Last week’s BMG v. Cox decision has gotten a lot of attention for its confusing take on secondary infringement liability, but commentators have been too quick to dismiss the implications for the DMCA safe harbor. Internet service providers are still not copyright police, but the decision will inevitably encourage ISPs to act on dubious infringement complaints, and even to kick more people off of the Internet based on unverified accusations.

This long-running case involves a scheme by copyright troll Rightscorp to turn a profit for shareholders by demanding money from users whose computer IP addresses were associated with copyright infringement. Turning away from the tactic of filing lawsuits against individual ISP subscribers, Rightscorp began sending infringement notices to ISPs, coupled with demands for payment, and insisting that ISPs forward those notices to their customers. In other words, Rightscorp and its clients, including BMG, sought to enlist ISPs to help coerce payments from Internet users, threatening the ISPs themselves with an infringement suit if they don’t join in. Cox, a midsize cable operator and ISP,  pushed back and was punished for it.

Before the suit, Cox had quite reasonably decided to stick up for its customers by refusing to forward Rightscorp’s money demands. Going along would have put Cox’s imprimatur on Rightscorp’s vaguely worded threats. The Digital Millennium Copyright Act safe harbors, which protect ISPs and other Internet services from copyright liability, don’t require ISPs who simply transmit data to respond to infringement notices, much less forward them.

Unfortunately, Cox failed to comply with another of the DMCA’s requirements. To receive protection, an ISP must “reasonably implement” a policy for terminating “subscribers and account holders” who are “repeat infringers” in “appropriate circumstances.” Past decisions haven’t defined what “appropriate circumstances” are, but they do make clear that a repeat infringer policy has to be more than mere lip service. Cox’s defense foundered—as many do—on a series of unfortunate emails. As shown in court, Cox employees discussed receiving many infringement notices for the same subscriber, and giving repeated warnings to those subscribers, but never actually terminating them, or terminating them only to reconnect them immediately. The emails painted a picture of a company only pretending to observe the repeat-infringer requirement, while maintaining a real policy of never terminating subscribers. The reason, said the Cox employees to one another, was to eke out a bit more revenue.

Despite the emails, BMG’s case had a weakness: the notices from Rightscorp and others were mere accusations of infringement, their accuracy and veracity far from certain. Nothing in the DMCA requires an ISP to kick customers off the Internet based on mere accusations. What’s more, the “appropriate circumstances” for terminating someone’s entire Internet connection are few and far between, given the Internet’s still-growing importance in daily life. As the Supreme Court wrote last year, “Cyberspace . . . in general” and “social media in particular” are “the most important places (in a spatial sense) for the exchange of views.” Even more than a website or social network, an ISP can and should save termination for the most egregious violations, backed by substantial evidence.

The Court of Appeals for the Fourth Circuit acknowledged this, to a point. The court was “mindful of the need to afford ISPs flexibility in crafting repeat infringer policies, and of the difficulty of determining when it is ‘appropriate’ to terminate a person’s access to the Internet.” The court ruled that Cox had lost its safe harbor, not because its termination policy was too lenient, but because it failed to implement its own policy. “Indeed,” wrote the court, “in carrying out its thirteen-strike process, Cox very clearly determined not to terminate subscribers who in fact repeatedly violated the policy.”

The court also ruled that “repeat infringer” isn’t limited to those who are found liable by a court. But the court stopped short of holding that mere accusations should lead to terminations. The court pointed to “instances in which Cox failed to terminate subscribers whom Cox employees regarded as repeat infringers” after conversations with those subscribers, implying that they, at least, should have been terminated.

The court should have stopped there. Unfortunately, it also pointed to the number of actual suspensions Cox engaged in—less than one per month, compared to thousands of warnings and temporary suspensions—as a factor in denying Cox the safe harbor. That focus on “body counts” ignores the reality that terminating home Internet service is akin to “cutting off someone's water." And the court didn’t acknowledge that Cox’s decision to stop accepting Rightscorp’s notices—which included demands for money—protected Cox customers from an exploitative “speculative invoicing” business.

So where does this decision leave ISPs? Certainly, they should not repeat Cox’s mistake by making it clear that their termination policy is an illusion. But nothing in the decision forbids an ISP from standing up for its customers by demanding strong and accurate evidence of infringement, and reserving termination for the most egregious cases—even if that makes actual terminations extremely rare.

The case isn’t over; losing the DMCA safe harbor doesn’t mean that Cox is liable for copyright infringement by its customers. BMG still needs to show that Cox is liable under the contributory, vicarious, or inducement theories that apply to all service providers. The Fourth Circuit ruled that the jury got the wrong instructions, and that contributory liability requires more than a finding that Cox “should have known” about customers’ infringement. Because of that faulty instruction, the appeals court sent the case back for a new trial. The court’s ruling on inducement liability was confusing, as it seemed to conflate “intent” with “knowledge.” It’s important that the courts treat secondary liability doctrines thoughtfully and clearly, as they have a profound effect on how Internet services are designed and what users can do on them. That’s why, while we expect to see more suits like this, we hope that ISPs will continue to stand up for their users as Cox has in defending this one.