California’s New Standard for Identifying Anonymous Internet Posters
Companies face the difficult issue of protecting themselves from cybersmears by anonymous Internet users. One of the most problematic issues is determining which standard must be met by a plaintiff to obtain the identity of an anonymous poster who has used the Internet to spread defamatory statements.
The Sixth Appellate District Court of Appeal in California recently weighed in on the different standards used to determine when a plaintiff can compel the disclosure of an anonymous Internet poster’s identity, thereby adding to the complexity plaintiffs face. This decision can impact a company in two ways. First, it impacts when a company can obtain information regarding an anonymous poster who may be making defamatory statements regarding the company, or its executives. Second, while a commercial Internet service provider was at issue in this most recent case, private companies often find their own networks are used to post these type of comments. Companies should ensure compliance with the Court of Appeal’s standards, particularly regarding notice, before identifying any user of its network in connection with a subpoena to identify an anonymous poster.
In Krinsky v. Doe 6, CV059796 (February 6, 2008), the Court of Appeal recognized the First Amendment protections afforded to Internet users, but recognized these protections are not unlimited. In this case, the defendant allegedly had posted a number of statements about a company and its executives that were deemed to be crude and derogatory. One of the executives sought to compel Yahoo! via a subpoena to disclose the identity of the poster. The defendant brought a motion to quash the subpoena, which was denied by the trial court.
The Court of Appeal examined the different standards imposed by other state and federal courts, and created its own standard. While it adopted at some level the concept that the poster must received notice of the subpoena (as required by the Dendrite line of cases — Dendrite International, Inc. v. Doe, 775 A.2d 756, 761 (2001)), it seemed to indicate that a statement in a Web site’s terms of service that disclosure will be made in response to a subpoena would be sufficient notice. The Court of Appeal also held that a plaintiff need only show prima facie evidence of a claim to support disclosure of an anonymous poster’s identity, in contrast to the other states that require higher, summary judgment-level standards to be met before disclosure is made. See, Doe v. Cahill, 884 A.2d 451 (Del. 2005). It also did not consider the new hybrid standard created by an Arizona court which combined the Dendrite and Cahill tests. See, Mobilisa, Inc. v. Doe, 1 CA-CV 06-0521 (Ariz. 2007). Interestingly, the Court of Appeal also distinguished its own holding in O’Grady v. Superior Court 139 Cal.App.4th 1423 (2006), because this court distinguished, as many courts have, obtaining the content of communications (the issue in O’Grady) and obtaining the identity of a poster.
Despite concluding a lower standard applied, the Court of Appeal did not permit disclosure of the poster’s identity. It concluded that the prima facie standard was not met because the alleged statements at issue in the case, while offensive and at some level childish, were “crude, satirical hyperbole” that was not actionable on Florida’s defamation law.
The case sends a somewhat mixed message to potential plaintiffs in these actions. While the Court of Appeal did adopt the lower prima facie standard, its focus on the hyperbolic nature of the statements, and its resulting conclusion that the statements were not defamatory, ultimately seems to not increase a plaintiff’s abilities to identify posters. In many cases, the postings at issue are similar to those in this case. Moreover, the conclusion almost seems to encourage more extreme statements in order to try and fall within a potential “hyperbole exception,” which would be a strange result.
New FACT Act “Red Flag” Rules Place Additional Compliance Burden on Companies
The Fair and Accurate Credit Transactions Act (FACT Act) was one of the first federal financial privacy laws that applied to non-financial institutions. As new rules affecting the FACT Act have been implemented, the burdens placed upon non-financial institutions have increased, and recently enacted rules have added to the burdens placed upon companies, whether they are financial institutions or not.
On January 1, 2008 a new series of regulations became effective requiring companies to examine for and have programs in place should “red flags” indicate identity theft. There is a phased-in compliance date of November 1, 2008. These regulations require creditors and financial institutions to develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities and must:
- Identify relevant red flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those red flags into its Program
- Detect red flags that have been incorporated into the Program of the financial institution or creditor
- Respond appropriately to any red flags that are detected to prevent and mitigate identity theft
- Ensure the Program, including the red flags determined to be relevant, is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor with regards to identity theft
There also are training requirements that must be met. Therefore companies that have not performed an assessment and training or developed a program to comply with these regulations should consider what obligations they must meet to come into compliance.