E-Commerce Law Week, Issue 427
October 21, 2006

Court Cries OOH-RAH! for Employee Privacy
Does a Marine Corps "jarhead" have a greater expectation of privacy in personal emails sent from a workplace computer than, say, a company lawyer on Wall Street or in Silicon Valley? In some circumstances, yes. That's the surprising answer from the United States Court of Appeals for the Armed Forces in a recent decision, United States v. Long. In August, the U.S. Court of Appeals for the Ninth Circuit held in United States v. Ziegler that "an employer's policy of routine monitoring" of computer use may preclude an objectively reasonable expectation of privacy in a work computer. In contrast, the court in Long found that the Marine Corps' monitoring policy and a log-in banner stating that use of the computer constituted consent to monitoring were not sufficient to extinguish a servicemember's reasonable expectation of privacy. The court based its conclusion mainly on the precise wording of the banner and on office practices that suggested employees retained some privacy regardless of what the official policy said. Significantly, the search in Long was a law enforcement search, so the decision did not directly address computer monitoring by employers for work-related reasons, or the question of when private employers can consent to law enforcement searches. Still, the case serves as a reminder to all employers to take care in how they word their policies and log-in banners and to be sure that practices are consistent with policy.
If a Court Order Falls in the Woods and No One Obeys It, Does Anybody Care?
Woody Allen once said that "eighty percent of success is showing up." But when questions of jurisdiction are involved, some companies think not showing up is the better course. The problem with that strategy is that it can lead to a default judgment and a possible contempt order. That's what Spamhaus, a UK spam-fighting service, learned the hard way. Spamhaus initially chose to stay home rather than dispute a claim by e360Insight LLC, an Illinois Internet marketing company, that Spamhaus had unjustly blacklisted it as a "spammer" and damaged its business and reputation. e360Insight was rewarded with a default judgment that included a permanent injunction and damages of $11.7 million U.S. Spamhaus initially responded by trying to turn the dispute into a conflict of laws issue, asserting in public statements that default judgments in the U.S. are invalid and unenforceable in the UK and that a U.S. court order to a British organization to stop blocking spam in the UK "goes contrary to U.K. law." In the near term, this issue is not really about a conflict of laws, but about whether Spamhaus has any assets that could be seized in the U.S. to satisfy the court's judgment. A conflict of law will arise only if e360Insight attempts to enforce the U.S. judgment in the UK. In any case, Spamhaus has now decided to enter the fray in the U.S., appealing the default judgment to the Seventh Circuit. In the meantime, the district court denied e360Insight's request for a contempt order that would have forced ICANN or a domain name registrar to suspend Spamhaus' website. The court reasoned that neither ICANN nor the registrar was a party to the suit and, in any case, an order knocking Spamhaus' site offline was too onerous a sanction for Spamhaus' non-compliance with the default judgment.
Courts Find Risk of Identity Theft Alone is Insufficient to Establish Standing
Data security breaches can be costly and burdensome for companies to deal with, what with state breach notification requirements, investigations by state attorneys general or the Federal Trade Commission, and lost business due to customers' data security concerns. But thus far, absent evidence that the lost data has actually been misused, companies have had little to fear from the plaintiffs' bar. While federal courts in Minnesota and Arizona have found that there may be some compensable damages even where there is not actual identity theft -- including awards for the cost of credit monitoring and possibly for the increased risk of future harm -- neither of those courts actually awarded damages. And recent decisions by federal courts in Arkansas and Ohio could insulate corporations from post-breach lawsuits altogether where there is no evidence of concrete harm. In Bell v. Acxiom Corp. and Key v. DSW, Inc., the courts ruled that the allegation of an increased risk of identity theft did not demonstrate the requisite concrete injury, and therefore was insufficient to establish standing to sue. Nevertheless, the particulars of these cases -- including Bell's ignorance of whether her personal information was even contained within the stolen databases, and Key's failure to allege that she had personally "incurred the cost and inconvenience" of obtaining credit monitoring -- suggest that companies may still face suits where there is a higher likelihood of identity theft, or where measures taken in response to a data breach have caused harm.
EU Eyes More Prescriptive Cybersecurity Regulations
Computer security obligations have existed for some time under the EU Privacy and Electronic Communications Directive, which requires providers of electronic communications "to take appropriate technical and organizational measures to safeguard security." Although this general obligation is quite broad, it has limited specific content, and has prompted virtually no regulatory action. But this may change, as the European Commission's "Communication on the Review of the EU Regulatory Framework for Electronic Communications Networks and Services," adopted this past June, found that the current "lack of appropriate security measures" demands new "specific regulatory measures," in addition to continued technological development and self-regulation. As described in the Commission's Staff Working Document released alongside the Communication, these proposed measures include data breach notification and liability requirements for electronic communications providers, as well as new regulatory powers to demand audits and "issue binding instructions." On the other hand, the Article 29 Working Party (created to oversee the implementation of EU Data Protection Directive) and several industry groups have recently argued that such requirements would be both unnecessary and unduly burdensome. But while such concerns may yet slow the legislative process, the clear EU trend is away from a hortatory position on cybersecurity, and towards something akin to the increasingly regulatory-minded U.S. approach.
French Court Validates Compliance of SOX Whistleblower Program
A French court in late September arguably put a close to a chapter in the episodic conflict between U.S. and EU privacy law, when it upheld a whistleblower hotline that was adopted by a subsidiary of German agro-chemical conglomerate Bayer AG in order to comply with the Sarbanes-Oxley Act. In 2005, decisions by a French court and by the French data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), called into question the legality of such hotlines. And in December 2005, the CNIL adopted a decision setting out rules with which such hotlines must comply in order to satisfy the requirements of French data protection law. Although the decision by the High Court in Lyon depended on the specifics of the whistleblower program, it should provide a fair degree of comfort to companies that have made a good faith effort to comply with the December 2005 CNIL decision.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.