E-Commerce Law Week, Issue 338

Final FACTA Rules on Data Disposal Maintain Status Quo
In a financial institution letter released February 2, the US federal bank and thrift regulatory agencies announced that they issued final guidelines to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Section 216 is designed to protect consumers against the risks associated with identity theft and other types of fraud. The new guidelines -- effective July 1, 2005 -- require any financial institution that maintains or otherwise possesses consumer information derived from consumer reports to properly dispose of it. The 12-page notice in the Federal Register might lead you to believe that the regulations actually say something substantial, but the agencies chose not to issue a prescriptive rule. Rather than taking a hard line and issuing specific guidelines, the agencies chose to allow institutions to follow the risk-based approach to handling security threats that is already in place under the existing guidelines. According to the agencies, this means that any changes to an institution's existing information security program are "likely will be minimal." 

When Must ISPs Disclose Subscriber Data? -- A View From Around The World
In one of her biggest hits, teen rock star Avril Lavigne sings "Why do you have to go and make things so complicated?" The sentiment is equally appropriate for Internet service providers (ISPs) considering the international legal patchwork regarding when an ISP must disclose subscriber information to owners of copyrighted material (like Ms. Lavigne's songs). Thanks to the music industry's aggressive international lawsuit campaign, ISPs around the world are finding themselves in court regarding their subscribers’ privacy rights. And courts hardly have been unified over how they see the issue.

In Germany, Austria, and the United States, recent rulings have set back the effort to force ISPs to disclose subscriber information. While these decisions represented defeats for the recording industry on narrow, statutory grounds, last year the federal court in Canada went even further by suggesting that file-sharing may be legal. On the flip side, the most recent ruling in Great Britain compelled several ISPs to disclose the names of alleged file-sharers. Meanwhile, Australia's courts have yet to weigh in on the issue, but the country's copyright laws now resemble those of the US, thanks to the Australia-United States Free Trade Agreement.

In short, ISPs facing recording industry requests for disclosure of subscriber information face a very uncertain legal environment, particularly because if disclosure is made where not required, subscribers could allege a violation of their data protection and privacy rights.

RFID Tags Are Hot, Maybe Too Hot ... Like McDonald’s Coffee?
Wireless RFID chips -- essentially high-tech bar codes that can be scanned from a distance -- are touted by some as the greatest thing since sliced bread. Their proponents claim that they can be used to slash warehouse management costs, reduce theft in retail stores, and may even be an essential tool for keeping the nation’s food supply safe from terrorists. On the other hand, opponents warn that the proliferation of RFID tags in everything we buy, eat, or carry could lead to the creation of a Big Brother regime of unprecedented proportions. Now, with the release of a study by researchers at Johns Hopkins University and RSA Laboratories, substantial security concerns are being raised regarding RFID. This comes at an inopportune moment for the technology, given the enhanced industry and public concerns regarding computer security and terrorism. Furthermore, legal liability of companies for information technology security breaches appears to be an increasing risk, and there is no reason to suppose that RFID is immune from such concerns.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.