When management assesses the various financial and legal risks of a company's day-to-day operations, it is safe to assume that the staff member listening to the latest Britney Spears album on his or her computer is not the top concern of most compliance officers. Given the substantial money damages that accompany copyright infringement and the increasing likelihood that the music and entertainment industries will soon focus their enforcement actions on corporations which may be liable vicariously or as contributory copyright infringers as a result of their employees' actions, online file sharing in the workplace should become a key concern for every company. To understand how corporate entities may become targets, it is necessary to understand the history of the battle between copyright holders and online file sharing providers and users.
Actions Against P2P Providers
When the Recording Industry Association of America ("RIAA") succeeded in pushing the old Napster out of business in 2001, the RIAA, Motion Picture Association of America ("MPAA") and other trade associations which represent copyright holders whose creative materials are traded via peer-to-peer ("P2P") file sharing networks breathed a collective sigh of relief. See A&M Records, Inc. v. Napster, Inc., 239 F.3d 1004 (9th Cir. 2001). That respite, however, was temporary as the cat and mouse game between content providers and technology developers moved to the next phase. The demise of the old Napster triggered an explosion in the availability and use of P2P services, through such providers as KaZaA, Morpheus, Grokster, iMesh, eDonkey2000, BearShare, LimeWire and dozens of other systems. At the same time, music sales have been steadily falling and many in the recording industry attribute such declines directly to the widespread availability of free music through such P2P networks.
With the Napster victory in hand, the entertainment industry proceeded to bring lawsuits against some of the most significant new players in the expanding P2P provider industry. The largest service, KaZaA, proved to be the most difficult to engage in litigation since the owner, Sharman Networks, is incorporated in the island nation of Vanuatu and operates out of Australia. While litigating jurisdictional issues with KaZaA, lawsuits proceeded against Streamcast Networks (a/k/a Morpheus) and Grokster. The old Napster was a centralized system in which copyrighted materials were transferred and/or stored using a network controlled by Napster, and holding it liable for massive copyright infringement was not difficult. However, the new breed of P2P services differs from the old Napster in that the systems are pure peer-to-peer systems in which individuals share files with one another by making folders located on their local computer hard drives directly available to other users via the Internet, while the P2P operator is incapable of controlling the content of such files. In a dramatic setback for copyright holders, the U.S. District Court for the Central District of California held that Morpheus and Grokster were not liable for copyright infringement, in part because "...here, unlike in Napster, there is no admissible evidence before the Court indicating that Defendants have the ability to supervise and control the infringing conduct..." Metro-Goldwyn-Mayer Studios, Inc. et al. v. Grokster, Ltd. et al., 259 F.Supp.2d 1029, 1045 (C.D.Cal. 2003).
Actions Against Users
Unable to metaphorically chop off the head of the P2P beast, the RIAA then proceeded to take action against individual users of P2P services. Using the subpoena power available under the Digital Millennium Copyright Act, the RIAA sought to compel Internet Service Providers ("ISPs") to disclose the identity of individual P2P users. See, 17 U.S.C. §512(h). While some ISPs such as Verizon and Charter Communications challenged this process as unconstitutional, most ISPs complied with the thousands of subpoenas obtained by the RIAA. See In re: Verizon Internet Services, Inc., 257 F.Supp. 2d 244 (D.D.C. 2003). After collecting vast amounts of user information, the RIAA proceeded to sue 261 individual P2P users throughout the country.
The United States Copyright Act enables the holders of properly registered copyrights to sue for statutory damages and recover between $750 and $30,000 in damages, plus costs and attorneys' fees, for each copyright infringed without the need to prove any actual damage or monetary loss to such copyright holder. See, 17 U.S.C. §504(c). In the event willful infringement is proven, this number can be increased to $150,000 per work. Therefore, an individual who intentionally downloads 10 songs from a P2P service could be liable for $1,500,000 in damages in a copyright infringement suit despite the fact that the actual retail value of the 10 copies of the songs may be less than $100.
Unsuspecting people, from college students to retirees to children, received lawsuits claiming the maximum liability in the hundreds of millions of dollars per person. This practice of suing individuals piqued the interest of many in Congress who, led by Senator Norm Coleman (R-MN), expressed concern and echoed public outcries over these aggressive tactics against their sympathetic constituents. The RIAA has agreed to modify its practices with respect to pursuing individual infringers to limit lawsuits to the most egregious file sharing offenders. The RIAA amnesty program offers immunity from RIAA litigation to any user (other than those currently the subject of a lawsuit) who agrees to cease all illegal file sharing activities. It does not afford such users any protection from non-RIAA owners of copyrighted materials that may have been shared through P2P services, such as performers.
