Intellectual Property issues in NFT (non-fungible tokens) sell side transactions

NFTs are unique, effectively non-destructible tokens stored in the blockchain – a decentralized ledger system that uses computing resources to validate the holder of cryptographically unique data without reliance on a single source of truth such as a bank or government [further reading]. The NFT references a link to a resource – typically on the internet or in a game – where some content is available. An NFT has a single owner (which can be an entity), and generally NFTs cannot be subdivided once they are created, though they can be transferred.

An NFT can represent anything – digital art, a book, a page from a movie script, a signature, a title document to a car or house or real estate, an in-game “skin” or custom article, or a representation of something in a virtual reality construct (currently being referred to as the metaverse), like clothing, shoes and so on. It can also link to something that is itself a representation of something tangible – for example, an NFT can link to a digital object that might be used in a game, as an avatar or in the metaverse, but that also is created tangibly (for example, this shoe created using artificial intelligence), or it can be an electronic representation of part of the notes to a very famous song. A decent list of many potential uses of NFTs is set out in this article: 15 NFT Use Cases That Could Go Mainstream.

NFTs were originally born from a desire to find a way to establish the “provenance” (title) to digital art. See NFTs Weren’t Supposed to End Like This. As pointed out in that article, the blockchain cannot actually store the thing it points to – for example, an image – because there is not enough space. It only has the space to hold a link to that image. As NFT use becomes widespread, and as NFTs come to reference property that the NFT holder might not own, many legal issues are now coming to light.

Who owns an NFT and exactly what do they own?

A case filed a few days ago on February 1st is challenging the sale of the “very first NFT” by Sotheby’s for 1.47 million dollars. Free Holdings Inc. v McCoy et al., case number 1:22-cv-00881 (S.D.N.Y.). In that case the Plaintiff claims that the sale of the NFT, which is apparently a copy of the original token the founder of NFTs created, violated its ownership rights to the actual NFT, which it claims to have in its wallet.[1] The defendants have apparently asserted that the actual NFT (the digital token itself) was “removed” or “burned” from the Namecoin blockchain where it was created, and thus does not even exist. The plaintiff is claiming that the original owner allowed the token to “expire” and it somehow renewed that token and placed it in its wallet.

This case presents a novel issue . . . what does “title” to an NFT really mean?  The NFT itself is represented solely electronically (a token stored in a blockchain), and only functions electronically – once retrieved, it points to a resource on the internet and identifies the person holding the token as the true owner of … what? That link? The actual resource that is at that link?  Is a picture of the token framed as art actually the NFT (and who owns the token itself, the text string)?  That token is publicly viewable by anyone – the blockchain just limits how it can be transferred, and identifies the NFT holder as at least someone who has digital rights to the link. Is the token itself a copyright?  We may get some guidance in the Free Holdings case.

A person who purchases an NFT should be aware that they are only really purchasing a public and decentralized proof system that establishes that they are the owner of the token, because that token is in their wallet. The actual thing displayed at that resource location probably is under copyright protection, and the owner of the copyright is probably not transferring ALL of the rights to the copyright in whatever that resource depicts. However, there is probably at least an implied license to publicly display whatever the NFT points to on the internet (or in a game, or the metaverse, or wherever that content can be displayed). The result is very similar to the result when someone buys a physical painting or art object. While they have title to that thing (the tangible thing, the painting) – in the absence of a very specific agreement, they do not own the copyright represented by that thing.

What rights must a person who creates an NFT have to the underlying content or server?

Those are very good questions. Could I create an NFT to any URL on the internet (i.e. to any picture that is publicly viewable) and sell that? Do I have to be the “owner” of that image or have any license to it? Do I have to control the web server that serves that image upon a request? What disclosures do I have to make to a purchaser of the NFT as to what rights they are receiving, whether I am the copyright holder of the image, or that I control the server? Does the contract imply I will perpetually, until the end of time, maintain that server and that resource location? What happens if I go bankrupt, or the blockchain service I used goes bankrupt, or the server company? Can multiple NFTs be sold that point to the same resource? Does the NFT platform owe a duty of due diligence to verify rights in the underlying resource? There is nothing built into the NFT or blockchain system that requires unique resource links. Even if an NFT provider limited links to be unique, other NFT providers need not respect that prior link and can create NFTs in their blockchain, pointing to the same resource.

