E-Commerce Law Week, Issue 376
October 29, 2005

When a PIN Is Not Enough -- FFIEC Issues Guidance For Customer Authentication

Managing your bank account online is pretty simple these days. You go to your financial institution's secure website, you type in your account number and a PIN, and voilà, you're in business. Of course, this very simplicity carries increased risks over time, as hackers and fraudsters hone their expertise at exploiting it. And as the bad guys become smarter, so must the systems that guard against their attacks. Recent Guidance issued by the Federal Financial Institutions Examination Council (FFIEC) says as much, and suggests that in the future, Internet authentication may not be so simple. Released on October 13, the Guidance, entitled "Authentication in an Internet Banking Environment," warns banks that single-factor authentication (a password or a PIN, for instance) is inadequate for high-risk transactions. The Guidance states that "authentication techniques employed by [a] financial institution should be appropriate to the risks associated with [its] products and services." More specifically, transactions involving access to customer information, or the transfer of funds to other parties, should be authenticated using multifactor authentication -- such as a PIN and a USB "token," or a PIN combined with biometric identification.
French Court Takes the SOX Off of US Whistleblowers
The situation in France is getting increasingly dicey for whistleblower programs adopted to comply with Section 301 of the US Sarbanes-Oxley Act ("SOX"). In June, the French data protection authority (the "Commission Nationale de l’Informatique et des Libertes" or "CNIL") rejected two corporate whistleblower programs at the French subsidiaries of US corporations on privacy grounds. Now, a French court has gone one step further and ordered the local subsidiary of another US firm to withdraw a whistleblower hotline initiative, ruling that the provision of the hotline was disproportionate to the potential wrongdoing it might uncover. Further developments are likely regarding compliance with the SOX whistleblower provisions in France and elsewhere in the EU. Not only has the CNIL indicated that it will publish specific new guidance on the matter, but it has also asked the Article 29 Working Group (an official EU body composed of data protection commissioners from across the EU) to consider preparing similar pan-European guidance on compliance.
New CALEA Rule Faces Its First Legal Challenges
Ever since the Federal Communications Commission ("FCC") announced its intention, nearly two months ago, to extend the scope of the Communications Assistance for Law Enforcement Act ("CALEA") to cover broadband Internet access service providers and "interconnected" Voice over Internet Protocol ("VoIP") service providers, it's been clear that privacy groups, educational institutions, and at least a smattering of Internet providers and tech companies would not go along without a fight. Well, the gauntlet has now been taken up. On October 24 and 25, two petitions were filed in the U.S. Court of Appeals for the DC Circuit seeking review of the FCC's rulemaking. The American Council on Education, a non-profit organization that represents approximately 1800 colleges and universities, filed the first petition. The second was filed by a coalition of public interest and business entities, including the Center for Democracy and Technology, the Electronic Frontier Foundation, and Sun Microsystems. Both petitions claim that in extending CALEA to broadband Internet providers and interconnected VoIP, the FCC made findings and conclusions that were "arbitrary, capricious," and "contrary to law."
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.