Anticipated Actions Against Corporate Users
Now that P2P service providers are unlikely to be held liable and actions against individual P2P users are met with heightened scrutiny, copyright holders may consider large corporations as the prime targets. Most large corporate entities have elaborate computer networks, vast amounts of bandwidth, and thousands of employees who may be sharing music files. These days Internet usage in the workplace is nearly as common as telephone usage. Yet despite numerous reports that P2P usage is widespread on many corporate computer networks, the RIAA has only filed lawsuits against individuals in its 2003 enforcement program. In one rare exception, the RIAA settled in 2001 with Integrated Information Systems of Arizona, a technology services company that allegedly permitted employees to use a dedicated company server for sharing music files, for a reported $1,000,000. The absence of enforcement actions against corporations could quickly change. The New York Times reported on October 10, 2003, that the RIAA has filed suit against the New Jersey flea market operated under the Columbus Farmer's Market name, alleging sale of counterfeit CDs by lessees of the market operator. Mainstream corporations may be next.
It is far easier to trace the origins of a corporate P2P user than a home P2P user. Individuals accessing P2P services from home generally connect to the Internet through broadband or dial-up ISPs, such as telephone and cable companies and AOL and MSN. These ISPs randomly assign each user an Internet Protocol ("IP") address to access the Internet which changes with each separate Internet session. In order to match an IP address to an individual user, the RIAA must subpoena records from an ISP. Many large corporate users, however, have large pools of IP addresses permanently reserved for their use. Therefore, once an IP address is associated with online file sharing, there is no need to file a subpoena to reveal the identity of an individual user since the IP address can be easily traced directly back to a large corporation.
With this information in hand, copyright holders could seek to bring actions against the corporate entity without ever knowing, or needing to know, the specific identity of the individual user on the other side of the corporate firewall. Since employers can be held liable as contributory or vicarious infringers for the acts of their employees while using the company's computer networks, as long as the prohibited use can be traced back to the corporation in question, the copyright holder's search can end there. Even if the corporation does not contribute to the infringement or benefit from it in any way, merely defending such an action would be costly and disruptive. To further the goal of dissuading use of P2P networks, suing individuals may prove to be more effective since the resources of most individuals to contest such lawsuits are not as significant as those of large corporations. Many individuals, while receiving lawsuits alleging liability for hundreds of millions of dollars in statutory damages, have settled such cases for a few thousand dollars. However, if the goals of the RIAA's enforcement actions shift from making examples of randomly selected individuals to collecting larger sums of money from infringers, then actions against deep-pocketed corporations could become the next phase in the legal wranglings. At the same time, with the current RIAA enforcement actions scaring individuals away from engaging in file sharing at home, such users may turn to their office computers more for such activities, believing that they are less likely to be held personally liable. Much like the enforcement actions of the Business Software Alliance ("BSA") which pursues corporations for using unlicensed software, the RIAA may encourage disgruntled employees to confidentially disclose actions on their employer's networks and use such disclosures to force large settlements.
It is incumbent upon every company that permits Internet access in the workplace to take firm measures to stop illegal file sharing, lest the company become subject to millions of dollars in liability. It can safely be assumed that any employee accessing a P2P network is either uploading or downloading copyrighted materials. No employee needs to ever access a P2P service for business purposes. Even the legal online music services, such as the new Napster (formerly PressPlay), Rhapsody/Listen.com and Apple's iTunes, post personal use only licenses and prohibit any use of their services for a commercial purpose. The sole exception for P2P usage may be if the employee is searching for public domain works, but such access should be limited and closely supervised. If an employee needs to share a permitted file with another party, then the file can be attached to an email without using a P2P service. In addition, P2P software often has other programs bundled with the download unbeknownst to the end user, and P2P networks have seen an increase in the number of computer viruses.
10 Practical Recommendations
With this background, the following are steps for a corporate compliance program and best practices to take to deter and eliminate illegal file sharing on corporate networks and to protect the company from liability:
(i) Assign responsibility for compliance to a senior officer and senior IT department member;
(ii) Create a regular audit program which specifies tasks, frequency, responsibilities and reporting;
(iii) Adopt employee policies, and send employees reminder notices, which prohibit the downloading of any materials from the Internet of a software or entertainment nature for storage or use on company equipment, unless specifically authorized by senior management;
(iv) Inform employees that they will be held personally responsible for any damages as a result of copyright infringement;
(v) Restrict Internet access to web sites that provide P2P services and require specific manager approval where absolutely necessary for a legitimate and documented business purpose;
(vi) Regularly search network drives for common file extensions of potentially illegal files such as *.mp3, *.wav, *.wma, *.mov and *.mpg;
(vii) Identify departments or locations where infringement is perceived to be likely or is found to be prevalent;
(viii) Conduct random inspections of employees' local computers for the presence of file sharing software or illegal multimedia files and arrange for the orderly deletion of any prohibited materials after documenting the contents discovered;
(ix) Take disciplinary action against any employee that violates the company's policies regarding copyrighted materials; and
(x) Document all policies, procedures and enforcement actions in connection with the foregoing.
Conclusion
It is no longer a risk-free alternative to ignore the actions of employees using the corporate network. By taking a proactive approach to prevent the use of the corporate network for infringing purposes, a company can minimize the risk of inviting a lawsuit which would be costly to defend and potentially even more costly in a settlement or adverse judgment.