E-Commerce Law Week, Issue 375
October 22, 2005
"Once More Unto the Breach, Dear Friends, Once More . . ."
". . . or close the wall up with our English dead." So urged Henry V to his assembled lieutenants and soldiers during the siege of Harfleur during the Hundred Years War – at least according to William Shakespeare. While it may be hard to summon Shakespearean eloquence to rouse the troops, the increasing prospect of litigation and government regulation on information security breaches should be enough to garner the attention of any sentient CIO, CISO, or company lawyer. Recent incidents have caused a sharp response by litigants, legislators, and government agencies. And in the wake of these events, the contours of a standard of reasonable care for data security are beginning to take shape as a result of FTC actions, state security legislation (beyond breach notifications), and federal regulation of the financial and health sectors. So, even absent applicable statutory requirements, companies would be wise to ensure that they institute an information security policy that satisfies the emerging standard of reasonable care, lest they be the subject of the next big security incident or lawsuit.
Internet Anonymity Wins a Round, But the Fight Is Far From Over
Internet subscribers' right to anonymity has been taking it on the chin lately. Courts in the U.S. and in the Netherlands and the South Korean legislature have taken actions that would undermine subscribers' ability to remain anonymous. But a recent state Supreme Court decision in Delaware cuts the other way, finding that a subscriber's constitutional right to engage in anonymous speech requires that courts apply a relatively high standard in determining whether to order the disclosure of the subscriber's identity in a defamation case. In John Doe No. 1 v. Cahill, the Delaware Supreme Court held that courts should require the plaintiff to satisfy the summary judgment standard before requiring disclosure of an anonymous defendant's identity. While this case involved political speech about a public figure, the First Amendment basis for the decision could affect the way courts consider suits by corporations against Internet posters of critical comments. It might also have persuasive effect outside the defamation context, such as in "John Doe" suits by the music industry against file swappers, or even in cases involving law enforcement orders for subscriber information. ISPs, who usually find themselves in the middle of these battles, will want to pay close attention to how this issue plays out.
A Viking Raid on EU Employee Email Monitoring?
The Norwegians have been a seafaring people at least since Viking days, and the Norwegian Society for Sea Rescue ("NSSR") is a humanitarian organization whose aim is "to save life and property at sea" (in 2004, the NSSR saved 40 people from drowning). But even an organization like NSSR is not outside the reach of the long arm of EU data protection law. In a move which will bring home to employers the risks of accessing or monitoring EU employee emails, the Norwegian Data Inspectorate has called for the NSSR to be prosecuted for breaching the country's Personal Data Act 2000, which implements the EU Data Protection Directive (although Norway is not part of the EU, it implements a substantial amount of EU legislation).
If the NSSR is prosecuted, the case will set a benchmark in determining the extent to which European employers can rely on work-related interests as grounds to access workers' electronic communications. And regardless of the outcome, the case will serve as a reminder to employers of both the precautions that need to be taken in relation to the monitoring of workers' emails and the risks of improperly doing so. Indeed, given the strict treatment of a public service entity like the NSSR, the ramifications for for-profit corporations could be even more substantial.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













