E-Commerce Law Week, Issue 472

MPAA Nearly Hoist With Its Own Petard, But Escapes With Its Knickers Barely Singed

It's becoming harder to tell the content pirates from the protectors these days, as the purveyors of content have adopted increasingly aggressive defensive measures that are themselves of dubious legality (such as Sony BMG's unlawful inclusion of spyware in music CDs).  A recent example of this involves the Motion Picture Association of America's purchase of allegedly "hacked" emails of owners of a website that is part of the "BitTorrent" peer-to-peer network, apparently as part of the MPAA's campaign against the sharing of bootleg movies.  The MPAA was able to get away with this little bit of email piracy because of ambiguities in the law about the distinction between when an email is "intercepted" (and therefore covered by the Wiretap Act) and when it is accessed while in "electronic storage" (and therefore covered by the Stored Communications Act).  In Bunnell v. MPAA, a federal court in California granted the MPAA's motion for summary judgment, finding that the emails at issue were accessed while in storage and therefore not covered by the Wiretap Act.  Since the plaintiffs had not pled an SCA claim, MPAA got off the "hook."  But since the court's decision seems to run directly counter to the First Circuit's en banc decision in United States v. Councilman, this is not the last word on this issue.  And it may not be "The End" for MPAA yet, either.

Kaspersky Casts Aspersions, But Zango Gets Zilch

Section 230(c)(2) of the Communications Decency Act shields "providers" and "users" of "an interactive computer service" from liability for:  "(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or (B) any action taken to enable or make available ... the technical means to restrict access to material described in paragraph [A]."  In Zango, Inc. v. Kaspersky Lab, Inc., a federal court in Washington State found that paragraph B of this so-called "Good Samaritan" safe harbor shelters companies, such as Kaspersky Lab, that distribute software used to block the operation of programs that the company identifies as "potentially harmful or malicious," even if the software provider lacks "good faith."  The ruling should reassure purveyors of security software that they will not be held liable for their filtering of spam or malware.  The decision is also indicative of courts' generally broad reading of the CDA's liability protections.  But, in not requiring that the provider act in "good faith," the court's ruling also contains the seed of future decisions that could shield more noxious forms of filtering and blocking activity.

Kiwi Privacy Commissioner Proposes Breach Notification Guidelines

Governments the world over continue to ramp up efforts to help organizations respond to data breaches.  Last month, the New Zealand Privacy Commissioner released a draft version of voluntary guidelines for responding to data breaches.  According to the Privacy Commissioner, the guidelines -- which were "adapted, without substantive change," from Canadian documents that we covered in a recent report -- are intended to help Kiwi corporations adopt best practices before they are "faced with big breaches of the US kind."  Like the Canadian documents, the Kiwi guidelines cover breach containment, risk assessment, notification and prevention, and suggest that organizations consider the risk of harm posed by a breach when deciding whether to notify individuals.  While the guidelines are not mandatory, the Privacy Commissioner noted that, under principle 5 of the Privacy Act 1993, notification might be required as part of a company's duty to take reasonable steps to prevent the misuse of personal information.  The Commissioner also pointed out that providing notification could help individuals protect themselves from any harmful effects of data breaches, thereby limiting an organization's liability for a breach.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.