
E-Commerce Law Week, Issue 500

March 29, 2008

Is the Web Losing Its Immune System?

The once seemingly unbreachable immunity shield offered by the Communications Decency Act (CDA) against liability for third-party content has taken another blow.  Courts generally have interpreted section 230(c)(1) of the CDA as giving "provider[s] or user[s] of an interactive computer service" broad immunity from liability for information posted by third parties, but not for information that the providers or users post themselves.  But some courts have begun cutting back on the scope of that immunity, suggesting that it might not be available to people or sites that extensively edit, categorize or solicit content from others.  In Doe v. City of New York, a federal district court in New York ruled that section 230(c)(1) did not shield the defendant from a workplace discrimination claim, since he "added his own allegedly tortious speech to ... third-party content he forwarded."  Even more controversially, the court also found that the CDA immunity does not apply to an individual "user" of an interactive computer service -- despite the seemingly plain language of the statute, which extends protection to users as well as providers.  The court's brief and somewhat muddled opinion does not clearly establish when a user of an interactive computer service might be able to claim protection from liability under section 230(c)(1).  But it does fit into a broader trend of courts narrowing the scope of CDA immunity -- especially in cases where the defendants have edited, encouraged, commented on or contributed to the allegedly tortious content.  Given the unsettled state of the law, providers and users that wish to keep their CDA liability shield intact should proceed with caution when handling information provided by third parties.

Virginia Is For Lovers -- Of Breach Notification Laws

Virginia native George Washington may have been "First in War, First in Peace," but his home state is a laggard when it comes to data security legislation.  Still, Virginia has now joined the list of more than 40 U.S. jurisdictions that have enacted data breach notification laws: Governor Tim Kaine signed legislation earlier this month that requires any entity that owns or licenses the "unencrypted or unredacted personal information" of Virginia residents to notify both the state Attorney General and affected individuals if it "reasonably believe[s]" that such information "was accessed and acquired by an unauthorized person," and that the breach "has caused or will cause, identity theft or another fraud."  The law allows the state Attorney General to impose civil penalties of up to $150,000 "per breach," but presumably (though not explicitly) only in the event that the notification provisions are violated.  The law also states that it does not limit individuals from recovering "direct economic damages" for violations.  Meanwhile, Indiana's governor signed a bill that exempts the "unauthorized acquisition of a portable electronic device on which personal information is stored" from that state's breach notification law if the personal information on the device is "protected by encryption" and the encryption key remains secure -- a safe harbor that depends on the key not being stored on, or recoverable from, the lost device itself.  Lawmakers and governors in at least five other states are also considering new breach notification requirements, and federal legislation in the area may have received a new impetus from revelations of a data breach at the National Institutes of Health.

TJX and Reed Elsevier Settle FTC Charges Stemming from Data Breaches

The Federal Trade Commission is continuing its crackdown on companies with lax data security, announcing proposed settlements in two cases where the respondents allegedly failed to use encryption and other means to protect personal information.  In both cases, the FTC alleged that the companies' inadequate security violated the "unfair acts or practices" prong of the FTC Act.  In the first case, retailer The TJX Companies, Inc., agreed to settle charges that its failure to "provide reasonable and appropriate security for personal information on its networks" contributed to the landmark data breach it reported in January 2007, which compromised "tens of millions of unique payment cards."  In the second case, data brokers Reed Elsevier Inc. (REI) and Seisint, Inc. (now a wholly-owned subsidiary within REI's LexisNexis division), agreed to settle charges that their user ID and password structures "created an unreasonable risk of unauthorized access to sensitive consumer information stored in [the respondents'] databases" and allowed unauthorized persons to gain access to the databases on several occasions.  In both cases, the FTC alleged that the breaches resulted in identity theft.  The proposed settlements would require the respondents to:  establish and document a "comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity" of personal information "collected from or about consumers"; obtain an independent audit of that security program every two years for the next 20 years; and meet certain record keeping requirements for the next five years.  These settlements continue two trends in recent FTC actions -- increasing scrutiny by the FTC into the details of companies' security practices, and an increased focus on companies' failure to encrypt consumer information.

Questions and comments about E-Commerce Law Week are always welcome.  Please send your feedback to Sally Albertazzie.
