District Court Holds Blockbuster Arbitration Provision Unenforceable

By Mehmet Munur

A District Court in Texas recently held Blockbuster’s website terms and conditions arbitration provision illusory and therefore unenforceable due to Blockbuster’s right to unilaterally modify it. The District Court cited to established Texas precedent to argue that nothing in the website terms prevented the arbitration provision's retroactive application.

The plaintiff sued blockbuster in connection with the controversial Facebook beacon program and its integration with Blockbuster as a violation of “the Video Privacy Protection Act, 18 U.S.C. § 2710, which prohibits a videotape service provider from disclosing personally identifiable information about a customer unless given informed, written consent at the time the disclosure is sought.” The plaintiffs argued and the court held that the arbitration provision was illusory and therefore unenforceable.

The district court analyzed the Blockbuster Terms and Conditions under Texas law. The terms and conditions state:

Blockbuster may at any time, and at its sole discretion, modify these Terms and Conditions of Use, including without limitation the Privacy Policy, with or without notice. Such modifications will be effective immediately upon posting. You agree to review these Terms and Conditions of Use periodically and your continued use of this Site following such modifications will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to any modification of these Terms and Conditions of Use, you must immediately stop using this Site.

In finding this run-of-the-mill terms of use provision illusory, the court relied not on another business-to-consumer case, but Fifth Circuit case analyzing business-to-business agreements.

More specifically, the District court relied on Morrison v. Amway where the distributors signed Amway’s standard distributorship agreement. Facing disputes relating to the calculation of profits, Amway instituted an arbitration provision and published it in its magazine as well as other media sent to the distributors. Amway required that the distributors sign an acknowledgement form and send it back to Amway. Though all distributors renewed their agreements with Amway, two different groups sued Amway in federal as well as state court, both of which were stayed pending litigation. The arbitrator issued judgments and awards without opinions and the district court confirmed these opinions. The parties appealed their case to the Circuit Court.

The Circuit Court examined Amway’s arbitration policy to determine whether it was a valid agreement to arbitrate under Texas law. While the distributors had agreed to conduct their business according to Amway’s Code of Ethics, which would be amended from time to time, “the only express limitation on that unilateral right [was] published notice.” The Circuit Court was concerned that this unqualified right to amend the arbitration policy might apply to disputes arising before as well as after its publication. The Circuit Court held that this unqualified right to modify the Code of Ethics was unenforceable.

The Circuit Court relied on two Texas Supreme Court decisions. In one case, Texas Supreme Court had concluded that application of the arbitration policy 10 days after reasonable notice would be enforceable. In another case, however, the Texas Supreme Court plainly stated that “if the defendant-employer retained the right to ‘unilaterally abolish or modify’ the arbitration program, then the agreement to arbitrate was illusory and not binding on the plaintiff-employee.”

The District Court, relying on Morrison v. Amway and the underlying Texas precedent, concluded that the Blockbuster arbitration provision was illusory. Based on this web of Texas Supreme Court, Circuit Court, and District Court opinions, companies using arbitration policies—either in human resources policies, supplier agreements, or website terms of use—should qualify them. Such qualification should include at least a 10 day delayed application period and an explicit statement that makes the arbitration provisions applicable only to disputes arising after reasonable notice to counter any arguments that the contracts are illusory.

The cases are Harris v. Blockbuster Inc., No. 09-217, (N.D. Texas Apr. 15, 2009) and Morrison v. Amway, 517 F.3d 248 (5th Cir. 2008).

Read More...

Court Strikes Down Electronic Signature Due to Weak Security Procedures

By Mehmet Munur

The US District Court in Kansas held on February 19, 2009 that the data security procedures Dillard’s Stores had created to authenticate the electronic signature its employees used to execute an arbitration policy were not sufficient. While the case may have turned on its particular facts, Dillard’s could have avoided such problems by abiding by ISO 17799 procedures in operating its electronic signature systems.

The plaintiff, Yolanda Kerr, successfully kept her claim in court because she disputed the formation of the arbitration agreement. In 2005, Dillard’s started requiring current and new employees to sign an electronic arbitration agreement through its intranet system. In theory, Dillard’s associates executed their agreements using either a social security number or associate identification number and a unique confidential password followed by clicking an “I accept” button. The plaintiff refused to electronically sign the arbitration agreement for nearly six months despite alleged threats from supervisors and the store secretary that she would be fired if she failed to do so.

