No company wants to learn that its good name or that of a key employee is being attacked by unknown parties on the Internet. Today, most public companies and many private companies face varied threats from individuals using the Internet in ways which harm these businesses or their management. Whether the harmful use appears in a sponsored discussion board or on a special purpose web site, the terms employed for this unwelcome publicity range from the “cybergripe” to the “cybersmear” to the “cyberattack.”
The cybergripe typically refers to postings in a customer or shareholder forum in which most of the commentary is negative. The cybersmear refers to more serious cybergripes which are false, defamatory or otherwise actionable. The cyberattack refers to the creation and use of a web site dedicated to disparaging a business. See, Jeffrey C. Dodd and Timothy C. Langenkamp, Strategies for Dealing with Attack Sites in Understanding Electronic Contracting 2003 335 (Practicing Law Institute 2003). For simplicity, this article will use the term “cybersmear” to encompass the range of negative commentary appearing on the Internet specifically directed against a business. This article will not deal with cruder attempts to misdirect web users away from the web site of a business through various Java programming “cyberjacking” schemes. See, Kenneth Sanney, Note, Cyberjacking, Mousetrapping, and the FTC Act: Are Federal Consumer Protection Laws Helping or Hurting Online Consumers?, 3 Vand.J.Ent.L.&Prac. 221 (2001).
The Problem – Damaging Attacks By Unknown Assailants
Many web portals such as Yahoo! contain a discussion board as part of their menu of services and information related to public companies. Members of the public can easily join the discussion board through a simple registration process with the web site host. The host will collect at least the e-mail address of the new participant, but may decline to collect the person’s name or other information. The new participant will then choose a pseudonym, and all subsequent postings from that person’s email address will be identified by that moniker.
Many public company discussion boards sink into a routine of rumors and recriminations. Occasionally, some of these rumors are serious enough to affect the stock price. The poster may be attempting to take advantage of these stock swings on the basis of his or her trading position. Beyond the short term effect on stock prices, some postings may accuse management of assorted misdeeds or criminal acts. They may disparage the business or products of the company. Some may be go beyond that to the very personal, accusing a manager of giving sexual favors to advance his or her career, or alleging an affair between two employees. And some postings may divulge sensitive business information, whether it relates to sales strategy, customer names or confidential technical information.
While postings on a discussion board are limited to text messages and perhaps hypertext links, attack web sites (including those using misleading names and other techniques to fool search engines into directing traffic to them) give the author the freedom to post all that and more: entire documents, graphics and images, with resources and links to other web sites that attract a greater audience. The author of such web sites can, for a fee, register directly with a registrar such as register.com and, also for a fee, locate a host for the site. In that case, it may be possible to obtain identifying information about the registrant. However, registrants sometimes submit false information to the registrar. Moreover, some hosts, such as thefreesite.com, offer free web page hosting to members of the public who may not need to provide much information to sign up. These sites, when used to attack a business, can include photographs, images of documents and graphics designed to embarrass a business or its management.
Of course, businesses have dealt with negative publicity for years. The public relations industry under the leadership of Edward L. Bernays emerged almost a century ago out of the need to manage the image of public companies. Negative information about businesses turns up in the print and broadcast media routinely. But except for the largest, most businesses tend to stay out of the media glare. The Internet is different. There is almost no limit upon the amount of information (negative or positive) that can be published about a business. That information is readily searchable and may be archived indefinitely by a search engine. Dodd & Langenkamp, supra, at 338. That information is also readily available to anyone, at any time, with a computer and Internet access.
Therefore, within the past ten years business management has been forced to deal with the existence of false, defamatory or secret information about their company that may become suddenly available and exposed to millions of people. While there are many options available to management to help cope with this situation, none is ideal and some entail significant risks for the business. The legal landscape reflects, to some extent, the naiveté of the judiciary about the seriousness of the issue, a lack of legislation dealing with the liability of cybersmearers, and an unlevel field of play for businesses.
