The Legal Issues Are Somewhat Cloudy in the Cloud: A Primer for Lawyers on Cloud Computing

By Roy E. Hadley, Jr. and John L. Watkins [1. Roy E. Hadley, Jr. and John L. Watkins are both Partners in the Atlanta office of Barnes & Thornburg, LLP and co-lead the Firm’s Cloud Computing and Cyber-Security Team. Hadley practices in the Business Department and advises clients regarding data security, data breach and privacy issues. Watkins practices in the Litigation Department, and handles cases involving trade secrets and confidential information, as well as insurance coverage. Watkins also advises business clients on contracts and terms and conditions.]

"Cloud computing" has become a very hot topic. For the uninitiated, "cloud computing" generally refers to providing access to computer software through an Internet browser, with the software and data stored at a remote location at a "data center" or "server farm," instead of on the computer's hard drive or on a server located on the user's premises. This is also sometimes referred to "software as a service."

Proponents of this approach claim many benefits, including lower costs, less need for on-site support and "scalability." "Scalability" means that the number of licenses and available resources can easily be adjusted as the need increases. Access can typically be provided to any computer with a browser and an Internet connection, but can be controlled through password protection and other measures. Proponents also argue that the cloud makes it easier to manage and push down software upgrades. Software as a service is usually provided on a fee for service approach that may result in cost savings compared to the traditional local area network. Think of it as somewhat like renting as opposed to owning.

The Cloud is Here Now

Cloud computing is not a technology of the future, but is here today. Google, for example, uses this approach to provide its suite of business applications intended to compete with Microsoft Office. Google applications are provided free or at very little cost. Salesforce.com is one of the best known providers, providing customer relationship management ("CRM") software to a growing list of companies. IBM, Microsoft and Amazon, among many others, are also entering the playing field.

There appears to be little doubt that cloud computing is here to stay, and that it may indeed represent the future of information technology. There are many advantages and potential advantages to the cloud computing model.  For example, software is managed and upgraded off-site. Hardware costs are lower because all that is needed to access the system is an Internet connection and browser.  Buying and constantly upgrading servers and other hardware is said to be unnecessary.  The need for a large IT staff is diminished. Cloud providers also represent that they provide higher levels of security and uptime than typical networks. In short, it is argued that cloud computing provides the next generation of IT resources through a platform that is cheaper, scalable and more easily managed than local networks.

The Technical Side of the Cloud

That said, from a technical and legal perspective, cloud computing raises a host of issues. As a lawyer advising clients on cloud computing issues, an understanding of these issues is essential to being able to provide meaningful advice and counsel.  Perhaps foremost on most clients’ mind is the question "What happens if they lose my data?" The answers provided by many cloud vendors focus on technical concerns (such as the back-up procedures) and not legal issues.

Technical issues are important, and there are certainly technical safeguards that a client might want to consider, such as maintaining a back-up on site, or a back-up through a separate vendor. These approaches might provide some real practical protection in the event of a catastrophic failure or bankruptcy at the primary provider.  On the other hand, if a client adopts such procedures, the costs may rise. Clients will carefully need to weigh the costs and benefits of whatever solutions they implement.

Other technical issues might focus on what happens when the relationship ends, whether happily or not. Is there another vendor that can provide the software and host the data? Will data have to be converted to a different format? If the customer decides to switch back to a local area network, will the terminals that have been used for cloud computing (which usually can be very basic "low powered" machines) be of any use, or will a completely new network need to be installed?

Clouds Come in Many Different Shapes and Sizes

When clients ask you to help them with a “cloud computing” issue, the first thing you need to understand is what type of “cloud computing’ is the client talking about. Generally speaking, there are three basic types of cloud computing structures, each with different issues and considerations.

The first type of structure is cloud software as a service, which is usually referred to as SaaS.  Under this model, the client would use the vendor’s applications running on a cloud infrastructure.  These services are usually interfaced through a “thin client” such as a web browser. The end user has little control over the software’s parameters other than some minor configuration settings.

The second type of structure is cloud platform as a service, or PaaS.  Here, the client has the capability to deploy onto the cloud infrastructure client-created or otherwise acquired applications.  These applications are usually developed using tools or programming languages that are supported by the infrastructure vendor. The client has control over the applications and potentially some configuration control.  Generally, under both SaaS and PaaS models, the client has no control over the network, servers, storage or operating systems.

The third main structure is cloud infrastructure as a service, or IaaS.  Under this scenario, the underlying computing and network infrastructure is provided to the client.  The client usually controls applications, processing, storage, networks and other resources.  The client can often run software and applications of its choosing.

Generally speaking, based upon which structure is being considered by clients, the technical and legal issues will be specific to that structure. However, with that said, a core group of considerations will have to be addressed by you and your client when considering implementation of a cloud computing solution.

Legal Issues Begin to Rain Down from the Cloud

Clients usually look into cloud computing solutions to trim costs and expenses and gain efficiencies.  However, the reality is that these benefits may not materialize or other issues may arise that essentially take away any cost savings or efficiencies. It is important for clients to remember that “things happen” and no matter how carefully worded a contract may be, unforeseen issues may arise.

From a legal standpoint, cloud computing appears to raise a host of essentially contractual issues to be addressed by the parties' contract or licensing arrangements. There are also potential regulatory issues (ranging from privacy to export control issues), e-discovery issues, and certainly other issues that have not been thought of yet due to the still relatively recent, if widespread, adoption of cloud computing initiatives by businesses.

As businesses and their lawyers become more experienced with cloud computing platforms and issues, it is likely that a consensus will emerge about how cloud computing issues will be addressed. Hopefully, purveyors of cloud computing services will be flexible and reasonable in addressing legitimate business concerns. However, given the prevalence of "standard" licensing in the software field (often on a shrink-wrap or click-wrap basis) and efforts to limit liability under any circumstances, there is some cause for pessimism.

There is also the practical reality that the ability to obtain meaningful modification to a provider’s standard terms and conditions depends on what type of cloud services or infrastructure the client desires to implement. If, for example, a small client wishes to switch to Google’s free or low cost suite of office applications, the client is almost surely going to have to accept Google’s standard terms. If, on the other hand, a client is going to spend millions of dollars with a cloud provider, then it should be possible to negotiate the contractual provisions.

It is also important to consider the client’s industry and risk profile. For example, clients in the healthcare and financial services industries are subject to regulatory requirements and risks that must be considered in utilizing any kind of cloud-based architecture. Such issues are beyond the scope of this general article, but will represent one of the great challenges as clients in these industries move to the cloud. Companies with high-risk profiles and that are regularly involved in litigation also need to consider how adopting cloud architecture could affect access to information.

Regardless of whether the model is SaaS, PaaS, or IaaS, the following are some basic issues that you should consider when advising clients with respect to cloud computing arrangements:

  • What contractual obligations will the vendor assume with respect to protecting data? This could include reference to particular steps and procedures, including back-up obligations. The contract or license may specify a standard of care that the provider must meet.
  • What contractual obligations will the vendor assume regarding uptime, if any? Will the vendor provide any type of uptime warranty? Even if such a warranty is subject to a limited remedy, it would provide some incentive for the provider to limit downtime.
  • Most providers seem savvy enough to disclaim any interest in your data and will freely say -- in a sales setting anyway -- that "your data is your data." Well, that's good, but how does a client physically get their data back at the end of the contract period or if the vendor goes bankrupt? Of course, this issue may be affected (and mitigated) by the back-up procedures adopted.
  • What remedy limitations, if any, are in the vendor’s terms and conditions? Are consequential damages excluded? Are total damages capped (such as to a return of fees paid)? Even if contractual obligations are assumed, if remedies are severely limited, the provider may be shielded from liability.
  • Where is the client’s data going to be stored? Is the vendor willing to agree that all of the client’s data will be kept in this location under specified conditions and at agreed security levels? This could be important for regulatory reasons, but also for reasons associated with meeting general customer confidentiality obligations or complying with privacy policies.
  • Is there a forum selection clause in the terms and conditions? Many providers want to insist on litigating on their home turf (which often, it seems, is a state other than where the client is located), but that is rarely a happy instance for the client.
  • How does the client get out of this arrangement if the vendor does not perform and what is the client’s exit strategy? What rights does the client have upon termination? What obligations does the vendor have to assist in transitioning to a new vendor or back to a self-managed platform?

Don’t Forget About Data Security

Additionally, inherent in the adoption of any arrangement where a company’s data is entrusted to someone else is the issue of data security.  Whether it is malware, hacking, insider malfeasance, espionage, viruses and trojans, data breaches, or the ignorance of the many threats, all companies’ data is increasingly at risk and under attack.  While all threats and risks cannot be eliminated, they can be mitigated through proper policies, procedures and legal diligence.

One of the stated benefits of cloud computing by vendors is the ability to eliminate many of the above-mentioned risks because the vendor will be able to respond to issues and attacks in a real-time manner, either through updates or intervention.  From a legal prospective, however, you will need to contractually ascertain what the vendor will actually be providing and whether that will be sufficient given the client’s circumstances and business.

Don’t Forget About Trade Secrets

Many clients protect their most important intellectual property as trade secrets, instead of managing an extensive patent portfolio. Many types of information can potentially qualify for trade secret protection, including customer lists, business plans, technical specifications, financial information, programs and secret formulas. Under Georgia law, to qualify as a trade secret, the information must have actual or potential economic value and must not be generally known or readily ascertainable by others who can obtain economic value from it. In addition, the information must be subject to reasonable efforts to maintain its secrecy.

If a client is considering storing trade secret information in the cloud, it should consider the potential risks of doing so. Although it is difficult to predict how courts will react to trade secret claims based on information stored in cloud-based systems, a key factor will likely be the steps taken to maintain the secrecy of the information. Courts will likely inquire into whether the cloud provider has access to the data and whether it is bound to maintain the secrecy of such data. Other inquiries will focus on who from the client is permitted to have access to the information, password protection, and other security measures, much as in cases involving information stored on local networks.

It is possible that a cloud based provider may be able to demonstrate a higher level of security than that used in a client’s local area network. Much of the inquiry will focus on the particular architecture used. Nevertheless, because cloud-based technology is relatively new, clients with trade secret information should pay careful attention to documenting the security of the system before moving such important information to a cloud-based application.

Don’t Forget About E-Discovery

In 2006, the Federal Rules of Civil Procedure were amended to provide specific provisions for electronically-stored information (“ESI”).  Although discovery of ESI was permitted before the 2006 Amendments, the Amendments focused attention on e-discovery. Volumes have been written about e-discovery, and comprehensive review of e-discovery issues is beyond the scope of this article.  It is important to note, however, that the adoption of cloud-based technologies may raise new e-discovery issues.

In general, Federal Rule of Civil Procedure 26(b)(2)(B) distinguishes between ESI that is reasonably accessible and ESI that is not.  ESI that is not reasonably accessible does not have to be produced initially, but may be ordered to be produced on a showing of good cause. If a court orders the discovery of ESI that is not reasonably accessible, it may also order the party seeking the information to pay for some or all of the cost of obtaining it.

Courts have reached somewhat differing conclusions regarding the production of ESI. In general, however, courts will order the production of relevant information that is within a party’s possession, custody or control. It is difficult to predict how courts will react to the discovery of ESI that is in the possession of a cloud vendor and arguments about whether some or all of that information is (or is not) reasonably accessible. Of course, each case will largely depend upon the particular circumstances. Companies should not assume, however, that, because they have chosen to use a cloud-based vendor, their information will not be subject to discovery.

Clients, particularly those that face litigation on a routine basis, will want to consider adding provisions to their cloud services contract regarding discovery of ESI. Such provisions should govern access to the data and assistance from the vendor in the event of discovery requests.

Clients who adopt cloud-based technologies but are unable to respond to e-discovery requests, or unable to do so in a timely manner, run the risk of sanctions in litigation. Some courts have imposed substantial sanctions, so the risk is real.

Into the Cloud We Fly

As stated earlier, cloud computing is here to stay – at least until whatever new computing innovations may succeed it.  As more and more clients hear the siren song of cloud computing, namely lower costs and greater efficiencies, you will be increasingly called upon to provide advice and counsel in this multi-dimensional area. If you have clients that are considering going to the cloud, you should attempt to educate them early in the process regarding the potential risks and related mitigation strategies that the client might employ.

From the practitioner’s standpoint, you should stay abreast of the latest developments in cloud computing as many issues have yet to be identified. As matters begin to be litigated and as the case law develops, hopefully, the legal issues should begin to become more clear and settled.  Until then, lawyers need to begin considering these issues, because cloud computing is not likely to be going away anytime soon. Enjoy the flight!

Trends in Outsourcing Emerging From the Great Recession

By Diana J.P. McKenzie and Matthew C. Henderson [1. Diana J.P. McKenzie, Partner and Chair, Information Technology and Outsourcing Practice Group, Hunter, Maclean, Exley, and Dunn, P.C.,  dmckenzie@huntermaclean.com; and Matthew C. Henderson, Counsel, Information Technology and Outsourcing Practice Group, Hunter, Maclean, Exley, and Dunn, P.C., mhenderson@huntermaclean.com.] Approximately ninety percent of companies cut costs in 2009.[2. Pricewaterhouse Coopers 13th Annual Global CEO Survey] In the midst of a global recession, who could blame them?  In many cases, it was the cost of survival.  Outsourcing providers hoped for a surge.  In their view, what better way to cut costs than to outsource non-core business functions?  Outsourcing providers were disappointed.  Instead of a surge, many companies put outsourcing plans on hold and re-negotiated existing contracts with outsourcing providers at lower prices, in exchange for contract extensions and other trade-offs, such as adjustments to service levels.

Increased Contract Renegotiations

Over half of the companies in the outsourcing market saw increased contract renegotiations in 2009, primarily caused by the recession.[3. A dozen danger signs that your outsourcing contract is on the rocks] Information technology outsourcing (ITO) started the year slowly, but finished strong, with $56 billion in total contract value, and the strongest fourth quarter since 2003.[4. The TPI Index: An Informed View of the State of the Global Commercial Outsourcing Market Fourth Quarter and Full-year of 2009] Business process outsourcing (BPO), however, ended the year with a total contract value of $18.5 billion, the lowest since 2001.[Id.] Most industry commentators attribute the disparity between ITO and BPO in 2009 to the traditional ability to cut costs more quickly through ITO than BPO.  Despite the dismal performance of BPO in 2009, industry consultant Technology Partners International (“TPI”) reports that the market hit bottom and turned up in the second half of 2009.[Id.]

Other sources seem to support TPI’s conclusion.  A survey by consultant Gartner found that over 85 % of companies plan to maintain or increase their spending with outsourcing providers, with the vast majority of those surveyed believing the economy has recovered or will do so in 2010.[7. Gartner Survey Shows 85 Percent of Organizations Anticipate Spending on External Service Providers Will Increase or Stay the Same When Economy Recovers] Also, though cost-cutting remains a top-five priority, companies are shifting their focus from cost cutting to revenue growth.[8 Mark Raskino and Jorge Lopes, Early Findings From the 2010 Gartner CEO and Business Executive Survey (Dec. 9, 2010), available at  http://www.gartner.com/DisplayDocument?id=1250218.] Many outsourcing providers hope that outsourcing plans put on hold the last couple of years will come to fruition in 2010 and 2011, especially with regard to BPO.  In addition, approximately 422 outsourcing contracts worth a total of $15 billion will be up for renewal this year, which is 40% higher than 2009.[9. TPI, The TPI Index: An Informed View of the State of the Global Commercial Outsourcing Market Fourth Quarter and Full-year of 2009] Many of those are large contracts that will likely be broken up into smaller deals.  The trend in 2010 seems to be toward a higher volume of contracts for smaller contract values, with shorter turn-around times.  Also, with signs of an improving economy, buyers that have not renegotiated existing contracts may be racing to do so, as the window may be closing on opportunities to renegotiate existing contracts for better pricing.

Lessons Learned

So what have we learned from this recession?  How has it impacted existing outsourcing arrangements and how will it impact future outsourcing arrangements?

Buyers have been trending toward reasonably-priced service providers that specialize in providing specific services.  In some cases, this has led to multisourcing.  Of course, larger providers have reacted by increasing their menu of available services, by either developing expertise in-house or, more commonly, by purchasing smaller companies that have already developed the requisite expertise.  With larger providers, buyers tend to enter a master agreement with schedules for the various specific outsourced services.

Buyers are also entering into negotiations with a better understanding of the potential that an outsourcing arrangement could fail.  In 2000, Dun & Bradstreet reported that twenty-five percent (25%) of outsourcing arrangements failed after two years, and fifty percent (50%) of them failed after five years.[10. Dun & Bradstreet Survey Finds 50 Percent of Outsourcing Relationships Worldwide Fail Within Five Years; Principal Cause is Poor Planning for New and Evolving Business Process, Business Wire (Feb. 24, 2000), available at http://findarticles.com/p/articles/mi_m0EIN/is_2000_Feb_24/ai_59591405.] The flip side of the realization of the likelihood that an arrangement may fail is the realization of the effort it takes to make an arrangement succeed.  Therefore, contracts are changing to require more substantive meetings and information exchange before bidding, during negotiations, during transition and implementation, and post-implementation.

In addition, buyers are planning for the potential that different regions of the world may emerge from the recession at different rates.  With the erosion of India’s dominance in the outsourcing industry over the last few years, buyers have more options in outsourcing destinations.  China, as many predicted, has been increasing its share of the outsourcing market through 2009 and into 2010.[11. Paige Holden and Dave Miranda, Competition and Government Regulation Challenge Tech Sector Funding, According to BDO CFO Survey (Feb. 16, 2010), available at http://www.bdo.com/news/pr/1269.] Likely supported by the rise of “nearshoring” in the United States, Latin America’s share is also increasing significantly.[12. Id.] The Philippines is rapidly gaining on India in the BPO market.[13. Living Smartly, Indian BPO Sector Loosing Market Share (Jan. 7, 2010), available at http://living-smartly.com/2010/01/indian-bpo-sector-loosing-market-share/]

The prevailing view on global economic recovery is probably that popularized by Sir Martin Sorrell of WPP, which holds that the world will emerge from the recession in a L-U-V-shaped recovery, with Europe rumbling along near the bottom of the recession for a little while, the United States emerging in a faster U-shaped curve, and Brazil, Russia, India, and China (and other less-developed nations) emerging in an even faster V-shaped curve.

Outsourcing Contract Clauses

The fact that economic recovery is so unpredictable and likely to be variable throughout the world requires contracts that can adjust to the circumstances.  Currency fluctuations alone could drastically affect outsourcing costs.  Contracts with multi-national vendors should include provisions allowing the buyer to transition its work to one of the provider’s offices in another nation at little or no cost.  Contracts should also contain carefully considered disentanglement and termination clauses.  Disentanglement clauses typically require providers to assist buyers in transitioning the outsourced functions in-house or to another provider.  Termination clauses typically allow either party to terminate for breach, and the buyer to terminate for convenience, with varying negotiated consequences.  Termination clauses also will usually include provisions that allow for termination in the event of a change in control, something that is particularly relevant given the recent consolidation and acquisition activity in the outsourcing industry, such as Xerox’s purchase of Affiliated Computer Services, Inc., Aon Corporation’s acquisition of Hewitt Associates, Inc., and PricewaterhouseCoopers, LLP’s purchase of Diamond Management & Technology Consultants, Inc.

Outsourcing contracts are also trending toward fewer service levels with more flexibility.  One popular trend is to allow buyers to re-distribute the financial weight allocated to each service level on an annual basis.  So, for example, an agreement with three service levels may have the following distribution in Year 1: Service Level 1 - 20%, Service Level 2 - 30%, and Service Level 3 - 50%.  At the end of the year, if the buyer decides it would be more prudent to focus on Service Levels 1 and 2, it may have the following distribution in Year 2:  Service Level 1 - 40%, Service Level 2 - 40%, and Service Level 3 - 20%.  Flexible contract clauses, such as those described above, allow buyers to adjust priorities for improved returns on their investments with providers.

A final item that is becoming more prevalent in the United States (and arguably throughout the world) that significantly impacts outsourcing contracts is increased regulation.  Who bears the risk of new laws and regulations implemented during the term of the outsourcing agreement?  Buyers should study the trends in their industries and carefully consider the potential for new laws and regulations that may affect their outsourcing contracts, then negotiate the allocation of risk for the cost of compliance in their agreements.

In sum, all indications point toward more outsourcing contracts in 2010 and 2011.  Hopefully, buyers and providers will enter these contracts with better perspectives gained through difficult economic struggles.  As the old proverb says, a smooth sea never made a skillful mariner.

Georgia Referendum On Restrictive Covenants In Employment Agreements

By Mari L. Myer, The Myer Law Firm, Decatur, Georgia [1. Ms. Myer is the Principal of The Myer Law Firm, based in Decatur, Georgia.  A graduate of Boston University School of Law and Wellesley College (B.A. cum laude), she has over twenty years of experience litigating business and employment disputes, including matters involving restrictive covenants in employment agreements, trade secrets, intellectual property, employee separations, and business divorces.  She also negotiates and drafts employment agreements, separation agreements and related types of documents.  Her clients include small and medium sized businesses as well as individuals.  She is a long-time member of the Executive Committee of the Technology Law Section and chairs the Section’s Litigation Committee.] Georgia has long had a reputation for being very friendly to employers except in one area:  it is difficult to enforce a post-employment restriction against an employee either competing with the employer or soliciting business from the employer’s customers. These restrictions are commonly referred to as “restrictive covenants”.

Georgia’s reputation for being a difficult place to enforce restrictive covenants stems from a provision in its constitution that prohibits restrictions that restrain trade.  If a restrictive covenant runs afoul of this constitutional provision, the restriction can’t be enforced by a Georgia court.  The result is that Georgia’s courts will only enforce restrictive covenants that are very narrowly drawn and that will not prevent the employee from earning a living in his/her chosen field.

When deciding whether to enforce a restrictive covenant, a court will look at whether the covenant is reasonable as to its duration, scope and geographic territory.  The restriction cannot be revised - “blue-penciled” - by the court, which means that the exact language of the restriction must pass muster under Georgia law or it will be stricken altogether.

A. The Existing Caselaw Governing Restrictive Covenants is Clear Enough to Practitioners Familiar With it.

Although the rules governing whether a restrictive covenant will be enforced by a Georgia court can be confusing to one not familiar with this area of the law, the rules can be easy to understand and apply once the practitioner has studied them closely.  The result is that, although an enforceable restrictive covenant can be difficult for an inexperienced practitioner to draft under Georgia law, once a covenant has been drafted it is often easy to anticipate whether a court will enforce it.  This affords a level of certainty for both employer and employee that often enables the parties to negotiate a resolution of their dispute without resort to protracted litigation.

One consequence of Georgia’s constitutional prohibition against restrictions that restrain trade is that companies can and do hire employees away from their competitors and take advantage of the employees’ skills and contacts within the industry in situations where an employee hasn’t signed an enforceable restrictive covenant.  Although some employers are understandably troubled by this, others would argue that this behavior is classic free market competition that should be allowed to continue.

B. The Statutory Revision to the Law of Restrictive Covenants Will Create – Not Eliminate – Problems.

A change to the way Georgia’s courts interpret restrictive covenants may be coming if the Georgia Legislature has its way.  The Legislature has accepted critics’ arguments that the current state of Georgia caselaw governing restrictive covenants is both confusing and bad for business.  In 2009, a legislative act was passed and signed by the Governor, subject to approval by a majority of voters in an upcoming November 2010 constitutional referendum.  If the Act is approved in the  referendum, it will become effective immediately thereafter, and it will substantially rewrite the law governing restrictive covenants.  In a nutshell, O.C.G.A. §§13-8-51 et seq. (the “Act”) will allow employers and employees, and certain other types of entities, to agree in writing that, following termination of the parties’ relationship (employment or some other type of business relationship), the employee[2. This article uses the terms “employee” and “employer” loosely.  The Act sets rules governing a variety of relationships other than employment relationships, including by way of example those between independent contractors and principals and between distributors and manufacturers.] will refrain from competing with the employer or soliciting business from the employer’s customers.  The Act provides a handful of guidelines regarding what may be considered a reasonable restriction, and it authorizes courts to rewrite – “blue pencil” - restrictions that a court concludes are not reasonable.

Unfortunately, as is explained herein, what is being touted as a “silver bullet” to cure the perceived evils of the current caselaw governing restrictive covenants may turn out to be neither necessary nor the promised “cure”.

1. Expensive and Time-Consuming Litigation Will Be Necessary to Interpret the Act and to Determine Which of the Existing Caselaw May Still Apply.

First, if the Act becomes law the well-developed body of Georgia caselaw interpreting restrictive covenants will only provide guidance where it either (a) is not specifically rejected by the Act, or (b) addresses matters that are outside the coverage of the Act.  As is generally the case when comprehensive legislation is adopted, there will no doubt be quite a bit of litigation to (a) interpret the Act, and (b) establish which of the old caselaw will still apply and in what circumstances.  Such cases will take several years to wind their way through the trial and appellate courts in Georgia, with an uncertain outcome.  Until these cases are resolved by Georgia’s appellate courts, there likely will be differences in how individual judges interpret and apply the Act.  Thus, at least initially, the Act will create – rather than clear up - confusion in this area of the law.

2. The Act Has Gaps and Ambiguities That Must be Resolved By Expensive and Time-Consuming Litigation.

Second, the Act contains both gaps and ambiguities that also will have to be resolved by the courts.  Again, this will spark litigation that will likely take several years to wind its way through the courts, also with uncertain outcomes.

a. There is a Coverage Gap.

The most glaring gap comes from the categories of employees covered by the Act.  The Act’s coverage is limited to salespeople, members of management, key employees and professionals, as each of these terms is defined in the Act.  A threshold issue prior to application of the Act to a restrictive covenant will be whether the employee against whom the employer seeks to enforce the covenant falls within one of these four categories.  If the employee doesn’t fall within one of these four categories, the employee will not be covered by the Act.  While these four categories appear to encompass the types of employees that an employer is most likely to want to bind to a restrictive covenant, in some instances there will be a perceived need to bind employees who don’t fall within any of these four categories and thus are not covered by the Act.

b. The Act Suggests that the Categories of Employees Who Do Not Specifically Fall Within its Coverage Cannot Be Bound by Restrictive Covenants.

If the employee is not in one of the four categories covered by the Act, the court must determine whether the Legislature intended to preclude the enforcement of restrictive covenants against such an employee.  The language of O.C.G.A. §13-8-54(b) suggests that only restrictive covenants that fall within the Act can be enforced.  If the court concludes that this was the legislative intent, then some categories of employees who could have been subject to restrictive covenants under the existing caselaw will not be subject to restrictive covenants that are signed after the Act goes into effect.

Since the Act facially states that it only applies to restrictive covenants signed after the Act’s effective date, courts must decide whether to enforce restrictive covenants signed by employees who fall outside the scope of the Act, where the restrictive covenants were signed prior to the Act’s effective date.

If courts conclude that, notwithstanding O.C.G.A. §13-8-54(b), restrictive covenants can still be enforced against categories of employees who fall outside the scope of the Act, the restrictive covenants applicable to these other categories of employees will be governed by the existing caselaw and not by the Act.

Of course, different trial courts will likely reach different conclusions on these threshold issues – again creating uncertainty that must be resolved through years of litigation in the trial and appellate courts.

3. Blue Penciling Will Allow Judges to Rewrite Covenants from the Bench, With a Resulting Loss of Both Predictability and Control.

a. Blue Penciling Will Create Uncertainty as to How and When a Court Will Rewrite a Covenant.

An additional area of concern regarding the Act is the effect of the inclusion of a provision allowing courts to blue pencil otherwise unenforceable restrictive covenants in a way that renders them enforceable.  At least initially, courts are likely to use different criteria to determine when to rewrite a poorly drafted covenant and when to simply refuse to enforce it – again creating issues to be resolved by the appellate courts.  This initial outcome can be predicted from an analysis of how Georgia’s trial courts have interpreted their existing blue penciling powers with respect to restrictive covenants ancillary to a sale of business:  sometimes courts have enforced the restrictions as written; sometimes courts have rewritten the restrictions and then enforced the rewritten restrictions; and sometimes courts have concluded that the restrictions don’t hew closely enough to the law to be “saved” – in which case the courts have thrown out the covenants altogether.  It is difficult to discern from the caselaw in which blue penciling has been considered in the sale of business context when and how a court will interpret such a covenant.  This has had the effect of creating considerable uncertainty regarding what such a covenant can safely require of the business seller.  Under the Act, this uncertainty will likely play out in the context of employee restrictive covenants as well. This uncertainty is just the opposite of what the Legislature has stated it intended to accomplish with the Act.

b. Blue Penciling Will Authorize Trial Court Judges to Rewrite Covenants, Possibly With Little Regard for the Parties’ Actual Intent.

Voters who object to judges legislating from the bench should be concerned that the blue penciling power granted to judges under the Act will in some instances have the effect of allowing trial court judges to rewrite contracts from the bench.  This will, of course, remove from parties the power to negotiate their own agreement where a judge finds fault with the terms of the restrictive covenant.  Although it is reasonable to expect a judge to try to rewrite a covenant in a way that reflects the parties’ actual intent, the Act places very few limits on the judge’s discretion in this respect.  An unhappy party will be left to seek yet another re-write by an appellate court.  Thus, by allowing a trial level judge to blue pencil, the Legislature has forced parties to give up control over their own “deal”.

Conclusion:  The Act is Likely to Create Confusion and Deliver Greater Control Over Contract Terms to Trial Court Judges.

In contrast to the problems with the Act that are described above, under the current caselaw, the rules are sufficiently clear as to what a restrictive covenant can and cannot require in order to be enforced by a Georgia court.  A careful practitioner can draft an enforceable restrictive covenant simply by following these rules.  Similarly, counsel can determine the enforceability of a restrictive covenant with a fair degree of certainty without having to litigate over it.

Although the Act allows the employer and an employee covered by the Act to agree on a duration, scope and territory of a restriction on either competition or solicitation of customers, and even offers some guidance as to durations that will generally be considered reasonable for various types of agreements, the ability to have a court blue pencil a poorly drafted restrictive covenant after the fact is an “out” for a lazy practitioner.  The poorly drafted restriction still could be stricken by a court altogether, or it could be enforced as written, or it could be rewritten by a court in such a way as to be unrecognizable to the parties.  And the parties will not know which of these events will occur until a trial court reviews the restrictive covenant. As a result, this flexibility in the Act – which is touted by its supporters as one of its chief benefits - will inevitably lead to litigation over whether the restrictive covenant (a) is sufficiently specific to be understood and obeyed by the employee, (b) requires modification by the court before it will be enforced, or (c) is so poorly drafted that a court will simply strike it rather than rewrite it.  Relying on the Act, a lazy practitioner may in some instances be able to draft a post-employment restriction that will escape being thrown out altogether by a court (as would likely happen under the current caselaw), but the parties will wind up litigating over the specifics of an enforceable restriction.  The result will be to increase litigation costs at the back end without providing any certainty on the front end as to the ultimate outcome.   Surely this is not in the best interests of most clients.

Employees’ Online Endorsements Can Result In Employer Liability

By Chuck Rice, Kilpatrick Stockton, LLP, Atlanta[1] Employees’ blogs and social-networking websites raise a number of potential legal issues for employers, but recently issued Federal Trade Commission (“FTC”) guidelines on product endorsements reveal a largely unforeseen risk:  employer liability for false or misleading advertising stemming from employees’ online postings about their employers’ products or services.

The New FTC Guidelines

Section 5 of the FTC Act prohibits businesses from engaging in unfair or deceptive acts or practices affecting commerce, and the FTC has interpreted this prohibition as covering false or misleading advertising practices.  With respect to unlawful advertising practices, the FTC recently issued revised guidelines on endorsements of products and services, and these guidelines cover advertising achieved through “new media” such as blogs and social-networking sites.  These guidelines, which went into effect on December 1, 2009, define “endorsement” as an advertising message that consumers are likely to believe represents the opinions or experiences of a party other than the sponsoring advertiser.  Under the guidelines, a business that pays the party making the endorsement or that has an ongoing relationship with that party can be held liable for false or misleading statements made by the endorser about the business’s goods or services or for the endorser’s failure to disclose the relationship between the endorser and the business, even if the business has no control over the content of the endorser’s statements.

The new guidelines raise significant liability concerns for an employer when its employees promote the employer’s products or services on their personal blogs or social-networking pages.  If the employer is found to be “sponsoring” those employee endorsements, it can be held liable under the FTC Act for any false or misleading statements in the employee’s message, and a simple failure to disclose the employment relationship in the endorsement can render an otherwise true and honest statement unlawfully misleading.  In determining whether a business is sponsoring an individual’s internet-communicated endorsement, the FTC will consider a number of factors, including whether the individual receives compensation from the business, the length of the relationship between the individual and the business, and whether the business has provided the endorsed products or services to the individual free of charge.  In the case of an employer and an employee, compensation would be present in the form of wages, an employment relationship of significant duration will often exist, and, in some cases, the employee may receive the employer’s products or services free of charge or at reduced prices.  Thus, an employer could be found to be the sponsor of an employee’s online endorsement of the employer’s goods or services, even though it has not actively solicited the endorsement and has no direct control over the content of the endorsement.  Of course, when an employer directs or encourages its employees to promote the employer’s products or services on their personal internet sites, the FTC would have little difficulty in establishing that the employer is the sponsor of employee endorsements.

In comments published with the revised guidelines on endorsements, the FTC stated that it would consider the existence of an employer’s policies and procedures governing employee postings on blogs and social-networking sites in determining whether the employer should be held liable for misleading employee endorsements on such sites.  The FTC indicated that it would generally not pursue an enforcement action against an employer based on the actions of a single employee who violated a company policy that “adequately” covered the employee’s inappropriate endorsement.

Practical Implications

Even if an employer has not actively solicited employee endorsements of its products or services, the new FTC guidelines suggest that the mere existence of an employment relationship may support a presumption that the employer sponsored misleading endorsements on an employee’s personal blog or social-networking page.  To minimize the risk of liability for false or misleading advertising in this situation, an employer should be pro-active and adopt a policy addressing statements about the employer’s products or services on employees’ websites.  Such a policy should inform employees about what constitutes an employee endorsement, what disclosures must be made in connection with employee endorsements, and what statements would be inappropriate.  The policy should also require employees to submit proposed endorsements of the employer’s products or services to the employer’s marketing or legal staff for approval before they are posted on the internet.  Although employee endorsements on personal web pages can be a valuable marketing tool, exerting an appropriate level of control over such endorsements can mean the difference between a successful advertising strategy and a costly lawsuit under the FTC Act.

[1] Mr. Rice, who is resident in the Atlanta office of Kilpatrick Stockton, LLP, focuses his practice on a full range of labor and employment law matters across many industries.

“Lex Nokia” And Confidentiality In Electronic Communications In Finland

By Eija Warma, of Castren & Snellman, Helsinki, Finland[1]. In Finland, the Constitution[2] guarantees everyone a basic right of privacy, and specifically states that “The secrecy of correspondence, telephony and other confidential communication is inviolable”. Because of this fundamental right, a recent amendment to Finland’s Act on the Protection of Privacy in Electronic Communications (the “Act’) prompted a broad discussion about the essential rights of the country’s citizens and garnered the amendment several nicknames, including “Lex Nokia” and the “Snoop Act”.

Background

Privacy in electronic communications guarantees confidentiality for both the content of the message and any identification data. According to the Act, a “message” means a phone call, e-mail message, SMS message, voice message or any comparable message transmitted between parties or to unspecified recipients in a communications network through which such message and data is not meant to be commonly available. “Identification data” means data that can be associated with an individual subscriber or user and which is handled in a communications networks for the purpose of transmitting, distributing or providing messages.

In 1997, the European Parliament enacted a Directive that focused on protection of privacy in the telecommunications sector[3]. Its purpose was to supplement an earlier directive addressing the processing of personal data and the free movement of such data[4] and sets basic requirements for all type of processing of personal data. The 1997 Directive was amended in 2002[5] to correspond to more current technical developments and terminology and covered “electronic communications”. In the preamble of the 1997 Directive, the European Parliament stated that the purpose of the Directive is to guarantee confidentiality of communication in accordance with the international instruments relating to human rights. In addition, in the case of public communication networks specific legal, regulatory and technical provisions should be made in order to protect fundamental rights and freedoms of natural persons and legitimate interests of legal persons, in particular with regard to the increasing capacity for automated storage and processing of data relating to subscribers and users. The preamble also stated that equipment of users of electronic communications networks and any information stored on such equipment are included within the private sphere of the users requiring protection under the European Convention for Human Rights and Fundamental Freedoms. Spyware, web bugs, hidden identifiers and other similar devices have the ability to enter a user’s equipment without user knowledge in order to gain access to information, to store hidden information or to trace the activities of the user, all of which may seriously intrude upon the privacy of the user. Because of this, the use of such devices is only allowed for legitimate purposes with the knowledge of the applicable user.

