I’m sorry, we’re all working from home now?

John Shedwick Development Houses 01

So, depending on where you are, a week or two ago you sent everyone home with a pat on the back and instructions on how to work remotely, and a lot of hopes for a speedy return. Some of you were pretty well prepared, since you already have some telecommuters or maybe you are already partially virtual, but most of you (us!) really weren’t. Sure, you had some tools in place for remote work, but more for occasional use, and certainly not for all employees and weeks at a time.
For many small businesses, just getting anything workable in place has to be considered a victory, and most are probably just relieved that the number of fires to put out is decreasing. Given that this working from home situation is likely to last for a while, however, you may want to take a look at what you’ve done and make some improvements before you settle in to maintenance mode. After all, having an entire company performing almost all business functions at home is a lot different than most normal telecommuting scenarios. Here are a few thoughts to get you going.

  1. Put a policy in place. If you don’t have one, put some sort of temporary telecommuting policy in place, which outlines your expectations. Even if you already have a policy, you may need or want to deviate from that during these extraordinary circumstances, because things are genuinely different now. After all, some workers will be working on their own devices, others on company computers, and some from paper. Some will work too little, but some will work too much as well, and either can cause business and legal issues. Either way, you’ve got to set our your expectations and requirements or your employees won’t know what they are.
  2. Keep the team together. Even a close-knit group begins to fall apart with separation, so you’ll want to consider ways to keep the team connected. Sure, you can have a regular staff meeting, and your colleagues can e-mail or call, but that’s a little different than the around-the-water-cooler camaraderie they have at work. Normally, many IT departments shy away from (or forbid) messaging services like Skype or Slack, but used correctly those tools can be an excellent way to keep your colleagues in touch with one another (and you) while everyone is stuck at home. Used correctly is key here, so employees need to understand that substantive discussions about a project or a case need to be in e-mail or some other tool where they can be tracked. Instant messages like Skype are for non-substantive discussions and, yes, venting about your ten year old taking your laptop for history class while you try to work on your aging smartphone.
  3. Control your files. Let’s face it, no matter what kind of system you have in place, when a whole family is busily home-schooling and working remotely, that puts a premium on bandwidth and hardware accessibility in the household. That means your employees are making do as best they can to get the work done, and in order to do so, they may be saving files on their home computers, on Google Drive, or using a personal Dropbox or Box account. Normally, that may not be ok, but unless you were completely prepared for people to work at home you need to accept and acknowledge that it’s happening, and take control. If your folks need Dropbox, get a business account with backup and auditing functions, so you know where your files are and that they are backed up. If Google is the tool of choice, get a G-Suite account and have everyone work on the company account rather than on tens or hundreds of different personal accounts over which you have no control. Remember, you’re in emergency mode here, so you’re going to have to sacrifice the ideal for “good enough,” at least until everyone comes back to work. Fortunately, most of these solutions are quick to implement, inexpensive, and just as easy to stop as they were to start (with one caveat, which we’ll get to below).
  4. Control your files, part 2. Some employees have paper files, which are a whole different issue, especially when four people in a family are all working around the same kitchen table. Your policy will discuss that (more on that in a different post), but there are simple steps to make things easier for your employees. Start by providing employees with a “care package” of a bankers box and a few hanging folders, since most of them didn’t think to bring those things home when this adventure began, and follow up with folders or whatever your employees need to keep things organized. Otherwise, you may find that your important project file contains crayon drawings of Garfield the Cat but not that critical memo you’re looking for.
  5. Consider collaboration tools. There are lots of cloud-based tools out there to allow employees to collaborate on tasks and projects, which are both a boon for group work from different locations and a headache for IT. Most companies take a lot of time and energy to evaluate those tools before implementation, given the potential for misuse or data loss. Again, however, these are not normal times, so if necessary be prepared to look into tools which allow better collaboration quickly, particularly if your employees are already using them. Better to have some measure of control over the tools your team is already using than to tell them to stop while knowing they won’t (or when they can’t get their work done without them).
  6. Get ready for the return. After one or two months of working at home, some of your employees may be thrilled to be back, but for others the cat will be out of the bag – they now know they can indeed work at home, and they may like some of the “temporary” tools you brought in during the crisis. Be prepared to listen and discuss those expectations, and to implement any tools or processes you’ve learned where it makes sense to do so. After all, there’s a whole generation of folks coming up for whom working anywhere and on any device is completely natural, so why not use this experience to get a head start on the competition.

