E-Commerce Law Week, Issue 392
February 18, 2006
Stakes Rise, As Another Data Security Breach Leads To Class Action
No good deed goes unpunished, the old saying goes. That's what the lawyers at Providence Health System must be thinking. After discovering the theft of 365,000 unencrypted patient records from an employee's car in the Portland, Oregon, area in early January, the health-care provider apparently decided to do the right thing and notified affected patients and employees on its own, since Oregon does not (yet) have a security breach notification law. But now Providence finds itself the subject of an investigation by the Oregon State Attorney General into whether it violated consumer protection laws by failing to take reasonable measures to protect medical records. And as if that weren’t enough to worry about, on January 30, a former Providence patient filed a class action complaint against the company in the Oregon Circuit Court, Multnomah County, alleging that Providence was negligent in failing to safeguard health information. So now it's not just the Federal Trade Commission and State AGs companies need to worry about, but private plaintiffs and the plaintiffs' bar, too. And if they want to minimize their legal risks, companies need to have an effective plan to prevent and, if necessary, respond to a security breach, and ensure that relevant employees are trained to carry it out.
Metatag? Or Meta-Hide-'n-Seek?
Any business with an Internet presence wants to increase its website traffic. And one of the best ways to do this is to rely on something web surfers never see -- a bit of HTML coding called a "metatag" that describes the content of a website. Search engines use these small pieces of hidden coding to index web pages according to content so web surfers can be directed to web pages with the content they request. Where things can get problematic, though, is when businesses manipulate hidden metatags to draw more eyes to their websites. One way to do this, for instance, is to use the trademark of a competitor in your metatags to attract that competitor’s customers. But that clever tactic just ran into a roadblock, when a federal court in Ohio ruled that the use of a competitor's mark in metatags to pull consumers to a website constitutes trademark infringement, even if consumers eventually realized that the site was not that of the competitor. This decision could have major -- and negative -- ramifications for Google and other search engines that allow companies to use competitors' marks as keyword search terms, so that their own paid ads (and links) are displayed when someone searches for the competitor's name.
Can the Government Use Cell Phones As Tracking Devices Without Probable Cause? Four Courts Say "No," One Says "Yes"
We're all used to figure skating judges giving markedly different scores for a single routine in the Winter Olympics. But that sort of divergence is a bit more disconcerting when it comes to judging the US government's creative attempts to justify intrusions on privacy. That's exactly what we're seeing, however, regarding the government’s efforts to use cell phones as tracking devices upon a showing of less than probable cause -- with four magistrate judges ruling against the government, and one for it. Most recently, magistrate judges in Maryland and the District of Columbia have rebuffed the government's theory that it could obtain real time cell site information, on a continuing basis, using a combination of the Patriot Act-amended definition of a pen register and the Stored Communications Act (SCA). Meanwhile, a magistrate judge in the Southern District of New York has achieved the distinction of being the only judge so far to buy into the government's "imaginative" legal theories, holding that the SCA is “a far more obvious source of authority” for disclosing real time cell site data than Rule 41 search warrants. The courts’ lack of unanimity on this issue creates a confusing situation for telcos and Internet service providers, who should continue to display ample caution in responding to pen register and trap and trace orders involving cell site information. It also virtually invites "magistrate-shopping" by the government, at least until appellate courts start weighing in on the issue.
European Issues for SOX Expand, But Moderate
The apparent conflict between the whistleblower provisions of section 301 of the Sarbanes-Oxley Act ("SOX") and European legislation implementing the EU Data Protection Directive ("Directive") expanded to a Europe-wide front earlier this month when the Article 29 Working Party (which comprises EU member state and European Commission data protection officials) released an Opinion on the issue. Although the Opinion makes clear that the tension between SOX and the Directive will be an issue across the 25-country EU for companies subject to SOX, the good news is that the problem did not get any worse, and appears to be moving towards resolution. So, even though a number of issues remain before this kerfuffle settles down, it does not appear that the conflict between SOX and the Directive is as serious a problem as appeared to be the case just a few months ago.
UN Opens Convention on Electronic Contracting for Signing by Member States
In the fine United Nations tradition of ratifying faits accomplis, the UN Commission on International Trade Law ("UNCITRAL") decided that it was time to formally usher in the e-commerce age with its Convention on the Use of Electronic Communications in International Contracts (the "Convention"). Opened for signature on January 16, the Convention seeks to establish "uniform rules to remove obstacles to the use of electronic communications in international contracts." Essentially, it ratifies the use of electronic communications in the contracting process and offers some basic parameters for using electronic signatures and automated message systems during contract formation. The Convention goes to great lengths to emphasize the optional nature of its scheme, which is presumably a response to the strong business interests that wanted to retain the supremacy of the parties' agreed upon terms. The Working Group that produced it met six times from 2002-2004 and received significant input from business interests represented by the International Chamber of Commerce. Member states have until January 16, 2008, to ratify it, and UNCITRAL plans to sponsor an event during its 39th session in New York (June-July 2006) to promote signing the treaty.
Steptoe & Johnson and Corporate Counsel Magazine Continue Teleconference Series
On March 22, 2006, from 12:30 p.m. to 1:45 p.m., Steptoe & Johnson and Corporate Counsel magazine will present "Managing Multi-National Corporate Governance: SOX and Data Protection." US Securities and Exchange Commission Director of International Affairs, Ethiopis Tafara, French Commission Nationale de l’Informatique et des Libertes Senior Legal Advisor, Clarisse Girot, and Steptoe partners, Bob McLaughlin and Maury Shenk, will discuss how to manage the emerging tensions between the Sarbanes-Oxley Act whistleblower provisions and EU data protection law.
The teleconference is toll-free, and there is no charge to participate. For additional information or to register, please contact Alycia Polley (telephone 202.457.5436).
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













