No, it’s not an acronym advising you to come to dinner with your favorite vintage of pinot noir. BYOD stands for Bring Your Own Device, a movement that’s changing the landscape of information technology at workplaces across the globe. In the “old days,” companies issued electronic equipment to employees for work use. Today, employees want to use the latest electronics of their own choice for both work and play. Surveys consistently show that companies are giving in to such requests, citing the benefits of increased productivity and morale, as well as cost savings from not having to buy the equipment themselves. However, BYOD programs also create legal risks for companies, including:
- Violation of labor laws like the Fair Labor Standards Act due to the ability of workers to rack up overtime by doing work on personal devices practically anywhere and at any time, whether or not such overtime is authorized by management
- Violation of laws prohibiting disclosure of the private information of customers, clients, or patients, such as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act
- Inadvertent disclosure of proprietary company information, which jeopardizes their confidentiality, and as a result, their status as protected trade secrets
- Complicating the e-discovery process, because electronic data that fall within the scope of a discovery request may reside on devices besides those under the direct control of the company
In light of these risks, the knee-jerk response of management might be to forbid BYOD entirely, but that is not necessarily the best approach. BYOD is more prevalent than one might think. A form of BYOD is in play whenever someone stores work data on a personal cloud storage account, uses a personal laptop to draft a memo for work, or forwards work-related word processing files to a private email account for easy access from home. A company need not officially adopt a BYOD program to have one, which is all the reason why management should be proactive about putting BYOD policies in place.
Learn about the specific risks that a BYOD program creates for your company. Develop guidelines on acceptable and unacceptable use of personal devices for work-related purposes. Notify employees of the policies in writing and provide training. Don’t wait until it’s too late!
Want more tips on BYOD? Come to the Advanced Employment Issues Symposium in Las Vegas from November 13-15, where I’ll be giving a presentation on “BYOD Challenges: When Employees Bring Their Own Devices to Work.” Registration information is available at www.aeisonline.com.
Creative Commons image courtesy of Daigo Oliva on Flickr
The Hawaii anti-paparazzi bill eponymously named after its chief supporter is back after getting an extreme makeover, and it just took another step toward becoming law in Hawaii. The Senate Judiciary Committee has recommended passage of a revised version of the Steven Tyler Act (SB426, S.D. 1). The revised bill is a big improvement from the original version. It goes a long way toward remedying the problems discussed in my previous post on the Act, and now it looks much more like the California statute after which it was patterned. But despite the revisions, the Act remains quirky in some ways, and it still doesn’t answer the question of why we need a brand-new privacy law.
Here are the highlights of the revised bill. The revised bill:
- creates an actual tort for constructive invasion of privacy, not just one in the name. The original bill tried to create a constructive invasion of privacy tort, but the parameters of the tort were not well-defined.
- defines certain concepts that are key to liability under the Act, like “personal and familial activity.”
- makes it very difficult to impose liability on those publicizing or selling images or sound recordings that were captured in violation of the Act.
- carves out exceptions to liability, including one for law enforcement activities.
- creates a fairly novel process for raising a defense against invasion of privacy claims in court based on the First Amendment or its counterpart in the Hawaii State Constitution.
Now, let’s look at some of the features of the revised bill in greater detail.
Constructive Right of Privacy
The revised bill creates two types of invasion of privacy, one physical in nature and the other constructive. Both require an intrusion into land owned or leased by the plaintiff. This is an important revision because it gets rid of the “taking pictures at the beach” scenario (i.e., why should a celebrity complain about invasion of privacy if her picture is taken on a public beach?)
An intrusion, however, does not necessarily require a physical trespass onto the plaintiff’s property. Spying and eavesdropping could constitute intrusion, but does not necessarily involve a physical trespass. The tort of constructive invasion of privacy accounts for this distinction, stating that non-physical intrusions will be treated as invasions of privacy. The use of “visual or auditory enhancing devices” to probe into the plaintiff’s private affairs, regardless of whether it involves a physical trespass, counts as an invasion of privacy. That’s how constructive invasion of privacy works.
