E-Commerce Law Week, Issue 492
February 2, 2008
Fail to Encrypt? Go Directly to Jail!
When it comes to data security, state legislatures -- like nature -- abhor a vacuum. With Congress still dithering on national breach notification legislation, most states have filled the void with their own individual requirements, resulting in a mish-mash of different laws that companies have to contend with when they suffer a data breach. Now states seem poised to go down a similar path with encryption -- possibly creating even greater confusion and complications for companies. Following the lead of Nevada and Massachusetts, the legislatures in Michigan (S.B. 1022) and Washington State (H.B. 2838 and H.B. 2574) have recently introduced bills that would require businesses to use encryption to protect personal information. The states differ, though, in how they define encryption, when they would require its use, and how they would enforce the mandate. Michigan takes the most extreme approach, as it would provide criminal fines and imprisonment for anyone who fails to encrypt computerized "personal identifying information" collected for business purposes. The Michigan and Washington bills would also allow banks to recover certain expenses from companies that suffer a data breach -- including costs for cancelling or reissuing credit or debit cards, closing or opening accounts, providing refunds to cardholders, and notifying customers. (Minnesota already has similar requirements.) Finally, at least four more states are considering jumping on the breach notification bandwagon this year. So 2008 promises to be another banner year for data security legislation at the state level.
Has Any Statute Engendered As Much Confusion As the CFAA?
Given the utter disarray among courts that have tried to interpret it, we're beginning to wonder whether the "CFAA" refers to the Confusing, Flexuous and Ambiguous Act rather than the Computer Fraud and Abuse Act. Another federal court recently added to the judicial befuddlement, ruling that a CFAA plaintiff must allege both "damage" and "loss" as defined by the Act in order to state a claim, and also adopting a narrow interpretation of "damage." In Garelli Wong & Associates, Inc., v. Nichols, the court dismissed a financial consulting company's CFAA claim against its former employee William Nichols, who had allegedly used client information copied from his former employer's database to drum up business for a competitor. The court held that "it is necessary for a plaintiff to plead both damage and loss in order to properly allege a civil CFAA violation." Moreover, rejecting the reasoning of other courts, the court further held that Nichols's alleged copying of "trade secret" information from Garelli Wong's computer could not be considered "damage" under the CFAA, since Nichols was not alleged to have deleted information from the database or otherwise "impair[ed]" its "integrity." As we have previously reported, courts have also reached conflicting decisions on the question of whether an employee's access to a company computer is "unauthorized" or "in excess of authorization" within the meaning of the Act if he is authorized to access the computer but then does something that breaches a duty of loyalty to the company -- such as using company information to benefit a competitor. Despite the confusion, the CFAA remains a viable -- and powerful -- tool for companies to use against disloyal former employees or competitors that gain access to the company's sensitive information. But a successful CFAA claim requires an understanding of the intricacies of the Act and careful pleading.
Congress Buys Some Breathing Room with 15-Day Extension to FISA Amendment
Congress averted -- or at least postponed -- a showdown with the President on January 29, passing a bill to extend last August's amendment to the Foreign Intelligence Surveillance Act (FISA) for 15 days past its scheduled sunset on February 1. The President signed the extension, despite his earlier promise to veto a temporary extension of the FISA amendment and his insistence that Congress pass a permanent amendment with retroactive immunity for telecoms that assisted the government's warrantless wiretapping program. While retroactive immunity still seems like a good bet, there is a chance that the House will not go along with it or that one or more Senators may seek to block it. So another high-stakes confrontation between the President and Congress seems likely in the coming weeks.
EU Court Weighs in on Internet Anonymity
As copyright holders continue to seek legal recourse against file-sharers, Internet service providers in the United States and Europe are increasingly being asked to perform a delicate balancing act -- weighing copyright owners' need to identify illegal file-sharers against Internet users' interest in maintaining anonymity under American and European law. The European Court of Justice (ECJ) took up the scales late last month, ruling that EU law does not require Member States to force ISPs to unmask anonymous subscribers targeted for legal action by copyright owners. But Member States may still choose to oblige ISPs to identify subscribers in such cases, as long as they balance the property rights of copyright holders against subscribers' right to privacy. That means the legal regime applicable to ISPs may vary with each European country, causing the potential for legal confusion and intra-European conflicts of law. For copyright owners, the ECJ decision may not be the total victory they sought, but it does open the door to national legislation that ultimately gives them the ability to go after illegal file-sharers. So the "K Street" equivalents of European capitals may get pretty busy lobbying on both sides of this issue.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