Can Cybersmearing Be Stopped? – Several Approaches
A manager wishing to stop a cybersmear may assume that a negative posting violates some law. After all, it cannot be right for someone to post some rumor about a company’s earnings, especially if it is untrue. And it certainly cannot be right for a poster to allege falsely that he is having an affair with the wife of the president of a public company. See, HealthSouth Corp. v. Krum, No. 98-2812 (Pa.C.P. Centre County). See generally, Scot Wilson, Note, Corporate Criticism on the Internet: The Fine Line Between Anonymous Speech and Cybersmear, 29 Pepp.L. Rev. 533, 547-51 (2002). But as any lawyer knows, what is not right may not be actionable. A brief synopsis follows of the types of claims which can arise from a cybersmear.
The false statement made about the wife of the president of HealthSouth on a Yahoo! Finance bulletin board was libelous because it was both untrue and defamatory. Similar other untrue statements of fact may also be libelous (a human resources vice president “sleeping her way to the top”). The problem with cybersmears is that they often are not so off the wall or so unrelated to the company’s business. For instance, any discussion board posting stating that the CEO is incompetent, that the company’s products are lousy or that its stock price is due for a fall, would likely be considered a matter of opinion, not fact. And opinions on matters of public concern are protected by a qualified First Amendment privilege. See, e.g., Milkovich v. Lorain Journal Co., 497 U.S. 1 (1990). See also, Lyrissa B. Lidsky, Silencing John Doe: Defamation & Discourse in Cyberspace, 49 Duke.L.J. 855, 919-944 (2000). One judge has opined that virtually every statement posted on internet discussion boards, because of the very nature of the media and a perception of the absence of credibility, is therefore protected opinion. Global Telemedia, Inc. v. Does 1-25, 132 F.Supp.2d 1261 (C.D.Cal. 2001) (the court’s opinion focused mostly on outlandish messages like “you are one of the stupidest suckers who ever posted here” and the response “`you are` a degenerate who speaks regularly from his lower orifice.”). Even statements of fact cast as parody are exempt from libel claims. Beyond that, most publicly traded companies are likely to be considered public figures as to their business activities, which requires the companies to prove, like a politician, that the libeling defendant acted with actual malice. Lidsky, supra, at 907-912.
Apart from the opinion and public figure hurdles, most trial lawyers agree that any libel case is difficult to prove and therefore to win. Except perhaps to obtain recompense for very personal false statements appearing on the web, the result may not be worth the cost. See, Thomas G. Ciarlone, Jr. and Eric W. Wiechmann, Cybersmear May be Coming to a Website Near You: A Primer for Corporate Victims, 70 Def.Couns.J. 51, 51-52,62 (2003)(discusses well-known Varian Medical Systems libel litigation in California which resulted in a substantial libel verdict in 2001 against cybersmearers, but which did not stop negative web postings. For instance, former employees posted over 14,000 messages alleging that Varian’s management videotaped public bathrooms, then created a negative web site about the company.) Lidsky, supra, at 872-76 and n. 96 (citing statistics that “public figure” corporations win libel cases only five percent of the time).
2. Unfair Trade Practices/Business Disparagement
Some states, like Texas, recognize a tort of business disparagement, similar to the tort of “injurious falsehood”. Dodd & Langenkamp, supra, at 340-341. See also, Restatement (Second) of Torts § 623A. Other states have versions of so-called little Federal Trade Commission Acts which prohibit false advertising and unfair competition, and provide private causes of action for damages and injunctive relief. See, e.g., Ill.Comp.Stat.Ann. 505/1-12; Mass.Rev.Stat. Ch. 93-A; Colo.Rev.Stat. §§ 6-1-101-15. See also similar uniform acts found in 7A U.L.A. 69,139. But in the case of business disparagement, the same libel hurdles of malice and falsity will apply. In the case of unfair competition statutes, the defendant must normally be engaged in commerce, i.e. a competitor, and not merely a complaining customer, employee or stockholder.
Under federal law, Section 43(a) of the Lanham Act, 15 USC § 1125(a), prohibits false or deceptive advertising about another’s product, and allows damages and injunctive relief. But it is designed to deal with competitive situations, and not consumers or others who have a gripe with a company. Wojnarowicz v. American Family Association, 745 F.Supp. 130 (S.D.N.Y. 1990). See, Dodd & Langenkamp, supra, at 342-43.
