E-Commerce Law Week, Issue 494

A House Divided Against Itself Cannot Stand, But it Can Recess 

After another week of "chicken" between the President and Congress over amending the Foreign Intelligence Surveillance Act (FISA), the House voted to recess without passing a permanent amendment or extending temporary amendments enacted last summer.  On February 12, the Senate finally passed a bill to the President's liking, providing retroactive immunity to communications companies that cooperated with the government's warrantless wiretapping program.  But the House, which has its own rather different bill, refused to go along with the Senate on the immunity issue.  Ultimately the House also was unable to pass another temporary extension of last summer's temporary amendments, so those amendments have now lapsed.  Notably, however, any warrantless wiretaps that were implemented under the temporary amendments will remain in effect until their one-year authorization expires.  The House will take the whole issue up again when it returns from recess next week.  The immunity issue is obviously of great importance to the companies that cooperated with the warrantless surveillance program.  In the long-run, though, all communications providers will have to live with whatever compromise language the House and Senate work out about the scope of the government's surveillance authority.

Three May Keep a Secret, If Two of Them Are Dead (Or the Secret is Posted on an Obscure Website)

Ben Franklin's quip about the impossibility of keeping secrets may have to be revised after a recent federal ruling that a third party's posting of confidential business information to a publicly available -- but obscure -- website did not destroy the "trade secret" status of the information.  The court's ruling came in a dispute between Silicon Image, Inc. and Analogix Semiconductor, Inc., two manufacturers of "HDMI" microchips used in high-definition audio and video equipment.  Silicon Image sued Analogix for trade secret misappropriation under California law, alleging that Analogix had essentially stolen its confidential source code and developed chips that copied Silicon Image's designs. Analogix contended that the source code was no longer a trade secret, since someone had posted it to a Chinese-language website months before Silicon Image sued.  The court found that publishing the source code on the website "did not destroy the secrecy of the information at issue," since there was no evidence that the postings to the "obscure" website were "generally known" to "potential competitors."  The lesson for companies? Allowing your confidential information to be posted to a public website is undoubtedly a bad idea, but so long as the website doesn't attract much attention, the information may still be a trade secret.

With Breach Notification Laws, the Devil Can Be in the Details of Implementing Regulations

Complying with the hodgepodge of data breach notification laws in more than 40 U.S. states and territories can be a tall order.  But the burden is even greater when specific requirements stem from implementing regulations rather than statute.  In New Jersey,  a backlash from business has blocked adoption of  proposed regulations that were drafted last year by the state Division of Consumer Affairs, pursuant to New Jersey's Identity Theft Prevention Act.  As we previously reported, the Act covers breach notification, security freezes on consumer reports, the use of social security numbers, and the destruction of customer records, and gives state agencies the authority to draft regulations "necessary to effectuate" these provisions.  The Division of Consumer Affairs interpreted this mandate broadly, proposing regulations that would have required companies doing business in the Garden State to use encryption -- and a plethora of other technologies -- to protect the personal data of New Jersey residents.  The regulations also would have required businesses that suffer an actionable data breach to "mitigate any damage created by the breach of security ... as expeditiously as possible" and notify the Division of State Police of the Department of Law and Public Safety within six hours.  The Division of Consumer Affairs reportedly plans to revise its regulatory proposal after sifting through public comments and consulting with a work group drawn from financial institutions, other businesses, and government entities.  Given the wide-ranging effect of any single state's law -- or regulations -- in this area, businesses will want to keep track of developments and make sure their views are heard before potentially onerous new requirements are handed down.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.