
E-Commerce Law Week, Issue 458

June 2, 2007

Minnesota Law Helps Banks Recover Costs Stemming from Merchants' Data Breaches

When a merchant suffers a data breach, banks often are the ones to bear the lion’s share of the cost, paying to re-issue compromised credit cards and reimburse cardholders for fraudulent purchases.  As we've previously reported, a number of factors – including the structure of credit card contracts and courts' reluctance to permit recovery on a negligence claim where the only damages are economic in nature – have thus far made it difficult for banks to recoup these expenses from the merchant that suffered the breach.  But, in the wake of the landmark TJX breach, Minnesota has passed a law that could make it easier for financial institutions in the Land of 10,000 Lakes to obtain restitution from merchants.  That law could become a model for similar legislation across the country. The new Minnesota law prohibits merchants' retention of certain credit and debit card information and holds merchants that improperly retain such data liable for any expenses that financial institutions incur as a result of the merchant's data breach.  At least five other states (California, Connecticut, Illinois, Massachusetts, and Texas) are considering similar measures.  While merchants may complain that this legislation unfairly saddles them with increased liability and new data security obligations, financial institutions will likely cheer this risk reallocation, since it allows them to recover costs stemming from security failings over which they have little control.

Google Scores a Less-Than-Perfect 5 in Copyright Case

The display of thumbnails of copyrighted images by search engines is probably protected by fair use, but their use of "in-line linking" to direct users' browsers to third-party webpages containing the full-size infringing image may constitute contributory infringement.  This is the upshot of Perfect 10, Inc. v. Amazon.com, Inc., in which the Ninth Circuit addressed Perfect 10's allegations that the image search services of Google and Amazon.com (through its A9.com search engine, formerly powered by Google) infringed upon Perfect 10's copyrights in images of nude models.  In 2006, a federal court in California preliminarily enjoined Google from "creating and publicly displaying" thumbnails of Perfect 10's copyrighted images, but refused to bar the defendants from "in-line linking" to allegedly infringing third-party webpages. The Ninth Circuit vacated the lower court's injunction, finding that the district court had gotten things precisely backwards.  The court of appeals held that Google's display of thumbnail images was likely a protected fair use, but that Google and Amazon.com might be contributorily liable for "in-line linking to full-size infringing images," since they thereby helped websites distribute the stolen works to "a worldwide audience."  The court therefore remanded for consideration of whether Google and Amazon knew that the images were infringing and failed to take measures to protect Perfect 10's works, as required to establish contributory liability.

Breach Laws Take Hold in Two More States: Will Congress Check their Advance?

Data breach notification laws continue to gain ground in state legislatures, with Wyoming and Maryland the latest to pass such laws, bringing the total to 37 states.  But even as the states close in on perfect cacophony -- that is, when 50 states have a breach law, but with each varying in important, trivial, and/or simply confusing ways -- federal legislation still faces a tough slog as congressional committees try to resolve jurisdictional spats.  Thus far, only three bills -- all in the Senate -- have been reported out of committee. The Senate Judiciary Committee has approved S. 495 and S. 239, both of which would trigger notice where a business or government agency discovers that "computerized data" containing personal information has been compromised, and this breach "result[s] in, or there is a reasonable basis to conclude has resulted in, ... access ... that is unauthorized or in excess of authorization."  Meanwhile, the Senate Commerce Committee has approved S. 1178, which would require businesses to provide notice when a breach "creates a reasonable risk of identity theft."  All three bills would preempt state laws.  At least five other bills dealing with breach notification have been introduced in the House and Senate.  Getting legislation through the House could prove particularly difficult, since the Energy and Commerce, Judiciary, Financial Services, and Oversight and Government Reform committees all claim jurisdiction.  But, given the public's increasing awareness of the problem and industry's continuing calls for a federal law with strong preemption, lawmakers may push to pass legislation before the 2008 elections.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