The original bill bungled the concept of constructive invasion of privacy by not tying liability to the use of visual or auditory enhancing devices. The revised bill fixes that problem.
“Personal and Familial Activity”
The original bill left out definitions of key concepts. A notable one was “personal and familial activity,” which is what the plaintiff must have been engaged in when the defendant captured images or recordings of him or her. The original bill did not define the term. The revised bill adopts the definition used in the California anti-paparazzi law.
Having a definition rather than none is a step in the right definition, but the definition is still too vague. The revised bill defines “personal and familial activity” as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” What range of activities does “the plaintiff’s private affairs or concerns” include? The revised bill doesn’t say.
Liability of Sellers of Images and Recordings
One criticism of the Act was that it punishes sellers of images or recordings of celebrities. The Act imposes liability on those who sold images or recordings that were captured in violation of the Act if they had “actual knowledge” of the violation and received compensation for the rights to the images or recordings. One problem of the original bill is that “actual knowledge” was not defined, so the level of intent needed to trigger liability wasn’t clear. The revised bill remedies that problem by defining “actual knowledge.” The definition requires “actual awareness, understanding, and recognition” that the image or recording was taken or captured in violation of the Act. That’s difficult to prove.
But the revised bill goes one step further in limiting publisher and seller liability. The plaintiff has the burden of establishing actual knowledge by “clear and convincing evidence.” This is the highest standard of proof in a civil matter (just below the “beyond a reasonable doubt” standard in criminal cases).
The plaintiff’s burden to prove the liability of publishers and sellers is reminiscent of the “actual malice” standard applicable in libel cases brought by a public official or public figure. In other words, the revised bill makes it very, very difficult to prove publisher and seller liability.
The revised bill also makes clear that there is no derivative liability for publicizing or selling an image or recording if it had been previously publicized or sold before without violating the Act.
Exceptions to Liability
The revised bill creates exceptions to liability, most notably for activities relating to law enforcement and investigation into illegal conduct. The revised bill also clarifies that the Act does not preclude suits for other legal or equitable relief under other theories, including the Hawai‘i anti-SLAPP law or a claim for publication of private facts.
First Amendment Defense
Perhaps the most interesting feature of the revised bill is an expedited process for handling defenses based on the First Amendment or its Hawaii counterpart, i.e., Hawaii Constitution, Article I, Section 4 (the revised bill does not cite specifically to Section 4, which is the section that parallels the First Amendment, so the expedited process apparently applies to a defense based on any portion of Article I is raised). The basic idea is to give first priority to resolving questions of the constitutionality of enforcing the Act in a particular situation.
Here’s how the expedited process works. If the defendant files a motion to dismiss a claim for violation of the Act based on First Amendment/Article I grounds, the case basically comes to a halt until the motion is decided. The court cannot look outside the allegations in the pleadings to decide the motion, and all discovery is suspended until the motion is decided. The court must hold a hearing and rule on the motion on an expedited basis. If the court denies the motion, the defendant may immediately appeal the denial.
The revised bill also flips the burden of proof. When the defendant files a motion to dismiss based on a First Amendment/Article I defense, the plaintiff has the burden to prove that, more likely than not, the plaintiff’s “claim is [not] barred by a defense based on the First Amendment of the United States Constitution or article I of the Hawaii State Constitution” (note that the quoted language in the revised bill omits the word “not”; that’s probably a typo). If the defendant wins the motion, it can recover damages, attorneys’ fees, costs, punitive damages, and other sanctions against the plaintiff and even the attorneys and law firm representing the plaintiff.
Thoughts on the Revised Bill
The revised bill is much better than the original version. I’m still not convinced, though, that the solution to the problem of overzealous paparazzi is a new law. Hawaii already recognizes the privacy tort of inclusion into seclusion, and that seems to cover the type of intrusion addressed in the concept of “constructive invasion of privacy.” The tort of intrusion into seclusion does not require a physical invasion into the plaintiff’s personal space. The use of visual or auditory enhancing equipment to remotely gain access to the plaintiff’s private affairs would seem already covered under existing law. Creating a new law to deal with the issue would add little new benefits while potentially creating more problems.
