Cincom v. Novelis: Federal Copyright Law Trumps State Merger Law

September 28, 2009

Contract boiler plate – or the lack thereof – can be an Achilles heel in a software licensing transaction.  Case in point:  Cincom Systems, Inc. v. Novelis Corp., No. 07-4142 (6th Cir. Sept. 25, 2009).  Affirming the decision of the lower federal court, the U.S. Sixth Circuit Court of Appeals last week held that copyright infringement occurred where there was a failure to obtain the software licensor’s consent to an assignment of a software license agreement that resulted by operation of law under the Ohio merger statute.

This is true even though Cincom’s software continued to be used in the same business operation, at the same facility and on the same computer system as before the merger.  In 2003, Alcan Ohio completed an internal reorganization through a series of mergers in which its operations in Oswego, New York where the Cincom software had been used, ultimately was spun off into a new company, later renamed Novelis Corporation.  The license agreement between Cincom and Alcan Ohio stated that the license was personal to Alcan Ohio, that it was non-transferable and that no transfer was permitted without the prior written approval of Cincom. 

Novelis, as the successor to the subject portion of the former Alcan Ohio business, believed that the Ohio merger statute should control whether a transfer took place.  By Novelis’ reasoning, a transfer by operation of law and the vesting of the former entity’s license rights in Novelis was not the type of transfer sought to be prohibited under the license agreement.  While this might be true with other property, the Sixth Circuit agreed with the lower court that this is not the case with respect to copyrights or patents, transfers of which are controlled by federal law.  Bottom line:  if any entity other than the authorized licensee holds the license without permission of the licensor then the licensor’s copyright has been infringed.

While the assignability of license rights is always a matter of negotiation, assignment clauses in software license agreements frequently include terms that expressly allow assignment to a successor in interest to the business unit that originally licensed the software.  Where such language is not present, counsel reviewing a contract after the fact in preparation for a merger will sometimes take comfort that an assignment of a property interest by merger is one that occurs by operation of law and, thus, third party consent, if otherwise necessary, is not normally required absent an express prohibition against assignment or transfer by operation of law.  Such comfort is misplaced if licenses of patents and copyrights are involved.  In this context, silence is anything but golden and unless you include express permission in the license or obtain consent, copyright infringement will occur.    

Link to Decision:

Veoh Case Illustrates Path to DMCA Safe Harbor

September 26, 2009

A recent decision, UMG Recordings v. Veoh Networks, No. CV 07-5744 AHM (AJWx) (N.D. Cal. Sept. 19, 2009), by a federal district court provides a good example of the tensions sought to be balanced under the safe harbor provisions of the Digital Millennium Copyright Act (“DMCA”) and the way to successfully attain the benefits of one of these safe harbors.  While the Veoh case can be viewed as but one of the many ongoing skirmishes pitting music and film industry giants against emerging video and music sharing websites, the decision serves as useful guidance for sites of all sorts that host user-generated content.   

Veoh operates a widely used video sharing website.  Not surprisingly, users sometimes post unauthorized copies of copyrighted materials, including UMG (Universal) music videos.  Veoh maintains a clear copyright policy that is readily available to its users that prohibits posting of unauthorized content and Veoh’s normal practice is to remove promptly known infringing video postings.  Veoh also employs filtering technology that automatically blocks postings of known infringing content.   Notwithstanding these measures, UMG claimed that Veoh should have known that the type of site it operated would result in the posting of infringing content, that Veoh should have employed filtering technology earlier than it did, and that Veoh failed to remove improper videos based on UMG having merely identified UMG artists by name but not specific copyrighted videos.

Enter the DMCA.  The DMCA attempts to strike a reasonable balance between the need to protect the legitimate rights of copyright holders, on the one hand, and the desire to avoid improper constraints on freedom of expression and also to allow the continued development of electronic communications platforms, on the other.  As part of that balancing act, the DMCA contains in Section 512(c) a safe harbor provision against copyright infringement claims for internet service providers and other operators of websites that store user-generated content.  The safe harbor shields an online service provider from liability if the provider:

  1. Does not have actual knowledge that the content is infringing, is not aware of facts or circumstances that would make apparent that infringing activity has occurred, or upon becoming aware of infringing content, acts promptly to remove or disable access to such content;
  2. Does not receive a direct financial benefit from infringing content where the provider also has the right and ability to control such content;
  3. Upon notification of claimed infringement, responds promptly to remove or disable such content; and
  4.  Has adopted and reasonably implemented a policy that informs users that repeat infringers will have their access to the service terminated.