Image by Shuvaev

No more DIY in the US for Foreign Trademark Registration

Patria trademark registration from 1892

Courtesy of our friend David Copland, a trademark lawyer based in Dresden, Germany:

Amendments to the Trademark Rules of Practice published in the U.S. Federal Register of July 2, 2019 require as of August 3, 2019 all foreign trademark applicants, registrants, and parties to a TTAB proceeding are required to use a U.S.-licensed attorney for filing any trademark-related submissions to the U.S. Trademark Office.  

Previously all trademark filings could be made directly by a foreign individual, or by a member of a foreign limited corporation, a partner of a foreign partnership, or an officer of a foreign corporation.  Under the prior rules, foreign counsel could “ghost write” filings which foreign trademark owners could submit directly.  This will no longer be possible. 

The Madrid system does not allow for designation of a U.S. attorney for applications submitted through WIPO’s International Bureau.  Consequently, initial applications filed through the Madrid system need not be filed by a U.S.-licensed attorney.  However, any further submissions to the U.S. Trademark Office related to a Madrid application, such as responses to office actions or registration maintenance filings, will require the foreign trademark owner to have a U.S. attorney.

Other than an initial application filed under the Madrid system, foreign trademark owners must be represented by a U.S.-licensed attorney for all U.S. trademark filings after August 3.

For more information see the USPTO Website or give us (or David) a shout. 

DMCA – After the counternotice

Knight without arms

Sometimes throwing down the gauntlet does more harm than good

Once the counter notice is sent things get tricky – many customers think that, having sent the counter notice, the materials can be returned to the website immediately, but that’s not true. The materials must remain offline for ten days after receipt of a valid counter notice, whether they are infringing or not. This provision is definitely favorable to copyright holders, and annoying to those who have to work around the removal for that ten day period. That waiting period can be particularly impactful when the content is timely, since that ten day window can be just enough to ensure that the content is irrelevant by the time it can be returned to the website. Not surprisingly, we see a lot of questionable DMCA notices during tight political races.

Even more important to remember, if you’re the one sending the counter notice, is that you are essentially throwing down the gauntlet and daring the other party to sue you, since that’s the only way to prevent the return of the materials to the website. Before sending that counter notice, you might want to consider long and hard whether (1) the other party is likely to sue and (2) whether you can afford to defend yourself (and deal with months or even years of legal aggravation) just so that you can use that photo of a kitten cuddling with a hamster on your blog. All kidding aside, lawsuits are painful and expensive, and potential damages for copyright cases can be astronomical, so sometimes it’s better to fold even if you are in the right.

Having received the valid counter notice, the hosting provider will forward it back to the sender of the original notice, which starts the clock ticking on the ten day waiting period. At that point the copyright holder has to either sue or accept that the materials will be put back online. While the law tends to be on the side of a valid copyright holder, the same caveats as above apply – lawsuits are an expensive and messy way to resolve a dispute, and collecting on a large judgment from a blogger with an audience of his mother and three of his best acquaintances may be more trouble than it’s worth. Just today I received a withdrawal of a counter notice against a very large company, which strongly suggests that, rather than sue a small website operator, the company reached out and came to an amicable resolution of the copyright dispute.

That being said, sometimes a lawsuit is the only way to ensure the continued removal of the material. Once the lawsuit is filed, the provider of the notice must provide proof of the lawsuit to the web host, who will forward it to the customer. At that point the web host’s job is done, at least until the lawsuit is complete months or years down the line.

DMCA – I’ve sent a notice, so now what?

Once you’ve sent your DMCA takedown notice, the host will likely do one of three things:

  • Ignore the notice
  • Ask for additional information or for missing wording
  • Forward the notice to the customer and request that the materials be removed

The first option, ignoring the notice, is typically a bad idea for hosts given the imbalance between statutory damages and the cost of simply removing the materials. Unless the notice is manifestly inaccurate or abusive, most hosts will at least ask for additional information.
Typically, when my clients ask for more information it’s for one of two reasons: either the materials haven’t been identified in a way which allows them to be verified, or the notice is missing some of the “magic words” which Congress, in its infinite wisdom, decided are necessary. Most hosts will want to at least have some sense that the materials in question are on the website and match the allegedly infringing materials, so make sure the links are precise enough to allow them to do that. And, for heaven’s sake, just include the “good faith” and perjury language – whether you like it or not, it’s a requirement under the law, so it needs to be there.
Typically the host will give the customer a few days to remove the materials – according to the statute, materials must be removed “expeditiously,” but as far as I know that hasn’t been litigated, so no one knows exactly what that means. It’s probably safe to say that up to three days is pretty safe, a month would not be, but where that line is drawn probably depends on the specific facts of the situation. A small host with limited staff would probably get a little leeway on a late removal, whereas Google or Yahoo might not.