Take the expedited process for dealing with First Amendment issues, for example. According to a Standing Committee Report, the expedited process was created in response to constitutional concerns about the Act. As a lawyer who represents media defendants, I welcome extra procedural protections for airing out First Amendment issues. But I do think the expedited process is somewhat sloppy. The process gives too much incentive to a defendant to respond initially to a Tyler Act claim with First Amendment defenses, even unmeritorious ones. The defendant has nothing to lose and everything to gain by using such a tactic. By filing a motion to dismiss on First Amendment grounds, the defendant can freeze discovery in the case, shift the burden of proof to the plaintiff, and potentially reap the benefit of recovering fees, costs, and damages from the plaintiff, his or her attorney, and even the attorneys’ law firm! There are few circumstances in which a defendant should not raise a First Amendment defense. And on the flip side, true victims of constructive invasion of privacy might think twice before suing under Tyler Act due to the risks involved. Which again begs the question: Do we really need the Tyler Act?
Use of Competitor’s Name in Keyword Advertising Ruled Not a Violation of Publicity Rights – Habush v. Cannon, 2013 WL 627251 (Wis. Ct. App. Feb. 21, 2013)
Can your business competitor use your name to promote itself and never mention your name to the public? Keyword advertising makes that possible. A competitor can bid on keyword search terms consisting of your company name to make links to its website appear whenever a person searches for your name on the Internet. A law firm that fell prey to such an advertising strategy decided to sue its competitor for violating its publicity rights, which is a form of invasion of privacy.
Robert Habush and Daniel Rottier are shareholders in Habush Habush & Rottier, a well-known personal injury law firm in Wisconsin. Another Wisconsin law firm also specializing in personal injury law, Cannon & Dunphy (C&D), bid on the keyword search terms “Habush” and “Rottier” through Google, Yahoo!, and Bing. As a result, when a person searched for “Habush” or “Rottier” in one of the three search engines, links to C&D’s website would appear at the top of the list of “sponsored” results, i.e., those links produced by keywords that been bid on and paid for by advertisers. Sponsored results generally appear above the “organic results” generated by the search engine’s algorithm.
Habush and Rottier sued C&D for violating Wisconsin’s invasion of privacy statute. Under the statute, a person’s privacy could be invaded by “[t]he use, for advertising purposes or for purposes of trade, of the name . . . of any living person, without having first obtained the written consent of the person . . . .” The main question was whether C&D engaged in a “use” of Habush and Rottier’s names.
Habush and Rottier argued that any attempt to benefit from the commercial or other value of a person’s name or image is a “use.” Under this interpretation, C&D “used” the names of Habush and Rottier. C&D countered that the statute covers only “use” that is visible to the public. Under that perspective, bidding on names for keyword advertising purposes is not a “use” because the public does not see the use of the names.
The court found both interpretations reasonable, but adopted C&D’s interpretation. The court held back from ruling that unauthorized use of a name can never be an invasion of privacy unless the use is visible to the public, but it agreed with C&D that bidding on a competitor’s name to get one’s ad placed near links to the competitor’s website in search results is not a violation of the competitor’s publicity rights.
The court analogized competitive keyword advertising to “proximity advertising.” Examples of proximity advertising include: a new car dealership opens across the street from an established car dealership; a business advertises on billboards next to a competitor’s billboards; a lawyer places a Yellow Pages ad near the phone listing of competing lawyers. Although a competitor is trying to take advantage of the name of an established business in each of these scenarios, none involves an impermissible “use”, such as when a competitor puts the name of an established business in its ad or on its product. The court similarly did not see a problem with using a third party—in this case, a search engine—to engage in proximity advertising.
LegalTXTS Notes: This is a pretty novel case because most competitive keyword advertising cases are based on theories of trademark infringement or dilution. Since Habush and Rottier are personal names, they might not have acquired sufficient second secondary meaning to qualify for trademark protection, so publicity rights was invoked as a creative alternative.
