Protecting Your Company’s Online Data

Digital data is becoming a hot commodity these days because it enables AI tools to do powerful things. Companies that offer content should keep up with the evolving technology and laws that can help them protect their online data.

As data becomes available online, it can be accessed in different ways, leading to various legal issues. In general, one basis for protecting online data lies in the creativity of the data under the Copyright Act of 1976. Another basis lies in the technological barrier of the computer system hosting the data under the Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act. It is also possible to protect online data based on contractual obligations or tort principles under state common law.

In terms of the data, a company would need to consider its proprietary data and user-generated data separately, but any creative content is invariably entitled to copyright protection. Without owning the data, the company can still enforce the copyright via an exclusive license from its users. In terms of the computer system, a company could evaluate different security measures for restricting access to the data without severely sacrificing visibility and usability of the company, the data and/or the computer system.

In a typical scenario, a company may make its data accessible to the public as is, publicly available in an obscured or tracked form, and/or accessible only to a select group. Let’s consider these scenarios separately.

When the data is accessible to the public as is, another party’s obtaining the data cannot be considered computer abuse. See hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019) (holding that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not or, at least, likely does not constitute access without authorization under the CFAA). The company can still pursue a copyright infringement claim, for instance, but even that is subject to the fair use defense. See id.; Getty Images (US), Inc. v. Stability AI, Inc., 1:23-cv-00135 (D. Del.).

Otherwise, the data can be digitally obscured and effectively tracked before publication with the company’s logo, a watermark or another obscuring device, which can complicate or sometimes deter use of the data. That in turn can enable the company to establish a technology circumvention claim when another party compromises the company’s intent of copyright management by altering or canceling the obscuring device from the data. See id. That can even allow the company to make a trademark infringement claim since another party can be damaging the company’s branding with the same act. See id.

In addition, the data can be shielded by a code-based authentication mechanism with a requirement for a login or a verification response, for instance, which can complicate or sometimes deter access to the data. Since such deterrence does not eliminate access, the company would still need to deal with undesirable use by authenticated users or their bot delegates. However, the stronger the authentication mechanism, which can be enhanced with measures to detect and prevent malicious behavior or intent, the better the chance of establishing a computer abuse or circumvention claim. See Ryanair DAC v. Booking Holdings Inc. et al., No. 20-01191 (D. Del. Oct. 24, 2022) (holding that when the plaintiff’s system requires a username and password to obtain access to a particular portion of their website, whether the plaintiff’s steps to protect that portion of the website ― such as blocking accounts believed to be associated with screen scraping and using other code-based measures to limit unauthorized access to the website ― would render that portion of the website sufficiently off-limits to undesired access even with a username and password needs to be resolved in the course of the litigation).

In conclusion, to the extent that access to the data can be limited, a company that offers content is advised to strengthen the design of its content publication channels, such as websites or social media, to not only make it less easy to access and use the data but also make it clearer how the data should be accessed and used. The latter could be reinforced by also enhancing the terms and conditions to define unauthorized use and license restrictions and reserve audit rights.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