DMCA – A few things to remember

In the last post, I told you how to prepare a DMCA Takedown notice, but I also mentioned a few caveats. Some of those are:

  • As I’ve said before, make sure you have all of the elements of the notice. It’s really not that hard.
  • In a similar vein, don’t lard up the notice with a ton of extraneous language. Lawyers in particular love to do this, but typically it just makes things more complicated for anyone who has to read it and slows the process. Often, the longest letters also leave out critical elements, which means they are actually less effective than a straightforward, simple notice. No one needs the back story – if the item is infringing we don’t need to know that the website belongs to your Uncle Max, who snuck the photo from your grandmother’s basement.
  • The DMCA is a pretty easy way to take down content which is copied, but that also makes it tempting to use for items which you want removed but for which you do not actually have the copyright (e.g., that unflattering photo of you which was actually taken by someone else, or that photo in your grandmother’s basement which you probably didn’t take). You can be held liable for false or inaccurate DMCA notices, so keep that in mind.
  • The DMCA is not for trademark complaints, although some service providers ask for a trademark notice which incorporates some of the elements of the DMCA. Don’t be surprised if a DMCA notice for a trademark matter doesn’t result in an immediate takedown (or any takedown at all).
  • While DMCA notices are most often sent to web hosting companies (and Google), anyone who has third-party content on their website, from comments to contributions, can and should register a DMCA agent. Before sending a cease and desist to a website, consider whether the content is actually the website owners and, if not, check to see if they have a DMCA agent
  • Unfortunately, people intent on copying online materials will often change providers as soon as the first notices are received, so before sending that angry followup to the host make sure the materials are still hosted with them

Unfortunately, as many frustrated writers and photographers have found, combating copyright infringement online resembles a game of whack-a-mole, so you may have to prioritize your copyright battles accordingly.
Next, we’ll find out what happens after your notice arrives at the web host.

DMCA – The takedown notice

DMCA removed notice

Since we’re on the topic of the DMCA, I thought I’d put together a primer on the DMCA takedown and notice procedures. As I mentioned in my last post, the takedown procedure offers a quick way for copyright holders to have their materials taken offline while reducing the risk for internet hosts and service providers – with caveats. We’ll cover the caveats later, but for now we’ll focus on the takedown notice, which notifies the host or ISP that there is infringing material on a website which they host. The takedown notice is addressed to the service provider, not the actual infringer, and will be forwarded by the service provider to its customer.

The takedown notice must include the following:

(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

This is pretty easy – anything which you intend to be a signature can be your signature. A scan will do, your name typed and preceded by /s/, just your name, or, in the right circumstances, even an “X” will do. As long as it can be construed as a signature it will probably suffice.

(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

This is the stuff you want removed, typically in the form of a URL leading directly to the infringing material. If there are too many to list, you can reduce it down to a reasonable sized list, but remember the host should be able to find those materials reasonably quickly – you can’t just point to the home page and say “it’s here” unless the entire home page is a copy of your materials. If the infringement is only a small portion of the page or site, consider providing a pdf with the infringing materials circled or highlighted.
Don’t list your own copyrighted materials here, or you risk having them removed. That’s like what my brother did a few years back when he called the city to have a car towed and inadvertently reported his own car, then in an effort to correct it he reported his car again. He then had to move his car. Don’t do it.

(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

In most cases, this is where you’ll provide links which show your materials in their original location. Again, a host should be able to look at the pages listed under (ii) then look at the list under (iii) and, without too much effort, see what is allegedly infringing. Use a list of URLs where needed, and an attachment showing the exact location of the original photo or text can be helpful where appropriate.
If your content isn’t online, provide enough information for the host to verify in some way that the materials are yours. I’ve seen links to books on Amazon, citations for published papers, and even scans of documents attached to DMCA notices – as long as the host has something credible to rely on it should suffice, and if it doesn’t they’ll likely let you know so you can supplement the notice with additional materials.

(iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

This should be pretty self-evident, but it should really be more than just a reply-to address in an e-mailed complaint. A DMCA notice with contact information which is intended to avoid disclosing the identity of the complainant may be ignored by some service providers.

