This week, I continue my coverage of an online chat panel session I moderated during eM+C’s recent All About eCommerce Virtual Conference & Expo.
The panel, which tackled legal issues such as the unauthorized sale of goods on eBay, CAN-SPAM and class-action lawsuits for data breaches, featured attorneys Jamie Hastings, the general counsel for Vermont Country Store, and David Bertoni, a partner at the law firm Brann & Isaacson.
For part 1, click here.
(For more, check out the on-demand replay of the All About eCommerce Virtual Conference & Expo.)
Q: Do you anticipate any legal changes still to come this year on pay-per-click bidding for branded/trademarked terms?
Hastings: Major changes ahead, starting with Google, which just announced it’s allowing people to purchase competitor names within ad text. Previously, it wouldn't appear. This is of great concern, and a couple of lawsuits have just been filed.
Q: How does that not infringe on the trademark?
Hastings: Up until now, it was OK to bid on competitors’ names, since it didn't directly appear in the search results. Courts held that it didn't constitute “use” in commerce to give rise to trademark infringement.
Bertoni: To me, it smacks of deceptive advertising — a kind of bait and switch.
Hastings: Now companies are trying to use other legal theories, such as unfair competition laws.
Bertoni: It's like calling information for the address of Company A and getting Company B's address.
Hastings: It is, in essence. We'll hear a lot more in the coming months. Virtually all cases with Google settle out of court.
Bertoni: Company B is getting the benefit of Company A's reputation and good will.
Hastings: Recommendation: Go into a Google or Yahoo browser periodically and type in your company name; check out the results. We've had some success with “CEO to CEO letters” — in essence, embarrassing the other party to stop the activity.
Q: A “gentleman's agreement” among the industry: We won't bid on yours, you won't bid on ours?
Bertoni: Most upper management are appalled to see this stuff being done.
Hastings: Yes, and quite often unaware — it's their outsourced SEO guys who are doing it.
Q: Speaking of protecting your property, have either of you encountered any class-action lawsuits for data breaches?
Bertoni: There have been a number. Interestingly, the ones that I've been following were dismissed because the named plaintiffs didn't suffer any injury.
Q: How do they differ with regard to e-commerce?
Hastings: Quite an interesting one recently, however, with Heartland [Payment Systems], a payment card processor. It was unusual in that it goes beyond the merchant to the processor. This is why Payment Card Industry Data Security Standards [Council] compliance is so important.
Bertoni: Folks who have possession of confidential customer data have both statutory and common law obligations to keep it private. Most state data breach statutes require that both names and some other proprietary information be disclosed, such as credit card/account numbers.
Q: Jamie, you told me recently that many merchants are “failing” the self-questionnaire for compliance to PCI Data Security Standards. Why is that?
Hastings: The new standard, version 1.2, is much tougher than version 1.1 of last year. Over 200 questions — if you fail one question, you fail all.
Bertoni: Interestingly, the No. 1 way that financial information gets disclosed is via lost or stolen laptops.
Hastings: So companies often retain third-party consultants to walk them through getting to a passing grade.
Bertoni: One bit of advice is that if you discover that a breach may have occurred, don't sit on it.
Hastings: And the No. 1 recommendation regarding security standards for merchants: Don't retain credit card data for longer than is required.
Bertoni: Under state laws, you can buy more time by contacting law enforcement, but the biggest problem — including from a public relations standpoint — is to spend weeks investigating a possible breach before advising customers (or law enforcement) that it might have occurred. A surefire way to get bad press and sued.
Hastings: And as we can all appreciate from a business/PR standpoint, whether it amounts to nothing is irrelevant at that point — the damage has been done.