
E-Commerce Law Week, Issue 349

April 23, 2005

Code Yellow -- Elevated Risk of Dumb Security Breach Legislation
Can you name the terrorism codes lower than today's "yellow -- elevated risk"?  There are two, but no one knows what they are, because the government has never announced a risk code lower than yellow.  If a constantly "elevated" terror risk can lead citizens to become blasé about real dangers, what happens when we are barraged with security breach notices that don't ever seem to result in actual identity theft?  Nothing good, according to Federal Trade Commission (FTC) Chairman Deborah Platt Majoras.   In a series of appearances at Congressional hearings on data security and identity theft recently, Majoras has repeatedly warned Congress of the dangers of “over-notification.”  Majoras' fear of a culture of over-notification is not without merit, as demonstrated by a recent security breach notice that Tufts University sent to its alumni for pretty much no good reason at all.  Meanwhile, heedless of  Majoras' advice, Sen. Dianne Feinstein (D-CA) has reintroduced a tougher version of her breach notification bill (S. 751, formerly S. 115).  The new bill drops the safe harbor section that would have allowed companies to be deemed in compliance if they maintained "reasonable notification procedures" as part of an information security policy.  And Sen. Charles Schumer (D-NY) has introduced his “Comprehensive Identity Theft Prevention Act” (S. 768) -- a broad bill that contains a breach notification provision and would create an Office of Identity Theft within the FTC.

Spiders Can Enter Contracts Too!
It wouldn't be unheard-of for a web surfer to accept the terms of a Terms of Use or "click-through" agreement without actually reading it ... and then for a court to hold him to the terms of that agreement.  So is there a difference if his automated software tool does the "clicking" -- also without actually reading the agreement?  Not according to the US District Court for the Northern District of California.  In Cairo, Inc. v. CrossMedia Services, Inc., the court held that automated software tools called “spiders” can legally consent to the terms of use or terms of service agreements on websites they visit -- thereby committing their operators to the terms of those agreements and subjecting them to liability for violations.  (The case breaks new legal ground, but the court designates its opinion as "unpublished," which usually means that the ruling has little or no precedential impact.  In this case, it may mean that the court lacks confidence in its judgment -- or simply that no one has yet asked the court to publish the opinion.)

FTC Seeks Comment on COPPA Implementation
The FTC announced on April 21 that it is requesting public comment on its rule implementing the Children’s Online Privacy Protection Act (COPPA).  Enacted in 1998, COPPA prohibits deceptive practices in connection with the collection, use, or disclosure of personally identifiable information from and about children on the Internet.  And the statute requires the FTC to review its implementing rules no later than April 21, 2005 -- think of it as the regulatory world's version of a "tell us how we're doing" survey.  So how is the FTC doing?  By and large, the COPPA Rule has not been a big headache for mainstream web businesses, which either avoid "directing" their websites at children or refuse to allow participation by people who enter too low an age.   But some ideas floated in the notice, such as regulating when customers can use the "back" button on their browsers, could change all that.

Little Rock Comes Up With Big Data Security Bill
Arkansas.  Home of the Wal-Mart mega-store.  So is it any surprise that Arkansas has produced a comprehensive data security bill that puts even California to shame?  Signed into law by Arkansas Governor Mike Huckabee on April 4, the “Personal Information Protection Act” (Act 1526) is the broadest data security bill enacted at either the federal or state level.  The Act not only requires notification of a security breach, but it also contains a data retention and destruction requirement and a requirement that businesses maintain “reasonable security procedures.”  But there are at least two saving graces to Arkansas's data-security hat trick.  Unlike California's bellwether security breach notification legislation, the Arkansas law does not give individuals a private right of action, and it lets businesses decide not to issue a notification if they determine that "there is no reasonable likelihood of harm to customers" due to a security breach.

Canada Takes the Lead on 911 for VoIP
The Canadian Radio-television and Telecommunications Commission (CRTC) in early April adopted a Decision requiring Canadian providers of voice over Internet protocol (VoIP) telephone services to offer specified levels of access to 911 emergency calling.  As VoIP becomes increasingly widespread, and anecdotal evidence of problems with absence of VoIP emergency calling becomes part of the gossip of the Internet, there is little doubt that other regulators will begin to follow suit. Regulators around the world have imposed increasingly significant emergency requirements in recent years, and it is not realistic to assume that the VoIP market will be ignored. Accordingly, as regulators in the US, Europe and elsewhere address this issue, it will be essential for VoIP providers to engage in the process to ensure that requirements are imposed in a manner that is manageable for industry.

New Regulatory Fight Looming for Broadband Providers?
If you want to study how the FCC is slowly pulled into yet another regulatory initiative, you couldn't do better than watching the growing fight between Vonage and broadband providers. Vonage Holdings has repeatedly complained -- sometimes to the FCC -- that its customers' VoIP calls have been disrupted by local broadband providers.  The FCC has generally taken a hands-off approach to VoIP regulation and has avoided any clear rulings on when VoIP call blocking  might be improper.  It's still trying to stay out of the fight, but recent incidents involving VoIP call blocking make it harder for the FCC to sit on the sidelines.  In the meantime, broadband providers should be cautious about blocking certain types of traffic such as VoIP calls,  because the line between legitimate and illegitimate network controls is getting murkier.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
