In early February 2020, before most of us were truly aware of the implications of COVID-19, a well-respected IT consulting group predicted a $4.3 trillion global spend on information technology in 2020. Drivers of the projected activity included cybersecurity, outdated infrastructure, mobile accessibility needs, cloud and SaaS transitions, and on-premises technology requirements.  In late 2019, another well-respected consulting group had predicted that, in 2020, “[t]here will be increasing opportunities for technology vendors and service providers to grow their businesses, and for technology buyers to innovate and upgrade their infrastructure, software, and services.” In fact, as 2020 began, many deals for technology development, implementation and related services were signed and technology providers, consultants and related service providers (collectively referred to in this post as “vendors”) and their customers were busy building, implementing and testing new systems.

Then came COVID-19. Most people in the United States and in many other parts of the world are now working from home. Capital markets are volatile. The global economy came to a screeching halt and recessions are forecast.  As a result of these and other factors, many deals that were humming along nicely are now facing significant and unanticipated challenges. For example:

  • In many cases, neither the vendor nor the customer community is “in the office.” While it is not uncommon for software developers to work remotely, many important aspects of a complex implementation – e.g., hardware installation, software testing and user training – are most effective when done on site. Obviously, given the work-from-home and no-travel environment that we are in, this is not possible.
  • Key individuals from both the vendor and customer community may be less available, either due to their own illnesses or due to pressing family issues or other concerns related to the pandemic.
  • Some customers may experience significant and unanticipated financial distress, and as a result, the payment obligations associated with the initiative may become particularly burdensome for them. Vendors may also be facing similar financial distress.
  • Due to the downturn in the business climate resulting from the pandemic, the business volume assumptions on which the ongoing initiative was based may no longer be realistic.

This blog post is intended to suggest a practical approach that both technology vendors and their customers might take to find amicable solutions to challenged deals.

While Washington’s comprehensive data privacy bill (SB 6182) — inspired by California’s CCPA — died when legislators could not hammer out a compromise over enforcement mechanisms, the state legislature did reach agreement and Gov. Jay Inslee signed into law a facial recognition bill (SB 6280) that provides some important privacy and antidiscrimination provisions regarding state and local governmental use of the technology.

An interesting New York Times article last week posited that governments’ use of digital surveillance techniques for the COVID-19 response – such as the tracking of geolocation to gauge quarantine restrictions – would lead to more pervasive digital tracking in the future. On a related note, there have been reports of an increased use of facial recognition technologies as governments use digital tools to respond to the outbreak.

These developments bring to mind some interesting questions:

In the future, given our collective experience with this invisible foe, will there be a move away from contact-based security and access control systems to “germless” and “touchless” processes?

If so, what role will be played by facial recognition and other biometrics-based systems in that shift?

Teami, LLC (“Teami”), a marketer of teas and skincare products, agreed to settle FTC charges alleging that its retained social media influencers did not sufficiently disclose that they were being paid to promote Teami’s products. The FTC’s Complaint also included allegations that Teami made unsupported weight-loss and health claims about its products, an issue that is beyond the scope of this blog post. The Stipulated Order for Permanent Injunction and Monetary Judgment was approved by a Florida district on March 17, 2020.

This settlement is significant in that it identifies clear steps that an advertiser can follow in the interest of avoiding similar FTC allegations of deception with respect to paid endorsers. Compliance in this area remains an ongoing concern as the FTC reiterated in a statement accompanying the settlement that: “[T]he Commission is committed to seeking strong remedies against advertisers that deceive consumers because deceptive or inaccurate information online prevents consumers from making informed purchasing decisions….”

The U.S. Supreme Court’s busy intellectual property term (with six copyright and trademark cases) rolls on. On March 23, SCOTUS ruled in Allen v. Cooper, 589 U.S. ___, No. 18-877 (Mar. 23, 2020), that states, absent consent, may not be sued for copyright infringement. In particular, SCOTUS held that Congress did not have a sufficient constitutional basis to abrogate states’ sovereign immunity in copyright infringement actions when it passed the Copyright Remedy Clarification Act of 1990 (CRCA). However, the Court noted that, going forward, the ruling would not prohibit Congress from passing a more “tailored” copyright remedy statute if it found a valid basis to suspend sovereign immunity in copyright infringement cases against states.

