E-Commerce Law Week, Issue 367

Back to the Future -- Cybersecurity and Critical Infrastructure Protection
The recent flurry of breach notification legislation in Congress and state legislatures might lead one to think that cybersecurity is all about preventing identity theft and protecting personal information. Broader concerns about protecting "critical infrastructures" from cyber attacks that could cripple their operation just seem so -- so "1990s." Perhaps it was the fact that the "Digital Pearl Harbor" scenario warned of by some cybersecurity gurus never materialized, or perhaps it was the years of false starts and personnel rollover at the Department of Homeland Security's cybersecurity shop that led to the broader concerns receiving little attention from policymakers the last four years. Whatever the cause of that period of repose, Washington now appears ready to revive its interest in the critical infrastructure aspects of cyber security -- and in a major way. Several provisions in the mammoth “Energy Policy Act of 2005” (signed by President Bush on August 8) lay out a regulatory scheme to establish cybersecurity standards for power utilities across the country. The provisions mark the first real effort by Congress to impose cybersecurity standards, not for the sake of protecting the privacy of personal information, but for the sake of preventing attacks that could disrupt the functioning of critical infrastructure. And for this reason, companies that own or operate parts of other "critical infrastructures" -- financial institutions, telecommunications companies, and Internet service providers, for instance -- may want to take a close look at the legislation, since parts of it could represent their regulatory future.

Court Says Websites Are "Tangible" Under Patent Marking Statute
Just because you don't need a board to surf the web doesn't mean a website is not “tangible” -- at least as far as patent law is concerned. On August 8, a federal court held that websites incorporating patented software are “tangible items” under the patent marking statute (35 U.S.C. § 287(a)), and therefore must be marked to give constructive notice to potential infringers. In Soverain Software, LLC v. Amazon.com, Inc., the U.S. District Court for the Eastern District of Texas granted summary judgment to defendant Amazon.com, ruling that “tangible items” are those items that can be marked, while “intangible items” are items that cannot be marked. And since Amazon.com proved that websites can indeed be marked, the court ruled that they are, therefore, “tangible items.” This straightforward decision should provide some helpful clarity to the increasingly complex arena where patent law intersects with the World Wide Web.

Dog Days Update on Security Breach Notification Laws
August vacations are in full swing … unless you're a North Carolina legislator. Before its members headed to the Outer Banks or the Blue Ridge mountains, the state legislature on August 23 passed the “Identify Theft Protection Act” (S.B. 1048), which includes a security breach notification requirement.  The bill (which Governor Mike Easley has yet to sign) is broader than the breach notification provisions we've seen enacted in many states. For example, the bill uses a broader definition of "personal information" that includes biometric data. In addition to requiring breach notification, the bill also limits the use of Social Security Numbers (SSNs) and establishes certain data destruction requirements. Meanwhile, earlier this month, on August 2, the Ohio House of Representatives passed a security breach notification bill (Sub. H.B. 104) that is modeled on California's law (S.B. 1386), but would require notice to be given within 45 days (subject to a delay for law enforcement purposes) and would require an agency or business to notify consumer reporting agencies if the breach is likely to affect more than 1,000 Ohio residents.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.