E-Commerce Law Week, Issue 491
January 26, 2008

Life Is Good, But Data Security Without Encryption -- Not So Much
The Federal Trade Commission has again taken action against a company for its failure to live up to representations made in its online privacy statement. "Life is good, Inc." (LIG), a designer and seller of retail apparel, promised to store "in a secure file" any consumer information gathered while processing online purchases -- and then neglected to encrypt or otherwise adequately protect this information. According to the FTC, LIG indefinitely stored consumers' credit card numbers, expiration dates, and security codes on an unsecured, Internet-accessible server. After a hacker (using an SQL injection attack) stole thousands of LIG customers' information, LIG notified affected customers and law enforcement and took steps to prevent further breaches. Still, proving that no good deed goes unpunished, the FTC launched an investigation and ultimately lodged a complaint, alleging that LIG had violated provisions of the FTC Act barring deceptive acts or practices. LIG agreed to settle the complaint on the FTC's usual terms (including requirements for a comprehensive information security program and 20 years of FTC oversight). The settlement reinforces the Commission's position as the principal federal arbiter of what constitutes "reasonable" data security. It also underscores a trend in which the lack of encryption is increasingly regarded as a major factor in determining that a company's data security measures were inadequate.
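The two failures the complaint describes, retaining full card data in the clear and exposing it through a query that an attacker could rewrite, are easy to reproduce in a few lines. The following is an added example written for this page; it is not code from Life is good, Inc. or from the FTC record. The table layout, the sample orders (standard gateway test card numbers) and the tokenization key are all constructed here. The hardened side uses parameterized queries plus data minimization and keyed tokenization of the card number rather than encryption, because Python's standard library carries no block cipher; the point it makes is the same one the FTC made: do not keep what you do not need, and protect what you do keep.

```python
"""Added example: SQL injection against cleartext card data, beside a
hardened counterpart, run against an in-memory SQLite database.

Illustrative code written for this page, not code from Life is good, Inc.
or from the FTC record. Table layout, sample data and TOKEN_KEY are
constructed for the demonstration.
"""
import hashlib
import hmac
import sqlite3

# Constructed sample orders. The card numbers are the test PANs that payment
# gateways publish for integration testing, not real accounts.
SAMPLE_ORDERS = [
    ("ord-1001", "alice@example.com", "4111111111111111", "12/09", "123"),
    ("ord-1002", "bob@example.com", "5500000000000004", "03/10", "456"),
]

# Assumed server-side secret for tokenizing card numbers. In a real deployment
# this lives in an HSM or with the payment processor, never beside the data.
TOKEN_KEY = b"example-key-do-not-use"


def build_insecure_db():
    """The pattern the complaint alleges: PAN, expiry and CVV kept in the clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, email TEXT, card_number TEXT, "
        "expiry TEXT, cvv TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_insecure(conn, order_id):
    """Deliberately vulnerable: caller input is pasted into the SQL text."""
    sql = (
        "SELECT order_id, email, card_number, expiry, cvv FROM orders "
        "WHERE order_id = '%s'" % order_id
    )
    return conn.execute(sql).fetchall()


def tokenize(pan):
    """Keyed hash of the PAN: the shop can recognise a returning card without
    holding the number. Not reversible without TOKEN_KEY."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def build_hardened_db():
    """Retain only what order handling needs: a token, the last four digits
    and the expiry. The CVV is never written to storage at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id TEXT, email TEXT, card_token TEXT, "
        "last4 TEXT, expiry TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
        [(oid, email, tokenize(pan), pan[-4:], exp)
         for oid, email, pan, exp, _cvv in SAMPLE_ORDERS],
    )
    return conn


def lookup_hardened(conn, order_id):
    """Parameterized query: the order id is bound as data, never parsed as SQL."""
    sql = ("SELECT order_id, email, card_token, last4, expiry FROM orders "
           "WHERE order_id = ?")
    return conn.execute(sql, (order_id,)).fetchall()


# A classic tautology payload; it turns the WHERE clause into "always true".
PAYLOAD = "' OR '1'='1"


def demo():
    insecure = build_insecure_db()
    hardened = build_hardened_db()
    leaked = lookup_insecure(insecure, PAYLOAD)
    bound = lookup_hardened(hardened, PAYLOAD)
    return {
        # Every row, PANs and CVVs included, comes back from the vulnerable path.
        "rows_leaked": len(leaked),
        "cvvs_leaked": [row[4] for row in leaked],
        # The parameterized path finds no order literally named "' OR '1'='1".
        "rows_from_hardened": len(bound),
        # Even a legitimate lookup on the hardened table yields nothing chargeable.
        "legit_hardened_row": lookup_hardened(hardened, "ord-1001")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script, the insecure lookup returns both orders with card number and CVV for the injected input, while the hardened lookup returns nothing for it and, for a genuine order id, only a token and the last four digits. Note that the card verification code (CVV) may not be retained after authorization under the PCI Data Security Standard at all, so the hardened schema simply has no column for it.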
FERC Powers Up Cyber Security Standards for U.S. Electric Grid
For years, the federal government has agreed with much of private industry that federal cyber security standards were a bad idea. But, as we've previously reported, standards have emerged little by little from an array of sources at the state and federal level. For instance, Nevada has enacted a law creating specific cyber security requirements for businesses, Massachusetts has proposed similar regulations, and, as discussed above, the FTC continues to insist through enforcement actions that companies implement "reasonable" measures for protecting consumers' information. On January 18, the Federal Energy Regulatory Commission (FERC) joined the regulatory parade, issuing a final rule approving eight Critical Infrastructure Protection (CIP) Reliability Standards for protecting the cyber security of the U.S. power system. Adopted pursuant to section 215 of the Federal Power Act (FPA), these Standards require owners, operators, and coordinators of the U.S. bulk power transmission and generation system to develop and implement cyber security policies that identify and protect "critical cyber assets." While they do not mandate the use of encryption, the Standards create duties to use passwords, antivirus software, and other techniques to secure the cyber assets. Companies outside the power industry should also take note, since the Standards at the very least may be looked to by other regulators and by courts in determining what constitutes reasonable cyber security.
France Mulls Implications of Increasing Data Requests from U.S.
Europe's data protection laws continue to cause headaches for multinationals that receive requests for data from U.S. government agencies and litigants. After hearing from several concerned companies, the French Commission Nationale de l'Informatique et des Libertés (CNIL) recently promised to launch an inter-ministerial discussion to help resolve potential conflicts between demands for information stemming from litigation and investigations in the United States, on the one hand, and French data protection law, on the other. According to the CNIL, the concerned companies cited not only possible violations of the EU Data Protection Directive and French implementing regulations -- including excessive collection and processing of data and failure to obtain individuals' consent for data processing or transfers of data outside the EU -- but also fears that sending data to the United States might compromise trade secrets. While the CNIL's review will not result in any immediate action, it does signal that EU authorities may begin to push back harder against the increasing demands for European data emanating from the United States.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.