Most NFTs are sold using “smart contracts” – which are essentially a series of pre-made instructions in the blockchain that, when triggered, simply occur. See How smart contracts work. No human sees them, nor reviews them, approves them, or checks they were made or not made. The whole idea is that the blockchain system itself verifies the “transaction” occurred, without human involvement and without a centralized verification system (such as an intermediary bank, certificate signer, government title repository etc). They are not the proper place to agree to whatever license rights and obligations are connected to the underlying resource represented in an NFT. Even if they were, the smart contract process will not meet electronic signature requirements under UETA or ESIGN which are applicable in the US. Those terms would have to be in the underlying terms of service of the NFT provider and the NFT seller.

These issues will play out under traditional legal principles: in the author’s view, predominantly under contract law (based on what the terms of service of the NFT provider and seller say); under advertising law (what disclosures must an NFT seller make so that the sale is induced by truthful, non-misleading and fair representations about the NFT?); under the law of publicity rights (use of a person’s likeness to sell a product or service); and of course finally under intellectual property law, principally copyright law.

On that last point, at least under US law, a question arises whether the Digital Millennium Copyright Act notice and take down provisions will apply to NFT transactions. For example, suppose person X sells an NFT to a linked resource at location Y, and was not the owner of the copyright of the image there. If the purchaser does nothing else (such as displaying that image embedded in a game or web page) – can the copyright owner force the NFT platform to take down that link – assuming the copyright owner does not control that resource? Is that NFT itself a violation of 15 USC 1125(a), indicating a false association with the owner of the copyright (or perhaps implicitly stating the NFT owner owns the copyright)? Under certain cases in the US (e.g. Dastar), misrepresentation as to authorship is often not actionable.

Are NFT providers liable for NFT sales that violate the rights of a third party?

Most third parties will not have agreed to the NFT provider’s terms of service, which undoubtedly will disclaim liability for any claims arising from acts of the NFT seller. If the third party’s rights are violated, can they sue the NFT provider? In the US, the NFT provider may have immunity under Section 230 of the Communications Decency Act if the NFT is “information provided by another information content provider”. But is it? The NFT provider actually creates the NFT and provides the functionality. However, the NFT owner is the person creating the information that is stored in the NFT.

Summary and some recommendations

There are more questions than answers today; however, in any NFT sale transaction, at least the following should be closely reviewed:

  • The Terms of Service of the NFT Platform provider. A buyer will be agreeing to these terms. They are likely not favorable to the Buyer, and also likely not negotiable. As a result, the value of that NFT is highly dependent on the reputation and likelihood of that platform staying in business.
  • The terms and conditions of the sale from the Seller. Does the Seller represent it has the IP rights to the resource? That they are unique? That they will not be resold in a different NFT? Is their liability limited or remedy limited?
  • Some diligence into the actual art/resource/item should be done – and this may be very difficult. There are no real regulations in this area (outside of general unfair and deceptive consumer protection laws) – so even finding the true author or owner of a work may be very difficult – even in the US where we sort of have a registration system. The less able a buyer is to verify the provenance of the underlying resource, the more strongly worded the representations, warranties and consequences of breach should be. In a worst case, an escrow should be set up so that some post transaction verification can occur before all, or at least some, of the actual transfer of the cryptocurrency occurs.

For more information, contact Mike Oliver or Kim Grimsley.


[1] – Etherscan defines a wallet as follows: “A wallet address is a publicly available address that allows its owner to receive funds from another party. To access the funds in an address, you must have its private key.” Link

Mike Oliver and Kim Grimsley Recognized Again in the 28th Edition of the Best Lawyers®️ in America

Best Lawyers, an international lawyer ranking and referring source that is currently celebrating its 40th anniversary, has announced its 28th Edition of The Best Lawyers in America® for 2022, which will include Mike Oliver and Kim Grimsley.  In order to be featured, lawyers are nominated, critiqued by currently recognized lawyers on the caliber of their work, and analyzed accordingly.

