISP can report the outcome of a complaint and evaluate whether that outcome seems likely to satisfy the complainant or could cause the complainant to take more aggressive action such as filing a lawsuit involving the ISP.

Note: The trademark-related portion of this article appeared in the International Trademark Association’s INTA Bulletin on August 1, 2010.