3. Securities Laws
To the extent a cybersmearer makes a statement which adversely affects a company’s stock price, that person could be liable to a stockholder for securities fraud under Rule 10(b)(5) of the Securities Exchange Commission (“SEC”) issued pursuant to Section 10(b) of the Securities Exchange Act, 15 USC § 78j(b). Ciarlone & Wiechman, supra, at 59-60. While the plaintiff stockholder litigation bar normally looks for deeper pockets than might be the case with a cybersmearer, there is some risk that stockholders may bring claims against managers who fail to stop cybersmears that depress a stock price.
Those who regularly participate in discussion boards of publicly traded corporations appear to be obsessed with the notion of market manipulation. The “pump and dumpers” square off against the “bashers” and the “shorts” in profanity ridden diatribes about a company’s virtues and flaws. There is a common perception that the “shorts” (i.e. “short sellers”) often hire proxies to post endless negative comments about a target company, particularly in response to anyone saying anything positive. They do so with the hope that the market price of the stock in these companies will be driven down, enabling the “shorts” to cover and to profit. While the SEC has occasionally expressed concern about this phenomenon, it has taken little action in this area. The SEC has focused almost exclusively on the public companies, alleging that the companies themselves are disclosing inaccurate or incomplete information on discussion boards to inflate their own stock prices.
An attack web site often will seek to use rope provided by its target to perform the hanging of the business to be cybersmeared. Whether it be material from its annual report or internal memoranda, a business may find much of its documentation posted on a web site for all the world to see, perhaps to ridicule or even to profit from. The material may be as simple as a photo of the president or it may be as complex as the source code of the company’s main software product.
In this case, the copyright owner has a claim for injunctive relief and money damages against the infringer under the Copyright Act, 17 USC § 101 et seq. Registration with the Copyright Office is not a prerequisite to ownership, although registration even after the fact will increase the remedies available to the business plaintiff. 17 USC § 412. See, Dodd & Langenkamp, supra, at 346-48.
The relationship of federal trademark law (Lanham Act, 15 USC § 1051 et seq.) to cybersmears is very close, since the name and other marks owned by a business are the bulls eye of the target for the cybersmearer. From the creation of web sites with the domain name `yourbusiness`sucks.com to the use of company logos in obscene or uncomplimentary ways, the Internet provides many opportunities for mischief and harm around a company’s marks.
The `yourbusiness`sucks.com web site phenomenon has generated a cottage industry of litigation and commentary. The recent decision in Taubman Co. v. Webfeats, 319 F.3d 770 (6th Cir. 2003) ruled in a fact-intensive case that because the defendant’s “taubmansucks.com” site was purely an exhibition of free speech and was not “in connection with the sale … of goods” (15 USC § 1114(1)), there was no violation of the Lanham Act. Id., 319 F.3d at 777-78. In fact, the Court held that “although economic damage might be an intended effect of `defendant’s` expression, the First Amendment protects critical commentary when there is no confusion as to source, even when it involves the criticism of a business”. Id. But see, People for the Ethical Treatment of Animals v. Doughney, 263 F.3d 359 (4th Cir. 2001) (injunction granted against parody site “peta.org” where found to be in connection with the sale of goods); Planned Parenthood Fed’n of America, Inc. v. Bucci, 152 F.3d 920 (2d Cir. 1998) (injunction granted where likelihood of confusion found after pro-life group acquired “plannedparenthood.com” domain name).
Of course, Congress has also passed the Anticybersquatting Consumer Protection Act, 15 USC § 1125(d)(1)(A), which forbids use of a confusingly similar domain name with the intent to profit from the same. That provision would not seem to help businesses facing an obviously negative domain name, such as those with the “sucks” suffix. Cf., People, supra; Rita A. Rodin et. al, Enforcing Your Trademark Rights under the UDRP and the ACPA in Trademark Law and the Internet: Challenges of the Digital Age, 201,203 (Practicing Law Institute 2002). And while the Uniform Domain Name Dispute Resolution Policy is a quicker and cheaper administrative remedy for trademark holders seeking the transfer of confusingly similar domain names, its panels also tend to uphold web site names that clearly express criticism of a business. Id. at 210-211.
