E-Commerce Law Week, Issue 431

How to Keep a Trade Secret Secret

Is proprietary technology still a "trade secret" if a company shares it with existing or potential customers?  According to a federal court in Illinois, it most likely is -- provided that the company takes reasonable steps to maintain its confidentiality.  In QSRSoft, Inc., v. Restaurant Technology, Inc., the court found that QSRSoft's use of password protection, licensing agreements, and other policies to restrict access to a proprietary computer system was sufficient to establish that the system likely remained a trade secret.  The court therefore denied a motion to dismiss QSRSoft's claim under the Illinois Trade Secret Act (ITSA).  Although the ruling is directly applicable only to ITSA cases, it speaks more generally to the question of what efforts a company must make to keep a trade secret secret, and to maintain a viable legal claim against competitors if the secret ends up leaking.

Plaintiffs Strike Out in Data Breach Lawsuit Against ChoicePoint

Databroker ChoicePoint in January agreed to a $15 million settlement with the Federal Trade Commission, resolving charges that the company’s security and record-handling procedures had permitted fraudsters to purchase access to the personal information of as many as 163,000 individuals, in violation of both the Fair Credit Reporting Act (FCRA) and the FTC Act.  But private litigants have had a more difficult time cashing in on the ChoicePoint breach.  Last month, in Harrington v. ChoicePoint, Inc., a consolidated class action suit, a federal court in California granted ChoicePoint's motion for summary judgment on the plaintiffs' FCRA claims, finding that the company’s records established that neither the content nor the communication of the plaintiffs' information to fraudsters was of a nature that could establish a violation of FCRA.  The ruling suggests that, absent specific evidence that the information allegedly disclosed contained the content of a consumer report and was actually transmitted to a third party, the plaintiff’s bar likely faces an uphill battle when attempting to recover for data breaches under FCRA.

German Court (Temporarily?) Limits ISP Retention of IP Logs

The highest German court for non-constitutional matters has upheld a lower court ruling requiring German ISPs to delete logs of IP addresses visited by a customer (at least those on flat rate Internet access plans) if requested by the customer.  Although this decision appears likely to stick for a couple of years, it may be reversed when Germany applies the new EU Data Retention Directive to Internet services in 2009.  Under the decision, customers of German ISPs have gained important rights to protect the privacy of their online activities.  But there are a number of important limitations to the scope of the decision.  First, the German courts' reasoning would not apply to an ISP that has a legitimate reason to keep IP logs -- e.g., for customers who are billed based on usage, or where there is a warrant or court order requiring such retention based upon suspicion of a particular subscriber.  Second, the lower German courts reportedly required the ISP to delete IP logs only when requested by a customer.  Third, and perhaps most important, the decision was based on German data protection law.  However, under the EU Data Retention Directive, Germany will be required by March 2009 to enact legislation requiring ISPs to retain traffic data on Internet communications for a period of 6-24 months.  This requirement is an explicit exception from EU data protection law, and appears likely to cover the same IP logs that the recent German court decisions now require to be deleted.

If You Put it On MySpace, Can It Really Be Private?

Many employers rely on search engines to find information about prospective or existing employees. Popular social networking sites like MySpace, Facebook, and Friendster give employers another online resource from which to gather information about prospective hires and current employees. But such Internet resources are off-limits to employers in Finland, according to a recent ruling by Finland's Data Protection Ombudsman, unless they obtain the applicant's or employee's consent.  Under Finland's Protection of Privacy in Working Life Act (the "Act"), employers may process personal data about employees or applicants only if it is "directly necessary for the employee's employment relationship."  Moreover, the Act provides that an employer "shall collect personal data about the employee primarily from the employee him/herself," and may collect data from other sources only if it obtains the employee's or applicant's consent.  The employer may use such information in making an employment decision only if it first notifies the employee or applicant, giving her or him the chance to check the reliability of the information.  The Ombudsman reportedly (no English translation is yet available) ruled earlier this month that a company ran afoul of the Act when it rejected a job applicant based on information it found through an Internet search.  It's not clear whether Finland's rule on employer Internet searches is likely to be adopted elsewhere in Europe, since Finland is reputed as having one of the strictest approaches to data protection and privacy and not all EU member states have employment-specific privacy legislation like the Act.  But it does raise a red flag for multinational companies, suggesting that they carefully consider the laws of the country in which they are operating before doing things that, in the U.S. at least, seem like no brainers.

BETonSPORTS Folds its Hand, Accepts Permanent Injunction

A federal prosecutor announced on November 10 that BETonSPORTS PLC, a British Internet gambling company, had agreed to a permanent injunction in a civil suit brought by the Department of Justice.  As we previously reported, following the July arrest of BETonSPORTS CEO David Carruthers, DoJ announced that it had named the company in civil and criminal actions alleging various gambling violations, fraud, tax evasion, and Racketeer Influenced and Corrupt Organizations (RICO) conspiracy.  Under the terms of the injunction, BETonSPORTS admits no wrongdoing but agrees, among other things, to cease soliciting and accepting sports wagers from individuals in the U.S., and to reimburse U.S. bettors for outstanding wagers.  The injunction is noteworthy not only for BETonSPORTS's acceptance of a total ban from the U.S. market, but also for the window it provides into the company's formerly U.S.-facing operations.  While BETonSPORTS's capitulation suggests that it no longer believes that these operations are worth the heavy legal price it was paying, other companies appear to be taking a different gamble by continuing to play the U.S. market.

FBI Requests CALEA Standard for Satellite Services

Early last month, the Federal Bureau of Investigation (FBI) wrote to the Telecommunications Industry Association (TIA) and Satellite Industry Association (SIA) to renew its request for a satellite-specific lawful intercept standard under the Communications Assistance for Law Enforcement Act (CALEA).  The last time this came up in 2002-2003, the satellite industry declined to develop a CALEA standard, in part because of doubts over whether a standard would reduce the costs associated with implementing the assistance capability requirements of CALEA in the context of satellite services.  The FBI's interest in having a satellite-specific CALEA standard has been revived by the satellite industry's move beyond simple telephony to the provision of VoIP and broadband Internet access services directly to the end user.  The FBI seems particularly concerned about satellite broadband and law enforcement's ability to conduct surveillance of such communications.  At this time, the industry has not yet formulated its response.  The FBI's move seems consistent with the concerns motivating the draft "Super CALEA bill" that the FBI has been shopping around Capitol Hill, and on which we previously reported.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.