(v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.
(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

These two requirements seem to confuse people, but in reality it’s easy (and required). You simply have to parrot these two lines in your notice, e.g. “I have a good faith belief …” and “The information in this notification …” Whether you think it makes sense or not, these two statements are required, and leaving them out (or creatively rewriting them) can render the notice ineffective.

Some people (often attorneys) feel the need to lard up their notices with everything from copyright registration information to all sorts of creative reservations of rights or nasty threats. None of that is necessary, and much of it is superfluous. If the notice is proper, in order to benefit from the immunity provisions, an ISP has to either remove the materials or ask for clarification (if certain elements are present but the notice is not entirely in compliance with the law). If the notice is non-compliant it can, and probably will, be ignored.

Too much information … information … information

German letterhead schematic

One of the questions I’m asked all of the time is one which no one on this side of the Atlantic Ocean would ever expect, and that is, what are the legal requirements for business letterhead in the US? The answer is, there are none, usually accompanied by a vaguely perplexed look. That’s not entirely true, as I’ll discuss below, but it’s pretty darn close. But first, why the question in the first place?

Perhaps unsurprisingly, Germany does regulate the content of letterhead, as do most European countries to one extent or another. Although the requirements differ for different types of corporations, German letterhead (Briefbogen) typically includes the company name and address, the court at which the company is registered, the company’s number in the corporate registry (Handelsregisternummer), and the managing directors or officers of the corporation. Germans also typically include their complete banking information, including the IBAN or similar bank number and account.

In the US, in contrast, letterhead is typically limited to the company name, address, phone numbers, and website address. personalized letterhead may also include an e-mail address or other contact information, and occasionally letterhead will include a slogan or information about the company’s productions. That’s typically it – no additional information is required or expected. In fact, you can leave most of that information off if you really want, although it may not make as professional an impression.

While not a requirement under the law, it is advisable for companies to include their full legal names somewhere on the letterhead, including “Inc.” or “LLC” or whatever, to clearly indicate to the recipient of any correspondence that they are dealing with a limited liability business entity. Certain industries include additional information by custom (e.g., law firms include the names of partners in the partnership), but that’s not a legal requirement.

It’s also important that the letterhead not be deceptive – while you don’t have to include any particular information on your letterhead, the information you choose to include should be accurate and clear.

So, to be clear, you do not need your EIN (tax number), directors, officers, or bank information on your US letterhead. In fact we recommend against it, because that’s just information that scammers can use to try and social engineer their way into your company bank account.

For more information about German letterhead requirements, see this summary from the Hamburg Chamber of Commerce (in German) or shoot us an e-mail.

Hey, I’ve lost my company’s domain name!

The registration system for domain names isn’t really set up for corporate ownership, since the “owner” of a domain name is typically the person who is listed as registrant rather than the corporation. The down side of this system is something we see all the time, particularly with small companies – a domain name is registered by a well-meaning, tech-savvy employee (all too often in his or her personal account) and, when that employee moves on, the company is stuck without control over critical domain names and related accounts. If the employee is fired, it’s even worse, since the now-disgruntled employee may well have control over the company’s entire online presence for an indeterminate period of time.

While there’s no silver bullet here, there are a few best practices which make it easier to regain control over a domain under the control of a wayward (or simply unreachable) ex-employee. Those are:

  • Make sure the company name and address is listed as the Registrant, along with the name of an officer who is most likely to remain with the company. The tech savvy employee can be listed as administrator, to facilitate management of the domain without jeopardizing ownership.
  • Corporate web assets should be held in an account which is in the company’s name and paid for with a company credit card, and should be kept separate from other business or personal websites and domains.
  • Have an agreement in place making it clear that, upon termination of employment for any reason the domain name registrant and admin are to be changed to an officer of the company’s choosing. Ideally, this should be in a standalone agreement so you can provide it to the registrar without divulging hiring or salary information.
  • Make sure renewal notices and the like go to a generic e-mail address, ideally one which is monitored by more than one person, so that termination or resignation of an employee doesn’t result in a lapsed registration (although there are downsides to this as well).
  • Make sure someone other than the admin knows the password to the account (but be judicious, you also don’t want the password becoming generally known). For particularly active accounts, you may want to request a regular update confirming the password and listing all domain names along with expirations dates for the corporate account.
  • Make sure all domains are registrar locked against transfer and deletion

The above isn’t foolproof, since a knowledgeable or well-placed employee can manage to retain control no matter what the circumstances, and given that registrars differ in how they handle requests relating to domain name ownership. Also, be aware that some of the above suggestions may have downsides as well, so consider what’s best for your organization when determine who has access to accounts and how.