Hawai‘i has its own publicity rights statute, so would the outcome have been different had the lawsuit been filed in Hawai‘i? Hawai‘i courts have not had the occasion to interpret the statute, but if you buy the reasoning of the court in Habush, the answer is probably not. The Hawai‘i statute is similar enough to the Wisconsin statute for the logic of Habush to apply.
As a partner in a law firm (and therefore a business owner), I’m not sure how I feel about Habush. I think the court rightly rejected the interpretation that any attempt to benefit from the commercial value of a person’s qualifies as a violation of publicity rights. That’s a pretty broad proposition. But something about the decision makes it hard to swallow. There’s an element of deception the court doesn’t adequately address. I wonder if, instead of claiming violation of publicity rights, Habush and Rottier could have sued under an unfair competition theory.
The Senate Judiciary Committee of the Hawaii legislature just voted to approve the “Steven Tyler Act” (SB465), an anti-paparazzi law named after the Aerosmith lead singer, who personally showed up to testify in favor of the bill at a hearing today. The Tyler Act, which apparently was prompted by Tyler’s experience with paparazzi near his Maui home, attracted written testimony from an assortment of celebrities including Britney Spears, Neil Diamond, Tommy Lee, and Avril Lavigne. My favorite testimony letter was Ozzy Osbourne’s because it had a little cartoon drawing of Ozzy in the bottom right corner.
Cartoon from written testimony on SB465 by Ozzy Osbourne, 2/6/13
The final fate of the Tyler Act remains uncertain, but now that it’s taken an important step forward, I thought I’d share my thoughts on the bill in its current form. (The Tyler Act isn’t exactly related to technology law, but I’m blogging about it because I also practice in First Amendment, privacy, and media law.)
It’s important to understand that the Tyler Act mimics California’s anti-paparazzi law (which is currently facing its own legal challenges). As much as legal commentators panned the California law, the Tyler Act should attract its fair share of criticism, if not more, because its language is much more loose and vague. And that’s not good when it comes to writing a law. You know the Aerosmith song “I Don’t Wanna Miss a Thing”? Well, there are quite a few things the Tyler Act misses. Here are some examples.
The centerpiece of the California law is the creation of a new tort called “constructive invasion of privacy.” This kind of invasion of privacy is “constructive” in that it doesn’t require the defendant to have physically trespassed onto the plaintiff’s property. Use of a “visual or auditory enhancing device” is enough. So, a person using a telephoto zoom lens to snap pictures of J-Lo on the balcony of her home could be liable for invasion of privacy without having stepped foot onto J-Lo’s property. The idea is that use of devices to intrude into someone’s private space is just as invasive as physically entering into their space.
The Tyler Act uses the term “constructive invasion of privacy,” but it doesn’t exactly track the theory behind the tort. Here’s the main liability section of the Tyler Act:
A person is liable for a civil action of constructive invasion of privacy if the person captures or intends to capture, in a manner that is offensive to a reasonable person, through any means a visual image, sound recording, or other physical impression of another person while that person is engaging in a personal or familial activity with a reasonable expectation of privacy.
See any reference to “visual or auditory enhancing device”? There is none. The Tyler Act says a person could commit a constructive invasion of privacy “through any means.” A cheapie disposal camera would do it. So would the audio recording app on your iPhone. And if devices lacking in any “enhancement” feature do the trick to capture a “visual image, sound recording, or other physical impression of another person,” query whether there was an invasion of personal space, constructive or otherwise. (Note that if an invasion into private space truly occurred, even in the absence of a physical invasion, Hawai‘i law already provides a remedy through the common law tort of intrusion into seclusion, which is a form of invasion of privacy.)
But the problems with the Tyler Act don’t stop there. The Act applies when the plaintiff is engages in a “personal or familial activity.” That language also appears in the California law, which is defined as “intimate details of the plaintiff’s personal life, interactions with the plaintiff’s family or significant others, or other aspects of the plaintiff’s private affairs or concerns.” Cal. Civ. Code § 1708.8(l). The definition excludes “illegal or otherwise criminal activity ….” The meaning of “personal or familial definition” is pretty vague even with that definition, but at least the California law includes a definition. The Tyler Act doesn’t! It’s anyone’s guess what “personal or familiar activity” means under the Tyler Act.
