E-Commerce Law Week, Issue 342

"Lost Luggage" Incident May Increase Chance of Data Security Legislation
Nothing gets the attention of Congress more than an incident in which its members are the victims. And Bank of America hardly could have done a better (or worse, from its perspective) job of getting Congressional attention by announcing, on February 25, the theft of personal data of more than a million federal employees, including US Senator Patrick Leahy who has taken a lead role on consumer privacy issues. Bank of America claims it lost the information during transit to a backup data center last December. But Sen. Charles Schumer (D-NY) said he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers. However the information was lost, Bank of America immediately alerted the Secret Service, but waited until federal law enforcement authorities had completed their investigation to contact customers.

Coupled with the recent ChoicePoint incident, the Bank of America incident could easily provide the impetus for broad federal computer security legislation. Businesses that collect or store personal information may want to pay close attention to activity on Capitol Hill during the next several months, and consider the implications of any legislation for their own potential liability.

Vonage Wins Dubious Victory in Call-Blocking Case
Score one for Vonage -- maybe. On Thursday, Madison River Communication LLC entered into a consent decree with the Federal Communications Commission (FCC), agreeing that it would not block voice over IP (VoIP) calls traveling over its network. In return, the FCC dropped its investigation into Madison River's conduct. But the FCC never made clear whether Madison River's alleged conduct was actually unlawful, nor did the FCC clarify what the law actually is with respect to VoIP call blocking.

In some respects, the message the FCC is sending with this consent decree is troubling. Essentially, the FCC has announced -- without engaging in a rulemaking or engaging in a formal adjudicatory process -- that broadband providers should refrain from blocking VoIP calls or else face its displeasure. It remains to be seen whether the FCC will follow through and actually establish rules to regulate the conduct of broadband Internet providers -- a step that, so far, it has been reluctant to take.

CALEA, With An Accent on the "Eh?"
After a 30-month consultation process, the Canadian government appears ready to move forward with plans to impose technical wiretapping obligations on Canadian telecommunications service providers (TSPs). Officials from Industry Canada, the Department of Justice, and Public Safety and Emergency Preparedness Canada have issued a 200-plus-page proposal on updating Canada’s wiretap laws (the proposals themselves remain confidential, but a non-confidential summary is available). And, on March 4, these agencies wrapped up a series of one-on-one consultations with TSPs and equipment manufacturers.

Although modeled on the US Communications Assistance for Law Enforcement Act (CALEA), several of the Canadian government’s proposals go far beyond US law in what is required of service providers. Primarily, while CALEA contains a specific exemption for "information services," the Canadian government's proposals would apply to all types of telecommunications and Internet services, including email and voice over IP calls. Additionally, the government seems to be leaning toward a less industry-friendly approach than in the US, by failing to provide for industry standards to provide a "safe harbor" for compliance.

Going Phishing -- Can Lawmakers stop the Internet from Becoming a Virtual Amity Island?
Remember the scene in "Jaws" where, under the promise of a bounty for hooking the big fish, local fishermen jump in their boats and fan out in the waters for the hunt? The same thing may now be happening in Congress and in state legislatures as lawmakers fan out to fight a different kind of "phish."

Fed up with phishing attacks -- a form of online fraud in which Internet users are tricked into providing financial account data and passwords to phony websites run by fraudsters -- lawmakers want to create new criminal sanctions and stricter penalties for those who send fake emails or use phony websites in phishing scams. Sen. Patrick Leahy (D-VT) has introduced a bill (S. 472) on Capitol Hill, and the Virginia General Assembly already has passed legislation (HB 2631) making it a felony to use a computer to gather personally identifying information "through the use of material artifice, trickery or deception." That legislation is awaiting the governor's signature. And bills with slightly more specific language than the Virginia measure have been introduced in Arizona (SB 1447), New Mexico (SB 260), and Washington (HB 1888). These bills would make it a felony to falsely represent a business or organization in an email or website in order to obtain personally identifying information from an individual.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.