E-Commerce Law Week, Issue 359

Supreme Court Concludes Grokster and Friends Face Copyright Infringement Liability
In an eagerly anticipated (and handicapped) decision, the Supreme Court ruled unanimously on June 27, in Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., that software developers may violate federal copyright law when they provide computer users with the means to share music and movie files over the Internet -- at least when the software companies take "affirmative steps to foster infringement by third parties."  The opinion, written by Justice Souter, overturns the Ninth Circuit’s grant of summary judgment to Grokster and StreamCast (the two defendant file-sharing software companies), and clarifies the scope of a landmark Supreme Court case, Sony Corp. of America v. Universal Studios, Inc. -- in a manner that makes it largely inapplicable to peer-to-peer file sharing software. 

Brand X -- The Supreme Court and FCC Rules That Are Too Confusing To Have a Brand Name
Also on June 27 – a busy day for the Supreme Court – the Federal Communications Commission's ("FCC") efforts to keep cable broadband Internet services unregulated received the Court's blessing.  In a landmark ruling, the Court held that cable companies that provide high-speed Internet access are not subject to common carrier regulation.  In National Cable & Telecommunications Assn. v. Brand X Internet Services, the Court voted 6-3 to reverse an October 2003 Ninth Circuit decision and to uphold the FCC’s ruling that broadband Internet service provided by cable companies is an “information service” but not a “telecommunications service.”  The immediate effect of the Brand X decision is that broadband cable companies will not have to open up their networks to their competitors and will continue to be exempt from common carrier requirements under Title II of the Communications Act (which requirements DSL providers are currently required to meet).  The court also confirmed that the FCC has the authority to regulate cable modem services even if those services are not “telecommunications services.”  While this decision temporarily resolves the long-running dispute over the regulatory treatment cable broadband services, it does little or nothing to address the regulatory morass of the FCC's overall regulatory treatment of broadband services.

Plaintiffs Bar Looks for Silver Lining in Security Breaches
Like the proverbial tree falling in a forest, if the security of about 40 million credit card accounts is breached but no cardholders suffer losses, will a court order damages?  We may soon find out as a result of a lawsuit against CardSystems Solutions ("CardSystems") – a Tucson, Arizona-based third-party processor of credit card payment data that discovered in May that its security systems had been breached.  An investigation revealed that information on over 40 million credit cards had been compromised, making the incident the single largest such security breach to date.  On June 27, Eric Parke and the Royal Sleep Clearance Center filed a class action lawsuit in state court in San Francisco against CardSystems, Visa, MasterCard, and 200 unnamed Doe parties.  But damages from security-breach incidents are tricky to prove, so it's not clear yet just how lucrative these cases will be.

The Parke complaint is part of a rising tide of lawsuits arising from data security breach incidents. With an ever-increasing number of reported security breaches, the plaintiffs' bar is taking note and, not surprisingly, looking for a piece of the action.  But damages from security-breach incidents are tricky to prove, so whether the plaintiff lawyers' cut will be buying them new jets, or just a few nice new suits, remains to be seen.

Data Security Breach Bills -- The Hits Keep Coming
Get your Howard Dean "I'm on the primary warpath" scream ready, because we're going to Delaware and Louisiana, and then we're going to Maine, and New Jersey, and New York, and Texas.  Yeeeaaaaah!  Yes, that's right -- time again for a roll call of states whose legislatures have passed data security-related bills.  The Delaware, Maine, and Texas bills have been signed into law already, and the security breach notification bills in Connecticut (S.B. 650), Nevada (S.B. 347), and Tennessee (S.B. 2220), on which we have previously reported, also have now been signed by their respective governors.  Fortunately for companies doing business across state lines, these latest state bills contain security breach notification provisions modeled on the California security breach notification law (S.B. 1386) that we've come to know and, well, maybe we don’t love. 

Meanwhile, the prospects for federal breach notification legislation with a preemption provision increased with Sens. Arlen Specter's (R-PA) and Patrick Leahy's (D-VT) introduction of S. 1332, the "Personal Data Privacy and Security Act of 2005."  But unfortunately, in addition to breach notification provisions that would preempt many of the states' efforts on this front, the 91-page bill lays out a broad regulatory framework for data security that may end up causing more legal headaches than it relieves. In short, the security breach legislative landscape is full of potential pitfalls, at both the state and federal levels, and no doubt some of them yet remain concealed.

Another French Decision Highlights Thorny Issue of Internet Conflict of Laws
Apparently undeterred by their protracted battle with Yahoo! over the sale of Nazi paraphernalia on its California-based websites, a group of leading French anti-racism groups recently launched a bid to shut down another US-based website which publishes Holocaust denial and allegedly anti-Semitic literature.  The groups’ efforts led to a brief victory in April when a French court ordered the US companies that host the website to prevent users in France from accessing the site.  But after the web hosting companies failed to fully comply with the order, the French groups shifted their attention to the users themselves and instead pushed to have French ISPs block outbound access to the website.  Their efforts succeeded on June 13 when the Paris High Court ordered ten of the country’s primary ISPs to block access to the site.  This case is one of a series of decisions that has turned the centuries-old problem of conflict of laws into an Internet cause célèbre.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.