E-Commerce Law Week, Issue 493
February 9, 2008
What's On Your BlackBerry? Inquiring Border Agents Want to Know.
Many business travelers who carry laptops and other mobile devices on trips abroad have to worry about foreign restrictions on encryption and arbitrary customs rules. But for those worried about protecting personal or confidential information, the most harrowing part of the trip might be their return to the good ol' USA, where customs agents have traditionally had sweeping authority to conduct warrantless -- even suspicionless -- searches of travelers' possessions, including the contents of their electronic gadgets. While at least one magistrate judge recently held that the government could not force a traveler to turn over his password so the government could decrypt his Z drive, the courts have generally upheld the government's broad authority to conduct intrusive border searches. In an effort to shed light on exactly what the government's policy is in this area, the Electronic Frontier Foundation and Asian Law Caucus sued the Office of Customs and Border Protection (and its parent agency, the Department of Homeland Security) on February 7 under the Freedom of Information Act (FOIA), requesting records related to the CBP's policies on border searches. It seems unlikely that the EFF and ALC will obtain all of the information they want from the CBP -- a similar FOIA request filed by the Association of Corporate Travel Executives in 2006 netted only heavily redacted documents. Still, whatever they obtain could lay the groundwork for a civil suit to enjoin the government's border search practices and, until this issue is resolved, travelers can anticipate intrusive searches at the U.S. border and the possible seizure of mobile devices and the copying of information.
California May Establish New Model for Breach Notification
Companies may soon have to meet new reporting requirements when providing notification of data breaches to California residents. S.B. 364, which passed the California Senate late last month, would amend the Golden State's seminal breach notification statute to require that notification be made "in plain language" and include: a description of the breach incident; an estimate of the number of affected individuals; a list of the types of information that may have been exposed; the dates of the breach, its discovery, and notification; contact information for both the entity that suffered the breach and the "major credit reporting agencies"; and an indication of whether notification was delayed or substitute notice was used. Many of these proposed reporting requirements are already listed in a set of "Recommended Practices" released by the California Office of Privacy Protection in 2007. The bill would also require all companies providing breach notification to California residents to submit an electronic copy of such notification to the California Office of Information Security and Privacy Protection. (This Office, which combines the former Office of Privacy Protection with the data security operations of the Department of Finance, opened on January 1.) If enacted, the California amendment could again serve as a model for other states, the U.S. Congress, and governments around the world.
UK Information Commissioner Requires Retailer to Encrypt Laptops
Mandatory encryption is becoming a hot topic in the United States, with state legislatures considering legislation that would require businesses to encrypt personal information, and the Federal Trade Commission signaling that encryption is one of the key elements of "reasonable" data security. A similar trend is brewing in the United Kingdom, where a recent decision by the Information Commissioner's Office (ICO) means that companies should start encrypting sensitive personal information stored on mobile devices. The decision was based on the Seventh Data Protection Principle of the UK Data Protection Act 1998, which states, in general terms, that "[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." The ICO decision involved retailer Marks & Spencer, whose contractor suffered a theft of a laptop containing the unencrypted personal information of approximately 26,000 M&S employees. Since the UK Act generally holds companies responsible for the data security failings of their contractors, the Commissioner found that M&S had "contravene[d] the Seventh Data Protection Principle" of the Act by "fail[ing] to take appropriate measures to ensure the security of its data," and specifically required it to encrypt all personal information stored on its (and presumably its contractors') laptops.
German and Swedish Gambling Laws Draw Legal Action from the EC
The tug-of-war between many EU Member States and the European Commission over restrictions on online gambling continues. As we previously reported, the EC last June requested that France and Sweden amend their laws "to put an end to obstacles to the free movement of sports betting services," while continuing investigations into the sports betting and casino regulations of eight other Member States. Last month, the EC opened new legal proceedings against Germany and Sweden, asking them to clarify the compatibility of national legislation restricting the supply of gambling services with articles of the European Community Treaty that guarantee nationals of Member States the freedom to establish business ventures, provide services, and transfer capital anywhere within the Community. The EC's letters mark the beginning of what could be a long legal battle between the Member States and the EC. Companies that provide or support gambling services in the EU thus could face several more years of regulatory uncertainty.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













