When Experience Matters ®

E-Commerce Law Week, Issue 406

May 27, 2006

House Bill Threatens Jail Time for Failure to Notify of Security Breaches
Companies and their executives already can be sued in some states for failing to provide proper notification if their security is breached and personal data is accessed. But House Judiciary Committee Chair James Sensenbrenner (R-WI) apparently wants company officials arrested too, if they don't act quickly enough. On May 25, the House Judiciary Committee approved an amended version of Rep. Sensenbrenner's "Cybersecurity Enhancement and Consumer Data Protection Act of 2006" (H.R. 5318). The bill would require companies to notify the Secret Service or the FBI within 14 days of discovery of a "major" security breach that creates a "significant risk of identity theft." Whoever fails to provide such notice -- with the "intent to prevent, obstruct, or impede an investigation" -- could be punished with up to a $1 million fine, five years imprisonment, or both. This introduction of criminal penalties represents a radical departure from previous government approaches to breach notification and a significant step beyond the civil penalties available under state notification schemes and other pending federal bills. As one might imagine, H.R. 5318 faces stiff industry opposition as a result. But since the bill's sponsor also happens to be the Judiciary Committee Chair, it has a decent shot at moving quickly for action on the House floor, probably after being combined with Rep. Cliff Stearns' (R-FL) "Data Accountability and Trust Act (DATA)" (H.R. 4127).

Am I My Contractor's Keeper? When It Comes To Security, Yes
One of the most common security breach scenarios involves a contractor accidentally losing sensitive data stored on a laptop, a disk, or a backup tape. So given the potential for an enforcement action by the Federal Trade Commission, a state AG investigation, or a contract or tort action arising from such breaches, the question is: what responsibility do companies have for the actions or omissions of their contractors that lead to a security breach? Or, put another way, what constitutes "reasonable care" when it comes to a company's selection and oversight of a contractor such that it will not be held liable for a contractor-caused security breach? There is no easy answer, but clues continue to emerge from various sources. The most recent contribution comes from the New Jersey Supreme Court's Advisory Committee on Professional Ethics, which issued an opinion stating that those practicing law in New Jersey may "entrust[] documents to an outside provider" when they have "come to the prudent professional judgment" that the provider both has "an enforceable obligation to preserve confidentiality and security" and will make use "of available technology to guard against reasonably foreseeable attempts to infiltrate data." While only applicable to lawyers, and not directly addressing liability, this opinion is consistent with the theme struck by the FTC that a company should exercise due care in dealing with contractors -- both in establishing up front what contractors' security practices will be and in ensuring continued compliance.

Nasscom Moves to Preempt "Bangalore Backlash"
So far, we haven't seen the backlash against offshoring that one would expect in an election year, with politicians in the U.S. seeking to show their concern over the loss of American jobs to foreign countries. Maybe it's because Congress and the President are so focused on what we'll call "inshoring" -- illegal immigrants pouring over the border and providing a cheap labor pool right here in the U.S. of A. But whatever the reason, the Indian technology industry isn't taking any chances. That country's National Association of Software and Service Companies (Nasscom) recently announced plans to set up a self-regulatory body to improve the level of security in companies that provide offshore IT and business processing services. This move could help assuage at least one of the concerns that have been raised in the offshoring debate -- the notion that personal data will be at greater risk of breaches if it's sent overseas for processing. With the recent theft of personal information of 26.5 million veterans from the Department of Veterans Affairs, data security is continuing to receive front-page attention. So Nasscom's effort, if backed up with real measures, could be a savvy move not just to preempt offshoring restrictions, but also to give India's $17 billion outsourcing industry a competitive advantage.

Steptoe & Johnson LLP and IP Law and Business Magazine Continue Teleconference Series
On June 22, 2006, from 1:00 pm until 2:00 pm EDT, Steptoe partner Scott Doyle will discuss when and why a company should perform Competitive Patent Intelligence to navigate the briar patch of murky IP conditions many companies now face. A "CPI" conceptualizes the patent landscape by drawing on an analogy to real estate: identifying the valuable land and the danger zones where third parties may hold blocking patents, determining unclaimed valuable land for patent mining, suggesting barriers and design-arounds as protection strategies for mitigating threats, determining the relative value of patented technology, and locating the public land of prior art.

The teleconference is toll-free, and there is no charge to participate. For additional information, please email Alycia Polley or contact her by phone at 202.457.5436.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.

Washington | New York | Chicago | Phoenix | Los Angeles | Century City | Brussels | London