1. Dino Tsibouris (614) 360-1160 dino@tsibouris.com Enforcement Issues in E-Commerce to Originate, Retain, and Produce Electronic Records 1

2. Enforcement Issues 2

3. Requirements of Enforceable Contracts Offer Acceptance Consideration Proved using legally sufficient evidence. 3

4. Requirements of Online Agreements 1.Display terms to the user. 2.Obtain agreement to the terms from the user. 3.Using clear and unambiguous words and methods of acceptance. 4

5. Requirements of Online Agreements 4.Prevent user from access if he does not agree. 5.Provide notice of consequences for acceptance or rejection. 6.Retain, accurate, accessible, and enforceable records. 5

6. Properly Display the Terms Trujillo v. Apple Plaintiff sues Apple and AT&T in class action for iPhone battery life. AT&T argues that terms were available in the store at the time of purchase, through a single click on a hyperlink on the home page, and at activation. 6

7. AT&T attorneys have to retract statements. Terms were not available in the store. Terms were not available through a single click online. Different versions were available in print and online. Plaintiff did not activate the phone. 7

8. Trujillo v. Apple Court recommended monetary sanctions against AT&T. Court states that theoretical availability of agreements failed in practice. Court held that AT&T failed to show that the terms were available during the purchase of the phone. Lesson: Terms must be displayed properly. 8

9. Obtain Agreement to Terms Prudential v. Dukoff Husband and wife apply for life insurance using an electronic application. Prudential refuses to honor contract based on material misrepresentations. Prudential cannot prove if husband or wife signed the contract. 9

10. Prudential v. Dukoff Proof of time of contract formation crucial to prove misrepresentation. Prudential only offers computer printout showing contract date, husband offers different date. Court holds printout insufficient. 10

11. Prudential v. Dukoff Husband argues that wifes statements cannot be used against him because she did not sign them. Husband argues that the signature should have included a unique identifier capable of verification under the sole control of the person using it. 11

12. Prudential v. Dukoff Prudentials system used only a click- through, home address, and social security number. Court just barely allowed the e-signature to survive. Prudential did not have the procedures in place to sign the application, such as email authentication. 12

13. Prudential v. Dukoff Prudential is forced to settle the case. Lesson: 1) Ensure that the correct user signs the agreement. 2) Electronic signature must be properly authenticated. 3) Records regarding formation of electronic contracts must be maintained and produced at trial. 13

14. Obtain Agreement to Terms In Re Gillig: Husband co-signs for wifes loan from Sallie Mae. Wife has access to husbands PC, which has same password as his email. Wife changes schools, continues obtaining loans. 14

15. In Re Gillig Marriage sours, they file for divorce. Both the husband and wife get restraining orders against one another. Sallie Mae Fraud department contacts Husband about latest loan obtained a month after the divorce. Husband delivers ID Theft Affidavit. 15

16. In Re Gillig Husband claims he never knew, thought she was on scholarship. Last loan taken out a month after the divorce. Wife testified that loans are electronically signed using electronic signature authorized through email. Sallie Mae never produced email showing husbands authorizing e-signature. 16

17. In Re Gillig Court did not believe the ex-wifes testimony that husband co-signed for loan after divorce and restraining order. Court discharged the loan in the husbands bankruptcy proceeding. Lesson: Ensure that the correct user authorizes the signature. 17

18. Clear Words and Methods of Acceptance Huggins v. FNC Plaintiff sues real estate company in class action. Real estate company attempts to compel arbitration using one version of the agreement. Plaintiff argues that he is not bound by the agreement. 18

19. Huggins v. FNC Plaintiff argues that FNC electronically modified its agreement and got rid of arbitration provision. FNC uses banner to announce amendment to terms, allows users to view terms later, decline the new terms and continue to do business. FNC argues its attempted amendment was unsuccessful. 19

20. Huggins v. FNC Court holds that the modification clause was ambiguous and construes it against FNC. Court also finds that FNC waived its right to argue that it did not amend the agreement due to the posting and the banners. FNC is unable to force plaintiffs to arbitrate. 20