Despite continued scrutiny over the legal immunity online providers enjoy under Section 230 of the Communications Decency Act (CDA), online platforms continue to successfully invoke its protections. This is illustrated by three recent decisions in which courts dismissed claims that sought to impose liability on providers for hosting or restricting access to user content and for providing a much-discussed social media app filter.

In one case, a California district court dismissed a negligence claim against online real estate database Zillow over a fraudulent posting, holding that any allegation of a duty to monitor new users and prevent false listing information inherently derives from Zillow’s status as a publisher and is therefore barred by the CDA. (924 Bel Air Road LLC v. Zillow Group Inc., No. 19-01368 (C.D. Cal. Feb. 18, 2020)). In the second, the Ninth Circuit, in an important ruling, affirmed the dismissal of claims against YouTube for violations of the First Amendment and the Lanham Act over its decision to restrict access to the plaintiff’s uploaded videos. The Ninth Circuit found that despite YouTube’s ubiquity and its role as a public-facing platform, it is a private forum not subject to judicial scrutiny under the First Amendment. It also found that its statements concerning its content moderation policies could not form a basis of false advertising liability. (Prager Univ. v. Google LLC, No. 18-15712 (9th Cir. Feb. 26, 2020)). And in a third case, the operator of the messaging app Snapchat was granted CDA immunity in a wrongful death suit brought by individuals killed in a high-speed automobile crash where one of the boys in the car had sent a snap using the app’s Speed Filter, which had captured the speed of the car at 123MPH, minutes before the fatal accident. (Lemmon v. Snap, Inc., No. 19-4504 (C.D. Cal. Feb. 25, 2020)).   

With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely.  This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.

Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies.  Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.

Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company.  Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals.  The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures.

As part of the response to the outbreak of COVID-19, many organizations are working on contingency and business continuity plans that include an all-employee “work-from-home” scenario.  If it becomes necessary to implement such a plan, all employees of the organization will access the organization’s networks and systems remotely. Unfortunately, many organizations that are testing these plans are discovering that that their remote access technologies may not be able to handle, without significant degradation in performance, the volume of activity this will generate.  Indeed, given the complex host of business applications and collaboration tools that many businesses employ, many entities may not be fully ready for their entire workforce to access their systems remotely without first checking in with their vendors and IT personnel.

This is understandable. Except for the case of those businesses that always operate “virtually” — without any fixed offices — most organizations build their remote access infrastructure (including the related telecommunications, security, videoconferencing, collaboration and other software tools that are involved in remote access) based on an assumption that only a portion of an organization’s employees will use remote access at any given point in time.  For example, contractual service level commitments (in which vendors promise certain levels of performance of their systems) often assume a simultaneous user base being a subset of all employees of the organization.  Further, SaaS-based services that are priced based on a specific number of “simultaneous users” may not anticipate all, or substantially all, of the company’s employees using the service at the same time.

Organizations should be reviewing their agreements with the myriad set of vendors that provide software related to remote access. These reviews should evaluate what commitments, if any, are included in those agreements that may be helpful in what may be this unprecedented “100% work-from-home” effort.  To the extent contractual deficiencies or other issues are identified, early engagement with vendors can be helpful.  For example, in the event service level commitments appear insufficient to meet anticipated demand, an early discussion with the vendor may result in an increased allocation of the vendor’s resources to that customer.  And while some SaaS service agreements priced by the number of simultaneous users may allow customers to exceed simultaneous user limits (with a premium true-up at a later date), others impose hard blocks on usage in excess of contract limitations.  To the extent these issues are identified in an agreement, customers are best served by engaging with the vendor in advance – to avoid premium true-ups or interference in service.

In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials.