E-Commerce Law Week, Issue 402

April 29, 2006

When It Comes To Security Breach Lawsuits, Court Says "No Harm, No Foul"
Negligence suits against companies that have suffered computer security breaches often contain a fatal flaw: unless there is actual evidence that the plaintiff's personal information was misused, proving damages can be extremely tricky. Plaintiffs in Minnesota recently learned this lesson the hard way, when a federal court ruled against them in their lawsuit against Wells Fargo Bank. In October 2004, computers loaded with unencrypted customer information were stolen from a third party hired by the bank to print mortgage statements. As of yet, there has been "no indication" that any information on the stolen computers was accessed or misused by the thief. Consequently, the US District Court for the District of Minnesota ruled that the plaintiffs "failed to establish damages," and, accordingly, granted summary judgment to Wells Fargo on all counts in Forbes v. Wells Fargo Bank. The case provides a reminder that despite the growing popularity of security-breach lawsuits, the cases will likely not prove very lucrative for the plaintiffs' bar unless the stolen information is used in some way that causes harm -- or "reasonably certain future harm" -- to the persons whose information was stolen. Nevertheless, even when the stolen information is not misused, companies that suffer breaches could still face investigations and suits by state attorneys general and enforcement actions by the Federal Trade Commission.

Will Mandatory Data Retention Soon Make the Leap Across the Pond?
The European Union has wrestled with the issue of mandatory data retention by Internet Service Providers and telecommunications companies for years. As we previously reported, the EU Parliament finally approved a Data Retention Directive earlier this year requiring the retention of non-content information for 6-24 months. The principal evil meant to be addressed by the Directive? Terrorism. Last week, Attorney General Alberto Gonzales, speaking before the staff at the National Center for Missing and Exploited Children, announced that the Justice Department is continuing to explore mandatory data retention for the United States. While terrorism is still obviously a major concern, the Attorney General's main focus was child pornography. Gonzales was short on details, but by complaining that "the failure of some Internet service providers to keep records has hampered our ability to conduct investigations in this area," he signaled that the Administration may soon begin to push for mandatory data retention laws, at least for ISPs.

Encryption Controls Come Back to Bite VoIP?
In the 1990s, US technology companies fought a pitched battle with the federal government over export controls on encryption software and hardware. The battle ended with a virtual surrender to industry and resulted in amendments to the US Export Administration Regulations (EAR) that permit almost any encryption software or hardware product to be exported after a one-time technical review by the US Department of Commerce (DOC) and National Security Agency. But this major liberalization has been implemented with significant complexity in the details. And now, providers of certain Voice-over-Internet Protocol (VoIP) hardware and software are contending that the devil living in those details has been poking them with his pitchfork.

Under the EAR, encryption software and hardware (except for products that provide an "open cryptographic interface" that allows users to choose their own encryption methods) fall into one of three regulatory categories: "mass market," "ENC Unrestricted," and "ENC Restricted." And certain specified ENC Restricted products are not exportable to "government end-users" in countries other than the 25 EU member states, Australia, Canada, Japan, New Zealand, Norway, and Switzerland. In order to sell certain VoIP products to government end-users in countries other than the favored ones listed above, US exporters must obtain an individual license from DOC. This can be done, but is time-consuming and expensive. Given that US industry faces robust competition from foreign competitors who can supply these products when US manufacturers cannot, there seems little reason not to level the playing field -- a principal reason for past liberalization.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.