The Legal Risks of New Technology

By: Jeffrey S. Tenenbaum and A. J. Zottola

Even though new technologies offer a number of benefits to associations, they can bring potential legal traps as well. Here's what you need to know to keep your association from getting caught in one. (Titled "Don't Get Trapped" in the print edition.)

New technology brings new opportunities for associations to leverage communication devices, systems, and networks. However, incorporating new technology into an association's operations or its external communication, membership, or marketing efforts without first considering the potential legal risks can expose the organization to liability. In order to keep from falling into these legal traps, associations must not only be aware of them but must also take proactive steps to avoid them. Here are some of the top legal traps that can snare an association using today's technology.

Trap 1: Online/Electronic Contracts

Electronic contracts are generally enforceable to the same extent as paper contracts. The Uniform Electronic Transactions Act, which provides that an electronic signature satisfies any legal requirement for a signature on a contract, has been adopted by 47 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Federal legislation, called the Electronic Signatures in Global and National Commerce Act, also endorses the use of electronic contracts in interstate commerce. However, even if electronic contracts are generally enforceable, associations that enter into contracts online still have to be mindful of contract formation requirements, such as showing knowledge of and agreement to the contract by both parties. Additionally, electronic contracting requires consideration of certain related issues, such as maintaining the level of security and authentication needed to reasonably verify the identity of the parties entering the contract.

Once an association decides to make its resources available online, the association should consider setting forth specific terms and conditions governing their use. These terms and conditions should address common issues such as end-user conduct, permissible use of intellectual property, notice of proprietary rights, disclaimers, limits on liability, the association's role or responsibilities, and other relevant legal issues. With respect to posting such terms and conditions, the association should not rely solely on mere notice. Recent court decisions suggest mere notice, without demonstrating agreement, is not sufficient to make the terms and conditions enforceable. Maintaining an enforceable legal document should be accomplished by providing both notice and an opportunity for the end user or other party to review the applicable terms and conditions and subsequently demonstrate agreement with them. An association also should implement a process to document and maintain a record for the online formation and execution of an electronic agreement in the same general manner that it keeps records of its paper contracts.

Trap 2: Social Media

Associations that operate interactive websites, listservers, blogs, or online forums or that utilize online social networks may face the risk of their users posting content that infringes or violates the rights of others. For example, with respect to copyrightable works owned by third parties, such as articles written by others, an association could be vicariously liable for copyright infringement if an association employee made the posting without the permission of the copyright owner and at or under the association's direction as the employer. If the posting was done by a third party, such as a member, an association could become liable if it contributes to the posting of the infringing content, alters the material so as to contribute to its content, or if it knew or should have known of the infringement and did not take prompt corrective action.

The safe-harbor provision of the federal Digital Millennium Copyright Act may help shield an association from liability for third-party postings that contain infringing material as long as the organization itself maintains a neutral role. The federal Communications Decency Act also provides some protection from defamation and other tort liability for postings by third parties as long as the association does not become the publisher of the content. Note that the CDA does not provide protection from antitrust, copyright, or trademark-infringement liability.

To further avoid potential risk, an association should post terms and conditions that govern the behavior of third-party posters and its employees and that clearly identify the type of acceptable content that may be posted to the website or other interactive online forum. In addition, associations should maintain a policy governing social media use by association employees.

Social media or networking sites also make it easier for someone to masquerade as another person or entity. For example, in LaRussa v. Twitter, Inc., Major League Baseball manager Tony LaRussa sued Twitter after discovering that someone both created an account using his name and posted negative tweets about him. LaRussa sued Twitter for trademark infringement as well as cybersquatting and misappropriation of his name. Although the suit was later voluntarily dismissed, it provides an example of both the need to monitor and enforce an association's online identity and the risk that can arise when an association does not establish and identify its official online presence. This is especially critical when an association plans to permit others, such as state and local chapters, to use its name online. An association should declare which sites are its own and provide rules for when someone else is using the association's name or trademark outside of its official sites.

Trap 3: Trademark

As a general rule, an association should only use a third party's trademark with permission. In addition, an association should remain vigilant with respect to protecting its own trademarks. Associations should monitor for impermissible use of the association's name or trademarks in or as keyword search terms, user account names, or as the primary variables in unauthorized search-engine-optimization efforts. To protect against trademark infringement via online advertising or online social networks, associations should consider reserving their own trademarks as user account names and as online search keywords to claim rights in the character string equal to an association's full or most recognizable names. And if they believe their trademarks are being improperly used, associations need to notify and communicate with the appropriate search engine operators or online advertisers.

Domain names remain another area where trademark rights can be easily trampled. Associations want domain names that are equivalent or similar to their organization's name, so they must remain diligent in their efforts to protect their trademark rights in connection with certain domain-name reservation or registration practices. Although registrars now recognize the protection and enforcement of trademark rights in their domain-name registration practices, new forms of cybersquatting constantly arise in connection with the increasing number of available top-level domains for domain-name registration.

For example, front runners are domain prospectors who register names immediately after potential brand owners have filed trademark registration applications with the U.S. Patent and Trademark Office. This has the effect of requiring the potential brand owner to purchase the domain name from the domain prospector. To protect against front running, associations should consider simultaneously registering for a domain name and trademark.

