E-Commerce Law Week, Issue 484
December 1, 2007
Piracy Fight Gives Rise to Unusual Ménage à Trois in France
On November 23, French President Nicolas Sarkozy announced that his Government and French Internet service providers have agreed to join film and music rightsholder organizations in their fight against illegal downloads of copyrighted material. Under the accord, first-time infringers would be sent a warning from their Internet service provider, while repeat offenders could have their accounts suspended or terminated. If approved by the French parliament, the agreement could impose costly new record-keeping and filtering requirements on ISPs, already burdened by a European trend towards tougher enforcement of copyrights online. As we previously reported, the Belgian Court of First Instance in Brussels ruled in June that a local ISP must take certain proactive measures to block or filter peer-to-peer downloading of pirated audio and video files, and France's highest court of appeal for administrative decisions, the Conseil d'Etat, ruled last May that music industry groups could use automated monitoring of file-sharing systems in their fight against piracy.
Ninth Circuit Gives New Hope to Plaintiffs in Data Breach Cases
Late last month, the Ninth Circuit ruled that circumstantial evidence of a causal connection between a data breach and subsequent identity theft can support a negligence claim against the organization that suffered the breach. The court's unpublished opinion in Stollenwerk v. Tri-West Health Care Alliance overturned a lower court's ruling that plaintiff Mark Brandt could not recover on a negligence claim stemming from six cases of identity theft that he allegedly suffered after his data was compromised by a theft of computer equipment from defendant Tri-West. The Ninth Circuit held that it is a "matter of common knowledge" that "the type of information contained on the … [stolen] hard drives [was] the same kind needed to open credit accounts at the firms where [the identity theft] took place." The court also noted that the identity theft had begun just six weeks after the breach and that Brandt had allegedly handled his personal information with care and had never suffered identity fraud before the breach. On these facts, the court found that a reasonable jury could find a "causal relationship" between the breach and the identity theft, and so reversed the district court's order of summary judgment for Tri-West. This ruling suggests that, even without evidence directly tying a data breach to subsequent incidents of identity theft, plaintiffs may be able to get to a jury in a suit against the organization that lost their data.
Will the EU Jump on the Breach Notification Bandwagon Before the U.S. Congress?
Long popular in U.S. statehouses, data breach notification laws could soon make the leap across the pond. The European Commission recently proposed a directive that would require providers of "publicly available electronic communications services" that suffer a data breach to notify subscribers whose personal information has been compromised. The proposed directive would amend an existing directive on privacy and electronic communications to require such providers to give timely notice to both the concerned subscriber and the national regulatory authority in cases where "a breach of security lead[s] to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data." Notice to subscribers would include at least a description of the breach and suggested mitigation techniques, while notice to regulators would include a description of the breach's consequences and steps the provider has taken to address the breach. If the directive is adopted, the "circumstances, format and procedures" for such notification will be established through technical implementing measures. With the UK government recently suffering one of the largest known data security breaches ever, the proposed directive, and separate national legislation, may pick up steam quickly. If that happens, the EU could speed past the U.S. Congress, which is still stuck in neutral when it comes to national breach notification legislation in the United States.
Steptoe & Johnson LLP presents: "Product Recalls: Effectively Managing the Process"
With high-profile recalls and product safety in the news, Steptoe & Johnson LLP invites you to a webinar designed to help companies: (1) identify product hazards; (2) negotiate a corrective action plan with the CPSC; (3) maximize recall effectiveness; and (4) minimize the threat of follow-on consumer litigation. On January 10, 2008, at 1:00 p.m. EST, Steptoe partners Tom Barba, Sandy Chamblee, and Jennifer Quinn-Barabanov, along with Elisha Lawrence, General Counsel, Alltrade Tools, will discuss the steps companies should take to address and effectively manage product safety concerns. Registration is free, but is on a first-come, first-served basis.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