In April of 2006, the plaintiff missed a day of work. When she showed up for work on April 28, she told the store secretary that she had missed the day of work because she did not have access to the intranet site that contained her schedule. To give her access to the schedule, the secretary accompanied the plaintiff to a computer kiosk, reset her password to the default password, and demonstrated how to access the system. Then the store secretary took control of the computer again and navigated through various screens with the plaintiff beside her. Plaintiff alleged that the store secretary electronically signed the arbitration agreement at this point. After the interaction at the computer, the two left the break room together. Five minutes later, the system automatically sent the employee’s account an email confirming the execution of the arbitration agreement. The email stated that failure to reply to the email would deem agreement to the plaintiff’s electronic signature of the arbitration agreement. Someone opened the email but did not respond. Dillard’s later terminated the plaintiff for allegedly calling a supervisor a profane name. The plaintiff sued for discrimination and Dillard’s attempted to compel arbitration at court.

In analyzing the electronic signature, the court concluded that Dillard’s failed its burden to show through a preponderance of the evidence that the plaintiff knowingly and intentionally executed the agreement for two reasons. First, the court did not want to impute the electronic signature to the plaintiff due to the possibility, however minimal, that the store secretary may have fraudulently executed the agreement while plaintiff was standing beside her. Second, the court held that Dillard’s did not have adequate security procedures in place to restrict unauthorized access to the execution of the arbitration agreement. While the record showed that the employees were at the kiosk on April 28, it did not show that the plaintiff was at the kiosk precisely at 3:26:20. In other words, Dillard’s failed to show that the username, authentication, and the signature coincided with the employee’s log in. It is unclear whether Dillard’s systems had the capacity to log such information or if Dillard’s failed to produce such evidence. Nevertheless, the two factors persuaded the court hold that Dillard’s had not satisfied its obligation to show that there was an enforceable arbitration agreement.

In sum, Dillard’s electronic signatures system failed for two reasons. The systems failed to log associates’ access to the system and the system did not require that the associates change their default passwords immediately. In fact, both policies, are recommended under of ISO 17799 Information technology — Security techniques — Code of practice for Information Security Management. ISO Section 10.10.1 Audit Logging requires that “[a]udit logs recording user activities, exceptions, and information security events should be produced and kept” and include “dates, times, and details of key events, e.g. log-on and log-off.” Arguably, the formation of a legally binding agreement that compelled arbitration is such an event. Furthermore, ISO Section 11.2.3 User Password Management requires that “when users are required to maintain their own passwords they should be provided initially with a secure temporary password . . . , which they are forced to change immediately.” Here, it appears that Dillard’s system continued to operate and allow either the plaintiff or the store secretary to electronically sign the arbitration agreement. Implementing both of these procedures would have greatly helped Dillard’s satisfy its burden. However, it is unlikely that ISO 17799 would not have protected Dillard’s store secretary from fraudulently executing the arbitration agreement by either using the default password or using the plaintiff’s username while she stood by her side.

Unfortunately, the court was not too impressed with the security procedures that Dillard’s already had in place because they were violated. For example, associates were prohibited from sharing passwords and supervisors could only log into associate’s accounts if they reset their password to the default password. Dillard’s also posted notices regarding the confidentiality of passwords. Nonetheless, the two employees, in effect, shared their username and their password and the authentication failed because the system could not keep track of the actual person that signed the agreement. Such user failure combined with a weak logging and password feature resulted in the failure of the electronic signature.

The case is similar to Campbell v. General Dynamics, No. 03-11848-NG (D. Mass. June 3, 2004) where the court held that the employer could not prove an employee’s acceptance of an arbitration policy simply by sending a link to the policy in an email. There General Dynamics proved that the employee had opened the agreement but could not show that he had indeed clicked on the link or agreed in any other way. Furthermore, that email did not even mention the importance of the arbitration policy until its fifth paragraph. The court had noted that General Dynamics could have required the plaintiff to signify his acceptance by a return email he had read the email and accepted the conditions of the arbitration policy. In sum, both the employers in Campbell and Kerr failed to successfully use the technology they had available to them.

This case should set a good example for all employers using electronic signatures for policies. IT, HR, and Legal Departments may need to collaborate to ensure that established security procedures such as the ISO 17799 are used for variety of issues including authentication, accurate system audit logs, and password resets. Moreover, all industries depending on electronic signatures should focus on security procedures to preempt the argument that the electronic signatures they collect do not in fact belong to their system users.

The case is Kerr v. Dillard Store Services, Inc., No. 07-2604-KHV, (D. Kan. Feb. 17, 2009).

Read More...