Of course, attack web sites can use trademarked names as metatags or as purchased search engine key words to direct search engine users to a particular site. Such usage of a registered trademark has been found to create initial interest confusion. See, e.g. Eli Lilly & Co. v. Natural Answers, Inc., 233 F.3d 456 (7th Cir. 2000)(use of “Prozac” metatag for the web site of an herbal remedy alternative). See, Rodin et al., supra, at 220-24.
An attack web site can also contain numerous hyperlinks to pornographic sites, to sites selling products or even to sites of competitors of the attacked business. Where the links are to commercial sites, the commerce link to the Lanham Act is made. Thus if a web site which criticizes a business by name also creates links to a competitor, that may constitute trademark infringement because it makes commercial use of the trademarked name. See, Bihari v. Gross, 119 F.Supp.2d 309 (S.D.N.Y. 2000). If the mark is famous, there is also an argument that the hyperlink causes trademark dilution by tarnishment, prohibited by the Federal Trademark Dilution Act, 15 USC § 1125(c). See, Martha Kelley, Note, Is Liability Just a Link Away? Trademark Dilution By Tarnishment Under the Federal Trademark Dilution Act of 1995 and Hyperlinks on the World Wide Web, 9 J. Intell.Prop.L. 361 (2002). Of course, trademark dilution under the FTDA just got harder, since the Supreme Court ruled in Moseley v. V Secret Catalogue, Inc., 537 U.S. 418 (2003) that a plaintiff has to show “actual injury” to the value of its famous trademark in order to make out a dilution claim.
6. Trade Secrets
Most states have enacted some form of the Uniform Trade Secrets Act, 14 U.L.A. 433 (1990), which affords businesses with strong injunctive and damages remedies against persons who misappropriate a trade secret by acquisition or disclosure. A typical cybersmearer is a disgruntled former employee who obtains and posts technical or commercial trade secret information which the former employee received on the job and which was subject to appropriate confidentiality controls. When the employee left, he or she absconded with a copy of this information, and is using it to cause embarrassment or economic harm to the company. See, MCSi, Inc. v. Woods, 2003 U.S.Dist.LEXIS 3086 (N.D. Cal. 2003) (misappropriation of trade secrets alleged in postings on Yahoo! discussion board).
The major issue in trade secret litigation typically concerns whether the information is a trade secret. It requires findings that there is both independent economic value from its secrecy and reasonable efforts to maintain that status. Internal financial records can be a trade secret as well as technical materials. In cybersmear litigation, obviously only that portion of the negative material that is a trade secret can be enjoined through this statute. Still, the statute does provide a powerful remedy for a portion of what may get posted on a discussion board or on a web site.
Many a cybersmearer is a disgruntled former employee. That employee may remain subject to an employment or similar agreement containing some form of a confidentiality or nondisparagement or noncompetition clause. Those agreements may also explicitly reference injunctive relief as well as money damages remedies against former employees who violate the terms. Noncompetition provisions may be difficult or impossible to enforce. But confidentiality provisions are more typically enforced against former employees, typically those who held responsible positions with a business.
A business may even attempt by contract to limit its customer’s public statements critical of its products. But such provisions have backfired on a seller requiring it. See, People v. Network Associates, Inc. d/b/a McAfee Software, No. 400590/02 (N.Y.Sup. 1/6/03)(provision held to be a deceptive trade practice). Dodd & Langenkamp, supra, at n.71.
8. Property Torts
Some lawyers are dusting off intentional torts involving property rights and using them for internet-related offenses. In Kremen v. Cohen, 2003 U.S.App.LEXIS 14830 (9th Cir. 2003), the court held that the theft of a domain name constituted conversion, even though the right was intangible. However, in Intel Corp. v. Hamidi, 71 P.3rd 296 (Cal. 2003), the California Supreme Court found no trespass to chattels from the actions of Intel ex-employees sending thousands of negative emails to current Intel employees at their place of work. But, to the extent that a cybersmearer actually “invades” a company’s cyberspace, either through massive attacks on its server or through appropriation of its domain name or addresses, there may be a cause of action.