The Veoh court found that, contrary to the strained contentions of UMG, Veoh easily satisfied each of the safe harbor elements.  The court noted that service providers are not required to take any particular actions just because infringing activity could be taking place and what the DMCA requires is notice of specific works claimed to be infringed not generalized assertions that all works involving a particular artist must be addressed.  Providers are also not required to adopt any particular technology, such as filtering technology, or, if they choose to do so, adhere to a timetable preferred by a complainant.  What is required is that the service provider act reasonably under the circumstances.  For all these reasons, the court held that Veoh in fact acted reasonably and granted Veoh’s motion for summary judgment against UMG.

Like the sturdy little train engine of storybook fame, Veoh has seemingly become the “little website that could,” having now scored at least three successive court victories in as many years against claims of copyright infringement.   However, operators of websites that are further below the radar screen should still take note of this case.  Even though greater attention has been garnered by the music and film industries in notable online copyright cases, the types of well thought out steps implemented by Veoh to address issues of alleged infringement are ones from which any website with contributed content can benefit.

Is Massachusetts the New California?: Heightened Data Security Requirements Take Effect January 2010

September 17, 2009

As early as 2003, when California enacted the first state-law dealing with data breach notification requirements, that state has long been regarded as the most aggressive in the country when it comes to issues of protecting personal information from risks of data breaches and identity theft.  Enter Massachusetts with what may be not only the broadest subsequently-enacted data breach notification statute by virtue of its requirement that data actually be encrypted at a specified level (128+-bit encryption), but effective January 1, 2010, all businesses that maintain personal information on Massachusetts residents must affirmatively adopt a security policy that meets minimum standards or risk penalties and enforcement actions.

Under authority of Massachusetts General Laws, Chapter 93H, Section 2, the Massachusetts Office of Consumer Affairs & Business Regulation adopted regulations mandating written security programs and minimum computer security measures.  These regulations are codified at 201 C.M.R. 17.00 ( 

Because of how populous Massachusetts is, the regulations encompass a significant number of businesses across the country.  The comprehensive written security program must satisfy twelve specific criteria and generally reflects common sense practices that may not be that difficult for many organizations to comply with, particularly if efforts are already underway to implement an identity theft protection program under the Federal Trade Commission’s Red Flag Rules, now scheduled to take effect on November 1, 2009.  (

However, numerous companies will likely be caught off guard by the breadth of this state’s minimum computer system security requirements.  In particular, two of the more onerous provisions are the requirements that covered data that is in transmission and covered data stored on laptops and other portable devices be encrypted.  Specifically, the elements that must be included for a computer security program to be compliant are:

  1. Secure user authentication protocols including control of user IDs, secure password selection method, control of data security passwords, restricting access to only active users, and blocking access after multiple unsuccessful attempts;
  2. Secure access control measures that restrict access to only those who need personal information for job duties, and assign unique IDs plus passwords to each person with computer access;
  3. Encryption, to the extent technically feasible, of all transmitted records and files containing personal information that will travel across public networks or be transmitted wirelessly;
  4. Reasonable monitoring of systems for unauthorized access;
  5. Encryption of all personal information stored on laptops or other portable devices;
  6. Reasonably up-to-date firewall protection and operating system security patches;
  7. Reasonably up-to-date versions of system security agent software, including malware protection and virus definitions; and
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Massachusetts is undoubtedly a harbinger of the continuing trend that we should continue to expect toward stricter minimum data security standards at both the federal and state levels.

Hertz v. Luzenac Reaffirms Trade Secret Principles

September 16, 2009

The 10th U. S. Circuit Court of Appeals, in Hertz v. The Luzenac Group, Nos. 06-1324, 06-1358  (10th Cir. Aug. 11, 2009), recently reaffirmed some trade secret basics in a case involving the alleged misappropriation of a proprietary process by two former employees of a manufacturer.  Although the defendant-employees alleged that each of nine separate elements of a proprietary process for Luzenac Group’s production of a form of vinyl silane-treated talc called 604AV were publicly known, the 10th Circuit held that even where separate elements may be publicly known, a trade secret may still be found to exist when a process is considered as a whole.   This is because the manner in which the individual elements are combined — or the exact details of how the Luzenac Group fine tuned a given element — is not something that would necessarily be known, even if aspects of individual elements are the subject of general industry knowledge.  

The Circuit Court also determined that the lower court erred by focusing on the steps that the Luzenac Group failed to take to protect its proprietary process rather than the reasonableness of the protective steps that were taken.   Among other things, Luzenac Group posted signs directing employees to keep the process confidential, had key employees and contractors sign confidentilaity agreements, barred visitors from viewing the production process and marked important documents with confidentiality legends.  The Circuit Court therefore determined that while there might always be additional steps that could have been taken, it does not follow that the measures adopted by Luzenac Group were unreasonable under the circumstances.  

Finally, the Court stated that even if the subject information did not rise to the level of a trade secret, the Luzenac Group was not precluded from pursuing breach of contract claims against the former employees based on the written confidentiality agreements signed by those employees.

Link to Decision: