Don’t Get Cyber-Sued

By Peter S. Vogel

Lawsuits and fines based on data breach and privacy violations are in headline news every day. Yet there are three things a company can do to help protect itself from data-related class actions, regulatory enforcement, individual plaintiff lawsuits, and the reputational harm that comes with them. Those three things are: ensure data privacy, use Click Agreements where appropriate, and adopt Terms of Service (ToS) that suit the company’s needs.

As CEO, take the time to read the company’s ToS, Click Agreements, and Privacy Policies. Counsel should routinely ask C-level executives and lawyers if they’ve read their IT policies. Few executives read these contracts – maybe about one percent. As for the visitors who go to the company’s website, or purchase goods or services through the website, probably even fewer do. Yet courts around the world generally enforce both ToS for merely accessing a website, and Click Agreements when there is a sale of goods or services. Also, regulators in the U.S. such as the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) oversee compliance with Privacy Policies.

  • Make Sure Your Terms of Service Are Consistent With Your Business

Since 2000 I have taught the Law of eCommerce at the SMU Dedman School of Law. In the second class each semester we carefully review the ToS for the four most popular search engines – Google, Yahoo!, AOL, and Bing. The ToS for these four largest search engines are different because each of the companies created ToS to suit their business operations. Too many businesses do not take the time to create their own ToS. Instead they crib those of a similar business. The best business practice is to have ToS that suit the business’ Internet operations.

Why is this important? Because ToS are similar to purchase orders where there are many terms and conditions that the business cares about to control risk, among other things. For instance, a company can limit its warranties and damages. Some may limit the amount of damages to the amount paid by the visitor or to a specified amount such as $100. The types of damages can be limited, so consequential and punitive damages can be excluded. Or, the visitor can be forced to use alternative dispute resolution or to submit to jurisdiction in the home city and require the court to apply the laws of your state.

  • Read Your Click Agreement

If agreeing to ToS is important to prove a transaction took place such as when a purchase is made, and for a myriad of other reasons (ask counsel), then there is an absolute need for a Click Agreement, as well. Requiring web customers to click an agreement before using a purchase feature on the website makes it easier for a court to enforce the ToS.

In the event there is a legal dispute relating to the sale of goods and services, the Internet staff can testify that at the time of the transaction every purchaser got a Click Agreement speed bump and had to hit “I Agree” or the sale would never have occurred.

  • Protect Private Information of Customers

Internet businesses may have access to customer personal information. Privacy laws in the U.S. and other countries often require companies to protect this information. In the U.S., for example, in addition to general laws relating to data protection of personally identifiable information, there are the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in health care and the Children’s Online Privacy Protection Act (COPPA) to protect children under 13, among others. Outside the U.S., there is the EU Data Directive, and many others.

Companies need to protect customer data to comply with federal laws, or risk fines and public humiliation. (See Sidebar for recent fines from the FCC for violations.)

The FTC generally regulates privacy in the U.S., but as demonstrated by the FCC’s fines, other agencies will penalize companies that fail to protect customer privacy. Even though Privacy Policies are not required in the U.S., if a website has a Privacy Policy, the company must adhere to that policy. There are also privacy laws in the European Union, Canada, Japan, and many other countries, so understand how those privacy laws affect the company.


To reduce the risk of Internet business operations, it is incumbent upon the Chief Executive to make sure that the company complies with privacy laws, uses Click Agreements and relevant ToS.

Peter Vogel is a Partner in the Dallas office of Gardere and practices in the areas of intellectual property litigation and Internet & computer technology. With a B.B.A. from the University of Texas, an M.S. in Computer Science from American University, and a J.D. from St. Mary’s University School of Law, Mr. Vogel is an Adjunct Professor at the SMU Dedman School of Law and teaches courses on the Law of eCommerce and eDiscovery, and is Founding Chair of the Texas Supreme Court Committee on Information Technology.