E-Commerce Law Week, Issue 394

March 4, 2006

FTC, Is that a Pachyderm In Your Parlor, Or Are You Just Glad to Sue Me?
There's a huge elephant hiding in plain sight in the Federal Trade Commission’s (FTC) living room.  Yet companies are still acting like it doesn't exist, preferring to join the Commission for tea and biscuits rather than be so rude as to point out the pachyderm's presence. The elephant we’re referring to is the fact that the FTC has made itself the de facto regulator of industry data security practices on the basis of its authority to police "unfair ... practices in or affecting commerce." Companies continue to roll over and subject themselves to 20 years of government oversight rather than suggest that the FTC's claim of jurisdiction might be a tad of a stretch. The latest example involves CardSystems Solutions, which recently settled FTC charges that its failure to take "appropriate security measures" to protect consumers' sensitive information was an unfair practice in violation of the FTC Act. And as was the case with earlier FTC settlements with companies like BJ’s Wholesale and DSW, the FTC’s proposed consent order will require CardSystems (and its successor company, "Pay By Touch") to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.

Congress Reauthorizes Patriot Act After Senate Accepts "Fig Leaf" Changes, But the Debate Isn't Dead Yet
Renowned philosopher (and Yankee great) Yogi Berra once said "It ain’t over till it's over." Those words certainly describe the seemingly endless debate about reauthorization of the USA PATRIOT Act. As the "Patriot Debates" have raged on, we’ve seen proposals, counter-proposals, amendments, filibusters, and even a couple of last-minute, temporary renewal measures. Then House and Senate conferees finally agreed on a Conference Report (H. Rept. 109-333) in December that would extend the Act, with modifications, and the debate seemed finally to be over. But the Conference Report was then held up by a Senate filibuster. Last month, the debate really, truly seemed to be over when some of the filibusterers, after negotiations with the White House, agreed to proceed with a bill (S. 2271) that would make three exceedingly minor amendments to the Conference Report. In the past week, the Senate and House have now finally adopted both the Conference Report and S. 2271, and the White House has announced that the President plans to sign the reauthorization on March 9.  So apparently the Patriot Debates have ended.  But wait. On February 27, Senate Judiciary Committee Chairman Arlen Specter (R-PA) announced that he planned to seek additional changes to the Patriot Act after the reauthorization was passed. Sen. Specter’s bill would add additional, more meaningful civil liberties protections to the Patriot Act, including provisions from the Senate’s original reauthorization bill (S. 1389) that did not make it into the Conference Report. So the debate will continue.  And it seems like deja vu all over again.

When It Comes to the Patriot Act, Ignore the Hype and Read the Fine Print
When the USA PATRIOT Act was introduced in Congress weeks after 9/11, it was billed as a measure vital -- and limited -- to counterterrorism investigations. Former Attorney General Ashcroft, for instance, testified that the bill contained a set of "careful[ly] balanced, long overdue improvements to our capacity to combat terrorism." Of course, anyone who bothered to read the bill would have seen that many of its provisions actually expand government investigative powers for all sorts of crimes, not just terrorism. Amazingly, some judges still seem to be confused by the government's statements into thinking that the Act is limited to terrorism, even when they do read the law. Thus, a magistrate judge in the Middle District of Florida has twice refused to issue orders for electronic information directed at web portals based in California in non-terrorism investigations, believing that section 220 of the Patriot Act, which allows such "out-of-district" orders, applies only to terrorism cases. Both times, though, the magistrate was overruled by a district court judge. In the most recent case, Judge Gregory Presnell concluded that "it seems" that Congress did intend to authorize nationwide orders for electronic information in all criminal cases. But even that judge seemed a bit uncomfortable, noting that the statute is "by no means … clearly, unambiguously or precisely written." And the confusion is not about to go away. Section 220 is one of the previously sunsetted provisions that will be made permanent as part of the PATRIOT Act reauthorization.

Pacific Powers Push for Practical Privacy Principles
At a Symposium on Information Privacy Protection in E-Government and E-Commerce held on February 20-24, the Asia-Pacific Economic Cooperation ("APEC") moved one step closer towards the implementation of a Privacy Framework ("the Framework") throughout the region. Like the EU Data Protection Directive (the "Directive") and the Personal Information Protection and Electronic Documents Act ("PIPEDA") in Canada, the Framework is based on principles of notice to consumers of how their personal data will be processed, and individual consent to processing. But in other respects, the Framework is significantly less prescriptive than the EU and Canadian legislation, and APEC ministers have indicated that the Framework is likely to remain a set of broad harmonizing principles, rather than a basis for mandatory rules across the region.

Steptoe & Johnson and Corporate Counsel Magazine Continue Teleconference Series
On March 22, 2006, from 12:30 p.m. to 1:45 p.m., Steptoe & Johnson and Corporate Counsel will present "Managing Multi-National Corporate Governance: SOX and Data Protection." Please join US Securities and Exchange Commission Director of International Affairs, Ethiopis Tafara, French Commission Nationale de l’Informatique et des Libertes Senior Legal Advisor, Clalisse Girot, and Steptoe partners, Bob McLaughlin and Maury Shenk, for a discussion of managing the emerging tensions between the Sarbanes-Oxley Act whistleblower provisions and EU data protection law.

The teleconference is toll-free, and there is no charge to participate. For additional information or to register, please contact Alycia Polley (telephone 202.457.5436).

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
