E-Commerce—Preparing for and Maintaining Success

Sal Orofino is the Principal of The Orofino Law Group, PLLC, a specialized law firm providing in-house counsel to apparel and sports manufacturers that has represented brands like RVCA, WeSC and Metal Mulisha.

By Sal Orofino

E-commerce is now a bona fide reality for brands and retailers alike.  We’ve seen the action sports industry compress from the ideology of brands doing their best to respect the core retailers’ market share to an end-run development of some extremely robust direct e-commerce programs.  Brands have looked to companies to provide one-stop solutions for their e-commerce, 3PL and import/export needs.  Similarly, retailers have been doing their best to harvest the power of the internet to create sales and drive foot traffic through social media campaigns.

Now for the question that lawyers live for and the topic of this article, namely, what about compliance?  Creating a framework of understanding and periodic monitoring is just as important as SEO strategies, as laws are fast-changing in this dynamic area.  As states look for increased tax revenues and courts run to keep pace with changes in technology and end-user advancement, penalties for non-compliance are not only steep, they can in fact be disastrous to business continuity and to the bottom line.  What worked today likely will not work a week from now.  This article gives direction on some of the most pressing areas to be aware of.

1. Common Themes

When reviewing your company’s e-commerce compliance program, one helpful way to approach the issue is to look at your website in terms of buckets.  You should have a bucket for sales tax compliance, one for data security as it relates to using and storing your customers’ confidential information, and finally a bucket for data compromise and how to deal with it when it happens.

Understanding your legal and tax liability is a huge issue for any e-commerce retailer.  A detailed discussion of each of these issues is well beyond the scope of this article.  However, please make sure that you are engaging qualified advisors on how to craft protective policies that comply with the major areas of concern.

a. Tax Liability

All companies should have a strong sales tax compliance program in place, determine at the outset the rights to and usage of their intellectual property, such as trademarks and domain names, and craft the appropriate usage policies and licenses.  Further, you must also be very concerned with data privacy issues and have an appropriate terms and conditions policy in place.  When crafting a risk management policy, look hard at disclaimers of liability and make sure your advisor is mindful of anything overly one-sided, as courts have shown an unwillingness to enforce agreements of this type.

b. Data Security

Data security is every bit as serious as tax compliance.  Companies should look to bolster their security program and harmonize it with their data compromise plan.  Everyone who accepts credit cards online must build and maintain a secure network, manage passwords proactively, protect stored data, encrypt transmissions, use quality anti-virus software, maintain secure systems and applications, restrict data access to need-to-know personnel, restrict physical access, monitor each authorized user independently, track all network resource access and cardholder access, and maintain a written information security policy.  Then, depending on your merchant ranking, you will have to demonstrate ongoing compliance in a self-reporting mode, through internal auditing.

Another interesting angle for all senior managers is the internal enforcement of data security, especially after a breach by an employee has occurred.  In September of this year, the U.S. District court of Illinois found that the cost of a company’s investigation into a former employee’s alleged data theft, and the resulting lost customers and sales opportunities, can be counted as “losses” for purposes of the Computer Fraud and Abuse Act’s (“CFAA”) $5,000 damage or loss minimum for pursuing a civil claim.  While courts have been notoriously split over what exactly constitutes compensable “damage” or “loss” under the Act, this ruling continues the trend of expansive readings of the statute.  This is good news for employers who want to use the CFAA to go after rogue employees and possibly their competitors.

c. Data Compromise

Both federal and state agencies in nearly every state in the Union are very concerned with the protection of your customers’ private information.  The burden for this protection doesn’t pass on to a third-party provider if you outsource, so you must take responsibility for a first-rate data privacy program.

A recent development in California gives a striking example.  SB 24, which goes into effect January 1, 2012, requires any entity that notifies more than 500 California residents of a breach to submit a copy of the notification to the state attorney general.  It also mandates that data breach notifications contain particular content, such as the date of breach and a list of the personal information compromised in the breach.  Failure to comply will carry with it stiff penalties.

When looking at your website user agreement, let’s first determine what that document does.  A user agreement establishes the terms under which the relationship between a visitor and a website is governed.  A common practice for small websites is to borrow language and attempt to customize the terminology to fit their needs.  The problem here is in the details.  Weighing the importance of strong legal provisions on your site against the risk of losing potential revenue-producing visitors, and balancing the risk of attrition with the benefit of enhanced legal protections, is not a simple exercise.  From a drafting standpoint, courts view the enforceability of a website-user agreement in the context of fundamental fairness.  The more one-sided an agreement, the more inclined a court will be to find that it is unenforceable.  A major factor is the actual or apparent knowledge of the user.  Common sense, an appreciation for legal nuances, an intimate knowledge of the web and an understanding of industry standards and visitor expectations within your industry sector should guide you and your lawyer.

A final word of optimistic caution is in order.  E-commerce, whether outsourced or done internally, is vital to the success of our industry.  The responsibility for compliance, however, is ongoing, and liability ultimately rests on the shoulders of the person selling the goods.  Stay informed and abreast of the current laws and enjoy your success!

About the author:

Orofino is the Principal of The Orofino Law Group, PLLC, a specialized law firm providing in-house counsel to apparel and sports manufacturers that has represented brands like RVCA, WeSC and Metal Mulisha.  Orofino also forms comprehensive integrated estate plans for some of the best athletes in action sports.  He can be reached at (305) 790-2336 or by e-mail at salva@orofinogroup.com.