E-Commerce Law Week, Issue 401

DOJ Drops Appeal of Decision Lifting NSL "Gag Order" in Library Case
Among the issues at the center of the debate over reauthorization of the USA PATRIOT Act was the "gag order" that National Security Letters (NSLs) imposed on their recipients, prohibiting the recipient from disclosing "to any person" that the FBI had sought or obtained information. In the eventual reauthorization legislation, Congress agreed to permit judicial review of an NSL's gag order, but required a court to accept as conclusive the government's assertion that a gag order should not be lifted, unless the court determined that the government was acting in "bad faith." Meanwhile, parallel to the Congressional debate, challenges to the constitutionality of NSLs have been moving through the courts, with the government losing at the district court level in each cases. Earlier this month -- citing the recent Patriot Act revision compromise -- the Department of Justice dropped its objections to the district court's injunction lifting the gag order in one of these: Doe v. Gonzales. Although DOJ explained this change of heart by pointing to the new "discretion" regarding NSL gag orders that Congress now "encouraged" it to exercise, it seems better explained by the fact that, in this case, the NSL recipient's identity had already been made public because of clerical errors by both the district court in Connecticut and by DOJ itself, or perhaps by nervousness over how DOJ would fare in the Second Circuit. So it's doubtful that this move signals any broad change in policy at DOJ regarding gag orders.

One of the Many Perils of French Employment Law
In Lucent Technologies v ESCOTA, the Court of Appeal of Aix en Provence rejected an appeal by Lucent Technologies of a lower court decision finding the company responsible (and fining it 4000 euros) for a parody website created by its employee Nicolas Breil. Breil created a look-alike for the website of ESCOTA (a highway authority in southern France) using his workplace Internet access provided by Lucent, but built the site on servers operated by Lycos (not Lucent). The parody site used the name ESCROCA (based on the French verb "escroquer" -- to swindle), displayed a penis as a logo, and was designed so that Internet search engines would identify it in response to a search for "ESCOTA." The French courts did not have difficulty finding that the ESCROCA website infringed the ESCOTA trademark, notwithstanding Breil's argument that the site was created for purposes of humor. But much more surprisingly, both the lower and appellate courts concluded that Lucent was jointly liable with Breil for the infringement. (ESCOTA's claims against Lycos were dismissed, based on Lycos' immunities as a service provider and its willingness to take down the ESCROCA website once called to its attention.)

New BITS Data Security Framework Broaches a Breaching Whale of a Problem
"To accomplish his object Ahab must use tools; and of all tools used in the shadow of the moon, men are most apt to get out of order." So Ishmael describes the difficulties inherent in turning that most essential of means -- people power -- to a desired end. Modern day captains of industry and e-commerce -- hobbled by stolen laptops, not white whales -- face similar difficulties in their efforts to develop security plans that account for the often neglected human element. Unlike the routing of packets through a network, the human handling of data stored on physical media presents a number of uncertainties -- and opportunities for mischief. A company may have excellent electronic security measures in place, yet -- whether due to employee negligence or inadequate corporate policies -- remain vulnerable to breaches involving data stored on laptops, backup disks, and other media. Given the recent spate of laptop thefts and other losses of physical media at such well known companies as Fidelity Investments, Ameriprise Financial, Boeing, and Verizon Communications, and cognizant of its member financial institutions' obligations under the Gramm-Leach-Bliley Act to protect "customers' nonpublic personal information," BITS Financial Services Roundtable has released a new report that attempts to address this soft underbelly of the data security behemoth.

UK Data Protection Authority Takes Surprisingly Flexible Approach to Sale of Consumer Data
Upholding its reputation as one of the most flexible EU data protection authorities (DPAs), the Office of the UK Information Commissioner recently released Good Practice Note taking a surprisingly flexible approach to sale of databases containing consumers' personal data. To the initial question "Can databases be sold?," the Information Commissioner gave a qualified "Yes." The first circumstance in which the Information Commissioner notes that consumer databases may be sold is where the consumers included in the database have given their consent. The second, and more controversial, circumstance is the Information Commissioner's statement that if a business is insolvent, bankrupt, going out of business, or being sold, the "[UK Data Protection] Act will not prevent the sale of a database containing the details of individual customers, providing certain requirements are met." The "requirements" relate mainly to using the information for the "same or similar" purposes to those for which the information was gathered, and providing notice to consumers in the database of the sale. But nowhere does the Information Commissioner say that consumers must be given the chance to object to further use of their information upon a sale, and the authorization of "similar" use is quite flexible. Such guidance will certainly raise a few eyebrows at other EU DPAs.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.