E-Commerce Law Week, Issue 464

Sixth Circuit Shoots Down Warrantless Wiretapping Suit

Last August, a federal court in Michigan ruled in ACLU v. NSA that the National Security Agency's warrantless interception of international telephone and Internet communications was unconstitutional, and issued a permanent injunction barring the government from "directly or indirectly utilizing the Terrorist Surveillance Program [TSP] in any way."  We noted at the time that the court's opinion was not very well reasoned, and it seems that the Sixth Circuit has agreed.  In a 2-1 decision, the court of appeals held that the plaintiffs lacked standing to bring their constitutional or statutory causes of action.  The majority found that, at its heart, the case involved "only one claim, namely, breach of privacy," and that the plaintiffs' claimed injury was not "concrete" or "imminent" enough to be justiciable, since no plaintiff could show that he "ha[d] actually been wiretapped."  Given the unlikely prospects for en banc review in the Sixth Circuit, we suspect the ACLU will petition for certiorari straight away, but the prospects for Supreme Court review are uncertain at best.  If other courts agree with the Sixth Circuit's analysis, standing could prove to be an insuperable barrier to other TSP-related cases. However, at least one case could surmount this hurdle, since government mishandling of documents has apparently provided the plaintiffs in Al-Haramain Islamic Foundation, Inc. v. Bush with proof that their communications were intercepted.  Even there, though, the state-secrets privilege may ultimately thwart the plaintiffs' suit.   

Credit Cards Fend Off Copyright Liability in Ninth Circuit, but Battle May Not Be Over

In a significant win for credit card associations and payment processors, the Ninth Circuit affirmed a lower court's dismissal of all causes of action in Perfect 10, Inc. v. Visa for failure to state a claim.  Perfect 10 had alleged that, by continuing to provide payment services to websites that trade in stolen copies of Perfect 10's adult images after receiving notice of the their infringement, Visa, MasterCard, and "several affiliated banks and data processing services" secondarily infringed upon Perfect 10's copyrights and trademarks.  In a 2-1 ruling, the Ninth Circuit found that Perfect 10's claims came up short, since the defendants'  payment systems were not essential to the distribution of the allegedly infringing images, were not designed to encourage infringement, and did not establish a "right and ability to control" the allegedly infringing activity.  The court also repeatedly noted that finding for the plaintiffs would contradict the U.S. policy of promoting e-commerce.  But the decision also drew a strongly worded dissent, which found significant tensions between the majority's opinion and the same circuit's May ruling in Perfect 10, Inc. v. Amazon.com, Inc. (In that case, on which we previously reported, the court held that search engines could face contributory liability for using in-line linking to aid third-party websites in distributing the full-size images.)  So, despite this win for the credit card companies, online payment processors should still tread carefully when serving suspect customers.

GAO Report Gives Gentle Nudge to Federal Data Breach Notification Legislation

While some companies have been pushing for national data breach notification legislation for several years as a means of preempting the myriad state laws, congressional action has been stymied by jurisdictional spats, elections, and other issues. With several notification bills still under consideration, Congress asked the Government Accountability Office to "review the costs and benefits of [a notification] requirement and the link between data breaches and identity theft."  The GAO's report, released last month, contains no official recommendations, but it does conclude that a national notification requirement could be "beneficial."  It also notes that a "risk based" notification standard "could avoid undue burden on organizations and unnecessary and counterproductive notifications of breaches that present little risk."  Although most legislation currently before Congress already contains a risk of harm threshold, the GAO's report could help ensure that this language is retained, when and if a bill makes its way to the President's desk.  That's good news for businesses that could otherwise be burdened by having to notify thousands of individuals even when there is little or no risk of identity theft or other harm.

Questions and comments about E-Commerce Law Week are always welcome.  Please send nyour feedback to Sally Albertazzie.