June 01, 2020

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

Court Enforces Arbitration Clause Against Contractor of Customer

By John Ottaviani, Partridge Snow & Hahn LLP

A Pennsylvania federal court recently enforced the arbitration clause in an online license agreement where each log-on displayed a link to the terms and stated that use of the system constituted acceptance of the terms. Healthplan CRM, LLC d/b/a Cavulus v. Avmed, Inc., No. 2:19-cv-1357NR (W.D. Pa. April 28, 2020).

Avmed subscribed to Cavulus’s cloud-based customer relationship management (CRM) software for insurance companies managing Medicare Advantage plans, pursuant to a license agreement that contained an arbitration clause.  Avmed decided to replace Cavulus with another CRM platform.  Instead of asking Cavulus to provide Avmed’s customer information in a suitable electronic format, Avmed decided to engage NTT to transition its historical customer data to the new CRM platform, granted NTT a sublicense to access the Cavulus platform to do so, and notified Cavulus of the arrangement.  When Cavulus suspected that NTT was going beyond mere copying of data and was copying Cavulus’s “customized and proprietary workflows and recreating them” in the new CRM platform, Cavulus filed a demand for arbitration against Avmed and NTT for breach of contract, theft of trade secrets, and violations of the Pennsylvania Uniform Trade Secrets Act.  After NTT refused to participate in arbitration, and Avmed objected to arbitrability of the claims, NTT sued to enforce arbitration.  The court agreed with Cavulus and ordered the parties to arbitration.

The court disagreed with NTT that it was not bound by the arbitration provisions of the license agreement.  Evidence revealed that 9 NTT employees logged into the Cavulus system more than 75 times on behalf of Avmed.  Each time, the NTT employee was presented with a screen that required the entry of a user name and password, and to click on a LOG ON button.  About one inch below the entry boxes, was a single sentence reading “Use of Cavulus constitutes acceptance of the End User License Agreement,” with a hyperlink to the Agreement itself.  The court found the presentation of terms to be reasonably conspicuous and enforceable against NTT.  In particular, the link was not concealed at the bottom of the webpage or in fine print, the blue hyperlink stood out against the white background of the page, and the link appeared in a sentence that straightforwardly advised the user that use of the platform constitutes acceptance of the linked terms.

The case also follows the recent (and very helpful) trend of including screen shots in the opinion to demonstrate how the user engages with the website.Cybersecurity

Law Firm Must Face Cyberattack Claim from Client

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

A law firm that allegedly made promises regarding its cybersecurity in agreeing to represent a prominent Chinese political dissident now faces malpractice claims from the client, after his information was published by hackers. Wengui v. Clark Hill, PLC, C.A. No. 19-3195 (JEB) (D. D.C. Feb. 20, 2020). Law firm Clark Hill, PLC, agreed to represent businessman Guo Wengui in connection with his application for asylum and allegedly represented to Wengui that the firm had adequate cybersecurity in place to withstand hacking that Wengui warned would target the firm, presumably from persons associated with the Chinese government. After hackers breached the firm’s computer systems and published Wengui’s confidential information on the internet, Clark Hill withdrew from the representation on the grounds that it may be called as a witness in connection with the asylum application.

Wengui sued the firm for legal malpractice, among other claims. The U.S. District Court for the District of Columbia granted the law firm’s motion to dismiss as to the firm’s withdrawal, finding that Wengui failed to allege it caused injury. But the court denied the firm’s dismissal motion with respect to the cyberattack, finding that Wengui had sufficiently pleaded the firm misrepresented its security precautions and mishandled Wengui’s confidential information. Additionally, Wengui had sufficiently pleaded harm from the disclosure based on the publication of his information by the hackers.

Redbox Watches Online Agreement Process Fail

By John Ottaviani

Redbox attempted to enforce its online terms and conditions, containing an arbitration clause, against a user who filed a lawsuit alleging that Redbox had sent unauthorized text messages. But in Wilson v. Redbox Automated Retail, LLC, No. 19-cv-01993 (N.D. Ill. March 25, 2020), Redbox watched the court dismantle Redbox’s agreement procedure and refuse to enforce the arbitration provision.

The court examined both Redbox’s kiosk purchase screens and online sign-in screens and found them inadequate to provide a user with “constructive notice” of the applicable terms and conditions. With respect to the kiosk screen, the court found that the “PAY NOW” button that the user clicks to effect the transaction and manifest assent to the terms and condition was separated by two other button from the terms of use. Because of the intervening buttons and the general clutter of the screen, the court found that customers renting at the Redbox kiosk did not have constructive notice that they were assenting to the Terms of Use when hitting the  “PAY NOW” button, and refused to find that the customer had agreed to the Terms of Use when renting a movie from the Redbox kiosk.

Similarly, the court found that users who rented movies online did not agree to the Terms of Service when they logged into their accounts.  In this case, the court found that the sign in screen did not have the same “clutter problem” as the kiosk screen.  However, after examination, the court found that the hyperlinks to the terms of use were not conspicuous enough.  Redbox’s hyperlink contained white text to contrast with other gray text on the page but did not contain any other distinguishing characteristics (such as underlining, bolding, capitalization, italicization, or large font), and did not match the style used for the other hyperlinks on the page.  As a result, the court concluded that the user never assented to Redbox’s terms of use and refused to enforce the arbitration clause.

The decision is consistent with decisions of the First Circuit in Cullinane v. Uber Technologies, Inc., and the Second Circuit in Meyer v. Uber Technologies, Inc.  The case also follows the recent trend of including screenshots in the opinion to demonstrate how the user engages with the website.  Finally, the case illustrates that courts are continuing to raise the bar and refusing to enforce many online contract formation processes that do not provide a clear and conspicuous notice of terms and do not require a clear manifestation of assent.

Second Circuit Denies En Banc Review of 2019 Ruling on Donald Trump’s Twitter Activity

By Emily Bryant-Álvarez, Morris Nichols Arsht & Tunnell, LLP

The Second Circuit denied rehearing en banc its 2019 decision which held that President Donald Trump violated the First Amendment by blocking the Knight First Amendment Institute, among others, from interacting with his Twitter account. Knight First Amendment Inst., et al. v. Donald J Trump, et al., C.A. No. 18-1691 (2d Cir. Mar. 23, 2020). In its earlier ruling, the Court found that the dialogue on Twitter resulting from President Trump’s tweets constitutes a public forum, and that his blocking of Twitter followers, a form of state action, results in viewpoint exclusion. The dissent argued that the President’s Twitter account is personal and therefore not a public forum.

The Court affirmed that the First Amendment does not permit a government official who uses a social media platform for official purposes to exclude persons from an otherwise open dialogue because they expressed views disfavored by an official. For First Amendment purposes, the Court noted, the critical question is how President Trump uses his personal account, created six years before he took office, in his capacity as president. Pointing to numerous examples, as well as statements from his own administration, the Court concluded that President Trump’s Twitter account is his primary vehicle for official communications. As such, blocking responses to such communications constitutes state action. Further, the Second Circuit affirmed that the distinction between the President’s tweets, categorized as government speech, and the interactive space on Twitter in which the public engages with such tweets, categorized as a public forum, was appropriate.  It analogized Twitter dialogue to the portion of a town hall meeting in which public comment is permitted, and noted that a public forum need not be spatial or geographic, consistent with other Second Circuit decisions.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.