9. Terms of Service
Most every discussion board or web site host requires participants to mouse click their agreement with specific terms of service for use of the board or site. Those terms typically include provisions prohibiting scandalous matter or material in violation of the intellectual property rights of another. They also give the host the discretion to remove material or terminate the rights of a contributor. Ciarlone & Wiechmann, supra, at 62. See, excerpts from Yahoo! Terms of Service, attached as Exhibit 1.
A business that is victimized by a cybersmear certainly can contact the host to request that it exercise its discretion to enforce its terms of service against a cybersmearer. These hosts will often cooperate by removing offensive material. Ciarlone & Wiechmann, supra, at 62. But the business does not have a cause of action against the host, because Section 230 of the Communications Decency Act, 47 USC § 230 (“CDA”) has been interpreted to give immunity to internet service providers with respect to the content of materials appearing on their sites. See, e.g., Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997). But see, Batzel v. Smith, 333 F.3d. 1018 (9th Cir. 2003) (analyzing whether listserv moderator is covered by CDA § 230); Paul Ehrlich, Comment, Communications Decency Act § 230, 17 Berkeley Tech.L.J. 401 (2002)(arguing that § 230 does not provide total immunity).
Procedural Roadblocks to Pursuing the Cybersmearer
As discussed in the previous section, there are several possible legal claims that a business may make against a cybersmearer, which could result in injunctive relief or damages. Those causes of action have, built within them, certain defenses which can make it difficult for a business to succeed with such a claim. For instance, libel claims come with public figure and opinion speech defense, and trademark claims require proof of a commercial use of a protected mark. But there are other legal hurdles facing businesses in pursuit of these claims, and those are discussed in this section.
Most discussion board participants use a pseudonym. Their identity is hidden to other users of the board, and the host may have little more identifying information beyond an e-mail address. The identity of the owner of an attack web site may be more public, unless it is operated as a web page hosted by a third party. In order to get relief against the cybersmearer, eventually the business needs to uncover the identity of that person. Obtaining that identity is often as difficult as winning the case on the merits.
In the cybersmear context, businesses have often resorted to naming “John Doe” as defendants in litigation, coupled with expedited discovery requests (subpoenas) aimed at the third party web host to obtain the identity of the poster or web page owner. This process is not ideal, since a John Doe leaves unsolved personal or subject matter jurisdiction issues for the court. Particularly federal courts are hostile to John Doe defendants. See, Bryant v. Ford Motor Co., 844 F.2d 602,605 (9th Cir. 1987); Megan M. Sunkel, Note, And the I(SP)S Have It … But How Does One Get It? Examining the Lack of Standards for Ruling on Subpoenas Seeking to Reveal the Identity of Anonymous Internet Users in Claims of Online Defamation, 81 N.C.L.Rev. 1189, 1200-07 (2003).
One alternative available in some states is to bring a discovery action directly against the third party host, seeking in that action only the identity of the cybersmearer. See, Exhibit 2, attached. Such litigation may be available against the host, even if it is immune from liability under the CDA. This works well in other contexts. An employer may be immune from suit under worker’s compensation law, but may be sued by an employee solely to discover what manufacturer made the machine on which the employee was injured. See, Robbins v. Kalwall Corp., 417 A.2d 4 (NH 1980).
A second alternative is available where there is an allegation of copyright infringement. There is a subpoena provision in the Digital Millenium Copyright Act, 17 USC § 512(h)(“DMCA”) which permits a copyright owner to subpoena an internet service provider to produce the identity of a person using infringing material on its site. The owner must apply to the federal court for issuance of a subpoena, accompanied by a declaration that there is an infringing use of copyrighted material. A sample application and subpoena is attached as Exhibit 3. The constitutionality of this provision has been upheld twice recently in In re Verizon Internet Services, Inc., No. 03-MS-0040(JDB) (D.D.C. 4/24/03) and No. 02-MS-0323(JDB) (D.D.C. 1/24/03), 240 F.Supp. 24 (D.D.C. 2003). The ACLU, Yahoo! and some other ISPs are joining this issue with Verizon, and this battle is not over.