Associations must also remain aware of cybersquatters that engage in drop catching, in which a cybersquatter waits for a domain-name registration to expire and then immediately registers the domain name. Cybersquatters profit by building traffic off of the prior registrants. This is especially true of domains that contain trademarks. Associations can avoid drop catching by being proactive in their efforts to renew their domain names.

Trap 4: New Technology

When a new technology gains widespread use and acceptance, it is still important for an association to be aware of the related legal or business requirements and potential risks associated with it. For example, more and more associations are conducting business transactions and accepting payment through their websites. Associations that utilize credit and debit cards to process payment transactions should ensure that their efforts to protect consumer account information comply with PCI Data Security Standards. PCI DSS is a set of 12 security standards created by the credit card industry that are intended to help organizations protect customer account information from theft and misuse.

Though there are no federal or state laws that mandate compliance with all 12 PCI standards, several states, including Minnesota, have recently enacted statutory requirements similar to PCI DSS. The Minnesota law prohibits merchants from storing sensitive authentication data after payment cards are authorized. As a result, associations that process payment-card data should validate their data security, handling, and storage processes and take proactive steps to ensure their compliance with PCI DSS. They will also need to implement the necessary security programs and measures required to remain in compliance with PCI DSS. Though PCI compliance may be cumbersome or costly, secure payment systems will avoid running afoul of PCI DSS requirements and will help associations preserve member loyalty and brand value. (For more on PCI DSS, see "PCI Simplified," TechnoScope, December 2009.)

Associations also must protect against the risks that accompany employee use of employer-issued mobile devices. Many associations are permitting use of, or even providing their employees with, mobile devices to facilitate their work. Doing so means that employers should make every effort to protect the information managed or stored through such devices in the same manner that the association manages the information on its own internal computer network. For example, the use of third-party applications on mobile devices is now a prevailing norm. Though most mobile-operating-system vendors require third-party applications to be tested for approval and certification, this often is not enough protection to avoid viruses or other forms of malware, making it essential for associations to purchase antimalware programs and adopt measures that address both their internal and mobile networks. Additionally, employers should implement processes to protect information on employee mobile devices that are lost or stolen.

Trap 5: Employee Use

Since new technology makes it easier to access and disseminate information, trade-secret protection becomes harder to manage and enforce. Trade-secret owners therefore must take extra precautions for the use, handling, and transmission of their valuable or proprietary information in digital form. Associations should implement policies directed specifically at disclosure that may occur online or through mobile devices that focus on restricting and controlling employee access to and disclosure of trade secrets. For example, associations should prohibit employees from storing confidential information on unauthorized digital devices or posting confidential information on unaffiliated websites. Additionally, associations should actively promote security compliance to their employees and require that employees promptly report any security breaches. Finally, upon termination of employment, associations should require employees to delete any association information that has been stored on personal electronic devices.

In addition to remaining mindful of trade secrets in connection with mobile devices, the capabilities of remote access are increasingly expanding the traditional notion of the workplace. This expansion has ramifications on both controlling and monitoring employee conduct. According to the U.S. Supreme Court's recent decision in City of Ontario v. Quon, employers can monitor employee text messages on employer-issued mobile phones or pagers—if done in the appropriate manner. In that case, the city reviewed an employee's text messages (and those of two fellow coworkers) after the employee exceeded his texting limit. In conducting its review, the city discovered many of the employee's text messages to be personal and sexually explicit. The court held that the search did not violate the employee's Fourth Amendment rights to reasonable search and seizure. (For more info on Quon, see "Updating E-Communication Privacy Policies," Association Law & Policy, July 2010.) While Quon involved a government employer and thus posed different legal standards than most associations face, it serves as an important reminder that associations should consider adopting policies that explicitly address telecommuting as well as the ability to monitor employee conduct outside an association's own offices (e.g., on personal computers linked to the association's network) and that specifically make clear to employees that they have no reasonable expectation of privacy when using these services.

In addition to safeguarding confidential information and maintaining productivity, monitoring can be justified as necessary to help protect associations from vicarious liability for employee conduct. Courts have regularly held employers liable for their employees' inappropriate use of employer-provided mobile devices. For example, in Ellender v. Neff Rental, Inc., an employer was held vicariously liable for the negligence of an employee who caused an accident in his personal vehicle while conducting business on his employer-provided cell phone. Therefore, associations should establish written policies that work to monitor and deter inappropriate use of association-related devices both in and outside of the office.

While new technology may help associations build community and engage members, it's also important that they consider the legal implications that come with the technology. If associations take proactive steps, they can avoid the traps and continue to serve their members at the highest level.

Jeffrey S. Tenenbaum chairs Venable's Nonprofit Organizations Practice Group in Washington, DC. A.J. Zottola is a partner at Venable in the Technology Transaction & Outsourcing Group in Washington, DC, and focuses his practice on intellectual property, computer, internet, new media, and technology law.

This article is not intended to provide legal advice or opinion and should not be relied on as such. Legal advice can only be provided in response to a specific-fact situation.