The Finnish Electronic Communications Privacy Act

The 2002 directive was enacted in Finland in 2004 by the Act[6]. The purpose of the Act is to guarantee confidentiality in electronic communications and define specific circumstances when confidentiality is allowed to be breached. According to the Act, a breach is permissible in the following situations: 1) by  consent of a sender or recipient, 2) to facilitate handling of providing and using services, 3) to allow handling for billing purposes, 4) to allow handling for marketing purposes by the service provider, 5) handling for the purposes of technical development, 6) handling for the purpose of detecting a technical fault or error; and 7) handling in cases of misuse. In practice these exceptions proved to be very problematic. The content of the section of the Act dealing with these exceptions was so broad and ambiguous that telecommunication operators and corporate subscribers[7] had insufficient guidance to address several important business matters that involved email communications in their workplaces.  Among these concerns was how properly to investigate suspicions of unauthorized disclosures by employees of business secrets through use of email accounts. This was a particular concern for technology companies, whose businesses are largely dependent on innovations resulting from highly confidential research and development activities.  Chief among these was Nokia, which is based in Finland, and, thus, the at times critical references to the amendment as the “Lex Nokia”.

The “Lex Nokia” Amendment

To address various concerns raised by the initial form of the Act, a follow up legislative committee was established shortly after the Act was passed into Finnish law. The committee drafted an amendment specifically to address the problematic situation posed by the risk of employees making unauthorized information disclosures through use of email.  The amendment was enacted and it came into effect on June 1st 2009.  The amendment essentially provides that a corporate subscriber has the right to monitor identification data automatically within the network if certain prerequisites are satisfied but a corporate subscriber is not allowed to read or open the content of the actual message. Prior to its enactment, the amendment faced significant opposition among labour organizations, professors, many interest groups and individual citizens because there was a widespread belief that the proposed modifications to the Act would give a corporate subscriber a right to breach a user’s confidentiality, which, as already noted, is considered as a fundamental right in Finland.

According to the amendment before a corporate subscriber can undertake automatic monitoring, the corporate subscriber must  1) limit access to trade secrets and draft an adequate data security policy, 2) identify those  persons who have access to trade secrets, and it is only these people whose emails can be subject to suggested automatic monitoring, 3) handle the issue in a co-operation procedure, 4) notify the office of the Finnish Data Protection Ombudsman[8], and 5) give a yearly report to the employees and to the data protection ombudsman of the actions under the amendment that the corporate subscriber has actually undertaken.   Automatic monitoring can be based on the size, type, quantity or means of communications or the receiver of the relevant information. If any suspected unauthorized disclosures are found a corporate subscriber has the right to manually review the identification data of that specific message. However, this does not give a right to review the content of the message. Based on the information obtained by the company, the corporate subscriber must then decide whether it wants to take further actions in the matter. If it suspects that the elements of an offense are fulfilled, then a request for a police investigation has to be made. If a corporate subscriber violates this procedure the sanctions vary from fines to imprisonment of responsible agents for up to three years.

The Effect To Date

By the end of September 2009 the Finnish Data Protection Ombudsman had not received any notification from corporate subscribers for the adoption of allowed automatic monitoring. However, this is not surprising given that companies cannot start monitoring before drafting an adequate data security policy and it takes time to prepare the required documentation.  Both the data protection ombudsman and the representatives of the Confederation of Finnish Industries, EK[9], which is the leading business organisation in Finland, believe that there will be notifications in the course of time. The actual implementation by businesses is just going to take some time.

In other Scandinavian countries legislation does not prohibit business from monitoring identification data for legitimate purposes. Even in Germany, which has one of the strictest European privacy laws, legislation allows monitoring of identification data if it is necessary for preventing misuse. In general, many European countries allow a company to monitor its own communications networks so long as the company has informed employees in advance of this possibility. As a practical matter, this means that Finland has enacted one of the strictest laws with respect to privacy in electronic communications.

[1] Ms. Warama has studied at Tulane Univesrsity Law School and holds an LLM from the University of Minnesota Law School.  In 2009 she completed a six-months secondment with the Atlanta office of Smith, Gambrell & Russell, LLP.  Ms. Warma’s practice focuses on employment law and intellectual property, technology and life sciences matters.

[2] The Finnish Constitution (731/1999)

[3] Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[5] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector

[6] The Act on the Protection of Privacy in Electronic Communications (516/2004)

[7] A “corporate subscriber” means a company or organization that subscribes to a communications service or a value added service and which handles users’ confidential messages, identification data or geographic information in its communications network. The term is unique to Finland and it has not been adopted in any other European country.

[8] http://www.tietosuoja.fi/1560.htm (September 25, 2009) The Data Protection Ombudsman guides and controls the processing of personal data and provides related consultation.

[9] http://www.ek.fi/www/en/index.php (September 25, 2009) EK was one of the biggest exponents of the amendment.