Disability-related lawsuits find new targets

Since at became law in 1990, there’s little doubt that the Americans with Disabilities Act (ADA) has helped make public buildings and businesses more accessible to the disabled. At the same time, however, brick-and-mortar businesses have long complained about the cost of ADA compliance, and claim that many ADA-related lawsuits are more about making money for lawyers than about actually increasing accessibility. Now that most shopping has moved online, lawsuits have begun to extend the ADA to websites and other online services, concepts which really didn’t exist at the time the law was passed.

For example, Home Depot was sued in 2015 by a blind Pennsylvania man alleging that the Home Depot website relied too heavily on images without the alternative text and descriptive links required to allow access by the sight-impaired. The same plaintiff had filed at least 68 similar lawsuits targeting online retailers. Companies from Target to eBay have been sued for ADA issues, and many companies have paid out millions to the government or class action plaintiffs, in addition to the cost of becoming compliant after the fact. Now, plaintiffs’ lawyers have begun targeting platform providers, in what may well result in a new wave of ADA litigation against the internet’s infrastructure providers.

While it’s increasingly clear that internet accessibility is required under the ADA, it’s less clear what constitutes an accessible website. Here are some of the steps you can take to make your website more accessible and less likely to result in a lawsuit or legal liability:

  • Perform a website audit, to determined what aspects of your website might not meet reasonable accessibility standards.
  • Update your website to comply with the Web Consortium’s Web Content Accessibility Guidelines 2.0 (WCAG), currently the closest thing there is to an accessibility standard under the ADA.
  • Make sure your development and design policies include guidelines for continuing WCAG compliance, since it’s all too easy to lose sight of accessibility in the stress of a new site or product rollout.
  • Train customer support and technical personnel to understand and facilitate use of your website by disabled customers, and to be sensitive to the needs and complaints of disabled users.

Although the Department of Justice is expected to issue guidelines some time in 2018, it’s probably not a good idea to wait. In addition to good risk management, it may well be good business, to keep both your disabled and able-bodied customers happy.

Do I really have to worry about the new European privacy rules?

Is it finally time to pay attention to European efforts to regulate privacy? At least according to pwc, the answer is yes.

Let’s face it – many Europeans regarded the former “Safe Harbor” as a loophole big enough to drive a truck through, and many US companies quietly agreed by effectively ignoring it. The GDPR is an attempt to address that more effectively, at least with respect to American companies with assets in Europe, particularly behemoths like Google and Facebook. As of May 25, 2018 most processing of European personal data will have to comply with the GDPR (General Data Protection Regulation), including processing by US-based companies. There are a few reasons for US companies to be more concerned about the GDPR than previous efforts to regulate privacy:

  • The GDPR has the effect of law, without the need for individual (and often inconsistent) country legislation.
  • All businesses which “target” EU nationals are subject to the regulation, no matter where they are based.
  • The fines have been increased significantly and can be tied to worldwide revenue, to ensure that they are meaningful for even the largest of companies.

Of course, it’s easy for EU officials to threaten Google, which has at least four data centers located in the EU, each presumably worth many millions of dollars. It’s a little harder for them to penalize US companies which don’t have assets on the ground in the EU, particularly given that US courts are likely to be skeptical of attempts to enforce the regulation against companies with no offices in Europe. So, how do you know if you should be worried about the GDPR? If you answer yes to any of the following you need to start getting your privacy house in order:

  • Do you have assets in Europe? As already noted, you should be GDPR compliant unless you’re willing to kiss those assets goodbye without compensation.
  • Do you have personnel in Europe? Even with limited assets on the ground, you need to consider the risk to your employees, and the subsequent risk to your company if they are penalized and decided to sue.
  • Is the European market is important to you, or is it expected to be important to you in the future? Obviously, an adverse judgement in the EU could result in loss of any European-based revenue, to say nothing of the loss of customers due to bad publicity.

Notwithstanding the hype, companies with no footprint in Europe and minimal aspirations of success in the European market probably have little to fear from the GDPR. That being said, given increasing concern over privacy on this side of the ocean, even those companies may want to consider implementing some of the GDPR requirements, to minimize any penalties and to make compliance easier if and when it becomes necessary. Besides, better privacy practices may well make business sense for a lot of US companies.