E-Commerce Law Week, Issue 422
September 16, 2006
HP Affair Puts Pretexting in the Spotlight
"Pretexting" has long been a favorite tool of identity thieves and private investigators. It usually involves calling up a phone company and pretending to be a subscriber in order to gain access to personal information. It's really just another term for "social engineering," a favorite practice of computer hackers looking for a head start on breaking into a network. But the recent revelations that contractors hired by Hewlett-Packard used pretexting to obtain phone records of company directors and reporters have put a new, harsh spotlight on the issue. HP and involved individuals now face criminal investigations on both the state and federal levels, as well as potential lawsuits. And, at the very least, the HP affair will give a boost to the FCC's rulemaking effort on the protection of customer proprietary network information (CPNI). In February the FCC announced that it was "seek[ing] comment on what additional steps, if any, the Commission should take to further protect the privacy of [CPNI] that is collected and held by telecommunications carriers." In particular, the FCC sought comment as to whether "consumer-set passwords, audit trails, encryption, limiting data retention, and notice procedures" might be feasible means of improving the security of CPNI. The FCC is expected to issue a proposed rule by the end of October.
Louisiana Indictment Ups the Ante for Internet Gambling Operations
Following the July indictment of former BetOnSports PLC CEO David Carruthers, many online gambling "experts" were quick to argue that the arrest was an isolated incident and not the beginning of a widespread crackdown. But the arrest earlier this month of Sportingbet's non-executive chairman Peter Dicks for violations of a Louisiana law barring "gambling by computer" suggests that the campaign against offshore Internet gambling operations may spread -- and the stakes increase. Dicks was arrested shortly after his arrival at John F. Kennedy International Airport in New York on non-Sportingbet-related business. Although trading of Sportingbet's shares on the London Stock Exchange was briefly suspended, the British company has continued to solicit bets from the United States, stating that it "has not received correspondence from any US authority regarding this or any related matter." Louisiana has reportedly issued several additional warrants for others in the online gambling business. Dicks was allowed to leave the country, however, on the promise that he'd return for a hearing at the end of the month in New York. Could it be that, after upping the ante, Louisiana decided to fold? Whatever the case, in the near term, the recent arrests will cause many Internet gambling executives to avoid travel to the United Stakes. Two big open questions are whether other states will join in the prosecution party, and whether they or the federal government will go after investors.
Five Credit Card Companies Father New Security Standard
Visa and MasterCard have been flirting for some time with the idea of forming an organization devoted to establishing industry security standards. On September 7, the two companies unveiled the fruit of this collaboration: the birth of the Payment Card Industry (PCI) Security Standards Council, and the release of an updated PCI Data Security Standard (DSS). While the first DSS, which took effect in 2005, was a joint effort of Visa and MasterCard, the new Council also includes American Express, Discover Financial Services, and JCB. The Council's mission is to "develop, enhance, disseminate and assist with implementation of security standards for payment account security." To that end, the DSS requires all participating "merchants, banks, [and] POS [point of sale] vendors" -- as well as their service providers and other contractors -- to implement six sets of security requirements: build and maintain a secure network, protect card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The new Council and the updated Standard should help make consumer data more secure and reduce banks' exposure to fraud. The Standard, by identifying specific security measures, may also influence the emerging standard of "reasonable care" for data security looked to by courts and regulatory agencies.
Steptoe & Johnson LLP and IP Law and Business Magazine Continue Teleconference Series: "U.S. Supreme Court Revisits Non-Obviousness"
On September 28, 2006, from 1:00-2:00 p.m. EDT, Steptoe will be hosting its fourth-in-a-series teleconference co-sponsored by IP Law and Business Magazine. Steptoe partner Roger Parkhurst will lead a panel that will discuss the Supreme Court's revisit of non-obviousness in KSR International Co. v. Teleflex Inc. and the implications the outcome will have for U.S. patents and their owners. Roger is well known in the IP bar and is a former President of the American Intellectual Property Law Association. Please RSVP to Alycia Polley, or by telephone at 202.457.5436.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