While Verizon is engaged in appeals to avoid turning over to the Recording Industry Association of America information about DSL subscribers (and music downloaders), id., many web hosts do not fight third party subpoenas. In fact, their terms of service, discussed earlier, tell users not to expect anonymity in the face of subpoenas. Joshua L. Furman, Cybersmear or Cyber-SLAPP: Analyzing Defamation Suits Against Online John Does as Strategic Lawsuits against Public Participation, 25 Seattle U.L. Rev. 213,230-33 (2001); Wilson, supra, at n. 18; Ciarlone & Wiechmann, supra, at 62.
Most of the reported cases seeking discovery to determine the identities of cybersmearers discuss whether the anonymity of the poster is protected by the First Amendment. Courts and commentators have waxed eloquent on the important free speech values contained in anonymous speech, citing the Supreme Court’s decision reaffirming the importance of preserving the anonymity of unsigned political leaflets, McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995). As a result, a number of state and federal judges have refused to issue subpoenas directed at web hosts to disclose the identities of cybersmearers. Some of these cases may take McIntyre too far, and some courts have seemed to be carried away with free speech values at the expense of the value of permitting the victims of cybersmears to litigate their cases. See generally, Caroline E. Strickland, Note, Applying McIntyre v. Ohio Elections Commission to Anonymous Speech on the Internet and the Discovery of John Doe’s Identity, 58 Wash.&Lee L.Rev. 1537,1571-85 (2001).
Courts have created multi-part tests to weigh the interests of the anonymous poster against those of the business that has been cybersmeared. The first major articulation of such a test occurred in Columbia Insurance Co. v. Seescandy.com, 185 F.R.D. 573 (N.D.Cal. 1999), a trademark infringement case involving an anonymous poster. The court created a four factor test, which was later adopted by a New Jersey appellate court. Dendrite Int’l, Inc. v. John Doe, 775 A.2d 756 (N.J.Super.Ct.App. 2001). The four requirements are: 1) enough identity of the unknown defendant to determine jurisdiction; 2) an attempt to locate and serve the unknown party; 3) proof that the underlying action would survive a motion to dismiss; and 4) a discovery request specifically geared to complete service of process. Columbia, 185 F.R.D. at 579-80. Other cases considering subpoenas to locate the identities of cybersmearers are collected in Sunkel, supra, at 1207-1213.
2. Anti-SLAPP Statutes
A number of states have passed legislation designed to prevent businesses from filing lawsuits to intimidate citizens fighting real estate development or other corporate activities. Those lawsuits became known as Strategic Lawsuits Against Public Participation (“SLAPP”), and they found the wrath of legislators around the country. Foremost among them is California’s statute, Cal.Civ.Proc.Code § 425.16, which requires plaintiffs claiming damages based upon a defendant’s statements to survive a special motion to strike. To go to trial, the court must rule that the plaintiff has a “probability that he or she will prevail on the claim”. This seems to create a separate constitutional issue for the plaintiff, whose jury trial right on disputed factual issues may be infringed by the court’s preliminary ruling. See, Opinion of the Justices (SLAPP Suit Procedure), 641 A.2d 1012 (N.H. 1994)(advisory opinion holding proposed state legislation unconstitutional based upon special motion to strike procedure). Nevertheless, a number of states have enacted Anti-SLAPP statutes. See, e.g., Fla.Stat.Ann. § 768.295; Mass.G.L.A. ch.231, § 59H; N.Y.C.P.L.R. § 3211(g). Activist groups like the California Anti-SLAPP project (www.casp.net) are ready for war on behalf of cybersmearers using these statutes.
In cybersmear cases, the Anti-SLAPP statutes may be used to prevent the disclosure of anonymous posters and may lead to the dismissal of lawsuits against those posters, complete with an award of attorneys fees. See, Batzel, supra, (statute may be applied in conjunction with CDA § 230); ComputerXpress Inc. v. Jackson, 113 Cal.Rptr.2d 625 (Cal.App. 2001)(statute applied to portion of claims, attorneys’ fees awarded); Global Telemedia (statute applied); MCSi, Inc., supra (statute not applied); Furman, supra, at 245-48 (arguing that Anti-SLAPP statutes rather than First Amendment should be the primary defense against cybersmear lawsuits).
