E-Commerce Law Week, Issue 425

Congress Takes Parting Shot at Internet Gambling

Stop the flow of funds from bettors to gambling establishments, and you can stop online gambling. That's the theory behind the Unlawful Internet Gambling Enforcement Act of 2006, which opponents of online gambling steamrolled through Congress by tacking it onto the conference report on completely unrelated legislation regarding port security. The bill, which the President is expected to sign, would prohibit any person "engaged in the business of betting or wagering" from "knowingly accept[ing]" payments made by financial institutions on behalf of individuals engaged in "unlawful Internet gambling." But since it may be difficult to reach the operators of gambling services located outside the U.S., the real teeth of the legislation lie in the "[p]olicies and procedures to identify and prevent restricted transactions" that the bill authorizes. The bill states that within 270 days of the subchapter's enactment, the Secretary of the Treasury and the Board of Governors of the Federal Reserve System must work with the Attorney General to "prescribe regulations ... requiring each designated payment system, and all participants therein, to identify and block or otherwise prevent or prohibit restricted transactions through the establishment of policies and procedures reasonably designed to identify and block or otherwise prevent or prohibit the acceptance of restricted transactions." Depending on exactly what these regulations say, they could mean costly new transaction coding and blocking obligations for U.S. financial institutions and payment networks, a well as a few new responsibilities for Internet service providers.

Data Breach Settlements Help Define "Reasonable Care"

When it comes to data breaches, the Federal Trade Commission is no longer the only active regulator. As two recent cases demonstrate, other authorities, both inside and outside of the U.S., also play a role in setting and enforcing data security standards. At the state level, the Oregon State Attorney General announced last month that Providence Health Systems would pay $95,764 to a consumer protection fund -- as well as whatever sum is necessary to continue providing credit monitoring and restoration services and make good on patients' claims for "direct financial loss" -- to settle claims stemming from a data breach that occurred late last year. And in Canada, the Alberta Office of the Information and Privacy Commissioner last month released the results of its investigation into a breach by MD Management Ltd., recommending that the financial services company take several steps to better protect personal information. These actions should serve to remind U.S. companies -- especially those that do business abroad -- that they need look beyond the FTC when attempting to determine what constitute "reasonable" data security measures. Both actions also highlight the importance of encrypting personal data stored on mobile devices.

Judge Upholds Google's Sale of Trademarked Search Terms

National consensus on the legality of search engines' sale of trademarked search terms may still be a ways off, but in the Second Circuit at least, the tide seems to have turned in favor of the search engines. On September 28, the U.S. District Court for the Northern District of New York dismissed computer services franchiser Rescuecom Corporation's complaint against Google, Inc., finding that Google's sale of plaintiff's trademarked name as a search term advertising "trigger" did not constitute a "use in commerce" of the Rescuecom mark. The court's ruling follows similar decisions in other Second Circuit cases, which have generally upheld the legality of Internet services' "internal use" of trademarks for advertising purposes. (See 1-800 Contacts v. WhenU.com, Inc., and Merck & Co., Inc. v. Mediplan Health Consulting, Inc.) But the decision marks the first instance in which a court has specifically ruled that a search engine's use of trademarked search terms -- including the sale of such terms as advertising triggers -- does not constitute a "use in commerce." Nevertheless, the court's ruling flies in the face of decisions issued by the Eastern District of Virginia, the District of Minnesota, the Northern District of Georgia, the Northern District of California, and the District of New Jersey. So while search engines and advertisers facing litigation in the Second Circuit may be able to breathe a sigh of relief, the use of trademarked terms in keyword advertising programs is still very much in legal limbo.

The Great Pretexting Pile-On Begins

Thank to Hewlett-Packard's boardroom spying scandal, pretexting has come under a harsh spotlight in Congress, state legislatures, the media, and now the courts. Over the last few weeks, data brokers, private investigators, and other companies that use deception to obtain a customer's phone records have come in for tongue-lashings in congressional hearings, faced new suits by Cingular and Verizon Wireless, and watched as California Governor Arnold Schwarzenegger signed a bill intended to terminate their pretexting practices. Perhaps the only good news for pretexters is that Congress failed to pass a bill explicitly banning the practice before recessing until after next month's election. But the pretexters themselves aren't the only ones feeling the heat: HP's former Chairman and General Counsel, among others, were taken to task during the September 28 hearing before the House Energy and Commerce Committee for their failure to question contractors' assertions that "records were obtained from publicly available sources in a legal and appropriate manner." And while telecommunications companies are rightly portraying themselves as victims of pretexters, it's safe to assume that they will see regulatory and possibly legislative action over the next several months that would require them to institute stronger measures to protect customer information.

California Files Charges Against HP Officials, Contractors

For five key players in Hewlett-Packard's pretexting fiasco, it was out of the frying pan of a congressional hearing and into the fire of a criminal indictment earlier this month, as California Attorney General Bill Lockyer announced the filing of criminal charges in Santa Clara County Superior Court. Those named in the complaint include Patricia Dunn, HP's former chairwoman; Kevin T. Hunsaker, former in-house lawyer and ethics chief; Ronald R. DeLia, the managing director of a security contractor; and Matthew Depante and Bryan C. Wagner of information broker Action Research Group (ARG), which DeLia hired to ferret out the source of HP's boardroom leaks. The complaint charges the five defendants with violations of California Penal Code Sections 538.5 ("transmit[ing] by means of wire ... communication ... false or fraudulent pretenses, representations, personations, or promises ... for the purpose of ... obtain[ing], from a public utility, confidential, privileged or proprietary information, [or] customer records"); 502(c)(2) ("[k]nowingly access[ing] and without permission tak[ing], cop[ying], or mak[ing] use of any data from a computer, computer system, or computer network"); 530.5(a) ("willfully obtain[ing] personal identifying information ... for any unlawful purpose, including ... obtain[ing] ... goods [or] services ... in the name of [another] person, without the consent of that person"); and 182(a)(1) ("conspir[ing] ... to commit any crime"). Though HP CEO Mark Hurd and former General Counsel Ann Baskins were not indicted, Lockyer made clear that the investigation is ongoing, so no one is out of the woods yet.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.