E-Commerce Law Week, Issue 380

Senate Moves Closer to Passing Massive Data Security Bill
It’s been more than 10 months since the ChoicePoint security breach imbroglio touched off a national wave of concern over identity theft and the broader issue of data security, and Congress continues to inch its way towards a legislative fix to the problems.  That process took a step closer to the finish line on November 17, when the Senate Judiciary Committee approved the "Personal Data Privacy and Security Act" (S. 1789).  Sponsored by Committee Chairman Arlen Specter (R-PA) and ranking member Patrick Leahy (D-VT), the bill provides perhaps the most ambitious federal response to identity theft to date.  But it also goes far beyond identity theft, and offers the first broad-ranging federal effort to impose information security requirements on industry and to regulate the burgeoning data brokering industry.  In addition to a fairly standard security breach notification provision, S. 1789 contains -- among other things -- a requirement that businesses implement data privacy and security programs to protect sensitive personal information, new regulations on data brokers, and regulations on government access to and use of commercial data.  But before the legislation moves forward, Sen. Specter will have to resolve jurisdictional issues with the Senate Commerce Committee and the Senate Banking Committee, both of which also have jurisdiction over identity theft legislation.  And the Senate will have to decide whether to move forward with the Specter-Leahy bill or the competing  S. 1408, an ID theft bill that the Commerce Committee approved this past July.

Third Circuit Offers a Tutorial on the CFAA  as a Civil Cause of Action
A recent decision by the US Court of Appeals for the Third Circuit in P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC, clarified that injunctive relief is available in civil suits brought under the Computer Fraud and Abuse Act (CFAA ), 18 U.S.C. § 1030, and that a civil suit can be brought not just where access to a computer causes damage, but also where something of value is allegedly taken from that computer.  This clarification was necessitated by a district court's utter confusion over the terms of the CFAA, including whether it even offered a basis for a civil claim.  This just goes to show how novel civil suits over security breaches still are.  Nevertheless, despite feeling compelled to give the district court a primer on the CFAA, the Third Circuit upheld the lower court's denial of a preliminary injunction on the ground that the plaintiffs had failed to allege what precisely the defendants had taken from their computers, an essential element of a claim based on § 1030(a)(4).  So apparently the district court wasn't the only one that needed to be taken to school.

It’s not CoE-LEA, but not just Cybercrime either -- and it’s now on the Senate Calendar
If it’s the Council of Europe’s (CoE) Convention on Cybercrime, why has no large country in Western Europe ratified it yet?  A fair question, but not one that has given the US Senate much pause.  The Convention has been reported out of the Senate Foreign Relations Committee and is now on the full Senate's calendar, raising the prospect that the US will lead the charge for the CoE's project, before the treaty gets past skeptical audiences in Britain, France, Germany, Italy, Spain, or Sweden.  The question is, will anyone follow?  Despite significant changes to the treaty since its initial introduction to address industry concerns,  there is a lingering atmosphere of discomfort among businesses and privacy groups in both the U.S. and Europe.  One concern is that the treaty is not limited by a requirement of dual criminality -- i.e., the US will assist foreign governments in investigating crimes that aren’t crimes in the US (within the bounds of the Constitution and similar guarantees), and vice versa.   Another is that producing the data that will be sought under the treaty will likely increase the burden on industry, and create non-trivial collateral legal risks that come along with providing data on third parties.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.