E-Commerce Law Week, Issue 395

State Legislatures Continue Data Security Love-Fest
State data security bills continue to breed like rabbits. Seventeen states that failed to join the party in 2005 have now introduced measures of their own. The furthest along is Wisconsin’s S.B. 164 and Utah’s S.B. 69, both of which currently await the signature of the governor. Additionally, consumer notification measures in Arizona and Idaho have each passed one chamber. Meanwhile, several states with existing breach notification or other data security laws are considering refinements or enhancements to their laws. Awaiting governor approval in Indiana, for instance, is H.B. 1101 that would extend the state’s breach law -- which currently applies only to government agencies -- to cover all businesses. And New York and other states are considering bills that would allow consumers to place security freezes on their credit and protect the confidentiality of social security numbers. So unless a federal law with strong preemption is passed soon, companies victimized by a security breach will still have to figure out the nuances of dozens of different state laws to determine their notification obligations.

EU Privacy Body Says that Some Mail Must Get Through
In the 19th century when the mail in the United States had to cross rivers and still-wild territory on horseback, the motto of the Pony Express that "The Mail Must Get Through" was a high aspiration. Nowadays, when some hacker in his bathrobe can send ten million emails promising penis enlargement for next to nothing, the goals are a bit different. Indeed, many companies and individuals want to prevent the mail from getting through -- including when it's spam, when it contains viruses, and when it contains private or sensitive information. But in its "Opinion on privacy issues related to the provision of email screening services" ("Opinion") published at the end of February, the European Union's Article 29 Working Party (the "Working Party") stated that email may generally not be screened for "predetermined content" without the consent of users of an email service.  Hopefully, public discussion and the implementation process will lead to an approach that balances privacy concerns and business interests in content screening.

Note To Fugitives -- Don't Use Your Friend's Cell Phone
The government's continuing quest to use cell phones as tracking devices upon a showing of less than probable cause continues to meet skepticism from the courts, with, to date, two magistrate judges ruling in the government's favor, but five ruling against it. The government argues that it can obtain real-time cell-site information, on a continuing basis, using a combination of the USA PATRIOT Act-amended definition of a pen register and the Stored Communications Act. One reason most magistrates have rebuffed the government's argument is a provision in the Communications Assistance for Law Enforcement Act (CALEA) that appears to exempt subscriber location data from the type of data that can be obtained via pen register and trap and trace orders. In an interesting twist, a magistrate judge in the Southern District of West Virginia recently ruled that, while CALEA’s prohibition may not permit a court to authorize the use of a pen/trap device to locate a cell phone subscriber, the user of a cell phone who is not the subscriber enjoys no such protection. (In the Matter of the Application of the United States for an Order Authorizing the Installation and Use of a Pen Register with Caller Identification Device and Cell Site Location Authority on a Certain Cellular Telephone.)

Last Chance to Register for "Managing Multi-National Corporate Governance: SOX and Data Protection" Teleconference
On March 22, 2006, from 12:30 p.m. to 1:45 p.m., Steptoe & Johnson LLP and Corporate Counsel will present "Managing Multi-National Corporate Governance: SOX and Data Protection." Please join US Securities and Exchange Commission Director of International Affairs, Ethiopis Tafara, French Commission Nationale de l’Informatique et des Libertes Senior Legal Advisor, Clarisse Girot, and Steptoe partners Bob McLaughlin and Maury Shenk, for a discussion of managing the emerging tensions between the Sarbanes-Oxley Act whistleblower provisions and EU data protection law.

The teleconference is toll-free, and there is no charge to participate. For additional information or to register, please contact Alycia Polley (telephone 202.457.5436).

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.