Mike Oliver has been recognized in this publication for the past 16 years since being recognized initially in 2006.  He is also recognized as “Lawyer of the Year” for his work in Trademark Law in Baltimore – which will also be his 8th “Lawyer of the Year” award, having previously been named for his work in various fields, including copyright, intellectual property, and information technology law. This is granted to only one lawyer per specialty and location a year, given to lawyers with the highest overall peer-feedback in such area and region.

Mike has been practicing intellectual property law for over 30 years.  In addition, his knowledge as a computer programmer has been a valuable asset for those clients in the software and technology industry.

Kim Grimsley has been recognized again in this publication for her professional excellence by her peers – she is being recognized in the fields of Copyright Law and Trademark Law.  This will be Kim’s second year being featured.

Kim has been practicing intellectual property law for 20 years, and she has enjoyed working with clients – from start-up businesses to publicly traded companies in all industries – in building and protecting their intellectual property in the United States and worldwide.

Everyone at Oliver & Grimsley would like to congratulate Kim and Mike on their continued hard work and excellence. 

Kudos to Our Client Hunt A Killer, a Creative and Explosive Maryland-based Company with Exciting Adventures Coming Your Way!

Hunt A Killer started in 2016 with a plan to immerse its audience in the world of crime solving. Mixing the cultural fascination of true crime with the game play strategy of a roleplay tabletop game, their monthly subscription box quickly took off with consumers, and the company has grown with more than 3 million game boxes shipped. Now, the Maryland-based company that started with a pair of childhood friends is venturing into the world of publishing as it teams up with Scholastic Books.

Planned to release in spring of 2022, the first book in the Hunt A Killer series will be a young adult novel called Perfect Score by Angelica Monai. It will follow the story of a young sleuth, Jo, who witnesses what she believes to be a murder after moving to a new school. It is currently available for pre-order for paperback and e-book.

That is not all – the interactive game company is also teaming up with the classic young adult detective, Nancy Drew. In October 2021, a special game box called “Mystery at Magnolia Gardens” is planned to release. Players will be tasked with piecing together all the clues Nancy Drew has gathered in order to solve a mysterious poisoning.

Last year, Hunt A Killer teamed with Lionsgate Games to produce a special series based on the Blair Witch universe.

Hunt A Killer is a client of Oliver & Grimsley, and our entire team would like to congratulate Hunt A Killer’s crew on their continued success. We are honored to have the opportunity to work with them and look forward to seeing what new projects are in store for the future. Kudos to you Hunt A Killer!

Kim Grimsley recognized in Best Lawyers 2021 “Women in the Law” Edition

The sixth annual “Women in the Law” Business Edition of The Best Lawyers in America was released June 4th, 2021 and lists Oliver & Grimsley’s own Kim Grimsley as one of the four named women in IP in the Baltimore area. The publication features female attorneys from across the United States in all practice areas who are honored with the Best Lawyer distinction. To achieve such distinction, lawyers are nominated by their peers and then judged by region and practice area.

Kim Grimsley has over 20 years of experience in intellectual property matters, with trademark clients from across the globe. In 2013, she opened Oliver & Grimsley, LLC with partner Mike Oliver. Kim was recently honored in the 27th Edition of The Best Lawyers in America, where Oliver & Grimsley, LLC was also featured with a Regional Tier 1 ranking for Baltimore in Copyright, Information Technology, and Trademark Law and a National Tier 3 ranking in the 2021 U.S. News – Best Lawyers® “Best Law Firms” for Information Technology Law.

Everyone at Oliver & Grimsley would like to congratulate Kim on her achievement and look forward to her continuing to excel in the future.

DHHS fine for HIPAA Computer Security Violations held arbitrary and capricious

In University of Texas M.D. Anderson Cancer Center v. US Dept of Health and Human Services, No. 19-60226 (5th Cir. 1/14/2021) the Fifth Circuit held that the DHHS’ fine for violating the HIPAA Security Rule was “arbitrary, capricious, and contrary to law.” To say that the government lost this case is an understatement – the government’s arguments were roundly rejected in broad language – so much so that the government is going to regret ever having brought this case . . .