Similarly, the Tyler Act doesn’t define “offensive” or “reasonable expectation of privacy.” Nor does it contain an exception for publicizing matters of “legitimate public concern,” unlike the California law. This is problematic because it imposes liability for conduct not remotely resembling the opportunistic antics of paparazzi. Suppose a celebrity’s Kauai mansion catches on fire, spreading flames to her neighbor’s homes. The celebrity rushes out to the sidewalk with her kids, watching as firefighters put out the blaze. A photojournalist arrives on the scene and takes a picture of the celebrity and her kids from across the street. He then sells the photo to a local daily newspaper, which uses it alongside a front-page article about the fire. That’s hardly TMZ-style content, but under the vague language of the Tyler Act, the photojournalist and newspaper could be sued for constructive invasion of privacy.
Now, you might ask, why would the newspaper be liable? That’s because the Tyler Act says:
Any person who transmits, publishes, broadcasts, sells, offers for sale, uses any visual image, sound recording, or other physical impression, or who subsequently retransmits, republishes, rebroadcasts, resells, reoffers to sell, or reuses any visual image, sound recording, or other physical impression that was taken or captured in violation of this section shall constitute a violation of this section if:
(1) The person had actual knowledge that the visual image, sound recording, or other physical impression was taken or captured in violation of this section; and
(2) The person received compensation, consideration, or remuneration, monetary or otherwise, for the rights to the unlawfully obtained visual image, sound recording, or other physical impression.
Imposing liability for publishing information obtained in violation of the Tyler Act runs into First Amendment problems. Under Supreme Court precedent, the First Amendment protects speech that publishes the contents of a communication that was illegally intercepted as long as the publisher itself did nothing illegal to obtain the communication. See Bartnicki v. Vopper, 532 U.S. 514 (2001). Even more troubling is the Tyler Act’s authorization of courts to issue injunctions against future violations of the Act. Since publication of information obtained in violation of the Tyler Act could itself violate the Act, a court could literally issue an order “halting the presses.” That’s called a prior restraint, which is regarded by courts as the most offensive of First Amendment violations.
There are other problems with the way the Tyler Act is written – like the absence of an exception to liability for actions taken in a legitimate law enforcement investigation, or the fact that the Act is not limited to actions taken in Hawai‘i (unlike the California anti-paparazzi law, whose applicability is limited to actions within California) – but I think the point is made well enough. Although the Tyler Act is well-intentioned, more thought and care needs to go into making it a clear, constitutional law that doesn’t inadvertently turn well-meaning fans, reporters, and publishers into law-breakers.
Now that the 2013 legislative session in Hawai‘i is in full swing, let’s take a look at what new measures are in the pipeline to regulate Internet activity. A chart of relevant information about each bill is available here. Here’s a summary of the Internet-related proposals working their way through the legislature.
Social Media and Internet Account Passwords
A set of bills (SB207 and HB713) proposes to join other states in banning employers from asking employees or job applicants to disclose the passwords to their personal social media accounts. Another set of proposals (HB1104 and HB1023) would extend the ban to educational institutions and their students or prospective students.
Three bills (HB1226, SB525, and HB397) would require the board of education to adopt various policies and programs to combat cyberbullying in public and charter schools.
Apparently responding to incidents in which teachers and students conducted inappropriate relationships online, HB678 would allow a teacher in a public or charter school to engage in electronic communication with a student (including cell phone calls) only on Department of Education networks and systems.
SB325 would require businesses to implement a comprehensive, written policy and procedure to prevent identity theft and train all employees in implementation of the same.
HB462 would establish a statewide cybersecurity council to identify and assess critical computer infrastructure, identify cybersecurity “best practices,” recommend incentives for voluntary adoption of such best practices, evaluate the efficacy of such practices, and report annually to the legislature.
We’ll be tracking these bills, reporting on their status periodically, and posting revisions to the chart. Stay tuned!