Congress Readies Itself to Tackle Cybersecurity Legislation

Written by Keenan W. Ng

With Congress coming back from its summer recess, it will be focusing on a few cybersecurity related bills.  One of the most controversial of these bills is the Cybersecurity Information Sharing Act of 2014 (“the Act”), introduced by Senator Dianne Feinstein (D-CA) and Senator Saxby Chambliss (R-GA) for the fourth consecutive year.  The Act is supposed to “improve cybersecurity in the United Sates through enhanced sharing of information about cybersecurity threats, and for other purposes.”  While some of the ideas and the language behind the Act seem reasonable and commonsense, the devil is in the details- or rather, the definitions in the Act- and could have some very interesting implications for individuals and businesses. 

The Act allows for private companies and the Federal government to share information categorized as “cyber threat indicators” and “countermeasures” as they relate to cybersecurity threats and cybersecurity purposes.  Private companies could also share such information with other private companies for the same purposes.  The Act would also allow private companies to monitor their own “information systems,” as well as the information systems of other companies and Federal entities with written consent.       

For companies sharing applicable information with other companies, the Act would provide an antitrust exemption if applicable information is shared for cybersecurity purposes as defined under the Act.  Though to be sure, the Act does not protect any sharing of information that would permit price-fixing, monopolizing, or other conduct that would traditionally violate federal antitrust laws.

The Act also provides companies with protections from liability (1) if a firm monitors information and information systems as consistent with the Act; (2) if a firm shares or receives cyber threat indicators or countermeasures as consistent with the Act; and (3) if a firm believed in good faith that it was actions were permitted under the Act.  

Not surprisingly, many civil liberties organizations such as the American Civil Liberties Union and the Electronic Frontier Foundation have expressed considerable concern with the Act.  In particular, key terms such as “cyber threat indicators,” “countermeasures,” “cybersecurity purpose,” and “cybersecurity threat” are very broadly defined, thus encompassing a vast amount of information that private companies might “voluntarily” provide to Federal agencies.      

Because of the liability protections provided by the Act, however, consumers and those whose information is shared with Federal agencies would have little to no recourse through the courts.  For businesses, however, the Act provides some breathing room – from a legal standpoint – with regard to sharing information.  Whether this elicits a consumer response is an entirely different matter.             

Ninth Circuit Affirms That Yelp! Can Use Hardball Sales Tactics To Sell Advertising To Businesses

Written by Keenan W. Ng

On Tuesday, the Ninth Circuit affirmed a district court ruling in Levitt v. Yelp! Inc. dismissing an action by a group of small businesses that Yelp! extorted, or used extortionate sales tactics, to induce small businesses to purchase advertising with Yelp! in violation of the federal Hobbs Act (civil extortion) and the California Unfair Competition Law.  The plaintiffs generally claimed that Yelp! sales people contacted them about purchasing advertising services in connection with their Yelp! pages.  When the plaintiffs declined to purchase the advertising, the plaintiffs alleged that Yelp! manipulated its service to lead to a downgrade in the businesses ratings.  The plaintiffs alleged that such tactics included removing positive reviews, re-posting negative reviews that had previously been taken down, allowing more negative reviews to appear first, and even authored negative reviews. 

    

Judge Marsha S. Berzon, writing for the Court, found that Yelp!’s tactics, while certainly could be considered “hard-bargaining,” did not amount to civil extortion because “a litigant must demonstrate either that he had a pre-existing right to be free from the threatened harm, or that the defendant had no right to seek payment for the service offered.”  In short, the plaintiffs had to show that Yelp! had no right to manipulate its own ratings algorithms to plaintiff’s detriment or that Yelp! had no right to seek payment for its advertising services. 

The Court stated that the businesses had no pre-existing right to be on Yelp! or to have positive reviews.  Moreover, because the website and review service belongs to Yelp!, it has not obligation to provide all, or even any, reviews of the businesses as “Yelp [would be] withholding a benefit that Yelp makes possible and maintains.”  In short, the review service that Yelp! provides is its own service; it can do what it wants with it, even manipulate the review process.  Asking businesses to pay Yelp! for more favorable treatment is not extortion because Yelp! had a right to control its own processes. 

With respect to the allegation that Yelp! purposefully authored negative reviews, the Court found that the plaintiffs were unable to point to any evidence suggesting that Yelp! engaged in those practices as the posts a generally anonymous due to the use of screen names. 

What does this opinion mean?  It means that Yelp! is a business and the fact that it is on the Internet changes nothing.  While many see the Internet as a public good, the services that are provided on the Internet most certainly are not.  You are not entitled to use Yelp! or any other online service and that can be swiftly taken away because you are always using those products under their terms.    

With that in mind, businesses should be wary about their actions on the Internet and to be cautious about the level of trust they place in Internet companies.  In addition to being cognizant of a product’s terms of service think about ways that use of the service could go awry.  The Internet feels like a public domain, but it is full of for-profit businesses, just like the real world and you should be as wary of a for-profit website as you would be of a brick-and-mortar business.