In brief, University of Texas M.D. Anderson Cancer Center (UT) had three computer security lapses in the early 2010 period – one laptop and two thumb drives, each of which stored electronic Protected Health Information (ePHI), were not encrypted, and were lost or stolen. The DHHS originally fined them over 4 million dollars for violating rules that in most cases require ePHI to be encrypted, and that prohibit disclosure of ePHI to unauthorized persons. UT’s administrative efforts on appeal were unsuccessful, but when they petitioned to have the case reviewed by the court, the DHHS admitted that the maximum fine they could impose was $450,000. UT, however, objected to even that fine on two grounds: that a state instrumentality is not a person under the HIPAA enforcement provisions, and that the fine was arbitrary and capricious under the Administrative Procedure Act. The court did not address the first argument and assumed UT was a person subject to HIPAA enforcement.

Under the HIPAA Security Rule, “a HIPAA-covered entity must “[i]mplement a mechanism to encrypt and decrypt electronic protected health information.” 45 C.F.R. § 164.312(a)(2)(iv)” (emphasis by court). UT had done so – it had policies that required portable and mobile devices to be encrypted, it provided employees certain technology (dongles) to encrypt these devices, and it trained them how to do so. DHHS argued that the mere fact that 3 devices were not encrypted meant that UT had violated the rule. The court disagreed:

[T]he Government argues that the stolen laptop and the two lost USB drives were not encrypted at all. That appears undisputed. But that does not mean M.D. Anderson failed to implement “a mechanism” to encrypt ePHI. It means only that three employees failed to abide by the encryption mechanism, or that M.D. Anderson did not enforce that mechanism rigorously enough. And nothing in HHS’s regulation says that a covered entity’s failure to encrypt three devices means that it never implemented “a mechanism” to encrypt anything at all.

UT v. DHHS, at p. 7 (slip)

The court goes on to provide numerous examples of scenarios where unauthorized disclosure of unencrypted ePHI would likely not violate the regulation, primarily because the regulation is not written to make data loss a strict liability.

The same result was found under the Disclosure Rule. That rule in general prohibits a Covered Entity from “disclosing” PHI except as permitted by the rule. The Disclosure Rule defines “disclosure” to “mean[] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” 45 C.F.R. § 160.103. The administrative law judge held that the loss of data on unencrypted devices was a “release”; however, the court disagreed and stated: “That interpretation departs from the regulation HHS wrote in at least three ways. First, each verb HHS uses to define “disclosure”—release, transfer, provide, and divulge—suggests an affirmative act of disclosure, not a passive loss of information. One does not ordinarily “transfer” or “provide” something as a sideline observer but as an active participant. The ALJ recognized as much when he defined “release” as “the act of setting something free.” But then he made the arbitrary jump to the conclusion that “any loss of ePHI is a ‘release,’” even if the covered entity did not act to set free anything. It defies reason to say an entity affirmatively acts to disclose information when someone steals it.”

Finally, the court was particularly upset that the DHHS took the position that it “can arbitrarily and capriciously enforce the CMP rules against some covered entities and not others.” UT had argued that in other similar cases either no fine was imposed, or fines much smaller than the fine imposed on UT were imposed. It also argued that DHHS refused to consider factors expressly stated in its own regulations (none of which the DHHS could prove – for example, that any individual suffered financial harm).

This case is an incredible loss by the DHHS. It will need to completely overhaul its entire regulatory enforcement structure, most likely it will need to re-write regulations, and it will need to train its ALJs better about how to handle administrative law appeals in light of arguments made by the petitioners. Finally, the case is incredibly helpful for Covered Entities and Business Associates in their efforts to avoid civil money penalties for small and inadvertent infractions (as long as they otherwise meet data security requirements).

Importantly, all entities that store and process PHI should be careful in drafting their Business Associate Agreements and related agreements to distinguish between regulatory violations (which under this case are not strict liability in many scenarios), and contractual liability. Many Business Associate Agreements are written as if *any* “loss” of PHI outside of the entity is a breach. Business Associates should be careful in reviewing these agreements so as to not undertake greater liability than that imposed under the regulations.

For more information, contact Mike Oliver.