E-Commerce Law Week, Issue 467

Massachusetts Law Seeks to Secure Residents' Information (But It Won't Secure A Red Sox Division Lead in August)

Spurred in part by last winter's landmark TJX data breach, Massachusetts lawmakers have enacted legislation requiring corporations and other "legal entities" to notify Bay State residents if their personal information is compromised.  The law, signed by Governor Deval Patrick on August 2, also requires a Massachusetts agency to draw up substantive data security regulations, and mandates that companies that dispose of state residents' personal information ensure that it "cannot practicably be read or reconstructed."  Massachusetts is now the 38th state that requires companies to notify individuals of a data breach (Oklahoma requires notification only by governmental entities).   The law will do little, however, to stem the onslaught of pinstriped breeches during the crimson stockings' traditional August swoon.

Court CANS Union Speech, But Are Companies -- or Presidential Candidates -- Next?

The CAN-SPAM Act (officially, the Controlling the Assault of Non-Solicited Pornography and Marketing Act) establishes requirements for those who send certain kinds of "commercial electronic mail messages" and provides penalties for violators of the statute's strictures.  But what counts as a "commercial" email may not be as clear as one might have thought.  CAN-SPAM defines a commercial email as one with the "primary purpose of ... commercial advertisement or promotion of a commercial product or service."  A Federal Trade Commission regulation (16 C.F.R. § 316.3) states in a footnote that the Commission will regard as "commercial" only those emails that constitute "commercial speech" within the meaning of the First Amendment.  In Aitken v. Communications Workers of America, a federal court in Virginia recently held that union-organizing emails were commercial speech, and therefore subject to CAN-SPAM's requirements.  The court's broad interpretation of what constitutes "commercial speech" means that some emails that don't appear on their face to be promoting a commercial product or service may nevertheless fall within the ambit of CAN-SPAM.  And the court's expansive definition of a "transactional or relationship" message as covering any emails that address an employment relationship or benefit plan means that some emails could be covered by the Act even where the sender does not have an established relationship with the recipient.  So while the decision's immediate impact is limited to unions, in the long term it could end up creating difficulties for companies, non-profits, and even political candidates.

FBI Proposes Paying Telecoms to Retain Data

In its funding request for 2008, the Federal Bureau of Investigation has asked Congress for more than $5.3 million to compensate three telecommunications companies for their development of systems for the storage and retrieval of "at least two years’ worth of network calling records.  These systems would be accessible only by the telecoms, which would presumably provide the government with records only pursuant to a lawful request.  The money would also be used to pay each company to "provide a dedicated on-site employee to process the exigent lawful requests for data."  While close cooperation between telephone companies and the government is nothing new, the FBI's request does suggest that the Department of Justice prefers to pay for a piecemeal approach to data retention, rather than wait for congressional action.

German Court Rules that Skype Violated Open Source License

Open source software (OSS) is big right now.  Part of what makes OSS so attractive is its licensing structure.  OSS licenses require that software source code (i.e., the version that can be read and changed by human programmers) must be made publicly available, and most OSS licenses -- including the most popular, known as the GNU General Public License (GPL) -- require anyone who distributes a program based on OSS must likewise make their changes publicly available. Many companies have discovered that using OSS code in their products makes good business sense.  But using OSS software in a commercial product can also create legal complications.  A case in point is a German court ruling (see case summary) that distribution of an OSS mobile phone using the Skype software without a copy of the GPL or source code violated the license's terms.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.