How is this DMCA abuse? A copyright owner is requesting that a site that has safe harbor protection remove an unauthorized copyrighted work. The employee that originally created the unauthorized package may no longer work for the bank, unable to be identified, or doesn't have the credentials anymore.
At some point the corporation needs to take responsibility for what its actors do... You can't just say everything good that happens is because the corp is awesome and everything bad that happens is because that one guy did something stupid so it's all his fault and the corp is still awesome.
IANAL, but yeah, under the imputation doctrine, the company is usually responsible for the actions of its employees. There is a small exception, but it generally only applies when the employee goes fully rogue, harming the company itself in the process, but here it seems to be a mistake, so not applicable, AFAIUI.
Still, that doesn't mean they can be bound by a license granted by an unauthorized employee. I think at most they would have to pay damages, if any.
That is absolutely not true, and it flies in the face of the notion of "due diligence".
This bank uploaded their own code to the repo, and when they found it they didn't bother to do any investigating before they started sending legal demands.
It was 100% their responsibility to ensure that they were not responsible for their own leak before they started making legal threats.
They decided to skip due diligence, and they should pay the price for wasting others' time and energy, regardless of their "intentions".
The upload itself does not constitute the Company's policy. It is not "The Bank's" action. There is a legal standard for a company's action, which is a signature by an executive or possibly a lower signing officer. The employee that uploaded this almost certainly is not an officer. Their failure to discover that the upload was their own error is their failure.
Thus, a DMCA request is appropriate, as the GP points out, the original employee that did the action quite likely cannot undo that action.
IIRC that's not quite how it works. It can be complex but one element often involved is whether the third-party had an objectively reasonable belief that the employee had the requisite authority. Who else than a software engineer would be uploading to a code repository?
That said, that relates mostly to vanilla contract and agency law. Copyright law can add its own twists.
The banks employee granted NPM a (probably) valid license to distribute the code (quoted below - from the tos). Submitting a DMCA request claiming requires claiming under penalty of perjury that no such license exists. That's (probably) incorrect, any lawyer reasonably knows that a license would have been granted, and as such (probably) criminal. Unfortunately (?) this sort of perjury is never prosecuted in practice.
> (From npm tos) Your Content belongs to you. You decide whether and how to license it. But at a minimum, you license npm to provide Your Content to users of npm Services when you share Your Content. That special license allows npm to copy, publish, and analyze Your Content, and to share its analyses with others. npm may run computer code in Your Content to analyze it, but npm's special license alone does not give npm the right to run code for its functionality in npm products or services
Unlikely, npm has a reasonable belief that a bank employee entering into a contract with them has the right to do so, and that is generally sufficient for the contract to be binding on the bank.
Yeah they can. This whole thing sounds ridiculous. I have a hard time imagining this ending any other way than the code being removed if the bank presses the issue.
SMH.