III. Social Media Litigation
JLM Couture, Inc. v. Gutman was brought by JLM Couture, a clothing design firm, against Hayley Paige Gutman, the lead designer for JLM’s bridal collection before her resignation. The dispute was over the control of Gutman’s social media accounts. In Gutman’s contract with JLM, she signed over rights to the intellectual property in her name and designs. The history of her accounts showed high levels of cooperation between herself and JLM, promoting products, lines, and JLM itself. JLM moved for a preliminary injunction to prevent Gutman from making any changes to social media or using any of the intellectual property associated with her name or designs, on the grounds that she had breached her contract. The U.S. District Court for the Southern District of New York granted JLM a preliminary injunction prohibiting Gutman from changing or using the social media accounts. However, the court refused to enjoin Gutman from publicly disparaging JLM, inasmuch as she had not contractually waived her right to speak about JLM, and given the First Amendment rule against prior restraints.
In Takeguma v. Freedom of Expression LLC, plaintiffs were models whose images were used, without their permission, in social media advertising for a strip club owned and operated by the defendant. Plaintiffs asserted claims for misappropriation of likeness, violations of the Lanham Act, and false light invasion of privacy.
In deciding the cross-motions for summary judgment, the court first found that the false light tort was time-barred because the statute of limitations began to run with the initial publication of the social media advertisements. Not time-barred, however, were plaintiffs’ common law right of publicity claims. The court began by finding a common law right of publicity in Arizona based on a combination of state decisional and statutory law. The court then found that the right of publicity in Arizona was a property claim, not a libel or slander claim, and thus was subject to a two-year, not a one-year, statute of limitations. Lastly, the court found that triable issues remained in deciding plaintiffs’ false association claims under the Lanham Act. On the other hand, the court granted summary judgment to defendant on the false advertising claims, finding that plaintiffs’ claimed injuries were not within the “zone of interests” protected by the Lanham Act and that the alleged wrong was not the proximate cause of plaintiffs’ injuries.
IV. Computer Fraud and Abuse Act Cases
The Computer Fraud and Abuse Act of 1986 imposes criminal penalties against one who “intentionally accesses a computer without authorization or exceeds authorized access.” How to determine when someone “exceeds authorized access” has been problematic for courts because the intricacies of computer programs have expanded with time and the lines of authority and permitted access have blurred. In Van Buren v. United States, the U.S. Supreme Court shed some light on the meaning of that term.
Van Buren was a former police sergeant who ran a license-plate search in a state law enforcement database in exchange for $5,000, despite being aware that he was only allowed to use the database for law enforcement purposes. The government charged Van Buren with a felony violation for “exceed[ing] authorized access” of the computer system. The Eleventh Circuit found that Van Buren’s misuse of the computer was a violation of the CFAA because he had accessed the license plate database for an “inappropriate reason.” However, because other circuits had taken a narrower view of what it meant to exceed authorized access, the Court granted certiorari to settle the issue.
The Court reversed the Eleventh Circuit and held that Van Buren did not violate the CFAA. Even though he had an improper purpose for obtaining the data, he did not “exceed[] authorized access” because he had access to the database and was authorized to use it to retrieve license plate information. In dicta, the Court said that it would have been a violation if Van Buren had authorization to access the computer but then accessed folders, files, or databases that were off-limits to him. Commentators have said that the Court adopted a “gates up or down” approach to the CFAA, meaning that to violate the provision, a person must “bypass a gate that is down that the person isn’t supposed to bypass.”
In United States v. Eddings, the U.S. District Court for the Eastern District of Pennsylvania relied on the “gates up or down” approach to decide a case where an ex-employee who retained password access to her former employer’s computers accessed documents from the company’s e-mail server and sent them to donors and media members as part of an extortion plot. Her defense was simple: the gate was up, so she could not have violated the CFAA. The court, however, found that mere possession of a password was not enough to make access “authorized,” citing instances of password trafficking which are forbidden by the CFAA, and distinguishing Van Buren. The same court relied on Van Buren in deciding KBS Pharmacy, Inc. v. Patel. The facts more closely resembled those in Van Buren; pharmacy employees who had authorized access to the pharmacy’s database misused the information in starting their pharmacy nearby. The court found that the CFAA claim should be dismissed because, as in Van Buren, the defendants had access to the database at the time and only later misused the information.
In United Federation of Churches LLC v. Johnson, the plaintiff, perhaps better known as the Satanic Temple, brought claims against former members who hijacked two of its Facebook pages. Collectively, the two Facebook pages have over 17,500 followers. Access to the Facebook pages was controlled by the Church and limited to approved administrators who were subject to a code of conduct. The defendants in the case had been authorized administrators. After they renounced their membership in the Church, they took control of the Facebook pages and posted manifestos on the pages about what they claimed were abuses of the Church.
The Church brought several claims against the defendants, including claims under the CFAA, the Anti-Cybersquatting Consumer Protection Act (“ACPA”), and defamation. The court held that plaintiff failed to state a claim under the CFAA because it did not allege it had revoked the defendants’ authorization to access the Facebook pages. It also held that a post-domain path (i.e., “TheSatanicTempleWashington” in facebook.com/TheSatanicTempleWashington) is not a “domain name” and therefore use of plaintiff ’s trademark in that path is not a violation of the ACPA. Lastly, it declined to rule on the defamation claim, invoking the doctrine of “ecclesiastical abstention” and finding it “may not resolve the defamation claim without delving into doctrinal matters.”
