The High-touch Legal Services® Blog • For Startup/Early-stage Companies

On December 28, 2009, RockYou, a developer of applications for Facebook and other social networks, was sued in the U.S. District Court for the Northern District of California. The class action complaint alleges failure to encrypt users’ e-mail addresses and passwords and was filed shortly after a hacker copied that information for 32 million RockYou users.

RockYou’s potential exposure is huge. Among the various causes of action are:

• Breach of contract
• Negligence
• Violation of California’s Unfair Competition Law (Business & Professions Code Section 17200)
• Violation of California’s Computer Crime Law (Penal Code Section 502)
• Violation of California’s Security Breach Information Act (Civil Code Section 1798.80)
• Violation of California’s Consumer Legal Remedies Act (Civil Code Section 1750)

The lesson for any company that stores users’ personally identifiable information: Make sure that information is encrypted!

This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.

A few months ago, I posted Does your Employee Handbook address social media? This post discusses a specific social-media issue that is of great importance to every employer: Online endorsements of products or services by employees.

The Federal Trade Commission has published Guides Concerning the Use of Endorsements and Testimonials in Advertising. Actions that are inconsistent with the Guides may result in an FTC enforcement action.

Read more…

Megan Meier, the victim

Lori Drew is the woman who, using Myspace in 2006, cyberbullied 13-year-old Megan Meier into committing suicide.

Drew’s actions were, without question, reprehensible. The interesting issue for this post, however, is the U.S. government’s decision to bring criminal charges under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. Section 1030.

Under CFAA, it is a crime to access a computer without authorization or in excess of authorization. The government alleged that because Drew created a false identity on Myspace, in violation of Myspace’s terms of service, to bully Meier, Drew violated CFAA in a manner that resulted in Meier’s death.

Although the jury found Drew guilty of misdemeanors under CFAA, the judge determined, as a matter of law, that CFAA was void for vagueness: Users cannot reasonably be expected to know that any conscious violation of any website’s terms of service constitutes a criminal act, and law enforcement would have too much discretion in enforcing the law. United States v. Drew, U.S. District Court for the Central District of California, 8/28/2009.

For some time, now, I, too, have thought that use of CFAA in this case was inappropriate, but for a different reason: In my opinion, Drew did not use Myspace’s computers without authorization or in excess of authorization – she used them under false pretenses, which is a different issue.

* * *

Follow-up: California’s equivalent to the CFAA is set forth in Penal Code Section 502.

This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.

An unhappy tenant wrote the following tweet about her landlord: “Who said sleeping in a moldy apartment was bad for you? Horizon realty thinks it’s okay.”

The landlord learned about the tweet and, in response, filed a $50,000 lawsuit stating that the tenant maliciously and wrongfully defamed the landlord.

More details on Avvo.

The moral: When using social media, be very careful about what you write about any company or person. If you would be reluctant to make the statement to its/his/her face, think twice before you post it.

This blog does not provide legal advice and does not create an attorney-client relationship. If you need legal advice, please contact an attorney directly.