E-Commerce Law Week, Issue 356

"Notification Law? We Don't Need No Stinkin' Notification Law In Ohio," Says AG As He Sues DSW
OK, it's not exactly news when an attorney general tries to burnish his consumer-advocate bona fides in preparation for a run at the governorship. But Ohio Attorney General Jim Petro has at least found a new way to do it. He filed a breach notification lawsuit without relying on a breach notification law. That's because Ohio still doesn't have one. Undeterred, on June 6, Petro filed a complaint against shoe retailer DSW, Inc. The complaint asks the court to compel DSW to individually notify each Ohioan whose personal information was stolen from the company’s computer files as a result of a data breach that DSW disclosed this past March. Petro is arguing that DSW’s failure to notify “each and every [affected] consumer” in Ohio constitutes a deceptive act in violation of the state’s Consumer Sales Practices Act (R.C. 1345.02(A)).

State Security Breach Notice Laws -- The Bandwagon Rolls On
As data security continues to rank among the top concerns of state legislatures across the country, four additional states recently joined the increasingly less-exclusive “breach notification law” club.  Since our last update, legislatures in Nevada (S.B. 347) and Tennessee (S.B. 2220) passed data security bills with breach notification provisions closely modeled on California's breach notification law (S.B. 1386).  Both bills await signature by the Governor.  Meanwhile, two bills were signed into law by their state Governors – Connecticut's S.B. 650, which is also closely modeled on California's S.B. 1386, and Minnesota's H.F. 2121, a breach notification law nearly identical to California's.  The Nevada bill is the broadest of the four, with its breach notification sections accompanied by provisions requiring data destruction and provisions requiring businesses to implement and maintain “reasonable security measures.”  Also included in the bill are other anti-identity theft measures.

ICANN Gives Green Light for Virtual Red-Light District
In a video store, the adult videos are usually tucked away in a back room, "guarded" by a black curtain that just about anyone could actually pass through -- er, or so we hear.  But now, the Internet Corporation for Assigned Names and Numbers (ICANN), the organization responsible for overseeing domain-name assignments, has approved the creation of a virtual black curtain for segregating "adult" web content in a virtual back room -- a .xxx domain.  The new domain is getting plenty of attention, but so far we haven't see much ink spilled about the awkwardness that the .xxx domain creates for businesses.  Should companies that aren't in the porn industry register new .xxx web addresses with their trademarked names?  What's better -- for IBM to register "www.ibm.xxx" or for some porn company to do so?  In order to help answer these types of questions, ICANN requested in April 2004 that the World Intellectual Property Organization (WIPO) provide expert advice on IP issues involved in the introduction of new top-level domains (TLDs).  WIPO’s report, “New Generic Top-Level Domains: Intellectual Property Considerations," suggests ICANN implement safeguards to protect IP rights when new TLDs are introduced.  WIPO’s chief recommendation is that ICANN introduce a “uniform preventive IP protection mechanism” to help prevent unauthorized domain name registrations in new TLDs.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.