V. Deceptive Business Practices
MoviePass, a subscription service launched in 2011, allowed members to watch as many movies as they wanted at any theater they wanted. According to the complaint issued by the Federal Trade Commission (“FTC”) in 2018, MoviePass realized that it was facing a significant cash deficit and decided to implement fraudulent business practices. For the subscribers using MoviePass most frequently, MoviePass implemented “password disruption,” a practice that invalidated the passwords of 75,000 subscribers and forced them to reset their passwords. It also imposed ticket verification requirements on 20 percent of users, which obstructed the use of the product due to problems with the software. MoviePass also failed to protect its customer data from unauthorized access. These practices, the FTC alleged, violated the FTC Act, and the negative option subscription plan violated the Restore Online Shoppers’ Confidence Act. MoviePass settled the claims with the FTC in exchange for promises to refrain from misrepresentations and comply with mandated security programs and third-party monitoring. MoviePass was bankrupt at the time of the consent order and unable to pay any money judgment.
Randon Morris, through a group of companies that he controlled, initiated millions of robocalls to households throughout the United States, promising work-from-home positions that would pay hundreds of dollars a day and falsely claiming to be associated with Amazon.com. People who paid defendants to create a website that would purportedly allow them to earn commissions from Amazon were left with a useless and occasionally defunct website with no way to recover their money. The FTC alleged that they had violated the FTC Act and the Telemarketing Sales Rule. Defendants stipulated to an order banning them from using robocalls or offering work-from-home business schemes and requiring them to pay over $2 million to settle the claims.
Flo is a popular and accessible smartphone app that allows consumers to track their menstrual cycles and gives them predictive information about ovulation and general gynecological health. Given the nature of the app, women must input sensitive health data to use it. In its privacy policy, Flo assured users that information shared with third parties did not include data related to the user’s menstrual cycle, pregnancy, or symptoms. However, Flo allegedly did share some of this information with third parties, including Facebook and Google. The Wall Street Journal broke the story that Facebook could use snippets of code to intercept a user’s sensitive health information transmitted from apps like Flo. The FTC alleged that Flo made numerous misrepresentations about privacy of users’ data, in violation of section 5 of the FTC Act. Flo agreed to a consent order prohibiting it from making misrepresentations about privacy and requiring it to instruct third parties to delete its users’ personal data.
Everalbum is a photo storage company and app that used facial recognition technology as part of its service. It allowed users to tag faces that its software would then group with similar faces. The FTC alleged that the facial recognition service was turned on by default despite Everalbum’s representations that it required affirmative action to use. When users deactivated their accounts, the app informed them that Everalbum would delete their photos. However, Everalbum allegedly retained photos in deactivated accounts indefinitely. The FTC alleged that through these misrepresentations Everalbum had violated section 5 of the FTC Act. Everalbum entered into a consent decree with the FTC, which requires deletion of photos on deactivated accounts and prohibits misrepresentations.
VI. Cybersecurity
Drizly, an alcoholic beverage delivery company, faced a class-action lawsuit in Massachusetts that alleged that a data breach had occurred, leading to customer information (including e-mail addresses, dates of birth, phone numbers, and IP addresses) being leaked to third parties on the “dark web.” Drizly agreed to a settlement with the class, paying $7.1 million in total. Each member of the class is anticipated to get around $14. The settlement agreement benefitted both sides: Drizly could have faced massive exposure had the suit been allowed to continue, and the plaintiffs might have had difficulty overcoming hurdles such as standing and proving injury.
Skymed sells emergency travel and medical evacuation services. Skymed’s website displayed a very prominent “HIPAA compliance” seal. Skymed admitted that the seal should not have been on the website and removed it in April 2019. The company allegedly failed to secure customers’ data leading to a security incident in May 2019. The FTC alleged that Skymed violated the FTC Act by misrepresenting its compliance with HIPAA and failing to secure customers’ data. The company agreed to a consent order requiring it to adopt a comprehensive security plan to prevent future incidents.
Ascension is an analytics company that provides mortgage data to other companies. One of its vendors, OpticsML, received mortgage information that contained the personal information of tens of thousands of consumers. Ascension was required to vet the security measures of OpticsML but failed to do so. OpticsML allegedly allowed the information to sit on an insecure server, allowing approximately fifty-two unauthorized IP addresses to access the information, some tied to Russia and China. The FTC alleged that this was a violation of the Gramm-Leach-Bliley Act Safeguards Rule. Ascension agreed to settle the claims in exchange for a mandated data protection plan.
VII. Conclusion
The survey period has provided numerous decisions with far-reaching implications. Practitioners should monitor the continuing evolution of the TCPA and CFAA as case law continues to limit liability. Considering the dramatic increase in online commerce, the FTC will undoubtedly continue to police cyber business practices. Similarly, disputes involving social media accounts will continue to proliferate.
Richik thanks Nathan J. Hall, Washington University School of Law, J.D. candidate 2022, for his immense contribution to this survey.