21. Keep track of versions McKee v. AT&T McKee files class action lawsuit against AT&T for long distance phone line late charges. AT&T move to compel arbitration under agreement. Attorneys sign declaration and attach customer service agreements. 21

22. McKee v. AT&T 9 months later, attorneys retract statement, file another declaration and agreement. AT&T attorneys perjure themselves in an attempt to prove the right version of the contract in court. AT&Ts agreement is amended 5 times during the litigation. 22

23. McKee v. AT&T Judge denies to reconsider the new agreement. AT&T must litigate, cannot arbitrate the claims. Lesson: Keep track of different versions of your agreements and when and to whom they apply. 23

24. Must Satisfy Evidentiary Standards In re Vee Vinhnee Vinhnee files for bankruptcy, includes two American Express accounts. Court requires American Express to produce evidence of the debt. American Express employee testifies that he is the custodian of records and that it was regular practice to retain records electronically. 24

25. In Re Vee Vinhnee Court requires further authentication foundation regarding the computer and software used to assure continuing accuracy. Court refuses to admit the electronic business records due to deficient evidentiary foundation. The trial court and the appeals court agree that authenticity must be established. 25

26. Court mentions 11 step Imwinkelried foundation for computer records. Expands on the importance of policies, procedures, access controls, recording, logging, backup, changes, and audit procedures. American Express was out nearly $20k due to its inability to prove the debt.

27. Affiant Must Have Personal Knowledge GMAC sends out memo to agents to cease evictions, cash for keys transactions, or lockouts and REO sale closings in certain states. GMAC Mortgage officer admits in court that he signs affidavits without personal knowledge of facts, sometimes 27

28. GMAC Robosign GMAC is reportedly no alone in providing cooked up affidavits to the court. JPMorgan Chase employee also testified that she signed as many as 18,000 affidavits per month. 28

29. Recap 1.Display Terms to the User. 2.Obtain Agreement to the Terms from the User. 3.Using Clear and unambiguous Words and Method of Acceptance. 4.Prevent User from access if he does not agree. 5.Provide notice of consequences for acceptance or rejection. 6.Retain, accurate, accessible, and enforceable records. 29

30. Privacy Issues 30

31. Privacy Issues to Avoid Draft accurate privacy policies that represent actual company practices. Obtain necessary acceptance for sharing. Do not bury privacy practices. Document and account for breaches. 31

32. Accurately Represent Privacy Policies CollegeNET and XAP allow high school students to apply for college. CollegeNET charges schools for applications to colleges. XAP offers the service for free, but sells students personal information to departments of education, student-loan guarantee authorities, and banks. 32

33. CollegeNET v. XAP XAP states in its privacy statement that personal data is not released without users express consent. XAP releases personal info to third parties when users say Yes to: Are you interested in receiving information about students loans and financial aid? 33

34. CollegeNET v. XAP CollegeNET sues for unfair competition. Court finds that XAP did not obtain explicit click-through XAP did not provide clear opt in because it was a bad idea. XAP intended to lull students into a false sense of security Court awards $4.5 million in damages. 34

35. Do Not Bury Privacy Disclosures Sears invites customers to join program for $10 Customers download program as a part of program Program tracks online browsing 35

36. FTC Sears Enforcement Action Sears failed to clearly and conspicuously disclose the extent of tracking. Customers shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails were tracked. Sears buried the disclosure regarding tracking in the 75 th line of a multi-stage agreement. 36

37. FTC Sears Enforcement Action As a result of the enforcement action Sears was forced to: – Cease collection of data – Destroy the information it collected – Provide clear and prominent notice of tracking software and the information it collected – Obtain express consent for such downloads – Notify consumers and explain how to uninstall software 37

38. Properly Document Breach ECMC announces loss of student loan data on March 16 Law enforcement recovers it March 20-21 CDs and floppies found in open safes nearby ECMC announce that it does not appear that the personally identifiable information on ECMCs 3.3 million federal student loan borrowers has been compromised. 38

39. ECMC Breach CT AG Blumenthal still wanted to investigate: – How may CDs in each safe – Whether ECMC had encryption policy – If files were unencrypted – Retention period for files – Explain and provide support for ECMCs announcement on its website. 39

40. Questions? 40