Companies seeking to stop cybersmears in anti-SLAPP jurisdictions need to consider the significant risks associated with using the judicial system to protect its interests.
3. First Amendment
Many of the obstacles to the pursuit of cybersmearers spring from First Amendment values. These values show up substantively in the application of the law of libel and trademark. They show up procedurally in the denials of discovery to uncover anonymous discussion board posters. But that same First Amendment might not help a business that tries to correct the record publicly against a cybersmearer. In Kasky v. Nike, Inc., 45 P.2d 343 (Cal. 2002), cert. dismissed as improvidently granted, 123 S.Ct. 2554 (2003), the California Supreme Court let proceed to trial an unfair trade practice case brought by a citizen against Nike because of allegedly false and misleading publicity it put forth as its argument concerning working conditions in its third world factories. While that case is not over, it could have a chilling effect on companies wishing to correct forcefully the diatribe of a cybersmearer. In an ironic twist, the company which defends itself could then get sued by the cybersmearers.
Given the uncertain terrain over which cybersmearers must be pursued, what should a business do when facing an attack? Strategies depend upon the particular facts of the attack, the risk tolerance of the company, and the legal landscape in the state.
1. Preventive Measures
Many companies buy up derogatory variations of their trade names, including those with the “sucks” suffix, to prevent others from acquiring them. Good confidentiality and nondisparagement provisions in employment agreements are essential to provide a disincentive to former employees from starting to cybersmear. Some businesses have even made nondisparagement or confidentiality a term of an agreement with a customer for the sale of its products.
Beyond that, businesses should monitor discussion boards or web sites dealing with their companies. Wilson, supra, at 575-76. They may be able to identify and stop cybersmearers earlier, before damage has occurred to the company.
Usually, the first task for a business is to locate the identity of the cybersmearer. For an attack web site, theoretically a business can track its owner and the internet service provider hosting the site. Registered owners can be found on WHOIS, but unfortunately much false information is on file. There are tools to discover internet protocol addresses of web sites to locate its host, and its internet service provider. Attached as Exhibit 4 is a primer of basic investigation techniques, prepared by Hemanshu Nigam of Microsoft. Unfortunately, this tool will not lead to the identity of a discussion board poster on a third party’s web site, such as Yahoo!.
If by self help, subpoena or self-revelation, the cybersmearer’s identity becomes known, the business can send out a cease and desist letter. Sometimes those letters have the desired effect. Also, the company may contact the customer service representative of the web host and request that the offensive postings or poster be removed from the site. Companies like Yahoo! may well comply with such requests voluntarily.
The company may decide to join the fray by arranging for corrective information to show up on its web site or in the discussion boards. Such a move could succeed or backfire, and should be considered with top notch public relations expertise. Moreover, some corrective information may be called for under securities law so that cybersmears do not mislead investors in public companies. Id. at 576-77. But, as mentioned before, posting corrective information then poses the risk of an unfair trade practices lawsuit from someone alleging that the business’ rebuttal is false. See, Kasky, supra.
The most coveted information for the business is the name of the cybersmearer. Many cases end after the identity of the person responsible has been uncovered. Why? Experience shows that a well placed cease and desist letter or court complaint can quiet the cybersmearer. See, Lidsky, supra, at 875-83. But to get that information takes a subpoena to a web host. If there is any copyrighted material involved, a subpoena pursuant to the DMCA can be readily obtained. Outside of that, a business may wish to seek a subpoena in a jurisdiction (not New Jersey or California) that is less enamored with the free speech rights of anonymous cybersmearers and which does not have a strict Anti-SLAPP statute. Where direct discovery actions are permitted against the web host, that should be considered as well.
If the company then wishes to pursue its litigation claims, those based upon trade secrets or confidentiality agreements seem less imbued with the free speech concerns of, say, trademark and libel claims. But in any event, the company should exercise some discretion, unless it wishes to end up like Varian Medical Systems, with a substantial judgment but with continuing negative publicity. Or even worse, the company the company bringing the suit against cybersmearers could end up like ITEX Corp., which brought such a suit, only to result in a subsequent SEC suit against it for securities fraud. Wilson, supra, at 579-80.