E-Commerce Law Week, Issue 408

Gobbledygook Carries the Day on CALEA
In a major victory for the Federal Communications Commission, on June 9, a three-judge panel of US Court of Appeals for the D.C. Circuit denied (2-1) a petition for review of the FCC's Order from last August extending the Communications Assistance for Law Enforcement Act (CALEA) to broadband Internet access service providers and "interconnected" Voice over Internet Protocol (VoIP ) service providers. CALEA requires that "telecommunications carriers" ensure that their networks are capable of being accessed by law enforcement for surveillance purposes.  Led by the American Council on Education, a coalition of academic, business, and public interest entities had brought the challenge, arguing that the FCC's findings and conclusions were "arbitrary, capricious," and "contrary to law." During oral arguments last month, one member of the panel expressed hearty skepticism over the FCC's arguments for extending the law to cover broadband providers, calling them "gobbledygook" and "nonsense." This led many observers to speculate that at least the broadband part of the FCC's ruling would be overturned. But it was not to be. The panel held that even though the petitioners' interpretation of CALEA was plausible -- and perhaps "even better" than the FCC's, the Commission's interpretation was "reasonable" and thus must be upheld under the doctrine set out by the Supreme Court in Chevron USA, Inc. v. Natural Resources Defense Council, Inc. (1984). All three judges agreed that the FCC's extension of CALEA to interconnected VoIP was permissible under the statute.

State Breach Laws Still Spreading Like Wildfire.  Will Congress Douse the Flames?
As summer approaches, state data breach laws continue to burn across the landscape like an uncontrolled prairie fire. With recent news of breaches at Wells Fargo and Ohio University fanning the flames, the conflagration will likely continue to spread. Nebraska, New Hampshire, Hawaii, and Idaho are the latest states to catch. A breach at the Veterans Administration, though, reportedly jeopardizing the personal information of millions of veterans and active servicemembers, could finally prove to be the catalyst for action in the US Congress, which could preempt the state laws.  But with Congress' summer recess just around the corner, and an early break for mid-term elections this fall, time is running short. So even though it's only June, the odds are growing longer that Congress will quench the fire of state laws this year. Businesses therefore will need to keep abreast of all the minuscule variations among the different state laws.

Will the FTC Step Into the Health Information Breach?
Which law governing the protection of your personal data would you think has been the most aggressively enforced: the Health Insurance Portability and Accountability Act (HIPAA) concerning your intimate health records; the Gramm-Leach-Bliley Act (GLBA) concerning your sensitive financial information; or the Federal Trade Commission Act concerning your ... well, not explicitly concerning any of your information at all, really. If you chose HIPAA, you'd be wrong: according to a Washington Post news report, of the 19,420 grievances lodged under HIPAA's privacy rule since it took effect in April 2003, only two have led to criminal charges, and none has netted civil fines. In contrast, over the same three-year period the FTC has taken action in ten cases involving alleged violations of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce" (but says nothing specific about personal information), and three additional cases involving violations of both the GLBA's Safeguards Rule and the FTC Act. This discrepancy is especially surprising given the highly personal nature of medical records. According to a 2005 survey, nearly two thirds of Americans "are concerned about the confidentiality of their personal health information," a number which is only likely to go up in the wake of recent revelations of a breach of medical records at the Veterans Administration.  With one more big breach of medical data, though, this discrepancy might not last much longer. The Department of Health and Human Services could begin enforcing HIPAA. Or, more likely, the FTC could step into the breach -- the health-information-security-breach breach, that is.

The Sins of Napster Could be Visited Upon Its Investors
From beyond its Chapter 11 grave, Napster's sins of copyright infringement have come back to haunt the defunct company's former investors. Nearly five years after Napster's dissolution, several record companies originally party to A&M Records, Inc. v. Napster, Inc. continue to seek compensation for Napster's copyright infringement from "the still-solvent entities that invested in Napster before it ceased operations," including Bertelsmann AG and Hummer Winblad Venture Partners. The former Napster investors sought summary judgment to limit their liability to "those works that were the subject of notice to Napster, and more narrowly, those works of which [the investors] had actual notice." In a May 17 order, the United States District Court of the Northern District of California denied the investors' motion, finding that the Supreme Court's ruling in Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd. supports a broader liability standard than "actual notice," and allows for liability either where the defendant took steps to induce infringement by third parties or "should have known" of infringement and failed to prevent it. The ruling suggests that, in the mercurial legal landscape of e-commerce, investors should remain wary of supporting a business model that depends on encouraging or inducing infringement of intellectual property.

Her Majesty's Government to Ask for the Keys to the Treasure?
The Home Office of Her Majesty's government, which has responsibility for law enforcement in the UK, announced in mid-May that it intends to belatedly bring into force the controversial Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). Part III is the only significant part of RIPA yet to be brought into force. It would allow a wide range of law enforcement entities, when in possession of encrypted information, to issue a notice requiring disclosure of the relevant encryption keys from a person in the UK, so long as such disclosure is necessary in the interests of national security, preventing or detecting crime, the economic well-being of the UK, or effective performance of any statutory power or duty -- in short, for practically any reason at all. In its upcoming consultation on Part III, the Home Office is likely to explore issues regarding the extent of the encryption key disclosure authority that it should bring into force, the nature of bodies that should have such authority, and associated safeguards. The way in which the Home Office addresses such issues will help determine the extent to which UK law enforcement will have access to the crown jewels of corporate information security systems.

European Commission Unveils "Culture of Security"
Aiming to "revitalize" Europe's approach to network and information security (NIS), the European Commission on May 31 released a Communication entitled "A strategy for a Secure Information Society – 'Dialogue, partnership and empowerment'." In the Communication, the Commission reviews current and emerging NIS threats and lays out a holistic approach" to address them, involving cooperation between the public sector, the private sector, and individual users. The Communication calls on the European Network and Information Security Agency (ENISA) to play the leading role in this effort and it envisions ENISA serving as a center for information sharing, "cooperation amongst all stakeholders," and dissemination of best practices. The Communication stops far short of proposing any decisive action -- which seems to be good news for business. Given the rapidly-shifting environment of information security threats with which companies must contend, a simultaneously rapidly-shifting regulatory environment (even one that is well intentioned) may not actually help the problem. So for once, the European Commission seem to be getting it right by taking a sensible, light-touch approach to regulation. On the other hand, since it's difficult to identify any concrete results from the US experience with a similar approach to infosec in the 1990s and early 2000s, it's not clear the Communication will "revitalize" anything other than the European pulp and paper industry.

Steptoe & Johnson LLP and IP Law and Business Magazine Continue Teleconference Series
On June 22, 2006, from 1:00 pm until 2:00 pm EDT, Steptoe partner, Scott Doyle, will discuss when and why a company should perform Competitive Patent Intelligence to navigate through the briar patch of murky IP conditions many companies now face. A "CPI" conceptualizes the patent landscape by drawing upon an analogy to real estate: identifying the valuable land and danger zones where third parties may have blocking patents, determining unclaimed valuable land for patent mining, suggesting barriers and design-arounds as protection strategies for mitigating threats, determining relative value of patented technology, and locating the public land of prior art.

The teleconference is toll-free, and there is no charge to participate. For additional information, please email Alycia Polley or contact her by phone at 202.457.5436.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.