E-Commerce Law Week, Issue 476

Facebook Left Red-Faced by Attention from State Attorneys General

As the social networking site Facebook and its young executives are quickly learning, life in the spotlight can bring all sorts of attention -- good and bad.  Just as the company is piquing the interest of Internet powerhouses, and peaking in value, separate investigations by state attorneys general are revealing one of the main vulnerabilities of the social networking business -- the risk of members' using the site to do bad things.  In recent weeks, a steady stream of state attorneys general have announced that they are investigating the privacy practices of Facebook and other social networking sites.  (See statements from the attorneys general of Connecticut and North Carolina, Ohio, and Mississippi.)  In New York, Attorney General Andrew Cuomo went further, subpoenaing Facebook for copies of complaints its has received regarding "inappropriate solicitation of underage users and inappropriate content on the site," the website's responses to these complaints, and "all Facebook policies on user safety and all representations made to consumers about the safety of the site."  And, across the Hudson, New Jersey Attorney General Anne Milgram announced that her office had issued a subpoena to Facebook seeking information on whether convicted New Jersey sexual offenders have profiles on the site.

U.S. Agencies Propose Internet Gambling Regulations for Financial Institutions

As we previously reported, the Unlawful Internet Gambling Enforcement Act of 2006 (UIGEA) (enacted as Title VIII of the SAFE Port Act) prohibits any person "engaged in the business of betting or wagering" from "knowingly accept[ing]" payments made by financial institutions on behalf of individuals engaged in "unlawful Internet gambling."  Since it can be hard to reach the off-shore gambling houses that engage in such "restricted transactions," the UIGEA also directed the Treasury Department and the Board of Governors of the Federal Reserve System to prescribe regulations requiring any "designated payment system, and all participants therein," to bar the transactions.  Last week, the agencies issued a Notice of Joint Proposed Rulemaking setting out draft implementing regulations.  While the proposed regulations appear to be fairly flexible, there are many details in which little devils may be hiding.  Comments are due by December 12, 2007.

Court Rejects Government's Effort to Access Dialed Content Without a Wiretap Order

A federal magistrate in New York has ruled that the government must show probable cause and obtain a Title III wiretap order, rather than relying on a pen- register order, before accessing "post-cut-through dialed digits" -- i.e., the digits that a caller dials after his call is connected -- since such digits often represent call content.  The court found that using a pen-register order to gather such dialed content is not permitted by the pen-register statute and would violate the Fourth Amendment, since a pen-register order can be obtained on a mere certification by the government that dialing (or other routing or addressing information) is "relevant" to a criminal investigation.  This decision is in line with previous rulings by federal courts in Texas and Florida, suggesting an emerging consensus.  Interestingly, the government's theory for why it should be allowed to obtain communications content without a Title III order -- essentially, that it should be allowed to collect whatever it can, subject to "minimization" requirements -- bears some resemblance to its recent approach to surveillance under the Foreign Intelligence Surveillance Act.  On both fronts, the government is running into serious judicial resistance.

TJX Proposes Settlement with Consumers Harmed by Data Breach

Retailer TJX has announced a proposed settlement agreement in a consolidated consumer class action stemming from a data breach that exposed the personal data of tens of millions of TJX customers.  The consolidated suit alleged, inter alia, that TJX's handling of customers' social security, credit and debit card numbers was negligent and in breach of contract.  Under the terms of the tentative settlement, TJX admits no wrongdoing, but agrees to provide harmed customers with some combination of credit monitoring, identity theft insurance, reimbursement for drivers' license replacement costs and certain losses resulting from identity theft, and some form of limited monetary reimbursement.  If approved by a federal court in Massachusetts (a big "if," in light of recent statements by the court), the agreement would settle all consumer claims brought against TJX and Fifth Third Bank (which handled TJX's credit card accounts) in the United States, Puerto Rico, and Canada.  Acceptance of the settlement would also be contingent upon the plaintiffs' approval of an independent expert's report assessing whether TJX has made "a prudent and good faith attempt ... to minimize the likelihood of [computer] intrusions in the future."  Should the agreement be approved, TJX would avoid not only a lengthy trial, but also the potential for a precedent-setting win by the plaintiffs' bar.

Connecticut Suit Accentuates the Legal Risks from Data Breaches

As the TJX case makes clear, a data breach can trigger fines against the company, loss of goodwill, expensive breach notification requirements, and investigations by the Federal Trade Commission and state attorneys general.  But companies and other victimized entities are not without their own legal recourse against contracters entrusted with a company's information.  A recent suit by Connecticut's Attorney General against consulting company Accenture over the loss of confidential state information suggests that, rather than shouldering all the blame, companies may consider suing the responsible contractor, especially in cases where the contractor failed to live up to its contractual obligations.

The Keys to the Kingdom -- RIPA Part III Now in Force

The United Kingdom has finally made effective Part III of the Regulation of Investigatory Powers Act 2000 (RIPA), seven years after its enactment and a year after the UK Home Office decided to hold a public consultation on its provisions.  As previously reported, Part III of RIPA gives UK officials the authority to issue a notice to "any person" in possession of a decryption key to either decrypt encrypted information or provide the key for such decryption.  Such notice may be issued for national security, crime detection or prevention, or "in the interest of the economic well-being of the United Kingdom."  (How's that for an economic policy?)  Of course, it remains to be seen whether UK authorities will use their new powers under Part III with restraint and discretion or will instead use them aggressively to collect the decryption keys of the many companies with operations in the UK.

France Takes the Lead on Data Retention

President Nicolas Sarkozy is apparently not the only French official who thinks France should take a leading role on European matters.  The French Parliament was one of the first among EU member states to introduce new legislation obliging communication service providers (both Internet and telephony) to retain certain categories of data for a minimum of one year ahead -- a year and a half ahead of the September 15, 2007, deadline imposed by the EU Data Retention Directive for telephony services.  And while many of France’s EU neighbors have failed to meet that deadline, the French courts have already ruled on the validity of the French legislation.  The highest court of appeal on administrative issues in France, the Conseil d’Etat, recently upheld the legislation in two decisions, rejecting arguments that it violates the data privacy rights of French citizens and does not provide adequate cost reimbursement to service providers.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.