E-Commerce Law Week, Issue 499
March 22, 2008
DoJ Inspector General Issues New Reports on FBI's Misuse of NSLs
The Department of Justice Inspector General issued his second annual report on the FBI's use of National Security Letters (NSLs) earlier this month, finding that several of the problems first identified in last year's report on the use of NSLs between 2003 and 2005 continued in 2006. The problems included "the issuance of NSLs without proper authorization, improper requests, and unauthorized collection of telephone or Internet e-mail records." NSLs are essentially administrative subpoenas that the FBI can use, without having to go to a court or a grand jury, to obtain a wide variety of customer records from telecoms, Internet service providers, financial institutions, and credit agencies. The IG also released a new report on the FBI's use of Section 215 of the PATRIOT Act, which allows the FBI to seek an order from the Foreign Intelligence Surveillance Court "requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to obtain foreign intelligence information." The IG found that some misuse of these "Section 215 orders" continued in 2006, but in much smaller numbers than it found for NSLs. The FBI Director testified that the problems identified in the reports have been fixed by reforms instituted after last year's IG reports. We'll have to wait till next year's annual report to see if that's the case. In any event, with lawmakers calling for hearings on the misuse of NSLs, companies suspected of cooperating with deficient NSLs or Section 215 orders or providing more information than was requested could also face criticism -- and possibly suits alleging violations of the Electronic Communications Privacy Act.
Proposed SEC Regulations Would Require Data Breach Notification
Citing "the increase in reported security breaches and the potential for identity theft among" brokers, dealers, investment companies, investment advisers, and transfer agents, the Securities and Exchange Commission has proposed a rule (73 Fed. Reg. 13692 (Mar. 13, 2008)) that would impose new data security requirements on those institutions. Among these requirements would be a duty to notify the Commission (or, for certain broker-dealers, their designated examining authority) "as soon as possible after [they] become aware of any incident of unauthorized access to or use of personal information in which … [t]here is a significant risk that an individual identified with the information might suffer substantial harm or inconvenience ... or [a]n unauthorized person has intentionally obtained access to or used sensitive personal information." Covered institutions would also have to notify affected individuals if there has been unauthorized access to or use of "sensitive" personal information and "misuse of the information has occurred or is reasonably possible." If adopted, the rule would create more consistency in the rules for financial institutions, since other financial regulators already require such breach notification. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (70 Fed. Reg. 15736 (Mar. 29, 2005)). (Notably, though, the SEC's threshold for notification of regulators is higher than the other financial regulators'.) The proposed rule would also impose new record-keeping requirements and duties to protect personal data during use and disposal. Comments on the proposed rule are due by May 12, 2008.
Student Loan Firm Settles FTC Charges Stemming from Employee's Sale of Unencrypted Consumer Data
The Federal Trade Commission continues to crack down on companies that fail to adequately secure consumers' personal information. In the Commission's seventeenth such action, student lender Goal Financial, LLC recently agreed to settle FTC charges stemming from several employees' unauthorized transfer of "more than 7,000 consumer files" to third parties in 2005 and 2006, and one employee's 2006 sale to the public of hard drives containing unencrypted personal data belonging to "approximately 34,000 consumers." In its complaint, the Commission alleged that Goal Financial had failed to: "adequately" assess risks to personal information it handled; restrict access to personal information to authorized employees; implement a comprehensive, written information security program; use "information safeguards" to manage the risks to customer information; "regularly test or monitor" the "effectiveness" of such safeguards; provide adequate data security training; and contractually require third party service providers to protect personal information. According to the Commission, these practices violated the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). The Commission also charged that Goal Financial's privacy policy -- which stated that employee access to consumer information was granted on a "need to know" basis, and promised that "physical, electronic, and procedural safeguards that comply with federal regulations" were used to protect such information -- was "false and misleading," in violation of the GLBA Privacy Rule and the FTC Act's prohibition of deceptive acts or practices.
When It Comes to the CDA, Courts Could Use A Good Editor
Courts have generally held that section 230(c)(1) of the Communications Decency Act (CDA) gives websites broad immunity from liability for information provided by third parties. Some courts have also held that a website's editing of another party's content does not render the website itself a content provider and thereby deprive it of CDA immunity. But the line between a website's mere editing (immune) and its provision of its own content (not immune) can be difficult to discern. A recent federal court decision added to the muddle by holding that eBay could not assert CDA immunity for its allegedly false assertions that its Live Auctions are "very safe" and "run by reputable international auction houses," but that it could claim immunity for its promise that it screened the auction houses. The courts' inability to draw a clear line between editing and content provision could become a serious problem for websites. Until this issue is settled, websites should proceed with caution both in editing third-party content and in making claims about their services involving third-party content.
Seventh Circuit Rules That CDA Shields Craigslist from Suit Over Discriminatory Housing Ads
Meanwhile, the Seventh Circuit has affirmed a district court's decision granting summary judgment to craigslist in a suit alleging that it publishes discriminatory housing advertisements, in violation of Section 3604(c) of the Fair Housing Act (FHA). In Chicago Lawyers' Committee for Civil Rights Under Law, Inc., v. craigslist, Inc., the appellate court found that the Communications Decency Act (CDA) barred the plaintiff's claim, since craigslist was "not the author of the ads," and CDA Section 230(c)(1) prohibits "treat[ing]" a "provider ... of an interactive computer service" as "the publisher or speaker" of "any information" provided by a third party. But although the court ultimately found that the CDA shielded craigslist from liability for the housing ads, it also questioned other circuits' conclusion that Section 230(c)(1) provides "broad immunity from liability for unlawful third-party content" and suggested that craigslist might have been liable if it had induced people to post the discriminatory ads. Though the court's opinion is rather muddled on this score, the doubts it expresses about the scope of CDA immunity provide more ammunition for those who would seek to hold websites liable for third-party content.
Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.













